Learn about Bluetooth technology, its origins, specifications, and how it can be used to unify different devices and enhance connectivity. Discover the features of Frontline Test Equipment's FTS4BT Bluetooth Protocol Analyzer and its applications in analyzing Bluetooth communication. Upgrade firmware and configure different sniffing options for a seamless Bluetooth experience.
Welcome to Redmond, Washington
March 3, 2011
Bluetooth Fun Facts
The name Bluetooth is derived from the cognomen of a 10th century king, Harald Bluetooth, King of Denmark and Norway from 935 and 936 respectively, to 940. He is known for his unification of warring tribes from Denmark (including Scania, present-day Sweden, where the Bluetooth technology was invented) and Norway. Bluetooth likewise was intended to unify different technologies like computers and mobile phones. The name may have been inspired less by the historical Harald than the loose interpretation of him in The Long Ships by Frans Gunnar Bengtsson, a Swedish best-selling Viking-inspired novel. The Bluetooth logo merges the Nordic runes analogous to the modern Latin H and B (H = Haglaz, B = Berkanan).
About Frontline Test Equipment
• Founded in 1985
• Over 40,000 units shipped
• #1 Seller is FTS4BT Classic O-T-A
• Thousands of global customers
• Sales and support in San Jose, CA
• Headquarters in Charlottesville, VA
Charlottesville is located at the foothills of the Blue Ridge Mountains in the Commonwealth of Virginia. The City is named after Princess Sophia Charlotte of Mecklenburg-Strelitz, the wife of King George III of England. The area has an incredibly rich history that draws millions of visitors every year to Monticello, home of Thomas Jefferson, Ashlawn-Highlands, home of James Monroe, and Montpelier, home of James Madison, as well as the renowned University of Virginia.
Bluetooth Specifications
• Bluetooth 2.0 + EDR: Introduced Enhanced Data Rate, data transfer up to 3 Mbps. Useful for stereo (A2DP) transmissions
• Bluetooth 2.1 + EDR: Includes Secure Simple Pairing (SSP), making it easier for users to pair devices
• Bluetooth 3.0 + HS: Allows for high speed transfer of data over an alternate MAC/PHY, in this case 802.11
• Bluetooth 4.0: The new name for Bluetooth low energy. For transferring small amounts of data infrequently. Longer battery life. Typical applications are medical and sports and fitness
Version/Host/Controller Matrix
How to determine the specification version of an End Product when combining hosts and controllers conforming to different specification releases.
What is FTS4BT?
• FTS4BT is a Bluetooth Protocol Analyzer based on Frontline’s “Frontline Test System”
• FTS is a common platform for a range of data communications analyzers
• FTS4BT
  • Captures Bluetooth messages at various points in an application system
  • Decodes the various profile and protocol layers to the “bit level”
  • Analyzes error rates and data transmission efficiency
  • Extracts pictures, business cards, audio and other high level objects from a Bluetooth application profile session
Points of Observation (diagram)
The diagram shows the protocol stack of Bluetooth Device 1 and Bluetooth Device 2: Host (Profiles, RFCOMM, L2CAP, SDP, HCI), the Host Controller Interface, and the Controller (Link Controller/Link Manager, Baseband). Capture points:
• HCI Sniffing
  • USB Internal Tap (H2)
  • Virtual Sniffing
  • USB ComProbe (H2)
  • Asynchronous Serial: HCI UART (H4), 3-Wire UART (H5), BCSP
• Air Sniffing
  • Bluetooth ComProbe
Firmware Upgrades
• Firmware is available with new software builds. Check to see if the FW needs to be upgraded with a new build.
• Use the “Bluetooth ComProbe Maintenance Tool” for FW upgrades.
• The “Bluetooth ComProbe Maintenance Tool” is available in the “Setup Folder” of the FTS4BT Desktop folder.
Firmware Upgrades (Bluetooth ComProbe Maintenance Tool)
• Select Device
• Check FW Version
Firmware Upgrades
Update Firmware will take you to the Firmware path automatically.
Firmware Upgrades
Windows looks for a driver, as DFU mode is seen as a new device.
Bluetooth Air Sniffing
Single Connection (Air Basic)
• This configuration should be used when there is one Master device and one Slave device in use
• Either the Standard or the Alternate Clock Synchronization Mode may be chosen
• Only one BluetoothComProbe is needed for this configuration
• This configuration can be used when there is one Master device with multiple Slaves, IF security (encryption) will not be used on any of the links
  • The BluetoothComProbe can only decrypt data between a single pair of devices
Interlaced Page Scan (IPS)
• This configuration should be used when
  • There is one Master device and one Slave device in use, AND
  • The Slave device is using Interlaced Page Scan (IPS)
• Two BluetoothComProbes are needed for this configuration
  • One of the ComProbes is configured to follow one of the Inquiry and Paging Sequences
  • The other ComProbe is configured to follow the other Inquiry and Paging Sequence
Multiple Connections
• This configuration should be used when there are multiple Master devices in use
  • In other words, a Scatternet
• This configuration is effectively the same as using multiple copies of Single Connection (Air Basic)
  • The difference is that the data for each Master/Slave device pair is in the same capture file
  • The individual Piconets that make up the Scatternet are identified and tracked separately
• A BluetoothComProbe is needed for each master in this configuration
802.11/Bluetooth Coexistence
• This configuration should be used when
  • There is one Master device and one Slave device, AND
  • It is desired to capture 802.11 (Wi-Fi) data at the same time
  • OR, when Bluetooth 3.0 + HS is being used with an 802.11 AMP (Alternative MAC/PHY)
• This configuration needs
  • One BluetoothComProbe to capture the Bluetooth BR/EDR data
  • One Wi-Fi ComProbe to capture the 802.11 data
• In this configuration, the Packet Timeline displays the coexistence of BR/EDR packets and 802.11 packets
I/O Settings
• The I/O Settings dialog is the place to provide information about the device(s) to be sniffed.
Selecting The Bluetooth Devices
• The [Device Discovery] button will perform an Inquiry process in order to identify nearby devices
  • If a device that you wish to use is not currently discoverable, it will not be found
• Once the Inquiry process has completed, the device(s) may be selected in either the Master or Slave drop down lists
  • The Master and Slave selections refer to each device’s role in the piconet
• If a device is not discoverable, its Bluetooth Device Address may be entered manually
Synchronization Modes
• FTS4BT provides two synchronization modes:
• Standard Mode
  • The Slave device must be connectable
  • The Slave device does Not need to be discoverable
  • This mode is formerly known as Slave Page
• Alternate Mode
  • The Slave device must be discoverable
  • The Slave device may be connectable
  • This mode is formerly known as Slave Inquiry
Synchronization Modes
• Different devices may need different modes
  • Most devices work well with Standard Mode
  • For some devices, Alternate Mode is a better choice
• If the Slave device is using Interlaced Page Scanning, then you should use the Interlaced Page Scan (IPS) application.
Pairing
• The Pairing process between two Bluetooth devices produces a new common Link Key
• The BluetoothComProbe must be sniffing during the pairing process so it can calculate the new Link Key
  • Failure to learn the new Link Key will cause received packets to be processed incorrectly if encryption is used on the data link
• If one of the devices has the capability to display its current link key, it may be entered into the Air Datasource
Authentication And Encryption
• The information needed for the BluetoothComProbe to calculate the correct Link Key during Pairing is entered in the “Encryption” area of the dialog
• If the Link Key currently in use between the devices is known, it may be entered into FTS4BT by selecting “Link Key” as the “Pairing Method”
Authentication And Encryption
• If the pair of devices are using Bluetooth Core Specification 2.1 or later, then
  • One of the devices must be in Secure Simple Pairing Debug Mode
  • Or, one of the devices must be capable of displaying the Link Key shared by the devices
  • Or, an HCI trace must be taken in order to capture the Link Key Notification event
How Encryption Works in Bluetooth
The sequence of events used to create the link key, called “the pairing process”, is shown below on the LMP filter tab.
How FTS4BT Decrypts Data
FTS4BT must use the same link key being used by the devices being sniffed. The Link Key is calculated during the Pairing process only. The link key is never transmitted over the air, so FTS4BT must capture (sniff) the Pairing session in order to calculate the same link key as is calculated on the devices that are being paired.
Two Types of Encryption (Legacy and SSP)
• Spec is backward compatible
• SSP implemented on V2.1 devices
Secure Simple Pairing (SSP)
• New, different method of encryption/decryption
• All devices with V2.1 spec and above must use SSP
• To successfully decrypt SSP on FTS4BT, at least one device must be in DEBUG MODE.
  • Debug mode is mandatory on core specification V2.1
  • It is not mandatory for a device to support Debug mode.
• If debug mode is not available then the Link Key may be found:
  A) From an HCI trace.
  B) From an in-house tool.
• Possible to insert the Link Key manually.
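The slides on Authentication And Encryption and on SSP both point at the HCI trace as the fallback source of the link key: the controller reports the key it stored to the host in an HCI Link Key Notification event, and that value can then be entered into FTS4BT. The following script is an added example (not Frontline's code and not part of the original deck) that walks an H4-framed (UART transport) HCI capture and lists every Link Key Notification it contains. The H4 packet-type bytes, the event code 0x18, its 23-byte parameter layout and the Key_Type values come from the Bluetooth Core Specification; the sample trace `SAMPLE_TRACE` is constructed for the example and is not a real capture.

```python
"""Added example, not Frontline's code: list HCI Link Key Notification events
found in an H4 (UART-framed) HCI trace so the key can be given to an analyzer."""
from __future__ import annotations

import struct
from typing import Iterator

# H4 packet-type indicators (Bluetooth Core Spec, UART transport layer)
H4_COMMAND, H4_ACL, H4_SCO, H4_EVENT = 0x01, 0x02, 0x03, 0x04
EVT_LINK_KEY_NOTIFICATION = 0x18   # HCI event code

# Key_Type parameter of the Link Key Notification event
KEY_TYPES = {
    0x00: "Combination Key",
    0x01: "Local Unit Key",
    0x02: "Remote Unit Key",
    0x03: "Debug Combination Key",        # what SSP debug mode produces
    0x04: "Unauthenticated Combination Key",
    0x05: "Authenticated Combination Key",
    0x06: "Changed Combination Key",
}
DEBUG_COMBINATION_KEY = 0x03


def iter_h4_packets(trace: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (packet_type, packet_bytes) for every packet in an H4 byte stream."""
    pos = 0
    while pos < len(trace):
        ptype = trace[pos]
        pos += 1
        if ptype == H4_COMMAND:      # opcode(2) + parameter length(1) + params
            hdr = 3
        elif ptype == H4_ACL:        # handle/flags(2) + data length(2) + data
            hdr = 4
        elif ptype == H4_SCO:        # handle(2) + data length(1) + data
            hdr = 3
        elif ptype == H4_EVENT:      # event code(1) + parameter length(1) + params
            hdr = 2
        else:
            raise ValueError(f"unknown H4 packet type 0x{ptype:02x} at offset {pos - 1}")
        if pos + hdr > len(trace):
            raise ValueError(f"truncated packet header at offset {pos - 1}")
        if ptype == H4_ACL:
            body = struct.unpack_from("<H", trace, pos + 2)[0]
        else:
            body = trace[pos + hdr - 1]   # length byte is the last header octet
        end = pos + hdr + body
        if end > len(trace):
            raise ValueError(f"truncated packet body at offset {pos - 1}")
        yield ptype, trace[pos:end]
        pos = end


def extract_link_keys(trace: bytes) -> list[dict]:
    """Return one record per HCI Link Key Notification event in the trace."""
    records = []
    for ptype, pkt in iter_h4_packets(trace):
        if ptype != H4_EVENT or pkt[0] != EVT_LINK_KEY_NOTIFICATION:
            continue
        params = pkt[2:]
        if len(params) != 23:            # BD_ADDR(6) + Link_Key(16) + Key_Type(1)
            raise ValueError("malformed Link Key Notification event")
        bd_addr_le, link_key, key_type = params[:6], params[6:22], params[22]
        records.append({
            # HCI sends BD_ADDR least-significant octet first; show it the usual way
            "bd_addr": ":".join(f"{b:02X}" for b in reversed(bd_addr_le)),
            "link_key": link_key.hex(),
            "key_type": KEY_TYPES.get(key_type, f"reserved (0x{key_type:02x})"),
            "debug_key": key_type == DEBUG_COMBINATION_KEY,
        })
    return records


# Constructed sample trace (not a real capture): HCI_Reset, its Command Complete,
# a Link Key Notification for 00:11:22:33:44:55, then an Encryption Change event.
SAMPLE_TRACE = bytes.fromhex(
    "01 030C 00"
    "04 0E 04 01 030C 00"
    "04 18 17"
    "554433221100"
    "000102030405060708090a0b0c0d0e0f"
    "03"
    "04 08 04 00 0100 01"
)

if __name__ == "__main__":
    for rec in extract_link_keys(SAMPLE_TRACE):
        print(f"{rec['bd_addr']}  {rec['link_key']}  {rec['key_type']}")
```

The `debug_key` flag is worth surfacing: a key reported as a Debug Combination Key came from a device running in SSP debug mode, which is exactly the lab condition the deck requires for SSP decryption and which must not be left enabled on shipping hardware.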
How FTS4BT Decrypts Data
To decrypt, FTS4BT must know the PIN code and capture:
• The LMP opcode in_rand request and accept.
• Both (Master and Slave) LMP opcodes comb_keys
• Both (Master and Slave) LMP opcodes au_rand/sres
If any of these packets are missed by FTS4BT, the wrong Link Key will be calculated and FTS4BT decryption will fail because FTS4BT will not have the same Link Key as is used in the Piconet.
Failure to Decrypt
If FTS4BT doesn’t have all the information it needs, it won’t be able to calculate the link key correctly. In the example below, after frame 24, the LMP opcode “Start Encryption Request”, all following frames are shown as bad (red) packets. This is a good indication that the sniffer is unable to decrypt any payload data in the baseband packets after encryption is enabled within the piconet.
Example of LMP for SSP Pairing
One device MUST be in Debug Mode
Starting Data Capture
• Once the information in the I/O Settings dialog has been completed, the [Start Sniffing] button initiates data capture
• The icon on the Air Datasource window (and in the system tray) indicates the state of capture
Resynchronization
• Bluetooth devices that are not currently active in a connection operate independently
• This independence means that after some period of time the BluetoothComProbe will not be able to detect a connection initiation from the Master device (clock drift)
• To correct for this, the Air Datasource resynchronizes with the target device every 30 seconds
• A warning that this is about to happen is indicated by the status icon turning yellow five seconds before the resynchronization
Inability To Synchronize With The Master Device
• The most common causes for this type of problem include
  • Selection of the wrong device address
  • The surrounding environment is RF “noisy”
  • The Master and Slave devices are too far apart
    • This results in higher transmission power levels which may overwhelm the BluetoothComProbe
  • The Master and Slave devices are too close to each other
    • This results in lower transmission power levels which may not reach the BluetoothComProbe
  • Interlaced Page Scanning is being used
    • This can result in the BluetoothComProbe listening to the wrong set of paging frequencies
All Packets Are Captured With Errors
• This most commonly occurs after the Master and Slave initiate encryption on the link
• In this case, the captured packets are not being decrypted properly. This can be caused by
  • Entering the wrong PIN Code or not entering a PIN Code
  • Failing to capture the Pairing process
  • Devices re-executing the Pairing process when the BluetoothComProbe wasn’t listening
All Packets Are Captured With Errors
• This can usually be confirmed by looking at the last packet in the LMP tab
  • The last packet seen is an LMP_start_encryption_req
  • All following packets (except NULLs and POLLs) have length and CRC errors
• It is possible that some number of packets immediately following an LMP_start_encryption_req will not be properly decrypted
  • Prioritized Decryption can be used to minimize the number of such packets
  • Prioritized Decryption can cause packets to not be captured
  • Prioritized Decryption is enabled on the Advanced I/O Settings
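The "How FTS4BT Decrypts Data", "Failure to Decrypt" and "All Packets Are Captured With Errors" slides describe the same diagnosis from three angles: legacy pairing only yields a usable link key if the sniffer saw LMP_in_rand and its acceptance, both sides' LMP_comb_key, and both sides' LMP_au_rand/LMP_sres, and the symptom of a miss is that everything after LMP_start_encryption_req decodes as errors. The script below is an added example (not Frontline's code and not part of the deck) that audits a list of captured LMP PDUs for exactly those prerequisites and reports what was missed before the link went encrypted. The opcode numbers are the standard LMP opcodes from the Bluetooth Core Specification; the `(direction, opcode, frame)` tuple shape is an assumption standing in for whatever an LMP-tab export provides, and both sample captures are constructed for the example.

```python
"""Added example, not Frontline's code: audit a captured LMP PDU sequence for
the packets needed to compute a legacy (PIN-based) link key and decrypt."""
from __future__ import annotations

# LMP opcodes (Bluetooth Core Specification, Link Manager Protocol)
LMP_ACCEPTED = 3
LMP_IN_RAND = 8
LMP_COMB_KEY = 9
LMP_AU_RAND = 11
LMP_SRES = 12
LMP_ENCRYPTION_MODE_REQ = 15
LMP_ENCRYPTION_KEY_SIZE_REQ = 16
LMP_START_ENCRYPTION_REQ = 17

ROLE_NAME = {"M": "master", "S": "slave"}


def check_legacy_pairing_capture(pdus: list[tuple[str, int, int]]) -> dict:
    """pdus: (direction, opcode, frame_number) per LMP PDU in capture order, where
    direction is "M" (master->slave) or "S" (slave->master). Assumed input shape.
    Returns the missing key-derivation PDUs and where encryption was switched on.
    Unit-key pairing (LMP_unit_key) is not handled; the deck describes comb keys."""
    missing: list[str] = []

    # 1. LMP_in_rand from the initiator must be answered by LMP_accepted from the peer
    in_rand = next(((i, d) for i, (d, op, _) in enumerate(pdus) if op == LMP_IN_RAND), None)
    if in_rand is None:
        missing.append("LMP_in_rand")
    else:
        idx, initiator = in_rand
        responder = "S" if initiator == "M" else "M"
        reply = next((op for d, op, _ in pdus[idx + 1:] if d == responder), None)
        if reply != LMP_ACCEPTED:
            missing.append(f"LMP_accepted for LMP_in_rand from {ROLE_NAME[responder]}")

    # 2. comb_key, au_rand and sres must be seen in BOTH directions (mutual authentication)
    seen = {(d, op) for d, op, _ in pdus}
    required = ((LMP_COMB_KEY, "LMP_comb_key"), (LMP_AU_RAND, "LMP_au_rand"), (LMP_SRES, "LMP_sres"))
    for opcode, name in required:
        for role in ("M", "S"):
            if (role, opcode) not in seen:
                missing.append(f"{name} from {ROLE_NAME[role]}")

    # 3. From this frame on every payload depends on the key; a miss shows up as CRC errors here
    start = next((f for _, op, f in pdus if op == LMP_START_ENCRYPTION_REQ), None)
    return {
        "missing": missing,
        "encryption_starts_at_frame": start,
        "decryptable": not missing,
    }


# Constructed capture (not real data) in the shape of the LMP tab: full legacy pairing,
# mutual authentication, then encryption negotiation and start.
COMPLETE_CAPTURE = [
    ("M", LMP_IN_RAND, 10), ("S", LMP_ACCEPTED, 11),
    ("M", LMP_COMB_KEY, 12), ("S", LMP_COMB_KEY, 13),
    ("M", LMP_AU_RAND, 14), ("S", LMP_SRES, 15),
    ("S", LMP_AU_RAND, 16), ("M", LMP_SRES, 17),
    ("M", LMP_ENCRYPTION_MODE_REQ, 18), ("S", LMP_ACCEPTED, 19),
    ("M", LMP_ENCRYPTION_KEY_SIZE_REQ, 20), ("S", LMP_ACCEPTED, 21),
    ("M", LMP_START_ENCRYPTION_REQ, 22), ("S", LMP_ACCEPTED, 23),
]
# Same session, but the sniffer lost frame 13 (the slave's LMP_comb_key)
INCOMPLETE_CAPTURE = [p for p in COMPLETE_CAPTURE if p[2] != 13]

if __name__ == "__main__":
    for label, cap in (("complete", COMPLETE_CAPTURE), ("incomplete", INCOMPLETE_CAPTURE)):
        report = check_legacy_pairing_capture(cap)
        print(label, report)
```

A report with an empty `missing` list and a non-empty `encryption_starts_at_frame` is the healthy case; a populated `missing` list together with red frames after the start-encryption frame is the "Failure to Decrypt" picture, and it tells you which re-pairing (or manually entered link key) the capture needs before it is worth re-running.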
The Analyzer Asks For Help Decoding
• Packets are decoded based on information that was discovered earlier in the connection
• If there is missing information earlier in the session, the decoder subsystem may ask for help
• Missing information may be caused by
  • Packets not being decrypted
    • See Prioritized Decryption on the previous slide
  • Clearing the capture buffer during a connection
  • The sniffer missed SDP information.