1 / 45

Bluetooth Technology: Unifying Devices and Enhancing Connectivity

Learn about Bluetooth technology, its origins, specifications, and how it can be used to unify different devices and enhance connectivity. Discover the features of Frontline Test Equipment's FTS4BT Bluetooth Protocol Analyzer and its applications in analyzing Bluetooth communication. Upgrade firmware and configure different sniffing options for a seamless Bluetooth experience.

Download Presentation

Bluetooth Technology: Unifying Devices and Enhancing Connectivity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Welcome to Redmond, Washington March 3, 2011

  2. Agenda

  3. Bluetooth Fun Facts H=Haglaz B=Berkanan Bluetooth likewise was intended to unify different technologies like computers and mobile phones. The name may have been inspired less by the historical Harald than the loose interpretation of him in The Long Ships by Frans Gunnar Bengtsson, a Swedish best-selling Viking-inspired novel. The Bluetooth logo merges the Nordic runes analogous to the modern Latin H and B. The name Bluetooth is derived from the cognomen of a 10th century king, Harald Bluetooth, King of Denmark and Norway from 935 and 936 respectively, to 940. He is known for his unification of warring tribes from Denmark (including Scania, present-day Sweden, where the Bluetooth technology was invented) and Norway.

  4. About Frontline Test Equipment Charlottesville is located at the foothills of the Blue Ridge Mountains in the Commonwealth of Virginia.  The City is named after Princess Sophia Charlotte of Mecklenburg-Strelitz, the wife of King George III of England. The area has an incredibly rich history that draws millions of visitors every year to Monticello, home of Thomas Jefferson, Ashlawn-Highlands, home of James Monroe, and Montpelier, home of James Madison as well as the renowned University of Virginia. • Founded in 1985 • Over 40,000 units shipped • #1 Seller is FTS4BT Classic O-T-A • Thousands of global customers • Sales and support in San Jose, CA • Headquarters in Charlottesville, VA

  5. Bluetooth Specifications Bluetooth 2.0 + EDRIntroduced Enhanced Data Rate, data transfer up to 3mbps. Useful for stereo (A2DP) transmissions Bluetooth 2.1 + EDRIncludes Secure Simple Pairing (SSP), making it easier for users to pair devices Bluetooth 3.0 + HS Allows for high speed transfer of data over alternate MAC/Phy, in this case 802.11 Bluetooth 4.0The new name for Bluetooth low energy. For transferring small amounts of data infrequently. Longer battery life. Typical applications are medical and sports and fitness

  6. Version/Host/Controller Matrix How to determine the specification version of End Product when combining hosts and controllers conforming to different specification releases.

  7. What is FTS4BT? • FTS4BT is a Bluetooth Protocol Analyzer based on Frontline’s “Frontline Test System” • FTS is a common platform for a range of data communications analyzers • FTS4BT • Captures Bluetooth messages at various points in an application system • Decodes the various profile and protocol layers to the “bit level” • Analyzes error rates and data transmission efficiency • Extracts pictures, business cards, audio and other high level objects from a Bluetooth application profile session

  8. Bluetooth Device 2 HOST Profiles Profiles RFCOMM RFCOMM L2CAP L2CAP SDP SDP HCI HCI HostControllerInterface HCI HCI Link Controller/ Link Manager Link Controller/ Link Manager Baseband Baseband HOST Controller Points of Observation Bluetooth Device 1 HOST HCI Sniffing USB USB Internal Tap (H2) Virtual Sniffing USB ComProbe (H2) • Asynchronous Serial • HCI UART (H4) HostControllerInterface • 3-Wire UART (H5) • BCSP Air Sniffing HOST Controller Bluetooth ComProbe

  9. Firmware Upgrades Firmware is available with new software builds. Check to see if FW needs to be upgraded with new build. Use “Bluetooth ComProbe Maintenance Tool” for FW upgrades. “Bluetooth ComProbe Maintenance Tool” available in “Setup Folder” of FTS4BT Desktop folder.

  10. Firmware Upgrades(BluetoothComProbe Maintenance Tool) Select Device Check FW Version

  11. Firmware Upgrades Update Firmware will take you to the Firmware path automatically

  12. Firmware Upgrades 2 1 3 Looks for Driver as DFU mode is seen as new device.

  13. Bluetooth Air Sniffing 1 2 3 4

  14. Bluetooth/802.11 Air Sniffing (Optional)

  15. Bluetooth/802.11 Air Sniffing (Optional)

  16. High Speed Serial Sniffing (Optional)

  17. Air Sniffing Configurations

  18. Single Connection (Air Basic) • This configuration should be used when there is one Master device and one Slave device in use • Either the Standard or the Alternate Clock Synchronization Mode may be chosen • Only one BluetoothComProbe is needed for this configuration • This configuration can be used when there is one Master device with multiple Slaves, IF security (encryption) will not be used on any of the links • The BluetoothComProbe can only decrypt data between a single pair of devices

  19. Interlaced Page Scan (IPS) • This configuration should be used when • There is one Master device and one Slave device in use, AND • The Slave device is using Interlaced Page Scan (IPS) • Two BluetoothComProbes are needed for this configuration • One of the ComProbes is configured to follow one of the Inquiry and Paging Sequences • The other ComProbe is configured to follow the other Inquiry and Paging Sequence

  20. Multiple Connections • This configuration should be used when there are multiple Master devices in use • In other words, a Scatternet • This configuration is effectively the same as using multiple copies of Single Connection (Air Basic) • The difference is that the data for each Master/Slave device pair is in the same capture file • The individual Piconets that make up the Scatternet are identified and tracked separately • A BluetoothComProbe is needed for each master in this configuration

  21. Wi-Fi Coexistence

  22. 802.11/Bluetooth Coexistence • This configuration should be used when • There is one Master device and one Slave device, AND • It is desired to capture 802.11 (Wi-Fi) data at the same time • OR, when Bluetooth 3.0 + HS is being used with an 802.11 AMP (Alternative MAC Phy ) • This configuration needs • One BluetoothComProbe to capture the Bluetooth BR/EDR data • One Wi-Fi ComProbe to capture the 802.11 data • In this configuration, the Packet Timeline displays Coexistence of BR/EDR packets and the 802.11 packets

  23. Preparing to Use the Air Sniffer

  24. I/O Settings • The I/O Settings dialog is the place to provide information about the device(s) to be sniffed.

  25. Selecting The Bluetooth Devices • The [Device Discovery] button will perform an Inquiry process in order to identify nearby devices • If a device that you wish to use is not currently discoverable, it will not be found • Once the Inquiry process has completed, the device(s) may be selected in either the Master or Slave drop down lists • The Master and Slave selections refer to each devices role in the piconet • If a device is not discoverable, its Bluetooth Device Address may be entered manually

  26. Synchronization Modes • FTS4BT provides two synchronization modes: • Standard Mode • The Slave device must be connectable • The Slave device does Not need to be discoverable • This mode is formerly known as Slave Page • Alternate Mode • The Slave device must be discoverable • The Slave device may be connectable • This mode is formerly known as Slave Inquiry

  27. Synchronization Modes • Different devices may need different modes • Most devices work well with Standard Mode • For some devices, Alternate Mode is a better choice • If the Slave device is using Interlaced Page Scanning then you Should use Interlaced Page Scan (IPS) application.

  28. Pairing • The Pairing process between two Bluetooth devices produces a new common Link Key • The BluetoothComProbe must be sniffing during the pairing process so it can calculate the new Link Key • Failure to learn the new Link Key will cause received packets to be processed incorrectly if encryption is used on the data link • If one of the devices has the capability to display its current link key, it may be entered into the Air Datasource

  29. Authentication And Encryption • The information needed for the BluetoothComProbe to calculate the correct Link Key during Pairing is entered in the “Encryption” area of the dialog • If the Link Key currently in use between the devices is known, it may be entered into FTS4BT by selecting “Link Key” as the “Pairing Method”

  30. Authentication And Encryption • If the pair of devices are using Bluetooth Core Specification 2.1 or later, then • One of the devices must be in Secure Simple Pairing Debug Mode • Or, one of the devices must be capable of displaying the Link Key shared by the devices • Or, an HCI trace must be taken in order to capture the Link Key Notification event

  31. How Encryption Works in Bluetooth The sequence of events used to create the link key, called “the pairing process”, is shown below on the LMP filter Tab.

  32. How FTS4BT Decrypts Data FTS4BT must use the same link key being used by the devices being sniffed. The Link Key is calculated during Pairing process only. The link key is never transmitted over the air, so FTS4BT must capture (sniff) the Pairing session in order to calculate the same link as is calculated on the devices that are being paired.

  33. Two Types of Encryption (Legacy and SSP) Spec is backward compatible SSP implemented on V2.1 devices

  34. Secure Simple Pairing (SSP) • New different method of encryption/decryption • All devices with V2.1 spec and above must use SSP • To successfully decrypt SSP on FTS4BT, at least One device Must be in DEBUG MODE. • Debug mode is mandatory on core specification V2.1 • It is not mandatory for Device to support Debug mode. • If debug mode is not available then Link Key may be found: • A) From HCI trace. • B) from in-house tool • Possible to insert Link Key manually.

  35. How FTS4BT Decrypts Data To decrypt, FTS4BT must know the PIN code and capture: • The LMP Opcodein_rand Request and accept. • Both (Master and Slave) LMP Opcodescomb_keys • Both (Master and Slave)LMP Opcodesau_rand/sres If any of these packets are missed by FTS4BT, the wrong Link Key will be calculated and FTS4BT decryption will fail because FTS4BT will not have the same Link Key as is used in the Piconet.

  36. Failure to Decrypt If FTS4BT doesn’t have all the information it needs, it won’t be able to calculate the link key correctly. In the example below, after frame 24 – the LMP Opcode “Start Encryption Request” - all following frames are shown as bad (Red) packets. This is a good indication that the sniffer is unable to decrypt any payload data in the baseband packets after encryption is enabled within the piconet.

  37. Example of LMP for SSP Pairing One device MUST be in Debug Mode

  38. Capturing Data From The Air

  39. Starting Data Capture Once the information in the I/O Settings dialog has been completed, the [Start Sniffing] button initiates data capture The icon on the Air Datasource window (and in the system tray) indicates the state of capture

  40. Resynchronization • Bluetooth devices that are not currently active in a connection operate independently • This independence means that after some period of time the BluetoothComProbe will not be able to detect a connection initiation from the Master device (clock drift). • To correct for this, the Air Datasource resynchronizes with the target device every 30 seconds • A warning that this is about to happen is indicated by the status icon turning yellow five seconds before the resynchronization

  41. Common Problems While Air Sniffing

  42. Inability To Synchronize With The Master Device • The most common causes for this type of problem include • Selection of the wrong device address • The surrounding environment is RF “noisy” • The Master and Slave devices are too far apart • This results in higher transmission power levels which may overwhelm the BluetoothComProbe • The Master and Slave devices are too close to each other • This results in lower transmission power levels which may not reach the BluetoothComProbe • Interlaced Page Scanning is being used • This can result in the BluetoothComProbe listening to the wrong set of paging frequencies

  43. All Packets Are Captured With Errors • This most commonly occurs after the Master and Slave initiate encryption on the link • In this case, the captured packets are not being decrypted properly. This can be caused by • Entering the wrong PIN Code or not entering a PIN Code • Failing to capture the Pairing process • Devices re-executing the Pairing process when the BluetoothComProbe wasn’t listening

  44. All Packets Are Captured With Errors • This can usually be confirmed by looking at the last packet in the LMP tab • The last packet seen is an LMP_start_encryption_req • All following packets (except NULLs and POLLs) have length and CRC errors • It is possible that some number of packets immediately following an LMP_start_encryption_req will not be properly decrypted • Prioritized Decryption can used to minimize the number of such packets • Prioritized Decryption can cause packets to not be captured • Prioritized Decryption is enabled on the Advanced I/O Settings

  45. The Analyzer Asks For Help Decoding • Packets are decoded based on information that was discovered earlier in the connection • If there is missing information earlier in the session, the decoder subsystem may ask for help • Missing information may be caused by • Packets not being decrypted • See Prioritized Decryption on the previous slide • Clearing the capture buffer during a connection • Sniffer missed SDP information.

More Related