* Is there a way to force legacy LE pairing for a device
@ 2021-11-01 17:25 Jacek Konieczny
  2021-11-01 20:21 ` Luiz Augusto von Dentz
  2021-11-02  8:43 ` Marcel Holtmann
  0 siblings, 2 replies; 5+ messages in thread
From: Jacek Konieczny @ 2021-11-01 17:25 UTC (permalink / raw)
  To: linux-bluetooth

Hi,

I have a problem connecting to a BT device from a Linux desktop –
pairing fails, while an Android phone pairs properly.

The obvious difference in the btsnoop logs is in the pairing request.

Android:
< ACL Data TX: Handle 65 flags 0x00 dlen 11               #995 150.491086
      SMP: Pairing Request (0x01) len 6
        IO capability: KeyboardDisplay (0x04)
        OOB data: Authentication data not present (0x00)
        Authentication requirement: Bonding, MITM, Legacy, No Keypresses (0x05)
        Max encryption key size: 16
        Initiator key distribution: EncKey IdKey Sign (0x07)
        Responder key distribution: EncKey IdKey Sign (0x07)
[...]
> ACL Data RX: Handle 65 flags 0x02 dlen 11               #1006 150.571137
      SMP: Pairing Response (0x02) len 6
        IO capability: NoInputNoOutput (0x03)
        OOB data: Authentication data not present (0x00)
        Authentication requirement: Bonding, No MITM, Legacy, No Keypresses (0x01)
        Max encryption key size: 16
        Initiator key distribution: EncKey (0x01)
        Responder key distribution: EncKey (0x01)

And on Linux:
< ACL Data TX: Handle 16 flags 0x00 dlen 11               #53 [hci0] 132.273100
      SMP: Pairing Request (0x01) len 6
        IO capability: NoInputNoOutput (0x03)
        OOB data: Authentication data not present (0x00)
        Authentication requirement: Bonding, No MITM, SC, No Keypresses, CT2 (0x29)
        Max encryption key size: 16
        Initiator key distribution: EncKey Sign LinkKey (0x0d)
        Responder key distribution: EncKey IdKey Sign LinkKey (0x0f)
[...]
> ACL Data RX: Handle 16 flags 0x02 dlen 6                #57 [hci0] 132.362160
      SMP: Pairing Failed (0x05) len 1
        Reason: Invalid parameters (0x0a)



So it looks like 'Bonding, MITM, Legacy, No Keypresses' used by Android
works and 'Bonding, No MITM, SC, No Keypresses, CT2' used by the desktop
Linux (bluez 5.62, kernel '5.6.2-050602-lowlatency' from Ubuntu) does
not (note: I am still quite ignorant about Bluetooth stuff).

So my question is: is there any way to force using legacy pairing? Even
if that requires bluez or kernel patching (though, I would rather avoid
that).


Greets,
Jacek

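The two exchanges above differ only in the AuthReq and key-distribution bytes of the Pairing Request. The following decoder, an added example that is not part of the thread or of BlueZ, parses SMP Pairing Request/Response/Failed PDUs out of an LE ACL payload, prints them the way btmon does, and shows what the Linux request looks like once the post-4.0 bits (SC, CT2, LinkKey) are masked. The byte strings are reconstructed from the decoded fields shown in the btmon output, not captured from the amplifier, and the `diagnose()` heuristic is my own reading of the failure, not a spec rule.

```python
"""Decode SMP pairing PDUs from LE ACL payloads and show why clearing the
SC and CT2 bits turns the Linux Pairing Request into one a legacy-only
peer accepts. Added example; the frames below are reconstructed from the
decoded fields in the btmon output, not captured traffic."""
import struct

SMP_CID = 0x0006            # L2CAP fixed channel for SMP over LE
PAIRING_REQUEST, PAIRING_RESPONSE, PAIRING_FAILED = 0x01, 0x02, 0x05

IO_CAP = {0x00: "DisplayOnly", 0x01: "DisplayYesNo", 0x02: "KeyboardOnly",
          0x03: "NoInputNoOutput", 0x04: "KeyboardDisplay"}
# AuthReq bit layout (Core spec Vol 3 Part H, 3.5.1): bits 0-1 bonding,
# bit 2 MITM, bit 3 Secure Connections, bit 4 keypress notifications, bit 5 CT2.
AUTH_BONDING, AUTH_MITM, AUTH_SC, AUTH_KEYPRESS, AUTH_CT2 = 0x03, 0x04, 0x08, 0x10, 0x20
# Key distribution bits; LinkKey (cross-transport derivation) only applies with SC.
KEYDIST = ((0x01, "EncKey"), (0x02, "IdKey"), (0x04, "Sign"), (0x08, "LinkKey"))
KEYDIST_LINKKEY = 0x08
FAIL_REASON = {0x01: "Passkey entry failed", 0x03: "Authentication requirements",
               0x05: "Pairing not supported", 0x06: "Encryption key size",
               0x0a: "Invalid parameters", 0x0b: "DHKey check failed"}


def describe_authreq(auth):
    parts = ["Bonding" if auth & AUTH_BONDING else "No Bonding",
             "MITM" if auth & AUTH_MITM else "No MITM",
             "SC" if auth & AUTH_SC else "Legacy",
             "Keypresses" if auth & AUTH_KEYPRESS else "No Keypresses"]
    if auth & AUTH_CT2:
        parts.append("CT2")
    return ", ".join(parts)


def describe_keydist(kd):
    return " ".join(name for bit, name in KEYDIST if kd & bit) or "None"


def parse_smp(acl_payload):
    """acl_payload: the dlen bytes that follow the 4-byte HCI ACL header."""
    l2cap_len, cid = struct.unpack_from("<HH", acl_payload, 0)
    if cid != SMP_CID:
        raise ValueError(f"not SMP (CID 0x{cid:04x})")
    pdu = acl_payload[4:4 + l2cap_len]
    if len(pdu) != l2cap_len:
        raise ValueError("truncated L2CAP payload")
    code = pdu[0]
    if code in (PAIRING_REQUEST, PAIRING_RESPONSE):
        if len(pdu) != 7:
            raise ValueError("pairing request/response must be 7 bytes")
        io_cap, oob, auth, key_size, init_kd, resp_kd = pdu[1:7]
        if not 7 <= key_size <= 16 or io_cap > 0x04 or oob > 0x01:
            raise ValueError("field out of range")
        return {"code": code, "io_cap": io_cap, "oob": oob, "auth": auth,
                "max_key_size": key_size, "init_keydist": init_kd,
                "resp_keydist": resp_kd}
    if code == PAIRING_FAILED:
        if len(pdu) != 2:
            raise ValueError("pairing failed must be 2 bytes")
        return {"code": code, "reason": pdu[1]}
    raise ValueError(f"unhandled SMP code 0x{code:02x}")


def render(p):
    """btmon-style lines, so the decoder output can be compared with a capture."""
    if p["code"] == PAIRING_FAILED:
        return ["SMP: Pairing Failed (0x05) len 1",
                f"  Reason: {FAIL_REASON.get(p['reason'], 'Unknown')} (0x{p['reason']:02x})"]
    name = "Pairing Request" if p["code"] == PAIRING_REQUEST else "Pairing Response"
    return [f"SMP: {name} (0x{p['code']:02x}) len 6",
            f"  IO capability: {IO_CAP.get(p['io_cap'], 'Reserved')} (0x{p['io_cap']:02x})",
            f"  Authentication requirement: {describe_authreq(p['auth'])} (0x{p['auth']:02x})",
            f"  Max encryption key size: {p['max_key_size']}",
            f"  Initiator key distribution: {describe_keydist(p['init_keydist'])} (0x{p['init_keydist']:02x})",
            f"  Responder key distribution: {describe_keydist(p['resp_keydist'])} (0x{p['resp_keydist']:02x})"]


def legacy_request(req):
    """The request a 4.0-era peer would see: SC and CT2 cleared, LinkKey cleared."""
    out = dict(req)
    out["auth"] = req["auth"] & ~(AUTH_SC | AUTH_CT2)
    out["init_keydist"] = req["init_keydist"] & ~KEYDIST_LINKKEY
    out["resp_keydist"] = req["resp_keydist"] & ~KEYDIST_LINKKEY
    return out


def diagnose(req, resp):
    """Heuristic (my assumption, not a spec rule): Invalid Parameters in reply to
    a request carrying post-4.0 AuthReq bits points at a responder that rejects
    bits it does not understand. Otherwise report whether SC will be used, which
    requires the SC bit on both sides."""
    if resp["code"] == PAIRING_FAILED:
        post40 = req["auth"] & (AUTH_SC | AUTH_CT2)
        if resp["reason"] == 0x0a and post40:
            return {"verdict": "peer rejected post-4.0 AuthReq bits",
                    "offending_bits": post40, "retry_with": legacy_request(req)}
        return {"verdict": f"pairing failed: {FAIL_REASON.get(resp['reason'], 'unknown')}"}
    return {"verdict": "pairing proceeds",
            "secure_connections": bool(req["auth"] & resp["auth"] & AUTH_SC)}


def smp_frame(pdu):
    return struct.pack("<HH", len(pdu), SMP_CID) + bytes(pdu)


# Constructed from the decoded fields in the thread's btmon output (dlen 11 / 6).
ANDROID_REQ = smp_frame([0x01, 0x04, 0x00, 0x05, 16, 0x07, 0x07])
AMP_RESP = smp_frame([0x02, 0x03, 0x00, 0x01, 16, 0x01, 0x01])
LINUX_REQ = smp_frame([0x01, 0x03, 0x00, 0x29, 16, 0x0d, 0x0f])
AMP_FAIL = smp_frame([0x05, 0x0a])

if __name__ == "__main__":
    for label, frame in (("Android >", ANDROID_REQ), ("amp     <", AMP_RESP),
                         ("Linux   >", LINUX_REQ), ("amp     <", AMP_FAIL)):
        print(label, f"dlen {len(frame)}")
        for line in render(parse_smp(frame)):
            print("    " + line)
    print(diagnose(parse_smp(ANDROID_REQ), parse_smp(AMP_RESP)))
    result = diagnose(parse_smp(LINUX_REQ), parse_smp(AMP_FAIL))
    print(result["verdict"], "->", describe_authreq(result["retry_with"]["auth"]))
```

Masking gives AuthReq 0x01 (Bonding, No MITM, Legacy, No Keypresses), exactly what the amplifier itself answers to Android, and key distribution 0x05/0x07 without LinkKey. Note that even the Android exchange ends up with no MITM protection: the responder is NoInputNoOutput and clears the MITM bit, so the resulting legacy key is unauthenticated whichever host pairs.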

* Re: Is there a way to force legacy LE pairing for a device
  2021-11-01 17:25 Is there a way to force legacy LE pairing for a device Jacek Konieczny
@ 2021-11-01 20:21 ` Luiz Augusto von Dentz
  2021-11-02  7:54   ` Jacek Konieczny
  2021-11-02  8:43 ` Marcel Holtmann
  1 sibling, 1 reply; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2021-11-01 20:21 UTC (permalink / raw)
  To: Jacek Konieczny; +Cc: linux-bluetooth

Hi Jacek,

On Mon, Nov 1, 2021 at 10:26 AM Jacek Konieczny <jajcus@jajcus.net> wrote:
>
> Hi,
>
> I have a problem connecting to a BT device from a Linux desktop –
> pairing fails, while an Android phone pairs properly.
>
> The obvious difference in the btsnoop logs is in the pairing request.
>
> Android:
> < ACL Data TX: Handle 65 flags 0x00 dlen 11               #995 150.491086
>       SMP: Pairing Request (0x01) len 6
>         IO capability: KeyboardDisplay (0x04)
>         OOB data: Authentication data not present (0x00)
>         Authentication requirement: Bonding, MITM, Legacy, No Keypresses (0x05)
>         Max encryption key size: 16
>         Initiator key distribution: EncKey IdKey Sign (0x07)
>         Responder key distribution: EncKey IdKey Sign (0x07)
> [...]
> > ACL Data RX: Handle 65 flags 0x02 dlen 11               #1006 150.571137
>       SMP: Pairing Response (0x02) len 6
>         IO capability: NoInputNoOutput (0x03)
>         OOB data: Authentication data not present (0x00)
>         Authentication requirement: Bonding, No MITM, Legacy, No Keypresses (0x01)
>         Max encryption key size: 16
>         Initiator key distribution: EncKey (0x01)
>         Responder key distribution: EncKey (0x01)
>
>
> And on Linux:
> < ACL Data TX: Handle 16 flags 0x00 dlen 11               #53 [hci0] 132.273100
>       SMP: Pairing Request (0x01) len 6
>         IO capability: NoInputNoOutput (0x03)
>         OOB data: Authentication data not present (0x00)
>         Authentication requirement: Bonding, No MITM, SC, No Keypresses, CT2 (0x29)
>         Max encryption key size: 16
>         Initiator key distribution: EncKey Sign LinkKey (0x0d)
>         Responder key distribution: EncKey IdKey Sign LinkKey (0x0f)
> [...]
> > ACL Data RX: Handle 16 flags 0x02 dlen 6                #57 [hci0] 132.362160
>       SMP: Pairing Failed (0x05) len 1
>         Reason: Invalid parameters (0x0a)
>
>
>
> So it looks like 'Bonding, MITM, Legacy, No Keypresses' used by Android
> works and 'Bonding, No MITM, SC, No Keypresses, CT2' used by the desktop
> Linux (bluez 5.62, kernel '5.6.2-050602-lowlatency' from Ubuntu) does
> not (note: I am still quite ignorant about Bluetooth stuff).

What android version are we talking about here?

> So my question is: is there any way to force using legacy pairing? Even
> if that requires bluez or kernel patching (though, I would rather avoid
> that).

So Invalid Parameter is normally used when the stack doesn't
understand something in the request:

'x0A Invalid Parameters The Invalid Parameters error code indicates
that the command length is invalid or that a
parameter is outside of the specified range.'

From the looks of it Android doesn't set SC or CT2, which were bits
introduced after 4.0, so perhaps with this version of Android we
cannot use one of these bits (CT2 most likely).

>
> Greets,
> Jacek



-- 
Luiz Augusto von Dentz


* Re: Is there a way to force legacy LE pairing for a device
  2021-11-01 20:21 ` Luiz Augusto von Dentz
@ 2021-11-02  7:54   ` Jacek Konieczny
  0 siblings, 0 replies; 5+ messages in thread
From: Jacek Konieczny @ 2021-11-02  7:54 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hi Luiz,

On 01/11/2021 21:21, Luiz Augusto von Dentz wrote:
> 
> On Mon, Nov 1, 2021 at 10:26 AM Jacek Konieczny <jajcus@jajcus.net> wrote:
>> So it looks like 'Bonding, MITM, Legacy, No Keypresses' used by Android
>> works and 'Bonding, No MITM, SC, No Keypresses, CT2' used by the desktop
>> Linux (bluez 5.62, kernel '5.6.2-050602-lowlatency' from Ubuntu) does
>> not (note: I am still quite ignorant about Bluetooth stuff).
> 
> What android version are we talking about here?

Android 11 on Samsung Galaxy S10 with current software.

>> So my question is: is there any way to force using legacy pairing? Even
>> if that requires bluez or kernel patching (though, I would rather avoid
>> that).
> 
> So Invalid Parameter is normally used when the stack doesn't
> understand something in the request:
> 
> 'x0A Invalid Parameters The Invalid Parameters error code indicates
> that the command length is invalid or that a
> parameter is outside of the specified range.'
> 
>  From the looks of it Android doesn't set SC nor CT2, which were bits
> introduced after 4.0, so perhaps with this version of Android we
> cannot use one of these bits (CT2 most likely).

The problem is not the Android, but the device I am trying to pair with
(VOX Adio Air GT guitar amplifier). The Bluetooth implementation in the
device is most probably outdated and/or broken and definitely insecure,
but I still need to connect to it. Android can do that; I wonder how I
can do it from a regular Linux machine with a recent kernel and BlueZ.

Jacek


* Re: Is there a way to force legacy LE pairing for a device
  2021-11-01 17:25 Is there a way to force legacy LE pairing for a device Jacek Konieczny
  2021-11-01 20:21 ` Luiz Augusto von Dentz
@ 2021-11-02  8:43 ` Marcel Holtmann
  2021-11-02 16:20   ` Jacek Konieczny
  1 sibling, 1 reply; 5+ messages in thread
From: Marcel Holtmann @ 2021-11-02  8:43 UTC (permalink / raw)
  To: Jacek Konieczny; +Cc: linux-bluetooth

Hi Jacek,

> I have a problem connecting to a BT device from a Linux desktop –
> pairing fails, while an Android phone pairs properly.
> 
> The obvious difference in the btsnoop logs is in the pairing request.
> 
> Android:
> < ACL Data TX: Handle 65 flags 0x00 dlen 11               #995 150.491086
>      SMP: Pairing Request (0x01) len 6
>        IO capability: KeyboardDisplay (0x04)
>        OOB data: Authentication data not present (0x00)
>        Authentication requirement: Bonding, MITM, Legacy, No Keypresses (0x05)
>        Max encryption key size: 16
>        Initiator key distribution: EncKey IdKey Sign (0x07)
>        Responder key distribution: EncKey IdKey Sign (0x07)
> [...]
>> ACL Data RX: Handle 65 flags 0x02 dlen 11               #1006 150.571137
>      SMP: Pairing Response (0x02) len 6
>        IO capability: NoInputNoOutput (0x03)
>        OOB data: Authentication data not present (0x00)
>        Authentication requirement: Bonding, No MITM, Legacy, No Keypresses (0x01)
>        Max encryption key size: 16
>        Initiator key distribution: EncKey (0x01)
>        Responder key distribution: EncKey (0x01)
> 
> 
> And on Linux:
> < ACL Data TX: Handle 16 flags 0x00 dlen 11               #53 [hci0] 132.273100
>      SMP: Pairing Request (0x01) len 6
>        IO capability: NoInputNoOutput (0x03)
>        OOB data: Authentication data not present (0x00)
>        Authentication requirement: Bonding, No MITM, SC, No Keypresses, CT2 (0x29)
>        Max encryption key size: 16
>        Initiator key distribution: EncKey Sign LinkKey (0x0d)
>        Responder key distribution: EncKey IdKey Sign LinkKey (0x0f)
> [...]
>> ACL Data RX: Handle 16 flags 0x02 dlen 6                #57 [hci0] 132.362160
>      SMP: Pairing Failed (0x05) len 1
>        Reason: Invalid parameters (0x0a)
> 
> 
> 
> So it looks like 'Bonding, MITM, Legacy, No Keypresses' used by Android
> works and 'Bonding, No MITM, SC, No Keypresses, CT2' used by the desktop
> Linux (bluez 5.62, kernel '5.6.2-050602-lowlatency' from Ubuntu) does
> not (note: I am still quite ignorant about Bluetooth stuff).
> 
> So my question is: is there any way to force using legacy pairing? Even
> if that requires bluez or kernel patching (though, I would rather avoid
> that).
> 

you can use btmgmt tool from bluez.git to force Secure Connections off. I am not sure if that sticks when starting bluetoothd, but then you need to hack it out there.

I am really not sure how your device can be a qualified Bluetooth device and fail here. The handling of the flags actually has proper test cases to ensure that this doesn't happen. And I remember that even Android switched to Secure Connections support at some point.

Regards

Marcel



* Re: Is there a way to force legacy LE pairing for a device
  2021-11-02  8:43 ` Marcel Holtmann
@ 2021-11-02 16:20   ` Jacek Konieczny
  0 siblings, 0 replies; 5+ messages in thread
From: Jacek Konieczny @ 2021-11-02 16:20 UTC (permalink / raw)
  To: Marcel Holtmann; +Cc: linux-bluetooth

Hi Marcel,

On 11/2/21 9:43 AM, Marcel Holtmann wrote:
> you can use btmgmt tool from bluez.git to force Secure Connections off. I am not sure if that sticks when starting bluetoothd, but then you need to hack it out there.

Thank you! This works. I had to run 'btmgmt sc off' after starting
bluetoothd, before 'power on', but then I was able to pair with my
device. When paired MIDI over Bluetooth is working properly.

Even after I re-enable SC the connection with the already-paired device
works.

I think I can work with that.

> I am really not sure how your device can be a qualified Bluetooth device and fail here. The handling of the flags actually has proper test cases to ensure that this doesn't happen.

That would not be the first time a device is compatible with the
standard it is advertised with. Especially since for this one this is an
extra feature hardly anyone uses, the manufacturer does not even
support their own software properly (the Android app just doesn't work),
and usually the USB interface would be used rather than BT anyway.

What is interesting is that this amplifier has two different BT adapters.
It can function as a 'bluetooth speaker' and this seems to be working
without any issue. It is the 'regular Bluetooth', not LE. This one feature
would probably be enough to call this a Bluetooth device.

The other function is amplifier remote control via MIDI over Bluetooth.
This seems to be a separate BLE interface and works as I described. It
does not even have any special 'pairing mode' (the 'speaker' function
requires pressing a button on the device) or pairing verification, so
anyone can pair with the amplifier at any time (unless someone else is
already using the BLE interface) and change its settings. It would be
quite an interesting attack if anyone used those devices on stage. Using
SC or not probably does not matter at this point at all.

Greets,
Jacek

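The workaround Marcel suggested and Jacek confirmed ('btmgmt sc off' with bluetoothd already running, before 'power on', then pair, then 'sc on' again) can be wrapped so that the adapter state is checked before and after rather than assumed. The script below is an added example, not part of BlueZ or of the thread: it reads 'btmgmt info', decides whether Secure Connections needs to be switched off, applies the sequence from the thread, and restores SC afterwards. The 'supported settings:' / 'current settings:' line layout is assumed from btmgmt's output and SAMPLE_INFO is constructed; the power off/sc off/power on order mirrors what Jacek reported rather than a documented requirement. Keep in mind that the mgmt setting is per controller, so while it is off every LE pairing on that adapter falls back to legacy pairing, whose Just Works/passkey key agreement a passive eavesdropper can recover; the thread reports that the existing bond keeps working after SC is re-enabled, so turn it back on as soon as the bond exists.

```python
"""Check and toggle the adapter-wide Secure Connections setting via btmgmt,
following the sequence from this thread. Added example, not part of BlueZ.
Assumptions: btmgmt is on PATH and `btmgmt info` prints 'supported settings:'
and 'current settings:' lines listing setting names; SAMPLE_INFO is constructed."""
import subprocess

SAMPLE_INFO = """hci0:\tPrimary controller
\taddr 00:11:22:33:44:55 version 10 manufacturer 2 class 0x000000
\tsupported settings: powered connectable bondable ssp br/edr le secure-conn privacy
\tcurrent settings: powered bondable ssp br/edr le secure-conn
\tname BlueZ 5.62
"""


def parse_settings(info_text):
    """Return {'supported': set, 'current': set} of setting names from `btmgmt info`."""
    settings = {"supported": set(), "current": set()}
    for line in info_text.splitlines():
        line = line.strip()
        for key in settings:
            prefix = f"{key} settings:"
            if line.startswith(prefix):
                settings[key] = set(line[len(prefix):].split())
    return settings


def sc_supported(info_text):
    return "secure-conn" in parse_settings(info_text)["supported"]


def sc_enabled(info_text):
    return "secure-conn" in parse_settings(info_text)["current"]


def btmgmt(index, *args):
    """Run one btmgmt command against controller hci<index>; raises on failure."""
    cmd = ["btmgmt", "--index", str(index), *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def prepare_legacy_pairing(index=0):
    """Downgrade the controller to legacy LE pairing just long enough to bond.
    Caveat: affects every LE pairing on hci<index> until restore_sc() runs."""
    info = btmgmt(index, "info")
    if not sc_supported(info):
        return "controller has no Secure Connections support; nothing to change"
    if sc_enabled(info):
        # Order reported in the thread: sc off while unpowered, then power on.
        btmgmt(index, "power", "off")
        btmgmt(index, "sc", "off")
    btmgmt(index, "power", "on")
    if sc_enabled(btmgmt(index, "info")):
        raise RuntimeError("secure-conn still set; bluetoothd may have re-enabled it")
    return "secure-conn off: pair now (e.g. bluetoothctl), then call restore_sc()"


def restore_sc(index=0):
    """Re-enable Secure Connections and report whether the controller shows it."""
    btmgmt(index, "sc", "on")
    return sc_enabled(btmgmt(index, "info"))


if __name__ == "__main__":
    print(prepare_legacy_pairing(0))
```

Run it as root (or with the capability bluetoothd itself needs for the mgmt socket), pair in another terminal, and then call restore_sc(); the final check returning True is what tells you the downgrade did not outlive the one pairing it was meant for.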
