Agenda - Frontline Test Equipment

Welcome to Redmond, Washington
March 3, 2011

Agenda
9:00 - 9:15    Introduction and Logistics
9:15 - 10:30   Bluetooth® Protocol; Classic and Low Energy
10:30 - 10:45  Break
10:45 - 12:00  Bluetooth Protocol
12:00 - 1:00   Lunch
1:00 - 1:45    Frontline-Centric Bluetooth Protocol
1:45 - 2:30    Frontline 101
2:30 - 3:00    Break
3:00 - 3:45    Frontline 202
3:45 - 4:30    BT / Wi-Fi; USB / HCI; BT Robustness; Dual Mode
4:30 - 4:45    Wrap-up
Bluetooth Fun Facts
The name Bluetooth is derived from the cognomen of a 10th century king, Harald Bluetooth, King of Denmark and Norway from 935 and 936 respectively, to 940. He is known for his unification of warring tribes from Denmark (including Scania, present-day Sweden, where the Bluetooth technology was invented) and Norway. Bluetooth likewise was intended to unify different technologies like computers and mobile phones. The name may have been inspired less by the historical Harald than by the loose interpretation of him in The Long Ships by Frans Gunnar Bengtsson, a Swedish bestselling Viking-inspired novel. The Bluetooth logo merges the Nordic runes analogous to the modern Latin H and B:
H = Haglaz
B = Berkanan
About Frontline Test Equipment
• Founded in 1985
• Over 40,000 units shipped
• #1 seller is FTS4BT Classic O-T-A
• Thousands of global customers
• Headquarters in Charlottesville, VA
• Sales and support in San Jose, CA
Charlottesville is located at the foothills of the Blue Ridge Mountains in the Commonwealth of Virginia. The City is named after Princess Sophia Charlotte of Mecklenburg-Strelitz, the wife of King George III of England. The area has an incredibly rich history that draws millions of visitors every year to Monticello, home of Thomas Jefferson, Ash Lawn-Highlands, home of James Monroe, and Montpelier, home of James Madison, as well as the renowned University of Virginia.
Bluetooth Specifications
Bluetooth 2.0 + EDR
Introduced Enhanced Data Rate, with data transfer up to 3 Mbps. Useful for stereo (A2DP) transmissions.
Bluetooth 2.1 + EDR
Includes Secure Simple Pairing (SSP), making it easier for users to pair devices.
Bluetooth 3.0 + HS
Allows for high speed transfer of data over an alternate MAC/PHY, in this case 802.11.
Bluetooth 4.0
The new name for Bluetooth low energy. For transferring small amounts of data infrequently, with longer battery life. Typical applications are medical, sports and fitness.
Version/Host/Controller Matrix
How to determine the specification version of an End Product when combining hosts and controllers conforming to different specification releases.

BR/EDR Controller | Host         | AMP Controller | Design Core Version
3.0 (with EDR)    | 3.0 + HS     | 3.0 + HS       | 3.0 + HS
3.0 (with EDR)    | 2.1 + EDR    | N/A            | 2.1 + EDR
3.0 (with EDR)    | 2.0 + EDR    | N/A            | 2.0 + EDR
3.0 (with EDR)    | 1.2          | N/A            | 2.0 + EDR
3.0               | 3.0 + HS     | 3.0 + HS       | 3.0
3.0               | 3.0 + HS     | Not present    | 3.0
3.0               | 3.0          | N/A            | 3.0
3.0               | 2.1 + EDR    | N/A            | 2.1
3.0               | 2.0 + EDR    | N/A            | 2.0
3.0               | 1.2          | N/A            | 2.0
2.1 + EDR         | 3.0 + HS     | 3.0 + HS       | 3.0 + HS
2.1 + EDR         | 3.0 + HS     | Not present    | 3.0
2.1 + EDR         | 3.0          | N/A            | 3.0
2.1 + EDR         | 2.1 + EDR    | N/A            | 2.1 + EDR
2.1 + EDR         | 2.0 + EDR    | N/A            | 2.0 + EDR
2.1 + EDR         | 1.2          | N/A            | 2.0 + EDR
2.0 + EDR         | 1.2 or later | N/A            | 2.0 + EDR
2.1               | 3.0 + HS     | 3.0 + HS       | 3.0
2.1               | 3.0 + HS     | Not present    | 3.0
2.1               | 3.0          | N/A            | 3.0
2.1               | 2.1 + EDR    | N/A            | 2.1
2.1               | 2.0 + EDR    | N/A            | 2.0
2.1               | 1.2          | N/A            | 2.0
2.0               | 1.2 or later | N/A            | 2.0
1.2               | 1.2 or later | N/A            | 1.2
What is FTS4BT?
FTS4BT is a Bluetooth Protocol Analyzer based on Frontline’s
“Frontline Test System”
• FTS is a common platform for a range of data communications
analyzers
FTS4BT
• Captures Bluetooth messages at various points in an application
system
• Decodes the various profile and protocol layers to the “bit level”
• Analyzes error rates and data transmission efficiency
• Extracts pictures, business cards, audio and other high level objects
from a Bluetooth application profile session
Points of Observation
[Diagram, not reproduced: two Bluetooth devices, each with a HOST stack (Profiles, RFCOMM, L2CAP, SDP) connected over a Host Controller Interface to a HOST Controller (Link Controller/Link Manager, Baseband). The diagram marks three capture points: HCI Sniffing on the host-controller transport (USB H2 via a USB Internal Tap or USB ComProbe; Asynchronous Serial via HCI UART H4, 3-Wire UART H5 or BCSP), Virtual Sniffing of the host stack layers (RFCOMM, L2CAP, SDP), and Air Sniffing between the two controllers with the Bluetooth ComProbe.]
Firmware Upgrades
Firmware is available with new software builds. Check whether the FW needs to be upgraded when a new build is installed.
Use the "Bluetooth ComProbe Maintenance Tool" for FW upgrades. The "Bluetooth ComProbe Maintenance Tool" is available in the "Setup Folder" of the FTS4BT Desktop folder.
Steps in the Bluetooth ComProbe Maintenance Tool (screenshots not reproduced):
1. Select Device
2. Check FW Version
3. Update Firmware (the tool will take you to the Firmware path automatically)
4. The tool looks for a driver, as the device in DFU mode is seen as a new device
Bluetooth Air Sniffing
[Screenshot with four numbered callouts; not reproduced]
Bluetooth/802.11 Air Sniffing (Optional)
[Two screenshot slides; not reproduced]
High Speed Serial Sniffing (Optional)
[Screenshot; not reproduced]
Air Sniffing Configurations
Single Connection (Air Basic)
• This configuration should be used when there is one Master device and one Slave device in use
• Either the Standard or the Alternate Clock Synchronization Mode may be chosen
• Only one Bluetooth ComProbe is needed for this configuration
• This configuration can also be used when there is one Master device with multiple Slaves, IF security (encryption) will not be used on any of the links
  • The Bluetooth ComProbe can only decrypt data between a single pair of devices
Interlaced Page Scan (IPS)
This configuration should be used when
• There is one Master device and one Slave device in use, AND
• The Slave device is using Interlaced Page Scan (IPS)
Two Bluetooth ComProbes are needed for this configuration
• One of the ComProbes is configured to follow one of the Inquiry and
Paging Sequences
• The other ComProbe is configured to follow the other Inquiry and
Paging Sequence
Multiple Connections
This configuration should be used when there are multiple
Master devices in use
• In other words, a Scatternet
This configuration is effectively the same as using multiple
copies of Single Connection (Air Basic)
• The difference is that the data for each Master/Slave device pair is in
the same capture file
• The individual Piconets that make up the Scatternet are identified and
tracked separately
A Bluetooth ComProbe is needed for each master in this
configuration
Wi-Fi Coexistence
802.11/Bluetooth Coexistence
This configuration should be used when:
• There is one Master device and one Slave device, AND
• It is desired to capture 802.11 (Wi-Fi) data at the same time
OR, when Bluetooth 3.0 + HS is being used with an 802.11 AMP (Alternate MAC/PHY).
This configuration needs:
• One Bluetooth ComProbe to capture the Bluetooth BR/EDR data
• One Wi-Fi ComProbe to capture the 802.11 data
In this configuration, the Packet Timeline displays the coexistence of BR/EDR packets and 802.11 packets.
Preparing to Use the Air Sniffer
I/O Settings
The I/O Settings dialog is the place to provide information about the device(s) to be sniffed.
Selecting The Bluetooth Devices
The [Device Discovery] button performs an Inquiry process in order to identify nearby devices.
• If a device that you wish to use is not currently discoverable, it will not be found
Once the Inquiry process has completed, the device(s) may be selected in either the Master or Slave drop-down lists.
• The Master and Slave selections refer to each device's role in the piconet
If a device is not discoverable, its Bluetooth Device Address may be entered manually.
Synchronization Modes
FTS4BT provides two synchronization modes:
Standard Mode
• The Slave device must be connectable
• The Slave device does not need to be discoverable
• This mode was formerly known as Slave Page
Alternate Mode
• The Slave device must be discoverable
• The Slave device may be connectable
• This mode was formerly known as Slave Inquiry
Different devices may need different modes:
• Most devices work well with Standard Mode
• For some devices, Alternate Mode is a better choice
• If the Slave device is using Interlaced Page Scanning, then you should use the Interlaced Page Scan (IPS) application
Pairing
• The Pairing process between two Bluetooth devices produces a new
common Link Key
• The Bluetooth ComProbe must be sniffing during the pairing process
so it can calculate the new Link Key
• Failure to learn the new Link Key will cause received packets to be
processed incorrectly if encryption is used on the data link
• If one of the devices has the capability to display its current link key, it
may be entered into the Air Datasource
Authentication And Encryption
• The information needed for the Bluetooth ComProbe to calculate the
correct Link Key during Pairing is entered in the “Encryption” area of
the dialog
• If the Link Key currently in use between the devices is known, it may
be entered into FTS4BT by selecting “Link Key” as the “Pairing
Method”
Authentication And Encryption
If the pair of devices are using Bluetooth Core Specification 2.1 or
later, then
• One of the devices must be in Secure Simple Pairing Debug Mode
• Or, one of the devices must be capable of displaying the Link Key shared
by the devices
• Or, an HCI trace must be taken in order to capture the Link Key
Notification event
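The third option above, taking an HCI trace to catch the Link Key Notification event, comes down to finding that event in the host-controller traffic. The following is an added example, not Frontline's code and not FTS4BT's import format: it walks an H4 (HCI UART) byte stream, one of the transports listed under Points of Observation, and returns the BD_ADDR, link key and key type from each Link Key Notification. The H4 indicator bytes, the event code 0x18, its parameter layout (BD_ADDR, Link_Key, Key_Type) and the least-significant-byte-first address order come from the Bluetooth Core Specification; the trace bytes themselves are constructed for the example.

```python
"""Find Link Key Notification events in an H4 (HCI UART) trace.

Added example, not Frontline code and not FTS4BT's import format. H4 framing
(indicator byte 0x01 command / 0x02 ACL / 0x04 event, then the HCI header)
and the Link Key Notification event (code 0x18: BD_ADDR[6], Link_Key[16],
Key_Type[1], BD_ADDR sent least significant byte first) follow the Bluetooth
Core Specification. The trace bytes below are constructed.
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

H4_COMMAND, H4_ACL, H4_EVENT = 0x01, 0x02, 0x04
H4_HEADER_LEN = {H4_COMMAND: 3, H4_ACL: 4, H4_EVENT: 2}   # bytes after the indicator

EVT_COMMAND_COMPLETE = 0x0E
EVT_LINK_KEY_NOTIFICATION = 0x18
KEY_TYPES = {
    0x00: "Combination Key",
    0x01: "Local Unit Key",
    0x02: "Remote Unit Key",
    0x03: "Debug Combination Key",          # what SSP debug mode produces
    0x04: "Unauthenticated Combination Key (P-192)",
    0x05: "Authenticated Combination Key (P-192)",
    0x06: "Changed Combination Key",
    0x07: "Unauthenticated Combination Key (P-256)",
    0x08: "Authenticated Combination Key (P-256)",
}


@dataclass(frozen=True)
class LinkKeyNotification:
    bd_addr: str        # "00:1B:DC:01:02:03", most significant byte first
    link_key: bytes     # 16 bytes, in the order the controller reported them
    key_type: int

    @property
    def key_type_name(self) -> str:
        return KEY_TYPES.get(self.key_type, f"reserved (0x{self.key_type:02x})")


def iter_h4_packets(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (indicator, payload) per packet. Commands and ACL data are
    walked too, so a mixed host/controller trace does not desynchronise."""
    i, n = 0, len(stream)
    while i < n:
        ind = stream[i]
        if ind not in H4_HEADER_LEN:
            raise ValueError(f"unknown H4 indicator 0x{ind:02x} at offset {i}")
        hdr_len = H4_HEADER_LEN[ind]
        if i + 1 + hdr_len > n:
            raise ValueError(f"truncated H4 header at offset {i}")
        header = stream[i + 1:i + 1 + hdr_len]
        # ACL carries a 16-bit little-endian length; command/event a single byte
        plen = int.from_bytes(header[2:4], "little") if ind == H4_ACL else header[-1]
        end = i + 1 + hdr_len + plen
        if end > n:
            raise ValueError(f"truncated H4 packet at offset {i}")
        yield ind, stream[i + 1:end]
        i = end


def parse_link_key_notification(payload: bytes) -> LinkKeyNotification:
    """payload = event code, parameter length, parameters."""
    code, plen, params = payload[0], payload[1], payload[2:]
    if code != EVT_LINK_KEY_NOTIFICATION or plen != 23 or len(params) != 23:
        raise ValueError("not a well-formed Link Key Notification event")
    bd_addr = ":".join(f"{b:02X}" for b in reversed(params[0:6]))
    return LinkKeyNotification(bd_addr, bytes(params[6:22]), params[22])


def extract_link_keys(stream: bytes) -> List[LinkKeyNotification]:
    return [parse_link_key_notification(p)
            for ind, p in iter_h4_packets(stream)
            if ind == H4_EVENT and p[0] == EVT_LINK_KEY_NOTIFICATION]


def is_well_formed(stream: bytes) -> bool:
    try:
        for _ in iter_h4_packets(stream):
            pass
        return True
    except ValueError:
        return False


# Constructed trace: HCI_Reset command, its Command Complete, an ACL packet,
# then a Link Key Notification for 00:1B:DC:01:02:03 with a Debug Combination Key.
SAMPLE_TRACE = (
    bytes([H4_COMMAND, 0x03, 0x0C, 0x00])                      # HCI_Reset, no params
    + bytes([H4_EVENT, EVT_COMMAND_COMPLETE, 0x04, 0x01, 0x03, 0x0C, 0x00])
    + bytes([H4_ACL, 0x01, 0x20, 0x02, 0x00, 0xAA, 0xBB])      # handle 0x001, 2 data bytes
    + bytes([H4_EVENT, EVT_LINK_KEY_NOTIFICATION, 0x17])
    + bytes([0x03, 0x02, 0x01, 0xDC, 0x1B, 0x00])              # BD_ADDR, LSB first
    + bytes(range(0x10, 0x20))                                 # constructed 16-byte key
    + bytes([0x03])                                            # Key_Type: debug combination key
)

if __name__ == "__main__":
    for k in extract_link_keys(SAMPLE_TRACE):
        print(k.bd_addr, k.link_key.hex(), k.key_type_name)
```

The key type is worth keeping alongside the key: a Debug Combination Key confirms the peer was in SSP debug mode, which is the condition the slides say FTS4BT needs. The same parse also shows why the host-controller transport deserves the same protection as the key store: the link key crosses it in the clear in every Link Key Notification.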
How Encryption Works in Bluetooth
The sequence of events used to create the link key, called "the pairing process", is shown on the LMP filter tab (screenshot not reproduced here).
How FTS4BT Decrypts Data
FTS4BT must use the same link key as the devices being sniffed. The link key is calculated during the Pairing process only. The link key is never transmitted over the air, so FTS4BT must capture (sniff) the Pairing session in order to calculate the same link key as is calculated on the devices that are being paired.
Two Types of Encryption (Legacy and SSP)
The spec is backward compatible. SSP is implemented on v2.1 devices.
Secure Simple Pairing (SSP)
• A new, different method of encryption/decryption
• All devices with the v2.1 spec and above must use SSP
• To successfully decrypt SSP traffic in FTS4BT, at least one device MUST be in DEBUG MODE
  • Debug mode is mandatory in core specification v2.1
  • It is not mandatory for a device to support debug mode
• If debug mode is not available, then the Link Key may be found:
  • A) from an HCI trace
  • B) from an in-house tool
• It is possible to insert the Link Key manually
How FTS4BT Decrypts Data
To decrypt (legacy PIN pairing), FTS4BT must know the PIN code and capture:
• The LMP_in_rand request and its accept
• Both (Master and Slave) LMP_comb_key PDUs
• Both (Master and Slave) LMP_au_rand/LMP_sres exchanges
If any of these packets are missed by FTS4BT, the wrong Link Key will be calculated and FTS4BT decryption will fail, because FTS4BT will not have the same Link Key as is used in the Piconet.
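The reason the list above is all-or-nothing is the structure of legacy pairing: the link key is never sent, only PIN-masked random values are, so an observer can reproduce it only with the PIN and every one of those PDUs, and the au_rand/sres exchange is what lets it confirm the result. The following simulation is an added example, not Frontline's code. The E22/E21/E1 functions of the specification are SAFER+ based; here they are replaced by HMAC-SHA256 stand-ins (an assumption, so that the message flow rather than the cipher is what is shown), and the addresses, PIN and random values are constructed.

```python
"""Why a sniffer must see the whole legacy pairing (and know the PIN).

Added example, not Frontline code. The Bluetooth E22/E21/E1 functions are
SAFER+ based; here they are stand-ins built on HMAC-SHA256 (an assumption,
so that the message flow, not the cipher, is what the example shows).
Addresses, PIN and random values are constructed.
"""
import hashlib
import hmac
import random
from typing import Callable, Dict, List, Optional, Tuple

Pdu = Dict[str, object]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _prf(label: bytes, *parts: bytes) -> bytes:
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()[:16]


# Stand-ins for the spec's key functions (same inputs, different primitive).
def e22_stub(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:      # init key K_init
    return _prf(b"E22", pin, bd_addr, in_rand)


def e21_stub(lk_rand: bytes, bd_addr: bytes) -> bytes:                  # per-device share
    return _prf(b"E21", lk_rand, bd_addr)


def e1_stub(link_key: bytes, bd_addr: bytes, au_rand: bytes) -> bytes:  # 32-bit SRES
    return _prf(b"E1", link_key, bd_addr, au_rand)[:4]


def deterministic_rng(seed: int) -> Callable[[int], bytes]:
    r = random.Random(seed)
    return lambda n: bytes(r.getrandbits(8) for _ in range(n))


def legacy_pairing(pin, addr_m, addr_s, rng) -> Tuple[bytes, List[Pdu]]:
    """Combination-key pairing between master (M) and slave (S). Returns the
    shared link key and the LMP PDUs that actually went over the air."""
    air: List[Pdu] = []
    in_rand = rng(16)
    air.append({"op": "LMP_in_rand", "from": "M", "rand": in_rand})
    air.append({"op": "LMP_accepted", "from": "S"})
    k_init = e22_stub(pin, addr_s, in_rand)          # computed on both sides, never sent
    lk_rand_m, lk_rand_s = rng(16), rng(16)
    air.append({"op": "LMP_comb_key", "from": "M", "masked": xor(lk_rand_m, k_init)})
    air.append({"op": "LMP_comb_key", "from": "S", "masked": xor(lk_rand_s, k_init)})
    link_key = xor(e21_stub(lk_rand_m, addr_m), e21_stub(lk_rand_s, addr_s))
    # Mutual authentication: each side challenges, the other answers with SRES.
    for challenger, responder, resp_addr in (("M", "S", addr_s), ("S", "M", addr_m)):
        au_rand = rng(16)
        air.append({"op": "LMP_au_rand", "from": challenger, "rand": au_rand})
        air.append({"op": "LMP_sres", "from": responder,
                    "sres": e1_stub(link_key, resp_addr, au_rand)})
    return link_key, air


def sniffer_link_key(captured, pin, addr_m, addr_s) -> Optional[bytes]:
    """What a passive observer that knows the PIN can recompute.
    None means a PDU the calculation depends on was not captured."""
    in_rand = next((p["rand"] for p in captured if p["op"] == "LMP_in_rand"), None)
    comb = {p["from"]: p["masked"] for p in captured if p["op"] == "LMP_comb_key"}
    if in_rand is None or "M" not in comb or "S" not in comb:
        return None
    k_init = e22_stub(pin, addr_s, in_rand)
    return xor(e21_stub(xor(comb["M"], k_init), addr_m),
               e21_stub(xor(comb["S"], k_init), addr_s))


def sres_matches(captured, candidate, addr_m, addr_s) -> bool:
    """Check a candidate key against the captured au_rand/sres pairs. A key
    derived from the wrong PIN fails here, so the mismatch is detectable."""
    challenges: Dict[str, bytes] = {}
    checked = 0
    for p in captured:
        if p["op"] == "LMP_au_rand":
            challenges[p["from"]] = p["rand"]
        elif p["op"] == "LMP_sres":
            challenger = "S" if p["from"] == "M" else "M"
            au_rand = challenges.get(challenger)
            resp_addr = addr_m if p["from"] == "M" else addr_s
            if au_rand is None or e1_stub(candidate, resp_addr, au_rand) != p["sres"]:
                return False
            checked += 1
    return checked == 2


ADDR_M = bytes.fromhex("001bdc010203")   # constructed addresses
ADDR_S = bytes.fromhex("001bdc0a0b0c")


def demo(pin: bytes = b"0000", seed: int = 7) -> Dict[str, bool]:
    key, air = legacy_pairing(pin, ADDR_M, ADDR_S, deterministic_rng(seed))
    full = sniffer_link_key(air, pin, ADDR_M, ADDR_S)
    missed = [p for p in air if not (p["op"] == "LMP_comb_key" and p["from"] == "S")]
    wrong_pin = sniffer_link_key(air, b"1234", ADDR_M, ADDR_S)
    return {
        "link_key_ever_on_air": any("link_key" in p for p in air),
        "full_capture_key_matches": full == key,
        "full_capture_passes_sres": sres_matches(air, full, ADDR_M, ADDR_S),
        "missed_comb_key_gives_key": sniffer_link_key(missed, pin, ADDR_M, ADDR_S) is not None,
        "wrong_pin_passes_sres": sres_matches(air, wrong_pin, ADDR_M, ADDR_S),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the four facts the slide relies on: nothing on the air carries the key, a complete capture with the right PIN reproduces it, dropping one comb_key PDU makes the calculation impossible, and a wrong PIN yields a key that fails the sres check, which is the "wrong Link Key will be calculated" case. The same structure is also why SSP replaced PIN pairing: with a short PIN the whole secret sits in four digits.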
Failure to Decrypt
If FTS4BT doesn't have all the information it needs, it won't be able to calculate the link key correctly.
In the example (screenshot not reproduced), after frame 24, the LMP Opcode "Start Encryption Request", all following frames are shown as bad (red) packets.
This is a good indication that the sniffer is unable to decrypt any payload data in the baseband packets after encryption is enabled within the piconet.
Example of LMP for SSP Pairing
[Screenshot of the LMP exchange for an SSP pairing; not reproduced] One device MUST be in Debug Mode.
Capturing Data From The Air
Starting Data Capture
Once the information in the I/O Settings dialog has been completed, the [Start Sniffing] button initiates data capture.
The icon on the Air Datasource window (and in the system tray) indicates the state of capture:
• (Clear) Data capture is not active
• (Red) The Bluetooth ComProbe is attempting to synchronize with the selected device
• (Green) The Bluetooth ComProbe is synchronized to the Slave, and waiting for the Master device to initiate a connection
• (Blue) A Bluetooth connection exists and data is being captured
• (Yellow) The Air Datasource is about to resynchronize with the selected device
Resynchronization
Bluetooth devices that are not currently active in a connection
operate independently
This independence means that after some period of time the
Bluetooth ComProbe will not be able to detect a connection
initiation from the Master device (clock drift).
To correct for this, the Air Datasource resynchronizes with the
target device every 30 seconds
• A warning that this is about to happen is indicated by the status icon
turning yellow five seconds before the resynchronization
Common Problems While Air Sniffing
Inability To Synchronize With The Master Device
The most common causes for this type of problem include:
• Selection of the wrong device address
• The surrounding environment is RF "noisy"
• The Master and Slave devices are too far apart
  • This results in higher transmission power levels, which may overwhelm the Bluetooth ComProbe
• The Master and Slave devices are too close to each other
  • This results in lower transmission power levels, which may not reach the Bluetooth ComProbe
• Interlaced Page Scanning is being used
  • This can result in the Bluetooth ComProbe listening to the wrong set of paging frequencies
All Packets Are Captured With Errors
This most commonly occurs after the Master and Slave initiate
encryption on the link
In this case, the captured packets are not being decrypted
properly. This can be caused by
• Entering the wrong PIN Code or not entering a PIN Code
• Failing to capture the Pairing process
• Devices re-executing the Pairing process when the Bluetooth
ComProbe wasn’t listening
All Packets Are Captured With Errors
This can usually be confirmed by looking at the last packet in the LMP tab:
• The last packet seen is an LMP_start_encryption_req
• All following packets (except NULLs and POLLs) have length and CRC errors
It is possible that some number of packets immediately following an LMP_start_encryption_req will not be properly decrypted.
• Prioritized Decryption can be used to minimize the number of such packets
• Prioritized Decryption can cause packets to not be captured
• Prioritized Decryption is enabled on the Advanced I/O Settings
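The two confirmation rules above (last decoded LMP PDU is LMP_start_encryption_req; every later payload-carrying frame, NULLs and POLLs excepted, has length and CRC errors) and the "only the first few frames are bad" case that Prioritized Decryption addresses are simple enough to check mechanically. The following is an added example, not Frontline's code: it reads a constructed, whitespace-separated summary of what the LMP tab shows and returns which of the three situations the capture is in. The column layout is this example's own assumption, not an FTS4BT export format.

```python
"""Triage an air capture for the 'all packets bad after encryption' symptom.

Added example, not Frontline code. The input is a constructed, whitespace
separated summary of what the LMP tab shows (frame number, baseband packet
type, direction, LMP PDU or '-', error flags); the column layout is this
example's own assumption, not an FTS4BT export format.
"""
from dataclasses import dataclass
from typing import Dict, List

NO_PAYLOAD_TYPES = {"NULL", "POLL"}   # carry no payload, so never show payload errors
ENCRYPTION_START = "LMP_start_encryption_req"


@dataclass
class Frame:
    number: int
    pkt_type: str
    direction: str
    lmp: str            # LMP PDU name, or "-" for a frame that is not (decodable) LMP
    errors: List[str]   # e.g. ["len", "crc"]; empty when the frame decoded cleanly


def parse_capture(text: str) -> List[Frame]:
    frames = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        num, ptype, direction, lmp, status = line.split()
        errors = [] if status == "ok" else status.split(",")
        frames.append(Frame(int(num), ptype, direction, lmp, errors))
    return frames


def triage(frames: List[Frame]) -> Dict[str, object]:
    """Apply the slide's rule: after the last LMP_start_encryption_req, do all
    payload-carrying frames fail, only the first few, or none?"""
    starts = [f for f in frames if f.lmp == ENCRYPTION_START]
    if not starts:
        return {"verdict": "no_encryption_start", "start_frame": None, "bad": 0, "checked": 0}
    start = starts[-1].number
    after = [f for f in frames if f.number > start and f.pkt_type not in NO_PAYLOAD_TYPES]
    bad = [f for f in after if f.errors]
    if any(f.lmp != "-" for f in after):
        verdict = "ok"                      # LMP still decodes, so the link key is right
    elif not after:
        verdict = "undetermined"
    elif len(bad) == len(after):
        verdict = "decryption_failure"      # sniffer's link key differs from the piconet's
    elif bad == after[:len(bad)]:
        verdict = "transient_after_start"   # only the first frames lost; Prioritized Decryption helps
    else:
        verdict = "intermittent_errors"     # not the decryption symptom; look at RF conditions
    return {"verdict": verdict, "start_frame": start, "bad": len(bad), "checked": len(after)}


# Constructed captures. Columns: frame type dir lmp status
FAILED_CAPTURE = """\
# frame type dir  lmp                          status
22   DM1  S->M LMP_sres                     ok
23   DM1  M->S LMP_encryption_key_size_req  ok
24   DM1  M->S LMP_start_encryption_req     ok
25   POLL M->S -                            ok
26   DH1  S->M -                            len,crc
27   NULL S->M -                            ok
28   DH3  M->S -                            len,crc
29   DH1  M->S -                            len,crc
"""

TRANSIENT_CAPTURE = """\
24   DM1  M->S LMP_start_encryption_req     ok
25   DH1  S->M -                            len,crc
26   DH1  M->S -                            len,crc
27   DH1  S->M -                            ok
28   DH3  M->S -                            ok
"""

HEALTHY_CAPTURE = """\
24   DM1  M->S LMP_start_encryption_req     ok
25   DM1  S->M LMP_accepted                 ok
26   DH1  M->S -                            ok
"""

if __name__ == "__main__":
    for name, text in (("failed", FAILED_CAPTURE), ("transient", TRANSIENT_CAPTURE),
                       ("healthy", HEALTHY_CAPTURE)):
        print(name, triage(parse_capture(text)))
```

On the failed capture the result is the slide's symptom exactly (three payload frames after frame 24, all three bad), while the transient capture separates the case where only the frames immediately after LMP_start_encryption_req are lost, which is the one Prioritized Decryption is meant for rather than a wrong link key.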
The Analyzer Asks For Help Decoding
Packets are decoded based on information that was discovered earlier in the connection.
• If there is missing information earlier in the session, the decoder subsystem may ask for help
Missing information may be caused by:
• Packets not being decrypted
  • See Prioritized Decryption on the previous slide
• Clearing the capture buffer during a connection
• The sniffer missing the SDP information