-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SMP timeout leading disconnection with Android 13 #567
Comments
From the looks of it we were assuming hcon->out to mean central, but the SMP never says the central to correspond to initiator: BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part H Figure 2.1: LE pairing phases So we need to check who actually sends the Pairing Request and properly mark is as iniatiator, that said it is probably recommended that only one side start the pairing procedure in which case the central probably needs to have priority over this, so when we act as peripheral we shall just send a Security_Request. @NJNXP Can you please include the HCI/btmon traces as well? |
Hello @Vudentz, Thanks in advance. Warm Regards |
SMP initiator role shall be considered the one that initiates the pairing procedure with SMP_CMD_PAIRING_REQ: BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part H page 1557: Figure 2.1: LE pairing phases Note that by sending SMP_CMD_SECURITY_REQ it doesn't change the role to be Initiator. Link: bluez/bluez#567 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
SMP initiator role shall be considered the one that initiates the pairing procedure with SMP_CMD_PAIRING_REQ: BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part H page 1557: Figure 2.1: LE pairing phases Note that by sending SMP_CMD_SECURITY_REQ it doesn't change the role to be Initiator. Link: bluez/bluez#567 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
SMP initiator role shall be considered the one that initiates the pairing procedure with SMP_CMD_PAIRING_REQ: BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part H page 1557: Figure 2.1: LE pairing phases Note that by sending SMP_CMD_SECURITY_REQ it doesn't change the role to be Initiator. Link: bluez/bluez#567 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@NJNXP have a look if the patch above fixes the problem, we may need to double check if there isn't any test on SMP testing that affects this change before we merge it though. |
Hi @Vudentz, I tested the changes done and following are the observations:-
Attaching logs for all three devices which contains bluetoothctl, bluetoothd and btmon. Thanks, |
@purendra-singh thanks for testing, we may need to run SMP PTS tests just to be safe, can you do that? |
Hi @Vudentz, Currently dont have compatible dongle to perform the SMP PTS test. Could you please provide us the link to the dongle which is used to do the PTS test for BREDR, so that we can procure it and use it for future test cases if required. Thanks, |
Description:
Advertise from : Mobile Phone
Scan from : Linux Bluez DUT (bluetoothctl)
Android 13 phones are connected as master during pairing process, and this conflicts with the keys exchange process that leads to SMP timeout. In comparison, Android 12 or iPhone act as slaves during the pairing process; hence the issue is not observed with them.
As per Bluetooth specs, an Initiator(master) sends smp pairing request command (in which keys that the initiator requests to share and keys it demands from the responder/slave are mentioned).
![image](https://private-user-images.githubusercontent.com/122077213/257209504-06e51d36-ba25-430c-b9ad-836a997b3b5e.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjAzMjUyODUsIm5iZiI6MTcyMDMyNDk4NSwicGF0aCI6Ii8xMjIwNzcyMTMvMjU3MjA5NTA0LTA2ZTUxZDM2LWJhMjUtNDMwYy1iOWFkLTgzNmE5OTdiM2I1ZS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzA3JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcwN1QwNDAzMDVaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT00M2Y1YjhmMjliMGM5NjAwMTZkOTM5NDhjZTJhNGU1OGY4Y2RlZWEzZWIxNjQ1M2VhZDhhNTc5YmNmYjliZGNiJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.m9PqfFPSdrZ66hLhuD3-HXRrVqxbtiKlGNSKoVRhT6o)
In return, the responder sends smp pairing response (in which it sends keys that shall be shared by the initiator and keys which the responder shall share).
![image](https://private-user-images.githubusercontent.com/122077213/257209662-a4282d5d-fe8e-4d9d-96a0-5d88b9be1a9d.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjAzMjUyODUsIm5iZiI6MTcyMDMyNDk4NSwicGF0aCI6Ii8xMjIwNzcyMTMvMjU3MjA5NjYyLWE0MjgyZDVkLWZlOGUtNGQ5ZC05NmEwLTVkODhiOWJlMWE5ZC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzA3JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcwN1QwNDAzMDVaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT05ZDRhMDJhODU5NTZlZmI1ZWQzZTFhNDY4MjMxODFkYzNmYTRmZGI1ZGJiN2E5OTJhYmYwNjE1Mzk2MWQ0NzkwJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.on_mPOvw84X0iC1tGw0-zR9Zo39e86ViXA-blKMzu8E)
According to the specs, after the pairing response is sent, the responder/slave shall send its keys first (whichever is mentioned in the responder key distribution field of the pairing response).
Till android 12, all phones were connecting as slaves when the connection was initiated from the DUT, and the link was successful as phones were not changing their roles to master until all the SMP commands and key exchanges were complete. Starting from Android 13, phones sent role change orders after the DUT initiated the connection and became master.
Analysis and Fix
Analysis
Please find the code screenshot for reference: - (linux-kernel/net/bluetooth/smp.c)
![image](https://private-user-images.githubusercontent.com/122077213/257209756-7f0d21a1-c788-4c4c-b3f8-c101ad8f90b0.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjAzMjUyODUsIm5iZiI6MTcyMDMyNDk4NSwicGF0aCI6Ii8xMjIwNzcyMTMvMjU3MjA5NzU2LTdmMGQyMWExLWM3ODgtNGM0Yy1iM2Y4LWMxMDFhZDhmOTBiMC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzA3JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcwN1QwNDAzMDVaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01NDAwZThlZDM5ZWM3N2Y3YjVlZmYyMWVhZjEyNjJlYTU0MmZhZmI1N2NjYjRkNDBhOTdhMmQ0ZTc5Y2RiZDYzJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.JVPSFvyTxH_fTvnd1Io1ohbhLLODYJf0cNBK5OdXeXA)
Fix:
![image](https://private-user-images.githubusercontent.com/122077213/257209850-1fa171b6-7b34-4d29-a620-94eb180c7d33.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjAzMjUyODUsIm5iZiI6MTcyMDMyNDk4NSwicGF0aCI6Ii8xMjIwNzcyMTMvMjU3MjA5ODUwLTFmYTE3MWI2LTdiMzQtNGQyOS1hNjIwLTk0ZWIxODBjN2QzMy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzA3JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcwN1QwNDAzMDVaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0yZmQ1ZjI3NjY2NzVmNWQ1OWY5NDc3ZmI1OGRjYmI3MDRlMjk1YjNiYTgxMDNiNDQ0NGVhMjZhNmExNzllNzQwJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.Po0vD_Zm4xSlCU9CAseuV_uWLQ0UDy0S309KqsgjTJo)
After putting a check for the role, the connection is maintained and keys are appropriately distributed according to specs (checked with pixel 7 phones), and the connection is maintained.
Consequence of fix:
On Samsung phones with Android 13, we are facing issues during first-time connection, even with this patch. Later, the connection is sustained.
The text was updated successfully, but these errors were encountered: