1

Welcome to Redmond, Washington, March 3, 2011

2

Agenda

9:00 - 9:15 Introduction and Logistics

9:15 - 10:30 Bluetooth® Protocol; Classic and Low Energy

10:30 - 10:45 Break

10:45 - 12:00 Bluetooth Protocol

12:00 - 1:00 Lunch

1:00 - 1:45 Frontline-Centric Bluetooth Protocol

1:45 - 2:30 Frontline 101

2:30 - 3:00 Break

3:00 - 3:45 Frontline 202

3:45 - 4:30 BT / Wi-Fi; USB / HCI; BT Robustness; Dual Mode

4:30 - 4:45 Wrap-up

3

Bluetooth Fun Facts

The name Bluetooth is derived from the cognomen of a 10th century king, Harald Bluetooth, King of Denmark and Norway from 935 and 936 respectively, to 940. He is known for his unification of warring tribes from Denmark (including Scania, present-day Sweden, where the Bluetooth technology was invented) and Norway.

Bluetooth likewise was intended to unify different technologies like computers and mobile phones. The name may have been inspired less by the historical Harald than the loose interpretation of him in The Long Ships by Frans Gunnar Bengtsson, a Swedish best-selling Viking-inspired novel. The Bluetooth logo merges the Nordic runes analogous to the modern Latin H and B.

H = Haglaz, B = Berkanan

4

About Frontline Test Equipment

• Founded in 1985

• Over 40,000 units shipped

• #1 seller is FTS4BT Classic O-T-A (over-the-air)

• Thousands of global customers

• Sales and support in San Jose, CA

• Headquarters in Charlottesville, VA

Charlottesville is located at the foothills of the Blue Ridge Mountains in the Commonwealth of Virginia. The City is named after Princess Sophia Charlotte of Mecklenburg-Strelitz, the wife of King George III of England. The area has an incredibly rich history that draws millions of visitors every year to Monticello, home of Thomas Jefferson, Ashlawn-Highlands, home of James Monroe, and Montpelier, home of James Madison as well as the renowned University of Virginia.

5

Bluetooth Specifications

Bluetooth 2.0 + EDR: Introduced Enhanced Data Rate, data transfer up to 3 Mbps. Useful for stereo (A2DP) transmissions

Bluetooth 2.1 + EDR: Includes Secure Simple Pairing (SSP), making it easier for users to pair devices

Bluetooth 3.0 + HS: Allows for high speed transfer of data over an alternate MAC/PHY, in this case 802.11

Bluetooth 4.0: The new name for Bluetooth low energy. For transferring small amounts of data infrequently. Longer battery life. Typical applications are medical and sports and fitness

6

Version/Host/Controller Matrix

How to determine the specification version of an End Product when combining hosts and controllers conforming to different specification releases.

BR/EDR Controller | Host         | AMP Controller | Design Core Version
3.0 (with EDR)    | 3.0 + HS     | 3.0 + HS       | 3.0 + HS
3.0 (with EDR)    | 2.1 + EDR    | N/A            | 2.1 + EDR
3.0 (with EDR)    | 2.0 + EDR    | N/A            | 2.0 + EDR
3.0 (with EDR)    | 1.2          | N/A            | 2.0 + EDR
3.0               | 3.0 + HS     | 3.0 + HS       | 3.0
3.0               | 3.0 + HS     | Not present    | 3.0
3.0               | 3.0          | N/A            | 3.0
3.0               | 2.1 + EDR    | N/A            | 2.1
3.0               | 2.0 + EDR    | N/A            | 2.0
3.0               | 1.2          | N/A            | 2.0
2.1 + EDR         | 3.0 + HS     | 3.0 + HS       | 3.0 + HS
2.1 + EDR         | 3.0 + HS     | Not present    | 3.0
2.1 + EDR         | 3.0          | N/A            | 3.0
2.1 + EDR         | 2.1 + EDR    | N/A            | 2.1 + EDR
2.1 + EDR         | 2.0 + EDR    | N/A            | 2.0 + EDR
2.1 + EDR         | 1.2          | N/A            | 2.0 + EDR
2.0 + EDR         | 1.2 or later | N/A            | 2.0 + EDR
2.1               | 3.0 + HS     | 3.0 + HS       | 3.0
2.1               | 3.0 + HS     | Not present    | 3.0
2.1               | 3.0          | N/A            | 3.0
2.1               | 2.1 + EDR    | N/A            | 2.1
2.1               | 2.0 + EDR    | N/A            | 2.0
2.1               | 1.2          | N/A            | 2.0
2.0               | 1.2 or later | N/A            | 2.0
1.2               | 1.2 or later | N/A            | 1.2

7

What is FTS4BT?

FTS4BT is a Bluetooth Protocol Analyzer based on Frontline’s “Frontline Test System”

• FTS is a common platform for a range of data communications analyzers

FTS4BT

• Captures Bluetooth messages at various points in an application system

• Decodes the various profile and protocol layers to the “bit level”

• Analyzes error rates and data transmission efficiency

• Extracts pictures, business cards, audio and other high level objects from a Bluetooth application profile session

8

Points of Observation

(Diagram.) Bluetooth Device 1 and Bluetooth Device 2 each consist of a Host stack (Profiles, RFCOMM, SDP, L2CAP) connected over HCI (the Host Controller Interface) to a Host Controller (Link Controller/Link Manager, Baseband). FTS4BT can observe the traffic at the following points:

• Air Sniffing: a Bluetooth ComProbe on the radio link between the two devices

• HCI Sniffing over USB: USB ComProbe (H2) or USB Internal Tap (H2)

• HCI Sniffing over Asynchronous Serial: HCI UART (H4), 3-Wire UART (H5), BCSP

• Virtual Sniffing

9

Firmware Upgrades

Firmware is available with new software builds. Check to see if FW needs to be upgraded with new build.

Use “Bluetooth ComProbe Maintenance Tool” for FW upgrades.

“Bluetooth ComProbe Maintenance Tool” available in “Setup Folder” of FTS4BT Desktop folder.

10

Firmware Upgrades (Bluetooth ComProbe Maintenance Tool)

(Screenshot) Select Device, then Check FW Version

11

Firmware Upgrades

(Screenshot) Update Firmware will take you to the Firmware path automatically

12

Firmware Upgrades

(Screenshot) A driver search starts, because the ComProbe in DFU mode is enumerated as a new device.


14

Bluetooth Air Sniffing

(Diagram with numbered steps 1 to 4)

15

Bluetooth/802.11 Air Sniffing (Optional)

16

Bluetooth/802.11 Air Sniffing (Optional)

17

High Speed Serial Sniffing (Optional)

18

Air Sniffing Configurations

19

Single Connection (Air Basic)

• This configuration should be used when there is one Master device and one Slave device in use

• Either the Standard or the Alternate Clock Synchronization Mode may be chosen

• Only one Bluetooth ComProbe is needed for this configuration

• This configuration can also be used when there is one Master device with multiple Slaves, IF security (encryption) will not be used on any of the links

• The Bluetooth ComProbe can only decrypt data between a single pair of devices

20

Interlaced Page Scan (IPS)

This configuration should be used when

• There is one Master device and one Slave device in use, AND

• The Slave device is using Interlaced Page Scan (IPS)

Two Bluetooth ComProbes are needed for this configuration

• One of the ComProbes is configured to follow one of the Inquiry and Paging Sequences

• The other ComProbe is configured to follow the other Inquiry and Paging Sequence

21

Multiple Connections

This configuration should be used when there are multiple Master devices in use

• In other words, a Scatternet

This configuration is effectively the same as using multiple copies of Single Connection (Air Basic)

• The difference is that the data for each Master/Slave device pair is in the same capture file

• The individual Piconets that make up the Scatternet are identified and tracked separately

A Bluetooth ComProbe is needed for each master in this configuration

26

Wi-Fi Coexistence

27

802.11/Bluetooth Coexistence

This configuration should be used when

• There is one Master device and one Slave device, AND

• It is desired to capture 802.11 (Wi-Fi) data at the same time

OR, when Bluetooth 3.0 + HS is being used with an 802.11 AMP (Alternate MAC/PHY)

This configuration needs

• One Bluetooth ComProbe to capture the Bluetooth BR/EDR data

• One Wi-Fi ComProbe to capture the 802.11 data

In this configuration, the Packet Timeline displays the coexistence of the BR/EDR packets and the 802.11 packets

28

Preparing to Use the Air Sniffer

29

I/O Settings

The I/O Settings dialog is the place to provide information about the device(s) to be sniffed.

30

Selecting The Bluetooth Devices

The [Device Discovery] button will perform an Inquiry process in order to identify nearby devices

• If a device that you wish to use is not currently discoverable, it will not be found

Once the Inquiry process has completed, the device(s) may be selected in either the Master or Slave drop down lists

• The Master and Slave selections refer to each device's role in the piconet

If a device is not discoverable, its Bluetooth Device Address may be entered manually

31

Synchronization Modes

FTS4BT provides two synchronization modes:

Standard Mode

• The Slave device must be connectable

• The Slave device does NOT need to be discoverable

• This mode was formerly known as Slave Page

Alternate Mode

• The Slave device must be discoverable

• The Slave device may be connectable

• This mode was formerly known as Slave Inquiry

32

Synchronization Modes

Different devices may need different modes

• Most devices work well with Standard Mode

• For some devices, Alternate Mode is a better choice

• If the Slave device is using Interlaced Page Scanning, then you should use the Interlaced Page Scan (IPS) application.

33

Pairing

• The Pairing process between two Bluetooth devices produces a new common Link Key

• The Bluetooth ComProbe must be sniffing during the pairing process so it can calculate the new Link Key

• Failure to learn the new Link Key will cause received packets to be processed incorrectly if encryption is used on the data link

• If one of the devices has the capability to display its current link key, it may be entered into the Air Datasource

34

Authentication And Encryption

• The information needed for the Bluetooth ComProbe to calculate the correct Link Key during Pairing is entered in the “Encryption” area of the dialog

• If the Link Key currently in use between the devices is known, it may be entered into FTS4BT by selecting “Link Key” as the “Pairing Method”

35

Authentication And Encryption

If the pair of devices are using Bluetooth Core Specification 2.1 or later, then

• One of the devices must be in Secure Simple Pairing Debug Mode

• Or, one of the devices must be capable of displaying the Link Key shared by the devices

• Or, an HCI trace must be taken in order to capture the Link Key Notification event

36

How Encryption Works in Bluetooth

The sequence of events used to create the link key, called “the pairing process”, is shown below on the LMP filter Tab.

37

How FTS4BT Decrypts Data

FTS4BT must use the same link key as the devices being sniffed. The link key is calculated during the pairing process only.

The link key is never transmitted over the air, so FTS4BT must capture (sniff) the pairing session in order to calculate the same link key that the devices being paired calculate.

38

Two Types of Encryption (Legacy and SSP)

SSP implemented on V2.1 devices

Spec is backward compatible

39

Secure Simple Pairing (SSP)

• New, different method of encryption/decryption

• All devices with V2.1 spec and above must use SSP

• To successfully decrypt SSP on FTS4BT, at least one device MUST be in DEBUG MODE.

• Debug mode is mandatory on core specification V2.1

• It is not mandatory for a device to support debug mode.

• If debug mode is not available, then the Link Key may be found:

  • A) From an HCI trace.

  • B) From an in-house tool

• Possible to insert the Link Key manually.
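The slide states the rule (one device must be in Debug Mode) without the reason. Secure Simple Pairing derives the link key from a Diffie-Hellman exchange, so a passive analyzer sees both public keys but cannot compute the shared secret; Debug Mode makes a device use the fixed private key published in the Core Specification, which is exactly what lets an analyzer that knows that key complete the exchange. The model below is an added example, not Frontline code and not the spec's algorithm: real SSP uses elliptic-curve Diffie-Hellman on P-192 and the f2/f3 key functions, while this uses plain Diffie-Hellman over a toy prime and SHA-256, and `DEBUG_PRIVATE_KEY`, `ADDR_A` and `ADDR_B` are constructed placeholders. It also includes the check a product security reviewer wants: a shipping device whose public key equals the debug public key is pairing in debug mode.

```python
"""Why one device must be in SSP Debug Mode for an analyzer to decrypt.

Added example, not Frontline code.  Toy Diffie-Hellman stands in for the
spec's P-192 ECDH; SHA-256 stands in for f2; the debug key is a constructed
placeholder, not the value from the Core Specification.
"""
import hashlib
import secrets

P = 2**127 - 1                 # toy DH modulus (a Mersenne prime); NOT a secure group
G = 3                          # toy generator
DEBUG_PRIVATE_KEY = 0x0123456789ABCDEF0123456789ABCDEF   # constructed placeholder
DEBUG_PUBLIC_KEY = pow(G, DEBUG_PRIVATE_KEY, P)          # what a debug-mode device sends

# Constructed device addresses, fed into the key derivation like BD_ADDRs.
ADDR_A = bytes.fromhex("001122334455")
ADDR_B = bytes.fromhex("66778899aabb")


def keypair(private=None):
    """Return (private, public).  A debug-mode device passes the fixed key."""
    priv = private if private is not None else secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dhkey(my_private, peer_public):
    """Diffie-Hellman shared secret (stand-in for the spec's DHKey)."""
    return pow(peer_public, my_private, P)


def derive_link_key(shared, addr_a, addr_b):
    """Stand-in for f2: link key from DHKey and the two device addresses."""
    return hashlib.sha256(shared.to_bytes(16, "big") + addr_a + addr_b).digest()[:16]


def device_in_debug_mode(public_key):
    """Defender check: a device advertising the debug public key lets anyone
    who knows the published private key complete its pairing exchange.
    Expected on a test bench, a finding on a shipping product."""
    return public_key == DEBUG_PUBLIC_KEY


def ssp_exchange(a_debug_mode=False):
    """Run the public-key exchange.  Returns the link keys computed by device A,
    device B, and by a passive analyzer that sees only the two public keys
    (None when the analyzer cannot complete the exchange)."""
    priv_a, pub_a = keypair(DEBUG_PRIVATE_KEY if a_debug_mode else None)
    priv_b, pub_b = keypair()
    lk_a = derive_link_key(dhkey(priv_a, pub_b), ADDR_A, ADDR_B)
    lk_b = derive_link_key(dhkey(priv_b, pub_a), ADDR_A, ADDR_B)

    analyzer_lk = None
    if device_in_debug_mode(pub_a):
        analyzer_lk = derive_link_key(dhkey(DEBUG_PRIVATE_KEY, pub_b), ADDR_A, ADDR_B)
    elif device_in_debug_mode(pub_b):
        analyzer_lk = derive_link_key(dhkey(DEBUG_PRIVATE_KEY, pub_a), ADDR_A, ADDR_B)
    return lk_a, lk_b, analyzer_lk


if __name__ == "__main__":
    for mode in (False, True):
        lk_a, lk_b, lk_sniff = ssp_exchange(a_debug_mode=mode)
        print(f"debug mode on A: {mode}; devices agree: {lk_a == lk_b}; "
              f"analyzer has the key: {lk_sniff == lk_a}")
```

The two devices always agree on the key; the analyzer only obtains it when one public key matches the debug public key, which is the same condition the slide's "one device MUST be in Debug Mode" expresses.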

40

How FTS4BT Decrypts Data

To decrypt, FTS4BT must know the PIN code and capture:

• The LMP Opcode in_rand request and accept

• Both (Master and Slave) LMP Opcodes comb_keys

• Both (Master and Slave) LMP Opcodes au_rand/sres

If any of these packets are missed by FTS4BT, the wrong Link Key will be calculated and FTS4BT decryption will fail, because FTS4BT will not have the same Link Key as is used in the Piconet.
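The dependency the slide describes can be made concrete by following the legacy pairing data flow: IN_RAND and the PIN give K_init; each LMP_comb_key carries a random LK_RAND masked with K_init; the link key is the XOR of the two unit keys computed from those randoms; and the au_rand/sres pair is the only thing that tells the analyzer whether the key it derived is right. The model below is an added example, not Frontline code. The spec's E22, E21 and E1 functions are SAFER+-based and are replaced here by HMAC-SHA256 stand-ins (the names `e22_init_key`, `e21_unit_key`, `e1_sres`, `legacy_pairing` and `analyzer_link_key` are this example's own), and the spec's rule for which BD_ADDR feeds E22 is simplified to the slave's address.

```python
"""Toy model of BR/EDR legacy (PIN) pairing: which LMP PDUs a passive analyzer
that knows the PIN needs in order to derive the same link key as the devices.

Added example, not Frontline code.  E22/E21/E1 are HMAC-SHA256 stand-ins for
the spec's SAFER+-based functions; the data flow, not the cipher, is the point.
"""
import hashlib
import hmac
import os


def _prf(label: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SAFER+-based E2x/E1 functions (NOT the real algorithms)."""
    return hmac.new(label, b"".join(parts), hashlib.sha256).digest()[:16]


def e22_init_key(pin, bd_addr, in_rand):
    """K_init from the PIN, a device address and IN_RAND (carried in LMP_in_rand)."""
    return _prf(b"E22", pin, bd_addr, in_rand)


def e21_unit_key(lk_rand, bd_addr):
    """Each side's contribution LK_K to the combination key."""
    return _prf(b"E21", lk_rand, bd_addr)


def e1_sres(link_key, au_rand, bd_addr):
    """4-byte authentication response SRES (carried in LMP_sres)."""
    return _prf(b"E1", link_key, au_rand, bd_addr)[:4]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def legacy_pairing(pin, addr_m, addr_s, rng=os.urandom):
    """Pair master and slave.  Returns the link key they agree on and the LMP
    payloads that are visible over the air."""
    in_rand = rng(16)                                   # LMP_in_rand
    k_init = e22_init_key(pin, addr_s, in_rand)
    lk_rand_m, lk_rand_s = rng(16), rng(16)
    comb_m = xor(lk_rand_m, k_init)                     # LMP_comb_key, master -> slave
    comb_s = xor(lk_rand_s, k_init)                     # LMP_comb_key, slave -> master
    link_key = xor(e21_unit_key(lk_rand_m, addr_m), e21_unit_key(lk_rand_s, addr_s))
    au_rand = rng(16)                                   # LMP_au_rand challenge
    sres = e1_sres(link_key, au_rand, addr_s)           # LMP_sres response
    on_air = {"in_rand": in_rand, "comb_m": comb_m, "comb_s": comb_s,
              "au_rand": au_rand, "sres": sres}
    return link_key, on_air


def analyzer_link_key(pin, addr_m, addr_s, captured):
    """Reconstruct the link key from the PIN and the captured PDUs.
    Returns (link_key, "ok") or (None, reason)."""
    needed = ("in_rand", "comb_m", "comb_s", "au_rand", "sres")
    missing = [n for n in needed if n not in captured]
    if missing:
        return None, "missed " + ", ".join(missing)
    k_init = e22_init_key(pin, addr_s, captured["in_rand"])
    lk_rand_m = xor(captured["comb_m"], k_init)         # undo the K_init masking
    lk_rand_s = xor(captured["comb_s"], k_init)
    key = xor(e21_unit_key(lk_rand_m, addr_m), e21_unit_key(lk_rand_s, addr_s))
    # A wrong PIN gives a wrong K_init and therefore a wrong key.  The captured
    # au_rand/sres pair lets the analyzer notice that at once, instead of only
    # when every frame after LMP_start_encryption_req comes out errored.
    if e1_sres(key, captured["au_rand"], addr_s) != captured["sres"]:
        return None, "SRES check failed (wrong PIN?)"
    return key, "ok"


if __name__ == "__main__":
    addr_m, addr_s = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    lk, air = legacy_pairing(b"0000", addr_m, addr_s)
    print("full capture, right PIN:", analyzer_link_key(b"0000", addr_m, addr_s, air)[1])
    print("full capture, wrong PIN:", analyzer_link_key(b"1234", addr_m, addr_s, air)[1])
    partial = {k: v for k, v in air.items() if k != "comb_s"}
    print("missed slave comb_key:  ", analyzer_link_key(b"0000", addr_m, addr_s, partial)[1])
```

Losing either LMP_comb_key loses one of the two randoms and with it the key; losing LMP_in_rand loses K_init and so both randoms; losing au_rand/sres leaves a key that cannot be checked, which is why the slide lists all three groups rather than any one of them.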

41

Failure to Decrypt

If FTS4BT doesn’t have all the information it needs, it won’t be able to calculate the link key correctly.

In the example below, after frame 24 (the LMP Opcode “Start Encryption Request”), all following frames are shown as bad (red) packets. This is a good indication that the sniffer is unable to decrypt any payload data in the baseband packets after encryption is enabled within the piconet.

42

Example of LMP for SSP Pairing

One device MUST be in Debug Mode

43

Capturing Data From The Air

44

Starting Data Capture

Once the information in the I/O Settings dialog has been completed, the [Start Sniffing] button initiates data capture. The icon on the Air Datasource window (and in the system tray) indicates the state of capture:

• (Clear) Data capture is not active

• (Red) The Bluetooth ComProbe is attempting to synchronize with the selected device

• (Green) The Bluetooth ComProbe is synchronized to the Slave and is waiting for the Master device to initiate a connection

• (Blue) A Bluetooth connection exists and data is being captured

• (Yellow) The Air Datasource is about to resynchronize with the selected device

45

Resynchronization

Bluetooth devices that are not currently active in a connection operate independently. This independence means that after some period of time the Bluetooth ComProbe will not be able to detect a connection initiation from the Master device (clock drift). To correct for this, the Air Datasource resynchronizes with the target device every 30 seconds

• A warning that this is about to happen is given by the status icon turning yellow five seconds before the resynchronization

46

Common Problems While Air Sniffing

47

Inability To Synchronize With The Master Device

The most common causes for this type of problem include

• Selection of the wrong device address

• The surrounding environment is RF “noisy”

• The Master and Slave devices are too far apart

  • This results in higher transmission power levels which may overwhelm the Bluetooth ComProbe

• The Master and Slave devices are too close to each other

  • This results in lower transmission power levels which may not reach the Bluetooth ComProbe

• Interlaced Page Scanning is being used

  • This can result in the Bluetooth ComProbe listening to the wrong set of paging frequencies

48

All Packets Are Captured With Errors

This most commonly occurs after the Master and Slave initiate encryption on the link. In this case, the captured packets are not being decrypted properly. This can be caused by

• Entering the wrong PIN Code or not entering a PIN Code

• Failing to capture the Pairing process

• Devices re-executing the Pairing process when the Bluetooth ComProbe wasn’t listening

49

All Packets Are Captured With Errors

This can usually be confirmed by looking at the last packet in the LMP tab

• The last packet seen is an LMP_start_encryption_req

• All following packets (except NULLs and POLLs) have length and CRC errors

It is possible that some number of packets immediately following an LMP_start_encryption_req will not be properly decrypted

• Prioritized Decryption can be used to minimize the number of such packets

• Prioritized Decryption can cause packets to not be captured

• Prioritized Decryption is enabled in the Advanced I/O Settings
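The confirmation rule on these two slides (and the red-packet symptom on the "Failure to Decrypt" slide) is mechanical enough to run over a capture automatically: locate LMP_start_encryption_req, ignore NULL and POLL packets, and look at whether the error flags on the remaining frames start at that point and never stop (decryption failure), start and then clear (the transient the Prioritized Decryption bullets describe), or bear no relation to it (radio problems). The script below is an added example, not Frontline code; the comma-separated frame log and the two captures are constructed for the illustration and are not an FTS4BT export format.

```python
"""Triage for 'All Packets Are Captured With Errors': classify a capture by
the error flags on payload-bearing frames after LMP_start_encryption_req.

Added example, not Frontline code.  Log format and sample captures are
constructed for this illustration (fields: num,type,lmp_opcode,err1;err2).
"""
from dataclasses import dataclass

IGNORED_TYPES = {"NULL", "POLL"}   # header-only packets; failed decryption cannot flag them

ADVICE = {
    "decrypt_failure": "every payload frame after encryption start is errored: wrong or "
                       "missing PIN, pairing not captured, or re-pairing while the "
                       "ComProbe was not listening",
    "transient_startup": "only the first frames after encryption start are errored; "
                         "Prioritized Decryption (Advanced I/O Settings) reduces this",
    "rf_errors": "errors are not tied to encryption start; check RF noise and the "
                 "distance between the devices and the ComProbe",
    "decrypting_ok": "payload frames after encryption start decode cleanly",
    "no_encryption": "no LMP_start_encryption_req seen; errors are not a decryption problem",
    "inconclusive": "no payload-bearing frames seen after encryption start",
}


@dataclass
class Frame:
    num: int
    ptype: str        # baseband packet type: NULL, POLL, DM1, DH1, ...
    lmp: str          # LMP opcode name, or "" for a non-LMP payload
    errors: tuple     # error flags raised by the sniffer, e.g. ("length", "crc")


def parse_log(text):
    """Parse 'num,type,lmp,err1;err2' lines into Frame objects."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        num, ptype, lmp, errs = line.split(",")
        frames.append(Frame(int(num), ptype, lmp, tuple(e for e in errs.split(";") if e)))
    return frames


def diagnose(frames):
    """Return (verdict, frame number of LMP_start_encryption_req or None)."""
    start = next((f for f in frames if f.lmp == "LMP_start_encryption_req"), None)
    if start is None:
        return "no_encryption", None
    after = [f for f in frames if f.num > start.num and f.ptype not in IGNORED_TYPES]
    if not after:
        return "inconclusive", start.num
    bad = [i for i, f in enumerate(after) if f.errors]
    if len(bad) == len(after):
        return "decrypt_failure", start.num
    if not bad:
        return "decrypting_ok", start.num
    if bad == list(range(len(bad))):          # errors form a prefix right after the switch
        return "transient_startup", start.num
    return "rf_errors", start.num


# Constructed capture reproducing the slide's pattern: errors from frame 24 onwards.
FAILED_CAPTURE = """\
22,DM1,LMP_encryption_mode_req,
23,DM1,LMP_accepted,
24,DM1,LMP_start_encryption_req,
25,NULL,,
26,DH1,,length;crc
27,POLL,,
28,DH1,,length;crc
29,DM1,,length;crc
"""

# Constructed capture: two frames lost right after the switch, then clean decryption.
RECOVERED_CAPTURE = """\
24,DM1,LMP_start_encryption_req,
25,DH1,,crc
26,DH1,,length
27,POLL,,
28,DH1,,
29,DM1,,
"""

if __name__ == "__main__":
    for name, log in (("failed", FAILED_CAPTURE), ("recovered", RECOVERED_CAPTURE)):
        verdict, start = diagnose(parse_log(log))
        print(f"{name}: {verdict} (encryption started at frame {start}); {ADVICE[verdict]}")
```

The NULL/POLL exclusion matters: those packets carry no payload, so they stay clean even when decryption has failed, and counting them would turn a clear "every payload frame is bad" into a misleading mix.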

50

The Analyzer Asks For Help Decoding

Packets are decoded based on information that was discovered earlier in the connection

• If there is missing information earlier in the session, the decoder subsystem may ask for help

Missing information may be caused by

• Packets not being decrypted

  • See Prioritized Decryption on the previous slide

• Clearing the capture buffer during a connection

• Sniffer missed SDP information.

Recommended