ble smp layer – ble SMP Message sequence charts

bluetooth tutorial May 8, 2026 · 0 Comment

 

SM Part 5 — Practical Examples & Chapter Summary

Chapter 11 Part 5 of 5 — Pairing Request/Response Sniffer Captures · SMP Message Sequence Chart · LE Secure Connections Setup · Summary

Frame 690Pairing starts
Just WorksSelected automatically
Phase 3LTK + EDIV distributed
Chapter 11Complete
Keywords:

BLE SMP sniffer frame 690 Pairing Request BLE IO KeyboardDisplay MITM yes key distribution BLE Pairing Response NoInputNoOutput Just Works BLE SMP message sequence chart phases 1 2 3 BLE Mconfirm Sconfirm Mrand Srand LTK EDIV hex BLE LE Secure Connections pairing phase 1 BLE chapter 11 Security Manager summary

11.10 — Practical Examples

11.10.1 — Message Sequence for LE Legacy Pairing

The textbook shows a real BLE sniffer capture of a complete SMP transaction. Two devices are labelled Side 1 (Initiator/Master) and Side 2 (Responder/Slave). Security procedures start at Frame #690 with the Pairing Request. This is what you would see with Wireshark + a BLE sniffer dongle, or with btmon on Linux.

Figure 11.11 — Pairing Request Capture (Frame 690)

The Pairing Request from Side 1 (the Initiator) carries full capability information. The four main observations from this capture:

Figure 11.11 — Annotated Pairing Request Frame #690

Frame #690 — SMP Pairing Request (0x01) Side 1 → Side 2 | Len=26

IO Capabilities KeyboardDisplay → has both numeric display AND numeric keypad
OOB Data Flag Not present → no NFC or other OOB channel
Bonding Flags Bonding requested
MITM Protection Yes (requested)
Max Encryption Key 16 octets (128-bit)

Initiator Key Distribution (keys Side 1 will send):

EncKey = 1 → will distribute LTK + EDIV + Rand
IdKey = 1 → will distribute IRK + address
Sign = 1 → will distribute CSRK

Responder Key Distribution (keys Side 1 requests from Side 2):

EncKey = 1 → Side 2 shall send LTK + EDIV + Rand
IdKey = 1 → Side 2 shall send IRK + address
Sign = 1 → Side 2 shall send CSRK

Figure 11.12 — Pairing Response Capture (Frame 693)

Side 2 (the Responder) replies with its own capabilities. Three critical observations that determine everything that follows:

Figure 11.12 — Annotated Pairing Response Frame #693
Frame #693 — SMP Pairing Response (0x02) Side 2 → Side 1 | Len=26
IO Capabilities NoInputNoOutput → NO display, NO keyboard
MITM Protection No → cannot support MITM (no display/keyboard)
Max Encryption Key 16 octets
Initiator Key Dist. No keys specified → Side 2 does not request Side 1 to send keys
Responder Key Distribution (keys Side 2 will send):

EncKey = 1 → will distribute LTK + EDIV + Rand only

Pairing Method Determination:
Side 1 IO = KeyboardDisplay
Side 2 IO = NoInputNoOutput
Neither set MITM bit on responder side → Just Works selected
(NoInputNoOutput cannot support MITM regardless of Side 1’s capabilities)

Figure 11.13 — Full SMP Message Sequence Chart

This chart shows the complete pairing sequence derived from the air logs above, covering all three phases with the actual hex values seen in the capture.

Figure 11.13 — SMP Message Sequence Chart (Annotated with Hex Values)
SMP_M (Master / Side 1) SMP_S (Slave / Side 2)

PHASE 1 — Pairing Feature Exchange
SMP_Pairing Request [IoCaps=KeyboardDisplay, MaxKeySize=16]
SMP_Pairing Response [IoCaps=NoInputNoOutput, MaxKeySize=16]

PHASE 2 — Just Works (TK=0) Confirm & Random Exchange
SMP_Pairing Confirm [Confirm=0xcf1a6f0bc23db316fe4f354ad6695ac0]
SMP_Pairing Confirm [Confirm=0x7a59aa484abb08692884eba0107406cc]
SMP_Pairing Random [Random=0xff94d225a3d59c1491f4bded1cda919f]
Slave verifies: c1(TK=0, Mrand) matches Mconfirm ?
SMP_Pairing Random [Random=0xcfbb5996562cbeb1f661eb431ca2a7e4]
Master verifies: c1(TK=0, Srand) matches Sconfirm ?
Both confirmed → STK calculated → Baseband connection encrypted

PHASE 3 — Key Distribution (over encrypted link)
Encryption Information [LTK=0x6213cb753494511771667763d5a83434]
Master Identification [EDIV=0xa7e4, Rand=0xbeb1f661eb431ca2]
Master stores LTK+EDIV+Rand for future reconnections

Key observations from this capture:

  • The Pairing Confirm values are opaque 128-bit blobs — without knowing TK and the random, they reveal nothing about the session key
  • Just Works means TK=0, making the confirm and random values predictable to any eavesdropper who was listening. This is acceptable only because the pairing method was forced by the peripheral’s lack of display/keyboard — not because it is secure
  • Only Encryption Information and Master Identification appear in Phase 3 — Side 2’s limited key distribution field (only EncKey=1) means no IRK or CSRK are distributed in this session
  • After Phase 3, the channel map update at the end indicates normal data exchange is starting

11.10.2 — LE Secure Connections Pairing Sequence

Phase 1 Setup for LE Secure Connections (Figures 11.14–11.16)

The textbook references Figures 11.14–11.16 which show the LE Secure Connections sequence. Side 1 is the Master. The key difference in Phase 1 compared to legacy pairing is the AuthReq byte — the SC bit (bit 3) is set to 1 by both sides to signal that they both support and want Secure Connections pairing.

LE Secure Connections — Phase 1 Pairing Request Differences
LE Legacy Pairing (4.0/4.1) AuthReq
Bond
2b
MITM
1b
SC=0
1b
KP=0
1b
SC bit = 0 → legacy pairing used
LE Secure Connections (4.2) AuthReq
Bond
2b
MITM
1b
SC=1
1b
KP=1
1b
SC=1 + KP=1 → LE Secure Connections with keypress
Phase 1 completes with both sides setting SC=1
Phase 2 uses ECDH key exchange — see Part 3 Section 11.8.2.5
Phase 3 distributes IRK + CSRK only (LTK generated by ECDH, not distributed)
/* Triggering LE Secure Connections pairing with bluetoothctl */
/* Both devices must support BLE 4.2 and have SC feature bit  */

/* Check if your controller supports SC:                      */
hcitool cmd 0x08 0x0003  /* LE Read Local Supported Features */
/* Bit 6 (0x40) = LL Privacy, Bit 7+ = Extended Scanner      */
/* SC is advertised in SMP, not in LE features bitmap         */

/* Force SC with BlueZ (in main.conf):                        */
/* /etc/bluetooth/main.conf:                                  */
/* [Policy]                                                   */
/* JustWorksRepairing = always                                */

/* To pair from bluetoothctl:                                 */
/* [bluetooth]# pairable on                                   */
/* [bluetooth]# pair AA:BB:CC:DD:EE:FF                        */
/* If SC supported: Request confirmation: 384291 yes/no       */
/* (Numeric Comparison appears if both have display+buttons)  */

/* Monitor SC pairing with btmon:                             */
/* sudo btmon | grep -A 5 "SMP"                               */
/* Look for: Authentication requirement: Bonding, MITM, SC    */
/*                                                   ^^        */

Chapter 11 Summary

What the Security Manager Provides to a BLE Connection

Chapter 11 covers the full security lifecycle of a BLE connection — from the threat landscape that motivated the design, through the cryptographic primitives used, to the complete three-phase pairing process and the specific SMP commands that implement it.

Threats Addressed

  • Passive eavesdropping
  • MITM active attacks
  • Location tracking (RPA)
Security Levels

  • LE Secure Connections (4.2)
  • Authenticated MITM protection
  • Unauthenticated (Just Works)
  • No Security
Crypto Functions

  • e (AES-128) — legacy base
  • ah, c1, s1 — legacy functions
  • AES-CMAC — SC base
  • f4, f5, f6, g2, h6 — SC functions
Three-Phase Pairing

  • Phase 1: IO capability exchange
  • Phase 2: TK→STK (legacy) or ECDH→LTK (SC)
  • Phase 3: LTK, EDIV, IRK, CSRK distributed
SMP Protocol

  • CID 0x0006, 30s timer
  • 15 command codes (Table 11.2)
  • 3 added in BLE 4.2 (0x0C–0x0E)
  • Max PDU = 23 bytes

Next chapter: Attribute Protocol (ATT) — The protocol that runs over L2CAP CID 0x0004 and provides the read/write/notify primitives that GATT and all BLE profiles are built on.

Chapter 11 Security Manager — Complete Series

Part 1
Intro, Breaches, Methods Part 2
Security Properties, Crypto Part 3
Pairing Phases 1 & 2 Part 4
Phase 3, SMP Commands

Part 5 ✅
Practical Examples, Summary

Chapter 11 Security Manager — Complete!

All five parts cover the Security Manager from first principles to practical sniffer captures. Next chapter: Attribute Protocol (ATT) running on CID 0x0004.

← Back to Part 1

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2026 embeddedpathashala.com - WordPress Video Theme by WPEnjoy