FrontLine BPA LOW ENERGY Hardware User Manual Download Page 203 | Manualshive

Page: 203 / 228

background image

A.1 Decrypting Encrypted Bluetooth® low energy

A.1.1 How Encryption Works in

Bluetooth

low energy

Data encryption is used to prevent passive and active—man-in-the-middle (MITM) — eavesdropping attacks
on a

Bluetooth

low energy link. Encryption is the means to make the data unintelligible to all but the

Bluetooth

master and slave devices forming a link. Eavesdropping attacks are directed on the over-the-air transmissions
between the

Bluetooth

low energy devices, so data encryption is accomplished prior to transmission using a

shared, secret key.

A.1.2 Pairing

A

Bluetooth

low energy device that wants to share secure data with another device must first pair with that

device. The Security Manager Protocol (SMP) carries out the pairing in three phases.

1. The two connected

Bluetooth

low energy devices announce their input and output capabilities and

from that information determine a suitable method for phase 2.

2. The purpose of this phase is to generate the Short Term Key (STK) used in the third phase to secure

key distribution. The devices agree on a Temporary Key (TK) that along with some random numbers
creates the STK.

3. In this phase each device may distribute to the other device up to three keys:

a. the Long Term Key (LTK) used for Link Layer encryption and authentication,

b. the Connection Signature Resolving Key (CSRK) used for data signing at the ATT layer, and

c. the Identity Resolving Key (IRK) used to generate a private address.

Of primary interest in this paper is the LTK. CSRK and IRK are covered briefly at the end.

Bluetooth

low energy uses the same pairing process as Classic

Bluetooth

: Secure Simple Pairing (SSP). During

SSP initially each device determines its capability for input and output (IO). The input can be None, Yes/No, or
Keyboard with Keyboard having the ability to input a number. The output can be either None or Display with
Display having the ability to display a 6-digit number. For each device in a paring link the IO capability
determines their ability to create encryption shared secret keys.

The Pairing Request message is transmitted from the initiator containing the IO capabilities, authentication
data availability, authentication requirements, key size requirements, and other data. A Pairing Response

Frontline BPA low energy Hardware & Software User Manual

196

«
...
201
202
203
204
205
...
»

Summary of Contents for BPA LOW ENERGY

Page 1: ...Hardware and Software User Manual Revision Date 1 3 2017...

Page 2: ...tered trademarks of Teledyne LeCroy Inc The Bluetooth SIG Inc owns the Bluetooth word mark and logos and any use of such marks by Teledyne LeCroy Inc is under license All other trademarks and register...

Page 3: ...3 6 Minimizing Windows 12 Chapter 3 Configuration Settings 13 3 1 BPAle I O Settings Datasource 13 3 1 1 BPA Low Energy datasource Toolbar Menu 13 3 1 2 BPA low energy Devices Under Test 14 3 1 3 BPA...

Page 4: ...egend 130 4 4 4 Packet Error Rate Additional Statistics 130 4 4 5 Packet Error Rate Sync Selected Packets With Other Windows 131 4 4 6 Packet Error Rate Export 131 4 4 7 Packet Error Rate Scroll Bar 1...

Page 5: ...f a Capture File 166 6 2 Adding Comments to a Capture File 166 6 3 Confirm Capture File CFA Changes 167 6 4 Loading and Importing a Capture File 167 6 4 1 Loading a Capture File 167 6 4 2 Importing Ca...

Page 6: ...a Using Frontline BPA 600 low energy Capture 199 A 2 Bluetooth low energy Security 204 A 2 1 How Encryption Works in Bluetooth low energy 205 A 2 2 Pairing 205 A 2 3 Pairing Methods 206 A 2 4 Encrypti...

Page 7: ...A 3 8 Case Studies Virtual Sniffing and Bluetooth Mobile Phone Makers 213 A 3 9 Virtual Sniffing and You 213 TELEDYNE LECROY Frontline BPA low energy Hardware Software User Manual vi...

Page 8: ...ffing the air or connecting directly to the chip Frontline analyzers use the same powerful Frontline software to help you test troubleshoot and debug communications faster Frontline software is an eas...

Page 9: ...d how to observe the captured packets frames layers and events l Chapter 5 Navigating and Searching the Data Here you will find how to move through the data and how to isolate the data to specific eve...

Page 10: ...her end of the USB cable into the PC Figure 2 1 BPA low energy Hardware USB Port 2 2 Data Capture Methods This section describes how to load TELEDYNE LECROY Frontline Protocol Analysis System software...

Page 11: ...Note You can also access this dialog by selecting Start All Programs Frontline Version Frontline ComProbe Protocol Analysis System Figure 2 3 Example Select Data Capture Method BPA 600 Three buttons...

Page 12: ...checkbox and the system creates a shortcut for the selected method and places it in the Frontline ComProbe Protocol Analysis System version desktop folder and in the start menu when you click the Run...

Page 13: ...ost behind other windows every window has a Home icon that brings the Control window back to the front Just click on the Home icon to restore the Control window When running the Capture File Viewer th...

Page 14: ...or saves the capture file Event Display framed data only Opens a Event Display with the currently selected bytes highlighted Frame Display framed data only Opens a Frame Display with the frame of the...

Page 15: ...en on the network This is the total number of events monitored not the total number of events captured The analyzer is always monitoring the circuit even when data is not actively being captured These...

Page 16: ...file Opens a Windows Save As dialog at the default location Public Documents Frontline Test Equipment My Capture Files Exit ComProbe Protocol Analysis System Shuts down the ComProbe Protocol Analysis...

Page 17: ...scription The following two rows apply to all Frontline products except Set in Target Live Start Capture Shift F5 Begins data capture from the configured wireless devices Stop Capture F10 Stops data c...

Page 18: ...system allows the user to define any number of parameters and save them in templates for later use Each entry in the window takes effect from the beginning of the capture onward or until redefined in...

Page 19: ...w Windows Menu Selections Mode Selection Hot Key Description Live Capture File Help Topics Opens the Frontline Help window About Frontline Protocol Analysis System Provides a pop up showing the versio...

Page 20: ...you start sniffing Pause button to stop sniffing Save button to save the configuration if you made changes but did not begin sniffing All settings are saved automatically when you start sniffing Help...

Page 21: ...rough Bluetooth 4 2 except optional extended packet length Figure 3 1 BPA Low Energy datasource Devices Under Test Tab The default value in the LE Device drop down is Sync with First Master Devices in...

Page 22: ...devices and used to derive a fresh encryption key each time the devices go encrypted Click here to learn more about the Long Term Key In LE the long term key is generated solely on the slave device a...

Page 23: ...capture analysis or display of data Filter out ADV packets for Non Configured devices Checking this box will filter out advertising packets from devices not specified in the LE Device field If Sync w...

Page 24: ...ting the BD_Addr Type field Tab to toggle appears Press the keyboard Tab key until your selected device address type appears LE Device Database Fields In the LE Device Database table the following col...

Page 25: ...est ComProbe BPAle hardware firmware you select the Update Firmware button l The current firmware is displayed under Firmware Version 3 1 5 BPA low energy Update Firmware When you select the Update Fi...

Page 26: ...or the response may be incomplete The Set Initial Decoder Parameters window allows you to supply the context for any frame The dialog allows you to define any number of parameters and save them in a t...

Page 27: ...Parameters dialog Override Existing Parameters The Set Subsequent Decoder Parameters dialog allows the user to override an existing parameter at any frame in the capture where the parameter is used If...

Page 28: ...e selected decode parameter override l The Remove All button will remove all decoder overrides If you do not have decoders loaded that require parameters the menu item does not appear and you don t ne...

Page 29: ...der Parameters window to apply the template and close the dialog Save Changes to a Template This procedure saves changes to parameters in an existing template 1 After making changes to parameter setti...

Page 30: ...ding using the Set Initial Decoder Parameters window Note By default the decoder decodes only the header fields of the frame 1 Select Set Initial Decoder Parameters from the Options menu on the Contro...

Page 31: ...ployed set this parameter to 0 zero otherwise set to the desired data source number Carries PSM Select the protocol that L2CAP traverses to from the following l AMP Manager l AMP Test Manager l SDP l...

Page 32: ...cting a frame in the frame display and choosing from the right click pop up menu and make the needed changes Refer to 3 Change the L2CAP parameter by selecting from the rule to change and click on the...

Page 33: ...otherwise set to the desired data source l Carries UUID Select from the list to apply the Universal Unique Identifier UUID of the application layer that RFCOMM traverses to from the following o OBEX...

Page 34: ...rs with implicit information not included in the transmission In any case either view the RFCOMM payload of this frame and other frames with the same channel as hex data or assist the analyzer by sele...

Page 35: ...ton If you want to remove all decoder parameter settings click on Remove All 4 Choose the protocol the selected item carries from the drop down list and click OK Each entry in the Set Subsequent Decod...

Page 36: ...y 20 dB by each 10 to 1 increase in range In the real world the effects of objects in an outdoor environment cause reflection diffraction and scattering resulting in greater signal losses Indoors the...

Page 37: ...ontline hardware and the DUTs because they cause a reduction in signal strength Obstructions include but are not limited to water bottles coffee cups computers computer screens computer speakers and b...

Page 38: ...Even small objects can cause signal scattering Figure 4 2 Example Poor Capture Environment 4 1 2 Capturing Data to Disk General Procedure Note Capture is not available in Viewer mode 1 Click the Star...

Page 39: ...ure to a single file choose System Settings from the Options menu on the Control window When live capture stops no new packets are sniffed but there can still be packets that were previously sniffed b...

Page 40: ...ta Figure 4 4 Frame Display Extended Inquire Response EIR displays extensive information about the Bluetooth devices that are discovered as data is being captured EIR provides more information during...

Page 41: ...and click Finish Most stacks are pre defined here If you have special requirements and need to set up a custom stack see Creating and Removing a Custom Stack on page 35 1 If you select a custom stack...

Page 42: ...it or select it and click the left arrow button 4 If you need to change the order of the protocols in the stack select the protocol you want to move and click on the Move Up and Move Down buttons unti...

Page 43: ...ognizer used to capture the data is different from the current frame recognizer In addition to choosing to Reframe you can also be prompted to Reframe by the Protocol Stack Wizard 1 Load your capture...

Page 44: ...tor lists If the analyzer sees L2CAP listed with a PSM it stores the PSM and the UUID for the next protocol in the list After the SDP session is over the analyzer looks at the PSM in the L2CAP Connect...

Page 45: ...coder A dialog appears that shows the data for which you can provide information If you need to change this information for a particular frame 1 Right click on the frame in the Frame Display window 2...

Page 46: ...protocol Click here for an explanation of the symbols next to the frame numbers l Decode Pane The Decode Pane displays a detailed decode of the highlighted frame Fields selected in the Decode Pane hav...

Page 47: ...both Classic Bluetooth and Bluetooth low energy there will be L2CAP tabs in the General group the Classic Bluetooth group and the Bluetooth low energy group Select the Unfiltered tab to display all pa...

Page 48: ...con Description Control Brings the Control window to the front Open File Opens a capture file I O Settings Opens the I O Settings dialog Start Capture Begins data capture to a user designated file Sto...

Page 49: ...Error Rate Statistics Opens the Packet Error Rate Statistics display Bluetooth Classic Packet Error Rate Statistics Opens the Packet Error Rate Statistics display Reload Decoders When Reload Decoders...

Page 50: ...fer Next Frame Moves to the next frame in the buffer Last Frame Moves to the last frame in the buffer Find on Frame Display only searches the Decode Pane for a value you enter in the text box Find Pre...

Page 51: ...Display It contains the following information l Frame s Selected Displays the frame number or numbers of selected highlighted frames and the total number of selected frames in parentheses l Total Fra...

Page 52: ...ue In this situation the Event pane displays 0x7d 0x23 while the Radix pane displays 0x03 4 3 1 5 Sorting Frames By default frames are sorted in ascending numerical sequence by frame number Click on a...

Page 53: ...ted The next occurrence of the value if it is found will be highlighted in the Decode Pane 4 Select Find Previous Occurrence or Find Next Occurrence to continue the search There are several important...

Page 54: ...y is synchronized with the Event Display Click on a frame in the Frame Display and the corresponding bytes is highlighted in the Event Display Each Frame Display has its own Event Display As an exampl...

Page 55: ...have to stop filtering until the data is captured 4 3 1 9 Working with Panes on Frame Display When the Frame Display first opens all panes are displayed except the Event pane To view all the panes sel...

Page 56: ...Summary pane Filtered out frames are not exported l Selected Frames export is the same as All Frames export except that only frames selected in the Summary pane will be exported Figure 4 9 Byte Expor...

Page 57: ...the background color of the one line summary indicates whether the frame came from the DTE or the DCE device Frames with a white background come from the DTE device frames with a gray background come...

Page 58: ...ecial tabs that appear in the Summary pane when certain conditions are met These tabs appear only in the General group and apply to all technologies The tabs are l Bookmarks appear when a bookmark is...

Page 59: ...lute timing to correct this error there would still be cases where we get it wrong Therefore we always assign 1 to the first packet in a connection event So even though it is rare there are connection...

Page 60: ...may cause this error As a rule of thumb it is always a good idea to ensure the ComProbe device is positioned away from sources of interference and is placed in between the two devices being sniffed 3...

Page 61: ...ut the protocol listed in the Summary Layer drop down box does not exist in the frame A green circle means the frame was not fully decoded There are several reasons why this might happen l One reason...

Page 62: ...he frame in either hexadecimal decimal or octal The radix can be changed from the Format menu or by right clicking on the pane and choosing Hexadecimal Decimal or Octal Because the Radix pane displays...

Page 63: ...es at the bottom of the pane give the same information as the status lines in the Event Display window This includes physical data errors control signal changes if appropriate and timestamps Because t...

Page 64: ...or associated with the byte 4 3 1 12 2 Red Frame Numbers and Bytes Red is reserved for bytes or frames with errors In the Summary pane frame numbers in red mean there is an error in the frame This cou...

Page 65: ...e filter criteria Frames that do not match the filter criteria are not displayed Display filters allow a user to look at a subset of captured data without affecting the capture content There are three...

Page 66: ...s that when you Select each frame under Conditions the following displayed fields depend on your selection With each subsequent selection the dialog fields will change depending on you selection in th...

Page 67: ...filter definition and appears as part of the filter description displayed to the right of the Toolbar Include A filter constructed with the Include button selected returns a data set that includes fra...

Page 68: ...at the bottom of the dialog for Select each frame 5 Set the parameters for the selected condition in the fields provided The fields that appear in the dialog box are dependent upon the previous select...

Page 69: ...B from the Typecombo box The address type selection populates both Address combo boxes with node address in the data set that match the type selection 4 Select a node address from the first Address co...

Page 70: ...e system deletes the filter Hiding and Revealing Display Filters If a display filter is showing the following steps will hide that filter but will not delete it 1 Select Hide Show Display Filters from...

Page 71: ...lter click the Open icon and select the filter from the pop up list of all the saved filters 2 Edit the desired parameter of the condition Because the required fields for a condition statement depend...

Page 72: ...ected Line icon 4 Edit the Boolean operators and parentheses as needed 5 Click OK The system displays the Save Named Condition dialog Ensure that the filter name is displayed in the text box at the to...

Page 73: ...e ComProbe software assigns to identify a pair of devices in a BR EDR connection In the Frame Display details pane the Baseband layer contains the link ID field if the field s value is not 0 An Access...

Page 74: ...ng out any other technology frames l HCI o All will filter in all HCI frames You are in effect filtering out any other technology frames Figure 4 22 Connection Filter from the Frame Display Menu From...

Page 75: ...Classic Bluetooth link or a Bluetooth low energy access address an additional pop up menu item will appear as shown in the example image below This selection is a predetermined filter based on your se...

Page 76: ...e original Frame Display will remain open and can be minimized Note The system currently limits the number of frame displays to 5 This limit includes any Frame Displays opened using Duplicate View fro...

Page 77: ...filtered display there are four low energy protocol tabs as compared to nine in the original display This access address connection is not using five of the protocols From any open Frame display the u...

Page 78: ...n Filter selecting All 802 11 frames front 4 3 1 13 3 Protocol Filtering from the Frame Display 4 3 1 13 3 1 Quick Filtering on a Protocol Layer On the Frame Display click the Quick Filtering icon or...

Page 79: ...haracter panes The box on the right is the Named Filters It contains filters that you create using the and dialogs When you select the checkbox for the Name Filters a tab appears on the Summary Pane t...

Page 80: ...il the data is captured 4 3 2 low energy Timeline The Bluetooth low energy Timeline displays packet information with an emphasis on temporal information and payload throughput The timeline also provid...

Page 81: ...if it is within 150 s or 2us l If the Interframe Spacing is less than 148 us or greater than 152 s but less than or equal to 300 us it is considered an IFS error Previous Error Packet Next Error Pack...

Page 82: ...isplays rows of packets from sending devices The source device address will appear on the left of each row Show Radio Rows Displays rows packets received on radios 0 1 or 2 The radio number will appea...

Page 83: ...s segment with 100 markers 437 5 ms 1x350 Displays one 437 5 ms segment with 350 markers 1 875 s 1x1500 Displays one 1 875 s segment with 1500 markers 3 75 s 1x3000 Displays one 3 75 ms segment with 3...

Page 84: ...0 1 25 ms time intervals 60x30 60 segments 30 markers per segment 2 7225 s 2178 1 25 ms time intervals 66x33 66 segments 33 markers per segment 3 24 s 2592 1 25 ms time intervals 72x36 72 segments 36...

Page 85: ...vious Error Packet Goes to the first error packet prior to the current selection If there are no error packets available this item is not active Keyboard Shortcut Ctrl Left Arrow Next Error Packet Goe...

Page 86: ...splays the maximum throughput seen so far l A horizontal bar indicates percentage of max seen up to that point and text gives the actual throughput 4 3 2 6 Average and 1 Second Payload Throughput The...

Page 87: ...You may want to include Message Integrity Checks in your throughput even though MIC is not application data MICs are transmitted and you may want to included in the throughput as a measure of how act...

Page 88: ...kets within a specific period of time Time is shown as one or more contiguous segments Within each segment are one or more source access address or radio rows Figure 4 33 Bluetoothlow energy Timeline...

Page 89: ...Because the segments are contiguous in multiple segment displays the rows in each segment are identical In the following diagram we see a three segment display showing the timeline flow Figure 4 34 Di...

Page 90: ...l The Timeline and Frame Display are synchronized so the packet range selected by the user in one is automatically selected in the other For the selected packet range the Timeline shows various durati...

Page 91: ...o the beginning or end of any packet by right clicking on a packet and selecting Align Time Marker to Beginning of Packet or Align Time Marker to End of Packet All other markers will shift relative to...

Page 92: ...gs of the first and last packets selected o Span Duration between the beginning of the first selected packet and the end of the last selected packet Figure 4 41 Bluetooth le Timeline Packet Info Line...

Page 93: ...d line in the throughput graph When the timestamp delta is greater than 4 01 seconds the discontinuity is a cosmetic convenience that avoids excessive empty space When the timestamp delta is negative...

Page 94: ...ubsequent selected next packets will appear on the right of the bottom segment l Multiple packets are selected either by dragging the mouse or by holding down the shift key while navigating or clickin...

Page 95: ...ntiguous time segment x n where x is 1 2 3 segment and n is the total number of segments For example Contiguous time segment 2 3 4 3 2 14 Zoom menu Figure 4 43 low energy Timeline Zoom menu TELEDYNE L...

Page 96: ...in 1 segment with 27 markers The scroll bar at the bottom of the segment will scroll the throughput graph view port 4 3 2 16 Multiple Segments Zoom Menu Multiple Segment Each selection defines the tim...

Page 97: ...ne view You access the Coexistence View by clicking its button in the Control window or Frame Display toolbars or Coexistence View from the View menus Figure 4 44 Coexistence View Window 4 3 3 1 Coexi...

Page 98: ...culations and all packets in the last one second of the capture session are used for the 1 sec throughput See on page 98 for more information Performs the same function as the throughput indicator All...

Page 99: ...me function as the Timeline Both radio button Show Timelines Which Have or Had Packets Auto Mode When check shows only timelines which have had packets at some point during this session If no packets...

Page 100: ...checked the y axis scales are unfroozen Performs the same function as the Unfreeze Y button which appears with the Zoomed Throughput Graph See on page 100 Show Tooltips in Upper Left Corner of Screen...

Page 101: ...rt and the Timeline to a fixed time duration 300 usec 625 usec 1 Bluetooth slot 1 25 msec 2 Bluetooth slots 1 875 msec 3 Bluetooth slots 2 5 msec 4 Bluetooth slots 3 125 msec 5 Bluetooth slots 6 25 ms...

Page 102: ...line Performs the same function as the Previous Retransmitted Packet button Next Retransmitted Packet When clicked selects the next retransmitted packet from the current selection and displays it in t...

Page 103: ...end Refer to on page 107 Performs the same functions as the Next Legend Packet button Last Legend Packet When clicked selects the last legend packet in the session and displays it in the Timeline This...

Page 104: ...ected in the legend Move to the previous packet of the type selected in the legend Move to the next packet of the type selected in the legend Move to the last packet of the type selected in the legend...

Page 105: ...cket size is used if the Packet or Both radio button is selected in the Throughput group l Payload size is used if the Payload radio button is selected in the Throughput group l Included packets are d...

Page 106: ...hat range of time are used for average throughput and packets in the 1 second duration ending at the end of the last packet in the viewport time range are used for 1 second throughput except that Blue...

Page 107: ...e color coded Blue Classic Bluetooth Green Bluetooth low energy Orange 802 11 Each data point represents a duration which is initially 0 1 s Each time the number of data points per line reaches 300 th...

Page 108: ...tool tips can be shown in the upper left corner of your computer screen to provide an unobstructed view Refer to Relocating Tool Tips A discontinuity is when the timestamp going from one packet to th...

Page 109: ...gure 4 56 Throughput Graph Viewport The viewport is moved by dragging it or by clicking on the desired location in the Throughput Graph the viewport will be centered at the click point The viewport is...

Page 110: ...icking the Dots button Dots are different sizes for each technology so that they reveal overlapping data points which otherwise wouldn t be visible A tooltip can be displayed for each dot Dots can be...

Page 111: ...ther zooming techniques listed in the Zooming subsection in the Timelines section Figure 4 60 Synchronized Zoomed Throughput Graph and View Port The largest value in each technology in the Zoomed Thro...

Page 112: ...omatically depending on the zoom level The other menu selections provide the ability to select a fixed data point interval Selecting from a larger to a smaller interval will display more data points S...

Page 113: ...result in the total duration of the two Throughput Graphs being different Another factor that can affect total duration is that the BluetoothTimeline s Throughput Graph stops at the last Classic Blue...

Page 114: ...o button shows only timelines which have had packets at some point during this session If no packets have been received at all and the Auto button is selected the 2 4 GHz timeline is shown 4 3 3 8 Coe...

Page 115: ...Timelines Click here to see a Coexistence View Timeline video Figure 4 66 Coexistence View Timelines The Timelines show Classic Bluetooth Bluetooth low energy and 802 11 packets by channel and time P...

Page 116: ...selection box around it as shown above and highlights the applicable entries in the legend Figure 4 68 Highlighted entries in the legend for a selected packet Summary information for a selected packe...

Page 117: ...or a Classic Bluetooth packet You can relocate the tool tip for convenience or to see the timeline or throughput graph unobstructed while displaying packet information In the Format menu select Show T...

Page 118: ...Figure 4 73 Coexistence View Format Menu Show Tooltips on Computer Screen Chapter 4 Capturing and Analyzing Data TELEDYNE LECROY Frontline BPA low energy Hardware Software User Manual 111...

Page 119: ...luetooth and Bluetooth low energy occur only in the 2 4 GHz range 802 11 can occur in both Figure 4 75 5 GHz and 2 4 GHz 802 11 packets The y axis labels show the channels for each technology and are...

Page 120: ...n the time range each of the two packet numbers is drawn with an arrow to indicate the next packet in each direction and can be clicked on to navigate to that packet the packet number changes color wh...

Page 121: ...lection of Zoom to Data Point Packet Range or selection of Zoom to Selected Packet The zoom buttons and tools step through the zoom presets and custom zoom where the custom zoom is logically inserted...

Page 122: ...and a single value is shown Figure 4 81 Timeline header with discontinuity Figure 4 82 Timeline duration footer with discontinuity For example the timeline above has a zoom level duration of 15 625 ms...

Page 123: ...tool tip 4 3 3 11 Coexistence View No Packets Displayed with Missing Channel Numbers Note This topic applies only to Classic Bluetooth Captured packets that don t contain a channel number such as HCI...

Page 124: ...e Bluetooth packets are slow they are not visible in High Speed mode 1 Click on the Control window File menu and select Close 2 The Control window will open again Click on the Control Window File menu...

Page 125: ...he data including role switches connection requests and errors You can look at all the packets int he capture or filter by protocol or profile the MSC is color coded for a clear and easy view of your...

Page 126: ...ssic or only LE the Classic and LE tabs will not appear Also along the top of the dialog are a series of protocol tabs The tabs will vary depending on the captured protocols Clicking on a tab displays...

Page 127: ...and Time of the packets are displayed on the left side of the chart Figure 4 88 Frame and Time Display inside red box If you click on the description of the message interaction the corresponding infor...

Page 128: ...e Address the message itself and the timestamp Additionally the control signaling packets for each layer are shown in a different background color Figure 4 91 Packet Layers Shown in Different Colors I...

Page 129: ...ime l Hide both Frame and Time 4 3 4 1 Message Sequence Chart Toolbar Figure 4 95 Message Sequence Chart Toolbar Tool Keyboard Description Ctrl H Zoom in horizontal expands the chart horizontal view S...

Page 130: ...her state Ctrl W Print display preview Ctrl P Print the display Ctrl C Cancel an in process print Table 4 10 Message Sequence Chart Tools continued 4 3 4 2 Message Sequence Chart Search The Message Se...

Page 131: ...tance of the search value you see this following dialog Once you have set the search value you can 1 use the Search Previous and Search Next buttons or 2 F2 and F4 to move to the next or previous fram...

Page 132: ...r then OK the first error for that layer will be displayed If no error is found a dialog will announce that event 4 3 4 5 Message Sequence Chart Printing There are three standard MSC print buttons Pri...

Page 133: ...the data that is currently being displayed Cancel Printing Cancels the current printing Zoom In Horizontially Expands the data horizontally so it can be easier to read Zoom Out Horizontally Squeezes...

Page 134: ...n connections When a high percentage of re transmits and or header payload errors occur careful analysis of the statistics indicate whether the two devices under test are experiencing trouble communic...

Page 135: ...Stats Window 4 4 1 Packet Error Rate Channels The main portion of the PER Stats dialog displays the Figure 4 100 Bluetooth low energy Packet Error Rate Channels TELEDYNE LECROY Chapter 4 Capturing an...

Page 136: ...the size of the entire dialog l c changes the contrast of the dialog l The Reset button is only available in live mode The button will appear in the lower right hand corner of the Channels section Cli...

Page 137: ...ow energy l The number of Packets with No Errors and percentage of packets with No Errors in relationship to total packets for the channel is displayed in green l The number of Packets with CRC Errors...

Page 138: ...nap Mode turned off the values for channels in the main chart are shown in absolute values where the max value of each channel graph is the same regardless of the position of the Viewport Channel 33 w...

Page 139: ...stay the same size but doubles in duration for example the first time the Scroll Bar fills the bars return to the middle but now each bar represent two seconds of time instead of one Each time the ba...

Page 140: ...t the Viewport from moving if there is not enough room to move by its full width l Pressing the double right arrow button or the PgDn key moves the Viewport to the right by the current width of the Vi...

Page 141: ...ed on the toolbar to prevent the display from updating Clicking on the icon again will unlock the display While locked you can review your data run searches determine delta time intervals between byte...

Page 142: ...Event Display Mixed Sides Serial data only By default the analyzer shows data with the DTE side above the DCE side This is called DTE over DCE format DTE data has a white background and DCE data has a...

Page 143: ...ick and drag to select the data for which you want to generate a CRC 3 Click on the CRC icon 4 In the CRC dialog box click on the down arrow to show the list of choices for CRC algorithms Choose an al...

Page 144: ...ction is independent on each window This means that you can have two Event Display windows open simultaneously and one window can be locked while the other continues to update 4 5 7 Data Formats and S...

Page 145: ...click on the data display header labels and choose a different radix Figure 4 106 Header labels right click 2 Or right click anywhere in the data display and select a different radix Figure 4 107 Data...

Page 146: ...check mark and return to side by side display 4 Right click in the sides panel on the right of the data display and select Display Sides Together A check mark is displayed Click on Display Sides Toge...

Page 147: ...character Flow Control Inactive An event occurred which caused flow control to become inactive i e caused the analyzer to transmit data Events which deactivate flow control are signal changes or the r...

Page 148: ...ze on one window does not affect the font size on any other window To change the font size 1 Click on Event Display menu Options and select Change the Font Size Figure 4 108 Event Display Options menu...

Page 149: ...button to write the streams as Two Mono Files or as One Stereo File Note This option is for SCO eSCO only 5 Select the checkbox if you want to convert A Law and law to Linear PCM CVSD are always conv...

Page 150: ...Audio Extraction Status dialogs appear When the process is complete the dialogs display what files have been created and where they are located Figure 4 111 Data and Audio Extraction Status If you sel...

Page 151: ...ction Status Then you can rename the file adding a file type to attempt to open the file When you are finished select Close to close the dialogs TELEDYNE LECROY Chapter 4 Capturing and Analyzing Data...

Page 152: ...ing data within the ComProbe analyzer produces a wealth of information for analysis This mass of information by itself however is just that a mass of information There has to be ways to manage the inf...

Page 153: ...string search on the data in the Decode Pane of the Frame Display window To access the search within decodes function 1 Open a capture file to search 2 Open the Event Display or Frame Display window 3...

Page 154: ...arch 3 When you have specified the time interval you want to use click on the Find Next or Find Previous buttons to start the search from the current event The result of the search is displayed in the...

Page 155: ...earches the DTE side first followed by the DCE side Note Side Restriction is available for pattern and error searching 1 Select one of the two options 2 Select DTE DCE or both 3 When you made your sel...

Page 156: ...ttern 2 Check Ignore Case to do a case insensitive search 3 When you have specified the pattern you want to use click on the Find Next or Find Previous buttons to start the search from the current eve...

Page 157: ...ime specified If no event is found at that time the analyzer goes to the nearest event either before or after the selected time based on the Go to the timestamp selection l Relative A relative search...

Page 158: ...ime 2 When you have specified the time interval you want to use click on the Go To Move Forward or Move Backward buttons to start the search from the current event When you select Absolute as Search f...

Page 159: ...io button 2 Type the number of the event in the box 3 Click the Go To button 4 To move forward or backwards through the data type in the number of events that you want to move each time 5 Then click o...

Page 160: ...Events tab of the Find dialog Note The tabs displayed on the Find dialog depend on the product you are running and the content of the capture file you are viewing Figure 5 8 Find Special Events tab 5...

Page 161: ...nt Display or Frame Display window 3 Click on the Find icon or choose Find from the Edit menu 4 Click on the Signal tab of the Find dialog Note The tabs displayed on the Find dialog depend on the prod...

Page 162: ...d see if any one of those signals changed state at any time o If you want to look at just one control signal n Check the box for the signal n Uncheck all the other boxes n Choose to search for an even...

Page 163: ...of the four radio buttons to choose the condition that must be met in the search o Select one or more of the checkboxes for Pin 1 2 3 or 4 o Click Find Next to locate the next occurrence of the searc...

Page 164: ...Figure 5 10 Find Error tab Chapter 5 Navigating and Searching the Data TELEDYNE LECROY Frontline BPA low energy Hardware Software User Manual 157...

Page 165: ...ch for an event where one or more error conditions were off and choose to search only for framing The analyzer searches the file and finds the point at which framing errors stopped occurring Searching...

Page 166: ...t really doesn t matter if they did or not choose overrun to be On and set the others to Don t Care The analyzer ignores any other type of error and find events where overrun errors occurred To find t...

Page 167: ...Where the Search Lands When doing a search in the analyzer the byte or bytes matching the search criteria are highlighted in the Event Display The first selected byte appears on the third line of the...

Page 168: ...ble to you Once you have created a bookmark you can use the Find function or other navigation methods to locate and move among them 5 2 1 Adding Modifying or Deleting a Bookmark You can add modify or...

Page 169: ...rame Display and Event Display b Select the Add or Modify Bookmark icon on one of the toolbars or c Right click on the frame event and choosing Modify Bookmark on the selection 3 Click on the Delete b...

Page 170: ...lete a bookmark select it and click the Delete button To modify a bookmark select it and click the Modify button Click Remove All to delete all the bookmarks Chapter 5 Navigating and Searching the Dat...

Page 171: ...ways to save portions or all of the data collected during a data capture Click here to see how to capture data to disk 6 1 1 Saving the Entire Capture File This option is only available when you sele...

Page 172: ...ame Display window 3 Right click in the data 4 Select Save Selection or Save As from the right click menu 5 Click on the radio button labeled Entire File 6 Choose to save Events or Frames Choosing to...

Page 173: ...ange type the numbers of the first and last items in the range in the boxes 7 Select either Events or Frames to indicate whether the numbers are event or frame numbers 8 Type a file name in the As box...

Page 174: ...t pane You can click on each item to see details in the right pane about what was changed for each item You simply check the boxes next to the changes you want to keep Once you decide what changes to...

Page 175: ...porting DOS timestamps l Greenleaf ViewComm 3 0 for DOS requires the byt for data and the tim for timestamps see note on importing DOS timestamps l Frontline Ethertest for DOS requires 3 files filenam...

Page 176: ...me Display Print dialog Select Print if you just want to print your data to your default printer Select Print Preview if you want access to printer options 2 Choose to include the Summary pane check t...

Page 177: ...browser print preview display with options for printing such as page orientation and paper size You can also use your Printer Preferences dialog to make some of these selections When printing your dat...

Page 178: ...log Selecting more than one event in the Event Display window defaults the radio button in the Event Display Print dialog to Selection and allows the user to choose the All radio button When only one...

Page 179: ...Frame Display Export You can dump the contents of the Summary pane on the Frame Display into a Comma Separated File csv To access this feature 1 Right click on the Summary pane or open the Frame Disp...

Page 180: ...of the Event Display Export dialog l Selecting more than one event in the Event Display window defaults the radio button in the Event Display Export dialog to Selection and allows the user to choose t...

Page 181: ...dard Windows time Timestamp Delta Event Number Byte Number Frame Number Type Hex Dec Oct Bin Side ASCII 7 bit ASCII EBCDIC Baudot RTS CTS DSR DTR CD RI UART Overrun Parity Error Framing Error 7 If you...

Page 182: ...signal changes and Set I O events Non printable characters or both If you choose to filter out Special Events your export file would contain only the data bytes Filtering out the non printable charact...

Page 183: ...m Settings from the Options menu on the Control window To enable a setting click in the box next to the setting to place a checkmark in the box To disable a setting click in the box to remove the chec...

Page 184: ...e file when it becomes full The oldest events are moved out of the file to make room for new events Any events moved out of the file are lost When disabled the analyzer stops capture when the file bec...

Page 185: ...changes to the settings at any time 7 1 1 2 Advanced System Options These parameters affect fundamental aspects of the software and it is unlikely that you ever have to change them If you do change th...

Page 186: ...ure immediately on starting up or not Figure 7 3 Start Up Options dialog l Don t start capturing immediately This is the default setting The analyzer begins monitoring data but does not begin capturin...

Page 187: ...a new location Figure 7 5 File Locations Browse dialog 5 Click OK 6 Click OK when finished If a user sets the My Decoders directory such that it is up directory from an installation path multiple inst...

Page 188: ...however Let s say you have selected Use Last Opened Folder for Capture Files and opened a file from a location other than the default directory All subsequent capture files will be saved to that loca...

Page 189: ...f precise recording in time of packet arrival Timestamps is an optional parameter in the Frame Display and Event Display that can assist in troubleshooting a network link 7 1 4 1 Timestamping Options...

Page 190: ...e capture file because more bits are required to store the timestamp Also more timestamps need to be stored than at normal resolutions The second issue is that using high resolution timestamping may a...

Page 191: ...s section at the bottom of the window and find the Number of Digits to Display box 3 Click on the arrows to change the number You can display between 0 and 6 digits to the right of the decimal point 7...

Page 192: ...he window is being updated Some windows require more processing time than others because the information being displayed in them is constantly changing Refrain from displaying data live in the Event D...

Page 193: ...RFC1761 snoop version 2 format Datalink Type Code Reserved 0 1000 Un encapsulated HCI H1 1001 HCI UART H4 1002 HCI BSCP 1003 HCI Serial H5 1004 Unassigned 1005 4294967295 Table 7 1 Datalink Codes Pack...

Page 194: ...one Packets may be lost because of insufficient resources in the capturing system or for other reasons Note some implementations lack the ability to count dropped packets Those implementations may set...

Page 195: ...re out of the buffer are not reassigned In other words when event number 1 is wrapped out of the buffer event number 2 is not renumbered to event 1 This means that the first event in the buffer may be...

Page 196: ...haracter system abbreviation for each one Some abbreviations have forward slash characters between the two letters This is to differentiate the abbreviations for a control character from a hex number...

Page 197: ...Feed NK NAK Negative Acknowledge NU NUL Null RS RS Record Separator SI SI Shift In SO SO Shift Out SH SOH Start of Heading SX STX Start of Text SB SUB Substitute SY SYN Synchronous Idle US US Unit Se...

Page 198: ...e system Common Files directory The readme file in the root directory of the protocol analyzer installation contains a complete list of included files Most files are located in My Decoders and My Meth...

Page 199: ...many user related questions Frontline s website has documentation on common problems as well as software upgrades and utilities to use with our products On the Web http fte com support supportrequest...

Page 200: ...TELEDYNE LECROY Chapter 7 General Information 193 Frontline BPA low energy Hardware Software User Manual...

Page 201: ...Appendicies Appendix A Application Notes 195 Frontline BPA low energy Hardware Software User Manual 194...

Page 202: ...ion Notes A 1 Decrypting Encrypted Bluetooth low energy 196 A 2 Bluetooth low energy Security 204 A 3 Bluetooth Virtual Sniffing 210 TELEDYNE LECROY Appendicies 195 Frontline BPA low energy Hardware S...

Page 203: ...ee on a Temporary Key TK that along with some random numbers creates the STK 3 In this phase each device may distribute to the other device up to three keys a the Long Term Key LTK used for Link Layer...

Page 204: ...ime a unique LTK is distributed Of particular importance to decrypting the encrypted data on a Bluetooth low energy link is LTK EDIV and RAND A 1 3 Pairing Methods The two devices in the link use the...

Page 205: ...the link the first time the two devices pair STK remains in each device on the link and is not transmitted between devices STK is formed by combining Mrand and Srand which were formed using device in...

Page 206: ...in transmitting and receiving encrypted data A 1 7 Decrypting Encrypted Data Using Frontline BPA 600 low energy Capture Note The following discussion uses the ComProbe BPA 600 in low energy capture mo...

Page 207: ...ge of encryption keys 5 To start capture click on the Start Sniffing button on the BPA 600 datasource toolbar A 1 7 2 Use Frame Display to View Encryption Decryption Process A 1 7 2 1 Security Manager...

Page 208: ...k Layer LL protocol manages the Bluetooth low energy radio transmissions and is involved in starting link encryption To observe the decoded LL commands click on the Frame Display LE LL tab search for...

Page 209: ...ink Clicking on Frame 39 617 displays the LL_ENC_REQ command from the master to the slave In the MSC below this command you will see the data transferred that includes SKDmaster used to generate the L...

Page 210: ...by a third party attacker The actual decrypted data appears between the Payload Length and the MIC in the packet This is shown in the Binary pane below the Summary pane Figure 15 Decrypted Data Examp...

Page 211: ...copes for viewing the other stations in the link and clocks were used to synchronize the stations By 1803 a communications network extended from Paris across the countryside and into Belgium and Italy...

Page 212: ...the means to make the data unintelligible to all but the Bluetooth master and slave devices forming a link Eavesdropping attacks are directed on the over the air transmissions between the Bluetooth l...

Page 213: ...used to generate the session key for an encrypted connection 4 Encrypted Diversifier EDIV 16 bit stored value used to identify the LTK A new EDIV is generated each time a new LTK is distributed 5 Rand...

Page 214: ...ulate and verify Sconfirm A 2 4 Encrypting the Link The Short Term Key STK is used for encrypting the link the first time the two devices pair STK remains in each device on the link and is not transmi...

Page 215: ...the same IRK and generate the same random number is low but not absolute IRK and Bluetooth low energy Privacy Feature Bluetooth low energy has a feature that reduces the ability of an attacker to trac...

Page 216: ...middle Mrand 128 bit random number used to generate Mconfirm OOB Out of Band RAND Random Number Sconfirm 128 bit confirmation value from the responder SK Session key SMP Security Manager Protocol Sra...

Page 217: ...h mobile phone makers l Virtual sniffing and you Where to go for more information A 3 2 Why HCI Sniffing and Virtual Sniffing are Useful Because the Bluetooth protocol stack is very complex a Bluetoot...

Page 218: ...In response to these requests Frontline developed SerialBlue the world s first commercially available serial HCI analyzer The response to SerialBlue was very positive When we asked our Bluetooth cust...

Page 219: ...Import Any application can feed data into ComProbe software using Live Import A simple API provides four basic functions and a few other more advanced functions The four basic Live Import functions a...

Page 220: ...s fully decoded and the debug messages are decoded as well The decoder for the debug messages was written using ComProbe software s DecoderScript feature DecoderScript allows ComProbe software user to...

Page 221: ...Author Eric Kaplan Publish Date May 2003 Revised December 2013 Appendicies TELEDYNE LECROY Frontline BPA low energy Hardware Software User Manual 214...

Page 222: ......

Page 223: ...ally Save Imported Capture Files 176 Autotraversal 35 37 B Baudot 139 175 Baudot Codes 188 Begin Sync Character Strip 140 Binary 138 149 Binary Pane 56 BL 190 Bookmarks 161 162 Boolean 60 65 BPA low e...

Page 224: ...tors 98 Throughput Radio Buttons 107 Timeline Radio Buttons 107 Timelines 108 discontinuities 114 high speed 116 packet 108 two timelines 112 Toolbar 96 Tooltip 101 relocate 101 110 Color of Data Byte...

Page 225: ...uplicate View 47 48 134 136 E E B 190 E C 190 Easy Protocol Filtering 72 EBCDIC 139 EBCDIC Codes 189 EIR 33 EM 189 EQ 190 Errors 57 73 156 181 ET 189 Event Display 47 133 172 Event Display Export 172...

Page 226: ...ettings Change 140 Icons in Data on Event Display 139 Importable File Types 168 Importing Capture Files 167 INCLUDE 60 Include Exclude 60 L L2CAP 23 L2CAP Override Decode Information 25 Layer Colors 5...

Page 227: ...attern 148 Pause 31 Performance Notes 184 Physical Errors 57 Printing 171 Printing from the Frame Display 168 Progress Bars 187 Protocol Protocol Layer Colors 57 Protocol Layer Filtering 71 Protocol S...

Page 228: ...53 54 Sync Dropped 140 Sync Found 140 Sync Hunt Entered 140 Sync Lost 140 Synchronization 47 System Settings 176 178 T Technical Support 192 Test Device Began Responding 141 Test Device Stopped Respo...

Reviews:

No comments

Related manuals for BPA LOW ENERGY

Brand: Oakton Pages: 4

Brand: Yamaha Pages: 69

Brand: Callaway Pages: 11

Brand: Hach Pages: 38

Brand: Hach Pages: 28

Brand: Hach Pages: 40

POCKET COLORIMETER II

Brand: Hach Pages: 142

Brand: Hach Pages: 4

Brand: Hach Pages: 308

Brand: Hach Pages: 158

Brand: Hach Pages: 118

POCKET COLORIMETER II

Brand: Hach Pages: 116

Brand: Hach Pages: 132

Brand: Hach Pages: 8

Brand: Hach Pages: 38

Brand: Hach Pages: 200

Brand: Roland Pages: 15

Brand: Kamstrup Pages: 100

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands