BPA 600 Devices Under Test - LE Only
There are four ways to sniff Bluetooth® wireless technology communications using the ComProbe BPA 600 Dual Mode Bluetooth Protocol Analyzer. You choose the mode you will be using by selecting one of the following radio buttons on the Devices Under Test tab in the BPA 600 datasource dialog:
- LE Only
- Classic Only Single Connection
- Dual Mode
- Classic Only Multiple Connections
By selecting the "LE Only" radio button under the "Devices Under Test" tab, you configure the BPA 600 protocol analyzer for sniffing Bluetooth low energy communications.
The default value in the LE Device drop-down is Sync with First Master. To begin sniffing Bluetooth low energy in this mode, simply click the red button to start; the analyzer will capture packets from the first Master that makes a connection. To capture the advertising traffic as well as the connection(s), you must specify a device address.
Specifying the LE Device Address and Encryption
Optionally, you can specify the LE device you are testing by typing in or choosing its address (BD_ADDR). Type it directly into the drop-down, or choose it from the list of previous values in the drop-down.
To enter the address manually, type it as a 12-digit hexadecimal number (6 octets); the "0x" prefix is entered automatically by the drop-down control.
Once you have identified the device address, the next step is to identify the encryption.
- Enter the Long Term Key for the LE encryption.
The Long Term Key is similar to the Link Key in Classic: it is a persistent key that is stored in both devices and used to derive a fresh encryption key each time the devices enter encrypted mode.
There are a few differences though:
In Classic, the Link Key is derived from inputs from both devices, is calculated in the same way independently by both devices and is then stored persistently. The Link Key itself is never transmitted over the air during pairing.
In LE, the Long Term Key is generated solely on the slave device and then, during pairing, is distributed to a master device that wants to establish an encrypted connection to that slave in the future. Thus the Long Term Key is transmitted over the air, albeit encrypted with a one-time key derived during the pairing process and discarded afterwards (the so-called Short Term Key). This is why the analyzer can follow an encrypted LE connection either from the Long Term Key itself or from the pairing input (PIN or OOB data) from which the Short Term Key was derived.
Unlike the Link Key, the Long Term Key is directional: it is only used for connections from the master to the slave (referring to the roles of the devices during the pairing process). If the devices also want to connect the other way round in the future, the device in the master role (during the pairing process) also needs to send its own Long Term Key to the device in the slave role during the pairing process (also encrypted with the Short Term Key), so that the device which was the slave during the pairing process can be a master in the future and connect to the device which was the master during the pairing process (but would then be in the slave role).
Since most simple LE devices are only ever slave and never master, the second Long Term Key exchange is optional during the pairing process.
Note: If you use Copy/Paste to insert the Long Term Key, Frontline will auto-correct the value (removing invalid white space) so that the key is correctly formatted.
- Enter a PIN or out-of-band (OOB) value for pairing.
This optional information covers the alternative pairing methods.
One of two pieces of data allows alternative pairing:
1. PIN: a six-digit decimal number (or fewer digits if leading zeros are omitted).
2. Out-of-Band (OOB) data: a 16-digit hexadecimal code which the devices exchange via a channel other than the LE transmission itself. This channel is called OOB.
For off-the-shelf devices we cannot sniff OOB data, but in the lab you may have access to the data exchanged through this channel.
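The field formats above (a 12-digit BD_ADDR with an automatic "0x", a pasted Long Term Key whose white space is auto-corrected away, and a PIN of up to six decimal digits) are easy to get wrong when values are copied out of a lab notebook. The following helper is an added example, not Frontline code: it normalizes those three inputs the way the dialog expects and flags a configuration that carries neither a key nor pairing input, so nothing encrypted could be decoded. The sample address, key and PIN are constructed values.

```python
import re
from typing import Optional

# Field formats stated in the LE Only configuration text:
#   BD_ADDR: 12 hex digits (6 octets); the dialog supplies the "0x" itself
#   LTK:     32 hex digits (128 bits); pasted white space is auto-corrected away
#   PIN:     decimal, six digits or fewer when leading zeros are omitted
BD_ADDR_HEX_DIGITS = 12
LTK_HEX_DIGITS = 32
PIN_MAX_DIGITS = 6


def _clean_hex(value: str, expected_digits: int, field: str) -> str:
    """Drop white space, ':' and '-' separators and an optional 0x prefix,
    then require exactly the expected number of hex digits."""
    cleaned = re.sub(r"[\s:\-]", "", value)
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    if not re.fullmatch(rf"[0-9A-Fa-f]{{{expected_digits}}}", cleaned):
        raise ValueError(f"{field}: expected {expected_digits} hex digits, got {value!r}")
    return cleaned.upper()


def normalize_le_config(bd_addr: str, ltk: Optional[str] = None,
                        pin: Optional[str] = None) -> dict:
    """Return the Devices Under Test values in the form the LE Only dialog stores them."""
    config = {"bd_addr": "0x" + _clean_hex(bd_addr, BD_ADDR_HEX_DIGITS, "BD_ADDR")}
    if ltk is not None:
        # Same effect as the dialog's Copy/Paste auto-correct for the key.
        config["ltk"] = _clean_hex(ltk, LTK_HEX_DIGITS, "Long Term Key")
    if pin is not None:
        digits = pin.strip()
        if not digits.isdigit() or len(digits) > PIN_MAX_DIGITS:
            raise ValueError(f"PIN: expected up to {PIN_MAX_DIGITS} decimal digits, got {pin!r}")
        config["pin"] = digits.zfill(PIN_MAX_DIGITS)  # restore omitted leading zeros
    # Without the LTK or the pairing input the analyzer has nothing to derive the
    # session key from, so flag configurations that will only show cleartext traffic.
    config["can_decrypt"] = "ltk" in config or "pin" in config
    return config


if __name__ == "__main__":
    # Constructed sample input, not a real device address or key.
    print(normalize_le_config("A1:A2:A3:A4:A5:A6",
                              ltk="0x00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF",
                              pin="1234"))
```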
After completing the configuration, see the topic on capturing data for how to start the capture.