BLE: Advertisements broken after an encrypted connection is closed
Observation: After a reset, card10 starts normal advertisements:
systime=1565990915 freq=2402 addr=8e89bed6 delta_t=385.054 ms rssi=-32
20 12 01 00 00 10 4d ca 02 01 06 02 0a 00 05 03 0a 18 0f 18 f2 e5 35
Advertising / AA 8e89bed6 (valid)/ 18 bytes
Channel Index: 37
Type: ADV_IND
AdvA: ca:4d:10:00:00:01 (public)
AdvData: 02 01 06 02 0a 00 05 03 0a 18 0f 18
Type 01 (Flags)
00000110
LE General Discoverable Mode
BR/EDR Not Supported
Type 0a (Tx Power Level)
0 dBm
Type 03 (16-bit Service UUIDs)
180a
180f
Data: 01 00 00 10 4d ca 02 01 06 02 0a 00 05 03 0a 18 0f 18
CRC: f2 e5 35
Afterwards a pairing using numeric comparison with MITM is created and a connection opened.
After closing this connection, the advertisements are broken:
systime=1565991064 freq=2402 addr=8e89bed6 delta_t=508.126 ms rssi=-32
20 16 1e ac 40 56 62 98 eb fb 78 b0 59 c3 31 39 27 0a e8 6c c2 96 36 70 1f 11 80
Advertising / AA 8e89bed6 (valid)/ 22 bytes
Channel Index: 37
Type: ADV_IND
AdvA: 98:62:56:40:ac:1e (public)
AdvData: eb fb 78 b0 59 c3 31 39 27 0a e8 6c c2 96 36 70
Error: attempt to read past end of buffer (1 + 235 > 16)
Data: 1e ac 40 56 62 98 eb fb 78 b0 59 c3 31 39 27 0a e8 6c c2 96 36 70
CRC: 1f 11 80
In both cases, the call to BbBleDrvTxData() in bbSetupAdvOp() seems to have correct data:
BbBleDrvTxData (descs=0x200246f8, cnt=1 '\001')
at /home/maxim/Documents/src/BLE/mcbusw/Hardware/Micro/ME14/Firmware/trunk/NDALibraries/BTLE/phy/bb/bb_ble_drv.c:169
169 /home/maxim/Documents/src/BLE/mcbusw/Hardware/Micro/ME14/Firmware/trunk/NDALibraries/BTLE/phy/bb/bb_ble_drv.c: No such file or directory.
(gdb) reset
max32xxx.cpu: external reset detected
(gdb) break BbBleDrvTxData
Breakpoint 1 at 0x10039a00: file /home/maxim/Documents/src/BLE/mcbusw/Hardware/Micro/ME14/Firmware/trunk/NDALibraries/BTLE/phy/bb/bb_ble_drv.c, line 169.
(gdb) c
Continuing.
Note: automatically using hardware breakpoints for read-only addresses.
Breakpoint 1, BbBleDrvTxData (descs=0x2003ff70, cnt=1 '\001')
at /home/maxim/Documents/src/BLE/mcbusw/Hardware/Micro/ME14/Firmware/trunk/NDALibraries/BTLE/phy/bb/bb_ble_drv.c:169
169 /home/maxim/Documents/src/BLE/mcbusw/Hardware/Micro/ME14/Firmware/trunk/NDALibraries/BTLE/phy/bb/bb_ble_drv.c: No such file or directory.
(gdb) x/2xw x2003ff70
No symbol "x2003ff70" in current context.
(gdb) x/2xw 0x2003ff70
0x2003ff70: 0x20010014 0x2001cf28
(gdb) x/20xb 0x2001cf28
0x2001cf28 <lctrSlvAdv>: 0x20 0x12 0x01 0x00 0x00 0x10 0x4d 0xca
0x2001cf30 <lctrSlvAdv+8>: 0x02 0x01 0x06 0x02 0x0a 0x00 0x05 0x03
0x2001cf38 <lctrSlvAdv+16>: 0x0a 0x18 0x0f 0x18
Length of 0x14 and the data matched.
Things point to a mis-configured radio. Maybe encryption is still active or some other parameter does not get reset as expected.
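The comparison made in the report can be scripted. The following is an added example, not part of the original report or the card10 firmware: it parses both sniffed PDUs, walks the AD structures with a bounds check, and compares each PDU with the buffer gdb shows at lctrSlvAdv. The function names are assumptions; the bytes are copied from the dumps above.

```python
# Added example. PDU bytes are copied from the report's dumps (CRC stripped).
GOOD = bytes.fromhex("20 12 01 00 00 10 4d ca 02 01 06 02 0a 00 05 03 0a 18 0f 18")
BAD = bytes.fromhex("20 16 1e ac 40 56 62 98 eb fb 78 b0 59 c3 31 39"
                    " 27 0a e8 6c c2 96 36 70")
TX_BUF = GOOD  # the 0x14 bytes gdb shows at lctrSlvAdv are identical to GOOD


def parse_adv_pdu(pdu):
    """Split an advertising PDU (2-byte header + payload) into its fields."""
    if len(pdu) < 8 or pdu[1] != len(pdu) - 2:
        raise ValueError("header length does not match payload size")
    adva = pdu[2:8][::-1].hex(":")  # AdvA is sent least significant byte first
    return pdu[0] & 0x0F, adva, pdu[8:]


def parse_ad_structures(adv_data):
    """Walk length/type/value AD structures, rejecting lengths that overrun."""
    out, i = [], 0
    while i < len(adv_data) and adv_data[i] != 0:  # zero length ends the list
        n = adv_data[i]
        if i + 1 + n > len(adv_data):
            raise ValueError(f"AD at offset {i}: 1 + {n} > {len(adv_data) - i}")
        out.append((adv_data[i + 1], adv_data[i + 2:i + 1 + n]))
        i += 1 + n
    return out


def check(air, tx_buf):
    """Compare a sniffed PDU with the buffer the firmware queued for TX."""
    report = {"matches_tx_buffer": air == tx_buf,
              "header_byte0_same": air[0] == tx_buf[0],
              "length_delta": air[1] - tx_buf[1]}
    try:
        _, report["adva"], adv_data = parse_adv_pdu(air)
        report["ad"] = parse_ad_structures(adv_data)
    except ValueError as exc:
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    for name, pdu in (("after reset", GOOD), ("after disconnect", BAD)):
        print(name, check(pdu, TX_BUF))
```

For the second capture the first header byte is unchanged and the length field grows from 0x12 to 0x16. Four bytes is the size of the MIC that BLE link-layer encryption appends to a payload.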