I am trying to develop a BLE test bed for my research work on wireless security. Basically, I am trying to follow a BLE connection and replay packets from an SDR. In this case, I am using two Cypress boards as my test devices and an Ubertooth One as the sniffer. I was able to do all that, i.e. follow the Cypress communication on all channels and get the data packets. Now, I am trying to replay packets of the server Cypress from the Ubertooth to the client Cypress, but I was not able to do that. I would like to mention that I didn't enable any encryption on the Cypress side, so the packets are just purely whitened. Just to verify that the Ubertooth is doing the modulation correctly, I sent some advertisement packets to a Cypress scanner and I was able to initiate a connection between them, which I verified in Wireshark. I would also like to mention that I have maintained all the communication timing requirements for BLE communication. Since I am new to this platform and it is the only tool I have right now to work with, I would like to know the following:
1. If I send an exact packet from my Ubertooth One that has a valid CRC, and the NESN and SN also match the current communication, will the Cypress receive the data?
2. How can I get the raw BLE packets received by the Cypress, i.e. before the CRC, NESN and SN are checked and the packet is discarded?
One more thing is that the Ubertooth has no BLE stack, that is, no layers above the link layer.
I would really appreciate it if someone could help me with my questions. Thank you in advance!
Can you please specify which Cypress device you are using?
To be specific, are you using a PSoC BLE-based device or a discrete BLE device?
I am using PSoC 4 BLE-based devices. To be specific, CY8C4247LQI-BL483.
To answer your questions 1 and 2 in case of PSoC:
1 can be done once the connection is up. There will not be any issues.
2 is not possible with PSoC, as the HW strips those fields (after checking the CRC) and populates the packet in our RX FIFO.
Thank you for your reply. I just wanted to clarify: for my question no. 1, the Cypress doesn't form a connection with the Ubertooth. The link is between two Cypress devices and the Ubertooth just sends a replayed packet. In this case, will a replayed packet sent from the Ubertooth be received, processed and displayed (sending some ATT data) by the Cypress receiver?
For my 2nd question, is the CRC check integrated into the HW? How can I get this RX FIFO data?
To answer your question 2, yes, the CRC check is integrated into the HW. It is not recommended to read the RX FIFO data or any BLE hardware registers manually. Doing so may lead the system to an unhandled state.
To answer your question 1, can you please clarify whether you are doing the following process?
As per our understanding, you are doing the following sequence:
1. Cy_Master sends an LL Data packet in Connection Event # 1 (CE-1)
2. Cy_Slave as well as the Ubertooth receive the packet in CE-1
3. Cy_Slave replies with its ACK 150 us after Cy_Master's packet
4. In CE-2, the Ubertooth replays Cy_Master's previous packet in the correct channel, with the correct Access Address and CRC, and modifies the SN to make this a new packet and not a re-transmission
5. Cy_Slave receives this new packet from the Ubertooth, and assumes it to be coming from Cy_Master
Please correct us if we are wrong.
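As an added illustration of the sequence above (example code written for this thread, not code from the original posts or from Cypress): the link-layer arithmetic that step 4 has to get right. Whitening is keyed by the channel index, so a frame captured in CE-1 has to be de-whitened and re-whitened for the CE-2 channel; the CRC covers the header, so changing the SN bit means recomputing the CRC with the connection's CRCInit; and the slave applies the SN rule only after the hardware CRC check, which is why a replay with the old SN is acknowledged but never reaches the host. The CRC_INIT value, the channel indices and the ATT payload are constructed, and the slave model is reduced to those two checks.

```python
# Added example, not code from the thread or from Cypress: BLE CRC-24
# (Core Spec Vol 6 Part B, 3.1.1), data channel whitening (3.2), the
# NESN/SN header bits (2.4) and the receiver's SN rule (4.5.9), used to
# show what an Ubertooth replay in CE-2 must recompute. CRC_INIT, the
# channel indices and ATT_PAYLOAD are constructed values.

def crc24(data: bytes, crc_init: int) -> int:
    """CRC over the PDU, bits fed LSB-first, LFSR preset to CRCInit.
    Feeding PDU+CRC exactly as received returns 0 when the CRC is good."""
    state = crc_init & 0xFFFFFF
    for byte in data:
        for i in range(8):
            fb = ((byte >> i) & 1) ^ (state >> 23)
            state = (state << 1) & 0xFFFFFF
            if fb:
                state ^= 0x00065B  # taps of x^10+x^9+x^6+x^4+x^3+x+1 plus the feed-in
    return state

def crc_to_air(state: int) -> bytes:
    """Position 23 is sent first and air bytes are LSB-first, so bit-reverse
    the 24-bit register and emit it little-endian."""
    rev = int(f"{state:024b}"[::-1], 2)
    return rev.to_bytes(3, "little")

def whiten(frame: bytes, channel: int) -> bytes:
    """x^7+x^4+1 whitening over PDU+CRC (not preamble or access address).
    Seed: position 0 = 1, positions 1..6 = channel index. Self-inverse."""
    lfsr = 0x40 | (channel & 0x3F)
    out = bytearray()
    for byte in frame:
        for i in range(8):
            if lfsr & 1:
                byte ^= 1 << i
                lfsr = (lfsr >> 1) ^ 0x44  # output fed back into positions 0 and 4
            else:
                lfsr >>= 1
        out.append(byte)
    return bytes(out)

def data_pdu(payload: bytes, llid: int, sn: int, nesn: int) -> bytes:
    """LL Data PDU: header byte 0 = LLID (bits 0-1), NESN (bit 2), SN (bit 3);
    header byte 1 = payload length."""
    hdr = (llid & 3) | ((nesn & 1) << 2) | ((sn & 1) << 3)
    return bytes([hdr, len(payload)]) + payload

def to_air(pdu: bytes, crc_init: int, channel: int) -> bytes:
    """Append the CRC and whiten for the channel the packet goes out on."""
    return whiten(pdu + crc_to_air(crc24(pdu, crc_init)), channel)

class SlaveLL:
    """Minimal model of the slave: hardware CRC check first, then the SN rule."""

    def __init__(self, crc_init: int):
        self.crc_init = crc_init
        self.nesn = 0        # SN value expected in the next new packet
        self.delivered = []  # payloads handed to the host (L2CAP/ATT)

    def receive(self, frame: bytes, channel: int) -> str:
        raw = whiten(frame, channel)
        if crc24(raw, self.crc_init) != 0:
            return "crc_fail"        # dropped in hardware, never reaches the RX FIFO
        hdr, length, payload = raw[0], raw[1], raw[2:-3]
        if ((hdr >> 3) & 1) != self.nesn:
            return "retransmission"  # old SN: acknowledged again, not delivered
        self.nesn ^= 1
        if length:
            self.delivered.append(payload)
        return "accepted"

def ubertooth_replay(frame: bytes, rx_ch: int, tx_ch: int, crc_init: int,
                     new_sn: int, fix_crc: bool = True) -> bytes:
    """Re-emit a frame captured on rx_ch during a later connection event on
    tx_ch: de-whiten, set SN, recompute the CRC (fix_crc=False keeps the
    stale CRC to show why that step matters), re-whiten."""
    raw = whiten(frame, rx_ch)
    pdu = bytes([(raw[0] & 0xF7) | ((new_sn & 1) << 3)]) + raw[1:-3]
    crc = crc_to_air(crc24(pdu, crc_init)) if fix_crc else raw[-3:]
    return whiten(pdu + crc, tx_ch)

CRC_INIT = 0x2A9B7C  # constructed; in practice taken from the sniffed CONNECT_IND
# constructed payload: L2CAP header (len 4, CID 0x0004 = ATT) + ATT Handle Value
# Notification, attribute handle 0x000E, value 0x01
ATT_PAYLOAD = bytes.fromhex("04 00 04 00 1b 0e 00 01")

def demo() -> tuple:
    """Cy_Master sends in CE-1 on channel 5; the Ubertooth replays in CE-2 on
    channel 12 three ways. Returns the slave's verdicts and the delivery count."""
    slave = SlaveLL(CRC_INIT)
    ce1 = to_air(data_pdu(ATT_PAYLOAD, llid=2, sn=0, nesn=0), CRC_INIT, 5)
    verdicts = (
        slave.receive(ce1, 5),                                                # genuine master packet
        slave.receive(ubertooth_replay(ce1, 5, 12, CRC_INIT, 0), 12),         # SN unchanged
        slave.receive(ubertooth_replay(ce1, 5, 12, CRC_INIT, 1, False), 12),  # SN flipped, CRC stale
        slave.receive(ubertooth_replay(ce1, 5, 12, CRC_INIT, 1), 12),         # SN flipped, CRC redone
    )
    return verdicts, len(slave.delivered)

if __name__ == "__main__":
    print(demo())  # (('accepted', 'retransmission', 'crc_fail', 'accepted'), 2)
```

The second verdict is the case the thread is really about: a byte-exact replay with the right channel whitening passes the CRC, but because its SN equals the SN the slave has already acknowledged, the slave treats it as a retransmission and the host never sees it. Only the fourth frame, with the SN toggled and the CRC recomputed, is delivered a second time.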
Thank you for your response. Yes, you are absolutely correct, this is what I am trying to do.
To answer your question 1, please note that your Cypress slave should receive frames from either the Ubertooth or the Cypress Master, but not both. For example, if you want to communicate from the Ubertooth to the slave, you have to ensure that the Cy_Master packet is overridden by the Ubertooth. You can try this by having a larger TX power.
Also we recommend you to go with the following steps for your testing:
1. Use the Non-Stack version project for Cy_Slave and Cy_Master, i.e. the HCI mode project. Please refer to the Day 18 Direct Test Mode project from the link below:
2. Establish connection using HCI commands
3. Now when Cy_Slave receives the Ubertooth packet, it will send an HCI packet to the host. There you can see the packet in HCI ACL Data format (BLE Spec V5.2 Vol 4E, Section 5.4.2).
Thank you very much for the suggestions!! I guess this is the thing I was looking for. Please let me look into it as per your suggestion and I will forward any more questions that I have.
I am getting the following error when building the project.
arm-none-eabi-gcc.exe: error: ..\..\..\..\..\..\..\..\Documents\PSoC Creator\4.2\Downloads ( 4.2).cylib\BLE_v3_63\Library\gccCyBLEStack_HCI_MODE_CENTRAL_PERIPHERAL.a: No such file or directory
The command 'arm-none-eabi-gcc.exe' failed with exit code '1'.
Thank you for the help! The code compiled successfully. I have one more question: do you guys have any tools to generate and decode the HCI commands? I found several tools online, but they are for vendors like TI and NXP, and I am not sure if they will work with Cypress.
I am facing a few problems:
1. I am not able to find the btwusb driver, as the link in the README.txt doesn't work.
2. I just installed the HCI_DTM code on the Cypress and tried to send HCI commands using the NXP Test Tool 12, but it doesn't work. Do I need to use the UART as mentioned in the schematics, or is using the onboard USB fine?
Looking forward to your reply.
Are you using CY8CKIT-042 BLE kit? If yes, have you assigned the pins for UART correctly?
Ideally there is no need to install any drivers. If you have any USB to UART bridge it is sufficient. Can you please attach the errors that you are getting when you try to send the HCI commands? What is the bridge that you are using?
I am using the CY8CKIT-042 BLE kit. I was able to figure out the problem: the pins were not correctly assigned. I am able to send commands from both the NXP Test Tool 12 and CyBluetool. But it is hard for me to establish a connection. Do you guys have any script that is able to do that? It would be really helpful for me. Or the series of commands that I need to follow to establish the BLE connection and send data. I am currently using the kit and the BLE dongle provided with it to do the connection setup.
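An added example covering the command sequence asked for above and the HCI ACL Data format mentioned in the earlier reply (example code written for this thread, not a Cypress script or tool): H4/UART framing for HCI_Reset and LE_Create_Connection, a decoder for the Command Status, LE Connection Complete and ACL Data packets that come back, and a builder for a host-to-controller ACL packet carrying an ATT Write Command. The peer address, connection handle, intervals and the controller-to-host sample bytes are constructed; the opcodes and field layouts follow Core Spec Vol 4 Part E. Whether the HCI mode firmware on the PSoC supports each command is something to confirm against its Read_Local_Supported_Commands response rather than assume.

```python
# Added example, not a Cypress script: host-side HCI over H4/UART for an LE
# connection setup, plus decoding of what the controller sends back.
# Opcodes and layouts follow Core Spec Vol 4 Part E (5.4.1 command, 5.4.2 ACL
# data, 5.4.4 event packets). Addresses, handles, intervals and the
# controller-to-host sample bytes below are constructed.
import struct

H4_CMD, H4_ACL, H4_EVT = 0x01, 0x02, 0x04
OGF_CTRL_BB, OGF_LE = 0x03, 0x08

def opcode(ogf: int, ocf: int) -> int:
    return (ogf << 10) | ocf

def hci_command(op: int, params: bytes = b"") -> bytes:
    """H4 command packet: indicator, 16-bit opcode LE, parameter length, params."""
    return bytes([H4_CMD]) + struct.pack("<HB", op, len(params)) + params

def le_create_connection(peer_addr: str, peer_addr_type: int = 0,
                         interval_ms: float = 30.0, timeout_ms: int = 2000) -> bytes:
    """LE_Create_Connection (OGF 0x08, OCF 0x000D): 25 parameter bytes.
    Intervals are in 1.25 ms units, supervision timeout in 10 ms units,
    and the peer address goes out LSB-first."""
    addr = bytes.fromhex(peer_addr.replace(":", ""))[::-1]
    iv = round(interval_ms / 1.25)
    params = struct.pack("<HHBB6sBHHHHHH",
                         0x0060, 0x0030,    # scan interval / window (60 ms / 30 ms)
                         0x00,              # initiator filter policy: use peer address
                         peer_addr_type, addr,
                         0x00,              # own address type: public
                         iv, iv,            # connection interval min / max
                         0x0000,            # peripheral latency
                         timeout_ms // 10,  # supervision timeout
                         0x0000, 0x0000)    # min / max CE length
    return hci_command(opcode(OGF_LE, 0x000D), params)

def connect_sequence(peer_addr: str) -> list:
    """Commands to connect as central when the peer address is already known
    (LE_Set_Scan_Parameters/Enable are only needed to discover it first)."""
    return [hci_command(opcode(OGF_CTRL_BB, 0x0003)),  # HCI_Reset -> 01 03 0C 00
            le_create_connection(peer_addr)]

def acl_att_write_cmd(conn_handle: int, att_handle: int, value: bytes) -> bytes:
    """Host-to-controller ACL packet: handle with PB/BC flags 0, total length,
    L2CAP basic header (length, CID 0x0004 = ATT), ATT Write Command (0x52)."""
    att = bytes([0x52]) + struct.pack("<H", att_handle) + value
    l2cap = struct.pack("<HH", len(att), 0x0004) + att
    return bytes([H4_ACL]) + struct.pack("<HH", conn_handle & 0x0FFF, len(l2cap)) + l2cap

def parse_event(pkt: bytes) -> dict:
    """Decode the events seen during connection setup: Command Complete (0x0E),
    Command Status (0x0F) and the LE Connection Complete meta event (0x3E/0x01)."""
    if pkt[0] != H4_EVT:
        raise ValueError("not an H4 event packet")
    code, plen = pkt[1], pkt[2]
    p = pkt[3:3 + plen]
    if code == 0x0E:
        _, op = struct.unpack_from("<BH", p)
        return {"event": "command_complete", "opcode": op,
                "status": p[3] if len(p) > 3 else None}
    if code == 0x0F:
        status, _, op = struct.unpack_from("<BBH", p)
        return {"event": "command_status", "opcode": op, "status": status}
    if code == 0x3E and p[0] == 0x01:
        status, handle, role, _, addr, iv, _, _ = struct.unpack_from("<BHBB6sHHH", p, 1)
        return {"event": "le_connection_complete", "status": status, "handle": handle,
                "role": "central" if role == 0 else "peripheral",
                "peer": ":".join(f"{b:02X}" for b in addr[::-1]),
                "interval_ms": iv * 1.25}
    return {"event": f"unhandled_0x{code:02X}"}

def parse_acl(pkt: bytes) -> dict:
    """HCI ACL Data: 12-bit handle + PB/BC flags, total length, then L2CAP
    (length, CID) and, for CID 0x0004, the ATT opcode/handle/value."""
    if pkt[0] != H4_ACL:
        raise ValueError("not an H4 ACL data packet")
    hf, total = struct.unpack_from("<HH", pkt, 1)
    data = pkt[5:5 + total]
    l2len, cid = struct.unpack_from("<HH", data)
    sdu = data[4:4 + l2len]
    out = {"handle": hf & 0x0FFF, "pb_flag": (hf >> 12) & 0x3, "cid": cid, "att": None}
    if cid == 0x0004 and sdu:
        att = {"opcode": sdu[0]}
        if sdu[0] in (0x12, 0x52, 0x1B):  # Write Request / Write Command / Notification
            att["handle"] = struct.unpack_from("<H", sdu, 1)[0]
            att["value"] = sdu[3:]
        out["att"] = att
    return out

# constructed controller-to-host bytes, as they would arrive on the UART
SAMPLE_CMD_STATUS = bytes.fromhex("04 0f 04 00 01 0d 20")
SAMPLE_CONN_COMPLETE = bytes.fromhex("04 3e 13 01 00 40 00 00 00 66 55 44 33 22 11 18 00 00 00 c8 00 00")
SAMPLE_ACL_NOTIFY = bytes.fromhex("02 40 20 08 00 04 00 04 00 1b 0e 00 01")

if __name__ == "__main__":
    for cmd in connect_sequence("11:22:33:44:55:66"):
        print(cmd.hex(" "))
    print(parse_event(SAMPLE_CMD_STATUS))
    print(parse_event(SAMPLE_CONN_COMPLETE))
    print(parse_acl(SAMPLE_ACL_NOTIFY))
```

The expected exchange is: send HCI_Reset and wait for Command Complete; send LE_Create_Connection and wait for Command Status (status 0x00); when the peripheral's CONNECT_IND response completes, the controller delivers an LE Connection Complete event with the connection handle; from then on, ATT traffic in both directions arrives as ACL Data packets on that handle, with the ATT PDU after the four-byte L2CAP header. On the UART the same bytes are exchanged regardless of which vendor's test tool wraps them, so a generic HCI sender is enough once the UART pins are right.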