Computer Access Technology Corporation
Tel: (408) 727-6600, Fax: (408) 727-6622
www.catc.com
Enabling Global Connectivity

Tracing Bluetooth Headsets with the CATC Bluetooth Analysers
Application Note

Introduction

Bluetooth Headsets and Handsfree audio devices typically connect to a Bluetooth Audio Gateway (usually a phone or PC). Apart from during the pairing process the Headset is typically not discoverable, and sometimes the audio gateway is not either. This application note describes the various methodologies for recording Bluetooth Headset and Handsfree links. It assumes that the reader is using CATC Bluetooth software 2.01 or higher; the principles also apply to older software versions, but the examples are based around the 2.0 user interface.

CATC 1 of 10 02/04 External Triggering Capability

Part 1: Pairing

Before the user can use a Bluetooth Audio device (e.g. Headset or Handsfree) with a Phone or PC it is normally required to pair the devices. In some cases the pairing may have been performed at the factory to enhance the user experience, though as a general rule these devices too can be re-paired at any time. Pairing ensures that the Audio device and Audio gateway know how to find and connect to each other when not discoverable to other devices. In most cases it also allows the link to be encrypted. Encryption of the link is optional but most systems implement it by default. Therefore, to successfully trace and decrypt an audio device link it is generally advisable to record the pairing process. Recording the pairing process has the secondary advantage of confirming (or learning) that the device BD_addrs have been correctly identified to the tracer system.

The most common method of pairing the devices is to first turn the audio device off, then turn it on again and hold the on button down for a further 10-15 seconds. In most cases this also results in a flashing light sequence. At this point the audio device is discoverable. The audio gateway is usually made discoverable from a menu option. While the devices are discoverable, the CATC Bluetooth analyser can be asked to survey the Bluetooth Neighbourhood (menu option or toolbar icon). This will result in the devices being listed in the device list. The COD field can be used to identify which device is the headset and which the audio gateway.

Note: If the BD_address is known it can be added to the device list manually; however, be careful of typographical errors here or you may find you wait for a non-existent device to connect.

Pairing processes are usually initiated from the audio gateway, so we will follow this procedure. If the pairing is initiated from the audio device, the master and slave roles in this example would need to be switched. On the device list, right click the audio gateway device (Phone or PC) and set this as the recording options master. Right click the audio device (headset or handsfree) and set this as the page target (slave). On the recording options you can set the following method (advanced mode).

The loss of sync timeout should be low because the Audio Gateway will probably retrieve the headset Friendly name before pairing. This makes a temporary link and then disconnects. We want the analyser to be ready to restart recording before the pairing connection is made (this way we get both events in one trace), and we are assuming that it will take the operator more than 3 seconds to start the actual pairing (1 second timeout + 2 second re-sync allowance).

The final stage of setup is to prepare the security (prior to CATC SW version 2.2 this must be done before recording; later versions allow you to enter it retrospectively if you forget). Either right click and edit the Audio device (slave) or double click it, and select the setup button (Tip: in V2.4 or higher you can get here directly by double clicking the security box of the device). Since you probably do not have access to the link key information you will need to enter the PIN number for the audio device (Tip: the Bluetooth spec says that devices without a user interface should default to the PIN code ‘0000’, so this should be the default for most devices; some use ‘1234’ and some use ‘1111’. If you are not sure then in V2.2 or higher you can enter all possibilities to be on the safe side). Make sure you press the OK button to close these windows.

Once this is set up we are ready to record; however the Audio device will probably have timed out (or is about to), so it will need to be turned off and on again so that it is discoverable again. When the audio device is discoverable you can press the record button on the CATC analyser (after one or two seconds the sync message will change to include a bd_addr; at this point the analyser is ready to record Bluetooth activity). Now on the Audio Gateway device (phone), use the menus to ask it to add a headset (or pair with a device). You will probably see the analyser briefly flash to Rec mode and then return to sync mode when the Audio Gateway starts to list the device names in the area. Select the audio device you are tracing; it should connect and ask for the PIN code of the audio device (this must be the same as the code you entered in the security settings for recording). During this time the analyser will probably be in record mode. Assuming the devices pair correctly you can stop the recording and look at the results. If it is successful then the security setting of the audio device will now have been updated to include the calculated link key.

Troubleshooting tips:

• No link key after pairing:
  a. Check first that there is an LMP packet of type ‘in_rand’ followed by an ‘au_rand’ and an ‘sres’ in the trace. If it is not present and you only see ‘au_rand’ without the ‘in_rand’, the devices have already been paired previously and are not pairing again. Solution: remove the device entry from either Bluetooth device (e.g. delete the headset from the phone’s pair list).
  b. Check the PIN code in the security list was the same as the one you used.
• Nothing recorded:
  a. Check you have the correct device address for recording.
  b. Check the tracer was not in waiting for sync mode when the pairing was made.
• Only red error packets after the LMP packet ‘accept crypt’:
  a. Link key is missing.
  b. Incorrect PIN code supplied.

Part 2: Recording an Audio link

Before we can record an active audio link we need to change the recording options, depending on the activity we wish to record. In all cases we will assume the audio device (Headset/Handsfree) is not discoverable (does not support inquiry scan) other than in pairing mode (see Part 1), and as such we cannot use it as our sync device. We also need to determine which device will be the initiating master and which the slave.

Action: Incoming call to Audio Gateway (handset/phone/PC)
Device roles: Audio Gateway is Master. Audio Device is Slave. No established BT connection.
Recording method:
1) If the audio gateway is discoverable use the ‘sync and record’ method (suits most Nokia phones and PCs by default). Sync must be established prior to the incoming call.
2) If the audio gateway is not discoverable use the ‘passive sync and record’ method (most Ericsson phones unless discovery is enabled). No sync will be shown, but a delay of 3-5 seconds is required after pressing record before the incoming call is received.

Action: Call is initiated by pressing a button on the Audio device (headset/handsfree)
Device roles: Audio Gateway is Slave. Audio Device is Master. No established BT connection.
Recording method:
3) If the audio gateway is discoverable use the ‘Page sync and record’ method (suits most Nokia phones and PCs by default). Sync must be established prior to the incoming call.
4) If the audio gateway is not discoverable use the ‘passive sync and record’ method (most Ericsson phones unless discovery is enabled). No sync will be shown, but a delay of 3-5 seconds is required after pressing record before the incoming call is received.

Action: A BT connection is maintained constantly between phone and headset
Device roles: Audio Gateway is Master. Audio Device is Slave.
Recording method: This is often found on Nokia phones, where the phone maintains a constant link with the headset (shown by a small icon on the display). In this case the phone is the master device and the headset is usually in ‘sniff’ mode until a call is made in either direction. If the phone is discoverable during the link then the ‘sync and record’ method can be used to break in to the existing link and recording will start immediately. Otherwise it will be necessary to break the connection between headset and phone prior to recording (e.g. turn the headset off and on again) and use one of the methods above to synchronise.

NOTE: you will probably want to use event trigger in this case, not snapshot mode, to avoid using large buffers.

Note: you may want to make sure that the loss of sync timeout is >2 sec in case the devices enter a sniff mode of 1.28 s; the loss of sync timeout should be more than the sniff interval but shorter than the disconnect/connect cycle. As a general rule the loss of sync timeout should be 2x the sniff interval, assuming this is less than the disconnect/connect times on the link.

A successful trace will include a mixture of AT (RFCOMM) and SCO packets. Headset and Handsfree devices send configuration and control data via AT commands, and the audio data is in SCO packets (HV1, HV3 or HV5 typically).

The traffic summary report is an excellent way to navigate to the various AT commands in the audio stream. Selecting the AT report, the hyperlinks will take you to the point at which the command was issued. If you wish to see just the AT commands there are several ways of doing this, from hiding unassociated traffic to using the ‘find all’ filter, which will open a second window containing just the AT commands.

Note: the latest AT decodes (Handsfree and Headset included) can be found on the CATC newsgroup site. Use the mouse tooltip to view the enhanced decode functionality.
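As an added example that is not part of the CATC application note, the following Python function applies the Part 1 troubleshooting rules to a decoded LMP listing of a pairing attempt; the record layout, the underscore spelling of the opcode names and the sample traces are assumptions constructed for illustration, not the analyser's own export format.

```python
# Added example (not from the CATC application note): triage a recorded pairing
# attempt using the rules in the Part 1 Troubleshooting tips. The opcode names
# (in_rand, au_rand, sres, accept crypt) are the ones the note quotes; the record
# layout and the sample traces are constructed for this example.
from dataclasses import dataclass
from typing import List


@dataclass
class LmpRecord:
    """One decoded LMP PDU as it might appear in an analyser trace listing."""
    opcode: str          # e.g. "in_rand", "au_rand", "sres", "accept_crypt"
    error: bool = False  # True for a red (undecodable) packet in the listing


def triage_pairing_trace(records: List[LmpRecord]) -> str:
    """Return the troubleshooting verdict for a recorded pairing attempt."""
    if not records:
        # "Nothing recorded": wrong BD_addr, or analyser still waiting for sync.
        return "nothing recorded: check device address and sync state"
    opcodes = [r.opcode for r in records]
    # Only red packets after 'accept crypt' means the analyser could not decrypt:
    # the link key is missing or the wrong PIN was entered in security settings.
    if "accept_crypt" in opcodes:
        after = records[opcodes.index("accept_crypt") + 1:]
        if after and all(r.error for r in after):
            return "undecrypted after accept crypt: link key missing or wrong PIN"
    # A fresh pairing shows in_rand, then au_rand, then sres, in that order.
    try:
        i = opcodes.index("in_rand")
        a = opcodes.index("au_rand", i)
        opcodes.index("sres", a)
        return "pairing captured: link key derivable from PIN"
    except ValueError:
        pass
    if "au_rand" in opcodes:
        # au_rand without in_rand: authentication with an existing link key.
        return "already paired: delete the pairing on one device and retry"
    return "no pairing exchange found"


if __name__ == "__main__":
    # Constructed sample listings, one per troubleshooting case.
    samples = {
        "fresh pairing": [LmpRecord("in_rand"), LmpRecord("au_rand"), LmpRecord("sres")],
        "re-authentication": [LmpRecord("au_rand"), LmpRecord("sres")],
        "bad PIN": [LmpRecord("au_rand"), LmpRecord("sres"), LmpRecord("accept_crypt"),
                    LmpRecord("?", error=True), LmpRecord("?", error=True)],
    }
    for name, trace in samples.items():
        print(f"{name}: {triage_pairing_trace(trace)}")
```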