Creating a PAN with Thinkpad R51, Samsung D500 and iPaq RX4240
Sh4d03
mlists at shadow-security.net
Mon Apr 23 08:32:33 UTC 2007
Hello all,
Ultimately I want to be able to connect my Laptop, PDA and Mobile
together to share/synchronise appointments and contacts - the usual guff.
My Hardware is as follows:
IBM Thinkpad R51
USB Bluetooth Adapter (unknown brand)
Samsung D500 Mobile Phone (Cellular)
HP iPaq RX4240 Personal Digital Assistant
My Software (so far):
FreeBSD 6.2-STABLE
obexapp-1.4.5
openobex-1.3
I've read/followed the handbook section for Bluetooth and accomplished
the following so far:
I've loaded the Kernel Module
# kldload ng_ubt
I've plugged in my USB Dongle and received the following in dmesg:
ubt0: vendor 0x0a12 product 0x0001, rev 2.00/15.93, addr 3
ubt0: vendor 0x0a12 product 0x0001, rev 2.00/15.93, addr 3
ubt0: Interface 0 endpoints: interrupt=0x81, bulk-in=0x82, bulk-out=0x2
ubt0: Interface 1 (alt.config 5) endpoints: isoc-in=0x83, isoc-out=0x3;
wMaxPacketSize=49; nframes=6, buffer size=294
I've copied /usr/share/examples/netgraph/bluetooth/rc.bluetooth to
/etc/rc.bluetooth - despite 6.1 and above apparently being able to start
bluetooth automagically.
Now I run 'hccontrol -n ubt0hci inquiry' and receive:
# hccontrol -n ubt0hci inquiry
Inquiry result, num_responses=1
Inquiry result #0
BD_ADDR: 00:12:47:5c:be:6a
Page Scan Rep. Mode: 0x1
Page Scan Period Mode: 00
Page Scan Mode: 00
Class: 52:02:04
Clock offset: 0x15e3
Inquiry result, num_responses=1
Inquiry result #0
BD_ADDR: Sh4d03_PDA
Page Scan Rep. Mode: 00
Page Scan Period Mode: 0x2
Page Scan Mode: 00
Class: 32:01:10
Clock offset: 0x59fd
Inquiry complete. Status: No error [00]
#
Next, to find out whether the first entry is really my phone I run
'hccontrol -n ubt0hci remote_name_request 00:12:47:5c:be:6a'
# hccontrol -n ubt0hci remote_name_request 00:12:47:5c:be:6a
BD_ADDR: 00:12:47:5c:be:6a
Name: Sh4d03_Mobile
Yep, it sure is.
Next, I do 'hccontrol -n ubt0hci read_connection_list' and receive only
the column headings - i.e. no currently open connections, which would
make sense - right?
Next, I attempt an l2ping to both devices:
# sudo l2ping -a 00:12:47:5c:be:6a -c 4
4 bytes from 00:12:47:5c:be:6a seq_no=1313822285 time=560.831 ms result=0
4 bytes from 00:12:47:5c:be:6a seq_no=1313822285 time=36.562 ms result=0
4 bytes from 00:12:47:5c:be:6a seq_no=1313822285 time=31.758 ms result=0
4 bytes from 00:12:47:5c:be:6a seq_no=1313822285 time=42.943 ms result=0
# sudo l2ping -a Sh4d03_PDA -c 4
44 bytes from Sh4d03_PDA seq_no=0 time=31.945 ms result=0
44 bytes from Sh4d03_PDA seq_no=1 time=43.630 ms result=0
44 bytes from Sh4d03_PDA seq_no=2 time=31.823 ms result=0
44 bytes from Sh4d03_PDA seq_no=3 time=34.018 ms result=0
Now I figure it's time I should pair my devices, so firstly I add the
following entries into /etc/bluetooth/hcsecd.conf:
device {
bdaddr 00:12:47:6c:be:6a
name "Sh4d03_Mobile"
key nokey;
pin "1777";
}
device {
bdaddr Sh4d03_PDA
name "Sh4d03_PDA"
key nokey;
pin "1777";
}
I then added the line 'hcsecd_enable="YES"' to my /etc/rc.conf. I can't
remember whether this process automagically started but while writing
this I kill -9'd the process and started it manually like so:
# hcsecd -f /etc/bluetooth/hcsecd.conf
# ps auxw | grep hcsecd
root 18341 0.0 0.1 1432 720 ?? Is 4:46PM 0:00.00 hcsecd -f
/etc/bluetooth/hcsecd.conf
Next I used sdpcontrol to browse the services of the PDA:
# sdpcontrol -a Sh4d03_PDA browse
Record Handle: 0x00010000
Service Class ID List:
GN (0x1117)
Protocol Descriptor List:
L2CAP (0x0100)
Protocol specific parameter #1: u/int/uuid16 15
BNEP (0x000f)
Protocol specific parameter #1: u/int/uuid16 256
Protocol specific parameter #2: 0x09 0x08 00 0x09 0x08
0x06
Bluetooth Profile Descriptor List:
GN (0x1117) ver. 1.0
Record Handle: 0x00010001
Service Class ID List:
PANU (0x1115)
Protocol Descriptor List:
L2CAP (0x0100)
Protocol specific parameter #1: u/int/uuid16 15
BNEP (0x000f)
Protocol specific parameter #1: u/int/uuid16 256
Protocol specific parameter #2: 0x09 0x08 00 0x09 0x08
0x06
Bluetooth Profile Descriptor List:
PANU (0x1115) ver. 1.0
Record Handle: 0x00010002
Service Class ID List:
Serial Port (0x1101)
Protocol Descriptor List:
L2CAP (0x0100)
RFCOMM (0x0003)
Protocol specific parameter #1: u/int8/bool 1
Bluetooth Profile Descriptor List:
Serial Port (0x1101) ver. 1.0
Record Handle: 0x00010003
Service Class ID List:
OBEX Object Push (0x1105)
Protocol Descriptor List:
L2CAP (0x0100)
RFCOMM (0x0003)
Protocol specific parameter #1: u/int8/bool 2
OBEX (0x0008)
Bluetooth Profile Descriptor List:
OBEX Object Push (0x1105) ver. 1.0
Record Handle: 0x00010004
Service Class ID List:
OBEX File Transfer (0x1106)
Protocol Descriptor List:
L2CAP (0x0100)
RFCOMM (0x0003)
Protocol specific parameter #1: u/int8/bool 3
OBEX (0x0008)
Bluetooth Profile Descriptor List:
OBEX File Transfer (0x1106) ver. 1.0
Record Handle: 0x00010005
Service Class ID List:
Headset Audio Gateway (0x1112)
Generic Audio (0x1203)
Protocol Descriptor List:
L2CAP (0x0100)
RFCOMM (0x0003)
Protocol specific parameter #1: u/int8/bool 4
Bluetooth Profile Descriptor List:
Headset (0x1108) ver. 1.1
And then the same for the Mobile Phone:
# sdpcontrol -a 00:12:47:6c:be:6a browse
Could not execute command "browse". Host is down
Ah, the first sign of trouble. I stopped working on the Phone from here
on but would appreciate any input on a possible cause. I've previously
had this Phone working with (I think) FreeBSD - however it *may* have
been when I was still using Gentoo.
Back to the PDA - I can see the services offered by the PDA so I
installed obexapp and tried to connect:
# cd /usr/ports/comms/obexapp
# make install clean
<snip>
# obexapp -c -a Sh4d03_PDA -C 1
This looked promising because the PDA then asked me for a pass key - I
entered the same as I entered in the hcsecd.conf and hit ok, but obexapp
simply dropped to a new line where I believe I should have received the
obexftp prompt or something similar.
My hcidump -x of this connection is as follows:
Before running obexapp:
p# hcidump -x
HCIDump - HCI packet analyzer ver 1.5
device: any snap_len: 65535 filter: 0xffffffff
After starting obexapp, before entering code into PDA:
< HCI Command: Create Connection(0x01|0x0005) plen 13
68 75 1A 18 10 00 18 CC 00 00 00 00 00
> HCI Event: Command Status(0x0f) plen 4
00 01 05 04
> HCI Event: Connect Complete(0x03) plen 11
00 2B 00 68 75 1A 18 10 00 01 00
< HCI Command: Write Link Policy Settings(0x02|0x000d) plen 4
2B 00 0E 00
< ACL data: handle 0x002b flags 0x02 dlen 12
L2CAP(s): Connect req: psm 3 scid 0x006b
> HCI Event: Number of Completed Packets(0x13) plen 5
01 2B 00 01 00
> HCI Event: Max Slots Change(0x1b) plen 3
2B 00 05
> HCI Event: Command Complete(0x0e) plen 6
01 0D 08 00 2B 00
> ACL data: handle 0x002b flags 0x02 dlen 16
L2CAP(s): Connect rsp: dcid 0x0041 scid 0x006b result 0 status 0
< ACL data: handle 0x002b flags 0x02 dlen 12
L2CAP(s): Config req: dcid 0x0041 flags 0x0000 clen 0
> ACL data: handle 0x002b flags 0x02 dlen 16
L2CAP(s): Config req: dcid 0x006b flags 0x0000 clen 4
MTU 1691
< ACL data: handle 0x002b flags 0x02 dlen 14
L2CAP(s): Config rsp: scid 0x0041 flags 0x0000 result 0 clen 0
> HCI Event: Number of Completed Packets(0x13) plen 5
01 2B 00 01 00
> ACL data: handle 0x002b flags 0x02 dlen 14
L2CAP(s): Config rsp: scid 0x006b flags 0x0000 result 0 clen 0
< ACL data: handle 0x002b flags 0x02 dlen 8
L2CAP(d): cid 0x41 len 4 [psm 3]
RFCOMM(s): SABM: cr 1 dlci 0 pf 1 ilen 0 fcs 0x1c
> HCI Event: Number of Completed Packets(0x13) plen 5
01 2B 00 01 00
> HCI Event: Number of Completed Packets(0x13) plen 5
01 2B 00 01 00
> ACL data: handle 0x002b flags 0x02 dlen 8
L2CAP(d): cid 0x6b len 4 [psm 3]
RFCOMM(s): UA: cr 1 dlci 0 pf 1 ilen 0 fcs 0xd7
< ACL data: handle 0x002b flags 0x02 dlen 18
L2CAP(d): cid 0x41 len 14 [psm 3]
RFCOMM(s): PN CMD: cr 1 dlci 0 pf 0 ilen 10 fcs 0x70 mcc_len 8
dlci 2 frame_type 0 credit_flow 15 pri 7 ack_timer 0 frame_size
667 max_retrans 0 credits 7
> HCI Event: Number of Completed Packets(0x13) plen 5
01 2B 00 01 00
> ACL data: handle 0x002b flags 0x02 dlen 18
L2CAP(d): cid 0x6b len 14 [psm 3]
RFCOMM(s): PN RSP: cr 0 dlci 0 pf 0 ilen 10 fcs 0xaa mcc_len 8
dlci 2 frame_type 0 credit_flow 14 pri 7 ack_timer 0 frame_size
660 max_retrans 0 credits 7
< ACL data: handle 0x002b flags 0x02 dlen 8
L2CAP(d): cid 0x41 len 4 [psm 3]
RFCOMM(s): SABM: cr 1 dlci 2 pf 1 ilen 0 fcs 0x59
> HCI Event: Number of Completed Packets(0x13) plen 5
01 2B 00 01 00
After entering code into PDA:
> HCI Event: PIN Code Request(0x16) plen 6
68 75 1A 18 10 00
< HCI Command: PIN Code Request Negative Reply(0x01|0x000e) plen 6
68 75 1A 18 10 00
> HCI Event: Command Complete(0x0e) plen 10
01 0E 04 00 68 75 1A 18 10 00
> HCI Event: Disconn Complete(0x05) plen 4
00 2A 00 05
From this point on I'm stuck. Googling 'PIN Code Request Negative
Reply' didn't give me much useful information.
Any assistance would be greatly appreciated. I've been very verbose in
the information I've provided so hopefully I've given all the required
details.
When the journey is over I'll be documenting and posting to my website
what was necessary to get to where I wanted to be with Bluetooth, my
phone, my PDA, my laptop and FreeBSD.
Kind Regards,
Sh4d03
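Added example, not part of the original post: a small cross-check of the addresses that appear in the output above against the bdaddr lines of the posted hcsecd.conf. It decodes the PIN Code Request payload (HCI sends a BD_ADDR least-significant byte first) and compares literal addresses only. The function names are hypothetical, and a bdaddr given as a name is left unresolved as an assumption.

```python
import re

# Values copied from the post above.
INQUIRY_ADDR = "00:12:47:5c:be:6a"       # phone, from 'hccontrol inquiry'
PIN_REQUEST_BYTES = "68 75 1A 18 10 00"  # payload of the PIN Code Request event
HCSECD_CONF = '''
device {
bdaddr 00:12:47:6c:be:6a
name "Sh4d03_Mobile"
key nokey;
pin "1777";
}
device {
bdaddr Sh4d03_PDA
name "Sh4d03_PDA"
key nokey;
pin "1777";
}
'''

ADDR_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def bdaddr_from_hci(payload_hex):
    """Reverse the six wire-order octets into the usual display form."""
    octets = payload_hex.split()[:6]
    return ":".join(reversed(octets)).lower()

def conf_bdaddrs(conf_text):
    """Return the value of every 'bdaddr' line, lower-cased."""
    return [m.group(1).rstrip(";").lower()
            for m in re.finditer(r"^\s*bdaddr\s+(\S+)", conf_text, re.M)]

def check(seen_addr, conf_text):
    """Classify one observed address against the literal config entries."""
    literal = [e for e in conf_bdaddrs(conf_text) if ADDR_RE.match(e)]
    if seen_addr in literal:
        return "match"
    # An entry differing in exactly one character is most likely a typo.
    near = [e for e in literal
            if sum(a != b for a, b in zip(e, seen_addr)) == 1]
    if near:
        return "near-miss " + near[0]
    return "no literal entry"

if __name__ == "__main__":
    print("phone:", check(INQUIRY_ADDR, HCSECD_CONF))
    pda = bdaddr_from_hci(PIN_REQUEST_BYTES)
    print("pda  :", pda, check(pda, HCSECD_CONF))
```

On the values in the post this reports a one-digit difference between the inquiry address and the configured phone entry, and no literal entry for the address carried in the PIN Code Request.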