Open Radar

 
Summary:
We observed an issue where the iPod's Bluetooth (LE) controller was using an EDIV (0xcdc1) / Rand (0x9731f7bdf5e0b466) that had never been given to it. This caused the Bluetooth controller on the end of the accessory (Pebble Time) to disconnect with an Connection Failed Due to MIC Failure (0x3D).

Shortly after, we opened the Bluetooth Settings on iOS.
The Settings app hung for a while.
Then Bluetooth appeared to get power-cycled.
After this, the LE connection was getting set up correctly and the right EDIV (0xe2cb) / Rand (0x0x336039bb9d0bb724) were being used again.

We captured an air trace of the issue (see attachments).
When opening the trace in Frontline's Viewer, look at the "LE LL" tab.
The first 2 LL_ENC_REQ have the bad EDIV / Rand.
The 3rd LL_ENC_REQ is after power cycling BT on the iPod and have the correct EDIV / Rand.

I can't tell whether the EDIV / Rand were already bad when given to the iPod's BT controller or whether the controller itself somehow mangled them (there was no HCI trace captured on the iPod's side)

Steps to Reproduce:
We currently don't have a way to reproduce.

Expected Results:
The EDIV / Rand (and LTK) that is used by the Apple device should always match those that are given to it in the prior pairing procedure.

Actual Results:
The EDIV / Rand that were used in the LL_ENC_REQ were not the ones given to the Apple device in the prior pairing procedure.

Version:
iOS 8.3

Notes:


Configuration:
iPod Touch ME643LL/A

Attachments: