feat(ble): auto-unpair the peer on BT_SECURITY_ERR_PIN_OR_KEY_MISSING#3385
Open
akira-toriyama wants to merge 1 commit into
Open
feat(ble): auto-unpair the peer on BT_SECURITY_ERR_PIN_OR_KEY_MISSING#3385akira-toriyama wants to merge 1 commit into
akira-toriyama wants to merge 1 commit into
Conversation
Add CONFIG_ZMK_BLE_AUTO_UNPAIR_ON_KEY_MISSING (default n). When the BLE peer rejects security elevation with BT_SECURITY_ERR_PIN_OR_KEY_MISSING (its bond table no longer matches ours), call bt_unpair and bt_conn_disconnect so the next advert initiates a fresh pairing exchange. Why --- In a split / dongle keyboard setup, if one side's bond is wiped (e.g. partial settings reset, NVS corruption, or one peripheral's flash re-flashed without the other half being rebonded), every subsequent reconnect ends in the same security_changed callback with PIN_OR_KEY_MISSING. The connection stays up but is unusable, and the loop is not recoverable without manually wiping bonds on both sides and going through the pairing flow again. What ---- The existing security_changed handler logs the error and otherwise takes no action. When the new Kconfig is enabled, the PIN_OR_KEY_MISSING branch additionally drops our half of the bond (bt_unpair) and disconnects with BT_HCI_ERR_AUTH_FAIL, putting the endpoint back into "discoverable and unpaired" state so the next advert/scan cycle can re-establish a fresh pairing without user intervention. Default is `n` to preserve the current behaviour. Firmwares bitten by the dongle/split stale-bond loop can opt in. Signed-off-by: Akira Toriyama <noreply@anthropic.com>
Merged
2 tasks
akira-toriyama
added a commit
to akira-toriyama/canon
that referenced
this pull request
Jun 9, 2026
…#46) 両 patch を zmkfirmware/zmk へ Kconfig gate (default n) 付きで PR 済: - security-changed-auto-unpair → zmkfirmware/zmk#3385 - usb-hid-prime-on-ready → zmkfirmware/zmk#3384 merge され次第 patches/zmk/ から畳む方針。dongle-roadmap.md と patches/zmk/README.md の該当節を「提案準備中」から「PR 中」状態に 更新する。 Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Add
CONFIG_ZMK_BLE_AUTO_UNPAIR_ON_KEY_MISSING(defaultn). Whenenabled, the
security_changedhandler reacts toBT_SECURITY_ERR_PIN_OR_KEY_MISSINGby callingbt_unpairandbt_conn_disconnect, so the next advert initiates a fresh pairingexchange instead of looping on the same handshake failure.
Why
In a split / dongle keyboard setup, if one side's bond is wiped
(partial settings reset, NVS corruption, or reflashing one peer
without rebonding the other), every subsequent reconnect ends in
security_changedwithPIN_OR_KEY_MISSING. The connection staysup but is unusable, and the loop is not recoverable without manually
wiping bonds on both sides and going through the pairing flow again.
The existing handler logs the error and otherwise does nothing,
which means there is no firmware-side recovery path for the
asymmetric-bond case that is easy to hit on dongle setups.
How
The new branch sits inside the existing
elsearm ofsecurity_changed, guarded by the Kconfig. When the peer reportsPIN_OR_KEY_MISSING, drop our half of the bond and disconnect withBT_HCI_ERR_AUTH_FAIL. The endpoint goes back to discoverable +unpaired, and the next advert/scan cycle re-establishes a fresh
pairing without user intervention.
Default-off so the current behaviour (surface the error, take no
action) is preserved for users who would rather notice and act
manually.
Testing
Tested in production on a dongle-based BLE split
(XIAO BLE central + two
assimilator-btperipherals). Reproducedthe loop by wiping one peripheral's bond settings while the central
retains theirs; with the option enabled, the central self-recovers
into a fresh pair on the next reconnect attempt; with the option
disabled (or this patch absent), the loop persists until both bonds
are wiped manually.
Downstream use: akira-toriyama/canon
runs this fix as an out-of-tree patch (
patches/zmk/security-changed-auto-unpair.patch)pending this upstream PR.
PR check-list