Where to find Bluetooth link keys in the Windows registry for the EkoBuy USB dongle / CSR Harmony stack

TLDR; the data you want is in

LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CsrBtPort\ScDbData

and you’re looking for a 32 character string within that block, that changes when you re-pair the device.


Since 2005, I had been using the keyboard that came with the Dell desktop I bought when I went to university (with a brief interlude to find out that I don’t get on with Cherry MX black switches). By now, it’s pretty grotty. Also, my friend Jimmy spilled a glass of cheap red wine into it at some point in second year.

Having recently started working at a company where nearly everything is done on Macbooks, I have been very impressed with the Apple Magic keyboard that I was provided with. I thought I would give the Logitech K380 a go; especially appealing is a feature that allows you to switch between three devices without having to re-pair. This means that I can use it with my work laptop, and also with my home desktop, and have one channel left for my tablet.

Did you know that the Bluetooth logo is derived from Scandanavian runes?

My desktop machine is the frankensteiny result of cumulatively upgrading a 2011 AMD Phenom 2 x6 build (6 cores omg) — it just keeps on keeping on! But of course, it has nothing so exotic as onboard Bluetooth. The EkoBuy Bluetooth 4.0 dongle is well reviewed on Amazon, and cheap, so I decided to give it a try.

“Sure, I guess I’ll get this one”

Once I had accepted that it wasn’t going to plug ’n’ play on Windows 7, and had installed the packaged drivers, it worked well enough. (I had trouble pairing a Logitech MX Master 2S mouse, but that works with a Logitech Universal Receiver, so whatevs.)

However, here’s the wrinkle: I dual-boot my computer with Linux (currently Linux Mint 18.3). Unfortunately, Bluetooth pairing relies on matching a key stored in both the device, and the computer’s OS. And a different key is generated each time it is paired. If you pair on Windows, reboot into Linux, and pair again, the Windows pairing will be broken. Pair again in Windows, and the Linux pairing will be broken. Therefore, you need to pair with one OS, then copy the link key to the other OS.

In Linux Mint, the Bluetooth link key is stored very sensibly, in a file called info in the directory /var/lib/bluetooth/[bluetooth dongle MAC address]/[keyboard MAC address]/

[LinkKey]

Unfortunately, in Windows, the equivalent information is (like so many things) buried deep within the registry. Apparently, if the device is using the default Windows Bluetooth stack, the place to look is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys , where you’ll find a set of keys corresponding to your paired Bluetooth devices’ MAC addresses.

At least the MAC address is easy to find

But if, like me, you had to install the EkoBuy dongle’s drivers (which probably means you’re using Windows 7, 8 or Vista), then you will instead be using something that calls itself the ‘CSR Harmony stack’, which doesn’t use the default registry structure at all. Using the regedit search function, I was able to find a whole bunch of likely-looking keys prefixed with csr, but nothing resembling the MAC address of my keyboard.

Perhaps surprisingly for such an popular device, Googling both EkoBuy and CSR Harmony didn’t turn up anything obvious, so I had to search more widely in the registry.

There is a tool called whatchanged.exe , downloadable from majorgeeks, which you can use to dump the registry to a text file, pair your device, and then scan the registry for changes, and dump the changed keys to another file. (It also takes bloody forever: it must be a very brute-force-y kind of a search. I imagine there is probably a fairly standard way to serialise the registry as text files that can then be diffed; I should work out how to do it that way next time.)

As expected, in the WhatChanged output file, there was no plaintext MAC address to be seen. But there was the following suspicious-looking key:

...\CurrentControlSet\services\CsrBtPort\ScDbData=šx€úÿÿ3Œ€øÿÿÁ•

CsrBtPort certainly seems like a promising name! And, weird garbage characters in a text file usually mean binary data. Let’s have a closer look at it in regedit:

Red underlining mine

Well, that’s definitely the name of my keyboard in the ASCII view on the right, and in the hex view on the left is its MAC address: backwards, and padded for some reason. The conventional representation

34:88:5d:95:0f:c1 

has become

C1 0F 95 00 5D 00 88 34

But it’s definitely the MAC address I’m looking for! Hopefully the link key is buried somewhere else in this big block of binary data. Let’s export this registry data to a text file, delete and re-pair the keyboard, and see how it changes.

Hmm…

There are a few changes, here and there, between pairings. However, there is only one 16 byte string that changes between the two — could this be the link key?

b9f8e36c8975e07d800909b6d88f5aba

With the commas taken out, and saved to Dropbox, it’s ready to paste over the link key in Linux:

(There’s that mouse I mentioned earlier.)

I don’t know much about Bluetooth development, but it seems a strange decision to encode Bluetooth pairing information like this. If I’d thought to search the registry for the MAC address in binary format, I probably wouldn’t have thought to search for it backwards. And if I had, I might have thought to take out the colons, but I probably wouldn’t have arbitrarily padded it with zeros. But now you know where to look!


References:

I learned most of what I needed on the practicalities of Bluetooth pairing, registry editing and dual-booting from this excellent post on Stack Exchange by Mario Olivio Flores:

https://unix.stackexchange.com/questions/255509/bluetooth-pairing-on-dual-boot-of-windows-linux-mint-ubuntu-stop-having-to-p