Security And Pairing
The current firmware allows clients to connect, read, and subscribe without write authorization. Writes are accepted only when the session policy says the connection is allowed to write.
Write Authorization
A protocol or OTA data write must pass both BLE security and application policy.
The connection must be:
- paired/bonded according to the device
- encrypted
- authenticated
- authorized as the current write owner
If a write reaches the firmware but fails the application policy, the device sends a ble_access update with write_rejected=true.
Pairing Mode
Pairing mode is entered from physical controls on the box. In the current quizzer handler, the chord is:
QUIZZER_RESET + TIMER_530 + CONTEST
While pairing mode is active:
- the device displays a six-digit PIN
- pairing requests can be accepted
- the BLE access status is
PAIRING_MODE - pressing
QUIZZER_RESETorTIMER_RESETexits pairing mode - pairing mode also exits on timeout or successful pairing
The advertised name remains Reaction_XXXXXX.
PIN And Lockout Settings
Defaults from DeviceConfig:
| Setting | Default |
|---|---|
| pairing timeout | 60000 ms |
| PIN failure limit | 3 |
| PIN lockout | 300000 ms |
| stale bond quick timeout window | 3000 ms |
| stale bond strikes | 2 |
These values are configurable through ConfigMessage.
Write Owner Behavior
The firmware tracks one write-authorized owner. When a new peer successfully pairs during pairing mode, the firmware deletes other stored bonds and downgrades other connected peers to read-only access.
Other connected clients may remain connected for notifications, but write access stays reserved for the authorized owner.
BLE Access Updates
BleAccessMessage is carried by the root ble_access oneof.
Statuses:
| Status | Meaning |
|---|---|
NO_CONNECTION |
no BLE peers connected |
READ_ONLY |
at least one peer connected, no current write-authorized connection |
WRITE_AUTHORIZED |
a connected peer can write |
PAIRING_MODE |
pairing mode is active |
Write rejection reasons:
| Reason | Meaning |
|---|---|
WRITE_REJECT_NOT_AUTHORIZED |
connection is not the current write owner |
WRITE_REJECT_NOT_PAIRED |
connection is not paired/bonded |
WRITE_REJECT_NOT_ENCRYPTED |
connection is not encrypted |
WRITE_REJECT_NOT_AUTHENTICATED |
connection is not authenticated |
Client UX recommendation: if a write is rejected, show the reject_reason and offer a re-pair flow that tells the user to enter pairing mode physically on the box.