Provisioning

What Is Provisioning?

Provisioning is the process of adding an unprovisioned BLE device to a Bluetooth Mesh network. During provisioning, the device receives a unicast address, the Network Key (NetKey), and other configuration data that allow it to participate in the mesh. Until provisioned, a device exists in an isolated state, unable to send or receive mesh messages.

Provisioning Flow

The provisioning procedure consists of five stages:

1. Beaconing. The unprovisioned device broadcasts Unprovisioned Device beacons containing its ATT">UUID and OOB information. The provisioner (typically a smartphone) scans for these beacons and presents discovered devices to the user.

2. Invitation. The provisioner sends a Provisioning Invite PDU. The device responds with its Provisioning Capabilities, including the number of elements, supported algorithms, input/output OOB capabilities, and public key availability.

3. Public Key Exchange. Both sides exchange ECDH public keys (P-256 curve). The exchange can happen in-band (over the provisioning bearer) or out-of-band (e.g., via a QR code printed on the device packaging).

4. Authentication. The provisioner and device authenticate the ECDH exchange using one of four methods: - No OOB -- similar to Just Works, no MITM protection. - Static OOB -- a pre-shared value (printed on the device or stored in a database). - Output OOB -- the device outputs a value (blinks an LED, beeps) for the user to enter on the provisioner. - Input OOB -- the provisioner displays a value for the user to enter on the device (push a button N times).

5. Data Distribution. Over the now-authenticated and encrypted link, the provisioner sends the Provisioning Data PDU containing the NetKey, Key Index, Flags (Key Refresh, IV Update), IV Index, and the assigned unicast address.

Bearers

Provisioning can occur over two bearers:

• PB-ADV -- uses BLE advertising packets. The provisioner and device exchange Generic Provisioning PDUs on the advertising channels. This is the most common bearer for devices without GATT support.
• PB-GATT -- uses a GATT-based connection. The provisioner connects to the device's Mesh Provisioning Service (UUID 0x1827) and exchanges provisioning PDUs over a GATT characteristic. This bearer is necessary when the provisioner cannot send or receive PB-ADV packets (most smartphones).

Post-Provisioning Configuration

After provisioning, the device is part of the network but has minimal configuration. The provisioner then uses the Configuration Client model to:

• Add Application Keys (AppKeys) and bind them to models.
• Set publication addresses (where the node sends messages).
• Add subscription addresses (which group messages the node receives).
• Configure relay, friend, or proxy features.