Bluetooth Protocol

Bluetooth is a short-range wireless technology for exchanging data between devices. In this note we look at the protocol side of Bluetooth (Classic, i.e. BR/EDR): how one device discovers another, how the two line up their clocks and hopping sequences, and how a link is set up and kept alive. The same procedures sit underneath everything from headphones to heart-rate monitors, so understanding the sequence is also the starting point for reading a Bluetooth trace.

Overall State Transition

The overall state flow of Bluetooth communication is as follows. With a circular state diagram like this it helps to pick one starting point and one end point; otherwise you keep cycling through the states and your eyes spin along with them. Here "Standby" is taken as the starting point and "Tx/Rx" as the end point, following the path marked with red arrows.

When you turn on a Bluetooth device it enters Standby and then starts an Inquiry. This is like broadcasting in every direction: "Is anyone listening to me? If so, tell me your address." Through this process the device may get responses from several devices. If it finds a device it wants to connect to, it sends a Page message to that device, meaning "I want to connect to you". If the other side accepts, both parties enter Connected mode through the sequence of steps described in the next section.
Once in Connected mode both parties can transmit and receive data. But what if there is no data to transmit or receive for a long time? If they stayed awake during that period they would waste a lot of battery. To reduce this waste, Bluetooth supports three levels of power-saving mode, called Sniff, Hold and Park.
In Sniff mode the device still maintains synchronization with the piconet (the network formed between Bluetooth devices), but instead of listening in every slot the slave listens to the master only at periodic anchor points, so the Tx/Rx duty cycle is reduced. The period between anchor points is called the "Sniff Interval"; it is programmable and depends on the application.
In Hold mode only the internal clock in the device keeps running. Data transfer is not possible in this mode, but when there is data to send the device can switch back to Active mode very quickly. Hold mode can be initiated by either the master or the slave.
In Park mode the device still maintains synchronization with the piconet but does not transmit or receive any data. It even gives up its active member address (AM_ADDR, the 3-bit address that identifies an active slave within the piconet) and only wakes up periodically to listen to the master's beacon. If the master wants to exchange data with it, the device first has to be unparked and given an active member address again, which takes a little longer than leaving Sniff or Hold, but this is the mode that saves the most energy.
Overall Protocol Sequence

The overall protocol sequence from Inquiry to connection setup can be illustrated as follows:
Inquiry Procedure

Call Device 1 the source (the device that will become master) and Device 2 the destination (the device that will become slave). The whole process is designed so that the two devices do not need precise, long-term clock synchronization; their clocks only need to be lined up well enough for the duration of the inquiry and page procedures. Once a connection exists, the slave follows the master's clock and the channel hopping sequence derived from it, and that is what keeps the two in step for the life of the link.

Device 2 is in the Inquiry Scan state, where it listens for inquiry packets. It listens periodically according to its own clock, following a schedule of scan windows (when it listens) and scan intervals (the time between windows).

Device 1 is in the Inquiry state and transmits inquiry ID packets on the inquiry hop sequence. That sequence is derived from the General Inquiry Access Code (the LAP 0x9e8b33 seen in the Inquiry command of the example log below), not from any device address, and the timing of the packets follows Device 1's own clock.

When Device 2 receives an inquiry packet during its scan window it enters the Inquiry Response state. To avoid colliding with other devices answering the same inquiry it first backs off for a random period, and then answers the next inquiry packet it hears with an FHS (Frequency Hop Synchronization) packet carrying its Bluetooth device address (BD_ADDR), its native clock and its class of device.

The response is sent a fixed time after the inquiry packet that triggered it, which is how it lands in the window in which Device 1 is listening. Its timing is therefore relative to Device 1's inquiry packet, not to any shared clock. Device 1 records the slave's address together with the difference between the slave's clock and its own; this difference is what an HCI Inquiry Result event reports as the Clock Offset.
Paging Procedure

Paging follows inquiry and device discovery. It is the procedure that establishes the link between the master and a slave, and timing is crucial throughout: the messages have to be exchanged and acknowledged within specific time slots. The FHS packet is the key synchronization step, and the direction matters: in paging it is the master that sends the FHS, and it is the slave that adopts the master's clock and address for the hopping sequence.

The master, which learned the slave's address and clock difference during inquiry, sends page ID packets. They go out on the page hop sequence, which is determined by the slave's device address and the master's estimate of the slave's clock (its own clock plus the difference learned during inquiry). If that estimate is stale the page simply takes longer, because the master has to sweep more of the sequence before it hits the frequency the slave is listening on.

The slave, in the Page Scan state, recognizes the page packet as addressed to it (the access code is derived from its own address) and sends a page reply, an ID packet, back to the master. This reply tells the master that the slave is ready to establish a connection.

The master then sends an FHS packet to the slave. This packet contains the master's Bluetooth device address, the master's clock and the active member address (AM_ADDR) the slave will use in the piconet.

The slave acknowledges the FHS with another ID packet and uses the information in it to switch to the channel hopping sequence, which is derived from the master's address and clock. The slave does not rewrite its own native clock; it stores the offset between its native clock and the master's clock and applies that offset whenever it computes the piconet clock.
After this exchange the master and slave are synchronized and the link is established; they can now communicate on the agreed channel hopping sequence.

Connection Procedure

After paging, the devices run the connection procedure to finalize the link. Its purpose is to confirm that master and slave are still in step on the channel hopping sequence set up during paging, which is what allows data packets to be transferred without error and in the correct order.

The master sends a POLL packet to the slave. This packet carries no payload; it only checks that the slave is listening on the new sequence, and it is the master's way of verifying that the connection is live after the paging process.

The slave has to answer the POLL with a packet of its own (normally a NULL packet). The reply is essential: it shows that the slave is in range and has correctly taken over the master's clock from the paging step. If the master hears nothing within the newconnectionTO timeout it gives up and returns to paging.

Once the poll and its reply have confirmed that both devices are present and synchronized, they enter the connection state. From here on the two devices have an established link and begin normal data transfer.
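The inquiry, page and connection sequence described above, run as a two-device simulation in Python. This is an added example, not code from the original note or from any Bluetooth stack: the hop-selection function is a labelled stand-in for the specification's kernel, and the host address, the starting clock values and the search bound are constructed for the simulation. What it makes visible that the prose cannot is the clock bookkeeping: the master never learns the slave's clock as an absolute value, only the difference (which is what an HCI Clock Offset field carries), and the slave never rewrites its native clock, it stores the offset taken from the master's FHS and hops with CLKN plus that offset.

```python
"""Inquiry -> Page -> Connection as a two-device simulation with clock bookkeeping.

Added example, not code from the original note or from any Bluetooth stack. It follows
the message order and the fields each packet carries as described above; the hop
selection function is a labelled STAND-IN for the Core Specification's kernel, and the
host address, starting clocks and search bound are constructed for the simulation.
"""
from dataclasses import dataclass, field
from typing import Optional

CLK_MASK = (1 << 28) - 1   # CLKN is a 28-bit counter; bit 0 toggles every 312.5 us
SLOT = 2                   # one 625 us slot = 2 CLKN ticks
GIAC_LAP = 0x9E8B33        # General Inquiry Access Code LAP (the LAP in the log's Inquiry command)
SEARCH_SLOTS = 256         # constructed bound for one inquiry/page attempt (stands in for inquiryTO/pageTO)

def hop(address: int, counter: int, phase: str) -> int:
    """STAND-IN for the hop selection kernel: (address, counter) -> channel 0..78. The real kernel
    mixes address bits non-linearly; a linear form keeps the outcome easy to follow. What the text
    is about is WHICH inputs go in: GIAC for inquiry, the slave's address for page, the master's
    address and the piconet clock for the connection."""
    salt = {"inquiry": 0, "page": 17, "connection": 41}[phase]
    return ((address & 0xFFFFFF) + salt + counter) % 79

@dataclass
class Device:
    name: str
    bd_addr: int
    clkn: int                  # native clock; the protocol never rewrites it
    clk_offset: int = 0        # slave: (master CLK - own CLKN) learned from the FHS; master: 0
    am_addr: int = 0           # 3-bit active member address, assigned by the master in its FHS
    trace: list = field(default_factory=list)

    def clk(self) -> int:      # the clock the device hops with (the piconet clock once connected)
        return (self.clkn + self.clk_offset) & CLK_MASK

    def tick(self) -> None:    # advance one slot; both devices are always ticked together below
        self.clkn = (self.clkn + SLOT) & CLK_MASK

def hci_clock_offset(delta: int) -> int:
    """Clock_Offset as an HCI Inquiry Result reports it: bits 14..0 = bits 16..2 of
    (CLKNslave - CLKNmaster). The 0x42dd in the log is such a value."""
    return (delta >> 2) & 0x7FFF

def inquiry(m: Device, s: Device) -> Optional[dict]:
    """The master sweeps the inquiry sequence one hop per slot on its own clock; the scanning slave
    sits on the same sequence but steps it only every 1.28 s (CLKN bit 12), so the two coincide
    within a sweep. The slave then answers with an FHS carrying its BD_ADDR and CLKN (its random
    backoff before answering is skipped here)."""
    for _ in range(SEARCH_SLOTS):
        ch = hop(GIAC_LAP, m.clkn >> 1, "inquiry")
        if ch == hop(GIAC_LAP, s.clkn >> 12, "inquiry"):
            m.trace.append(f"inquiry: FHS from {s.bd_addr:012x} on ch {ch}, slave CLKN={s.clkn}")
            return {"bd_addr": s.bd_addr, "clkn": s.clkn}
        m.tick(); s.tick()
    return None

def page(m: Device, s: Device, slave_bd_addr: int, delta: int) -> bool:
    """The master pages on the SLAVE's page sequence keyed by its estimate of the slave's clock
    (own CLKN + the delta remembered from inquiry). On a hit: slave -> ID reply, master -> FHS with
    its own BD_ADDR, CLK and the AM_ADDR, slave -> ID ack. The slave keeps CLKN and stores the offset
    that maps it onto the master's clock."""
    for _ in range(SEARCH_SLOTS):
        estimate = (m.clkn + delta) & CLK_MASK
        if hop(slave_bd_addr, estimate >> 1, "page") == hop(s.bd_addr, s.clkn >> 12, "page"):
            s.trace.append("page: ID received, ID reply sent")
            fhs = {"bd_addr": m.bd_addr, "clk": m.clk(), "am_addr": 1}      # the master's FHS
            s.clk_offset = (fhs["clk"] - s.clkn) & CLK_MASK
            s.am_addr = fhs["am_addr"]
            s.trace.append(f"page: FHS from {fhs['bd_addr']:012x}, offset={s.clk_offset}, ID ack sent")
            return True
        m.tick(); s.tick()
    return False               # pageTO expired; the master would repeat the page train

def connection(m: Device, s: Device, slots: int = 8) -> Optional[list]:
    """Both sides now hop on the CHANNEL sequence keyed by the MASTER's address and the piconet clock.
    The master sends POLL in its slot and the slave must answer (NULL) in the next; the first slot
    in which the two disagree on the channel means the slave is lost, and None is returned."""
    used = []
    for _ in range(slots):
        ch = hop(m.bd_addr, m.clk() >> 1, "connection")
        if ch != hop(m.bd_addr, s.clk() >> 1, "connection"):
            return None
        used.append(ch)        # POLL from the master, NULL from the slave, on this channel
        m.tick(); s.tick()
    return used

def run(master_clkn: int = 1000, slave_clkn: int = 500_000) -> dict:
    """Standby -> Inquiry -> Page -> Connection; returns what each side ends up knowing."""
    m = Device("host", 0x001122334455, master_clkn)    # constructed master address
    s = Device("phone", 0x000E6D072EFA, slave_clkn)    # the phone's BD_ADDR from the log
    fhs = inquiry(m, s)
    if fhs is None:
        return {"connected": False}
    delta = (fhs["clkn"] - m.clkn) & CLK_MASK          # the master keeps the difference, not the value
    if not page(m, s, fhs["bd_addr"], delta):
        return {"connected": False}
    channels = connection(m, s)
    return {"connected": channels is not None, "delta": delta, "hci_clock_offset": hci_clock_offset(delta),
            "clocks_agree": m.clk() == s.clk(), "am_addr": s.am_addr, "channels": channels,
            "trace": m.trace + s.trace}
```

Calling run() walks the whole sequence and returns the trace plus the final state; connection() is also useful on its own, because handing it a slave whose clk_offset was never set shows how a device that skipped the FHS step falls off the channel sequence in the very first slot.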
Within the connection state the link can be in Active mode, where both devices send and receive data, or in one of the power-saving modes described earlier: Sniff, Hold or Park.

Example 01 >

Following is one example Bluetooth protocol log, Bluetooth1.cap from wiki.wireshark.org. It was captured on the HCI interface between the host (the Bluetooth stack on the computer) and the controller (the radio) over the H4 transport, so every record is either an HCI command sent by the host or an HCI event received from the controller. The baseband ID, FHS and POLL packets described above are exchanged by the controller itself and never appear here; what you see instead is the host asking for an inquiry, being told the results, and being asked for a PIN. Go through the overall sequence first and dig into the detailed parameters of each message as they interest you.

Reading it end to end: in (1) to (4) the host starts an Inquiry with the General Inquiry Access Code (LAP 0x9e8b33) and gets a single Inquiry Result carrying the phone's BD_ADDR, its Class of Device and its Clock Offset (0x42dd), which is exactly what the controller needs in order to page that phone. In (5) to (7) a Remote Name Request, which has to page the phone, fails with Page Timeout (0x04); note that the host sent it with Clock Offset 0x0000 and Clock_Offset_Valid_Flag false rather than the offset it had just learned. In (8) to (14) the phone pages this host instead (Connect Request for an ACL link); the host accepts and asks to remain slave, the controller asks the host for a PIN (legacy PIN pairing, from before Secure Simple Pairing), the host answers with PIN 1234, and the attempt ends in Connect Complete with Status Authentication Failure (0x05), handle 0x0029, encryption disabled. In (15) to (22) the phone tries again with the same PIN; this time the controller delivers a Link Key Notification (the combination key derived during pairing) and Connect Complete succeeds with handle 0x002a and Encryption Mode 0x01. In (23) to (30) the host sets the link policy (role switch, hold, sniff and park all allowed) and the packet types for the link, and the controller reports 5 as the maximum number of slots. In (29) to (35) further Remote Name Requests are issued, the phone ends the connection (reason 0x13), the outstanding name request completes with that reason, and a Disconnect Complete for handle 0x002a closes the trace.

Two things to take from this trace as a security reviewer. First, this is legacy PIN pairing with a 4-digit PIN: the link key is derived from the PIN and from values sent in clear during pairing, so an eavesdropper who records the pairing exchange has only 10^4 candidates to test offline, which is why Secure Simple Pairing replaced this scheme in Bluetooth 2.1. Second, the controller hands the finished link key to the host in the Link Key Notification event and it is written to the HCI log in clear; an HCI capture of a pairing (btsnoop, or Wireshark on the HCI interface) is therefore as sensitive as the key it contains and has to be stored and deleted accordingly.
(1) Inquiry
    Bluetooth HCI H4 [Direction: Sent (0x00)] HCI Packet Type: HCI Command (0x01)
    Bluetooth HCI Command - Inquiry
        Command Opcode: Inquiry (0x0401)
            0000 01.. .... .... = ogf: Link Control Commands (0x0001)
            .... ..00 0000 0001 = ocf: 0x0001
        Parameter Total Length: 5
        LAP: 0x9e8b33
        Inquiry Length: 16
        Num Responses: 0

(2) Command Status (Inquiry)
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Command Status
        Event Code: Command Status (0x0f)
        Parameter Total Length: 4
        Status: Pending (0x00)
        Number of Allowed Command Packets: 1
        Command Opcode: Inquiry (0x0401)

(3) Inquiry Result
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Inquiry Result
        Event Code: Inquiry Result (0x02)
        Parameter Total Length: 15
        Number of responses: 1
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Page Scan Repetition Mode: R1 (0x01)
        Page Scan Period Mode: P0 (0x00)
        Page Scan Mode: Mandatory Page Scan Mode (0x00)
        Class of Device: 0x420204 (Phone - services: Telephony, Networking)
        .100 0010 1101 1101 = Clock Offset: 0x42dd

(4) Inquiry Complete
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Inquiry Complete
        Event Code: Inquiry Complete (0x01)
        Parameter Total Length: 1
        Status: Success (0x00)

(5) Remote Name Request
    Bluetooth HCI H4 [Direction: Sent (0x00)] HCI Packet Type: HCI Command (0x01)
    Bluetooth HCI Command - Remote Name Request
        Command Opcode: Remote Name Request (0x0419)
            0000 01.. .... .... = ogf: Link Control Commands (0x0001)
            .... ..00 0001 1001 = ocf: 0x0019
        Parameter Total Length: 10
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Page Scan Repetition Mode: R1 (0x01)
        Page Scan Mode: Mandatory Page Scan Mode (0x00)
        .000 0000 0000 0000 = Clock Offset: 0x0000 (0 ms)
        0... .... .... .... = Clock_Offset_Valid_Flag: false (0)

(6) Command Status (Remote Name Request)
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Command Status
        Event Code: Command Status (0x0f)
        Parameter Total Length: 4
        Status: Pending (0x00)
        Number of Allowed Command Packets: 1
        Command Opcode: Remote Name Request (0x0419)

(7) Remote Name Req Complete
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Remote Name Req Complete
        Event Code: Remote Name Req Complete (0x07)
        Parameter Total Length: 255
        Status: Page Timeout (0x04)
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Remote Name:

(8) Connect Request
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Connect Request
        Event Code: Connect Request (0x04)
        Parameter Total Length: 10
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Class of Device: 0x6a0204 (Phone - services: Telephony, Audio, Capturing, Networking)
        Link Type: ACL connection (Data Channels) (0x01)

(9) Accept Connection Request
    Bluetooth HCI H4 [Direction: Sent (0x00)] HCI Packet Type: HCI Command (0x01)
    Bluetooth HCI Command - Accept Connection Request
        Command Opcode: Accept Connection Request (0x0409)
            0000 01.. .... .... = ogf: Link Control Commands (0x0001)
            .... ..00 0000 1001 = ocf: 0x0009
        Parameter Total Length: 7
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Role: Remain Slave (0x01)

(10) Command Status (Accept Connection Request)
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Command Status
        Event Code: Command Status (0x0f)
        Parameter Total Length: 4
        Status: Pending (0x00)
        Number of Allowed Command Packets: 1
        Command Opcode: Accept Connection Request (0x0409)

(11) PIN Code Request
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - PIN Code Request
        Event Code: PIN Code Request (0x16)
        Parameter Total Length: 6
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)

(12) PIN Code Request Reply
    Bluetooth HCI H4 [Direction: Sent (0x00)] HCI Packet Type: HCI Command (0x01)
    Bluetooth HCI Command - PIN Code Request Reply
        Command Opcode: PIN Code Request Reply (0x040d)
            0000 01.. .... .... = ogf: Link Control Commands (0x0001)
            .... ..00 0000 1101 = ocf: 0x000d
        Parameter Total Length: 23
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        PIN Code Length: 4
        PIN Code: 1234

(13) Command Complete (PIN Code Request Reply)
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Command Complete
        Event Code: Command Complete (0x0e)
        Parameter Total Length: 10
        Number of Allowed Command Packets: 1
        Command Opcode: PIN Code Request Reply (0x040d)
            0000 01.. .... .... = ogf: Link Control Commands (0x0001)
            .... ..00 0000 1101 = ocf: 0x000d
        Status: Success (0x00)
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)

(14) Connect Complete
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Connect Complete
        Event Code: Connect Complete (0x03)
        Parameter Total Length: 11
        Status: Authentication Failure (0x05)
        Connection Handle: 0x0029
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Link Type: ACL connection (Data Channels) (0x01)
        Encryption Mode: Encryption Disabled (0x00)

(15) Connect Request
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Connect Request
        Event Code: Connect Request (0x04)
        Parameter Total Length: 10
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Class of Device: 0x6a0204 (Phone - services: Telephony, Audio, Capturing, Networking)
        Link Type: ACL connection (Data Channels) (0x01)

(16) Accept Connection Request
    Bluetooth HCI H4 [Direction: Sent (0x00)] HCI Packet Type: HCI Command (0x01)
    Bluetooth HCI Command - Accept Connection Request
        Command Opcode: Accept Connection Request (0x0409)
            0000 01.. .... .... = ogf: Link Control Commands (0x0001)
            .... ..00 0000 1001 = ocf: 0x0009
        Parameter Total Length: 7
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Role: Remain Slave (0x01)

(17) Command Status (Accept Connection Request)
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Command Status
        Event Code: Command Status (0x0f)
        Parameter Total Length: 4
        Status: Pending (0x00)
        Number of Allowed Command Packets: 1
        Command Opcode: Accept Connection Request (0x0409)

(18) PIN Code Request
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - PIN Code Request
        Event Code: PIN Code Request (0x16)
        Parameter Total Length: 6
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)

(19) PIN Code Request Reply
    Bluetooth HCI H4 [Direction: Sent (0x00)] HCI Packet Type: HCI Command (0x01)
    Bluetooth HCI Command - PIN Code Request Reply
        Command Opcode: PIN Code Request Reply (0x040d)
            0000 01.. .... .... = ogf: Link Control Commands (0x0001)
            .... ..00 0000 1101 = ocf: 0x000d
        Parameter Total Length: 23
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        PIN Code Length: 4
        PIN Code: 1234

(20) Command Complete (PIN Code Request Reply)
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Command Complete
        Event Code: Command Complete (0x0e)
        Parameter Total Length: 10
        Number of Allowed Command Packets: 1
        Command Opcode: PIN Code Request Reply (0x040d)
            0000 01.. .... .... = ogf: Link Control Commands (0x0001)
            .... ..00 0000 1101 = ocf: 0x000d
        Status: Success (0x00)
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)

(21) Link Key Notification
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Link Key Notification
        Event Code: Link Key Notification (0x18)
        Parameter Total Length: 23
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Link Key: ec596f3306bba9e53d7b72de47c1404a
        Key Type: Combination Key (0x00)

(22) Connect Complete
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Connect Complete
        Event Code: Connect Complete (0x03)
        Parameter Total Length: 11
        Status: Success (0x00)
        Connection Handle: 0x002a
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Link Type: ACL connection (Data Channels) (0x01)
        Encryption Mode: Encryption only for point-to-point packets (0x01)

(23) Write Link Policy Settings
    Bluetooth HCI H4 [Direction: Sent (0x00)] HCI Packet Type: HCI Command (0x01)
    Bluetooth HCI Command - Write Link Policy Settings
        Command Opcode: Write Link Policy Settings (0x080d)
            0000 10.. .... .... = ogf: Link Policy Commands (0x0002)
            .... ..00 0000 1101 = ocf: 0x000d
        Parameter Total Length: 4
        Connection Handle: 0x002a
        .... .... .... ...1 = Enable Master Slave Switch: true (1)
        .... .... .... ..1. = Enable Hold Mode: true (1)
        .... .... .... .1.. = Enable Sniff Mode: true (1)
        .... .... .... 1... = Enable Park Mode: true (1)

(24) Page Scan Repetition Mode Change
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Page Scan Repetition Mode Change
        Event Code: Page Scan Repetition Mode Change (0x20)
        Parameter Total Length: 7
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Page Scan Repetition Mode: R1 (0x01)

(25) Command Complete (Write Link Policy Settings)
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Command Complete
        Event Code: Command Complete (0x0e)
        Parameter Total Length: 6
        Number of Allowed Command Packets: 1
        Command Opcode: Write Link Policy Settings (0x080d)
            0000 10.. .... .... = ogf: Link Policy Commands (0x0002)
            .... ..00 0000 1101 = ocf: 0x000d
        Status: Success (0x00)
        Connection Handle: 0x002a

(26) Change Connection Packet Type
    Bluetooth HCI H4 [Direction: Sent (0x00)] HCI Packet Type: HCI Command (0x01)
    Bluetooth HCI Command - Change Connection Packet Type
        Command Opcode: Change Connection Packet Type (0x040f)
            0000 01.. .... .... = ogf: Link Control Commands (0x0001)
            .... ..00 0000 1111 = ocf: 0x000f
        Parameter Total Length: 4
        Connection Handle: 0x002a
        .... .... .... ..0. = Packet Type 2-DH1: false (0)
        .... .... .... .0.. = Packet Type 3-DH1: false (0)
        .... .... .... 1... = Packet Type DM1: true (1)
        .... .... ...1 .... = Packet Type DH1: true (1)
        .... ...0 .... .... = Packet Type 2-DH3: false (0)
        .... ..0. .... .... = Packet Type 3-DH3: false (0)
        .... .1.. .... .... = Packet Type DM3: true (1)
        .... 1... .... .... = Packet Type DH3: true (1)
        ...0 .... .... .... = Packet Type 2-DH5: false (0)
        ..0. .... .... .... = Packet Type 3-DH5: false (0)
        .1.. .... .... .... = Packet Type DM5: true (1)
        1... .... .... .... = Packet Type DH5: true (1)

(27) Max Slots Change
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Max Slots Change
        Event Code: Max Slots Change (0x1b)
        Parameter Total Length: 3
        Connection Handle: 0x002a
        Maximum Number of Slots: 5

(28) Command Status (Change Connection Packet Type)
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Command Status
        Event Code: Command Status (0x0f)
        Parameter Total Length: 4
        Status: Pending (0x00)
        Number of Allowed Command Packets: 1
        Command Opcode: Change Connection Packet Type (0x040f)

(29) Remote Name Request
    Bluetooth HCI H4 [Direction: Sent (0x00)] HCI Packet Type: HCI Command (0x01)
    Bluetooth HCI Command - Remote Name Request
        Command Opcode: Remote Name Request (0x0419)
            0000 01.. .... .... = ogf: Link Control Commands (0x0001)
            .... ..00 0001 1001 = ocf: 0x0019
        Parameter Total Length: 10
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Page Scan Repetition Mode: R1 (0x01)
        Page Scan Mode: Mandatory Page Scan Mode (0x00)
        .000 0000 0000 0000 = Clock Offset: 0x0000 (0 ms)
        0... .... .... .... = Clock_Offset_Valid_Flag: false (0)

(30) Connection Packet Type Changed
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Connection Packet Type Changed
        Event Code: Connection Packet Type Changed (0x1d)
        Parameter Total Length: 5
        Status: Success (0x00)
        Connection Handle: 0x002a
        Usable packet types: DM1 HV1 2-DH1
        .... .... .... ..0. = ACL Link Type 2-DH1: False (0)
        .... .... .... .0.. = ACL Link Type 3-DH1: False (0)
        .... .... .... 1... = ACL Link Type DM1: True (1)
        .... .... ...1 .... = ACL Link Type DH1: True (1)
        .... ...0 .... .... = ACL Link Type 2-DH3: False (0)
        .... ..0. .... .... = ACL Link Type 3-DH3: False (0)
        .... .1.. .... .... = ACL Link Type DM3: True (1)
        .... 1... .... .... = ACL Link Type DH3: True (1)
        ...0 .... .... .... = ACL Link Type 2-DH5: False (0)
        ..0. .... .... .... = ACL Link Type 3-DH5: False (0)
        .1.. .... .... .... = ACL Link Type DM5: True (1)
        1... .... .... .... = ACL Link Type DH5: True (1)
        .... .... ..0. .... = SCO Link Type HV1: False (0)
        .... .... .0.. .... = SCO Link Type HV2: False (0)
        .... .... 0... .... = SCO Link Type HV3: False (0)

(31) Command Status (Remote Name Request)
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Command Status
        Event Code: Command Status (0x0f)
        Parameter Total Length: 4
        Status: Pending (0x00)
        Number of Allowed Command Packets: 1
        Command Opcode: Remote Name Request (0x0419)

(32) Remote Name Request
    Bluetooth HCI H4 [Direction: Sent (0x00)] HCI Packet Type: HCI Command (0x01)
    Bluetooth HCI Command - Remote Name Request
        Command Opcode: Remote Name Request (0x0419)
            0000 01.. .... .... = ogf: Link Control Commands (0x0001)
            .... ..00 0001 1001 = ocf: 0x0019
        Parameter Total Length: 10
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Page Scan Repetition Mode: R1 (0x01)
        Page Scan Mode: Mandatory Page Scan Mode (0x00)
        .000 0000 0000 0000 = Clock Offset: 0x0000 (0 ms)
        0... .... .... .... = Clock_Offset_Valid_Flag: false (0)

(33) Command Status (Remote Name Request)
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Command Status
        Event Code: Command Status (0x0f)
        Parameter Total Length: 4
        Status: Pending (0x00)
        Number of Allowed Command Packets: 0
        Command Opcode: Remote Name Request (0x0419)

(34) Remote Name Req Complete
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Remote Name Req Complete
        Event Code: Remote Name Req Complete (0x07)
        Parameter Total Length: 255
        Status: Other End Terminated Connection: User Ended Connection (0x13)
        BD_ADDR: 00:0e:6d:07:2e:fa (MurataMa_07:2e:fa)
        Remote Name:

(35) Disconnect Complete
    Bluetooth HCI H4 [Direction: Rcvd (0x01)] HCI Packet Type: HCI Event (0x04)
    Bluetooth HCI Event - Disconnect Complete
        Event Code: Disconnect Complete (0x05)
        Parameter Total Length: 4
        Status: Success (0x00)
        Connection Handle: 0x002a
        Reason: Other End Terminated Connection: User Ended Connection (0x13)
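To read a trace like this without Wireshark, or to scan many of them, it helps to have the H4 framing and a few of the parameter layouts in code. The following is an added example, not code from the original note, from Wireshark or from BlueZ. It parses H4 commands and events, splits opcodes into OGF and OCF as the log shows, decodes the Inquiry command, the Inquiry Result, the PIN Code Request Reply, the Connect Complete, the Link Key Notification and the Write Link Policy Settings command, and then runs a small audit that flags the points discussed above: a short legacy PIN, a link key present in the trace, a failed connection attempt, and an ACL link that came up without encryption. The byte stream it runs on is constructed from the decoded fields of the log's packets (1), (3), (12), (14), (21), (22) and (23); it is not the raw Bluetooth1.cap.

```python
"""HCI H4 parser with a small security audit over a constructed byte stream.

Added example, not code from the original note, Wireshark or BlueZ. The stream is
CONSTRUCTED from the decoded fields of packets (1), (3), (12), (14), (21), (22) and
(23) of the log above, not taken from the raw Bluetooth1.cap; only the fields this
example needs are decoded.
"""
import struct

H4_COMMAND, H4_EVENT = 0x01, 0x04           # ACL (0x02) and SCO (0x03) data do not occur in this log
COMMAND_NAMES = {0x0401: "Inquiry", 0x040d: "PIN Code Request Reply", 0x080d: "Write Link Policy Settings"}
EVENT_NAMES = {0x02: "Inquiry Result", 0x03: "Connect Complete", 0x18: "Link Key Notification"}
STATUS_NAMES = {0x00: "Success", 0x04: "Page Timeout", 0x05: "Authentication Failure"}

def bd_addr(raw: bytes) -> str:
    """BD_ADDR is sent least-significant byte first; show it the way Wireshark does."""
    return ":".join(f"{b:02x}" for b in reversed(raw))

def split_opcode(opcode: int):
    """Opcode = OGF (upper 6 bits) | OCF (lower 10 bits): 0x080d -> (0x02, 0x00d)."""
    return opcode >> 10, opcode & 0x03FF

def parse_command(opcode: int, p: bytes) -> dict:
    fl = dict(zip(("ogf", "ocf"), split_opcode(opcode)))
    if opcode == 0x0401:                    # Inquiry: LAP(3) Inquiry_Length(1) Num_Responses(1)
        fl["lap"], fl["inquiry_length"], fl["num_responses"] = int.from_bytes(p[0:3], "little"), p[3], p[4]
    elif opcode == 0x040d:                  # PIN Code Request Reply: BD_ADDR(6) PIN_Length(1) PIN(16)
        fl["bd_addr"], fl["pin_length"] = bd_addr(p[0:6]), p[6]
        fl["pin"] = p[7:7 + p[6]].decode("ascii")
    elif opcode == 0x080d:                  # Write Link Policy Settings: Handle(2) Policy(2)
        fl["handle"], policy = struct.unpack_from("<HH", p)
        for bit, name in enumerate(("role_switch", "hold", "sniff", "park")):
            fl[name] = bool(policy & (1 << bit))
    return fl

def parse_event(code: int, p: bytes) -> dict:
    fl = {}
    if code == 0x02:                        # Inquiry Result; with N > 1 the fields are laid out array by array
        if p[0] != 1:
            raise NotImplementedError("multi-response Inquiry Result layout not handled here")
        fl["bd_addr"] = bd_addr(p[1:7])
        fl["class_of_device"] = int.from_bytes(p[10:13], "little")
        # bits 14..0 = bits 16..2 of (CLKNslave - CLKNmaster), i.e. units of 4 x 312.5 us
        fl["clock_offset"] = struct.unpack_from("<H", p, 13)[0] & 0x7FFF
    elif code == 0x03:                      # Connect Complete: Status(1) Handle(2) BD_ADDR(6) Link_Type(1) Enc(1)
        fl["status"], fl["handle"] = p[0], struct.unpack_from("<H", p, 1)[0]
        fl["bd_addr"], fl["link_type"], fl["encryption_mode"] = bd_addr(p[3:9]), p[9], p[10]
    elif code == 0x18:                      # Link Key Notification: BD_ADDR(6) Link_Key(16) Key_Type(1)
        fl["bd_addr"], fl["link_key"], fl["key_type"] = bd_addr(p[0:6]), p[6:22].hex(), p[22]
    return fl

def parse_h4(stream: bytes) -> list:
    """Walk a concatenated H4 stream; the length byte says where the next packet begins."""
    packets, i = [], 0
    while i < len(stream):
        ptype = stream[i]
        if ptype == H4_COMMAND:             # type(1) opcode(2, little-endian) length(1) params
            opcode, plen = struct.unpack_from("<HB", stream, i + 1)
            packets.append({"kind": "command", "code": opcode, "name": COMMAND_NAMES.get(opcode, f"0x{opcode:04x}"),
                            "fields": parse_command(opcode, stream[i + 4:i + 4 + plen])})
            i += 4 + plen
        elif ptype == H4_EVENT:             # type(1) event_code(1) length(1) params
            code, plen = stream[i + 1], stream[i + 2]
            packets.append({"kind": "event", "code": code, "name": EVENT_NAMES.get(code, f"0x{code:02x}"),
                            "fields": parse_event(code, stream[i + 3:i + 3 + plen])})
            i += 3 + plen
        else:
            raise ValueError(f"unsupported H4 packet type 0x{ptype:02x} at offset {i}")
    return packets

def audit(packets: list) -> list:
    """What a reviewer should notice in such a trace; the tag prefixes are stable for tooling."""
    findings = []
    for p in packets:
        fl = p["fields"]
        if p["kind"] == "command" and p["code"] == 0x040d and fl["pin_length"] < 16:
            findings.append(f"WEAK-PIN: legacy PIN pairing with a {fl['pin_length']}-byte PIN")
        elif p["kind"] == "event" and p["code"] == 0x18:
            findings.append(f"KEY-IN-TRACE: link key for {fl['bd_addr']} is readable in the HCI log")
        elif p["kind"] == "event" and p["code"] == 0x03:
            if fl["status"] != 0:
                findings.append(f"CONNECT-FAILED: {STATUS_NAMES.get(fl['status'], hex(fl['status']))}")
            elif fl["encryption_mode"] == 0:
                findings.append(f"NO-ENCRYPTION: ACL handle 0x{fl['handle']:04x} came up unencrypted")
    return findings

PHONE = bytes.fromhex("fa2e076d0e00")       # 00:0e:6d:07:2e:fa as it travels on the wire (LSB first)
LINK_KEY = bytes.fromhex("ec596f3306bba9e53d7b72de47c1404a")
SAMPLE_STREAM = (                           # CONSTRUCTED from the log's decoded fields
    bytes.fromhex("01 0104 05 338b9e 10 00")                                        # (1) Inquiry, GIAC LAP
    + bytes.fromhex("04 02 0f 01") + PHONE + bytes.fromhex("01 00 00 040242 dd42")   # (3) Inquiry Result
    + bytes.fromhex("01 0d04 17") + PHONE + b"\x04" + b"1234".ljust(16, b"\x00")    # (12) PIN Code Request Reply
    + bytes.fromhex("04 03 0b 05 2900") + PHONE + bytes.fromhex("01 00")             # (14) Authentication Failure
    + bytes.fromhex("04 18 17") + PHONE + LINK_KEY + b"\x00"                          # (21) Link Key Notification
    + bytes.fromhex("04 03 0b 00 2a00") + PHONE + bytes.fromhex("01 01")             # (22) Connect Complete, encrypted
    + bytes.fromhex("01 0d08 04 2a00 0f00")                                         # (23) Write Link Policy Settings
)
```

Running audit(parse_h4(SAMPLE_STREAM)) yields three findings in packet order: the 4-byte PIN, the Authentication Failure of the first Connect Complete, and the link key delivered in the Link Key Notification. The second Connect Complete produces nothing because its status is Success and its Encryption Mode is 0x01; the NO-ENCRYPTION check deliberately ignores failed attempts, since a failed connection reports Encryption Disabled regardless. For a real btsnoop file the same functions apply once the btsnoop record headers are stripped, and any host sniffing raw HCI at scale should treat KEY-IN-TRACE findings as a reason to restrict who can read the capture.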