bluetooth low energy technology training

5/26/2018 Bluetooth Low Energy Technology Training

1/419

BLUETOOTHLOW ENERGY

All Hands Meeting 19-22 April 2010

Bluetooth SIG Proprietary and Confidential 1


2/419

Agenda Coverage

Comparisons with Bluetooth,

New Models, Gateways, Application Stores

Core Spec : Controller Physical Layer, Direct Test Mode,

Link Layer, Host Controller Interface

lunch break

Core Spec : Host L2CAP, Security Manager, Attribute Protocol, Generic,

Generic Access Profile

afternoon break

Applications / Use Cases Client / Server, State & Behavior,Remote, Proximity, Automation, Medical,

Qualification




3/419

WHAT IS LOW ENERGY?

IT IS NEW TECHNOLOGY

blank sheet of paper design

optimized for ultra low power

different to classic Bluetooth




4/419

NEW TECHNOLOGY?

Yes

efficient discovery / connection procedures

very short packetsasymmetric design for peripherals

client server architecture

No

reuse existing BR radio architecture

reuse ex s ng og ca an p ys ca ranspor sreuse existing L2CAP packets




5/419

BASIC CONCEPTS

Optimize *EVERYTHING* for lowest power consumption

from the h sics to the users

button cells will be main power

source for eri herals

10 billion P2P / Gateway

Smart Energy (meters & displays). ~ 1 billion Gateway HubHome Automation > 5 billion Gateway / Mesh

Health, Wellness, Sports & Fitness > 10 billion P2P / Gateway

Assisted Living > 5 billion Gateway

~

Intelligent Transport Systems > 1 billion ?

M2M (Internet connected devices) > 10 billion Gateway

Over 90% of the next 50 bill ion devices may use a gateway topology




23/419

GATEWAYS, END TO END & APPS

G Internet

Devices talk through gateways to web apps.

They can cause specific apps to be loaded on a gateway device.

Internet apps communicate directly with the device the gateway is just a tunnel.

Gateways are generic.Bluetooth low energy supports this better than any other standard.




24/419

GATEWAYS ARE GENERIC

A Gateway application has limited functionality

It finds out what the device wants to connect to.

It provides a secure, transparent tunnel to that destination.

Handsets can ship with generic gateways apps

Users dont need to load any drivers or software.

Gateways enable Internet connected devices.




25/419

DEVICES SHIP WITH A WEB ADDRESS




26/419

DEVICES SHIP WITH A WEB ADDRESS

www.patientslikeme.com




27/419

THEY CONNECT TO A GENERIC GATEWAY APP




28/419





29/419


Pedometer




30/419

THENCE TO THE WEB

Internet




31/419

AND AUTOMATICALLY TRANSFER DATA

The phone is just a pipe, running a generic application.




32/419

AND AUTOMATICALLY TRANSFER DATA

The phone is just a pipe, running a generic application.




33/419

THE APPS STORE MODEL

The user paradigm has changed

Smart hones are enablin a new a lication market

Today that stops at the phone

Bluetooth low energy allows it to extend to devices

touched.

low energy devices can make Apps selection easy

All Hands Meeting 19-22 April 2010Bluetooth SIG Proprietary and Confidential 33


34/419

DEVICES TELL THE PHONE WHAT THEY ARE



35/419




36/419


e ome er

AcmeModelXYZStepsperMinuteTotalStepsCaloriesUsedFindmeanAPP



37/419

MAKING APPS DOWNLOADS EASY

A low energy device can tell a client device exactly what it can

do, by having its services read.

This can include the location of preferred apps for a smartphone.

A generic application on a handset can use this information to

interrogate an Apps store to provide a list of applications thatare know to work with the device.

The user experience is significantly improved, as choosing acompatible app is made much easier.



38/419

TAILORING THE APPLICATION STORE CHOICE

=

Guaranteed to work = More downloads



39/419

MORNING BREAKreturn at 11:00



40/419

STACK ARCHITECTURE

Apps

Applications

Generic Attribute Profile

osAttribute Protocol Security Manager

Lo ical Link Control and Ada tation Protocol

Host Controller Interface

Controller

Physical Layer

Link Layer Direct Test Mode



41/419

PHYSICAL LAYER

Apps

Applications





Controller

Physical Layer




42/419

PHYSICAL LAYER

Uses 2.4 GHz ISM Band

Industrial Scientific Medical band

License Free with certain rules .

IEEE 802.11, IEEE 802.15



43/419

40 PHYSICAL CHANNELS

f = 2402 + 2k MHz

RF0 1 2 3 4 5 6 7 8 9101112131415161718192021222324252627282930313233343536373839

cy

z z z z z z z z z z z z z z z z z z z z z z z z z z z z z z z z z z z z z z z z

Frequ

e

2402

M

2404

M

2406

M

2408

M

2410

M

2412

M

2414

M

2416

M

2418

M

2420

M

2422

M

2424

M

2426

M

2428

M

2430

M

2432

M

2434

M

2436

M

2438

M

2440

M

2442

M

2444

M

2446

M

2448

M

2450

M

2452

M

2454

M

2456

M

2458

M

2460

M

2462

M

2464

M

2466

M

2468

M

2470

M

2472

M

2474

M

2476

M

2478

M

2480

M



44/419

MODULATION

bit period product BT = 0.5modulation index = 0.5 0.05

PHY Bandwidth = 1 million bits / seconds

Why GFSK?

0 1

Gaussian filter smoothes transitions from zero to one

reduces s ectral width



45/419

GFSK MODULATION EXAMPLE

1

0



46/419

GFSK MODULATION EXAMPLE

1

0


WHEN TRANSMITTING A


47/419

WHEN TRANSMITTING A 0


WHEN TRANSMITTING A


48/419

WHEN TRANSMITTING A 1


POWER


49/419

POWER

Minimum Output Power

0.01 mW -20 dBm

10 mW (10 dBm)

Receiver sensitivity < -70 dBm

.


RANGE


50/419

RANGE

With Tx = 0 dBm and Rx = -70 dBm

Range ~ 30m

With Tx = 10 dBm and Rx = -90 dBm


PHYSICAL LAYER SUMMARY


51/419

PHYSICAL LAYER SUMMARY

2.4 GHz GFSK

Modulation Index = ~0.5

2 MHz channel spacing

30m to further than 100 m


DIRECT TEST MODE


52/419

DIRECT TEST MODE

Apps

Applications





ControllerPhysical Layer



DIRECT TEST MODE


53/419

DIRECT TEST MODE

Used to test Physical Layer

b commandin a device to transmit or receive test ackets

Can also be used to production line tests

Can run over standard HCI interface

-


DIRECT TEST MODE


54/419

DIRECT TEST MODE

Can use 2-wire UART interface

ows a con ro ers o e es e s mp y

Upper TesterController RXDTXD

TXD

RXD

Physical Layer Lower TesterRF (2.4 GHz)


DIRECT TEST MODE


55/419

DIRECT TEST MODE

Can also use standard HCI

an use any ranspor : -w re, , , , e c

Upper TesterController HCI HCI

Physical Layer Lower TesterRF (2.4 GHz)


TEST SEQUENCES


56/419

TEST SEQUENCES

RF Test Command / Event Description

LE_RESET Resets controller to known state

_ _

until told to stop with LE_TEST_END

_ _

until told to stop with LE_TEST_END

LE_TEST_END The test has ended, sto transmittin orreceiving, send LE_PACKET_REPORT to

Tester

LE_STATUS Command received, starting test

LE_PACKET_REPORT Command received, test ended, number ofpackets received


TRANSMITTER TEST


57/419

TRANSMITTER TEST


RECEIVER TEST


58/419

RECEIVER TEST


DIRECT TEST MODE SUMMARY


59/419

DIRECT TEST MODE SUMMARY

Used to test Physical Layer RF

for ualification tests

or for production line tests

Works over

special 2-wire transport


LINK LAYER


60/419

Apps

Applications





ControllerPhysical Layer




LINK LAYER (LL)


61/419

( )

Link Layer State Machine

can have multi le state machines active in device

Advertising Channels & Data Channels



LINK LAYER STATE MACHINE


62/419

Scanning

StandbyAdvertising Initiating

ConnectionSlave Master





63/419

Scanning Scanning

StandbyAdvertising Initiating StandbyAdvertising Initiating

ConnectionSlave Master ConnectionSlave Master

Scannin Scannin








64/419

Scanning Scanning


ConnectionSlave Master ConnectionSlave Master

Scannin Scannin






TWO TYPES OF CHANNELS


65/419

Advertising Channels

Advertisin Channel Packets

Used for Discoverability / Connectability

Data Channel Packets



LINK LAYER CHANNELS


66/419

3 Advertising Channels and 37 Data Channels

LL

370 1 2 3 4 5 6 7 8 91

038111213141516171819202122232425262728293031323334353639

cy


Freque

2402

M

2404

M

2406

M

2408

M

2410

M

2412

M

2414

M

2416

M

2418

M

2420

M

2422

M

2424

M

2426

M

2428

M

2430

M

2432

M

2434

M

2436

M

2438

M

2440

M

2442

M

2444

M

2446

M

2448

M

2450

M

2452

M

2454

M

2456

M

2458

M

2460

M

2462

M

2464

M

2466

M

2468

M

2470

M

2472

M

2474

M

2476

M

2478

M

2480

M



LINK LAYER CHANNELS


67/419

3 Advertising Channels

LL

370 1 2 3 4 5 6 7 8 91

038

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

3639

cy

zz z z z z z z z z z zzz z z z z z z z z z z z z z z z z z z z z z z z z zz

Freque

2402

M

2404

M

2406

M

2408

M

2410

M

2412

M

2414

M

2416

M

2418

M

2420

M

2422

M

2424

M

2426

M

2428

M

2430

M

2432

M

2434

M

2436

M

2438

M

2440

M

2442

M

2444

M

2446

M

2448

M

2450

M

2452

M

2454

M

2456

M

2458

M

2460

M

2462

M

2464

M

2466

M

2468

M

2470

M

2472

M

2474

M

2476

M

2478

M

2480

M



LINK LAYER CHANNELS


68/419

37 Data Channels

LL

370 1 2 3 4 5 6 7 8 91

0381112131415161718192021222324252627282930313233343536

39

cy

zz z z z z z z z z z zzz z z z z z z z z z z z z z z z z z z z z z z z z zz

Freque

2402M

2404M

2406M

2408M

2410M

2412M

2414M

2416M

2418M

2420M

2422M

2424M

2426M

2428M

2430M

2432M

2434M

2436M

2438M

2440M

2442M

2444M

2446M

2448M

2450M

2452M

2454M

2456M

2458M

2460M

2462M

2464M

2466M

2468M

2470M

2472M

2474M

2476M

2478M

2480M



LINK LAYER CHANNELS


69/419

3 Advertising Channels and 37 Data Channels

LL

370 1 2 3 4 5 6 7 8 91

038111213141516171819202122232425262728293031323334353639

cy


Freque

2402M

2404M

2406M

2408M

2410M

2412M

2414M

2416M

2418M

2420M

2422M

2424M

2426M

2428M

2430M

2432M

2434M

2436M

2438M

2440M

2442M

2444M

2446M

2448M

2450M

2452M

2454M

2456M

2458M

2460M

2462M

2464M

2466M

2468M

2470M

2472M

2474M

2476M

2478M

2480M



LINK LAYER CHANNELS


70/419

9 LL Data Channels still available

- . - . - .

LL

370 1 2 3 4 5 6 7 8 91

038111213141516171819202122232425262728293031323334353639

cy


Freque

2402M

2404M

2406M

2408M

2410M

2412M

2414M

2416M

2418M

2420M

2422M

2424M

2426M

2428M

2430M

2432M

2434M

2436M

2438M

2440M

2442M

2444M

2446M

2448M

2450M

2452M

2454M

2456M

2458M

2460M

2462M

2464M

2466M

2468M

2470M

2472M

2474M

2476M

2478M

2480M



ONE PACKET FORMAT


71/419

Not Whitened Whitened

Preambl

Access Address PDU CRC

Protected by CRC



BIT STREAM PROCESSING


72/419

encryption CRC generation whitening

Tx payload

RF interface

decryption CRC checking dewhiteningRx payload



WHITENING


73/419

Avoids long sequences of 0s or 1s

Uses same 7 bit LFSR as BR/EDR 7+ 4+ 0

initialized with LL Channel Index

x0 x4 x7Data out

0 1 2 3 4 5 6 ++

Data in

(LSB first)



PREAMBLE


74/419

Preamble


0 1 0 1 0 1 0 1 0

1 0 1 0 1 0 1 0 1



ACCESS ADDRESS


75/419

Preamble


Access Address (32 bits)

Advertising Packets = 0x8E89BED6

Data Packets = random value per connection



CRC


76/419

Preamble


rotecte y

Cyclic Redundancy Check (24 bits)

x +x +x +x +x +x +x +x

Detects all 1,2,3,4,5,odd bit errors in PDU



ADVERTISING PACKET


77/419

le ingre

ss

eader

ngth

AdvA

Preamb

Advertisi

AccessAd

Adv

ertising

PayloadL

Adverti ser

Address

CRC

0 to 31 bytes of Advertising data

mble

rtising

Address

ngHeader

Length

AdvA

RC

Pre

Adve

Ac

cess

Adv

ertisi

Payloa Advertiser

Address

C



PDU HEADERS


78/419

Preamble

Access AddressHea

der

yload

Lengt

Payload CRC

P

PDU Type RFU TxAdd RxAdd

Advertising channel PDU Header / Payload Length



ADVERTISING PACKET PDU TYPES


79/419

PDU Type Packet Name Description

0000 ADV_IND connectable undirected advertising event_ _

0010 ADV_NONCONN_IND non-connectable undirected advertising event

0011 SCAN_REQ Scanner wants information from Advertiser

_ vert ser g ves more n ormat on to canner

0101 CONNECT_REQ Initiator wants to connect to Advertiser

0110 ADV_DISCOVER_IND non-connectable undirected advertising event



DEVICE ADDRESS


80/419

Public Device Address

company_assigned

company_id0

s TxAdd

RxAdd

Random Device Address

48 bits TxAdd

RxAdd

(48 bits) 1



STANDBY


81/419

Scanning





ADVERTISING


82/419

Passive Scanner Advertiser

Scanning Scanning






PASSIVE SCANNING


83/419



ADVERTISING DATA


84/419

le ingre

ss

eader

ngth

AdvA

Preamb

Advertisi

AccessAd

Advertising

P

ayloadL

Adverti ser

Address

Advertising DataCRC

Advertising Data

,transmitting at +4 dBm,

e empera ure s . ,

I support Battery and Temperature services



ADVERTISING DATA


85/419

le ingre

ss

eader

ngth

AdvA eneral

eFlag

evel=

ata

Service

UUIDs=

ervice,

rvice

Preamb

Advertisi

A

ccessAd

Advertising

P

ayloadL

Adverti ser

Address

Fla

gs=LE

Dis

coverabl

TX

PowerL

4dBm

Service

Tem

perature

=20.5

16bitService

Tem

perature

B

atterySe

CRC

LE General Discoverable

x ower eve = m

Service Data Temperature Service = 20.5 C

Services Supports = Temperature Service, Battery

Service



ADVERTISING DATA


86/419

le ingdress

Header

ngth

AdvA x02

01

x02

0A

x05

16

Service

x05

02

Service

rvice

Preamb

Advertisi

A

ccessAd

Advertising

P

ayloadL

Adverti ser

AddressLength=

Type=0

0x02

Length=

Type=0

0x04

Length=

Type=0

Tem

perature

20.5

Length=

Type=0

Tem

perature

B

atterySe

CRC

Length, Type, Data formatted

Length = length of (Type | Data)

Type = assigned number defined in GAP

Data = typed data defined by GAP or Service



ACTIVE SCANNING

A ti S Di bl Ad ti i


87/419

Active Scanner Discoverable Advertising

Scanning Scanning






ACTIVE SCANNING


88/419



SCAN_REQ


89/419

le ngre

ss

eader

ngth

ScanA AdvA

Preambl

Advertisi

AccessAd

Advertising

P

ayloadLe

Scanner

Address

Advertiser

Address

CRC



SCAN_RSP


90/419

le ngre

ss

eader

ngth

AdvA

Preambl

Advertisi

A

ccessAd

Advertising

P

ayloadLe

Adverti ser

Address

Advertising DataCRC

Device name is Outside Thermostat



SCAN_RSP


91/419

le ngre

ss

eader

ngth

AdvA UUIDs=

ervice,

vice

Preambl

Advertisi

A

ccessAd

Advertising

P

ayloadLe

Adverti ser

Address

Complete Local Name =

Outside Thermostat

16bitService

Tem

perature

B

atterySe

CRC

Services Supports = Temperature Service, Battery



SCAN_RSP


92/419

le ngre

ss

eader

ngth

AdvA x0B

09

x05

02 e

rvice

vice

Preambl

Advertisi

A

ccessAd

Advertising

P

ayloadLe

Adverti ser

AddressLength=0

Type=0

Outside Thermostat

Length=

Type=0

Tem

perature

B

atterySe

CRC

Length, Type, Data formatted

Len th = len th of T e Data

Type = assigned number defined in GAPData = t ed data defined b GAP or Service



INITIATING CONNECTIONS

Initiator Connectable Advertiser


93/419


Scanning Scanning








94/419



CONNECT_REQ


95/419

le ingre

ss

eader

ngth

InitA AdvA ress

t e et

l y tap

A

Preamb

Advertisi

A

ccessAd

Ad

vertising

P

ayloadL

Initiator

Address

Adverti ser

Address

A

ccessAd

CRCIni

WinSiz

WinOffs

Interv

Latenc

Timeo

Channel

Hop/S

CRC

Sent from Initiator to Advertiser

,Access Address, CRCInit, WinSize, WinOffset, Connection

, , , , ,

Sleep Clock Accuracy


Bluetooth SIG Proprietary and Confidential95

DIRECTED CONNECTIONS


96/419



TIME FROM DISCONNECTED TO DATA ~ 3MS (RADIO ACTIVE ~ 1MS)

Time( )

Master Tx Radio Active( )

Slave Tx


97/419

(us) (us)

0 176 ADV_DIRECT_IND

326 CONNECT_REQ 352

1928 Empty Packet 80

2158 144 Attribute Protocol

Handle Value Indication

2452 Empty Packet (Acknowledgement) 80

2682 96 LL_TERMINATE_IND

2928 Empty Packet (Acknowledgement) 80

ADV_DIRECT_IND

CONNECT_REQ Empty Packet Empty Packet Empty Packet

ATT HVI LL_TERMINATE_IND

~



DIRECTED ADVERTISING


98/419

gess

ader

gth

Preambl

Advertisin

Ac

cessAddr

Adv

ertisingH

Pa

yloadLen

Adverti ser

Address

Initiator

Address

CRC

Sent from Advertiser to Initiator

says wan you o connec o me



WHITE LISTS

Because advertising channels will be busy


99/419

Because advertising channels will be busy

sometimes useful to filter out devices ou dont care about

set of devices in advertising packets that will be processed



WHITE LISTS AND LINK LAYER STATES


100/419

Scanning





ADVERTISING FILTER POLICY

Determines how controller will process scan and/or connection


101/419

ete es o co t o e p ocess sca a d/o co ect orequests when as advertiser

The Link Layer shall process scan and connection requests only from

The Link Layer shall process scan and connection requests from all

devices (i.e. the White List is not in use). This is the default on reset

The Link Layer shall process scan requests from all devices and shall onlyprocess connection requests from devices that are in the White List

The Link La er shall rocess connection re uests from all devices and

shall only process scan requests from devices that are in the White List



SCANNER FILTER POLICY

Determines how controller will process advertising packets


102/419

Determines how controller will process advertising packetswhen scanning:

The Link Layer shall process advertising packets only from devicesin the White List

The Link Layer shall process all advertising packets (i.e., the White

.



INITIATOR FILTER POLICY

Determines how controller will process advertising packets


103/419

p g pwhen initiating:

The Link Layer shall process connectable advertising packets fromall devices in the White List

The Link Layer shall ignore the White List and process connectable

Host



WHITE LISTS

No need to send every advertising packet to Host


104/419

y g p

onl send information from devices in white list

a master can automatically connect to a set of devices

allows very fast connections from many devices






105/419

Scanning Scanning






CONNECTIONS

Master Slave


106/419

Scanning Scanning






TOPOLOGY

Slave

-

iser


107/419

Slave

Master/

Scanner

Scanner

Slave

Slave

Advert-iser

Advert-

iser



TOPOLOGY

Slave

-

iser


108/419

Slave

Master/

Initiator

Scanner

Slave

Slave

Advert-iser

Advert-

iser



TOPOLOGY

Slave

-

iser


109/419

Slave

Master/

Scanner

Scanner

Slave

Slave

Slave

Advert-

iser



LIMITS

A single master can address ~231 slaves


110/419

~ 2 billion addressable slaves er master

= .

Can address a slave every ~ 5 ms (assuming 250 ppm clocks)

~



CONNECTIONS

Used to send application data


111/419

reliabl robustl

ultra low power connection mode

connection supervision timeout



DATA PACKET

s h


112/419

le ress

der

ngth

Preamb

AccessAd

DataHe

PayloadL

CRC

0 to 27 bytes of Payload Payload

mble

Address

Header

Length

Length

PCID

RC

Pre

Access

Data

Payloa

L2CAP

L2C C



DATA PACKET

0 to 27 bytes of Payload (unencrypted)CRC t t


113/419

CRC rotects

Data Header

Payload Payload

mble

Address

Header

Length

Length

PCID

RC

Pre

Access

Data

Payloa

L2CAP

L2C C



ENCRYPTED DATA PACKET

4 to 31 bytes of payload lengthMIC i t f P l d CRC t t it


114/419

MIC is art of Pa load CRC rotects it

MIC can be computed / checked in background

Payload

mble

Address

Header

Length

Length

PCID

IC C

Prea

Access

Data

Payloa

L2CAP

L2C

M C



PDU HEADERS


115/419

h

Pre

amble

Access Address

Header

yloa

dLengt

Payload CRC

P

LLID NESN SN MD RFU

Data channel PDU Header / Payload Length



LOGICAL LINK IDENTIFIER

LLID Description


116/419

01 LL Data PDU

Continuation of an L2CAP message

or an Empty PDU

Start of an L2CAP message

omp e e message

11 LL Control PDU



SEQUENCE NUMBERS

SN = Sequence NumberNESN = Next Ex ected Se uence Number


117/419

NESN = Next Ex ected Se uence Number

window size of 1



TRANSMITTING DATA

transmit packet received packet


118/419

different

different

NESN?

NESN?

same

Inc SN

same(nack)

Inc NESN

(new data)

Ignore RX dataTX old data, SN TX new data, SN Rx new data



CONNECTION EVENTS

Masters transmits periodically at a connection eventsConnection Interval sent in CONNECT REQ


119/419

Connection Interval sent in CONNECT REQ_

Connection events continue until MD = 0



CONNECTION EVENTS

Each connection event uses a different channelf = f + ho mod 37


120/419

f = f + ho mod 37

fn fn+1 fn+2 fn+3



LATENCY

Master Latencyhow often the master will transmit to slave


121/419

how often the master will transmit to slave

how often the slave will listen to master

The two latencies dont have to be the same

. .

Slave Latency = Connection Interval * Slave Latency



MORE DATA

Master

MD = 0 MD = 1


122/419

D=

0

send.

Connection event closed

,

no more data.

Master ma continue Slave should

ave

Mlisten

S

l

=1

Slave has more data, Master hasno more data.

Both devices have more data.

Master may continue, Slave should

MD as er may con nue, ave s ou

listen

s en.



CONNECTION EVENTS

More Data bit automatically extends connection events


123/419



PACKET TIMINGS

Peer device transmits 150 s after last packet


124/419

Minimum size packet = 80 s

(Preamble + Access Address + Header + CRC)

Maximum size packet = 328 s

(Preamble + Access Address + Header + Payload + MIC + CRC)

Tx Rx Tx Rx Tx Tx RxRx



MAXIMUM DATA RATE

Asymmetric Tx/Rx Packet Sequence328 + 150 + 80 + 150 = 708 s


125/419

Transmitting 27 octets of application data

~305 kbps

Tx Rx Tx Rx Tx Tx RxRx



ADAPTIVE FREQUENCY HOPPING

Frequency Hopping algorithm is very simplef = f + ho mod 37


126/419

,

If fn is an unused channel, remap to set of good channels

- . - . - .




fn = 0, hop = 7, used = [9, 10, 21, 22, 23, 33, 34, 35, 36]unused f = f + 7 mod 37 = 7 mod 37 7


127/419

0 mod 9 0; used[0] 9

- . - . - .






128/419

7 mod 9 7; used[7] 35

- . - . - .






129/419

14 mod 9 5; used[5] 33

- . - . - .




fn = 21, hop = 7, used = [9, 10, 21, 22, 23, 33, 34, 35, 36]used f = f + 7 mod 37 = 28 mod 37 28


130/419

- . - . - .






131/419

28 mod 9 1; used[1] 10

- . - . - .






132/419

- . - . - .






133/419

5 mod 9 5; used[5] 33

- . - . - .






134/419

12 mod 9 3; used[3] 22

- . - . - .






135/419

19 mod 9 1; used[1] 10

- . - . - .






136/419

26 mod 9 8; used[8] 36

- . - . - .






137/419

- . - . - .





3 d 9 3 d[3] 22


138/419

3 mod 9 3; used[3] 22

- . - . - .






139/419

- . - . - .



Pretty Patterns


140/419



Pretty Patterns


141/419

- .



Pretty Patterns


142/419

- .



Pretty Patterns


143/419

- .



Pretty Patterns


144/419

- . - .



Pretty Patterns


145/419

- . - .- .



LINK LAYER CONTROL PROCEDURES

LLID = 11

Most procedures can only be initiated from Master


146/419

Most procedures can only be initiated from Master

except Version Exchange



LINK LAYER CONTROL PROCEDURES

Name Description

C ti U d t P d U d t th ti i t l


147/419

Connection Update Procedure Update the connection intervals

Channel Ma U date Procedure U date the ada tive fre uenc ho in ma

Encryption Start Procedure Start encryption using a Long Term Key

Encryption Pause Procedure Pause encryption, to change Long Term Key

Feature Exchange Procedure Exchange the current supported feature setVersion Exchange Procedure Exchange the current version information



Opcode Control PDU Name Description

0x00 LL_CONNECTION_UPDATE_REQ Update Connection Intervals

0X01 LL_CHANNEL_MAP_REQ Update Channel Maps

0X02 LL_TERMINATE_IND Disconnect the connection

_ _

0X04 LL_ENC_REQ Encryption Response


148/419

0x05 LL_START_ENC_REQ 3-way Handshake for Starting Encryption0x06 LL_START_ENC_RSP 3-way Handshake for Starting Encryption

0x07 LL_UNKNOWN_RSP Control PDU Unknown

0x08 LL_FEATURE_REQ Master sends Features to Slave

0x09 LL_FEATURE_RSP Slave sends Features to Master

0x0A LL_PAUSE_ENC_REQ Pause Encryption to Refresh Keys

_ _ _

0x0C LL_VERSION_IND Version Exchange

0x0D LL_REJECT_IND Reject Control PDU



CONNECTION UPDATE


149/419



CHANNEL MAP UPDATE


150/419



START ENCRYPTION


151/419



RESTART ENCRYPTION


152/419



FEATURE EXCHANGE


153/419



VERSION EXCHANGE


154/419



VERSION EXCHANGE


155/419



TERMINATE


156/419



TERMINATE


157/419



LINK LAYER ENCRYPTION

Uses AES 128 encryption block

Counter Mode Cipher Block Chaining Message Authentication


158/419

Code




Uses AES 128 encryption block

Counter Mode CBC MAC


159/419




Uses AES 128 encryption blockand CCM as defined b RFC 3610


160/419

- with Block A1

- with Block A2

with Block A0

Preamble

essAddress

ataHeader

loadLength

CAPLength

2CAPCID

MIC

CRC

Acc

Pa L

2 L



AES ENCRYPTION

Plain Text Key

AR (Nr + 1) KeysK0


161/419

( r ) y

SR MCSB AR

i Nr

Repeat Nr - 1

SR MCSB

KE = Key ExpansionAR = Add Round Key

SB = Substitute Bytes

Cipher Text

SR = Shift Rows

MC = Mix Columns

GO = Get Output



AES BLOCK

Plain Text


162/419

AES 128Key

Cipher Text



CIPHER BLOCK CHAINING MESSAGE AUTHENTICATION CODE

Nonce Payload0-15 Payload16-27

+ +


163/419

AES 128Key AES 128Key AES 128Key

MAC

Packet Counter onBit

Initialization Vector

Nonce

(39 bits)

Directi

(64 bits)



AES CCM ENCRYPTION

Block A0Block A1 Block A2


164/419

AES 128KeyAES 128Key AES 128Key

MAC ++ +Payload0-15 Payload16-27

Cipher0-15 Cipher16-27 MIC



AES 128

(Key)Block A1

AES 128

(Key)Block A2

Payload16-27+ +Payload0-15

+ +

0-15 16-26


165/419

AES 128

(Key)

AES 128

(Key)

AES 128

(Key)

AES 128

(Key)Block A0

MIC

P AA H L Cipher 0-15

Cipher16-26

MIC CRC



LIMITS

Maximum 239

packets per LTK per directionEach acket can contain u to 27 octets data

Max 13.5 Terabytes of data per connection


166/419

~

using Restart Encryption Procedure



LINK LAYER SUMMARY

Low Complexity 1 packet format

2 PDU types depending on Advertising / Data Channel

7 Advertising PDU Types


167/419

g yp

7 Link Layer Control Procedures

Useful Features Adaptive Frequency Hopping

ow ower c now e gemen

Very Fast Connections



HOST CONTROLLER INTERFACE

Apps

Applications



168/419




Controller

Physical Layer




HOST CONTROLLER INTERFACE (HCI)

Transport LayerUART

USB


169/419

3-wire UART

Functional Layer



COMMANDS / EVENTS / COMMANDS

Four HCI Packet TypesHCI Command Packet

HCI ACL Data Packet


170/419

HCI Event Packet

Transports describe how to send these HCI Packet Types



UART HCI TRANSPORT LAYER

Each packet type assigned a HCI packet indicatorCommand = 0x01 Data = 0x02 Event = 0x04


171/419

,

0x01 HCI Command Packet

0x02 HCI ACL Data Packet

0x04 HCI Event Packet



UART HCI TRANSPORT LAYER

RS232 SettingsBaud rate : manufacturer s ecific

Data bits : 8


172/419

Stop bits : 1

Flow-off response time : manufacturer specific

-



USB HCI TRANSPORT LAYER

Defines one endpoint for ACL Data PacketsEnd oint out 0x02 / in 0x82

suggested max packet size is 32 or 64


173/419

Uses Control Endpoint for Commands

Uses Interrupt Endpoint for Events

1 ms interval



SECURE DIGITAL HCI TRANSPORT LAYER

Uses SDIO to transport HCI packetsreferences SDIO Card T e-A S ecification


174/419

-0x01 = Command, 0x02 = Data, 0x04 = Event



3-WIRE UART HCI TRANSPORT LAYER

Places all HCI Packets on top of a SLIP layer

RFC 1055


175/419

allows use of long UART wires on product

has support for low power, software flow control



HCI FUNCTIONAL LAYER

Reuses existing HCI commands / events / data packets

exce t where LE is different


176/419

All LE specific HCI events have LE in name



HCI BUFFERS

Dual mode controllers can either:

Expose one set of HCI buffers


177/419

One set for BR/EDR and one set for LE



RANDOM DEVICE ADDRESSES

LE Rand

asks controller to enerate a random number

very good random number using non-linear algorithms


178/419

LE Encrypt

sets the random address used by controller



WHITE LISTS

LE Read Write List Size

gets the size of the controllers white list

LE Clear White List

removes all devices from white list


179/419

removes all devices from white list

LE Add Device To White List

a s a s ng e ev ce o e w e s

LE Remove Device From White List

removes a single device from the white list



ADVERTISING

LE Set Advertising Parameters

sets timing, advertising event type, address to use, channel map,filter olic

LE Read Advertising Channel Tx Power


180/419

LE Set Advertising Data - defines the data to be broadcast

LE Set Scan Response Data - defines the data contained in scanresponses

LE Set Advertising Enable - turn on and off advertising



SCANNING

LE Set Scan Parameters

sets timin filter olic address t e scan t e


181/419

turn on/off scanning

LE Advertising Report



INITIATING

LE Create Connection

set timing, filter policy, target address, address type,connect to white list, connection interval, supervisiontimeout, expected length of communication events


182/419

LE Create Connection Cancel

a connection was created (or cancelled, or timed out)



CONNECTION MANAGEMENT

LE Connection Update

u date connection event timin arameters

connection interval, slave latency, supervision timeout,

ex ected len th of communication events


183/419

ex ected len th of communication events

LE Connection U date Com lete

connect update has succeeded



AFH CHANNEL MAP MANAGEMENT

LE Set Host Channel Classification

which LE data channels are ood / bad

controller still determines if channels are used / unused


184/419

LE Read Channel Map



INFORMATIONAL EXCHANGES

LE Read Local Supported Features

reads what LE features a controller su orts


185/419

requests what a remote device supports

LE Read Remote Used Features Complete



STARTING ENCRYPTION

LE Start Encryption

re uest that encr tion is started on a connection

requires random numbers & LTK


186/419

LE Long Term Key Request

Host gives LTK to Controller for encyption



LUNCHreturn at 13:30


187/419



L2CAP

Apps

Applications




188/419

Attribute Protocol Security Manager



Controller

Physical Layer




L2CAP



189/419

segmentation and reassembly

Provides logical channels



L2CAP PACKETS

All application data is sent using L2CAP packets

Len th is the len th of the L2CAP Information Pa load

CID is the destination logical channel

CID b ith


190/419

CIDs can be either

connection oriented channels (not used in LE)

Length CID Information Payload



FIXED L2CAP CHANNELS

CIDs from 0x0001 to 0x003F are fixed channels

0x0040 to 0xFFFF are d namicall allocated

CID Description Notes

0x0000 Null identifier Not used (ever)


191/419

0x0001 L2CAP Signaling Channel Used over BR/EDR

0x0003 AMP Manager Protocol Used over BR/EDR0x0004 Attribute Protocol Used over LE only

0x0005 LE L2CAP Signaling Channel Used over LE only

0x0006 Security Manager Protocol Used over LE only



LE L2CAP SIGNALING PROTOCOL

Identical to L2CAP Signaling Protocol

except only one command per packet

t d d li it d


192/419

supported commands limited

Connection Parameter Update request



L2CAP SUMMARY

Three fixed channels for LE

Attribute Protocol

LE L2CAP Signaling Protocol


193/419



SECURITY MANAGER

Apps

Applications




194/419

y g



Controller

Physical Layer




SECURITY MANAGER (SM)

Security Manager Protocol

Pairing & Key Distribution

,


195/419

generating hashes

generate short term keys during pairing



SECURITY MANAGER PROTOCOL

Uses L2CAP fixed channel 0x0006

MTU = 23 octets

Best Effort, Basic Mode, Infinite Flush Timeout


196/419

Code Data



BASIC CONCEPTS

Use distributing key model

Slave generates and distributes key information to master

Pairing

au en ca on ase on e r capa es secur y requ remen sside effect is encrypted link / key distribution


197/419

side effect is encrypted link / key distribution

Signing Data

Signing allows authentication of sender without encryption

Bonding

GAP concept device save keys for bonded devices



SM PROTOCOL CODES

Code Name Description

0x01 Pairing Request starts the pairing procedure

0x02 Pairing Response completes pairing exchange

0x03 Pairing Confirm sends confirm value used in pairing

0x05 Pairing Failed oh no, its failed including reason


198/419

0x06 Encryption Information distributed Long Term Key

x aster ent cat on n ormat on use w en reconnect ng to a master

0x08 Identity Information distributed Identity Resolving Key

0x09 Identify Address Information address information used for reconnecting

0x0A Signing Information distributed Signature Key

0x0B Security Request slave wants security master always initiates



PAIRING MODEL

Phase 2 : Authenticate


199/419

n ayer ncryp on



IO CAPABILITIES

No Output No Input No Output No Input No Output Keyboard Only

umer c u pu sp ay n y sp ay es o ey oar sp ay


200/419



IO CAPABILITIES TO ALGORITHM

Display Only Display Yes No Keyboard Only No Input No

Output

Keyboard

Display

Unauthenticated

Unauthenticated

Authenticated

Unauthenticated

Authenticated

Display Yes No Just Works Just Works Passkey Entry Just Works Passkey Entry

Unauthenticated Unauthenticated Authenticated Unauthenticated Authenticated


201/419

Keyboard Only Passkey Entry Passkey Entry Passkey Entry Just Works Passkey Entry

Authenticated Authenticated Authenticated Unauthenticated Authenticated

No Input No

Output

Just Works Just Works Just Works Just Works Just Works

Keyboard

Display

Passkey Entry

Authenticated

Passkey Entry

Authenticated

Passkey Entry

Authenticated

Just Works

Unauthenticated

Passkey Entry

Authenticated



OTHER PAIRING REQUIREMENTS

OOB Data

has an authentication data been exchan ed over OOB

No Bonding / Bonding


202/419

g g

which keys does this device want from peer



ALGORITHMS

Just Works

TK = 0

TK = passkey (6 digit number, 000000 to 999999)


203/419

p y ( g , )

Out Of Band



AUTHENTICATION

Mconfirm = fc1 (TK, Mrand, SlaveADDR)

S = f TK S Master

=


204/419

confirm

Sconfirm

Mrand

Srand



SHORT TERM KEY

Need to generate a Short Term Key

after authentication

= , ,


205/419

=s ran ran



KEY DISTRIBUTION

Many keys can be distributed in both directions

Long Term Key

Signature Resolving Key


206/419



LONG TERM KEY

128 bit random number given by slave to master

If a device can be both master and slave


207/419

LTK = f (EDIV, Rand)

e.g. NIST Special Publication 800-108 could be used



IDENTITY RESOLVING KEY

Two types of address

Public Address

Random Address

GAP defines sub-categories of Random Address


208/419

Non-Resolvable Private Address



RESOLVABLE PRIVATE ADDRESSES

Resolvable addresses need to use a known secret

Identif Resolvin Ke IRK

=


209/419

hash random

(24 bits) (24 bits)

,

random, and check if hash matches



SIGNED DATA

Allows authentication without encryption

Uses SignCounter


210/419

calculated over plain text and SignCounter

plain text SignCounter

(32 bits)

MAC

(64 bits)



SUMMARY

Pairing / Authentication

uses same IO Ca abilities as SSP from v2.1

allows upgrade to public key cryptography


211/419

Resolvable Private Addresses

Allows authentication using Signed Data



ATTRIBUTE PROTOCOL

Apps

Applications




212/419



Controller

Physical Layer




ATTRIBUTE PROTOCOL (ATT)

Client Server Architecture

servers have data

clients request data to/from servers

Protocol Methods


213/419

, , ,

notification, indication, confirmation



CLIENT SERVER ARCHITECTURE

Servers have data, Clients want to use this data

Servers expose Data using Attributes

ServerClient


214/419

DataRequests

Res onsesData

Data



SERVERS EXPOSE DATA USING ATTRIBUTES

Attributes have values

arra of octets

0 to 512 octets in length


215/419

Value

0x04

0x0802



ATTRIBUTES ARE ADDRESSABLE

Each attribute has a handle

used to address an individual attribute b a client

Read (0x0022) => 0x04 ; Read (0x0098) => 0x0802


216/419

Handle Value

0x0022 0x04

0x0098 0x0802



ATTRIBUTES ARE TYPED

Attributes have a type

t e is a UUID determines what the value means

or Generic Access Profile or Generic Attribute Profile


217/419

Handle Type Value

0x0022 Battery State 0x04

0x0098 Temperature 0x0802




Device Name

defined b GAP

formatted as UTF-8

0x54656d70657261747572652053656e736f72 =

Tem erature Sensor


218/419

Tem erature Sensor

Handle Type Value

0x0022 Battery State 0x04





Battery State

defined b Batter State Characteristic s ecification

enumerated value

0x04 = Discharging


219/419

Handle Type Value

0x0022 Battery State Discharging





Temperature

defined b Tem erature Characteristic s ecification

Signed 16 bit Integer in 0.01 C

0x0802 = 2050 * 0.01 C = 20.5 C


220/419

Handle Type Value

0x0022 Battery State Discharging

0x0098 Temperature 20.5 C



ATTRIBUTE TYPE

Type is a UUID

UUIDs are 128 bits in len th

allowing a 16 bit UUID to be defined


221/419

00000000-0000-1000-8000-00805F9B34FB

Same Bluetooth Base UUID as SDP



ATTRIBUTE TYPE

Type is a UUID




222/419

0000xxxx-0000-1000-8000-00805F9B34FB



ATTRIBUTE TYPE

Type is a UUID




223/419

00001234-0000-1000-8000-00805F9B34FB=



ATTRIBUTE HANDLE

Handle is a 16 bit value

0x0000 is reserved shall never be used

0x0001 to 0xFFFF can be assigned to any attributes


224/419

Handles are sequential

0x0104 is after 0x00F8



ATTRIBUTE TYPE

Type is a UUID




225/419

0000xxxx-0000-1000-8000-00805F9B34FB



ATTRIBUTE PERMISSIONS

Attributes values may be:

readable / not readable

writeable / not writeable


226/419

authentication to read / write

encryption / pairing with sufficient strength to read / write




Permissions not discoverable over Attribute Protocol

determined by implication

If request to read an attribute value that cannot be read

Error Response Read Not Permitted


227/419

If request to write an attribute value that requires authentication

Error Response Insufficient Authentication

Client must create authenticated connection and then retry

There is no pending state




Attribute Handles are public information

Attribute Types are public informationAttribute Values can be protected

It is up to the server to not reveal any values that it considersare protected to a client it does not trust enough


228/419

Server responds by saying what is wrong not with value

Read / Write Not Permitted



LOGICAL ATTRIBUTE REPRESENTATION

im lementation

Attribute Attribute Type Attribute Value Attribute

2 octets 2 or 16 octets variable length (0 to 512 octets)

specific

H dl P i i


229/419

Handle Permissions



PROTOCOL METHODS

Protocol Sent by Description

PDU Type

Request Client Client requests something from server always causes a response

Command Client Client commands something to server no response


230/419

Indication Server Server indicates to client new value always causes a confirmation



PROTOCOL IS STATELESS

After transaction complete

no state is stored in rotocol

Request -> Response


231/419

Notification-



SEQUENTIAL PROTOCOL

Client can only send one request at a time

re uest com letes after res onse received in client

indication completes after confirmation received in server


232/419

Commands and Notifications are no response / confirmation

could be dropped if buffer overflows consider unreliable



ATOMIC OPERATIONS

Each request / command is an atomic operation

cannot be affected b another client at the same time

value of attribute(s) undefined


233/419

there is no rollback or transactional processing



ATTRIBUTE GROUPING

Generic Attribute Profile defines a concept of Grouping

Grouping is done by Attribute Type

Grouping TypeAnother Grou in T e

DataData

Another Grouping Type

D t


234/419

Data

Grouping TypeDataAnother Grouping Type

DataData



ATTRIBUTE GROUPING

Generic Attribute Profile defines a concept of Grouping

Grouping is done by Attribute Type

Secondary ServiceCharacteristic

DataData

Characteristic

D t


235/419

Data

Primary ServiceDataCharacteristic

DataData



MTU SIZES

Over BR/EDR

Attribute rotocol uses a d namic channel fixed PSM

MTU negotiated by L2CAP

Over LE


236/419

MTU exchanged b

bluetooth low energy technology training

Documents