Ble 101

BLE 101 Bluetooth Low Energy
Page 1
Agenda
Bluetooth low energy defined Architectural Overview Stack Architecture

Physical Layer Link Layer HCI Layer L2CAP Layer Security Manager Protocol Attribute Protocol Generic Attribute Profile Generic Access Profile Applications
Comparison of LE to BR/EDR
Page 2
Agenda

Page 3
What is Bluetooth low energy?
Evolution of current Bluetooth standard

Open and license free standard Easily integrated within existing Bluetooth technology
Focus on ultra-low power consumption

Ideal for devices with very low battery capacity
Faster connections
I got it I got it I want more Here it is
Page 4
New Technology?
Yes
efficient discovery / connection procedures very short packets asymmetric design for peripherals client server architecture
No
reuse existing BR radio architecture reuse existing HCI logical and physical transports reuse existing L2CAP packets
Page 5
Why Bluetooth low energy?
In the home Remote control Entertainment Assisted living Consumer medical & health In the workplace Factory automation In the car Sensors Displays On the go Sports and fitness Proximity
Page 6
Basic Concepts
Everything optimized for power consumption Button Cell will be the main power supply for peripherals
< 15ma peak current < 1a average current
Page 7
Basic Concepts
Client
Server
Everything has STATE

devices expose their state these are servers
Clients can use the state exposed on servers

read it get current temperature write it increase set point temperature for room
Servers can tell clients when state updates

notify it temperature up to set point
Page 8
Basic Concepts
Client Server Architecture

proven architecture for web-infrastructure
Gateways allow interconnect of internet & low energy

weighing scales send reports to doctor home security web site shows all windows closed assisted living for your parents allows low cost monitoring sports data immediately uploaded via cellular phone
Internet
Page 9
Agenda

Page 10
Operating States and Roles
State Standby Advertising Scanning
State Description Does not transmit or receive packets Broadcasts advertisements in advertising channels Looks for advertisers
Scanning
Initiating
Connection
Initiates connection to advertiser

Advertising Standby Initiating
Master Communicates with device in the Slave Role role, defines timings of transmissions Slave Role Communicates with single device in Master Role
Master/Slave only No scatternet No role switches
Connection
Page 11
Operation States and Roles
Bluetooth low energy devices may have more than one instance
of the Link Layer state machine at any one time
However a Bluetooth low energy device cannot be master and slave at the same time
Multiple State Machine States and Roles Advertising Scanning Initiator Connection Master Slave Advertising No Yes Yes * Yes * Yes * Scanning Yes No Yes Yes Yes Initiating Yes* Yes No Yes No Connection Master Yes * Yes Yes Yes No Slave Yes * Yes No No No
* Only advertising packets that will not result in Link Layer entering a Slave Role
Page 12
Topology Example
Star topology
Master can have multiple link layer connections Slave can have only one link layer connection
Advertiser
Slave Slave Master Scanner
Advertisement
Slave Slave Advertiser Advertiser
Page 13
Topology Example
Initiation of connection requests

Master can simultaneously be scanner and Master Master can simultaneously be initiator and Master
Advertiser
Connection Request
Slave Slave Advertiser Advertiser
Page 14
Topology Example
Master and Slave can both act as Advertiser

Only advertising events that will not result in connection as Slave are allowed
Advertiser
Connected
Slave Slave Slave / Advertiser Advertiser
Page 15
Agenda

Page 16
Stack Architecture
Applications Generic Access Profile
Apps
Generic Attribute Profile

Attribute Protocol Security Manager
Host
Logical Link Control and Adaptation Protocol

Host Controller Interface
Link Layer
Physical Layer
Direct Test Mode
Controller
Page 17
Physical Layer
Applications Generic Access Profile Generic Attribute Profile Attribute Protocol Security Manager
Apps
Host
Logical Link Control and Adaptation Protocol Host Controller Interface Link Layer Physical Layer Direct Test Mode
Controller
Page 18
Spectrum Usage
The 2.4GHz ISM band is a free for all for anyone who wants to
use it.
Direct Radio waves Current 100 kHz 300 GHz Extremely low frequency FM radio (ELF) 88-108 MHz Very low frequency Microwaves (VLF) 300 MHz 300 GHz
Visible light Ultraviolet radiation
X-rays Gamma rays
The 2.4GHz ISM Band is also used by: Microwave Ovens Digital Cordless Phones 802.11b/g
medium wave radio 550-1600 kHz

long wave radio 150-350kHz Infrared radiation
Frequency in hertz (Hz) kHz MHz GHz 0 102 104 106 108 1010
1012
1014
1016
1018
1020
1022
Bluetooth
Page 19
Bluetooth low energy Frequency Plan
2480 2478 2476 2474 2472 2470 2468 2466 2464 2462 2460 2458 2456 2454 2452 2450 2448 2446 2444 2442 2440 2438 2436 2434 2432 2430 2428 2426 2424 2422 2420 2418 2416 2414 2412 2410 2408 2406 2404 2402 MHz
6 6 6 6 6 6 6 6 6 10 9 8 7 6 5 4 3 2 1 0 37 Advertising Data
39
36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11
Lower guard band of 2MHz, upper guard band of 3.5MHz
11 11 11 11 11 11 11 11 11
38
1 1 1 1 1 1 1 1 1 WiFi
Page 20
Modulation Scheme
Data is transmitted using Gaussian Frequency Shift Keying,

GFSK
FSK uses two different frequencies to transmit a binary 1 or 0 For Bluetooth low energy the two frequencies are:
fc + fc - for 1 for 0
where fc = frequency of current hop and = >185kHz
Page 22
Modulation Example
For channel 0 (Frequency 2.402GHz)

To transmit 1 To transmit 0
>185kHz Frequency, GHz 2.404
>185kHz Frequency, GHz 2.404
During one time slot the data can change value every 1s,
so the transmit frequency oscillates back and forth around the center channel frequency.
Page 23
Modulation Example cont.
If the frequency change is allowed to occur instantaneously this

can lead to inter-symbol interference (ISI) at the receiver which makes it difficult to interpret what state the bit is trying to represent. This will result in high bit errors in the transmitted data.
Frequency, GHz
2.402
Page 24
Modulation Example cont.
To reduce the spectral spreading that causes ISI, Bluetooth low

energy uses a 0.5BT Gaussian Filter to slow the transitions between the two frequencies.
Frequency, GHz 2.402
Page 25
Overcoming Interference
Due to the unrestricted nature of the ISM band, Bluetooth low

energy must overcome interference from other systems and minimize its interference on other systems.
Bluetooth low energy does this by using a Frequency Hopping

Spread Spectrum (FHSS) technique.
This spreads the RF power across the spectrum which reduces

interference and the spectral power density.
Page 26
Frequency Hopping Spread Spectrum - FHSS
Bluetooth low energy splits the spectrum up into 37 1MHz wide

channels data channels
FHSS occurs while in a connection The frequency hops follow a hop-length that is pseudo-random
per connection
Communicated in the Connection Request Provides instant adaptive frequency hopping capability Can be updated using a channel update message
Guard Band Guard Band
2.4000 2.4020
2.4800
Frequency, GHz 2.4835
Page 27
Bluetooth low energy Frequency Hopping
Definitions:
Used channel used for the connection Unused channel not used for the connection
Pseudo-random hop length communicated in Connection Request by master

fn+1 = (fn + hop) mod 37
Unused channels are remapped
Page 28
Link Layer
Apps
Host
Controller
Page 29
Bluetooth low energy addresses
Device addresses
Public 48-bit address obtained from IEEE Registration authority BD_ADDR in dual-mode devices
company_assigned [0:23] company_id [24:47]
Private Optional for Bluetooth low energy devices Changes frequently enables privacy
hash [0:23] random [24:47]
Access addresses
32-bit pseudo random access address Changes with each link layer connection
Page 30
Device Filtering
Devices maintain a white list

Storage of device addresses for device filtering
Filter policy can be set to:

Advertiser
Process scan/connection requests from devices in white list Process all scan/connection requests (default advertiser filter policy) Process connection requests from all devices but only scan requests in white list Process scan requests from all devices but only connection requests in white list
Scanner
Process advertising packets from devices in white list Process all advertising packets (default scanner filter policy)
Initiator
Process connectable advertising events from devices in white list Process connectable events only from single device specified by host
Page 31
White Lists
No need to send every advertising packet to Host

only send information from devices in white list
Allows connect to white list semantics

a master can automatically connect to a set of devices will connect when sees adverts from these devices allows very fast connections from many devices
Page 32
Physical Channels
ISM band split into 40 channels of two types

Advertising Channels Data channels
Advertising Channels
Frequencies
2402 (37), 2426 (38), 2480 (39)
Usage
Discovering devices Initiating a connection Broadcasting data
Data Channels
Frequencies
2404-2424 (0-10), 2428-2478 (11-36)
Usage
Communicating between connected devices
Page 33
One Packet Format
Used for Advertising and Data Channel Packets Preamble (0x55, 0xAA)
Frequency synchronization, symbol timing estimation, AGC training Access Address Advertising packets always 0x8e89bed6 Data packets different for each link layer connection Packet Data Unit Defined based upon packet types Not Whitened Whitened
Preamble
Access Address
PDU
CRC
Protected by CRC
Page 34
Bit Stream Processing
CRC
Calculated over entire PDU Detects all 1, 2, 3, 5, and odd bit errors in PDU Shift register is preset Data channel - with value from CONNECT_REQ Advertising channel 0x555555
x0 x1 x3 x4 x6 x9 x10 x24
+
Position 0 LSB 1 2
+
3
+
4 5
+
6 7 8
+
9
+
10 11 12 13 14 15 16 17 18 19 20 21 22 23 MSB
+
Data in (LSB first)
Data Whitening
Random data can contain long strings of 1s or 0s. Long durations at one level can cause an unwanted DC bias to be present in received data which can upset some data slicers. To counter this the PDU and CRC is whitened Uses same LFSR as Bluetooth BR
Page 35
x0
x4
x7
Data out
+
Position 0 1 2 3 4 5 6
+
Data in (LSB first)
Advertising
Scanner
Advertiser
Event started ~0.5ms ~0.5ms
Found device (data)
ADV_IND (data) Adv_Idx= 37 ADV_IND (data) Adv_Idx=38
Advertising Event ADV_IND ADV_DIRECT_IND ADV_NONCONN_IND ADV_DISCOVER_IND
Response packet to advertising event SCAN_REQ Yes No No Yes CONNECT_REQ Yes Yes * No No
ADV_IND (data) Adv_Idx= 39
Event closed
* If initiator address matches

Page 36
Active Scanning
Scanner
Advertiser
Event started
T_IFS 150s

SCAN_REQ Adv_Idx=37 SCAN_RSP (data) Adv_Idx=37 ADV_IND (data) Adv_Idx=38
<1.5ms
Advertising Event ADV_IND ADV_DIRECT_IND ADV_NONCONN_IND ADV_DISCOVER_IND
Response packet to advertising event SCAN_REQ Yes No No Yes CONNECT_REQ Yes Yes * No No
~0.5ms
Event closed
* If initiator address matches
Page 37
Connection
CONNECT_REQ includes the following data:

Transmit window size Transmit window offset Connection interval Slave latency Connection Timeout Hop sequence Channel Map CRC initialization value
Scanner
Advertiser
Event started
T_IFS 150s
ADV_IND (data) Adv_Idx= 37 CONNECT_REQ Adv_Idx=37
Event closed
Advertising Event ADV_IND ADV_DIRECT_IND ADV_NONCONN_IND
Response packet to advertising event SCAN_REQ Yes No No CONNECT_REQ Yes Yes * No
ADV_DISCOVER_IND
Yes
No
Page 38
Connection
Parameter connInterval WindowOffset
Minimum 7.5 msec 0
Maximum 4 seconds connInterval
Scanner
Advertiser
Advertising Event started
WindowSize
1.25 msec
10 msec *
Master
1.25ms < t < WindowOffset+WindowSize T_IFS 150s connInterval
Advertising Event closed Connection Event started
Slave
LL Data/Control packet Channel fn LL Data/Control packet Channel fn LL Data/Control packet Channel fn+1 LL Data/Control packet Channel fn+1
Connection Event closed Connection Event started
T_IFS 150s
Connection Event closed
Page 39
Connection using More Data (MD)
Parameter connInterval
Minimum 7.5 msec
Maximum 4 seconds
Scanner
Advertiser
Advertising Event started
WindowOffset WindowSize
0 1.25 msec
connInterval 10 msec *
Master
1.25ms < t < WindowOffset+WindowSize
T_IFS 150s
Advertising Event closed
Slave
Master MD=0 MD=0 Slave Master closes connection Master transmits Slave listens MD=1 Master transmits Slave listens Master transmits Slave listens
MD=1
LL Data/Control packet Channel fn (MD=1) LL Data/Control packet Channel fn (MD=0) LL Data/Control packet Channel fn (MD=0) LL Data/Control packet Channel fn (MD=0)
Connection Event started
Connection Event closed
Page 40
Connection Termination
Master initiated termination - transmit TERMINATE_IND packets

to slave until:
Acknowledgement from Slave Slave latency + 6 connection events
Slave initiated termination transmit TERMINATE_IND packets

to master until
Acknowledgement from Master 6 connection events
Connection supervision timeout
Page 41
Acknowledgement and Flow Control
Acknowledgements embedded in
header of every Data channel PDU
Single bit Sequence Number (SN) Single bit Next Expected Sequence Number (NESN) Master Slave
Data (SN=0, NESN=0) Data (SN=0, NESN=1)
Packet is retransmitted until the NESN is

different from the SN value in the sent packet
Enables lazy acknowledgement for significant power savings
Data (SN=1, NESN=1) Data (SN=1, NESN=0)
Data (SN=0, NESN=1)

Data (SN=1, NESN=0)
Page 42
Air Interface Packets Advertising Packets

Type 0000 0001 0010 0011 0100 0101 0110 Packet ADV_IND ADV_DIRECT_IND ADV_NONCONN_IND SCAN_REQ SCAN_RSP CONNECT_REQ ADV_DISCOVER_IND Usage Connectable undirected advertising event Connectable directed advertising event Non-connectable undirected advertising event Scan request for further information from advertiser Response to scan request from scanner Connect request by Initiator Discoverable undirected advertising event
Preamble frequency synchronization and AGC

training (10101010) Access Address 0x8e89bedd6 CRC computed over PDU TxAdd, RxAdd PDU type-specific information
Preamble (1 octet) Access Address (4 octets)
Type (4 bits)
RFU TxAdd RxAdd Length (2 bits) (1 bit) (1 bit) (6 bits) Header (16 bits)
RFU (2 bits)
Payload (per Length field in header) PDU CRC (3 octets)
Page 43
Air Interface Packets Advertising PDUs (Undirected)
Type 0000 0010 0110
Packet ADV_IND ADV_NONCONN_IND ADV_DISCOVER_IND
Usage Connectable undirected advertising event Non-connectable undirected advertising event Discoverable undirected advertising event
AdvA contains advertisers public address if

TxAdd=0, or a random address if TxAdd=1 AdvData contains advertising data from the host
AdvA (6 octets)
AdvData (0-31 octets)
Header (16 bits)
Payload (per Length field in header) PDU

CRC (3 octets)
Preamble (1 octet)
Access Address (4 octets)
Page 44
Air Interface Packets Advertising PDUs (Directed)
Type 0001
Packet ADV_DIRECT_IND
Usage Connectable directed advertising event
AdvA contains advertisers public address if

TxAdd=0, or a random address if TxAdd=1 InitA contains initiators public address if RxAdd=0, or random address if RxAdd=1
AdvA (6 octets) Header (16 bits)
InitA (6 octets)
Preamble (1 octet)
Page 45
Air Interface Packets Scanning PDUs
Type 0011 0100
Packet SCAN_REQ SCAN_RSP
Usage Scan request for further information from advertiser Response to scan request from scanner
ScanA contains Scanners public or random

device identified by TxAdd AdvA contains Advertisers public or random device address identified by TxAdd/RxAdd ScanRspData data from advertisers host
Preamble (1 octet) Access Address (4 octets)
SCAN_REQ
SCAN_RSP
ScanA (6 octets)
AdvA (6 octets)
AdrA (6 octets)
ScanRspData (0-31 octets)
Header (16 bits)
Payload (per Length field in header) PDU

CRC (3 octets)
Page 46
Air Interface Packets Initiating PDUs
Type 0101 AA (4 octets)
Packet CONNECT_REQ WinOffset (2 octets)
Usage Connect request by Initiator Interval (2 octets) Latency (2 octets) Timeout (2 octets) ChM (5 octets) Hop (5 bits) SCA (3 bits)
CRCInit WinSize (3 octets) (1 octets)
InitA initiators public/random address based on TxAdd AdvA advertisers public/random address based on RxAdd AA contains Link Layers connection address CRCInit initialization value for CRC calculation WinSize defines timing window for first data packet WinOffset offset of transmit window start Interval time between connection events Latency # times slave can ignore connection events Timeout max time between two correctly received packets before link is considered lost ChM Channel Map Hop Random number seeding hop sequence SCA Sleep Clock Accuracy range
InitA (6 octets)
Header (16 bits)
AdvA (6 octets)
LLData (22 octets)
Preamble (1 octet)
Page 47
Air Interface Packets LL Data Channel
Preamble frequency synchronization and

Field LLID Purpose and Encoding 0x01 = Continuation/empty L2CAP packet 0x02 = Start of an L2CAP packet 0x03 = LL Control packet
AGC training (01010101) or (10101010) Synchronization word 32 bit link layer connection access address CRC computed over PDU MIC Message Integrity Code, for use with encrypted links
LLID (2 bits) NESN (1 bit) SN (1 bit) Header (2 octets) MD (1 bit) RFU (3 bits) Length (5 bits) RFU (3 bits)
NESN
SN MD
Next Expected Sequence Number

Sequence Number More data
Payload (0-27 octets) PDU
MIC (4 octets)
Preamble (1 octet)
Synchronization word (4 octets)
CRC (3 octets)
Page 48
Air Interface Packets LL Control Packets
Opcode 0x00 0x01 0x02
Control packet name LL_CONNECTION_UPDATE_REQ LL_CHANNEL_MAP_REQ LL_TERMINATE_IND
0x03
0x04 0x05 0x06 0x07 0x08 0x09 0x0a 0x0b 0x0c
LL_ENC_REQ
LL_ENC_RSP LL_START_ENC_REQ LL_START_ENC_RSP LL_UNKNOWN_RSP LL_FEATURE_REQ LL_FEATURE_RSP LL_PAUSE_ENC_REQ LL_PAUSE_ENC_RSP LL_VERSION_IND
CtrType (1 octet)
CtrData
LLID 1 1
NESN (1 bit)
SN (1 bit) Header (2 octets)
MD (1 bit)
RFU (3 bits)
Length (5 bits)
RFU (3 bits)
0x0d
LL_REJECT_IND
MIC (4 octets) CRC (3 octets)
Preamble (1 octet)
Page 49
Encryption
Uses CCM algorithm

Counter with CBC-MAC (Cipher Block Chaining-Message Authentication Code) Defined in IETF RFC 3610
32-bit Message Integrity Code on every encrypted packet Based on Encryption Root key in slave
Generates a Long Term Key (LTK) LTK shared with master to allow faster reconnections
Page 50
Packet Timings
Peer device transmits 150 s after last packet

Minimum size packet = 80 s
(Preamble + Access Address + Header + CRC)
Maximum size packet = 328 s

(Preamble + Access Address + Header + Payload + MIC + CRC)
Tx
Rx
Tx
Rx
Tx
Rx
Tx
Rx
Page 51
Maximum Data Rate
Asymmetric Tx/Rx Packet Sequence

328 + 150 + 80 + 150 = 708 s Transmitting 27 octets of application data ~305 kbps
Tx
Rx
Tx
Rx
Tx
Rx
Tx
Rx
Page 52
Applications Generic Access Profile
Apps

Attribute Protocol Security Manager
Host

Link Layer
Physical Layer
Direct Test Mode
Controller
Page 53
Host Controller Interface (HCI)
Defines physical connection between a host (e.g. PC) and a host

controller (e.g. Bluetooth module).
Extension of HCI specified in the Bluetooth Core Specification The specification defines several interfaces:
UART USB SD 3-wire UART
It also defines messages that are passed across the HCI

interface.
Page 54
HCI Commands and Events
Device Setup
Reset
Physical Links
Set host channel classification
Controller Commands & Events

Flow Control Obtain local Information Configuration
Host Flow Control

Set host control Configure white lists
Device Discovery
Advertising Reports Scan Setup
Link Information
RSSI Channel maps
Connection Setup and State

Setup and tear-down of connections
Testing
Places device into special test mode
Remote Information
Obtain remote device information
Generic events
Can occur at any time
Page 55
HCI Commands and Events

Generic Events Command Complete Command Status Hardware Error Device Setup Reset Device Discovery LE Advertising Report LE Set Scan Enable LE Set Scan Parameters Connection Setup Disconnect Command Disconnection Complete LE Connection Complete LE Create Connection Cancel LE Create Connection Remote Information Read Remote Version Information Read Remote Version Information Complete LE Read Remote Used Features LE Read Remote Used Features Complete Connection State LE Connection Update LE Connection Update Complete Physical Links LE Set Host Channel Classification Test LE Receiver Test LE Transmitter Test LE Test End Host Flow Control Host Buffer Size Set Event Mask Set Controller To Host Flow Control Host Number of Completed Packets Data Buffer Overflow LE Add Device to White List LE Clear White List LE Read White List Size LE Remove Device from White List LE Set Event Mask Link Information Read Transmit Power Level Read RSSI LE Read Advertising Channel TX Power LE Read Channel Map Authentication and Encryption Encryption Change Encryption Key Refresh Complete LE Encrypt LE Long Term Key Requested LE Long Term Key Requested Reply LE Long Term Key Requested Negative Reply LE Rand LE Start Encryption
Controller Flow Control Read Buffer Size Number of Completed Packets LE Read Buffer Size Controller Information Read Local Version Information Read Local Supported Commands Read Local Supported Features Read BDADDR LE Read Local Supported Features LE Read Supported States Controller Configuration LE Set Advertise Enable LE Set Advertising Data LE Set Advertising Parameters LE Set Random Address LE Set Scan Response Data LE Set Random Address
Black existing commands Black italicized existing events Red new commands Red italicized new events
Page 56
Apps
Host
Controller
Page 57
Logical Link Control and Adaptation Protocol (L2CAP)
Provides fixed channel data services to upper layer protocols Provides protocol multiplexing capability through concept of channels
Channel Identifier is local name representing a logical channel Channels are bi-directional
L2CAP Length (2 octets)
L2CAP Channel ID (2 octets)
Information Payload (0-23 octets)
LLID NESN (2 bits) (2 bits)
MD (1 bit)
RFU (3 bits)
Length (5 bits)
RFU (3 bits)
MIC (4 octets)
Preamble (1 octet)
CRC (3 octets)
Page 58
L2CAP Channel Types
L2CAP in Bluetooth low energy operates in Basic Mode

Offers only fixed channel types Connection oriented channels are not used in BTle
Channel Type Attribute Protocol Local CID (sending) 0x0004 (fixed) Remote CID (receiving) 0x0004 (fixed)
Signaling
Security Manager Protocol
0x0005 (fixed)
0x0006 (fixed)
0x0005 (fixed)
0x0006 (fixed)
Response timeouts used to terminate channel when remote

endpoint is unresponsive
Page 59
L2CAP Signaling for Bluetooth LE
Code 0x00 0x01 0x12 0x13
Description Reserved Command Reject Connection Parameter Update Request Connection Parameter Update Response Code (1 octet)
Usage Reserved Sent in response when unknown command code or inappropriate response Allows slave device to request new connection parameter targets Master response to slave Connection Parameter Update Request
Identifier (1 octet)
Length (2 octets)
data (0-19 octets)
L2CAP Channel ID (2 octets)
Page 60
L2CAP Signaling Connection Parameter Update
Slave can request update to connection parameters

minimum and maximum connection interval (connInterval) slave latency, i.e. number of times it can ignore connection events from master Connection timeout
Master can choose to accept or reject the parameters
Page 61
Attribute Protocol
Apps
Host
Controller
Page 66
Attribute Protocol (ATT)

servers have data clients request data to/from servers
Servers expose data using Attributes

Client Requests Responses Data Data Data Server
Page 67
The Attributes of Attributes
Attributes have values

Array of up to 512 octets, fixed or variable length
Attributes have handles

Used to address an individual attribute by a client
Attributes have a type

<<UUID>>, determines what the value means Defined by GAP, GATT, Characteristic Specifications
Attributes have permissions

Read, Write May require authentication or authorization to read or write Handle 0x0009 0x0022 0x0098 Type Battery State Temperature Value 0x04 0x0802 Meaning Temperature Sensor Discharging 20.5 C
Page 68
Device Name 0x54656d70657261747572652053656e736f72
Logical Attribute Presentation
2 octets Attribute Handle
2 or 16 octets Attribute Type
variable length (0 to 512 octets) Attribute Value
implementation specific Attribute Permissions
Page 69
Protocol Methods
Protocol PDU Type Request Response
Sent by Description Client Server Client requests something from server always causes a response Server sends response to a request from a client
Command
Notification Indication
Client
Server Server
Client commands something to server no response

Server notifies client of new value no confirmation Server indicates to client new value always causes a confirmation Confirmation to an indication
Confirmation Client

Client can only send one request at a time request completes after response received Server can send only one indication at a time indication completes after confirmation Commands and Notifications can be sent at any time
Page 70
Attribute PDU format
Attribute Opcode (1 octet)
Attribute Parameters (0-22 octets)
L2CAP Channel ID 0x0004 for ATT
Attribute Opcode
bit 6-0 : Method bit 7 : Authentication Signature Flag If 0, then unsigned data If 1 then signed data
Preamble (1 octet)
LLID NESN (2 bits) (2 bits)
MD (1 bit)
RFU (3 bits)
Length (5 bits)
RFU (3 bits)
MIC (4 octets) CRC (3 octets)
Page 71
Attribute Commands
Name Error Response Description Something was wrong with a request
Exchange MTU Request / Response

Find Information Request / Response Find By Type Value Request / Response Read By Group Type Request / Response Read By Type Request / Response
Exchange new ATT_MTU

Find information about attributes Find specific attributes Find specific group attributes and ranges Read attribute values of a given type
Read Read / Response

Read Blob Request / Response Read Multiple Request / Response Write Command Write Request / Response
Read an attribute value

Read part of a long attribute value Read multiple attribute values Write this no response Write an attribute value
Prepare Write Request / Response

Execute Write Request / Response Handle Value Notification Handle Value Indication / Confirmation
Prepare to write a value (long)

Execute these prepared values Notify attribute value no confirmation This attribute now has this value
Page 72
Apps
Host
Controller
Page 73
Generic Attribute Profile (GATT)
Defines framework for using

Generic Attribute Protocol
Generic Access Profile
Configurations and Roles

Client Initiates commands and requests toward server Receives responses, indications, and notifications from server Server Accepts commands and requests from client Sends responses, indications, and notifications to client
Example Application
Request
Client
Response
Server
Page 74
Same client server architecture as Attribute Protocol

except that data is encapsulated in Services data is exposed in Characteristic
Client
Server
Requests
Responses
Service Char.
Service Char.
Service Char.
Page 75
GATT Definitions
Service set of related characteristics and how these are used

Primary Services exposes primary usable functionality of device Can be included by another service Secondary Services intended to be referenced by primary services
Characteristics related attributes that describe state of device

Features available (readable, indicatable, etc.) Handle Representation (units, exponent, data type) i.e. data dictionary
Page 76
GATT uses Attribute Protocol
Attribute Protocol defines a server with a set of attributes

addressable with a handle typed using a UUID Includes data in an attribute value Includes permissions
2 octets Attribute Handle
2 or 16 octets Attribute Type
variable length (0 to 512 octets) Attribute Value
implementation specific Attribute Permissions
Page 77
GATT Attribute Grouping

Handle 0x0001 0x0002 0x0003 0x0004 0x0006 0x000F 0x0010 0x0012 0x0020 0x0021 0x0022 Type Primary Service Characteristic Device Name Characteristic Appearance Primary Service Characteristic Attribute Opcodes Supported Primary Service Characteristic Temperature Celsius Value GAP {r, 0x0003, Device Name} Temperature Sensor {r, 0x0006, Appearance} Thermometer GATT {r, 0x0012, Attribute Opcodes Supported} 0x00003FDF Temperature {r, 0x0022, Temperature Celsius} 0x0802 Permissions R R R R R R R R R R R*
Page 78
<<Characteristics>> Properties
Broadcast Read Write without response Write Notify Indicate Authenticated Signed Writes Extended Properties
Page 79
GATT Features and Procedures

Procedure Server Configuration Primary Service Discovery Relationship Discovery Characteristic Discovery Characteristic Descriptor Discovery Characteristic Value Read Sub-Procedures
Exchange MTU Discovery All Primary Service Discover Primary Service by Service UUID Find Included Services Discover All Characteristics of a Service Discover Characteristics by UUID Discover All Characteristic Descriptors Read Characteristic Value Read Using Characteristic UUID Read Long Characteristic Values Read Multiple Characteristic Values Write Without Response Write Without Response With Authentication Write Characteristic Value Write Long Characteristic Values Reliable Writes Notifications Indications Read Characteristic Descriptors Read Long Characteristic Descriptors Write Characteristic Descriptors Write Long Characteristic Descriptors
Characteristic Value Write
Characteristic Value Notifications Characteristic Value Indications Characteristic Descriptors
Page 80
Generic Access Profile
Apps
Host
Controller
Page 81
Generic Access Profile - GAP
Defines profile roles

Broadcaster Observer Peripheral Central
Defines procedures for:

Discovering identities, names, and basic capabilities Creating bonds Exchange of security information Establishing connections Resolvable Private addresses
Defines Advertising and Scan Response Data formats All profiles are built upon GAP
Page 82
Profile Roles
Broadcaster
Sends advertising events Can include characteristics and service data Doesnt need receiver Can be discoverable if it does have receiver
Scanning
Observer
Receives advertising events Listens for characteristics and service data Doesnt need transmitter Can discover devices if it does have transmitter
Scanning
Advertising
Standby
Initiating
Advertising
Standby
Initiating
Connection
Connection
Page 83
Profile Roles
Peripheral
Has transmitter and receiver Always slave Connectable advertising
Central
Has transmitter and receiver Always master Never advertises
Scanning
Scanning
Advertising
Standby
Initiating
Advertising
Standby
Initiating
Connection
Connection
Page 84
Advertising Data
Tag Value 0x01
Description Advertising data can be sent by broadcaster / discoverable peripheral Flags (LE limited/general Discoverable mode, BR/EDR support)
0x02
0x03 0x06 0x07 0x08 0x09 0x0A 0x12 0x14 0x15 0x16
Non-complete list of 16-bit Service UUIDs

Complete list of 16-bit Service UUIDs Non-complete list of 128-bit Service UUIDs Complete list of 128-bit Service UUIDs Non-complete shortened local name Complete local name Tx Power Level (-127 dBm to +127 dBm) Slave Connection Interval Range (min, max) Service Solicitation for 16 bit Service UUIDs Service Solicitation for 128 bit Service UUIDs Service Data (16 bit Service UUID, service data)
0xFF
Manufacturer Specific Data (Company Identifier Code, data)
Page 85
BTle Applications

Services exposes behavior that have characteristics Use Cases define how to use services on a peer
Client Use Case Use Case Responses Use Case Requests Service Char.
Server Service Char.
Service Char.
Page 86
Use Cases and Services
There is not a one-to-one link between services and use cases Clients implement use cases, Servers implement services Use cases can use multiple services
Client
Device Selection Use Case
Server
Immediate Alert Service Char. Transmit Power Service Char.
Proximity Use Case
Page 87
Applications
Apps
Host
Controller
Page 88
Applications
An Application uses a set of Use Cases

Use Cases use a set of Services on a peer device Services expose Characteristics Services define behavior exposed by Characteristics
Bluetooth SIG creates Use Case, Requirements, and Design

Documents (UCRDD)
Specifies User Scenarios Defines Profiles Includes roles for the Client and Server Services required Defines Services Includes Characteristics and associated data formats
Page 89
Example: Proximity UCRDD
User Scenarios
Leaving a phone behind Leaving keys behind Child straying too far Hospital patient from bed Automatic PC Locking & Unlocking Automatic PC Locking & Authenticated Unlocking
Roles
Proximity Monitor Proximity Reporter
Proximity Profile
Specifies services used Specifies GAP requirements for discoverability/connectability
Services
Link Loss Service Immediate Alert Service Tx Power Service
Page 90
Profiles and Services
Profiles Network Availability Proximity Find Me Soft Button Battery Glucose Meter Heart Rate Belt Weight Scale Device Power Light Switch HID Watchdog
Services Network Availability Immediate Alert Tx Power Link Loss Alert Generic Control Battery Glucose Meter Manufacturer Time Heart Rate Weight Scale HID Watchdog
Page 91
Page 92
Page 93
Page 94
Page 95
Page 96
Page 97
Page 98
Page 99
Page 100
Page 101
Page 102
Agenda

Page 103
Comparison with Classic Bluetooth
Feature RF Channels
BR/EDR 79
LE 40
Notes 2 MHz spacing in LE
Modulation
Modulation Index Max Tx Power
GFSK
0.25 to 0.35 +20 dBm (class 1) +4 dBm (class 2)
GFSK
0.45 to 0.55 +10 dBm
Simple and effective

Wider signal more robust No class structure +10 dBm regulatory limit
Rx Sensitivity (typical)
Range (typical)
-85 dBm
30 meters
-85 dBm
50 meters
Pathloss = 90 dB for BR Pathloss = 95 dB for LE

Modulation Index, increased power for class 2
Page 104
Feature
BR/EDR
LE
Notes
Packet Format
Ack Packet Len 8 octet Packet
6 (BR / EDR)
126 s 214 s
2 (LE)
80 s 144 s
ID, FHS, DM, DH, 2-DH, 3-DH - Advertising / Data

63% shorter 67% shorter
Max Packet Size

Max Data Rate Time to transfer 1Mbyte
2875 s = 1021 octets

2178.1 kb/s DH1 = 18.2 s, DH5 = 8.8 s, 3DH5 = 2.9 s
328 s = 27 octets
305 kb/s 13.9 s (LE)
LE very short
EDR much faster LE less efficient for large packets
CRC Strength
Encryption
16
Safer+
24
AES-128
LE stronger
LE stronger
Page 105
Feature Authentication Acknowledge Topology Discoverable Connectable Discoverable + Connectable LMP PDUs Feature Bits
BR/EDR once immediate flexible Inquiry Scanning 11.25 ms / 1.25 s Page Scanning 11.25 ms / 1.25 s Inquiry + Page Scan 22.5 ms / 1.25 s 75 59
LE every packet sliding window pure star Advertising 1.25 ms / 1.25 s Advertising 1.25 ms / 1.25 s Advertising 1.25 ms / 1.25 s 14 1
Notes more secure lower power LE simpler 10x lower power 10x lower power 20x lower power 5x simpler 59x simpler
Page 106
Feature Connection time LMP negotiation time L2CAP connection setup time
BR/EDR 20 ms (R0 Page Scan) min 5 ms ~ 50 ms min 5 ms ~ 50 ms
LE 2.5 ms no negotiation required uses fixed channel no negotiation required
Notes 8x quicker instant instant
Time to send application data

Time to AFH
30 ms ~ 120 ms
1.25 ms
3 ms
instant instant
10x quicker
no penalty for coexistence no penalty for low power
Time to Sniff Subrating 2.5 ms
Page 107
Feature
Protocols Supported by Host Min protocols for application 1 MB using BR 1 MB using EDR 1 MB using HS
BR/EDR
14 3 (SDP, L2CAP, App Protocol) 8.81 s 2.93 s < 1s
LE
3 2 (ATT, L2CAP) 13.93 s 13.93 s 13.93 s
Notes
Only ATT required for all plain text applications LE uses ATT for service discovery and apps BR 60% faster for data EDR ~5x faster LE very slow
L2CAP overhead
L2CAP configuration options L2CAP commands
4 to 12 octets
7 17
4 octets
0 1
LE basic headers only

Nothing configured in LE LE very simple
Page 108
Agenda

Page 109
Additional Information and Training
Bluetooth low energy specification can be found on the Bluetooth

website, www.bluetooth.org/Technical/Specifications/adopted.htm
Online training is also available on the Bluetooth website,

www.bluetooth.org/Events/Training/LowEnergyTraining.htm
Page 110

Ble 101

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ble 101

Uploaded by

Copyright:

Available Formats

BLE 101 Bluetooth Low Energy

Bluetooth low energy defined Architectural Overview Stack Architecture

Bluetooth low energy defined Architectural Overview Stack Architecture

What is Bluetooth low energy?

Evolution of current Bluetooth standard

Focus on ultra-low power consumption

Why Bluetooth low energy?

Everything has STATE

Clients can use the state exposed on servers

Servers can tell clients when state updates

Client Server Architecture

Gateways allow interconnect of internet & low energy

Bluetooth low energy defined Architectural Overview Stack Architecture

Operating States and Roles

State Standby Advertising Scanning

Initiates connection to advertiser

Master/Slave only No scatternet No role switches

Operation States and Roles

Slave Slave Master Scanner

Initiation of connection requests

Slave Slave Master Scanner

Slave Slave Advertiser Advertiser

Master and Slave can both act as Advertiser

Slave Slave Master Scanner

Bluetooth low energy defined Architectural Overview Stack Architecture

Applications Generic Access Profile

Generic Attribute Profile

Logical Link Control and Adaptation Protocol

Direct Test Mode

Visible light Ultraviolet radiation

X-rays Gamma rays

medium wave radio 550-1600 kHz

Bluetooth low energy Frequency Plan

Lower guard band of 2MHz, upper guard band of 3.5MHz

Data is transmitted using Gaussian Frequency Shift Keying,

where fc = frequency of current hop and = >185kHz

For channel 0 (Frequency 2.402GHz)

>185kHz Frequency, GHz 2.404

>185kHz Frequency, GHz 2.404

Modulation Example cont.

If the frequency change is allowed to occur instantaneously this

Modulation Example cont.

To reduce the spectral spreading that causes ISI, Bluetooth low

Frequency, GHz 2.402

Due to the unrestricted nature of the ISM band, Bluetooth low

Bluetooth low energy does this by using a Frequency Hopping

This spreads the RF power across the spectrum which reduces

Frequency Hopping Spread Spectrum - FHSS

Bluetooth low energy splits the spectrum up into 37 1MHz wide

Frequency, GHz 2.4835

Bluetooth low energy Frequency Hopping

Pseudo-random hop length communicated in Connection Request by master

Unused channels are remapped

Bluetooth low energy addresses

Devices maintain a white list

Filter policy can be set to:

No need to send every advertising packet to Host

Allows connect to white list semantics

ISM band split into 40 channels of two types

One Packet Format

Bit Stream Processing

Found device (data)