BLE Specification
1. Link Layer Specs
Core_V4.0: Vol 6 Part B. 2 AIR INTERFACE PACKETS
1.1 Bluetooth Channels
Bluetooth Channel Frequencies
1.2 LL State Machine
1.2.1 States
- StandBy: no Tx or Rx
- Advertising: Tx & Rx Adv. Packets
- Scanning: Rx Adv. packets
- Initiating: Rx Adv. pkts from a specific device.
- Connection: Connect to a devices
1.2.2 Transition
- Master: Initiating --> Connection.
- Slave: Adverstising --> Connection.
1.2.3 Connection State Rules
- Parallel States machines are possible, but in each one a single state is maintained at a time.
- Within a state machine: Master xor Slave.
- Multiple State machines:
- 1 Salve
- 1 or more Masters.
1.3 Bit Ordering
Little endian
1.4 Packet Format
Preamble (1B) | AA (4B) | PDU (2-39B) | CRC (3B)
- Access Address (AA) : 0x8e89bed6, marks the start of a Bluetooth packet to differentiate from other 2.4GHz communication.
- PDU : Holds the contents of either Advertising and Data packets.
- CRC : 3B calculated over the PDU only.
1.4.1 Control PDU
Header (2B) | Payload (size from header)
Header:
PDU Type (4 bits) | RFU (2 bits) | TxAdd (1 bit) | RxAdd (1 bit) | Length (6 bits) | RFU (2bits)
- PDU Type : one of the 7 adv modes, else reserved.
- ADV_IND (0000), ADV_DIRECT_IND (0001), ADV_NONCONN_IND (0010), SCAN_REQ (0011), SCAN_RSP (0100), CONNECT_REQ (0101), and ADV_SCAN_IND (0110)
- TxAdd and RxAdd: Info specific per PDU type.
- Length: PDU length in Bytes (6-37).
1.4.1.1 Advertising PDUs
ADV_IND (0000), ADV_DIRECT_IND (0001), ADV_NONCONN_IND (0010), ADV_SCAN_IND (0110)
1.4.1.2 Scanning PDUs
SCAN_REQ (0011), SCAN_RSP (0100)
1.4.1.3 Initiating PDUs
CONNECT_REQ (0101)
InitA (6B) | AdvA (6B) | LLData (22B)
LLDATA:
- AA Field (4B): access address. For BT, mostly fixed to 0x8e89bed6.
- CRCInit (3B): Random value generated by LL to be used in CRC calculation. Section 3.1.1 BL.
- WinSize (1B): used to calculate trasmitWindowSize as defined in section 4.5.3.
transmitWindowSize = WinSize * 1.25ms
- WinOffset (2B): used to calculate trasmitWindowOffsetValue as defined in section 4.5.3.
trasmitWindowOffsetValue = WinOffset * 1.25ms
- Interval (2B): used to calculate connInterval as defines in section 4.5.1.
connInterval = Interval * 1.25ms In the range of 7.5ms to 4s Then Interval = 6 to 3200
- Latency (2B): used to calculate connSlaveLatencyValue as defines in section 4.5.1
connSlaveLatencyValue = Latency from CONNECT_REQ. range 0 - ((connSupervisionTimeoutValue/connInterval) -1), which can't exceed 500.
- Timeout (2B): used to calculate connSupervisionTimeoutValue as defines in section 4.5.2
connSupervisionTimeoutValue = Timeout * 10ms. range 100ms to 32s Timeout range --> 10 - 3200 (ms)
- ChM (5B): channelMap to indicate data channels (0-36) used('1')/unused('0') status, LSB = channel 0. Every channel is represented by a single bit. Advertising channels (37, 38, 39) are reserved bits. section 4.5.1.
- Hop (5bits): sets the hopIncrement by a random value from 5-16 used in selecting the data channels. Section 4.5.8.2.
- SCA (3bits): indicate the masterSCA to determine the master's sleep clock. Values from 0-7 to identify clock accuracy ranges . Section 4.2.2.
| SCA | masterSCA (ppm) |
|---|---|
| 0 | 251 - 500 |
| 1 | 151 - 250 |
| 2 | 101 - 150 |
| 3 | 76 - 100 |
| 4 | 51 - 75 |
| 5 | 31 - 50 |
| 6 | 21 - 30 |
| 7 | 0 - 20 |
Note: All section mentioned are in BL spec v4.0 Vol6.
1.4.2 Data Channel PDU
Header (2B) | Payload | MIC (8B)
HEADER:
LLID (2 bits) | NESN (1 bit) | SN (1 bit) | MD (1 bit) | RFU (3 bits) | Length (5 bits) | RFU (3 bits)
1.4.2.1 LL Data PDU
- An Empty PDU send my master to maintain the connection with slave
- LLID: 01
- Length: 00000
- Non Empty data PDU
- LLID: 10
- Length: subject to payload message size.
1.4.2.2 LL Control PDU
- LLID: 11b
- Brief to be extended upon need.
- PDUs used to control the data channel
Control PDU payload
1.4.2.2.1 LL_CONNECTION_UPDATE_REQ
- PDU Length(12B): 0x0c [No MIC included]
- Header:
- opcode (1B): 0x00
- CtrData(11B):
- winSize (1B): transmitWindowSize =WinSize * 1.25 ms. Section 4.5.3.
- winOffset (2B): transmitWindowOffset = WinOffset * 1.25 ms. Section 4.5.3.
- interval (2B): connInterval = Interval * 1.25 ms. Section 4.4.4.
- latency (2B): connSlaveLatency = Latency. Section 4.5.1.
- timeout (2B): connSupervisionTimeout = Timeout * 10 ms. Section 4.5.2.
- instant (2B): connInstant = range of 0 to 65535. Section 5.1.1.
1.4.2.2.2 LL_CHANNEL_MAP_REQ
- PDU Length: 0x08 [No MIC included]
- Header:
- opcode: 0x01
- CtrData (7B):
- ChM (5B): indicate used and unused channels, same as in CONNECT_REQ (Section 2.3.3.1) . Section 4.5.8.
- instant (2B): connInstant = range of 0 to 65535. Section 5.1.1.
1.4.2.2.3 LL_TERMINATE_IND
- PDU Length: 0x02 [No MIC included]
- Header:
- opcode: 0x02
- CtrData(1B):
- Error Code: remote device why the connection is about to be terminated. Standard, [Vol 2] Part D.
1.4.2.2.4 LL_ENC_REQ
- PDU Length(23B): 0x17 [No MIC included]
- Header:
- opcode: 0x03
- CtrData(22B):
- Rand: field contains a random number that is provided by the Host and used with EDIV. [Vol. 3] Part H, Section 2.4.4).
- EDIV: field contains the encrypted diversifier
- SKDm: field contains the master’s portion of the session key diversifier.
- IVm: field contains the master’s portion of the initialization vector.
1.4.2.2.5 LL_ENC_RSP
- PDU Length(13B): 0x0d [No MIC included]
- Header:
- opcode: 0x04
- CtrData(12B):
- SKDs: field shall contain the slave’s portion of the session key diversifier.
- IVs: field shall contain the slave’s portion of the initialization vector.
1.4.2.2.6 LL_START_ENC_REQ
- PDU Length: 0x01 [No MIC included]
- Header:
- opcode: 0x05
- NO CtrData.
1.4.2.2.7 LL_START_ENC_RSP
- PDU Length: 0x01 [No MIC included]
- Header:
- opcode: 0x06
- NO CtrData.
1.4.2.2.8 LL_UNKNOWN_RSP
- PDU Length(2B): 0x02 [No MIC included]
- Header:
- opcode: 0x07
- CtrData(1B):
- UnknownType shall contain the Opcode field value of the received LL Control PDU.
1.4.2.2.9 LL_FEATURE_REQ
- PDU Length: 0x02 [No MIC included]
- Header:
- opcode: 0x08
- CtrData(1B):
- FeatureSet shall contain the set of supported features of the master’s Link Layer.
1.4.2.2.10 LL_FEATURE_RSP
- PDU Length: 0x02 [No MIC included]
- Header:
- opcode: 0x09
- CtrData(1B):
- FeatureSet shall contain the set of used features of the Link Layer of the master or slave.
1.4.2.2.11 LL_PAUSE_ENC_REQ
- PDU Length: 0x01 [No MIC included]
- Header:
- opcode: 0x0A
- NO CtrData
1.4.2.2.12 LL_PAUSE_ENC_RSP
- PDU Length: 0x01 [No MIC included]
- Header:
- opcode: 0x0B
- NO CtrData
1.4.2.2.13 LL_VERSION_IND
1.4.2.2.14 LL_VERSION_IND
- PDU Length (6B): 0x06 [No MIC included]
- Header:
- opcode: 0x0C
- CtrData (5B):
- VersNr (1B): contains the version of the Bluetooth Controller specification (see Bluetooth Assigned Numbers).
- CompId (2B): contains the company identifier of the manufacturer of the Bluetooth Controller (see Bluetooth Assigned Numbers).
- SubVersNr (2B): contains a unique value for each implementation or revision of an implementation of the Bluetooth Controller.
1.4.2.2.15 LL_REJECT_IND
- PDU Length(2B): 0x02 [No MIC included]
- Header:
- opcode: 0x0D
- CtrData (1B):
- Error Code shall contain the reason a request was rejected; see [Vol 2] Part D
2. Air Interface Protocol
Core_V4.0: Vol 6 Part B. 4 AIR INTERFACE PROTOCOL
2.1.4.1 Inter Frame Space
IFS: Time interval between 2 consecutive packets on the same channel. Time from last bit in the previous packet to the first bit in the upcoming one. T_IFS = 150 μs
2.1.4.2 Timing Requirements
LL operates in 2 modes of accuracy active and sleep
- Active: Connection or Advertising states.
- Sleep: Other states.
2.2.1 Active Clock Accuracy
The start of a packet shall be transmitted 150±2 μs after the end of the previous packet.
2.2.2 Sleep Clock Accuracy
A 1 sec connection interval with a total ±1000ppm sleep clock accuracy will give a window widening either side of the anchor point of 1ms plus 16us, assuming that the slave controller was using its sleep clock for almost the complete connection interval.
2.3.4.3 Link Layer Device Filtering
A Host set filter for device based on the current state (advertising, initiating, and Scanning).
It is mainly taking about how each state can handle requests from other devices than the one currently in consideration for connection. To fancy to handle at this point
2.4.1 Non Connection States - StandBy
default state, no activity either Tx or Rx
2.4.2.1 Non Connection States - Advertising - Channel Selection
Host makes selection based on used/unused channels.
2.4.2.2 Non Connection States - Advertising - Advertising Interval
T_advEvent = advInterval + advDelay
- advInterval = x * 0.625ms = 20 to 10240ms
- xrange --> 32 to 16384
- undirected event (scannable or non-connectable), then advInterval < 100ms
- connectable undirected even, then advInterval >= 20ms
- advDelay = random number generated by LL between 0-10ms
2.4.2.3 Non Connection States - Advertising - Connectable Undirected Event (ADV_IND)
-
SEND
- ADV_IND by advertiser.
- Time between two ADV_IND <= 10ms.
- Advertising state closed within interval as shown in the figure below.
-
Response
- scanner OR initiator
- Scanner : SCAN_REQ to request more information on advertiser.
- Initiator: CONNECT_REQ to request entering the connection state.
- LL listens on the same channels.
- If SCAN_REQ contains device address, respond with SCAN_RSP on the same channel, unless blocked by a filter.
- If CONNECT_REQ contains device address, proceed to Connection State in slave role.
- scanner OR initiator
Connectable Advertising State that receives no response
Connectable Advertising State with SCAN_REQ & SCAN_RSP from Scanner
Connectable Advertising State with CONNECT_REQ from Initializer
2.4.3 Scanning
- Two types of scanning:
- Passive: only Rx packets and no TX. This what Ubertooth offers.
- Active: May request an Advertiser for additional info.
- No timing requirements.
- No Channel selection rules.
- Actions:
- Listen on Advertising channels for the scanWindow duration.
- Every 'scanInterval' listen for a complete scanWindow period, where scanInterval is the time between the end of a window and the start of another.
v* Filters apply when receiving advertising PDUs.
Active Scanning
- Exchange SCAN_REQ and SCAN_RSP with an advertiser.
- Run backOff to minimize collision with parameters: backOffCount' & upperLimit. Both set to ONE on entering scanning state.
- Setting backOffCount' & upperLimit:
- LL listens to SCAN_RSP.
- Every two consecutive failures, 'upperLimit is doubled.
- Every two consecutive success, upperLimit is halved.
- upperLimit max value = 256.
- On receiving either ADV_IND and ADV_SCAN_IND, if a SCAN_REQ is needed:
- if backOffCount == ZERO send SCAN_REQ.
- else decrement backOffCount by one.
2.4.4 Initiating
- No timing requirements.
- No Channel selection rules.
- LL listens for the duration of scanWindow every scanInterval.
- scanWindow and scanInterval should be less than or equal 10.24s.
- Responds to advertisers by CONNECT_REQ PDUs if permitted.
2.5 Connection State
- LL enters the Connection state when:
- An initiator sends a CONNECT_REQ.
- An advertiser receives a CONNECT_REQ.
- Connection:
- Created: entering connection state by advertiser or initiator.
- Established: once a data packet is successfully received.
- Roles:
- master: controls timing of the connection event.
- slave
2.5.1 Connection Event
- Connection is a point of synchronization between both master and slave.
- Connection is considered open if both master and slave are engaged in Tx/Rx exchange.
- Master closes connection if received nothing from slave.
- Connection can be terminated by any device.
- Connection start is called anchor point at which master starts data transmission.
- Master ensures connection closes T_IFS before anchor point.
- After slave latency, if nothing received, slave listens on every anchor.
- connEventCounter', a 16-bit event counter maintained by both master and slave.
- incremented by master on every connection event.
- values from 0xFFFF to 0x0000
- synch LL control procedure.
2.5.2 Supervision Timeout
- connSupervisionTimeout max. time between two received Data Packets PDUs before the connection is considered lost.
connSupervisionTimeout > (1+connSlaveLatency) * connInterval Multiple of 10ms Range of 100ms to 32s
- If connSupervisionTimeout == 6 * connInterval THEN connection is lost.
- If connection is lost --> move from Connection to Standby state.
2.5.3 Conn. Event Transmit Window
- CONNECT_REQ determines when master sends first packet on Connection State to set anchor point.
- Three parameters to determine transmit window: tranmistWindowOffset, transmitWindowSize, and connInterval.
- transmitWindow starts at (transmitWindowOffset + 1.25ms) after CONNECT_REQ ends.
- transmitWindowSize == window size.
- connInterval used to calculate window offset and size.
transmitWindowOffset : y*1.25ms, range of [0ms -- connInterval] y --> [0 -- connInterval/1.25ms] y is WindowOffset in CONNECT_REQ packet
transmitWindowSize: x*1.25, range [1.25ms -- min(10ms, (connInterval-1.25ms))] x --> [1 -- min(10ms, (connInterval-1.25ms))/1.25] x is WinSize in CONNECT_REQ packet
Start of first packet after CONNECT_REQ: (1.25ms + transmitWindowOffset) <= first packet <= (1.25ms + transmitWindowOffset + transmitWindowSize)
2.5.4 Connection Setup -- Master
- Notify host of moving to Connection state.
- Initiator switches to Connection state after sending CONNECT_REQ in the master role.
- Master resets TLLconnSupervision(connSuperVisionTimeout).
- use channel index.
- first sent packet sets anchor point.
- second packet within connInterval
2.5.5 Connection Setup -- Slave
- Advertiser switches to connection mode after receiving a CONNECT_REQ to operate in SLAVE mode.
- notify host of operating in SLAVE mode.
- reset TLLconnSupervision.
- first connection event use channel index data to tune the channel.
- Listen to the first packet, within transmit window.
- first received packet determines the anchor point.
- if no packet in first window, try on the next one after connInterval.
- Use next channel from channel index and increment connEventCount
- Slave stays active till receiving a NESN from a master packet.
2.5.6 Closing Conn. Event
- If MD in data packet is set THEN device has more data to send.
- If neither packets set MD, both close connection.
- If either master or slave didn't receive a response, they will close the connection event.
- Two consecutive CRC failure terminates the connection.
2.5.7 Window Widening
- Slave re-synch the anchor point at each connection. This is done to avoid uncertainty.
- slave calculates the window widening using: slaveExpectedAnchorPoint and sleep clock accuracy (SCA) for both master and slave.
windowWidening = ((masterSCA+slaveSCA)/ 1000000) * timeSinceLastAnchor where windowWidening < (connIntervalt/2)-T_IFS) otherwise, terminate connection
- slave has to keep an eye on the windowWidening before any Tx.
- slave listens to windowWidening event starting from slaveExpectedAnchorPoint and for a windowWidening period.
2.5.8 Data Channel Index Selection
- Channel Map:
- used channels: used data channels for the connection. min number is 2.
- unused channels: unused data channels in this connection.
- Channel Selection Algorithm:
- Calculate unmapped channel index.
- mapping the index to a data channel from the unused set.
- Parameters:
- unmappedChannel: unmapped channel index for the current connection event.
- lastUnmappedChannel: unmapped channel index of previous connection event.
- remappingIndex: in case of selection a channel from the unused map, this is used to remap the index to one of the used channels.
- numUsedChannels: number of used channels in the channel map.
unmappedChannel = (lastUnmappedChannel + hopIncrement) mod 37 IF unmappedChannel NOT IN used Channel map remappingIndex = unmappedChannel mod numUsedChannels END lastUnmappedChannel = unmappedChannel of previous connection, 0 in initial connection
Data channel selection Algorithm
2.5.9 ACK & Flow Control
- Parameters:
- transmitSeqNum: 1bit used to identify a pkt sent by LL.
- nextExpectedSeqNum: 1bit used by the peer to either ACK last data pkt or request resending it.
TX & RX ACK checking
- When entering the Connection State, set both to ZERO.
- Transmission:
- New Data PDU:
- SN bit (data pkt header) = transmitSeqNum
- NESN bit = nextExpectedSeqNum
- Resent pkt, no change of SN.
- New Data PDU:
- Receiving:
- If SN bit EQUAL nextExpectedSeqNum
- SAME, new pkt, increment nextExpectedSeqNum
- DIFFERENT, resent pkt
- IF NESN bit EQUAL transmitSeqNum
- SAME: last pkt is not ACK, resend it.
- DIFFERENT: last PDU ACK, inc transmitSeqNum AND send new pkt.
- If SN bit EQUAL nextExpectedSeqNum
3. Logical Links
page 113 4.2 [Vol 2, Part B] of the 4.2 standard.
page 46 4.2 [Vol 6, Part B] of the 4.2 standard.
In short, implement control message exchange between master and slave after using LLID of 11b.
4. Flow Control
v4.2 standard, pages (of pdf not document numbers):
- 419
- 431, 4.2 [Vol 2, Part B]
- 2626
- 2628