Bluetooth Low Energy (BLE) Dariusz Bursztynowski – Warsaw University of Technology

darek@tele.pw.edu.pl

Bigger picture

802.15.4

802.15.5 6loWPAN

CoAP/MQTT

(physical & link layers)

802.15.1

ANT

BLE

WirelessHART … ZigBee

Why BLE?

Need for connectivity of mobile devices with outside world

What is „outside world”? small , task-specific products, innovative, that are are sill to come

low-cost, low bandwidth, extremely low power, low complexity

Idea – a framework to exchange data, so focus on a set of relatively low-level APIs

to give developers freedom to use BLE the way they want and

hide technological complexity

(in contrast to Bluetooth which is oriented towards applications)

No artificial barriers for adoption easy-to-understand data model

no licensing

no fees for accessing the specs

Bluetooth vs BLE - a quick comparison

Traditional Bluetooth connection-oriented

device „connected” means that a link is maintained all the time between peers, even if there is no data to be sent)

streaming support provided

power reduction is possible due to sniff modes (devices can go asleep)

months of battery life-time.

although the power is lower than for other radio standards, it is still too much for coin cells and very energy-efficient applications

BLE – from Bluetooth 4.0 spec. data transfer, no support for a real streaming (rate limit ~125kbit/s)

a new radio, new protocol stack, new profile (i.e., application) architecture

designed to run from coin cells and support an Apps Store mode

range 150 meters LOS, but in reality is closer to several meters

radio standard for a new decade, enabling the Internet of Things

Note: since specification 4.1, L2CAP can create high throughput data channels (why not if it does not impact low-energy features ... ?)

BLE – key facts

Data throughput on a single channel ~125kbit/s in theory, less in practice

designed for sending small chunks of data (exposing state)

not optimised for file transfer

does not support streaming

Since Bluetooth 4.1, high-throughput user data channels at L2CAP

Operating range up to 150 meters LOS, but in reality is closer to just several meters

Network topologies allowed (type of communication) broadcasting & observing

connections (devices are coupled, i.e., associated – a state is needed)

Broadcaster

observer

observer observer

Central device

peripheral device

peripheral device

peripheral device

BLE – key factsheet

Range: below 150m (typically much less)

Output Power: ~ 10mW (10dBm)

Max Current: ~ 15mA

Latency: 3 ms

Topology: Star

Connections: > 2 billion

Modulation: GFSK @ 2.4 GHz

Robustness: Adaptive Frequency Hopping, 24 bit CRC

Security: 128bit AES CCM

Sleep current ~ 1 μA

Modes: Broadcast, Connection

Network topologies supported

Broadcasting & observing

Broadcaster: sends advertising packets to any observer willing to receive

them

Observer – scans the preset frequencies to receive advertising packes

Broadcast packet contains: broadcaster capabilities + custom information (data); larger payload can be sent in two consecutive packets

No security nor privacy of data

Connections (devices are coupled, i.e., associated – a state is needed) To send data in both directions or when there are more than two

payloads to send, encryption is used

Periodical exchange of data between peers

Signalling procedure is used for setting up connections

Broadcaster

observer

observer observer

Central device

peripheral device

peripheral device

peripheral device

connectionless

connection oriented

phone, tablet, ...

Protocol stack (single-mode device*)

Generic Access Profile (GAP)

Generic Attribute Profile (GATT)

Security Manager Protocol (SMP)

Attribute Profile (ATT)

Logical Link Control and Adaptation Protocol (L2CAP)

Link Layer (LL)

Low Energy Physical Layer (PHY)

Application (App) Application

Host

Controller

Host Controller Interface (HCI)

BLE device

* In a dual-mode device, protocol stacks for BLE and classical Bluetooth are present. We do not consider classical Bluetooth here.

Hardware configurations (physical architectures)

Application

Host

Controller

System on chip (SoC)

Application

Host

Controller

Dual IC over HCI

Main CPU

HCI over USB/UART*

Application

Host

Controller

Dual IC (Connectivity device)

Main CPU

Proprietary protocol

Three generic configuration of the HW • Simple sensors opt for SoC for low complexity reasons • Smartphones/tablets opt for Dual IC over HCI • Dual IC with Connectivity device is for special scenarios

*) Universal Asynchronous Receiver/Transmitter

Physical layer

Contains analog communications circurity

Radio uses the 2.4GHz ISM (Industrial, Scientific, and Medical) band

40 channels on ~2MHz spacing, 1MBit GFSK (wider range than Bluetooth BR)

Channel layout is shown in the drawing; out of the 40 channels 37 channels are for connection data

three advertising channels to setup connections and broadcast data

Frequency hopping spread spectrum used on each connection event

Link Layer (LL)

Link Layer (LL) - general

Directly interfaces with PHY , isolates higher layers from PHY Isolated itself from the rest of the layers by HCI (Host Control Interface)

Carries main computational tasks (typically implemented in HW) Preamble generation, access address handling, air protocol framing

CRC generation and computation

Random number generation , encryption (imposed by higher layers)

Defines the following roles Advertiser (sends advertising packets)

Scanner (listens for advertising packets)

Slave (accepts a connection request and follows master’s timing)

Master (initiates a connection and manages it)

Logical tasks (typically software) advertising, scanning

establishing/tearing down connections, changing connection parameters

handling white lists

no connection

connection

SMP ATT SMP ATT

L2CAP L2CAP LL / LL connection

LL connection between devices L2CAP flow between upper protocol entities

HCI (Host Control

Interface)

Link Layer – Bluetooth device address

Bluetooth device address – fundamental identifier of Bluetooth appliance

like Ethernet MAC address

Two types of address Public device address – factory-programmend address, set

according to IEEE registration procedure

Random device address – either pre-programmed or dynamically generated

e.g., when a device manufacturer wants to avoid IEEE registration

if dynamic, set by the GAP layer

Link Layer - advertising mode

• Peripherals (broadcasters) advertise their presence or request connections (broadcast data) to the master (observers). • potential receivers do periodical scanning

• Devices can have a variety of reasons to advertise:

• broadcast promiscuously • transmit signed data to a previously connected device • advertise their presence to a device wanting to connect • reconnect asynchronously due to a local event

• Two modes of scanning operation

• passive scanning (listen for advertisements, never feedbacks to the advertiser)

• Active scanning – the scanner sends Scan request packet in response to advertising packet and the advertiser responds with Scan response packet (only ONCE)

See the example on the next page

Link Layer - advertising mode - example

Example: peripheral advertising packets sniffed(here: passive)

Example sequence

passive active passive

ADV_IND ADV_IND SCAN_RSP ADV_IND

SCAN_REQ

channel 37 channel 38 channel 39

Peripheral peripheral

central

Link Layer - advertising packet (example)

full list of Advertising Data types: https://www.bluetooth.com/specifications/assigned-numbers/generic-access-profile

could also be ADV_DIRECT_IND to indicate Directed connectable mode

Link Layer – connection setup and data exchange

Connection needed for information exchanges longer that two packets or for bidirectional data exchange

always takes place between a specific pair of devices (a „pipe”)

typically the slave announces the need for a connection (by sending specific advertisements)

Actual establishement initiated by the Master (CONNECT_REQ packet)

Device address is used only during connection establishement

within a connection, data packets are marked using unique conncetion identifier (set by the Master)

Features Exclusive – one for a peripheral; peripheral stops sending adverts after

establishing a connection (becomes invisible to other centrals)

A series of bi-directional data exchange (Master-> Slave + Slave->Master)

A bunch of exchanges is called Connection event, one per Connection Interval (see next slide)

both determined by Master per connection, can be changed by Master during conn. lifetime

Reliable

error detection via CRC, repetition until confirmation based on a stop-and wait acknowledgement mechanism

Encrypted

Link Layer – connection setup and data exchange - example

Example: CONNECT_REQ packet sniffed

duration of Connection Interval [ms] (min. time between two subsequent connections)

max time between consecutive packets to consider a connection to be broken

Empty message (invite to send data)

User data message (27 byte payload)

could also be ADV_DIRECT_IND (Directed connectable mode)

e.g., advertises undirected connectable mode

etc. Used as Ack, invite next data if positive ack

Connection Interval

ADV_IND slave

master master CONN_REQ

channel 37 data channel

Logical Link Control and Adaptation Protocol (L2CAP)

Main functionality Multiplexing protocols from upper layers (as for now, ATT and SMP)

No segmentation/reassembly needed (higher layers take care of L2CAP max payload size, e.g. see ATT – queued writes)

Example: packet formats across BLE stack for ATT

L2CAP - general

SMP ATT SMP ATT

L2CAP L2CAP LL connection

LL connection between devices L2CAP flow between upper protocol entities

LL

L2CAP

ATT

L2CAP - more

Routes (multiplexes) two protocols Attribute Protocol , ATT(the basis for data exchange of BLE

applications)

Security Manager Protocol , SMP (provides framework to generate and distribute security keys between peers)

Muxing achieved using a 2-byte channel ID (CID) in L2CAP packets

Since version 4.1 of Bluetooth specification Can create its own user-defined channels for high-throughput data

transfer (new format, additional signalling procedures for flow control - we do not expand on it here)

23 = 27-4

Attribute Protocol (ATT)

ATT – intro ATT vs GATT

Generic Attribute Profile

(GATT)

Attribute Profile (ATT)

Logical Link Control and Adaptation Protocol (L2CAP)

Application

Generic Attribute Profile

(GATT)

Attribute Profile (ATT)

Logical Link Control and Adaptation Protocol (L2CAP)

Application

Structured data at the app level, structure interpreted retrieved using GATT

APP: select peers based on services

discovered, exchange service-

related data

Intro GATT/APPL see structures

ATT sees ordered attributes

GATT – defines strustures and translates them into attributes ATT – find and send elementary data pieces

APPL: provide the service, decide what/when to send, send (talk) using structured data

Attribute Protocol (ATT) – intro, ATT vs GATT

Generic Attribute Profile (GATT) framework that uses the ATT for the discovery of services, read, write, push data grouped as hierarchy of

primary and secondary services, and their characteristics

the exchange of characteristics from one device to another.

A characteristic is a set of data which includes a value and properties. At the ATT level, they all are stored in attributes.

ATT vs GATT while GATT/Applications „see” structured information, for example:

a server runs a ‘temperature sensor’ service that

provides a ‘temperature’ characteristic that uses

an attribute for describing the sensor (i.e., the device)

attribute for storing a value of temperature measurement

yet another attribute for specifying the measurement units

etc.

etc.

ATT defines a flat set of elementary attributes and mechanisms to access them.

Structured data

ATT - overview

ATT perspective: services and characteristics together with their values and properties are all available as attributes

e.g., GATT combines attributes into structures in the form of services, characteristics, values (descriptors), etc.

ATT operates on a flat set of attributes (for accessing them over L2CAP, using right L2CAP connections)

Attribute - elementary data structure piece of information managed by the GATT, structured as:

universally unique identifier (UUID) – globally unique („worldwide”)

specifies the type and nature of data contained in the value

Length: 128 bit for customised, and 16 bit for Bluetooth SIG defined ones

16 bit handle, unique to a given device for a given UUID (attr. instance id)

value represents named information

attribute values can be referenced by either UUID or by handle, depending on the application

ATT offers a simple client-server stateless protocol Based on attributes presented by a device

Client (central) can access server (peripheral) for attributes

Works on top of a dedicated L2CAP channel

ATT – overview cntd

Mode of operation any device can be a client, server or both (regardless of

their Master/Slave roles)

e.g., slave sends server initialted handle indication or notification

the client or server role of a device is determined by the GATT (app)

multiple types of operations are allowed (e.g., read , write)

strict in sequencing

no request can be sent until the response is received and processed

ATT – operations

Set of categories, several operations in each category Each peration has its parameters

Most of them are of type request/response (transactional)

Categories/operations

Error handling Error response

Server configuration Exchange MTU Request/Response

Find information Find information Request/Response

Find by Type/Value (returns handle range for UUID and value)

Read operations Read by type Request/Response (by UUID)

Read Request/Response (by handle)

Read blob Request/Response (read a part of a value by handle)

Read multiple Request/Response

Read by group type Request/Response

ATT – operations cntd

Write operations Write Request/Response

Write command (without response)

Signed write command (like write command, but using a signature)

Queued writes Prepare write Request/Response

Execute write Request/Response

Server initiated (asynchronous push operations to the client initiated by the server)

Handle value indication/confirmation (by handle, expects confirmation)

Handle value notification (as above, no confirmation required)

Generic ATTribute Profile (GATT) services & characteristics

GATT – data structures

GATT provides a framework for handling data structured in a hierarchy

GATT data hierarchy - view of services

GATT server

Service 1 Characteristic 1

Value

Descriptor (optional) ...

Characteristic 2

...

Characteristic 3 Service 2

...

...

...

GATT example: service level

Handle UUID Description

0x0100 0x2800 Service A definition

... ... Service details

0x0150 0x2800 Service B definition

... ... Service details

0x0300 0x2800 Service C definition

... ... Service details

into the service description ...

GATT – data structures (2)

Handle UUID Description Value

0x0100 0x2800 Thermometer service definition UUID 0x1816

0x0101 0x2803 Characteristic: temperature UUID 0x2A2B Value handle: 0x0102

0x0102 0x2A2B Temperature value 20

0x0104 0x2A1F Descriptor: unit Celsius

0x0110 0x2803 Characteristic: date/time UUID 0x2A08 Value handle: 0x0111

0x0111 0x2A08 Date/Time 1/1/1980 12:00

GATT example – single service description two characteristics, one with a descriptor

all are attributes in ATT, and

GATT decomposes this structure into

attributes and retrieves them one by one using ATT

GATT – service example (HRT case)

Heart rate monitor (HRT) – order of accessing data by the client (idea)

GATT server

1

2

3 4

GATT client

1 2

3

4

For a service: Read list of

characteristics

Read list of

services

Read characteristic

Read characteristic

K. Townsend et al. „Getting started with Bluetooth Low Energy”, O’REILLY, 2014.

Generic Access Profile (GAP) advertising & connections

Generic Access Profile (GAP) - scope

Framework that all devices must follow to: broadcast data

discover each other and their services

establish secure connections

negotiate security levels

Generic Access Profile (GAP)

Security Manager (SM)

Logical Link Control and Adaptation Protocol (L2CAP)

Application

Generic Access Profile (GAP)

Security Manager (SM)

Logical Link Control and Adaptation Protocol (L2CAP)

Application

control of discovery establishment of

connections

Link Layer Link Layer

ADVERTISEMENT SCAN

CONNECT convey GAP information

GAP - scope

Framework that all devices must follow to: broadcast data

discover each other and their services

establish secure connections

negotiate security levels

Distinguishes Roles

to be adopted by a device to join a network

Modes (within a role)

state of the device in which defined procedures can be performed

mode results from the role adopted by the device (application)

Procedures and data formats

sequences of actions that enable devices to perform their tasks

Procedure results from the mode (and role), and possibly events occuring

format of Advertising Data carried in ADVERTISING and SCAN_RESPONSE packets.

Different types of information can be announced in AD

e.g., list of GATT services for discovery or Service Data to avoid setting up connections can be included in Advertising Data

GAP – roles, modes, procedures

Roles Broadcaster - undertakes LL (link-layer) advertiser role

Observer - undertakes LL scanner role

Central - corresponding to LL master (initiates a connection)

Peripheral - corresponding to LL (link-layer) slave (accepts the connection)

Note: GAP roles typically stay constant thoughout the lifetime of a device (in GAPP, each device can perform as GAPP client or server, depending on the sender of the request).

Modes/procedures

Procedure Applicable role(s)

Applicable peer mode(s)

Observation Observer Broadcast

Limited discovery Central Limited discoverable

General discovery Central Limited and General discoverable

Name discovery Peripheral, central N/A

Connection establishment Central Connectable

Connection parameter update Peripheral, central N/A

Terminate connection Peripheral, central N/A

Thank you

Quiz questions

What is (are) the main difference(s) between classical Bluetooth and Bluetooth Low Energy (BLE, aka Bluetooth Smart)?

When the advertising mode of communication is sufficient and when connections are necessary?

What is the main role (domain) of GAT (Generic Access Profile)?

What is the main role (domain) of GATT (Generic Attribute Profile)?

What is the role of ATT (Attribute protocol) wrt GATT?

Can a Central be GATT server, GATT client, or both?