Bluetooth Low Energy (BLE)
Dariusz Bursztynowski – Warsaw University of Technology


Reminder

[Figure labels: 802.15.4, 802.15.5, 6LoWPAN, CoAP/MQTT, (physical & link layers), 802.15.1, ANT, BLE, WirelessHART, ZigBee, …]


Why BLE?

• Need for connectivity of mobile devices with the outside world
• What is the "outside world"?
  • small, task-specific, innovative products that are still to come
  • low-cost, low bandwidth, extremely low power, low complexity
• Idea – a framework to exchange data, so the focus is on a set of relatively low-level APIs
  • to give developers freedom to use BLE the way they want and
  • hide technological complexity (in contrast to Bluetooth, which is oriented towards applications)
• No barriers for adoption
  • easy-to-understand data model
  • no licensing
  • no fees for accessing the specs


Bluetooth vs BLE - a quick comparison

• Traditional Bluetooth
  • connection-oriented (device "connected" means that a link is maintained all the time, even if there is no data to be sent)
  • streaming support provided
  • power reduction is possible due to sniff modes (devices can go to sleep)
  • months of battery lifetime
  • although the power is lower than for other radio standards, it is still too much for coin cells and very energy-efficient applications
• BLE – from Bluetooth 4.0 spec.
  • data transfer, no support for real streaming (rate limit ~125kbit/s)
  • a new radio, new protocol stack, new profile (i.e., application) architecture
  • designed to run from coin cells and support an Apps Store mode
  • range 150 meters LOS, but in reality it is closer to a couple of meters
  • radio standard for a new decade, enabling the Internet of Things
• Note: since specification 4.1, L2CAP can create high throughput data channels


BLE – key facts

• Data throughput on a single channel ~125kbit/s in theory, less in practice
  • designed for sending small chunks of data (exposing state)
  • not optimised for file transfer
  • does not support streaming
• Since Bluetooth 4.1, high-throughput user data channels at L2CAP
• Operating range even 150 meters LOS, but in reality it is closer to just several meters
• Network topologies allowed, type of communication
  • broadcasting & observing
  • connections (devices are coupled, i.e., associated – a state is needed)

[Figure: two topologies – a Broadcaster with three observers; a Central device with three peripheral devices]


BLE – key factsheet

• Range: below 150m (typically much less)
• Output Power: ~ 10mW (10dBm)
• Max Current: ~ 15mA
• Latency: 3 ms
• Topology: Star
• Connections: > 2 billion
• Modulation: GFSK @ 2.4 GHz
• Robustness: Adaptive Frequency Hopping, 24 bit CRC
• Security: 128bit AES CCM
• Sleep current ~ 1 μA
• Modes: Broadcast, Connection, Event Data Models Reads, Writes


Network topologies

• Broadcasting & observing
  • Broadcaster: sends advertising packets to any observer willing to receive them
  • Observer: scans the preset frequencies to receive advertising packets
  • Broadcast packet contains: broadcaster capabilities + custom information (data); a larger payload can be sent in two consecutive packets
  • No security nor privacy of data
• Connections (devices are coupled, i.e., associated – a state is needed)
  • To send data in both directions or when there are more than two payloads to send, encryption used
  • Periodical exchange of data between peers, so it is private
  • Signalling procedure is used for setting up connections

[Figure: two topologies – a Broadcaster with three observers; a Central device with three peripheral devices]


Protocol stack (single-mode device*)

[Figure: layers of a BLE device, top to bottom
  • Application (App)
  • Host: Generic Access Profile (GAP), Generic Attribute Profile (GATT), Security Manager Protocol (GAP), Attribute Profile (ATT), Logical Link Control and Adaptation Protocol (L2CAP)
  • Host Controller Interface (HCI)
  • Controller: Link Layer (LL), Low Energy Physical Layer (PHY)]

* In a dual-mode device, protocol stacks for BLE and classical Bluetooth are present. We do not consider classical Bluetooth here.


Hardware configurations (physical architectures)

[Figure: three hardware configurations
  • System on chip (SoC): Application, Host and Controller on one chip
  • Dual IC over HCI: Application and Host on the Main CPU, Controller on a separate chip, linked by HCI over USB/UART*
  • Dual IC (Connectivity device): Application on the Main CPU, Host and Controller on the connectivity device, linked by a proprietary protocol]

Three generic configurations of the HW
• Simple sensors opt for SoC for low complexity reasons
• Smartphones/tablets opt for Dual IC over HCI
• Dual IC with Connectivity device is for special scenarios

*) Universal Asynchronous Receiver/Transmitter


Physical layer

• Contains analog communications circuitry
• Radio uses the 2.4GHz ISM (Industrial, Scientific, and Medical) band
• 40 channels on ~2MHz spacing, 1MBit GFSK (larger range than Bluetooth BR)
• Channel layout is shown in the drawing; out of the 40 channels
  • 37 channels are for connection data and
  • three channels are advertising channels to set up connections and broadcast data
• Frequency hopping spread spectrum used on each connection event


Link Layer (LL)


Link Layer (LL) - general

• Directly interfaces with PHY, isolates higher layers from PHY
  • Isolates itself from the rest of the layers by HCI (Host Control Interface)
• Carries main computational tasks (typically implemented in HW)
  • Preamble generation, access address handling, air protocol framing
  • CRC generation and computation
  • Random number generation, encryption (imposed by higher layers)
• Defines the following roles
  • Advertiser (sends advertising packets)
  • Scanner (listens for advertising packets)
  • Master (initiates a connection and manages it)
  • Slave (accepts a connection request and follows master's timing)
• Logical tasks (typically software)
  • advertising, scanning
  • establishing/tearing down connections, changing connection parameters
  • handling white lists

[Figure labels: no connection; connection; SMP, ATT and L2CAP on each device; LL connection between devices; L2CAP flow between upper protocol entities; HCI (Host Control Interface)]


Link Layer – Bluetooth device address

• Bluetooth device address – fundamental identifier of a Bluetooth appliance (like an Ethernet MAC address)
• Two types of address
  • Public device address – factory-programmed address, set according to the IEEE registration procedure
  • Random device address – either pre-programmed or dynamically generated
    • e.g., when a device manufacturer wants to avoid IEEE registration
    • if dynamic, set by the GAP layer


Link Layer - advertising mode

• Peripherals (broadcasters) advertise their presence or request connections (broadcast data) to the master (observers).
  • potential receivers do periodical scanning
• A device can have a variety of reasons to advertise:
  • broadcast promiscuously
  • transmit signed data to a previously connected device
  • advertise its presence to a device wanting to connect
  • reconnect asynchronously due to a local event
• Two modes of scanning operation
  • Passive scanning – the scanner listens for advertisements and never sends feedback to the advertiser
  • Active scanning – the scanner sends a Scan request packet in response to an advertising packet and the advertiser responds with a Scan response packet (only ONCE)

See the example on the next page


Link Layer - advertising mode - example

[Figure: peripheral advertising packets sniffed (here: passive)]

[Figure: example sequence – passive, active, passive]


Link Layer - advertising packet (example)
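An added example, not part of the original slides: a decoder for one legacy (Bluetooth 4.x) advertising PDU, showing that the advertiser address, its type and every data record are readable by any passive observer, which is the "no security nor privacy of data" point made for broadcasting. The PDU type values, the 6-bit length field, the AD type codes and the random-address sub-types come from the Bluetooth Core Specification rather than from the slides, and the sample packet is constructed.

```python
# Legacy (Bluetooth 4.x) advertising-channel PDU types (Core Specification values).
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
             3: "SCAN_REQ", 4: "SCAN_RSP", 5: "CONNECT_REQ", 6: "ADV_SCAN_IND"}
CARRIES_ADV_DATA = {"ADV_IND", "ADV_NONCONN_IND", "ADV_SCAN_IND", "SCAN_RSP"}
AD_TYPES = {0x01: "Flags", 0x03: "Complete 16-bit Service UUIDs",
            0x08: "Shortened Local Name", 0x09: "Complete Local Name",
            0x0A: "TX Power Level", 0xFF: "Manufacturer Specific Data"}
# The two most significant bits of a random address select its sub-type.
RANDOM_KINDS = {0b11: "random static", 0b01: "random resolvable private",
                0b00: "random non-resolvable private"}


def address_kind(addr_on_air: bytes, tx_add: int) -> str:
    """Classify the advertiser address; addr_on_air is least significant byte first."""
    if tx_add == 0:
        return "public"
    return RANDOM_KINDS.get(addr_on_air[5] >> 6, "random (reserved sub-type)")


def parse_ad_structures(adv_data: bytes):
    """Walk the length/type/value records that make up AdvData."""
    records, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]          # counts the type byte plus the value
        if length == 0:               # zero length marks the start of padding
            break
        if i + 1 + length > len(adv_data):
            raise ValueError("AD structure runs past the end of AdvData")
        ad_type = adv_data[i + 1]
        records.append((AD_TYPES.get(ad_type, f"0x{ad_type:02X}"),
                        adv_data[i + 2:i + 1 + length]))
        i += 1 + length
    return records


def parse_adv_pdu(pdu: bytes) -> dict:
    """Decode the header, advertiser address and AD structures of one PDU."""
    if len(pdu) < 2:
        raise ValueError("truncated PDU header")
    pdu_type, tx_add = pdu[0] & 0x0F, (pdu[0] >> 6) & 1
    payload = pdu[2:]
    if (pdu[1] & 0x3F) != len(payload):   # 6-bit length field in 4.x
        raise ValueError("header length does not match payload size")
    out = {"type": PDU_TYPES.get(pdu_type, "reserved")}
    if out["type"] in CARRIES_ADV_DATA:
        if len(payload) < 6:
            raise ValueError("payload too short for the advertiser address")
        out["address"] = ":".join(f"{b:02X}" for b in reversed(payload[:6]))
        out["address_kind"] = address_kind(payload[:6], tx_add)
        out["ad"] = parse_ad_structures(payload[6:])
    return out


# Constructed sample (not a capture): ADV_IND with TxAdd=1, flags, the local
# name "Sensor" and the Heart Rate service UUID 0x180D.
SAMPLE = bytes.fromhex("4015" "5544332211C4" "020106"
                       "070953656E736F72" "03030D18")

if __name__ == "__main__":
    print(parse_adv_pdu(SAMPLE))
```
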


Link Layer – connection setup and data exchange

• Connection needed for information exchanges longer than two packets or for bidirectional data exchange
  • always takes place between a specific pair of devices (a "pipe")
  • typically the slave announces the need for a connection (by sending specific advertisements)
  • Actual establishment initiated by the Master (CONNECT_REQ packet)
• Device address is used only during connection establishment
  • within a connection, data packets are marked using a unique connection identifier (set by the Master)
• Features
  • Exclusive – one for a peripheral; the peripheral stops sending adverts after establishing a connection (becomes invisible to other centrals)
  • A series of bi-directional data exchanges (Master->Slave + Slave->Master)
    • A bunch of exchanges is called a Connection event, one per Connection Interval (see next slide)
    • both determined by Master per connection, can be changed by Master during conn. lifetime
  • Reliable
    • error detection via CRC, repetition until confirmation based on a stop-and-wait acknowledgement mechanism
  • Encrypted


Link Layer – connection setup and data exchange - example

[Figure: sniffed CONNECT_REQ packet and the data exchange that follows. Annotations:
  • Example: CONNECT_REQ packet sniffed
  • duration of Connection Interval [ms]
  • max time between consecutive packets to consider the connection to be broken
  • Empty message (invite to send data)
  • User data message (27 byte payload)
  • Undirected connectable mode; could also be ADV_DIRECT_IND (Directed connectable mode)
  • Used as ack, invite next data if positive ack
  • Connection Interval]


Logical Link Control and Adaptation Protocol (L2CAP)


L2CAP - general

• Main functionality
  • Multiplexing protocols from upper layers (as for now, ATT and SMP)
  • No segmentation/reassembly needed (higher layers take care of their payload size, e.g. see ATT – queued writes)
• Example: packet formats across BLE stack for ATT

[Figure labels: SMP, ATT and L2CAP on each device; LL connection between devices; L2CAP flow between upper protocol entities]

[Figure: packet formats at the LL, L2CAP and ATT layers]


L2CAP - more

• Routes (multiplexes) two protocols
  • Attribute Protocol, ATT (the basis for data exchange of BLE applications)
  • Security Manager Protocol, SMP (provides a framework to generate and distribute security keys between peers)
  • Muxing achieved using a 2-byte channel ID (CID) in L2CAP packets
• Since version 4.1 of Bluetooth specification
  • Can create its own user-defined channels for high-throughput data transfer (new format, additional signalling procedures for flow control - we do not expand on it here)

[Figure annotation: 23 = 27-4]


Attribute Protocol (ATT)


ATT – intro, ATT vs GATT

• Intro
  • GATT/APPLs see structures
  • ATT sees ordered attributes

[Figure: two peer stacks, each with Application, Generic Attribute Profile (GATT), Attribute Profile (ATT), Logical Link Control and Adaptation Protocol (L2CAP). Annotations:
  • Structured data at the appl level
  • APPS: discover services, exchange service-related data
  • APPL: provide the service, decide what/when, talk using structured data
  • GATT – translate structures into attributes
  • ATT – find and send elementary data pieces]


Attribute Protocol (ATT) – intro, ATT vs GATT

• Generic Attribute Profile (GATT): a framework that uses the ATT for
  • the discovery of services, and
  • the exchange of characteristics from one device to another.
• A characteristic is a set of data which includes a value and properties. At the ATT level, they all are stored in attributes.
• ATT vs GATT
  • GATT/Applications see structured information, for example:
    • a server runs a 'temperature sensor' service that
    • provides a 'temperature' characteristic that uses
      • an attribute for describing the sensor (i.e., the device)
      • an attribute for storing a value of temperature measurement
      • yet another attribute for specifying the measurement units

[Figure label: Structured data]


ATT - overview

• ATT perspective: services and characteristics together with their values are available as attributes
  • e.g., GATT gives structure to attributes in the form of services, characteristics, values (descriptors), etc.
  • ATT operates on attributes
• Simple client-server stateless protocol
  • Based on attributes presented by a device
  • Client (central) can access server (peripheral) for attributes
  • Works on top of a dedicated L2CAP channel
• Attribute - elementary data structure
  • stores the information managed by the GATT
  • universally unique identifier (UUID) – global, "worldwide"
    • specifies the type and nature of data contained in the value
    • Length: 128 bit for customised, and 16 bit for Bluetooth SIG defined ones
  • 16 bit handle, unique to a given device for a given UUID (attr. instance id)
  • value represents named information
  • attribute values can be accessed by either UUID or by handle, depending on the application


ATT – overview cntd

• Mode of operation
  • any device can be a client, server or both (regardless of their Master/Slave roles)
  • the client or server role of a device is determined by the GATT (appl)
  • multiple types of operations are allowed (e.g., read, write)
  • strict in sequencing
    • no request can be sent until the response is received and processed


ATT – operations

• Set of categories, several operations in each category
  • Each operation has its parameters
  • Most of them are of type request/response (transactional)

Categories/operations

• Error handling
  • Error response
• Server configuration
  • Exchange MTU Request/Response
• Find information
  • Find information Request/Response
  • Find by Type/Value (returns handle range for UUID and value)
• Read operations
  • Read by type Request/Response (by UUID)
  • Read Request/Response (by handle)
  • Read blob Request/Response (read a part of a value by handle)
  • Read multiple Request/Response
  • Read by group type Request/Response


ATT – operations cntd

• Write operations
  • Write Request/Response
  • Write command (without response)
  • Signed write command (like write command, but using a signature)
• Queued writes
  • Prepare write Request/Response
  • Execute write Request/Response
• Server initiated (asynchronous push operations to the client initiated by the server)
  • Handle value indication/confirmation (by handle, expects confirmation)
  • Handle value notification (as above, no confirmation required)
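An added example, not part of the original slides, covering both the L2CAP multiplexing by 2-byte CID (with the "23 = 27-4" size limit) and the ATT operation categories listed above: it splits an L2CAP frame, routes it by CID, decodes the ATT opcode, and checks a sequence of opcodes against the "no request until the response is received" rule. The CID values, ATT opcode numbers, the meaning of opcode bits 6 and 7 and the 12-byte signature length come from the Bluetooth Core Specification rather than from the slides; the code assumes the default ATT_MTU of 23 (no MTU exchange) and the sample frames are constructed.

```python
import struct

# Fixed L2CAP channel IDs on an LE link (Bluetooth Core Specification values).
CID_ATT = 0x0004
CID_NAMES = {CID_ATT: "ATT", 0x0005: "LE signalling", 0x0006: "SMP"}
ATT_MTU_DEFAULT = 23  # the slide's "23 = 27-4": LL payload minus L2CAP header
SIGNATURE_LEN = 12    # signature appended to a Signed Write Command

ATT_OPCODES = {
    0x01: "Error Response", 0x1E: "Handle Value Confirmation",
    0x02: "Exchange MTU Request", 0x03: "Exchange MTU Response",
    0x04: "Find Information Request", 0x05: "Find Information Response",
    0x06: "Find By Type Value Request", 0x07: "Find By Type Value Response",
    0x08: "Read By Type Request", 0x09: "Read By Type Response",
    0x0A: "Read Request", 0x0B: "Read Response",
    0x0C: "Read Blob Request", 0x0D: "Read Blob Response",
    0x0E: "Read Multiple Request", 0x0F: "Read Multiple Response",
    0x10: "Read By Group Type Request", 0x11: "Read By Group Type Response",
    0x12: "Write Request", 0x13: "Write Response",
    0x16: "Prepare Write Request", 0x17: "Prepare Write Response",
    0x18: "Execute Write Request", 0x19: "Execute Write Response",
    0x1B: "Handle Value Notification", 0x1D: "Handle Value Indication",
    0x52: "Write Command", 0xD2: "Signed Write Command",
}
REQUESTS = {op for op, name in ATT_OPCODES.items() if name.endswith("Request")}
HANDLE_VALUE_OPS = {0x12, 0x52, 0xD2, 0x1B, 0x1D}  # opcode, 2-byte handle, value

def decode_frame(frame: bytes):
    """Split an L2CAP frame, route it by CID and decode an ATT PDU if present."""
    if len(frame) < 4:
        raise ValueError("truncated L2CAP header")
    length, cid = struct.unpack_from("<HH", frame)  # both fields little-endian
    pdu = frame[4:]
    if length != len(pdu):
        raise ValueError("L2CAP length field does not match payload size")
    if cid != CID_ATT:
        return CID_NAMES.get(cid, f"CID 0x{cid:04X}"), {"raw": pdu}
    if not pdu or len(pdu) > ATT_MTU_DEFAULT:
        raise ValueError("ATT PDU empty or larger than the default ATT_MTU")
    op = pdu[0]
    info = {"name": ATT_OPCODES.get(op, f"unknown 0x{op:02X}"),
            "command": bool(op & 0x40),  # bit 6: no response will follow
            "signed": bool(op & 0x80)}   # bit 7: signature appended
    if op in HANDLE_VALUE_OPS:
        tail = SIGNATURE_LEN if info["signed"] else 0
        if len(pdu) < 3 + tail:
            raise ValueError("ATT PDU too short for handle and signature")
        info["handle"] = struct.unpack_from("<H", pdu, 1)[0]
        info["value"] = pdu[3:len(pdu) - tail]
    return "ATT", info

def sequencing_violations(opcodes):
    """Indexes of requests sent while an earlier request is still unanswered."""
    pending, bad = None, []
    for i, op in enumerate(opcodes):
        if op in REQUESTS:
            if pending is not None:
                bad.append(i)
            pending = op
        elif pending is not None and op in (pending + 1, 0x01):
            pending = None  # matching response or Error Response closes it
    return bad

# Constructed sample frames (not captured traffic); handle 0x002A is arbitrary.
WRITE_REQ = bytes.fromhex("0500" "0400" "12" "2a00" "0100")
SMP_FRAME = bytes.fromhex("0100" "0600" "0b")
if __name__ == "__main__":
    print(decode_frame(WRITE_REQ), decode_frame(SMP_FRAME))
```
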


Generic Attribute Profile (GATT): services & characteristics


GATT – service example (HRT case)

• Heart rate monitor (HRT)

[Figure: GATT server and GATT client, each with items numbered 1 to 4; operations shown between them: Read multiple req/resp, Read, Read multiple, Read]


Generic Access Profile (GAP): advertising & connections


Generic Access Profile (GAP) - scope

• Framework all devices must follow to:
  • discover each other
  • broadcast data
  • establish secure connections
  • and perform many other operations …

[Figure: two peer stacks, each with Application, Generic Access Profile (GAP), Security Manager (SM), Logical Link Control and Adaptation Protocol (L2CAP). Annotation: DEVICES: learn about each other, establish connections]


GAP - scope

• Framework all devices must follow to:
  • discover each other
  • broadcast data
  • establish secure connections
  • and perform many other operations …
• Distinguishes
  • Roles
    • to be adopted by a device to join a network
  • Modes
    • state of the device in which defined procedures can be performed
    • mode results from the role adopted
  • Procedures
    • sequences of actions that enable devices to perform their tasks
    • Procedure results from the mode (and role), and possibly events


GAP – roles, modes, procedures

• Roles
  • Broadcaster - uses LL advertiser role
  • Observer - uses LL scanner role
  • Central - corresp. to LL (link-layer) master (initiates a connection)
  • Peripheral - corresp. to LL (link-layer) slave (accepts the connection)
  Note: GAP roles typically stay constant throughout the lifetime of a device (in GATT, each device can perform as GATT client and server, depending on the sender of the request)
• Modes/procedures

Procedure                      Applicable role(s)     Applicable peer mode(s)
Observation                    Observer               Broadcast
Limited discovery              Central                Limited discoverable
General discovery              Central                Limited and General discoverable
Name discovery                 Peripheral, central    N/A
Connection establishment       Central                Connectable
Connection parameter update    Peripheral, central    N/A
Terminate connection           Peripheral, central    N/A


Thank you


Quiz questions

• What is (are) the main difference(s) between classical Bluetooth and Bluetooth Low Energy (BLE, aka Bluetooth Smart)?
• When is the advertising mode of communication sufficient and when are connections necessary?
• What is the main role (domain) of GAP (Generic Access Profile)?
• What is the main role (domain) of GATT (Generic Attribute Profile)?
• What is the role of ATT (Attribute protocol) wrt GATT?
• Can a Central be GATT server, GATT client, or both?
• Security manager (SM) provides the ability to generate and exchange security keys to communicate over encrypted links. Question: which one of the topologies, broadcast or connected, is the one targeted by SM?