Bluetooth Low Energy: a brief overview

Alessandro Pagiaro

Introducted in 4.0, BLE becames pervasive on smartphone since its simplicity and power usage.
Bluetooth devices can be diveded into 3 categories according their Bluetooth version:

Protocol Basics: introduction

Bottom-up
Protocol Basics: introduction

BLE in the device can be seen as 3 components:


  • Application: Logic, UI, Data Handling
  • Host: "Bluetooth things" (GAP, GATT, L2CAP, ATT, SM, HCI)
  • Controller: HCI, LL, PHY

A BLE device can be

  • a master, initializer
  • a slave, advertise ability and accept connection
  • or both

Connections

A master can connect to multiple slaves.
A slave can be connected to multiple masters.

A master usually needs more resource to perform connection.
PHY

This layer is a PHYsical layer.

  • It menages analog communication circuitry
  • It transforms analog signal to digital one

Radio

The frequency used is the 2.4GHz, divided into 40 channels from 2.4000 GHz to 2.4835 GHz.

37 Channels are used for data, 3 for advertising.

Frequency hopping spread spectrum is used to minimize interference 

(channel = (curr_channel + hop) mod 37)
LL

Link Layer

Link Layer defines the following roles:
  • Advertiser (not active connection)
  • Scanner (not active connection)
  • Master (active connection)
  • Slave (active connection)


It provides a reliable data link using a 24-bit CRC and retrasmits packets if errors are detected.

BLE DEVICE ADDRESS
Is a 48 bit number that uniquely identify a device.

There are two types of device addresses:
  • Public device address (fixed, BR/EDR-style)
  • Random device address (programmed or dinamically generated)
    • Static Address (static but not registered to IEEE)
    • Non-resolvable private address
    • Resolvable private address

Advertising & Scanning

BLE has only one packet format and two types of packets: advertising and data packets.

Each advertising packet can carry up 31 bytes of payload. They are sent at fixed rate, defined by advertising interval.

Scanning can be passive or active. The difference is on the replay that scanner emit after receiving a advertising packet.

Advertising packet types can be:

  • Connectable / non-connectable
  • Scannable / non-scannable
  • Direct / Undirect

Connections


Each connection has 3 proprieties:
  • Connection interval (from 7.5ms up to 4s)
  • Slave latency
  • Connection supervision timeout
HCI

Host Controller Interface

Is a standard protocol that allows for the communication between a host and a controller to take place across a serial interface.
L2CAP

Logical Link Control and Adaptation Protocol

Provides two functionalities
  • implements a protocol multiplexer that permits to communicate from the upper layers and encapsulates the packets into standard BLE packet format
  • performs fragmentation and recombination, breaks packet up into chunks that fit into 27-byte maximum payload

It has two main protocol:

  • ATT (Attribute protocol)
  • SMP (Security Manager protocol)

ATT

Attribute protocol

Is a stateless client/server protocol based on attributes presented by a device.

Each server contains data organized as "attributes", each of which is assigned a 16-bit attribute handle, a UUID, a set of permissions and a value.
ATT operations:
  • Error handling
  • Server Configuration
  • Find Information
  • Read Operation
    • Read by type Request/Response (UUID)
    • Read Request/Response (handle)
  • Write operation
    • Write a value and get response
    • Write command
    • Signed Write Command
  • Queued Write (multiple packet write)
  • Server initialization
SM

Security Manager

It is used to

  • Exchange keys
  • Encrypt connection
  • Hide a public BLE


It defines two roles

  • Initiator (master)
  • Responder (slave)

SM protocol supports threee procedures:
  • Pairing (temporary keys)
  • Bonding (permanent keys)
  • Encryption re-establishment

Pairing Algorithm

  • Negotiate a Short Term Key (STK) generation method:
    • Just Works!
    • Passkey Display
    • Out of band (OOB)
  • The connection can use various machanism
    • Encryption (full encryption)
    • Privacy (use a temporary address recognized only by bounded device)
    • Signing (enencrypted but signed packet)
GATT

Generic Attribute Profile

It is build on the ATT and adds a hierarchy and data abstraction model on top of ATT. It is a backbone of BLE data trasfer.
Data are encapsulated in services, with one or more characteristics.
Each service and characteristic is identify by a UUID. A UUID (Universally Unique ID) is a unique 128-bit number used to identify the services. Some UUID are defined in the Bluetooth Specs and are smaller (16 or 32 bits).

The smallest data entity are the attributes. Attribute is an abstract concept for storing data.
Each attribute has some metadata that specific which ATT operation can be executed with some permissions.

The permissions defined are:
  • Access Permission (None | R | W | R&W)
  • Encryption (None | Unauthenticated | Authenticated)
  • Authorization (No Auth | Auth required)

Each attribute has an handle associated with it, used to identify the attribute on a particular GATT server.

The maximum length of data is 512 bytes, by the specification. No restriction exists on data types.

Attributes in a GATT server are grouped into services, each of which can contains zero or more characteristics.
Characteristic is a data container, with declaration and value.

Real World Screenshot

This screenshot refers to my MiBand 2, data are read using bleah on Raspberry Pi 3
Referencies:

  • Wikipedia - https://en.wikipedia.org/wiki/Bluetooth_Low_Energy
  • Getting Started with BLE - OReilly - http://shop.oreilly.com/product/0636920033011.do
  • Bluetooth SIG - https://www.bluetooth.com


Slides avaiable on https://apagiaro.it/BLE-slides