Dominique Chomienne & Michel Eftimakis
NewLogic
Bluetooth is a trademark owned by the Bluetooth SIG, and licensed to NewLogic
Page 1
Tutorial Agenda
• Bluetooth Marketing view
• Bluetooth network topology
• Bluetooth protocol
• RF
• Baseband
• LC, LM
• HCI
• L2CAP
• Higher layers
• Bluetooth implementation
• Bluetooth “live” demo !!!
Tutorial
Page 2
Marketing View
Marketing slides ahead
Tutorial
Page 3
The Last Ten Meters
Page 4
Systems
[Figure labels: Landline; Cable Replacement; Data/Voice Access Points; Personal Ad-hoc Networks]
Page 5
Target products
Intelligent Devices
• PCs
• Cellular Phones
• PDAs
Audio Peripherals
• Headsets
• Speakers
• Stereo Receiver
Data Peripherals
• Mice
• Keyboards
• Joysticks
• Cameras
• Digital Pens
• Printers
• LAN access points
Embedded Applications
• Cars: Power lock controls
• Grocery store updates
• Closed Systems
• Industrial systems
• MIDI musical instruments
Page 6
Usage Models
• Computer to Computer File Transfer
• Dialup Networking
• Synchronization
• 3 in 1 Phone
• Ultimate Headset
• Computer Speakerphone
• Cordless Computer
• Instant Postcard
• Hidden Computing
• Conference Table
• …
Page 7
Characteristics
• Unlicensed 2.4GHz radio band
• ISM (industrial, scientific, medical) band - Available worldwide
• Also used by Microwave ovens, 802.11, HomeRF…
• Gross data rate of 1 Mbit/s
• Basic 10m range extended to 100m with amplifiers
• TDMA - TDD - Frequency hopping
• Mixed voice / data paths
• Encryption
• Low power
• Low cost
• Extremely small
• Ubiquitous radio link
Page 8
Market Projections
[Chart: market projections, 2001E to 2006E]
                                                   2001E  2002E  2003E  2004E  2005E  2006E
Total Bluetooth Chipsets (in millions)             48,1   207,7  492,1  921,1  1477   2216
Average Price Per Chipset (in millions of $)       8,50   5,10   4,08   3,26   2,68   2,28
Bluetooth Chip Market Revenue (in millions of $)   409    1059   2008   3006   3953   5042
Source: Merrill Lynch
Page 9
Who is Bluetooth?
• Harald Blaatand “Bluetooth” II
• King of Denmark 940-981
• Son of Gorm the Old (King of Denmark) and Thyra Danebod (daughter of King Ethelred of England)
• This is one of two Runic stones erected in his capital city of Jelling (central Jutland)
• This is the front of the stone depicting the chivalry of Harald
• Harald controlled Denmark and Norway
• Harald thinks mobile PCs and cellular phones should seamlessly communicate
Page 10
Network Topology
Tutorial
Page 11
Piconet - 1
[Figure: a piconet of eight units, Unit A to Unit H]
Page 12
Piconet - 2
• A piconet is characterized by the master
• Frequency hopping scheme
• Access code
• Timing synchronization
• Master determines the bit rate allocated to each slave
• Slaves do not synchronize to the master
• Calculate offsets to master’s Bluetooth clock
• Monitor timing drift
Page 13
Piconet - 3
• Only one master
• Dynamically selected
• Roles can be switched
• Up to 7 active slaves
• Active piconet
• Up to 255 parked slaves
• Can be reactivated quickly
• No central network structure
• “Ad-hoc” network
Page 14
Scatternet - 1
[Figure: a scatternet of Piconet A, Piconet B and Piconet C, with Master A, Master B and Master C]
Page 15
Scatternet - 2
[Figure: a scatternet of Piconet A, Piconet B and Piconet C, with Master A, Master B and Master C]
Page 16
Scatternet - 3
• Interconnected piconets
• One master per piconet
• Few devices shared between piconets
• Master/Slave
• Slave/Slave
• Need special features
• No central network structure
• “Ad-hoc” network
Page 17
Scatternet applications
• Roaming between access points
[Figure: Network, two APs, Mobile]
• Data exchange across piconets
[Figure: two PCs, two mice, Printer, Keyboard, Headset]
Page 18
Protocol
Tutorial
Page 19
Generalities on protocol stack
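[Figure: the Bluetooth stack drawn beside the ISO OSI layers]
ISO OSI Layers: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data link, 1 Physical
Bluetooth stack (top to bottom): API; OBEX; RFCOMM, SDP, TCS; L2CAP; HCI; Link Manager; Link Controller; Baseband; Radio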
Page 20
Radio - 1
• Unlicensed 2.4GHz radio band
• ISM (industrial, scientific, medical) band
• Also used by Microwave ovens, 802.11, HomeRF…
• Fast frequency hopping
• 1600 (or 3200) hops/s
• 79 frequencies
• 1 MHz spacing
• 220 µs switching time
[Figure: 79 frequency channels, from 2402 to 2480 MHz]
Page 21
Radio - 2
• Basic 10m range (with 0 dBm radio)
• Extended 100m range (20 dBm)
• Power classes
• Class 1
• Maximum output power: 100 mW (20 dBm)
• Minimum output power: 1 mW (0 dBm)
• Class 2
• Maximum output power: 2.5 mW (4 dBm)
• Minimum output power: 0.25 mW (-6 dBm)
• Class 3
• Maximum output power: 1 mW (0 dBm)
• RSSI-based power control
Page 22
Baseband - 1
• TDMA – Time division multiple access
• TDD – Time division duplex
[Figure: Bluetooth frame. Master and slave send packets in alternating 625 µs slots on hop frequencies f(2k), f(2k+1), f(2k+2)]
Page 23
Baseband - 2
• Multi-slot Packets
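[Figure: 625 µs slots. Single-slot packets use f(k), f(k+1), f(k+2), f(k+3), f(k+4), f(k+5); a three-slot packet on f(k) is followed by f(k+3), f(k+4), f(k+5); a five-slot packet on f(k) is followed by f(k+5)]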
Page 24
Baseband - 3
[Figure: slot timeline for the Master and Slaves 1 to 3, with recurring SCO slots]
Page 25
Baseband - 4
• Packet format
Access code | Packet Hdr | Payload
• Packet types
• HV1, HV2, HV3 - Voice packets
• DV - Mixed voice/data
• DM1, DM3, DM5 - Protected data packets
• AUX1, DH1, DH3, DH5 - Unprotected data packets
• NULL, POLL, ID, FHS - Baseband control packets
Page 26
Baseband - 5
• Data rates
Packet  FEC  Symmetric        Asymmetric
type         max rate (kb/s)  max rate (kb/s)
DM1     2/3  108.8            108.8   108.8
DH1     no   172.8            172.8   172.8
DM3     2/3  258.1            387.2   54.4
DH3     no   390.4            585.6   86.4
DM5     2/3  286.7            477.8   36.3
DH5     no   433.9            723.2   57.6
AUX1    no   185.6            185.6   185.6
Page 27
Baseband - 6
• Data error protection
data redundancy
• FEC (Forward Error Correction)
• 1/3 FEC - Repeat each bit 3 times
• 2/3 FEC - (15,10) shortened Hamming code
• ARQ (Automatic Repeat Request)
• Unnumbered
• CRC (Cyclic Redundancy Check)
• HEC (Header Error Check)
• Payload CRC
• Encryption
• Whitening
Page 28
Baseband - 7
• Bluetooth native clock
• 3.2 kHz (312.5 µs period) - 25 ppm
• 28-bit free running counter (~ 1 day period)
• Never resynchronized
• Estimated clock for paging
• Piconet clock
• Native clock of the master
• Slaves maintain a relative offset to their master
native clocks
• Drift compensation necessary
[Figure labels: slave 1, slave 2, slave 3, slave 4]
Page 29
Baseband - 8
• Scatternet case
• Master/Slave units use 1 offset
• Slave/Slave units use 2 offsets
[Figure: piconets X and Y. MASTER X with SLAVE Ax and SLAVE Bx; MASTER Y with SLAVE Ay, SLAVE By and SLAVE Dy; SLAVE Cxy in both piconets, with offset x and offset y relative to its native clock]
Page 30
Link Controller - 1
• Standby
• Device powered on
• Inquiry
• Discover devices in the area
• Collect addresses
• Page
• Connect to a specific device
• Inquiry scan
• Discoverable state
• Page scan
• Device waiting to join a piconet
• Connection
• Actively on a piconet
• Master or slave
[State diagram: Standby, Inquiry, Page, Inquiry Scan, Page Scan, Connection (Master or Slave)]
Page 31
Link Controller - 2
• Modes in connection state
• Active
• Maximum 7 slaves
• Sniff
• Low-power active mode
• Hold
• One-time interval
• Park
• Virtually unlimited number of slaves
• Beacon
• Broadcast communication
Page 32
Link Controller - 3
• Synchronous Connection-Oriented (SCO) Link
• Circuit switching
• Symmetric, synchronous services
• Slot reservation at fixed intervals
• Asynchronous Connection-Less (ACL) Link
• Packet switching
• (A)symmetric, asynchronous services
• Polling access scheme
Page 33
Link Controller - 4
• Logical channels
• Control channels:
• LC link control
• LM link manager
• Traffic channels:
• US synchronous user data
• UA asynchronous user data
• UI isochronous user data
• Channel mapping
• Packet header:
• LC
• Packet payload:
• LM, US, UA, UI
Page 34
Link Manager - 1
• Link Manager:
• Closely Related to Link Controller
• No Real-time Functions
[Figure: Higher Layers (L2CAP, Voice) and HCI, with Control and User Data paths, above the Link Manager (LMP), Link Controller and Radio Frequency]
Page 35
Link Manager - 2
• Piconet management
• Attach and detach slaves
• Master-slave switch
• Establishing ACL and SCO links
• Handling of low power modes: Hold, Sniff, Park
• Link configuration
• Supported features
• Quality of Service, usable packet types
• Power Control
• Security management
• Authentication
• Encryption including key management
Page 36
Link Manager - 3
• ACL Link Setup and Removal
[Figure: exchanges between Master and Slave, in the order shown on the slide]
Baseband Connection
Authentication / Pairing (optional)
Encryption Setup (optional)
Exchange Supported Features
Set ACL Link Parameters
Traffic
Detach
Page 37
Link Manager - 4
• SCO Link Setup and Removal
• Setup Negotiation
1. Master-initiated Request
[Figure: Master and Slave exchange LMP_sco_req, then LMP_accepted*]
2. Slave-initiated Request
[Figure: Master and Slave exchange LMP_sco_req, LMP_sco_req (Possibly other Parameters), then LMP_accepted*]
* or LMP_not_accepted
Page 38
Link Manager - 5
• Link Information Commands
• LMP Version
• Supported Features
• Packet Types
• Low Power Modes
• Master-Slave Switch
• Power Control
• SCO Air Mode Parameters
• L2CAP
• Encryption
• Timing Accuracy
• Clock Offset
• Name of Device
[Figure: Requesting information on Remote Device. The Requesting LM sends a Request and the Answering LM returns a Reply]
Page 39
Link Manager - 6
• Security (1): Authentication
• Challenge Response Scheme (ISO/IEC 9798-2)
• 32 Bit - Authentication Code (MAC)
• Authentication of Master, Slave or both
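[Figure: the Verifier sends a Random No. to the Claimant in LMP_au_rand. Each side computes a MAC from the random number, Address_B and the Key. The Claimant returns its result in LMP_sres and the Verifier compares it with its own value]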
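The challenge-response exchange on this slide, as an added example that is not part of the original tutorial. HMAC-SHA256 truncated to 32 bits stands in for Bluetooth's own authentication function (E1), and the names `Verifier`, `compute_sres`, `claimant_respond` and `run_exchange` are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SRES_LEN = 4  # 32-bit authentication code, as on the slide


def compute_sres(link_key: bytes, au_rand: bytes, claimant_addr: bytes) -> bytes:
    """Stand-in for E1: MAC over (random number, Address_B) under the shared key."""
    mac = hmac.new(link_key, au_rand + claimant_addr, hashlib.sha256).digest()
    return mac[:SRES_LEN]


class Verifier:
    def __init__(self, link_key: bytes, claimant_addr: bytes):
        self.link_key = link_key
        self.claimant_addr = claimant_addr
        self.pending = None  # outstanding challenge, valid for one answer only

    def challenge(self) -> bytes:
        """Content of LMP_au_rand: a fresh random number for every attempt."""
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, sres: bytes) -> bool:
        """Compare the claimant's LMP_sres with the locally computed value."""
        if self.pending is None:
            return False  # no challenge outstanding, so a replayed answer fails
        expected = compute_sres(self.link_key, self.pending, self.claimant_addr)
        self.pending = None
        return hmac.compare_digest(expected, sres)  # constant-time comparison


def claimant_respond(link_key: bytes, au_rand: bytes, own_addr: bytes) -> bytes:
    """Claimant side: answer LMP_au_rand with the content of LMP_sres."""
    return compute_sres(link_key, au_rand, own_addr)


def run_exchange(verifier_key: bytes, claimant_key: bytes, addr_b: bytes) -> bool:
    """One full pass: challenge, response, comparison."""
    verifier = Verifier(verifier_key, addr_b)
    au_rand = verifier.challenge()
    return verifier.verify(claimant_respond(claimant_key, au_rand, addr_b))


# Constructed sample values, not taken from any real device.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ADDR_B = bytes.fromhex("0a1b2c3d4e5f")
```

For mutual authentication the two devices run the same exchange a second time with the roles swapped.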
Page 40
Link Manager - 7
• Security (2): Pairing
• Authentication requires a common secret key
• Pairing includes:
• Generation of Initialization Key
• Generation of Link Key
• Mutual Authentication
[Figure: exchanges between Master and Slave, in the order shown on the slide: Kinit (LMP_in_rand); Link Key: KUnit or KComb; Mutual Authentication]
Page 41
Link Manager - 8
• Security (3): Encryption
• Prerequisites
• Successful authentication (at least one direction)
• Common Link Key available
• Negotiation in 3 Steps:
• Using encryption
• (Point-to-Point / Broadcast)
• Key size:
• Regulations may occur
• Negotiation based on preferred and allowed key length
• Start encryption
[Figure: exchanges between Master and Slave: 1. Encryption Mode, 2. Key Size, 3. Start Encryption, Encrypted Traffic, 4. Stop Encryption]
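The key-size step above, as an added example that is not part of the original tutorial: each side has a largest supported size (its preference) and a smallest allowed size, and the link only comes up if one proposal satisfies both. The PDU name LMP_encryption_key_size_req and the 1 to 16 byte range come from the Bluetooth specification rather than from the slide; `Device` and `negotiate_key_size` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    max_key_bytes: int   # largest key size the implementation supports (preferred)
    min_key_bytes: int   # smallest key size local policy allows

    def __post_init__(self):
        if not 1 <= self.min_key_bytes <= self.max_key_bytes <= 16:
            raise ValueError("key sizes must satisfy 1 <= min <= max <= 16")


def negotiate_key_size(master: Device, slave: Device):
    """Return (agreed size in bytes or None, transcript of the exchange)."""
    transcript = []
    proposer, responder = master, slave
    proposal = master.max_key_bytes          # the master opens with its preferred size
    while True:
        transcript.append(f"{proposer.name}: LMP_encryption_key_size_req({proposal})")
        if proposal < responder.min_key_bytes:
            # Below the responder's allowed minimum: refuse rather than weaken the link.
            transcript.append(f"{responder.name}: LMP_not_accepted")
            return None, transcript
        if proposal <= responder.max_key_bytes:
            transcript.append(f"{responder.name}: LMP_accepted")
            return proposal, transcript
        # The responder cannot support this size: it counter-proposes its own maximum.
        proposal = responder.max_key_bytes
        proposer, responder = responder, proposer
```

The allowed minimum is the security control here: without it the agreed size is simply the smaller of the two maxima, whatever that turns out to be.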
Page 42
Link Manager - 9
• Security (4): Key Generation
• Options for Keys
• Unit Key from Master or Slave
• Combination Key: calculated from random numbers (secure exchange)
• Temporary Key
• Temporary and combination keys can be changed at any time
Page 43
L2CAP - 1
What is L2CAP?
[Figure: protocol stack. Applications; TCS, SDP, RFCOMM; Data, Control; L2CAP; Audio; LMP; Link Manager; Baseband; RF]
Page 44
L2CAP - 2
• Logical Link Control and Adaptation Protocol (L2CAP)
• Protocol Multiplexing
• Goal: Pass packets used by a particular network protocol to the appropriate handler
• Segmentation and Reassembly (SAR)
• Goal: Hide data link packet lengths from network-layer protocols
• Quality of Service
• Goal: Negotiate and enforce QoS contracts
Page 45
L2CAP - 3
• Protocol Architecture
• Connection-oriented
• Channel identifier used to label each connection
• Channel is assumed to be full-duplex
• QoS flow specification assigned to each channel direction
• Datagram-based, no Streams
• Packet boundaries are preserved
• L2CAP does NOT perform retransmission
• L2CAP does NOT perform Flow Control
Page 46
L2CAP - 4
• L2CAP Packet Format
Length    | DCID      | Payload
(16 bits) | (16 bits) | (0-65535 bytes)
• Length
• Specifies the length of the payload in bytes
• Destination Channel ID (DCID)
• Identifies the channel to which the packet will be delivered
• Payload
• Data received from and sent to the network layer
• Maximum transmission unit (MTU) limits payload sizes
Page 47
L2CAP - 5
• L2CAP Channel Establishment
[Figure: exchanges between Device A and Device B, in the order shown on the slide]
Link Manager Connection
L2CAP_CONNECTION_REQUEST
L2CAP_CONNECTION_RESPONSE
L2CAP_CONFIGURATION_REQUEST
L2CAP_CONFIGURATION_RESPONSE
L2CAP_CONFIGURATION_REQUEST
L2CAP_CONFIGURATION_RESPONSE
Traffic
Page 48
L2CAP - 6
• Segmentation and Reassembly (SAR)
• Use logical channel information from Baseband
• LCH=10 implies start of an L2CAP packet
• LCH=01 implies continuation of L2CAP packet
[Figure: an L2CAP packet (L2CAP Header, L2CAP Payload) carried in the Payload of Baseband packets; each Baseband packet has an Access Code (72), a Header (54) and a Payload that starts with its own Header]
Page 49
L2CAP - 7
• SAR Example
[Figure: at the Source, a Datagram is carried in an L2CAP Packet, segmented into fragments (f1, f2, f3, f4) and sent in DH5 and DH1 baseband packets; the Destination rebuilds the L2CAP Packet and the Datagram]
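Reassembly as described on the L2CAP - 4 and L2CAP - 6 slides, as an added example that is not part of the original tutorial: the receiver uses the LCH code to find packet starts, and checks the declared Length against the MTU and against the bytes that actually arrive. The little-endian field order comes from the Bluetooth specification; the class name `Reassembler`, the sample packet, and the assumption that the first fragment holds the whole 4-byte header are choices made for the illustration.

```python
import struct

L_CH_START = 0b10            # LCH=10: start of an L2CAP packet
L_CH_CONT = 0b01             # LCH=01: continuation of an L2CAP packet
HDR = struct.Struct("<HH")   # Length, DCID (16 bits each, little-endian)


class Reassembler:
    def __init__(self, mtu: int):
        self.mtu = mtu
        self.buf = None      # bytes collected for the packet in progress
        self.need = 0        # total bytes expected: header + declared payload

    def _reset(self):
        self.buf, self.need = None, 0

    def feed(self, l_ch: int, data: bytes):
        """Feed one baseband payload; return (dcid, payload) when complete, else None."""
        if l_ch == L_CH_START:
            if self.buf is not None:
                self._reset()                    # drop a packet that was never finished
            if len(data) < HDR.size:
                raise ValueError("start fragment shorter than the L2CAP header")
            length, _ = HDR.unpack_from(data)
            if length > self.mtu:
                raise ValueError("declared length exceeds the MTU")
            self.buf, self.need = bytearray(), HDR.size + length
        elif l_ch == L_CH_CONT:
            if self.buf is None:
                raise ValueError("continuation without a start fragment")
        else:
            raise ValueError("not an L2CAP fragment")
        if len(self.buf) + len(data) > self.need:
            self._reset()                        # more bytes than the header declared
            raise ValueError("fragments exceed the declared length")
        self.buf += data
        if len(self.buf) < self.need:
            return None
        _, dcid = HDR.unpack_from(self.buf)
        payload = bytes(self.buf[HDR.size:])
        self._reset()
        return dcid, payload


# Constructed sample: a 14-byte payload for channel 0x0040, split into two fragments.
SAMPLE = HDR.pack(14, 0x0040) + b"hello, piconet"
SAMPLE_FRAGMENTS = [(L_CH_START, SAMPLE[:10]), (L_CH_CONT, SAMPLE[10:])]
```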
Page 50
SDP - 1
Service Discovery Protocol
[Figure: protocol stack. Applications; TCS, SDP, RFCOMM; Data, Control; L2CAP; Audio; LMP; Link Manager; Baseband; RF]
Page 51
SDP - 2
• Protocol Architecture
• Connectionless - Client/Server
• SDP defines how services are represented in the DB
• Server database describes all the services available on a device (Service records)
• SDP defines how to access the server DB information
Page 52
SDP - 3
• SDP Client/Server Model
• Transaction identifier used to label each SDP transaction
[Figure: the SDP Client of the Client Application sends an SDP Request to the SDP Server of the Server Application, which returns an SDP Response]
• Protocol Data Unit Format
PDU id   | Transaction Id | Parameter Length | Parameter 1-N
(1 byte) | (1 byte)       | (2 bytes)        | (Parameter Length bytes)
Page 53
SDP - 4
• Service Discovery
• Searching for Services
• What are the Services provided by the remote device?
• IrDA-like printer
• Headset
• AudioGateway
• …
• Browsing for Services
• What are the Service Attributes?
• e.g.: (L2CAP, PSM=RFCOMM), (RFCOMM, CN=1), (PostscriptStream)
• Accessing the Services (not in the scope of SDP)
Page 54
Applications - 1
[Figure: protocol stack. APPLICATIONS; CTP, HP, SPP, OBEX, PPP, TCP/IP; Voice; TCS, SDP, RFCOMM; Data, Control; L2CAP; Audio; Link Manager; Baseband; RF]
Page 55
Applications - 2
• CTP : Cordless Telephony Profile
• HP : Headset Profile
• SPP : Serial Port Profile
• PPP : Point To Point Protocol
• OBEX : Object Exchange Protocol
Page 56
Implementation
Tutorial
Page 57
Implementation choices
• Trade-offs (Flexibility, cost, performance, size, power consumption)
[Figure: four implementation options: Bluetooth module; Bluetooth IP + Bluetooth RF; Bluetooth single chip; Bluetooth IP + RF IP. Each is drawn as a combination of Application ASIC, Proc, BB, RF and ROM/Flash blocks]
Page 58
Integration example
• BOOST integrated approach
• Bluetooth radio
• Bluetooth baseband core
• Bluetooth software stack
[Figure labels: ASIC / ASSP; Radio; Core; Processor; Application Logic; Software; ROM / Flash; RAM]
Page 59
Live Demo
Tutorial
Page 60
References
Tutorial
Page 61
References
• http://www.bluetooth.com - Bluetooth specifications online
• http://www.newlogic.com
• Books:
• Bluetooth: Connect without Cables - Jennifer Bray & Charles Sturman
• Bluetooth Revealed: The Insider's Guide to an Open Specification for Global Wireless Communications - Brent A. Miller, Chatschik Bisdikian
Page 62