基于Android P版本分析
BT 启动
我们知道,BT的启动,对应的上层应用的enable方法。
而在enable的过程中,首先会判断mBluetooth变量是否为空,而该变量的类型为AdapterServiceBinder,首次开启的时候为空,所以我们首先先分析一下AdapterService的启动,分析在AdapterService的启动过程中,执行了加载了哪些信息、执行了哪些逻辑;
bluedroid 加载 / 初始化
我们主要关注AdapterService启动的时候,bluedroid做了哪些操作;
基本上可以分为5件事儿:
-
classInitNative:
- 建立JNI和Java层之间的映射调用关系,使用JniCallbacks作为中间件;
- hal_util_load_bt_library:加载so库;
-
AdapterService -- onCreate -- initNative
- init:创建stack_mananger线程,用于管理BT 协议栈的运行;
- set_os_callouts:设置bluedroid用于报警和唤醒锁的操作系统调出功能
- get_profile_interface:创建用于RFCOMM通信的interface
其中stack_manager的init_stack函数也比较重要,其中涉及到了几个点:
-
基本的信号量操作;
-
module相关函数(对其他模块的一些初始化检查操作);
-
btif_init_bluetooth
-
主机和蓝牙芯片相关入口初始化
- 检查并初始化INTEROP_MODULE模块;
- 初始化、获取HCI接口hci_layer_get_interface,并返回hci变量;
- hci->set_data_cb监听post_to_message_loop消息;
-
新创建一个JNI工作队列,用于处理JNI的回调信息;
-
bluedroid Gatt 初始化
AdapterService onCreate方法执行完成之后,bluedroid也就加载和初始化成功。
而在enable逻辑中,会对mBluetooth变量进行多次判空,当AdapterService启动成功之后,mBluetooth便指向了AdapterService,当前不为空,则紧接着执行enable逻辑;
而在真正enable之前,又初始化了GattService,现在低功耗蓝牙(BLE)连接都是建立在GATT协议之上,GATT是一个在蓝牙连接之上的发送和接收很短的数据段的通用规范,这个很短的数据段被称为属性(Attribute)。GattService用于定义和管理输入/输出数据交互。
因为在后续的enable过程中,会涉及到GattService的判断,只有当class == GattService.class的时候,才会执行到enableNative函数中;
bluedroid enable使能
上述的过程,基本上还是用于建立bluedroid和Java之间的回调机制;enable实际的流程是在AdapterService和GattService启动之后执行的。
在这个过程中,主要对应的方法就是enableNative;
在这个方法中,主要实现了如下几个:
-
初始化BTE
-
创建BTU_TASK及启动BTU_TASK;
-
btu_init_core:初始化核心栈控制块
-
btm_init
- btm_inq_db_init
- btm_acl_init
- btm_sec_init
- btm_sco_init
- btm_dev_init
-
l2c_init
-
sdp_init
-
gatt_init
-
SMP_init
-
btm_ble_init
-
-
BTE_initStack:初始化任何可选堆栈组件
- RFCOMM_init
- BNEP_init
- PAN_init
- A2DP_init
- AVRC_init
- GAP_init
- HID_Host_init
-
bta_sys_init:注册BTA系统消息handler、注册BTM通知监听
- bta_sys_register
- BTM_RegisterForDeviceStatusNotify
- bta_ar_init
-
-
初始化HCI、串口相关。启动HCI工作主线程:bt_hc_challback,芯片上电、RF参数初始化;
BT 协议数据包分析
我们在分析BT enable的过程中,在分析到bta_sys_init函数执行完成之后,会在btu_message_loop_run中向上层发送btif_init_ok,用于向JNI线程发送初始化完成的消息,其中该函数中,还执行了BTA_EnableBluetooth,这个过程中,其实是用于start_up Controller,而Controller对应的就是蓝牙芯片的软件层面,或者说是Host向Controller访问的接口;
而在这之前的过程中,都是Host模块的初始化和启动分析;
Controller Start Up
我们分析一下,在controller module的start_up过程中,发送了哪些HCI Command;
在这个过程中,最核心的逻辑就是在启动Controller_Module,在该module的start_up过程中,Host会向Controller module发送需要HCI Command,用于获取蓝牙芯片必要的一些信息;
Reset
yaml
Frame 1: 4 bytes on wire (32 bits), 4 bytes captured (32 bits)
Bluetooth
[Source: host]
[Destination: controller]
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Reset
Command Opcode: Reset (0x0c03)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0000 0011 = Opcode Command Field: Reset (0x003)
Parameter Total Length: 0
[Response in frame: 2]
[Command-Response Delta: 17.899ms]- Source:host,蓝牙协议栈
- Destination:controller,蓝牙芯片
- Direction:Sent,发送
- HCI Packet Type:HCI Command,Host和Controller之间的通信一般常见的有4种:HCI Command、HCI Event、HCI ACL、HCI SCO;
- Command Opcode:Reset
yaml
Frame 2: 7 bytes on wire (56 bits), 7 bytes captured (56 bits)
Bluetooth
[Source: controller]
[Destination: host]
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 4
Number of Allowed Command Packets: 1
Command Opcode: Reset (0x0c03)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0000 0011 = Opcode Command Field: Reset (0x003)
Status: Success (0x00)
[Command in frame: 1]
[Command-Response Delta: 17.899ms]- HCI Packet Type:HCI Event,HCI Command和HCI Event是对应的关系;
- Event Code:Command Complete;
- Status:Success;
- Command Opcode:Reset,Event对应的Opcode;
一般情况下,Source为Host的情况下,对应的HCI Packet Type为HCI Command,而Source为Controller的情况下,对应的HCI Packet Type为HCI Event;
Read Local Version Information
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Read Local Version Information
Command Opcode: Read Local Version Information (0x1001)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 0001 = Opcode Command Field: Read Local Version Information (0x001)
Parameter Total Length: 0
[Response in frame: 8]
[Command-Response Delta: 12.938ms]这个Command用于获取本地Controller的版本信息;
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 12
Number of Allowed Command Packets: 1
Command Opcode: Read Local Version Information (0x1001)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 0001 = Opcode Command Field: Read Local Version Information (0x001)
Status: Success (0x00)
HCI Version: 5.1 (0x0a)
HCI Revision: 0
LMP Version: 5.1 (0x0a)
Manufacturer Name: Qualcomm (0x001d)
LMP Subversion: 4025
[Command in frame: 7]
[Command-Response Delta: 12.938ms]- Statue:0x00表示success,0x01-0xFF error code;
- HCI Version:定义HCI层的版本信息,5.1;
- HCI Revision:具体根据实现来定;
- LMP Version:定义LMP或者PAL层的版本信息,5.1;
- Manufacturer Name:Qualcomm,指定生产商;
- LMP Subversion:具体根据实现来定,4025;
Read BD ADDR
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Read BD ADDR
Command Opcode: Read BD ADDR (0x1009)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 1001 = Opcode Command Field: Read BD ADDR (0x009)
Parameter Total Length: 0
[Response in frame: 12]
[Command-Response Delta: 1.227ms]如果是BR/EDR Controller,这个command用来获取Bluetooth Controlleraddress,如果是LE Controller,这个command用来获取Public Device Address,如果Controller没有Public Device Address,将返回0x000000000000;如果是BR/EDR/LE Controller,Public Device Address和BD_ADDR是同一个值;
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 10
Number of Allowed Command Packets: 1
Command Opcode: Read BD ADDR (0x1009)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 1001 = Opcode Command Field: Read BD ADDR (0x009)
Status: Success (0x00)
BD_ADDR: BarrotTe_50:67:20 (04:7f:0e:50:67:20)
[Command in frame: 11]
[Command-Response Delta: 1.227ms]- Command Opcode:Read BD ADDR
- Status:Success,0x00表示success;0x01-0xFF error code
- BD_ADDR:BarrotTe_50:67:20 (04:7f:0e:50:67:20),Controller的地址
Read Local Supported Commands
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Read Local Supported Commands
Command Opcode: Read Local Supported Commands (0x1002)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 0010 = Opcode Command Field: Read Local Supported Commands (0x002)
Parameter Total Length: 0
[Response in frame: 14]
[Command-Response Delta: 5.28ms]这个Command用来获取本地BR/EDR Controller支持的LMP features;
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 68
Number of Allowed Command Packets: 1
Command Opcode: Read Local Supported Commands (0x1002)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 0010 = Opcode Command Field: Read Local Supported Commands (0x002)
Status: Success (0x00)
Local Supported Commands: ffffff03ceffefffffffff1ff20fe8fe3ff783ff1c00040061ffffff7fbee0fffff0ffff...
[Command in frame: 13]
[Command-Response Delta: 5.28ms]- Statue:Success
- Local Supported Commands:每个bit代表一个LMP features
Read Local Extended Features
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Read Local Extended Features
Command Opcode: Read Local Extended Features (0x1004)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 0100 = Opcode Command Field: Read Local Extended Features (0x004)
Parameter Total Length: 1
Page Number: 0
[Response in frame: 16]
[Command-Response Delta: 20.434ms]这个Command用来获取具体Page number里面的extended LMP features;
- Page number:用来设置获取某一页的LMP features / extended LMP feature;Page number = 0时,获取的就是Read Local Supported Features command返回的LMP features;
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 14
Number of Allowed Command Packets: 1
Command Opcode: Read Local Extended Features (0x1004)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 0100 = Opcode Command Field: Read Local Extended Features (0x004)
Status: Success (0x00)
Page Number: 0
Max. Page Number: 2
LMP Features
.... ...1 = 3-slot packets: True
.... ..1. = 5-slot packets: True
.... .1.. = Encryption: True
.... 1... = Slot Offset: True
...1 .... = Timing Accuracy: True
..1. .... = Role Switch: True
.1.. .... = Hold Mode: True
1... .... = Sniff Mode: True
.... ...0 = Park Mode: False
.... ..1. = Power Control Requests: True
.... .1.. = Channel Quality Driven Data Rate: True
.... 1... = SCO Link: True
...1 .... = HV2 packets: True
..1. .... = HV3 packets: True
.0.. .... = u-law Log Synchronous Data: False
0... .... = A-law Log Synchronous Data: False
.... ...1 = CVSD Synchronous Data: True
.... ..1. = Paging Parameter Negotiation: True
.... .1.. = Power Control: True
.... 1... = Transparent Synchronous Data: True
.000 .... = Flow Control Lag: 0 (0 bytes)
1... .... = Broadband Encryption: True
.... ...0 = Reserved: False
.... ..1. = EDR ACL 2 Mbps Mode: True
.... .1.. = EDR ACL 3 Mbps Mode: True
.... 1... = Enhanced Inquiry Scan: True
...1 .... = Interlaced Inquiry Scan: True
..1. .... = Interlaced Page Scan: True
.1.. .... = RSSI with Inquiry Results: True
1... .... = EV3 Packets: True
.... ...0 = EV4 Packets: False
.... ..0. = EV5 Packets: False
.... .0.. = Reserved: False
.... 1... = AFH Capable Slave: True
...1 .... = AFH Classification Slave: True
..0. .... = BR/EDR Not Supported: False
.1.. .... = LE Supported Controller: True
1... .... = 3-slot EDR ACL packets: True
.... ...1 = 5-slot EDR ACL packets: True
.... ..1. = Sniff Subrating: True
.... .1.. = Pause Encryption: True
.... 1... = AFH Capable Master: True
...1 .... = AFH Classification Master: True
..1. .... = EDR eSCO 2 Mbps Mode: True
.0.. .... = EDR eSCO 3 Mbps Mode: False
0... .... = 3-slot EDR eSCO Packets: False
.... ...1 = Extended Inquiry Response: True
.... ..1. = Simultaneous LE and BR/EDR to Same Device Capable Controller: True
.... .0.. = Reserved: False
.... 1... = Secure Simple Pairing: True
...1 .... = Encapsulated PDU: True
..0. .... = Erroneous Data Reporting: False
.1.. .... = Non-flushable Packet Boundary Flag: True
0... .... = Reserved: False
.... ...1 = Link Supervision Timeout Changed Event: True
.... ..1. = Inquiry TX Power Level: True
.... .1.. = Enhanced Power Control: True
.000 0... = Reserved: False
1... .... = Extended Features: True
[Command in frame: 15]
[Command-Response Delta: 20.434ms]- Status:success
- Page number:表示这是返回的第Page number页的LMP feature / extended LMP features;
- Maximum Page Number:最多有多少页;
- Extended LMP Features:每个bit代表一个LMP feature / extended LMP features,0代表不支持,1代表支持;
LMP features 具体的bit位定义
| No | Supported feature | Byte | Bit | value |
|---|---|---|---|---|
| 0 | 3 slot packets | 0 | 0 | true |
| 1 | 5 slot packets | 0 | 1 | true |
| 2 | Encryption | 0 | 2 | true |
| 3 | Slot offset | 0 | 3 | true |
| 4 | Timing accuracy | 0 | 4 | true |
| 5 | Role switch | 0 | 5 | true |
| 6 | Hold mode | 0 | 6 | true |
| 7 | Sniff mode | 0 | 7 | true |
| 8 | Park state | 1 | 0 | false |
| 9 | Power control requests | 1 | 1 | true |
| 10 | Channel quality driven data rate(CQDDR) | 1 | 2 | true |
| 11 | SCO link | 1 | 3 | true |
| 12 | HV2 packets | 1 | 4 | true |
| 13 | HV3 packets | 1 | 5 | true |
| 14 | μ-law log synchronous data | 1 | 6 | false |
| 15 | A-law log synchronous data | 1 | 7 | false |
| 16 | CVSD synchronous data | 2 | 0 | true |
| 17 | Paging parameter negotiation | 2 | 1 | true |
| 18 | Power control | 2 | 2 | true |
| 19 | Transparent synchronous data | 2 | 3 | true |
| 20 | Flow control lag(least significant bit) | 2 | 4 | false |
| 21 | Flow control lag(middle bit) | 2 | 5 | false |
| 22 | Flow control lag(most significant bit) | 2 | 6 | false |
| 23 | Broadcast Encryption | 2 | 7 | true |
| 24 | Reserved | 3 | 0 | false |
| 25 | Enhanced Data Rate ACL 2 Mb/s mode | 3 | 1 | true |
| 26 | Enhanced Data Rate ACL 3 Mb/s mode | 3 | 2 | true |
| 27 | Enhanced inquiry scan | 3 | 3 | true |
| 28 | Interlaced inquiry scan | 3 | 4 | true |
| 29 | Interlaced page scan | 3 | 5 | true |
| 30 | RSSI with inquiry results | 3 | 6 | true |
| 31 | Extended SCO link(EV3 packets) | 3 | 7 | true |
| 32 | EV4 packets | 4 | 0 | false |
| 33 | EV5 packets | 4 | 1 | false |
| 34 | Reserved | 4 | 2 | false |
| 35 | AFH capable slave | 4 | 3 | true |
| 36 | AFH classification slave | 4 | 4 | true |
| 37 | BR/EDR Not Supported | 4 | 5 | false |
| 38 | LE Supported(Controller) | 4 | 6 | true |
| 39 | 3-slot Enhanced Data Rate ACL packets | 4 | 7 | true |
| 40 | 5-slot Enhanced Data Rate ACL packets | 5 | 0 | true |
| 41 | Sniff subrating | 5 | 1 | true |
| 42 | Pause encryption | 5 | 2 | true |
| 43 | AFH capable master | 5 | 3 | true |
| 44 | AFH classification master | 5 | 4 | true |
| 45 | Enhanced Data Rate eSCO 2 Mb/s mode | 5 | 5 | true |
| 46 | Enhanced Data Rate eSCO 3 Mb/s mode | 5 | 6 | false |
| 47 | 3-slot Enhanced Data Rate eSCO packets | 5 | 7 | false |
| 48 | Extended Inquiry Response | 6 | 0 | true |
| 49 | Simultaneous LE and BR/EDR to Same Device Capable(Controller) | 6 | 1 | true |
| 50 | Reserved | 6 | 2 | false |
| 51 | Secure Simple Pairing | 6 | 3 | true |
| 52 | Encapsulated PDU | 6 | 4 | true |
| 53 | Erroneous Data REporting | 6 | 5 | false |
| 54 | Non-flushable Packet Boundary Flag | 6 | 6 | true |
| 55 | Reserved | 6 | 7 | false |
| 56 | Link Supervision Timeout Changed Event | 7 | 0 | true |
| 57 | Inquiry TX Power Level | 7 | 1 | true |
| 58 | Enhanced Power Control | 7 | 2 | true |
| 59 | Reserved | 7 | 3 | false |
| 60 | Reserved | 7 | 4 | false |
| 61 | Reserved | 7 | 5 | false |
| 62 | Reserved | 7 | 6 | false |
| 63 | Extended features | 7 | 7 | true |
Write Simple Pairing Mode
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Write Simple Pairing Mode
Command Opcode: Write Simple Pairing Mode (0x0c56)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0101 0110 = Opcode Command Field: Write Simple Pairing Mode (0x056)
Parameter Total Length: 1
Simple Pairing Mode: enabled (1)
[Response in frame: 18]
[Command-Response Delta: 2.935ms]这个命令用来配置本地Controller是否支持Simple Pairing Mode(写入简单配对模式),如果不设置,默认是不支持的,如果支持,当收到IO capability request时应该作出回应,如果不支持,当收到IO capability request时应该拒绝;
- Simple_Pairing_Mode:0x00表示不支持(默认),0x01表示支持;
这个命令应该在page scan之前执行,最好在HCI Write Scan Enable前面;
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 4
Number of Allowed Command Packets: 1
Command Opcode: Write Simple Pairing Mode (0x0c56)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0101 0110 = Opcode Command Field: Write Simple Pairing Mode (0x056)
Status: Success (0x00)
[Command in frame: 17]
[Command-Response Delta: 2.935ms]- Status:0x00表示成功,其他表示失败;
Write LE Host Supported
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Write LE Host Supported
Command Opcode: Write LE Host Supported (0x0c6d)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0110 1101 = Opcode Command Field: Write LE Host Supported (0x06d)
Parameter Total Length: 2
LE Supported Host: true (0x01)
Simultaneous LE Host: true (0x01)
[Response in frame: 20]
[Command-Response Delta: 3.749ms]这个命令用于支持BLE command;
- LE Supported Host:true
- Simultaneous LE Host:true
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 4
Number of Allowed Command Packets: 1
Command Opcode: Write LE Host Supported (0x0c6d)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0110 1101 = Opcode Command Field: Write LE Host Supported (0x06d)
Status: Unsupported Feature or Parameter Value (0x11)
[Command in frame: 19]
[Command-Response Delta: 3.749ms]- Status:0x00表示成功,其他表示失败;
Read Local Extended Features
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Read Local Extended Features
Command Opcode: Read Local Extended Features (0x1004)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 0100 = Opcode Command Field: Read Local Extended Features (0x004)
Parameter Total Length: 1
Page Number: 1
[Response in frame: 22]
[Command-Response Delta: 0.989ms]这个Command用来获取具体Page number里面的extended LMP features;
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 14
Number of Allowed Command Packets: 1
Command Opcode: Read Local Extended Features (0x1004)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 0100 = Opcode Command Field: Read Local Extended Features (0x004)
Status: Success (0x00)
Page Number: 1
Max. Page Number: 2
LMP Features
.... ...1 = Secure Simple Pairing Host: True
.... ..1. = LE Supported Host: True
.... .0.. = Simultaneous LE and BR/EDR to Same Device Capable Host: False
.... 0... = Secure Connections Host: False
0000 .... = Reserved: 0x0
Reserved: 00000000000000
[Command in frame: 21]
[Command-Response Delta: 0.989ms]- Status:Success
- Page Number = 1:用来设置获取某一页的LMP features/extended LMP features;Page number为0时,获取的就是Read Local Supported Features command返回的LMP features;
- Maximum Page Number = 2:最多有多少页
- LMP Features:支持的LMP features;
Write Secure Connections Host Support
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Write Secure Connections Host Support
Command Opcode: Write Secure Connections Host Support (0x0c7a)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0111 1010 = Opcode Command Field: Write Secure Connections Host Support (0x07a)
Parameter Total Length: 1
Secure Connection Host Support: Enable (0x01)
[Response in frame: 26]
[Command-Response Delta: 1.76ms]这个命令用于设置安全连接主机;
- Secure Connection Host Support:Enable
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 4
Number of Allowed Command Packets: 1
Command Opcode: Write Secure Connections Host Support (0x0c7a)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0111 1010 = Opcode Command Field: Write Secure Connections Host Support (0x07a)
Status: Success (0x00)
[Command in frame: 25]
[Command-Response Delta: 1.76ms]- Status:Success
LE Set Event Mask
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - LE Set Event Mask
Command Opcode: LE Set Event Mask (0x2001)
0010 00.. .... .... = Opcode Group Field: LE Controller Commands (0x08)
.... ..00 0000 0001 = Opcode Command Field: LE Set Event Mask (0x001)
Parameter Total Length: 8
LE Event Mask: 0x0000000000021e7f, LE Extended Advertising Set Terminated, LE Extended Advertising Report, LE PHY Update Complete, LE Direct Advertising Report, LE Enhanced Connection Complete, LE Data Length Change, LE Remote Connection P
0000 0000 0000 0000 0000 0000 0000 0... .... .... .... .... .... .... .... .... = Reserved: 0x00000000
.... .... .... .... .... .... .... .0.. .... .... .... .... .... .... .... .... = LE Subrate Changed: False
.... .... .... .... .... .... .... ..0. .... .... .... .... .... .... .... .... = LE BIGInfo Advertising Report: False
.... .... .... .... .... .... .... ...0 .... .... .... .... .... .... .... .... = LE Transmit Power Reporting: False
.... .... .... .... .... .... .... .... 0... .... .... .... .... .... .... .... = LE Path Loss Threshold: False
.... .... .... .... .... .... .... .... .0.. .... .... .... .... .... .... .... = LE Request Peer SCA Complete: False
.... .... .... .... .... .... .... .... ..0. .... .... .... .... .... .... .... = LE BIG Sync Lost: False
.... .... .... .... .... .... .... .... ...0 .... .... .... .... .... .... .... = LE BIG Sync Established: False
.... .... .... .... .... .... .... .... .... 0... .... .... .... .... .... .... = LE Terminate BIG Complete: False
.... .... .... .... .... .... .... .... .... .0.. .... .... .... .... .... .... = LE Create BIG Complete: False
.... .... .... .... .... .... .... .... .... ..0. .... .... .... .... .... .... = LE CIS Request: False
.... .... .... .... .... .... .... .... .... ...0 .... .... .... .... .... .... = LE CIS Established: False
.... .... .... .... .... .... .... .... .... .... 0... .... .... .... .... .... = LE Periodic Advertising Sync Transfer Received: False
.... .... .... .... .... .... .... .... .... .... .0.. .... .... .... .... .... = LE CTE Request Failed: False
.... .... .... .... .... .... .... .... .... .... ..0. .... .... .... .... .... = LE Connection IQ Report: False
.... .... .... .... .... .... .... .... .... .... ...0 .... .... .... .... .... = LE Connectionless IQ Report: False
.... .... .... .... .... .... .... .... .... .... .... 0... .... .... .... .... = LE Channel Selection Algorithm: False
.... .... .... .... .... .... .... .... .... .... .... .0.. .... .... .... .... = LE Scan Request Received: False
.... .... .... .... .... .... .... .... .... .... .... ..1. .... .... .... .... = LE Extended Advertising Set Terminated: True
.... .... .... .... .... .... .... .... .... .... .... ...0 .... .... .... .... = LE Extended Scan Timeout: False
.... .... .... .... .... .... .... .... .... .... .... .... 0... .... .... .... = LE Periodic Advertising Sync Lost: False
.... .... .... .... .... .... .... .... .... .... .... .... .0.. .... .... .... = LE Periodic Advertising Report: False
.... .... .... .... .... .... .... .... .... .... .... .... ..0. .... .... .... = LE Periodic Advertising Sync Established: False
.... .... .... .... .... .... .... .... .... .... .... .... ...1 .... .... .... = LE Extended Advertising Report: True
.... .... .... .... .... .... .... .... .... .... .... .... .... 1... .... .... = LE PHY Update Complete: True
.... .... .... .... .... .... .... .... .... .... .... .... .... .1.. .... .... = LE Direct Advertising Report: True
.... .... .... .... .... .... .... .... .... .... .... .... .... ..1. .... .... = LE Enhanced Connection Complete: True
.... .... .... .... .... .... .... .... .... .... .... .... .... ...0 .... .... = LE Generate DHKey Complete: False
.... .... .... .... .... .... .... .... .... .... .... .... .... .... 0... .... = LE Read Local P-256 Public Key Complete: False
.... .... .... .... .... .... .... .... .... .... .... .... .... .... .1.. .... = LE Data Length Change: True
.... .... .... .... .... .... .... .... .... .... .... .... .... .... ..1. .... = LE Remote Connection Parameter Request: True
.... .... .... .... .... .... .... .... .... .... .... .... .... .... ...1 .... = LE Long Term Key Request: True
.... .... .... .... .... .... .... .... .... .... .... .... .... .... .... 1... = LE Read Remote Features Complete: True
.... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .1.. = LE Connection Update Complete: True
.... .... .... .... .... .... .... .... .... .... .... .... .... .... .... ..1. = LE Advertising Report: True
.... .... .... .... .... .... .... .... .... .... .... .... .... .... .... ...1 = LE Connection Complete: True
[Response in frame: 46]
[Command-Response Delta: 0.725ms]该命令用来启动或屏蔽相关的低功耗蓝牙事件;
上面的Event Mask不一一描述了;
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 4
Number of Allowed Command Packets: 1
Command Opcode: LE Set Event Mask (0x2001)
0010 00.. .... .... = Opcode Group Field: LE Controller Commands (0x08)
.... ..00 0000 0001 = Opcode Command Field: LE Set Event Mask (0x001)
Status: Success (0x00)
[Command in frame: 45]
[Command-Response Delta: 0.725ms]- Status:Success;
Set Event Mask
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Set Event Mask
Command Opcode: Set Event Mask (0x0c01)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0000 0001 = Opcode Command Field: Set Event Mask (0x001)
Parameter Total Length: 8
.... ...1 = Inquiry Complete: true (0x1)
.... ..1. = Inquiry Result: true (0x1)
.... .1.. = Connect Complete: true (0x1)
.... 1... = Connect Request: true (0x1)
...1 .... = Disconnect Complete: true (0x1)
..1. .... = Auth Complete: true (0x1)
.1.. .... = Remote Name Req Complete: true (0x1)
1... .... = Encrypt Change: true (0x1)
.... ...1 = Change Connection Link Key Complete: true (0x1)
.... ..1. = Master Link Key Complete: true (0x1)
.... .1.. = Read Remote Supported Features: true (0x1)
.... 1... = Read Remote Ver Info Complete: true (0x1)
...1 .... = QoS Setup Complete: true (0x1)
1... .... = Hardware Error: true (0x1)
.... ...1 = Flush Occurred: true (0x1)
.... ..1. = Role Change: true (0x1)
.... 1... = Mode Change: true (0x1)
...1 .... = Return Link Keys: true (0x1)
..1. .... = PIN Code Request: true (0x1)
.1.. .... = Link Key Request: true (0x1)
1... .... = Link Key Notification: true (0x1)
.... ...1 = Loopback Command: true (0x1)
.... ..1. = Data Buffer Overflow: true (0x1)
.... .1.. = Max Slots Change: true (0x1)
.... 1... = Read Clock Offset Complete: true (0x1)
...1 .... = Connection Packet Type Changed: true (0x1)
..1. .... = QoS Violation: true (0x1)
.1.. .... = Page Scan Mode Change: true (0x1)
1... .... = Page Scan Repetition Mode Change: true (0x1)
.... ...1 = Flow Specification Complete: true (0x1)
.... ..1. = Inquiry Result With RSSI: true (0x1)
.... .1.. = Read Remote Ext. Features Complete: true (0x1)
.... 1... = Synchronous Connection Complete: true (0x1)
...1 .... = Synchronous Connection Changed: true (0x1)
..1. .... = Sniff Subrate: true (0x1)
.1.. .... = Extended Inquiry Result: true (0x1)
1... .... = Encryption Key Refresh Complete: true (0x1)
.... ...1 = IO Capability Request: true (0x1)
.... ..1. = IO Capability Response: true (0x1)
.... .1.. = User Confirmation Request: true (0x1)
.... 1... = User Passkey Request: true (0x1)
...1 .... = Remote OOB Data Request: true (0x1)
..1. .... = Simple Pairing Complete: true (0x1)
1... .... = Link Supervision Timeout Changed: true (0x1)
.... ...1 = Enhanced Flush Complete: true (0x1)
.... .1.. = User Passkey Notification: true (0x1)
.... 1... = Keypress Notification: true (0x1)
[Response in frame: 48]
[Command-Response Delta: 0.754ms]该命令用于控制HCI为Host生成哪些事件;
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 4
Number of Allowed Command Packets: 1
Command Opcode: Set Event Mask (0x0c01)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0000 0001 = Opcode Command Field: Set Event Mask (0x001)
Status: Success (0x00)
[Command in frame: 47]
[Command-Response Delta: 0.754ms]- Status:Success;
Read Local Supported Codecs
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Read Local Supported Codecs
Command Opcode: Read Local Supported Codecs (0x100b)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 1011 = Opcode Command Field: Read Local Supported Codecs (0x00b)
Parameter Total Length: 0
[Response in frame: 50]
[Command-Response Delta: 3.624ms]该命令用于读取本地芯片支持的编码格式;
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 12
Number of Allowed Command Packets: 1
Command Opcode: Read Local Supported Codecs (0x100b)
0001 00.. .... .... = Opcode Group Field: Informational Parameters (0x04)
.... ..00 0000 1011 = Opcode Command Field: Read Local Supported Codecs (0x00b)
Status: Success (0x00)
Number of Supported Codecs: 6
Codecs
Codec: u-Law log (0x00)
Codec: A-law log (0x01)
Codec: CVSD (0x02)
Codec: Transparent (0x03)
Codec: Linear PCM (0x04)
Codec: mSBC (0x05)
Number of Supported Vendor Codecs: 0
Vendor Codecs
[Command in frame: 49]
[Command-Response Delta: 3.624ms]- u-Law log:u-Law算法
- A-law log:A-Law(A律)算法,PCM音频压缩,非均匀量化;
- CVSD:该编码方式的数据传输使用 SCO 或 eSCO 链路。链路的选取是根据本端 Controller是否支持 Enhanced Setup Synchronous Connection指令来决定的,如果支持该命令则创建语音音频链路时使用 eSCO,否则创建 SCO 链路;
- Transparent:透明度;
- Linear PCM:LPCM(线性脉冲编码调制)是一种非压缩音频数字化技术,是一种未压缩的原音重现,是非压缩的数字化技术,码率较大;
- mSBC:该编码方式的数据传输只能使用 eSCO 链路;
Controller Start Up Complete
这个过程就是controller start_up成功之后的reset_complete的逻辑以及对应的响应HCI Command;
Write Inquiry Mode
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Write Inquiry Mode
Command Opcode: Write Inquiry Mode (0x0c45)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0100 0101 = Opcode Command Field: Write Inquiry Mode (0x045)
Parameter Total Length: 1
Inquiry Mode: Results With RSSI or Extended Results (2)
[Response in frame: 56]
[Command-Response Delta: 1.051ms]该命令用于把搜索模式写入到芯片中;
- Inquiry Mode:Results With RSSI or Extended Results (2) -- 查询结果带有RSSI的格式或者额外的查询结果格式,Inquiry Result with RSSI format or Extended Inquiry Result format。Extended Inquiry Result format:除了带有RSSI,可能带有设备名字之类的信息。
Response的Status为Success;
Write Page Scan Type
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Write Page Scan Type
Command Opcode: Write Page Scan Type (0x0c47)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0100 0111 = Opcode Command Field: Write Page Scan Type (0x047)
Parameter Total Length: 1
Scan Type: Interlaced Scan (1)
[Response in frame: 58]
[Command-Response Delta: 1.702ms]该命令用于配置本地BR/EDR Controller的Page Scan Type;
- Scan Type = Interlaced Scan (1):0x00表示标准Scan (默认使用这种模式),0x01表示隔行Scan;
Response的Status为Success;
Write Inquiry Scan Type
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Write Inquiry Scan Type
Command Opcode: Write Inquiry Scan Type (0x0c43)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0100 0011 = Opcode Command Field: Write Inquiry Scan Type (0x043)
Parameter Total Length: 1
Scan Type: Interlaced Scan (1)
[Response in frame: 60]
[Command-Response Delta: 1.911ms]该命令用于写查询扫描类型;
- Scan Type = Interlaced Scan (1):0x00表示标准Scan (默认使用这种模式),0x01表示隔行Scan;
Response的Status为Success;
Write Class of Device
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Write Class of Device
Command Opcode: Write Class of Device (0x0c24)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0010 0100 = Opcode Command Field: Write Class of Device (0x024)
Parameter Total Length: 3
Class of Device: 0x260408 (Audio/Video:Hands-free Device - services: Networking Rendering Audio)
0000 10.. = Minor Device Class: Hands-free Device (0x02)
.... ..00 = Format Type: 0x0
0... .... .... .... = Major Service Classes: Information: False
.0.. .... .... .... = Major Service Classes: Telephony: False
..1. .... .... .... = Major Service Classes: Audio: True
...0 .... .... .... = Major Service Classes: Object Transfer: False
.... 0... .... .... = Major Service Classes: Capturing: False
.... .1.. .... .... = Major Service Classes: Rendering: True
.... ..1. .... .... = Major Service Classes: Networking: True
.... ...0 .... .... = Major Service Classes: Positioning: False
.... .... 00.. .... = Major Service Classes: Reserved: 0x0
.... .... ..0. .... = Major Service Classes: Limited Discoverable Mode: False
.... .... ...0 0100 = Major Device Class: Audio/Video (0x04)
[Response in frame: 62]
[Command-Response Delta: 2.61ms]Class of Device简称CoD,该命令用于向蓝牙芯片写入描述BR / EDR 设备的类型;
CoD用于指出此设备是何种类型,以及支持哪些服务;
- Minor Device Class:Hands-free Device
- Major Service Classes:Networking、Rendering、Audio
- Major Device Class:Audio/Video
通用及设备特定的查询访问码(DIAC)
| # | LAP Value | Usage |
|---|---|---|
| 0 | 0x9E8B33 | 通用/无限查询访问码(GIAC) |
| 1 | 0x9E8B00 | 有限的专用查询访问码(LIAC) |
| 2~63 | 0x9E8B01-0x9E8B32, 0x9E8B34-0x9E8B3F | 保留待将来使用 |
有限查询访问码(LIAC)仅用于限定的时段,在两边均已明确要进入此状态的情况下使用,通常由用户操作;
GIAC是在允许持续扫描通用查询访问码并在查询时响应;
Major Device Class
主要设备类型,定义蓝牙设备的最高粒度级别。设备的主要功能用于确定主要类分组,由5位二进制来表示,共有32中不同的主要类型;
| 12 | 11 | 10 | 9 | 8 | Major Device Class | Desc | Value |
|---|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | Miscellaneous | 其他 | 0x00 |
| 0 | 0 | 0 | 0 | 1 | Computer(desktop、notebook、PDA、organizer、...) | 计算机(台式机、笔记本、PDA) | 0x01 |
| 0 | 0 | 0 | 1 | 0 | Phone(cellular、cordless、pay phone、modem、...) | 电话(手机、无线、支付电话、调制解调器) | 0x02 |
| 0 | 0 | 0 | 1 | 1 | LAN/Network Access point | LAN/网络接入点 | 0x03 |
| 0 | 0 | 1 | 0 | 0 | Audio/Video (headset, speaker, stereo, video display, VCR, ... | 音频/视频(耳机、扬声器、立体声、视频显示、VCR..... | 0x04 |
| 0 | 0 | 1 | 0 | 1 | Peripheral (mouse, joystick, keyboard, ... ) | 配件(鼠标、游戏杆、键盘 .....) | 0x05 |
| 0 | 0 | 1 | 1 | 0 | Imaging (printer, scanner, camera, display, ...) | 成像(打印、扫描仪、相机、显示 ...) | 0x06 |
| 0 | 0 | 1 | 1 | 1 | Wearable | 可穿戴 | 0x07 |
| 0 | 1 | 0 | 0 | 0 | Toy | 玩具 | 0x08 |
| 0 | 1 | 0 | 0 | 1 | Health | 健康 | 0x09 |
| 1 | 1 | 1 | 1 | 1 | Uncategorized: device code not specified | 未分类:未指定设备代码 | 0x31 |
| X | X | X | X | X | All other values reserved | 所有其他保留值 | 0xXX |
我们可以看到,在Major Device Class中,又可以划分为多个不同类型的细小的种类,例如,Audio/Video中,包含了headset、speaker、stereo等分类,该分类对应的就是Minor Device Class;
Minor Device Class
Minor Device Class 字段(CoD 中的位7至2)应仅在Major Device Class(但独立于服务类字段)环境中解释。因此随着"Major Device Class 字段"的值变动,位的意义也会改变。当Minor Device Class 字段指示设备类时,则应报告Major Device Class,例如也可以用作无线手持设备的手机应在Minor Device Class 中使用"Cellular";
Computer Major Class
| 7 | 6 | 5 | 4 | 3 | 2 | Minor Device Class | Desc | Value |
|---|---|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | 0 | Uncategorized, code for device not assigned | 未分类,未指定设备代码 | 0x00 |
| 0 | 0 | 0 | 0 | 0 | 1 | Desktop workstation | 台式机工作站 | 0x01 |
| 0 | 0 | 0 | 0 | 1 | 0 | Server-class computer | 服务器类计算机 | 0x02 |
| 0 | 0 | 0 | 0 | 1 | 1 | Laptop | 膝上型电脑 | 0x03 |
| 0 | 0 | 0 | 1 | 0 | 0 | Handheld PC/PDA (clamshell) | 手持 PC/PDA (clamshell) | 0x04 |
| 0 | 0 | 0 | 1 | 0 | 1 | Palm-size PC/PDA | 掌上型 PC/PDA | 0x05 |
| 0 | 0 | 0 | 1 | 1 | 0 | Wearable computer (watch size) | 可穿戴计算机(手表大小) | 0x06 |
| 0 | 0 | 0 | 1 | 1 | 1 | Tablet | 平板电脑 | 0x07 |
| X | X | X | X | X | X | All other values reserved | 所有其他保留值 | 0xXX |
Phone Major Class
| 7 | 6 | 5 | 4 | 3 | 2 | Minor Device Class | Desc | Value |
|---|---|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | 0 | Uncategorized, code for device not assigned | 未分类,未指定设备代码 | 0x00 |
| 0 | 0 | 0 | 0 | 0 | 1 | Cellular | 手机 | 0x01 |
| 0 | 0 | 0 | 0 | 1 | 0 | Cordless | 无线 | 0x02 |
| 0 | 0 | 0 | 0 | 1 | 1 | Smartphone | 智能手机 | 0x03 |
| 0 | 0 | 0 | 1 | 0 | 0 | Wired modem or voice gateway | 有线调制解调或语音网关 | 0x04 |
| 0 | 0 | 0 | 1 | 0 | 1 | Common ISDN access | 通用 ISDN 接入 | 0x05 |
| X | X | X | X | X | X | All other values reserved | 所有其他保留值 | 0xXX |
Audio/Video Major Class
| 7 | 6 | 5 | 4 | 3 | 2 | Minor Device Class | Desc | Value |
|---|---|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | 0 | Uncategorized, code for device not assigned | 未分类,未指定设备代码 | 0x00 |
| 0 | 0 | 0 | 0 | 0 | 1 | Wearable Headset Device | 可穿戴耳机设备 | 0x01 |
| 0 | 0 | 0 | 0 | 1 | 0 | Hands-free Device | 免提设备 | 0x02 |
| 0 | 0 | 0 | 0 | 1 | 1 | (Reserved) | (保留) | 0x03 |
| 0 | 0 | 0 | 1 | 0 | 0 | Microphone | 麦克风 | 0x04 |
| 0 | 0 | 0 | 1 | 0 | 1 | Loudspeaker | 扬声器 | 0x05 |
| 0 | 0 | 0 | 1 | 1 | 0 | Headphones | 耳机 | 0x06 |
| 0 | 0 | 0 | 1 | 1 | 1 | Portable Audio | 便携式音频 | 0x07 |
| 0 | 0 | 1 | 0 | 0 | 0 | Car Audio | 汽车音频 | 0x08 |
| 0 | 0 | 1 | 0 | 0 | 1 | Set-top box | 机顶盒 | 0x09 |
| 0 | 0 | 1 | 0 | 1 | 0 | HiFi Audio Device | HiFi 音频设备 | 0x0A |
| 0 | 0 | 1 | 0 | 1 | 1 | VCR | VCR | 0x0B |
| 0 | 0 | 1 | 1 | 0 | 0 | Video Camera | 摄像机 | 0x0C |
| 0 | 0 | 1 | 1 | 0 | 1 | Camcorder | 便携式摄像放像一体机 | 0x0D |
| 0 | 0 | 1 | 1 | 1 | 0 | Video Monitor | 视频监控 | 0x0E |
| 0 | 0 | 1 | 1 | 1 | 1 | Video Display and Loudspeaker | 视频显示器和扬声器 | 0x0F |
| 0 | 1 | 0 | 0 | 0 | 0 | Video Conferencing | 视频会议 | 0x10 |
| 0 | 1 | 0 | 0 | 0 | 1 | (Reserved) | (保留) | 0x11 |
| 0 | 1 | 0 | 0 | 1 | 0 | Gaming/Toy | 游戏/玩具 | 0x12 |
| X | X | X | X | X | X | All other values reserved | 所有其他保留值 | 0xXX |
Major Service Classes
主要和次要设备类用于定义Bluetooth SIG成员希望与其应用程序相关联的设备通用系列。不应仅根据主要或次要设备类的分配而作出有关任何应用的特定功能或特性的假设。
| bit | Major Service Class | Desc |
|---|---|---|
| 13 | Limited Discoverable Mode | 有限可发现模式[Ref #1] |
| 14 | LE audio | 低功耗Audio |
| 15 | (reserved) | 保留 |
| 16 | Positioning(Location identification) | 定位(位置标识) |
| 17 | Networking(LAN,Ad hoc) | 网络(LAN、Ad hoc ...) |
| 18 | Rendering(Printing,Speakers,...) | 渲染(打印、扬声器 ...) |
| 19 | Capturing(Scanner,Microphone,...) | 捕捉(扫描仪、麦克风 ...) |
| 20 | Object Transfer(v-Inbox,v-Folder,...) | 对象传输(v-Inbox、v-Folder ...) |
| 21 | Audio(Speaker,Microphone,Headset service,...) | 音频(扬声器、麦克风、耳机服务 ...) |
| 22 | Telephony(Cordless telephony,Modem,Headset service,...) | 电话(无绳电话、调制解调器、耳机服务 ...) |
| 23 | Informat(WEB-server,WAP-server,...) | 信息(WEB 服务器、WAP 服务器) |
Write Page Timeout
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Write Page Timeout
Command Opcode: Write Page Timeout (0x0c18)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0001 1000 = Opcode Command Field: Write Page Timeout (0x018)
Parameter Total Length: 2
Timeout: 8192 slots (5120 msec)
[Response in frame: 64]
[Command-Response Delta: 0.837ms]该命令用于向蓝牙芯片写入寻呼超时时间;
- Timeout:8192 slots,即5120 ms;
Response的Status为Success;
Write Default Link Policy Settings
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Write Default Link Policy Settings
Command Opcode: Write Default Link Policy Settings (0x080f)
0000 10.. .... .... = Opcode Group Field: Link Policy Commands (0x02)
.... ..00 0000 1111 = Opcode Command Field: Write Default Link Policy Settings (0x00f)
Parameter Total Length: 2
.... .... .... ...1 = Enable Master Slave Switch: true (1)
.... .... .... ..1. = Enable Hold Mode: true (1)
.... .... .... .1.. = Enable Sniff Mode: true (1)
.... .... .... 0... = Enable Park Mode: false (0)
[Response in frame: 66]
[Command-Response Delta: 1.518ms]该命令用于向蓝牙芯片写入默认的连接策略;
- Enable Master Slave Switch = true:支持主设备/从设备开关
| Value | Parameter Description | Desc |
|---|---|---|
| 0x00 | Active mode | |
| 0x01 | Hold mode | 保持模式,蓝牙节能模式中最简单的一种,主从设备将对从设备处于保持模式的时间进行协商 ,一旦连接处于保持模式,此连接就不再支持数据包 |
| 0x02 | Sniff mode | 呼吸模式,通过减少主设备 发送数据 的时隙数并相应减少从设备监听的时隙数,从而达到节省电源的目的; |
| 0x03 | Park State | 休眠模式,暂停模式可以最大限度的节省电源,但是,当设备处于暂停模式时,就不再发送和接收用户数据,也不能维护已经建立的SCO链路; |
| 0x04-0xFF | Reserved for future use |
Response的Status为Success;
Read Local Name
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Read Local Name
Command Opcode: Read Local Name (0x0c14)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0001 0100 = Opcode Command Field: Read Local Name (0x014)
Parameter Total Length: 0
[Response in frame: 68]
[Command-Response Delta: 3.78ms]该命令用于读取芯片的蓝牙名称;
yaml
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 252
Number of Allowed Command Packets: 1
Command Opcode: Read Local Name (0x0c14)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0001 0100 = Opcode Command Field: Read Local Name (0x014)
Status: Success (0x00)
Device Name:
[Command in frame: 67]
[Command-Response Delta: 3.78ms]对应返回的Response的Device Name为空;
Change Local Name
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Change Local Name
Command Opcode: Change Local Name (0x0c13)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0001 0011 = Opcode Command Field: Change Local Name (0x013)
Parameter Total Length: 248
Device Name: HAVAL_6720
[Response in frame: 70]
[Command-Response Delta: 15.528ms]该命令用于设置本地蓝牙名称;
- Device Name = HAVAL_6720:用于设置的蓝牙名称;
Response的Status为Success;
Write Extended Inquiry Response
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - Write Extended Inquiry Response
Command Opcode: Write Extended Inquiry Response (0x0c52)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0101 0010 = Opcode Command Field: Write Extended Inquiry Response (0x052)
Parameter Total Length: 241
FEC Required: true (1)
Extended Inquiry Response Data
Device Name: HAVAL_6720
Length: 11
Type: Device Name (0x09)
Device Name: HAVAL_6720
16-bit Service Class UUIDs
Length: 1
Type: 16-bit Service Class UUIDs (0x03)
32-bit Service Class UUIDs
Length: 1
Type: 32-bit Service Class UUIDs (0x05)
128-bit Service Class UUIDs
Length: 1
Type: 128-bit Service Class UUIDs (0x07)
Unused
[Response in frame: 72]
[Command-Response Delta: 6.164ms]该命令用于把Extended inquiry response写入到芯片;主要用于设备被搜索时回复的Response;
-
FEC Required = true:表示是否需要FEC编码;0x00表示不需要,0x01表示需要
-
Extended Inquiry Response Data:需要设置的extended inquiry response数据,注意这个数据在执行HCI Reset以后不会被保留,初始值是全0;这个对应的就是低功耗蓝牙广播数据类型;
- Device Name:蓝牙设备名称,0x09对应的为Complete Local Name;
- 16-bit Service Class UUIDs:16位服务等级UUID列表,0x03对应的为Complete List of 16-bit Service Class UUIDs,完整列表;
- 32-bit Service Class UUIDs:32位服务等级UUID列表,0x05对应的为Complete List of 32-bit Service Class UUIDs;
- 128-bit Service Class UUIDs:128位服务等级UUID列表,0x07对应的为Complete List of 128-bit Service Class UUIDs;
目前的sent过程中并没有写入任何的Service UUID信息;
Response的Status为Success;
LE Set Random Address
yaml
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - LE Set Random Address
Command Opcode: LE Set Random Address (0x2005)
0010 00.. .... .... = Opcode Group Field: LE Controller Commands (0x08)
.... ..00 0000 0101 = Opcode Command Field: LE Set Random Address (0x005)
Parameter Total Length: 6
BD_ADDR: 76:18:40:57:a8:b2 (76:18:40:57:a8:b2)
[Response in frame: 76]
[Command-Response Delta: 0.76ms]该命令用于设置一个新的Random地址,包括Resolvable private address类型的地址;
- BD_ADDR = 76:18:40:57:a8:b2:本地设备的mac地址;
Resolvable private address应用场景及HCI命令介绍
BLE Resolvable private address的解析和过滤操作是在Link Layer实现的,因而为BLE的广播通信提供了一个相对安全的加密环境。Link Layer以Resolving List的形式,通过HCI向Host提供相关的控制API,以实现相应的功能,相关的HCI命令介绍如下:
- LE Set Random Address Command:设置一个新的Random地址,包括Resolvable private address类型的地址。
- LE Add Device to Resolving List Command:将指定的设备添加到本机的Resolving List中,需要指定的参数包括:需要添加设备的地址(包括地址类型)、需要添加设备的IRK、本设备的IRK。
- LE Remove Device From Resolving List Command:将指定设备从本机的Resolving List中删除。
- LE Clear Resolving List Command:清除本机的Resolving List。
- LE Read Resolving List Size Command:读取本机Resolving List的大小。
- LE Read Peer Resolvable Address Command:读取对端设备解析后的Resolvable private address。
- LE Read Local Resolvable Address Command:读取本机设备解析后的Resolvable private address。
- LE Set Address Resolution Enable Command:禁止/使能地址解析功能。
Response的Status为Success;
Write Extended Inquiry Response
yaml
Bluetooth HCI Command - Write Extended Inquiry Response
Command Opcode: Write Extended Inquiry Response (0x0c52)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0101 0010 = Opcode Command Field: Write Extended Inquiry Response (0x052)
Parameter Total Length: 241
FEC Required: true (1)
Extended Inquiry Response Data
Device Name: HAVAL_6720
Length: 11
Type: Device Name (0x09)
Device Name: HAVAL_6720
16-bit Service Class UUIDs
Length: 15
Type: 16-bit Service Class UUIDs (0x03)
UUID 16: OBEX Object Push (0x1105)
UUID 16: Audio Sink (0x110b)
UUID 16: A/V Remote Control Target (0x110c)
UUID 16: A/V Remote Control (0x110e)
UUID 16: Handsfree (0x111e)
UUID 16: SIM Access (0x112d)
UUID 16: PnP Information (0x1200)
32-bit Service Class UUIDs
Length: 1
Type: 32-bit Service Class UUIDs (0x05)
128-bit Service Class UUIDs
Length: 1
Type: 128-bit Service Class UUIDs (0x07)
Unused
[Response in frame: 100]
[Command-Response Delta: 2.617ms]
- OBEX Object Push
- Audio Sink
- A/V Remote Control Target
- A/V Remote Control
- Handsfree
- SIM Access
- PnP Information
这个过程其实就是为本地蓝牙设备适配对应的Service,在后续的过程中,决定了哪些相关的ProfileService需要被启动;
而且上述涉及到的Service都是通过一次次的write指令写入的,每次只能写入一个Service UUID;
Response的Status为Success;
Write Voice Setting
yaml
Bluetooth HCI Command - Write Voice Setting
Command Opcode: Write Voice Setting (0x0c26)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0010 0110 = Opcode Command Field: Write Voice Setting (0x026)
Parameter Total Length: 2
0000 00.. .... .... = Unused bits: 0x00
.... ..00 .... .... = Input Coding: Linear (0)
.... .... 01.. .... = Input Data Format: 2's complement (1)
.... .... ..1. .... = Input Sample Size: 16 bit (only for Linear PCM) (1)
.... .... ...0 00.. = Linear PCM Bit Position: 0
.... .... .... ..00 = Air Coding Format: CVSD (0)
[Response in frame: 88]
[Command-Response Delta: 5.55ms]该命令用于将Voice Setting写入到芯片,主要是用于语音连接的相关配置;
- Unused bits:
- Input Coding:输入编码方式
- Input Data Format:输入数据格式
- Input Sample Size:采样率
- Linear PCM Bit Position:
- Air Coding Format:空中编码格式
Response的Status为Success;
Write Inquiry Scan Activity
yaml
Bluetooth HCI Command - Write Inquiry Scan Activity
Command Opcode: Write Inquiry Scan Activity (0x0c1e)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0001 1110 = Opcode Command Field: Write Inquiry Scan Activity (0x01e)
Parameter Total Length: 4
Interval: 2048 slots (1280 msec)
Window: 18 slots (11.25 msec)
[Response in frame: 90]
[Command-Response Delta: 19.117ms]该命令用于向芯片写入查询扫描的周期性间隔大小和周期大小;
- Interval:周期性扫描的间隔大小,2048 slots
- Window:周期大小,18 slots
Response的Status为Success;
Write Scan Enable
yaml
Bluetooth HCI Command - Write Scan Enable
Command Opcode: Write Scan Enable (0x0c1a)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0001 1010 = Opcode Command Field: Write Scan Enable (0x01a)
Parameter Total Length: 1
Scan Enable: Inquiry Scan disabled/Page Scan enabled (0x02)
[Response in frame: 94]
[Command-Response Delta: 9.467ms]该命令主要是用于设置Scan Enable的值,其中包含了两种Scan:inquiry Scan、Page Scan;
-
Scan Enable
- Inquiry Scan:disabled
- Page Scan:enabled
inquiry & page
我们描述一下inquiry和page的区分:
-
inquiry:让蓝牙芯片进入发现周围蓝牙设备的模式,对应的返回值为周围蓝牙设备的信号;
-
page:发起连接的蓝牙设备向被连接的蓝牙设备发起连接请求或者是认证,请求即一次page动作。
手机点击请求连接目标蓝牙设备的过程中发送的很多命令都会进行page动作;
inquiry scan和page scan这两个实际上是一个状态的描述,inquiry和page代表的是动作;
- inquiry scan:这就是我们通常看到的可被发现的设备。体现在上层就是我们在android系统中点击设备可被周围什么发现,那设备就处于这样的状态;
- page scan:这个子状态是和page对应的,它就是等待被page的slave所处的状态,换句话说,若想被page到,我们就要处于page scan的状态;
Response的Status为Success;
总结
上述涉及到的HCI Command都是在BT 启动过程中涉及到的一些Command,用于初始化配置Host和Controller模块;