Analysis based on Android P

# BT bluedroid BOND

## Overview

With the bluedroid initialization and scan flows analyzed, the next step is pairing.

First we need to know what Bluetooth pairing is.

From the UI point of view, it presents the user with a "paired" state; for the Bluetooth devices themselves, it is an exchange of messages between two devices that establishes trust.

- Trust establishment: when two Bluetooth devices connect for the first time, a PIN confirmation is normally required. The exceptions are simple devices such as Bluetooth speakers and headsets; between two phones a PIN confirmation is usually needed, and only once the PIN has been confirmed is the Bluetooth path open and the phone shows "connected".
- PIN: Personal Identification Number. A PIN is a passcode made up of digits, used to authenticate the user and authorize access to a system. Bluetooth file transfer, for example, requires that the devices have already paired successfully; if they have not paired, or the pairing failed, the other system cannot be accessed and the file cannot be pushed to it.

## Bluetooth pairing

Communication between two Bluetooth devices relies on a highly unreliable wireless link, so the communication has to include data encryption and data-integrity checks.

The Bluetooth pairing process consists of:

- Pairing: the process of creating one or more shared secret keys (SSK, Shared Secret Keys);
- Bonding: storing the keys generated during pairing for use in later connections, creating a trusted device;
- Device authentication: verifying that the two devices hold the same key;
- Encryption: protecting the confidentiality of messages;
- Message integrity: preventing forged messages.

As for the key: if no usable key exists on either device, one has to be created by the PIN or SSP method.

During pairing, an initialization key is created from the PIN, a random number and the BD_ADDR.

Once the initialization key has been computed, the link key is created. The link key is used to authenticate the two devices on subsequent connections, protecting the communication from third-party attacks and eavesdropping.
## bluedroid bond

### bond flow

- Delete the link key previously stored for the given BD_ADDR. The BD_ADDR is the remote device; with the head unit as master and the phone as slave, the link key deleted is the one the master holds for the slave.
- Read the remote device name. The name is obtained through the BD_ADDR in the deviceInfo found during the scan phase.
  - After the Read Remote Device Name command is sent, the Controller responds by reporting a Remote Host Supported Features Notification event to the upper layer; in this stage the device record is created, its basic parameters initialized, and the record stored in the database.
  - Finally the Controller answers the HCI_REMOTE_NAME_REQUEST command with REMOTE_NAME_REQUEST_COMPLETE_EVT. The name-read timeout is cancelled first, the matching structure is looked up by BD_ADDR, and then the ACL link connection is triggered from within that function.
- The ACL connection is triggered in the response to HCI_REMOTE_NAME_REQUEST: an HCI_CREATE_CONNECTION command is sent to establish a connection to the specified device, and once the command has executed the host receives the corresponding Command_Complete_Evt.
- After Connection_Complete_Evt is reported, in that response the Host sends HCI_READ_CLOCK_OFFSET to the Controller to read the remote device's clock offset, i.e. to synchronize the clocks for frequency hopping. When it finishes, the host receives the HCI_READ_CLOCK_OFFSET_COMPLETE event.
- Likewise after Connection_Complete_Evt, and after the Host has sent HCI_READ_CLOCK_OFFSET, the Host sends HCI_WRITE_POLICY_SETTINGS to configure the link policy: how the local Link Manager handles Role switch, Park State, Hold Mode and Sniff Mode on the ACL connection identified by Connection_Handle. When the command completes, the host receives an HCI_Command_Complete event.
- After the link policy write command is sent, the link supervision timeout is set; when the command completes, the host receives an HCI_Command_Complete event.
- Next, the version information, the remote device's supported features list and its extended features list are read.
- Then comes the second key point: Authentication Request. An authentication request is issued, and there are two ways to authenticate:
  - SSP supported: the Host issues HCI_LINK_KEY_REQUEST_NEGATIVE_REPLY;
  - SSP not supported, only Authentication: the Host issues HCI_LINK_KEY_REQUEST_REPLY.

  The confirmation dialog shown to the user during pairing is based on SSP.

  Because devices differ in input/output capability, SSP takes different forms; if the peer can neither input nor confirm, for example, no confirmation dialog can be shown.

  - So before SSP, the device IO capabilities have to be learned: the Controller sends HCI_IO_CAPABILITY_REQUEST to the Host to find out whether the device supports input and output.

  Once the IO capabilities of both devices are known, the SSP method can be chosen; after SSP completes, the link key can be generated.

  This ends the Authentication stage.
- Encryption can be started at any point after pairing or authentication has completed, by sending HCI_Set_Connection_Encryption. The link layer is encrypted, and when encryption finishes the Host receives an HCI_ENCRYPTION_CHANGE event.

The figure above also mentions Disconnect, but so far it does not seem to be part of the pairing process; it will be covered when later analysis reaches it.
## Flow analysis

### cancelDiscovery

Once scanning is started it keeps going until it is stopped explicitly or interrupted by another action.

The action that follows a scan is normally pairing, so before pairing, cancelDiscovery is called to send the stop-scan command to the lower layers.

### createBond

In this stage, before the ACL Connection, a command to fetch the RemoteDevice Name is first sent to the Controller over HCI. When the Controller answers that command, it sends two events to the Host:

- Remote Host Supported Features Notification event: creates the device record, initializes its basic parameters and stores it in the database. While fetching the remote device name, the Link Manager also obtains pages 0 and 1 of the remote device's LMP features;
- Remote Name Request Complete event: the response to the Remote Name Request command, returning the RemoteDevice Name.

At the end of the handler for the Remote Name Request Complete event, the ACL Connection command is sent through btm_sec_dd_create_conn.

#### btm_sec_dd_create_conn

This function reads the number of currently active ACL links, sends the HCI_CREATE_CONNECTION command, and starts the L2CAP connection timeout via alarm_set_on_mloop.

It then waits for the HCI_CONNECTION_COMP_EVT event that answers HCI_CREATE_CONNECTION; the handler for that event carries out the logic needed at the Connection Complete stage.

The HCI_CONNECTION_COMP_EVT handler mainly does the following:

- btm_sec_connected
  - sets the page state to false;
  - updates the timestamp of the device record;
  - updates the device type;
  - records the device being connected to, creating a tACL_CONN structure for it;
  - starts the required security procedure.
- l2c_link_hci_conn_comp
  - updates the busy state of the ACL layer;
  - updates link_state in the link control block (linkCb);
  - sends the peer device information;
  - updates the device information and sends HCI_WRITE_POLICY_SETTINGS to write the link policy to the chip;
  - sets the link timeout monitor.

#### btm_sec_start_authentication

After the HCI_CONNECTION_COMP_EVT handler finishes, the Remote Name Request Complete event is handled next.

In the Remote Name Request Complete event handler, right after the ACL Connection is issued, btm_sec_start_authentication is called to start authentication.

This stage mainly does the following:

- starts the authentication stage;
- sets the sm4 field to BTM_SM4_TRUE;
- raises the system busy level to BTM_BLI_ACL_UP_EVT;
- checks the IO capabilities of both devices;
- sets the pairing state to WAIT_LOCAL_IOCAPS.

Once authentication is done, encryption setup follows.

#### btu_hcif_encryption_change_evt

After the connection is established, the link layer can enable encryption of packets at the host's request:

- Host A sends the LE Start Encryption HCI command to ask the link layer to start encryption. Two parameters, IV and SKD, are exchanged in this process.
- On receiving the host's encryption request, LL A sends an LL_ENC_REQ PDU to LL B to request encryption.
- On receiving LL_ENC_REQ, LL B sends an LE Long Term Key Request HCI event to Host B.
- If Host B can provide the LTK, it hands it to LL B with the LE Long Term Key Request Reply HCI command.
- Once LL B has the LTK, it answers LL A with an LL_ENC_RSP PDU.
- On receiving LL_ENC_RSP, LL A can send LL_START_ENC_REQ to LL B to enable encryption, and LL B returns LL_START_ENC_RSP. Neither PDU carries parameters.

Once encryption has started, the two sides can communicate securely.
## Protocol packet analysis

### cancelDiscovery

#### Inquiry Cancel

```yaml
Bluetooth HCI Command - Inquiry Cancel
Command Opcode: Inquiry Cancel (0x0402)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0000 0010 = Opcode Command Field: Inquiry Cancel (0x002)
Parameter Total Length: 0
[Response in frame: 248]
[Command-Response Delta: 4.248ms]
```

The corresponding Response:

```yaml
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 4
Number of Allowed Command Packets: 1
Command Opcode: Inquiry Cancel (0x0402)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0000 0010 = Opcode Command Field: Inquiry Cancel (0x002)
Status: Success (0x00)
[Command in frame: 247]
[Command-Response Delta: 4.248ms]
```
### createBond

#### Delete Stored Link Key

```yaml
Bluetooth HCI Command - Delete Stored Link Key
Command Opcode: Delete Stored Link Key (0x0c12)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0001 0010 = Opcode Command Field: Delete Stored Link Key (0x012)
Parameter Total Length: 7
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
Delete All Flag: Delete only Link Key for specified BD_ADDR (0x00)
[Response in frame: 250]
[Command-Response Delta: 1.239ms]
```

This command deletes one or more link keys stored in the Bluetooth controller.

- Link Key: the key used to authenticate the devices when they connect and to encrypt the data they exchange, which is what gives Bluetooth its security.

The corresponding Response is returned with Status = Success.
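The opcode decomposition shown in the captures (OGF in the top 6 bits, OCF in the low 10) and the little-endian parameter layout are easy to get wrong when reading raw HCI logs, so here is an added example, not code from the post or from bluedroid, that rebuilds the Inquiry Cancel, Delete Stored Link Key, Write Link Policy Settings and Write Link Supervision Timeout commands from the captures byte for byte and parses the Command Complete event that answers Inquiry Cancel. The H4 packet indicators, the opcode rule and the BD_ADDR byte order are the HCI encoding from the Core spec; the function names and the reconstructed event bytes are this example's own.

```python
"""HCI command/opcode helpers (added example, not bluedroid code).
Encoding assumed: opcode = OGF << 10 | OCF, multi-octet fields little-endian,
BD_ADDR transmitted least-significant octet first, H4 indicator in front."""
import struct

H4_COMMAND = 0x01               # H4 (UART) packet indicator: HCI command
H4_EVENT = 0x04                 # H4 packet indicator: HCI event
EVT_COMMAND_COMPLETE = 0x0E
SLOT_MS = 0.625                 # one Bluetooth slot

# opcodes as they appear in the captures above
OP_INQUIRY_CANCEL = 0x0402
OP_DELETE_STORED_LINK_KEY = 0x0C12
OP_WRITE_LINK_POLICY_SETTINGS = 0x080D
OP_WRITE_LINK_SUPERVISION_TIMEOUT = 0x0C37

OGF_NAMES = {0x01: "Link Control", 0x02: "Link Policy",
             0x03: "Host Controller & Baseband"}

# link policy bits of the Write Link Policy Settings parameter
POLICY_ROLE_SWITCH, POLICY_HOLD, POLICY_SNIFF, POLICY_PARK = 0x01, 0x02, 0x04, 0x08


def make_opcode(ogf, ocf):
    """Pack OGF (6 bits) and OCF (10 bits) into a 16-bit opcode."""
    if not (0 <= ogf < 64 and 0 <= ocf < 1024):
        raise ValueError("OGF/OCF out of range")
    return (ogf << 10) | ocf


def split_opcode(opcode):
    """Inverse of make_opcode: (OGF, OCF)."""
    return opcode >> 10, opcode & 0x03FF


def bdaddr_to_bytes(text):
    """'30:aa:e4:42:c7:dd' -> the 6 octets in over-the-air (reversed) order."""
    octets = bytes(int(x, 16) for x in text.split(":"))
    if len(octets) != 6:
        raise ValueError("BD_ADDR must have 6 octets")
    return octets[::-1]


def bytes_to_bdaddr(raw):
    return ":".join(f"{b:02x}" for b in raw[::-1])


def build_command(opcode, params=b""):
    """H4 command packet: indicator, opcode, parameter length, parameters."""
    if len(params) > 255:
        raise ValueError("HCI parameters exceed 255 octets")
    return bytes([H4_COMMAND]) + struct.pack("<HB", opcode, len(params)) + params


def inquiry_cancel():
    return build_command(OP_INQUIRY_CANCEL)


def delete_stored_link_key(bdaddr, delete_all=False):
    # Delete_All_Flag: 0x00 = only the key for BD_ADDR, 0x01 = every stored key
    flag = bytes([0x01 if delete_all else 0x00])
    return build_command(OP_DELETE_STORED_LINK_KEY, bdaddr_to_bytes(bdaddr) + flag)


def write_link_policy_settings(handle, policy):
    return build_command(OP_WRITE_LINK_POLICY_SETTINGS, struct.pack("<HH", handle, policy))


def write_link_supervision_timeout(handle, timeout_ms):
    slots = round(timeout_ms / SLOT_MS)          # 5000 ms -> 8000 slots
    if not 0x0001 <= slots <= 0xFFFF:
        raise ValueError("timeout out of range")
    return build_command(OP_WRITE_LINK_SUPERVISION_TIMEOUT, struct.pack("<HH", handle, slots))


def parse_command(pkt):
    """Decode an H4 command packet, rejecting truncated input."""
    if len(pkt) < 4 or pkt[0] != H4_COMMAND:
        raise ValueError("not an HCI command packet")
    opcode, plen = struct.unpack_from("<HB", pkt, 1)
    params = pkt[4:4 + plen]
    if len(params) != plen:
        raise ValueError("parameter block truncated")
    ogf, ocf = split_opcode(opcode)
    return {"opcode": opcode, "ogf": ogf, "ocf": ocf,
            "group": OGF_NAMES.get(ogf, "unknown"), "params": params}


def parse_command_complete(pkt):
    """Decode a Command Complete event: which opcode it answers, and its status."""
    if len(pkt) < 3 or pkt[0] != H4_EVENT or pkt[1] != EVT_COMMAND_COMPLETE:
        raise ValueError("not a Command Complete event")
    plen = pkt[2]
    body = pkt[3:3 + plen]
    if len(body) != plen or plen < 4:
        raise ValueError("event truncated")
    num_pkts, opcode, status = struct.unpack_from("<BHB", body, 0)
    return {"num_hci_command_packets": num_pkts, "opcode": opcode,
            "status": status, "return_params": body[4:]}


if __name__ == "__main__":
    print(delete_stored_link_key("30:aa:e4:42:c7:dd").hex())
    # constructed bytes of the Command Complete event for Inquiry Cancel above
    print(parse_command_complete(bytes.fromhex("040e0401020400")))
```

Delete Stored Link Key with `delete_all=False` is the safe form seen in the capture: it removes only the key for the peer being re-paired, while `delete_all=True` would wipe every bond the controller holds.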
#### Remote Name Request

```yaml
Bluetooth HCI Command - Remote Name Request
Command Opcode: Remote Name Request (0x0419)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 1001 = Opcode Command Field: Remote Name Request (0x019)
Parameter Total Length: 10
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
Page Scan Repetition Mode: R1 (0x01)
Page Scan Mode: Mandatory Page Scan Mode (0x00)
.001 0000 1101 0100 = Clock Offset: 0x10d4 (5385 msec)
1... .... .... .... = Clock_Offset_Valid_Flag: true (1)
[Pending in frame: 252]
[Command-Pending Delta: 1.605ms]
[Response in frame: 254]
[Command-Response Delta: 205.412ms]
```

- BD_ADDR: the address of the device whose Remote Device Name is requested.

The Response confirming that the command was sent is returned with Status = Success.

In answer to this command, the Controller returns two HCI Events:

- Remote Host Supported Features Notification
- Remote Name Request Complete
##### Remote Host Supported Features Notification

```yaml
Bluetooth HCI Event - Remote Host Supported Features Notification
Event Code: Remote Host Supported Features Notification (0x3d)
Parameter Total Length: 14
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
LMP Features
.... ...1 = 3-slot packets: True
.... ..1. = 5-slot packets: True
.... .1.. = Encryption: True
.... 1... = Slot Offset: True
...0 .... = Timing Accuracy: False
..0. .... = Role Switch: False
.0.. .... = Hold Mode: False
0... .... = Sniff Mode: False
.... ...0 = Park Mode: False
.... ..0. = Power Control Requests: False
.... .0.. = Channel Quality Driven Data Rate: False
.... 0... = SCO Link: False
...0 .... = HV2 packets: False
..0. .... = HV3 packets: False
.0.. .... = u-law Log Synchronous Data: False
0... .... = A-law Log Synchronous Data: False
.... ...0 = CVSD Synchronous Data: False
.... ..0. = Paging Parameter Negotiation: False
.... .0.. = Power Control: False
.... 0... = Transparent Synchronous Data: False
.000 .... = Flow Control Lag: 0 (0 bytes)
0... .... = Broadband Encryption: False
.... ...0 = Reserved: False
.... ..0. = EDR ACL 2 Mbps Mode: False
.... .0.. = EDR ACL 3 Mbps Mode: False
.... 0... = Enhanced Inquiry Scan: False
...0 .... = Interlaced Inquiry Scan: False
..0. .... = Interlaced Page Scan: False
.0.. .... = RSSI with Inquiry Results: False
0... .... = EV3 Packets: False
.... ...0 = EV4 Packets: False
.... ..0. = EV5 Packets: False
.... .0.. = Reserved: False
.... 0... = AFH Capable Slave: False
...0 .... = AFH Classification Slave: False
..0. .... = BR/EDR Not Supported: False
.0.. .... = LE Supported Controller: False
0... .... = 3-slot EDR ACL packets: False
.... ...0 = 5-slot EDR ACL packets: False
.... ..0. = Sniff Subrating: False
.... .0.. = Pause Encryption: False
.... 0... = AFH Capable Master: False
...0 .... = AFH Classification Master: False
..0. .... = EDR eSCO 2 Mbps Mode: False
.0.. .... = EDR eSCO 3 Mbps Mode: False
0... .... = 3-slot EDR eSCO Packets: False
.... ...0 = Extended Inquiry Response: False
.... ..0. = Simultaneous LE and BR/EDR to Same Device Capable Controller: False
.... .0.. = Reserved: False
.... 0... = Secure Simple Pairing: False
...0 .... = Encapsulated PDU: False
..0. .... = Erroneous Data Reporting: False
.0.. .... = Non-flushable Packet Boundary Flag: False
0... .... = Reserved: False
.... ...0 = Link Supervision Timeout Changed Event: False
.... ..0. = Inquiry TX Power Level: False
.... .0.. = Enhanced Power Control: False
.000 0... = Reserved: False
0... .... = Extended Features: False
```

- BD_ADDR = HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd): the Remote Device Address;
- LMP Features: the list of LMP features supported by the Remote Device.
##### Remote Name Request Complete

```less
Bluetooth HCI Event - Remote Name Request Complete
Event Code: Remote Name Request Complete (0x07)
Parameter Total Length: 255
Status: Success (0x00)
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
Remote Name: dupz
[Command in frame: 251]
[Pending in frame: 252]
[Pending-Response Delta: 203.807ms]
[Command-Response Delta: 205.412ms]
```

- BD_ADDR = HuaweiDe_42:c7:dd: the Remote Device Address;
- Remote Name: the name of the remote device.
#### Create ACL Connection

##### Create Connection

```yaml
Bluetooth HCI Command - Create Connection
Command Opcode: Create Connection (0x0405)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0000 0101 = Opcode Command Field: Create Connection (0x005)
Parameter Total Length: 13
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
Packet Type: 0xcc18, DH5, DM5, DH3, DM3, DH1, DM1
1... .... .... .... = DH5: True
.1.. .... .... .... = DM5: True
..0. .... .... .... = 3-DH5: False
...0 .... .... .... = 2-DH5: False
.... 1... .... .... = DH3: True
.... .1.. .... .... = DM3: True
.... ..0. .... .... = 3-DH3: False
.... ...0 .... .... = 2-DH3: False
.... .... 000. .... = Reserved: 0x0
.... .... ...1 .... = DH1: True
.... .... .... 1... = DM1: True
.... .... .... .0.. = 3-DH1: False
.... .... .... ..0. = 2-DH1: False
.... .... .... ...0 = Reserved: False
Page Scan Repetition Mode: R1 (0x01)
Page Scan Mode: Mandatory Page Scan Mode (0x00)
.001 0000 1101 0100 = Clock Offset: 0x10d4 (5385 msec)
1... .... .... .... = Clock_Offset_Valid_Flag: true (1)
Allow Role Switch: Local device may be master, or may become slave after accepting a master slave switch. (0x01)
[Pending in frame: 256]
[Command-Pending Delta: 1.125ms]
[Response in frame: 257]
[Command-Response Delta: 2016.177ms]
```

This command creates an ACL link to the specified Remote Device Address.

- Packet Type: the packet types; lists the different packet types the Remote Device supports.

The Packet Type parameter involves the concept of Bluetooth baseband packets. A baseband packet consists of at least an access code, a packet header and a payload:

- the access code is used for synchronization, DC offset compensation and identification;
- the packet header carries link information and is protected so that a relatively large number of errors can be corrected.

Baseband packets are also distinguished by link type.

###### ACL packets

D(M|H)(1|3|5): D stands for a data packet; M for a medium-rate packet using 2/3-rate FEC; H for a high-rate packet without error-correcting code; 1, 3 and 5 are the number of slots the packet occupies.

| Type | Payload header (bytes) | User payload (bytes) | FEC | CRC | Symmetric max rate (kbps) | Asymmetric rate, forward (kbps) | Asymmetric rate, reverse (kbps) |
|---|---|---|---|---|---|---|---|
| DM1 | 1 | 0~17 | 2/3 | yes | 108.8 | 108.8 | 108.8 |
| DH1 | 1 | 0~27 | none | yes | 172.8 | 172.8 | 172.8 |
| DM3 | 2 | 0~127 | 2/3 | yes | 258.1 | 387.2 | 54.4 |
| DH3 | 2 | 0~183 | none | yes | 390.4 | 585.6 | 86.4 |
| DM5 | 2 | 0~224 | 2/3 | yes | 286.7 | 477.8 | 36.3 |
| DH5 | 2 | 0~339 | none | yes | 433.9 | 723.2 | 57.6 |
| AUX1 | 1 | 0~29 | none | none | 185.6 | 185.6 | 185.6 |

###### SCO packets

HV(1|2|3): HV stands for a high-quality voice packet; 1, 2 and 3 indicate the error-correction scheme of the payload. 1 is 1/3-rate FEC, with the device sending one single-slot packet every 2 slots; 2 is 2/3-rate FEC, one single-slot packet every 4 slots; 3 uses no error-correcting code, one single-slot packet every 6 slots.

| Type | Payload header (bytes) | User payload (bytes) | FEC | CRC | Payload length | Sync rate (kbps) | Tsco slots / speech length |
|---|---|---|---|---|---|---|---|
| HV1 | none | 10 | 1/3 | none | 240 bit | 64 | 2 / 1.25 ms |
| HV2 | none | 20 | 2/3 | none | 240 bit | 64 | 4 / 2.5 ms |
| HV3 | none | 30 | none | none | 240 bit | 64 | 6 / 3.75 ms |
| DV | 1 (D) | 10 + (0~9) (D) | 2/3 (D) | yes (D) | | 64 + 57.6 (D) | |

The Response confirming that the command was sent is returned with Status = Pending.
```yaml
Bluetooth HCI Event - Connect Complete
Event Code: Connect Complete (0x03)
Parameter Total Length: 11
Status: Success (0x00)
Connection Handle: 0x0003
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
Link Type: ACL connection (Data Channels) (0x01)
Encryption Mode: Encryption Disabled (0x00)
[Command in frame: 255]
[Pending in frame: 256]
[Pending-Response Delta: 2015.052ms]
[Command-Response Delta: 2016.177ms]
```

After answering the Create Connection command, the Controller reports a Connect Complete event to the upper layer:

- Status: Success;
- Connection Handle: 0x0003, the connection handle identifying the ACL connection between the local and remote device;
- BD_ADDR: HuaweiDe_42:c7:dd;
- Link Type: ACL connection (Data Channels);
- Encryption Mode: encryption disabled.
#### Read Clock offset

```yaml
Bluetooth HCI Command - Read Clock offset
Command Opcode: Read Clock offset (0x041f)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 1111 = Opcode Command Field: Read Clock offset (0x01f)
Parameter Total Length: 2
Connection Handle: 0x0003
[Pending in frame: 260]
[Command-Pending Delta: 1.203ms]
[Response in frame: 277]
[Command-Response Delta: 72.224ms]
```

- Connection Handle: the handle the command operates on, i.e. the Handle generated when the ACL Connection succeeded.

The Response confirming that the command was sent is returned with Status = Pending. Pending means the command was sent successfully but the Controller has not yet issued the HCI_EVENT that answers it.

```yaml
Bluetooth HCI Event - Read Clock Offset Complete
Event Code: Read Clock Offset Complete (0x1c)
Parameter Total Length: 5
Status: Success (0x00)
Connection Handle: 0x0003
.001 0000 1101 0110 = Clock Offset: 0x10d6 (5387.5 ms)
[Command in frame: 258]
[Pending in frame: 260]
[Pending-Response Delta: 71.021ms]
[Command-Response Delta: 72.224ms]
```

- Clock Offset: the clock difference between master and slave; knowing this value shortens the time the master needs to page the slave.
#### Read Remote Version Information

```yaml
Bluetooth HCI Command - Read Remote Version Information
Command Opcode: Read Remote Version Information (0x041d)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 1101 = Opcode Command Field: Read Remote Version Information (0x01d)
Parameter Total Length: 2
Connection Handle: 0x0003
[Pending in frame: 262]
[Command-Pending Delta: 0.622ms]
[Response in frame: 278]
[Command-Response Delta: 73.542ms]
```

This command reads the version information of the Remote Device's Controller.

The Response confirming that the command was sent is returned with Status = Pending.

```yaml
Bluetooth HCI Event - Read Remote Version Information Complete
Event Code: Read Remote Version Information Complete (0x0c)
Parameter Total Length: 8
Status: Success (0x00)
Connection Handle: 0x0003
LMP Version: 5.1 (0x0a)
Manufacturer Name: HiSilicon Technologies Col, Ltd. (0x010f)
LMP Subversion: 33561
[Command in frame: 261]
[Pending in frame: 262]
[Pending-Response Delta: 72.92ms]
[Command-Response Delta: 73.542ms]
```

- LMP Version: the LMP version number;
- Manufacturer Name = HiSilicon Technologies Col, Ltd.: the manufacturer, Shenzhen HiSilicon Semiconductor Co., Ltd.;
- LMP Subversion: identifies the particular chipset.

##### LMP

LMP (Link Manager Protocol): the link management protocol, generally used to control and negotiate the Bluetooth connection between two devices, including configuring and controlling logical transports, logical links and physical links.

LMP is used for communication between two LMs (Link Managers). All LMP messages apply only to the physical link between the sending and receiving devices and to the logical links and logical transports associated with it.
#### Write Link Policy Settings

```yaml
Bluetooth HCI Command - Write Link Policy Settings
Command Opcode: Write Link Policy Settings (0x080d)
0000 10.. .... .... = Opcode Group Field: Link Policy Commands (0x02)
.... ..00 0000 1101 = Opcode Command Field: Write Link Policy Settings (0x00d)
Parameter Total Length: 4
Connection Handle: 0x0003
.... .... .... ...1 = Enable Master Slave Switch: true (1)
.... .... .... ..1. = Enable Hold Mode: true (1)
.... .... .... .1.. = Enable Sniff Mode: true (1)
.... .... .... 0... = Enable Park Mode: false (0)
[Response in frame: 267]
[Command-Response Delta: 0.706ms]
```

This command sets the link policy of the current connection.

It is executed after the Authentication Requested command has been sent, without waiting for the authentication command's response. During bluedroid enable, the Write Default Link Policy Settings command was already executed to write the default link policy to the Controller; the link policies configured in the two stages are identical.

- Enable Master Slave Switch: allow master/slave role switch;
- Enable Hold Mode: hold mode;
- Enable Sniff Mode: sniff mode;
- Enable Park Mode: park mode.

The Response confirming that the command was sent is returned with Status = Success.
#### Write Link Supervision Timeout

```yaml
Bluetooth HCI Command - Write Link Supervision Timeout
Command Opcode: Write Link Supervision Timeout (0x0c37)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0011 0111 = Opcode Command Field: Write Link Supervision Timeout (0x037)
Parameter Total Length: 4
Connection Handle: 0x0003
Timeout: 8000 slots (5000 msec)
[Response in frame: 269]
[Command-Response Delta: 0.659ms]
```

This command sets the Link Supervision timeout (that is, the link-lost time) monitor.

- Timeout: 8000 slots, i.e. 5000 ms.

The Response confirming that the command was sent is returned with Status = Success.
#### Start Authentication

##### Authentication Requested

This command is sent before Write Link Policy Settings, but its Response arrives some time later rather than immediately.

```yaml
Bluetooth HCI Command - Authentication Requested
Command Opcode: Authentication Requested (0x0411)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 0001 = Opcode Command Field: Authentication Requested (0x011)
Parameter Total Length: 2
Connection Handle: 0x0003
[Pending in frame: 264]
[Command-Pending Delta: 0.804ms]
[Response in frame: 313]
[Command-Response Delta: 3206.621ms]
```

This command authenticates the two Bluetooth addresses joined by the given connection handle.

The Response confirming that the command was sent is returned with Status = Pending.

Finally the result of Authentication Requested is returned in an Authentication Complete event with Status = Success. Between the Command and the Event there is a period of time during which the Controller and Host carry out further operations:
##### Link Key Request Negative Reply

```yaml
Bluetooth HCI Command - Link Key Request Negative Reply
Command Opcode: Link Key Request Negative Reply (0x040c)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0000 1100 = Opcode Command Field: Link Key Request Negative Reply (0x00c)
Parameter Total Length: 6
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
[Response in frame: 271]
[Command-Response Delta: 0.643ms]
```

By the time this command is sent we are already in the Start Authentication stage.

If the host has no Link Key for the given BD_ADDR, it must answer with Link_Key_Request_Negative_Reply; this command is mainly used to initiate SSP. The other case is that the Host sends Link Key Request Reply to the Controller, in which case Authentication proceeds directly.

- SSP: triggered when the Host has no link key for the Remote Device, i.e. the devices have never paired before or the pairing was removed; the two sides then raise the PIN confirmation dialog.
- Authentication: whichever kind of Link Key Request is used, the flow ends up here. This is the mutual authentication step on both ends, which can be thought of as matching.

SSP depends on the device IO capabilities, i.e. whether the device supports input and output. There are four classes of IO device: display only with no input; display plus Yes/No selection; input only with no display; and no input and no output.

The Response confirming that the command was sent is returned with Status = Success.
##### IO Capability Request

```less
Bluetooth HCI Event - IO Capability Request
Event Code: IO Capability Request (0x31)
Parameter Total Length: 6
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
```

The IO capability request event can be understood as the Bluetooth user's pairing request event.
##### IO Capability Request Reply

```yaml
Bluetooth HCI Command - IO Capability Request Reply
Command Opcode: IO Capability Request Reply (0x042b)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0010 1011 = Opcode Command Field: IO Capability Request Reply (0x02b)
Parameter Total Length: 9
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
IO Capability: Display Yes/No (1)
OOB Data Present: OOB Authentication Data Not Present (0)
Authentication Requirements: MITM Protection Required - Dedicated Bonding. Use IO Capabilty To Determine Procedure, No Secure Connection (3)
[Response in frame: 274]
[Command-Response Delta: 0.706ms]
```

This command answers the chip's IO capability request in SSP pairing mode.

- IO Capability: the IO characteristics of the device

| Value | Parameter Description | Desc |
|---|---|---|
| 0x00 | DisplayOnly | Display only, no input |
| 0x01 | DisplayYesNo | Can display and select Yes/No |
| 0x02 | KeyboardOnly | Input only, no display |
| 0x03 | NoInputNoOutput | No input, no output |
| 0x04 - 0xFF | Reserved for future use | Reserved |

- OOB Data Present: OOB (out-of-band). Defines the value used to indicate whether OOB authentication data is available. Transport-layer protocols use out-of-band data to carry important data: when one side has important data to notify the other of, the protocol can deliver it quickly, and to do so it generally uses a separate channel rather than the one used for ordinary data.

| Value | Parameter Description | Desc |
|---|---|---|
| 0x00 | OOB Authentication data not present | OOB authentication data not present |
| 0x01 | OOB Authentication data from remote device present | OOB data received from the remote device |
| 0x02 to 0xFF | Reserved for future use | Reserved |

If OOB authentication data from the BD_ADDR device has already been received when the IO Capability Request event arrives, OOB_Data_Present should be set to 0x01; otherwise, if no OOB authentication data from the BD_ADDR device was received when the IO Capability Request event arrived, OOB_Data_Present should be set to 0x00.

- Authentication Requirements: the authentication requirements

| Value | Parameter Description | Desc |
|---|---|---|
| 0x00 | MITM Protection Not Required -- No Bonding. Numeric comparison with automatic accept allowed. | No MITM protection, no bonding; numeric comparison with automatic accept allowed |
| 0x01 | MITM Protection Required -- No Bonding. Use IO Capabilities to determine authentication procedure | MITM protection, no bonding; IO capabilities determine the authentication procedure |
| 0x02 | MITM Protection Not Required -- Dedicated Bonding. Numeric comparison with automatic accept allowed. | No MITM protection, dedicated bonding; numeric comparison with automatic accept allowed |
| 0x03 | MITM Protection Required -- Dedicated Bonding. Use IO Capabilities to determine authentication procedure | MITM protection required, dedicated bonding; IO capabilities determine the authentication procedure |
| 0x04 | MITM Protection Not Required -- General Bonding. Numeric Comparison with automatic accept allowed. | No MITM protection, general bonding; numeric comparison with automatic accept allowed |
| 0x05 | MITM Protection Required -- General Bonding. Use IO capabilities to determine authentication procedure. | MITM protection required, general bonding; IO capabilities determine the authentication procedure |
| All other values | Reserved for future use | Reserved |

The Response confirming that the command was sent is returned with Status = Success.
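The three parameters above decide which SSP association model the pairing will use and whether the "MITM Protection Required" bit can actually be honoured: Numeric Comparison (the dialog seen later in this trace) and Passkey Entry give MITM protection, Just Works does not, so a host that requires MITM protection but ends up in Just Works must fail the pairing instead of bonding silently. Here is an added example, not code from the post or from bluedroid, that applies the Core spec's IO-capability model-selection rules to the values in the capture (local DisplayYesNo, no OOB data, Authentication Requirements 0x03). The remote phone's IO capability and the function names are assumptions of this example.

```python
"""SSP association-model selection and MITM check (added example, not bluedroid).
Rules follow the Core spec mapping of (initiator IO, responder IO) to a model;
the names and the evaluate_pairing() decision helper are this example's own."""

# IO_Capability values, as in the table above
DISPLAY_ONLY, DISPLAY_YES_NO, KEYBOARD_ONLY, NO_INPUT_NO_OUTPUT = 0, 1, 2, 3
IO_NAMES = {0: "DisplayOnly", 1: "DisplayYesNo", 2: "KeyboardOnly", 3: "NoInputNoOutput"}

# OOB_Data_Present values, as in the table above
OOB_NONE, OOB_FROM_REMOTE = 0, 1

# Authentication_Requirements: bit 0 = MITM protection required,
# bits 2..1 = bonding type (0 none, 1 dedicated, 2 general)
BONDING_NAMES = {0: "No Bonding", 1: "Dedicated Bonding", 2: "General Bonding"}

# models that give man-in-the-middle protection; Just Works does not
MITM_PROTECTED = {"Numeric Comparison", "Passkey Entry", "Out of Band"}


def decode_auth_requirements(value):
    if not 0 <= value <= 5:
        raise ValueError("reserved Authentication_Requirements value")
    return {"mitm_required": bool(value & 0x01), "bonding": BONDING_NAMES[value >> 1]}


def association_model(initiator_io, responder_io,
                      initiator_oob=OOB_NONE, responder_oob=OOB_NONE):
    """Pick the SSP association model for an (initiator, responder) IO pair."""
    for io in (initiator_io, responder_io):
        if io not in IO_NAMES:
            raise ValueError("reserved IO_Capability value")
    # OOB data received on either side takes precedence over IO-based selection
    if OOB_FROM_REMOTE in (initiator_oob, responder_oob):
        return "Out of Band"
    if NO_INPUT_NO_OUTPUT in (initiator_io, responder_io):
        return "Just Works"                 # nothing to show or confirm on one side
    if KEYBOARD_ONLY in (initiator_io, responder_io):
        return "Passkey Entry"              # one side types the 6-digit passkey
    if initiator_io == DISPLAY_YES_NO and responder_io == DISPLAY_YES_NO:
        return "Numeric Comparison"         # both show the value and confirm it
    return "Just Works"                     # a DisplayOnly side cannot confirm


def evaluate_pairing(local_io, local_auth_req, remote_io, remote_auth_req,
                     local_oob=OOB_NONE, remote_oob=OOB_NONE):
    """Model selected for this pairing and whether it may proceed.

    If either side demands MITM protection and the model cannot provide it,
    the host has to reject the pairing rather than create an unauthenticated
    link key."""
    model = association_model(local_io, remote_io, local_oob, remote_oob)
    local = decode_auth_requirements(local_auth_req)
    remote = decode_auth_requirements(remote_auth_req)
    mitm_needed = local["mitm_required"] or remote["mitm_required"]
    mitm_ok = model in MITM_PROTECTED
    return {"model": model, "mitm_protected": mitm_ok,
            "proceed": mitm_ok or not mitm_needed,
            "bonding": local["bonding"]}


if __name__ == "__main__":
    # values from the IO Capability Request Reply above; the phone is assumed
    # (not shown in the capture) to answer DisplayYesNo with the same requirements
    print(evaluate_pairing(DISPLAY_YES_NO, 0x03, DISPLAY_YES_NO, 0x03))
```

With both sides at DisplayYesNo the result is Numeric Comparison, which is why a User Confirmation Request appears later in this trace; had the peer been NoInputNoOutput, the same 0x03 requirement would have made `proceed` false.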
##### Read Remote Supported Features

```yaml
Bluetooth HCI Command - Read Remote Supported Features
Command Opcode: Read Remote Supported Features (0x041b)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 1011 = Opcode Command Field: Read Remote Supported Features (0x01b)
Parameter Total Length: 2
Connection Handle: 0x0003
[Pending in frame: 282]
[Command-Pending Delta: 0.724ms]
[Response in frame: 293]
[Command-Response Delta: 581.252ms]
```

This command reads the features supported by the remote device's Controller.

The Response confirming that the command was sent is returned with Status = Pending.
```yaml
Bluetooth HCI Event - Read Remote Supported Features
Event Code: Read Remote Supported Features (0x0b)
Parameter Total Length: 11
Status: Success (0x00)
Connection Handle: 0x0003
LMP Features
.... ...1 = 3-slot packets: True
.... ..1. = 5-slot packets: True
.... .1.. = Encryption: True
.... 1... = Slot Offset: True
...1 .... = Timing Accuracy: True
..1. .... = Role Switch: True
.0.. .... = Hold Mode: False
1... .... = Sniff Mode: True
.... ...0 = Park Mode: False
.... ..1. = Power Control Requests: True
.... .1.. = Channel Quality Driven Data Rate: True
.... 1... = SCO Link: True
...1 .... = HV2 packets: True
..1. .... = HV3 packets: True
.1.. .... = u-law Log Synchronous Data: True
1... .... = A-law Log Synchronous Data: True
.... ...1 = CVSD Synchronous Data: True
.... ..1. = Paging Parameter Negotiation: True
.... .1.. = Power Control: True
.... 1... = Transparent Synchronous Data: True
.100 .... = Flow Control Lag: 4 (1024 bytes)
0... .... = Broadband Encryption: False
.... ...0 = Reserved: False
.... ..1. = EDR ACL 2 Mbps Mode: True
.... .1.. = EDR ACL 3 Mbps Mode: True
.... 1... = Enhanced Inquiry Scan: True
...1 .... = Interlaced Inquiry Scan: True
..1. .... = Interlaced Page Scan: True
.1.. .... = RSSI with Inquiry Results: True
1... .... = EV3 Packets: True
.... ...1 = EV4 Packets: True
.... ..1. = EV5 Packets: True
.... .0.. = Reserved: False
.... 1... = AFH Capable Slave: True
...1 .... = AFH Classification Slave: True
..0. .... = BR/EDR Not Supported: False
.1.. .... = LE Supported Controller: True
1... .... = 3-slot EDR ACL packets: True
.... ...1 = 5-slot EDR ACL packets: True
.... ..1. = Sniff Subrating: True
.... .1.. = Pause Encryption: True
.... 1... = AFH Capable Master: True
...1 .... = AFH Classification Master: True
..1. .... = EDR eSCO 2 Mbps Mode: True
.1.. .... = EDR eSCO 3 Mbps Mode: True
1... .... = 3-slot EDR eSCO Packets: True
.... ...1 = Extended Inquiry Response: True
.... ..1. = Simultaneous LE and BR/EDR to Same Device Capable Controller: True
.... .0.. = Reserved: False
.... 1... = Secure Simple Pairing: True
...1 .... = Encapsulated PDU: True
..0. .... = Erroneous Data Reporting: False
.1.. .... = Non-flushable Packet Boundary Flag: True
0... .... = Reserved: False
.... ...1 = Link Supervision Timeout Changed Event: True
.... ..1. = Inquiry TX Power Level: True
.... .1.. = Enhanced Power Control: True
.000 0... = Reserved: False
1... .... = Extended Features: True
[Command in frame: 279]
[Pending in frame: 282]
[Pending-Response Delta: 580.528ms]
[Command-Response Delta: 581.252ms]
```

This event can be compared with the Remote Host Supported Features Notification event: where the flags differ, the LMP features supported at this stage differ.
##### Read Remote Extended Features

```yaml
Bluetooth HCI Command - Read Remote Extended Features
Command Opcode: Read Remote Extended Features (0x041c)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 1100 = Opcode Command Field: Read Remote Extended Features (0x01c)
Parameter Total Length: 3
Connection Handle: 0x0003
Page Number: 1
[Pending in frame: 295]
[Command-Pending Delta: 2.212ms]
[Response in frame: 296]
[Command-Response Delta: 80.604ms]
```

This command reads the extended features of the remote device's Controller: optional, non-mandatory features such as whether BR/EDR and LE are supported and whether SSP is supported.

- Page Number: 0x00 fetches the ordinary LMP features, the same as the Read Remote Supported Features command; 0x01-0xFF fetches the LMP extended features of the given page. Here page 1 is read.

The Response confirming that the command was sent is returned with Status = Pending.

When it finishes, an HCI_Read_Remote_Extended_Features_Complete event is received.
###### Page 1

```yaml
Bluetooth HCI Event - Read Remote Extended Features Complete
Event Code: Read Remote Extended Features Complete (0x23)
Parameter Total Length: 13
Status: Success (0x00)
Connection Handle: 0x0003
Page Number: 1
Max. Page Number: 2
LMP Features
.... ...1 = Secure Simple Pairing Host: True
.... ..1. = LE Supported Host: True
.... .1.. = Simultaneous LE and BR/EDR to Same Device Capable Host: True
.... 1... = Secure Connections Host: True
0000 .... = Reserved: 0x0
Reserved: 00000000000000
[Command in frame: 294]
[Pending in frame: 295]
[Pending-Response Delta: 78.392ms]
[Command-Response Delta: 80.604ms]
```
###### Page 2

This is the Response to the Request with Page Number = 2.

```yaml
Bluetooth HCI Event - Read Remote Extended Features Complete
Event Code: Read Remote Extended Features Complete (0x23)
Parameter Total Length: 13
Status: Success (0x00)
Connection Handle: 0x0003
Page Number: 2
Max. Page Number: 2
LMP Features
.... ...0 = Connectionless Slave Broadcast Master Operation: False
.... ..0. = Connectionless Slave Broadcast Slave Operation: False
.... .0.. = Synchronization Train: False
.... 0... = Synchronization Scan: False
...1 .... = Inquiry Response Notification Event: True
..0. .... = Generalized Interlaced Scan: False
.0.. .... = Coarse Clock Adjustment: False
0... .... = Reserved: False
.... ...1 = Secure Connections Controller: True
.... ..1. = Ping: True
.... .0.. = Reserved: False
.... 0... = Train Nudging: False
...0 .... = Slot Availability Mask: False
Reserved: 000000000000
[Command in frame: 297]
[Pending in frame: 298]
[Pending-Response Delta: 53.795ms]
[Command-Response Delta: 54.728ms]
```
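The feature masks in the Remote Host Supported Features Notification, Read Remote Supported Features and the two extended pages above are what decide whether SSP and Secure Connections can be used at all: SSP needs the controller bit (page 0) and the host bit (page 1) on the remote, Secure Connections needs the host bit (page 1) and the controller bit (page 2), and without SSP the stack falls back to legacy PIN pairing. One detail worth knowing when comparing the first two captures: the 8-octet field of the Notification event (0x3d) is the remote *host's* page 1 feature mask, so its 0x0f, read with page 1 names, is exactly the SSP Host / LE Host / Simultaneous / Secure Connections Host set that the Page 1 event later confirms. The following is an added example, not code from the post or from bluedroid; the byte strings were transcribed from the decoded captures above, the bit tables cover only the bits relevant here, and the function names are this example's own.

```python
"""LMP feature-mask decoding across pages 0, 1 and 2 (added example, not
bluedroid). Bit positions follow the LMP feature definitions; only the bits
relevant to pairing security are named in the tables below."""

# page 0 (Read Remote Supported Features): (octet, bit) -> feature name
PAGE0_BITS = {
    (0, 0): "3-slot packets", (0, 1): "5-slot packets", (0, 2): "Encryption",
    (0, 3): "Slot Offset", (0, 4): "Timing Accuracy", (0, 5): "Role Switch",
    (0, 6): "Hold Mode", (0, 7): "Sniff Mode",
    (3, 1): "EDR ACL 2 Mbps Mode", (3, 2): "EDR ACL 3 Mbps Mode",
    (4, 6): "LE Supported Controller", (5, 2): "Pause Encryption",
    (6, 3): "Secure Simple Pairing", (7, 7): "Extended Features",
}
# page 1 (host features)
PAGE1_BITS = {
    (0, 0): "Secure Simple Pairing Host", (0, 1): "LE Supported Host",
    (0, 2): "Simultaneous LE and BR/EDR to Same Device Capable Host",
    (0, 3): "Secure Connections Host",
}
# page 2 (controller features)
PAGE2_BITS = {
    (0, 4): "Inquiry Response Notification Event",
    (1, 0): "Secure Connections Controller", (1, 1): "Ping",
}
PAGES = {0: PAGE0_BITS, 1: PAGE1_BITS, 2: PAGE2_BITS}

# masks transcribed from the captures above (constructed here as bytes)
NOTIFICATION_FEATURES = bytes.fromhex("0f00000000000000")   # event 0x3d, host page 1
READ_REMOTE_FEATURES = bytes.fromhex("bffe4ffedbff5b87")    # event 0x0b, page 0
EXT_PAGE1 = bytes.fromhex("0f00000000000000")               # event 0x23, page 1
EXT_PAGE2 = bytes.fromhex("1003000000000000")               # event 0x23, page 2


def decode_features(page, raw):
    """Set of named features whose bit is set in an 8-octet mask."""
    if len(raw) != 8:
        raise ValueError("LMP feature mask must be 8 octets")
    names = PAGES[page]
    return {name for (octet, bit), name in names.items() if raw[octet] >> bit & 1}


def undecoded_bits(page, raw):
    """Set bits the page table does not name (reserved or simply not modelled)."""
    if len(raw) != 8:
        raise ValueError("LMP feature mask must be 8 octets")
    names = PAGES[page]
    return {(o, b) for o in range(8) for b in range(8)
            if raw[o] >> b & 1 and (o, b) not in names}


def notification_matches_page1(notification, page1):
    """The 0x3d event carries the remote host's page 1 mask, so it should agree
    with the Read Remote Extended Features page 1 result."""
    return decode_features(1, notification) == decode_features(1, page1)


def pairing_capabilities(page0, page1, page2):
    """What the pairing path may use, derived from all three pages."""
    p0, p1, p2 = decode_features(0, page0), decode_features(1, page1), decode_features(2, page2)
    ssp = "Secure Simple Pairing" in p0 and "Secure Simple Pairing Host" in p1
    sc = "Secure Connections Host" in p1 and "Secure Connections Controller" in p2
    return {"ssp": ssp, "secure_connections": sc,
            "legacy_pin_fallback": not ssp,          # no SSP -> PIN-based pairing
            "link_encryption": "Encryption" in p0}


if __name__ == "__main__":
    print(sorted(decode_features(0, READ_REMOTE_FEATURES)))
    print(pairing_capabilities(READ_REMOTE_FEATURES, EXT_PAGE1, EXT_PAGE2))
```

For the remote in this trace the result is SSP and Secure Connections both available, which is consistent with the Numeric Comparison dialog and the AES-CCM encryption change seen later.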
##### Change Connection Packet Type

```yaml
Frame 300: 8 bytes on wire (64 bits), 8 bytes captured (64 bits)
Bluetooth
Bluetooth HCI H4
Bluetooth HCI Command - Change Connection Packet Type
Command Opcode: Change Connection Packet Type (0x040f)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0000 1111 = Opcode Command Field: Change Connection Packet Type (0x00f)
Parameter Total Length: 4
Connection Handle: 0x0003
Packet Type: 0xcc18, DH5, DM5, DH3, DM3, DH1, DM1
1... .... .... .... = DH5: True
.1.. .... .... .... = DM5: True
..0. .... .... .... = 3-DH5: False
...0 .... .... .... = 2-DH5: False
.... 1... .... .... = DH3: True
.... .1.. .... .... = DM3: True
.... ..0. .... .... = 3-DH3: False
.... ...0 .... .... = 2-DH3: False
.... .... 000. .... = Reserved: 0x0
.... .... ...1 .... = DH1: True
.... .... .... 1... = DM1: True
.... .... .... .0.. = 3-DH1: False
.... .... .... ..0. = 2-DH1: False
.... .... .... ...0 = Reserved: False
[Pending in frame: 303]
[Command-Pending Delta: 1.543ms]
[Response in frame: 305]
[Command-Response Delta: 3.552ms]
```

This command dynamically changes the packet types used on an established connection.

The Response confirming that the command was sent is returned with Status = Pending.
```yaml
Bluetooth HCI Event - Connection Packet Type Changed
Event Code: Connection Packet Type Changed (0x1d)
Parameter Total Length: 5
Status: Success (0x00)
Connection Handle: 0x0003
Packet Type for ACL: 0xcc18, DH5 may be used, DM5 may be used, DH3 may be used, DM3 may be used, DH1 may be used, DM1 may be used
1... .... .... .... = DH5 may be used: True
.1.. .... .... .... = DM5 may be used: True
..0. .... .... .... = 3-DH5 shall NOT be used: False
...0 .... .... .... = 2-DH5 shall NOT be used: False
.... 1... .... .... = DH3 may be used: True
.... .1.. .... .... = DM3 may be used: True
.... ..0. .... .... = 3-DH3 shall NOT be used: False
.... ...0 .... .... = 2-DH3 shall NOT be used: False
.... .... 000. .... = Reserved: 0x0
.... .... ...1 .... = DH1 may be used: True
.... .... .... 1... = DM1 may be used: True
.... .... .... .0.. = 3-DH1 shall NOT be used: False
.... .... .... ..0. = 2-DH1 shall NOT be used: False
.... .... .... ...0 = Reserved: False
[Command in frame: 300]
[Pending in frame: 303]
[Pending-Response Delta: 2.009ms]
[Command-Response Delta: 3.552ms]
```
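The Packet_Type value 0xcc18 appears three times in this trace (Create Connection, Change Connection Packet Type and the Connection Packet Type Changed event), and the event dump makes the trap visible: for the basic-rate types a set bit means "may be used", while for the 2-/3-Mbps EDR types a set bit means "shall NOT be used", so the zero EDR bits in 0xcc18 leave EDR packets allowed rather than forbidden. Here is an added example, not code from the post or from bluedroid, that decodes and encodes the field with that inverted semantics and looks up the best symmetric basic-rate throughput from the ACL packet table above; bit positions are the HCI Packet_Type layout, and the function names are this example's own.

```python
"""Packet_Type bitmask helpers with inverted EDR bits (added example, not
bluedroid). Basic-rate bits: 1 = may be used. EDR bits: 1 = shall NOT be used."""

BASIC_RATE_BITS = {3: "DM1", 4: "DH1", 10: "DM3", 11: "DH3", 14: "DM5", 15: "DH5"}
EDR_EXCLUSION_BITS = {1: "2-DH1", 2: "3-DH1", 8: "2-DH3", 9: "3-DH3",
                      12: "2-DH5", 13: "3-DH5"}
RESERVED_MASK = 0x00E1      # bits 0 and 5..7 are reserved

# symmetric maximum rate in kbps, taken from the ACL packet table above
SYMMETRIC_KBPS = {"DM1": 108.8, "DH1": 172.8, "DM3": 258.1,
                  "DH3": 390.4, "DM5": 286.7, "DH5": 433.9}


def decode_packet_type(value):
    """Split a 16-bit Packet_Type into allowed basic-rate and EDR packet types."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("Packet_Type is a 16-bit field")
    if value & RESERVED_MASK:
        raise ValueError("reserved Packet_Type bits set")
    basic = {name for bit, name in BASIC_RATE_BITS.items() if value >> bit & 1}
    # an EDR type is allowed when its exclusion bit is clear
    edr_allowed = {name for bit, name in EDR_EXCLUSION_BITS.items()
                   if not value >> bit & 1}
    edr_excluded = set(EDR_EXCLUSION_BITS.values()) - edr_allowed
    return {"basic_rate": basic, "edr_allowed": edr_allowed, "edr_excluded": edr_excluded}


def encode_packet_type(basic_rate, edr_allowed=()):
    """Build a Packet_Type value; EDR types not listed in edr_allowed get their
    'shall NOT be used' bit set."""
    unknown = (set(basic_rate) - set(BASIC_RATE_BITS.values())) | \
              (set(edr_allowed) - set(EDR_EXCLUSION_BITS.values()))
    if unknown:
        raise ValueError(f"unknown packet types: {sorted(unknown)}")
    value = 0
    for bit, name in BASIC_RATE_BITS.items():
        if name in basic_rate:
            value |= 1 << bit
    for bit, name in EDR_EXCLUSION_BITS.items():
        if name not in edr_allowed:
            value |= 1 << bit
    return value


def best_symmetric_rate(value):
    """Highest symmetric basic-rate throughput the mask permits, in kbps."""
    basic = decode_packet_type(value)["basic_rate"]
    return max((SYMMETRIC_KBPS[name] for name in basic), default=0.0)


if __name__ == "__main__":
    print(decode_packet_type(0xCC18))
    print(hex(encode_packet_type({"DM1", "DH1"})))   # EDR fully excluded
```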
##### User Confirmation Request Reply

```yaml
Bluetooth HCI Command - User Confirmation Request Reply
Command Opcode: User Confirmation Request Reply (0x042c)
0000 01.. .... .... =Opcode Group Field: Link Control Commands (0x01)
.... ..00 0010 1100 = Opcode Command Field: User Confirmation Request Reply (0x02c)
Parameter Total Length: 6
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
[Response in frame: 310]
[Command-Response Delta: 1.208ms]
```

This command answers the user request; it can simply be understood as the PIN confirmation dialog.

The Response confirming that the command was sent is returned with Status = Success.
#### Set Encryption

Once the stack has received the Authentication Complete event, Set Encryption can begin; while the encryption state is being changed, all ACL traffic with the remote device is stopped.

##### Set Connection Encryption

```yaml
Bluetooth HCI Command - Set Connection Encryption
Command Opcode: Set Connection Encryption (0x0413)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 0011 = Opcode Command Field: Set Connection Encryption (0x013)
Parameter Total Length: 3
Connection Handle: 0x0003
Encryption Enable: Link Level Encryption is ON (0x01)
[Pending in frame: 315]
[Command-Pending Delta: 0.523ms]
[Response in frame: 316]
[Command-Response Delta: 19.245ms]
```

This command enables/disables link-level encryption.

- Encryption Enable: the encryption state
  - 0x00: Turn Link Level Encryption OFF (disable link-level encryption)
  - 0x01: Turn Link Level Encryption ON (enable link-level encryption)

When both the local and remote devices support the Secure Connections (Controller Support) and Secure Connections (Host Support) features and encryption on the Connection_Handle is enabled, setting Encryption_Enable to Turn Link Level Encryption OFF makes the controller return the error Encryption Mode Not Acceptable (0x25).

The Response confirming that the command was sent is returned with Status = Pending.

```yaml
Bluetooth HCI Event - Encryption Change
Event Code: Encryption Change (0x08)
Parameter Total Length: 4
Status: Success (0x00)
Connection Handle: 0x0003
Encryption Enable: Unknown (0x02)
[Command in frame: 314]
[Pending in frame: 315]
[Pending-Response Delta: 18.722ms]
[Command-Response Delta: 19.245ms]
```

In the actual Response the Encryption Enable field came back as a value the dissector shows as Unknown (0x02 in the capture above); this point needs to be confirmed later.
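The value 0x02 in the Encryption Change event is defined in the Core spec's Encryption Change event: 0x00 is link-level encryption off, 0x01 is on with E0 for BR/EDR (or AES-CCM for LE), and 0x02 is on with AES-CCM for BR/EDR. That is the expected outcome here, since both sides advertised Secure Connections Host and Secure Connections Controller in the extended feature pages, and the dissector used simply predates the value. (The LL_ENC_REQ exchange described under btu_hcif_encryption_change_evt is the LE link-layer procedure; in a BR/EDR trace like this one, Set Connection Encryption and Encryption Change are the whole of it.) Here is an added example, not code from the post or from bluedroid, that parses the Connect Complete and Encryption Change events of this trace and keeps a per-handle record of whether the link is encrypted and with which cipher, which is the check a host should make before sending anything sensitive; the event bytes are constructed from the decoded captures, and the class and function names are this example's own.

```python
"""Per-handle link security state from HCI events (added example, not bluedroid).
Encryption_Enabled meanings: 0x00 off; 0x01 on with E0 (BR/EDR) or AES-CCM (LE);
0x02 on with AES-CCM for BR/EDR."""
import struct

H4_EVENT = 0x04
EVT_CONNECT_COMPLETE = 0x03
EVT_DISCONNECT_COMPLETE = 0x05
EVT_ENCRYPTION_CHANGE = 0x08

ENCRYPTION_ENABLED = {0x00: "off", 0x01: "E0 (BR/EDR) / AES-CCM (LE)",
                      0x02: "AES-CCM (BR/EDR)"}

# constructed from the captures above: Connect Complete for handle 0x0003
# (ACL, encryption disabled), then Encryption Change with value 0x02
CAPTURED_EVENTS = [
    bytes.fromhex("04030b000300ddc742e4aa300100"),
    bytes.fromhex("04080400030002"),
]


def parse_event(pkt):
    """Decode the H4 events this example cares about, rejecting truncated input."""
    if len(pkt) < 3 or pkt[0] != H4_EVENT:
        raise ValueError("not an HCI event packet")
    code, plen = pkt[1], pkt[2]
    body = pkt[3:3 + plen]
    if len(body) != plen:
        raise ValueError("event truncated")
    if code == EVT_CONNECT_COMPLETE:
        status, handle, addr, link_type, enc_mode = struct.unpack("<BH6sBB", body)
        return {"event": "Connect Complete", "status": status, "handle": handle,
                "bd_addr": ":".join(f"{b:02x}" for b in addr[::-1]),
                "link_type": "ACL" if link_type == 0x01 else "SCO",
                "encryption_mode": enc_mode}
    if code == EVT_ENCRYPTION_CHANGE:
        status, handle, enabled = struct.unpack("<BHB", body)
        return {"event": "Encryption Change", "status": status, "handle": handle,
                "encryption_enabled": enabled}
    if code == EVT_DISCONNECT_COMPLETE:
        status, handle, reason = struct.unpack("<BHB", body)
        return {"event": "Disconnect Complete", "status": status,
                "handle": handle, "reason": reason}
    return {"event": f"unhandled 0x{code:02x}", "body": body}


class LinkSecurityTracker:
    """Tracks, per connection handle, the cipher currently protecting the link."""

    def __init__(self):
        self.links = {}     # handle -> {"bd_addr": str, "cipher": str | None}

    def feed(self, pkt):
        evt = parse_event(pkt)
        if evt["event"] == "Connect Complete" and evt["status"] == 0:
            # a fresh ACL link starts unencrypted (Encryption Mode 0x00 above)
            self.links[evt["handle"]] = {"bd_addr": evt["bd_addr"], "cipher": None}
        elif evt["event"] == "Encryption Change" and evt["status"] == 0:
            link = self.links.get(evt["handle"])
            if link is None:
                raise ValueError("Encryption Change for an unknown handle")
            value = evt["encryption_enabled"]
            link["cipher"] = None if value == 0 else ENCRYPTION_ENABLED.get(value, "unknown")
        elif evt["event"] == "Disconnect Complete" and evt["status"] == 0:
            self.links.pop(evt["handle"], None)
        return evt

    def is_encrypted(self, handle):
        link = self.links.get(handle)
        return link is not None and link["cipher"] is not None

    def uses_secure_connections(self, handle):
        link = self.links.get(handle)
        return link is not None and link["cipher"] == ENCRYPTION_ENABLED[0x02]


def replay(events):
    tracker = LinkSecurityTracker()
    for pkt in events:
        tracker.feed(pkt)
    return tracker


if __name__ == "__main__":
    t = replay(CAPTURED_EVENTS)
    print(t.links, t.is_encrypted(0x0003), t.uses_secure_connections(0x0003))
```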