Analysis based on Android P
bluedroid
Overview
Normally, when a phone is paired with a car head unit, the two are connected directly, and the device is granted a few basic Bluetooth functions:
- Call audio - HFP;
- Media audio - A2DP + AVRCP;
- Shared contacts - PBAP;
HFP
We start by analysing the HFP profile.
All of these are upper-layer protocols, and all of them are built on L2CAP.
RFCOMM sits between the L2CAP layer and the application-layer protocols. It is a transport protocol that provides emulated serial ports on top of L2CAP, i.e. it emulates an RS-232 serial port.
An RFCOMM session (a link between the RFCOMM layers of the two peers) is established on top of an L2CAP channel, and emulated serial ports are offered to the applications above it, so that legacy applications built on serial-port communication can be moved onto Bluetooth with little effort. This keeps Bluetooth compatible with existing technology and allows the various applications to interoperate. Command execution and data transfer at the RFCOMM layer are all carried out through frames.
HFP connect
Normally we treat the AG side as the Headset, which provides the audio, and the car head unit side as the HF;
SDP Search
During this phase the following things happen:
- When the car head unit initiates an HFP connection, the remote device that should be connected over HFP is passed from the upper layer down to the stack. The stack keeps a queue of devices to connect, which holds the Bluetooth devices waiting for an HFP connection;
- Once the device to connect has been stored in the connect_queue, btif_queue_connect_next is called to process connect_queue: it takes the corresponding profile from the queue and performs that profile's connect operation;
- The profile's connect operation performs a service search over SDP, and during the SDP search it checks whether the L2CAP connection has been established, because in bluedroid many upper-layer protocols (rfcomm, sdp, gatt and so on) register their services with L2CAP and all of them send their requests through L2CA_ConnectReq;
SDP Search Response
After the SDP service search finishes, the result is reported from the Controller to the Host through the bta_hf_client_sdp_cback callback, with the following logic:
- When the search completes, bta_hf_client_sdp_cback sends the BTA_HF_CLIENT_DISC_INT_RES_EVT event; following the event mapping, the handler for that event is bta_hf_client_disc_int_res;
- bta_hf_client_disc_int_res stores the successful search result in a variable of type tBTA_HF_CLIENT_DATA* and then sends the BTA_HF_CLIENT_DISC_OK_EVT event;
- The handler for BTA_HF_CLIENT_DISC_OK_EVT is bta_hf_client_rfc_do_open, which calls RFCOMM_CreateConnection to open the RFCOMM connection, binding the completion callback Complete_cb = bta_hf_client_mgmt_cback;
- RFCOMM_CreateConnection first sets up the DLCI, the signal state and so on, and then calls port_open_continue;
- Further down, RFCOMM_StartReq is called to establish the connection by sending the RFC_MX_EVENT_START_REQ event; from the RFCOMM state machine, the handler for that event is rfc_mx_sm_state_idle;
- rfc_mx_sm_state_idle handles RFC_MX_EVENT_START_REQ and, again through L2CA_ConnectReq, sends the Start RFCOMM request;
RFC Response
As noted above, the RFCOMM completion callback is bta_hf_client_mgmt_cback, which sends the BTA_HF_CLIENT_RFC_OPEN_EVT event. Two functions handle that event:
- bta_hf_client_rfc_open:
  - bta_sys_conn_open: reports the RFCOMM connection state to the upper layer through HAL_CBACK;
  - bta_hf_client_slc_seq: the Service Level Connection procedure, which sends the required AT commands based on a set of conditions and then waits for their responses;
- bta_hf_client_sco_listen: mainly used to set up the SCO link;
AT Response
This section describes how AT command responses are reported up to the application layer;
The core of AT response handling is bta_hf_client_at_parse_start, which determines the handler for each AT response callback. It relies on the bta_hf_client_parser_cb array, which maintains the handler functions for the AT response callbacks;
HFP packet analysis
When analysing the Bluetooth packets, we find that before the SDP service search starts, a Create Connection HCI_COMMAND is sent first; this command sets up the ACL link;
An ACL link carries directed data packets and is used for basic data communication;
HCI analysis
This procedure is very similar to the pairing procedure; apart from a few operations or commands that are only needed the first time, the flow is essentially the same, so the two can be cross-referenced;
Create Connection
```yaml
Bluetooth HCI Command - Create Connection
Command Opcode: Create Connection (0x0405)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0000 0101 = Opcode Command Field: Create Connection (0x005)
Parameter Total Length: 13
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
Packet Type: 0xcc18, DH5, DM5, DH3, DM3, DH1, DM1
1... .... .... .... = DH5: True
.1.. .... .... .... = DM5: True
..0. .... .... .... = 3-DH5: False
...0 .... .... .... = 2-DH5: False
.... 1... .... .... = DH3: True
.... .1.. .... .... = DM3: True
.... ..0. .... .... = 3-DH3: False
.... ...0 .... .... = 2-DH3: False
.... .... 000. .... = Reserved: 0x0
.... .... ...1 .... = DH1: True
.... .... .... 1... = DM1: True
.... .... .... .0.. = 3-DH1: False
.... .... .... ..0. = 2-DH1: False
.... .... .... ...0 = Reserved: False
Page Scan Repetition Mode: R1 (0x01)
Page Scan Mode: Mandatory Page Scan Mode (0x00)
.011 0011 0101 1011 = Clock Offset: 0x335b (16433.8 msec)
1... .... .... .... = Clock_Offset_Valid_Flag: true (1)
Allow Role Switch: Local device may be master, or may become slave after accepting a master slave switch. (0x01)
[Pending in frame: 820]
[Command-Pending Delta: 5.655ms]
[Response in frame: 821]
[Command-Response Delta: 509.2ms]
```
This command creates an ACL link to the specified remote device address;
- Packet Type: the packet types supported by the remote device;
- The access code is used for synchronisation, DC offset (carrier leakage) compensation and identification;
- The packet header carries link information and is protected so that a larger number of errors can be corrected.
The Response for the completed send is returned with Status = Pending;
```yaml
Bluetooth HCI Event - Connect Complete
Event Code: Connect Complete (0x03)
Parameter Total Length: 11
Status: Success (0x00)
Connection Handle: 0x0006
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
Link Type: ACL connection (Data Channels) (0x01)
Encryption Mode: Encryption Disabled (0x00)
[Command in frame: 819]
[Pending in frame: 820]
[Pending-Response Delta: 503.545ms]
[Command-Response Delta: 509.2ms]
```
After handling the Create Connection command, the Controller reports a Connect Complete event to the upper layer;
- Status: Success;
- Connection Handle: 0x0003, the connection handle, which identifies the ACL connection between the local and remote devices;
- BD_ADDR: HuaweiDe_42:c7:dd
- Link Type: ACL connection (Data Channels)
- Encryption Mode: encryption disabled
Read Clock offset
```yaml
Bluetooth HCI Command - Read Clock offset
Command Opcode: Read Clock offset (0x041f)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 1111 = Opcode Command Field: Read Clock offset (0x01f)
Parameter Total Length: 2
Connection Handle: 0x0006
[Pending in frame: 824]
[Command-Pending Delta: 1.051ms]
[Response in frame: 838]
[Command-Response Delta: 47.019ms]
```
- Connection Handle: the handle to operate on, i.e. the Handle generated when the ACL connection succeeded;
The Response for the completed send is returned with Status = Pending, meaning the command was sent successfully but the Controller has not yet answered it with an HCI_EVENT;
```yaml
Bluetooth HCI Event - Read Clock Offset Complete
Event Code: Read Clock Offset Complete (0x1c)
Parameter Total Length: 5
Status: Success (0x00)
Connection Handle: 0x0006
.011 0011 0101 1010 = Clock Offset: 0x335a (16432.5 ms)
[Command in frame: 822]
[Pending in frame: 824]
[Pending-Response Delta: 45.968ms]
[Command-Response Delta: 47.019ms]
```
- Clock Offset: the clock offset between master and slave; with this value the page procedure between master and slave can be sped up;
Read Remote Version Information
```yaml
Bluetooth HCI Command - Read Remote Version Information
Command Opcode: Read Remote Version Information (0x041d)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 1101 = Opcode Command Field: Read Remote Version Information (0x01d)
Parameter Total Length: 2
Connection Handle: 0x0006
[Pending in frame: 826]
[Command-Pending Delta: 0.817ms]
[Response in frame: 839]
[Command-Response Delta: 46.215ms]
```
This command reads the version information of the remote device's Controller;
The Response for the completed send is returned with Status = Pending;
```yaml
Bluetooth HCI Event - Read Remote Version Information Complete
Event Code: Read Remote Version Information Complete (0x0c)
Parameter Total Length: 8
Status: Success (0x00)
Connection Handle: 0x0006
LMP Version: 5.1 (0x0a)
Manufacturer Name: HiSilicon Technologies Col, Ltd. (0x010f)
LMP Subversion: 33561
[Command in frame: 825]
[Pending in frame: 826]
[Pending-Response Delta: 45.398ms]
[Command-Response Delta: 46.215ms]
```
- LMP Version: the LMP version number;
- Manufacturer Name = HiSilicon Technologies Col, Ltd: the manufacturer name, Shenzhen HiSilicon Semiconductor Co., Ltd.;
- LMP Subversion: identifies the specific chipset;
LMP
LMP (Link Manager Protocol) is the link management protocol, generally used to control and negotiate the Bluetooth connection between two devices, including configuring and controlling logical transports, logical links and physical links;
LMP is used for communication between two LMs (Link Managers). All LMP messages apply only to the physical link, the associated logical links and the logical transports between the sending and receiving devices;
Write Link Policy Settings
```yaml
Bluetooth HCI Command - Write Link Policy Settings
Command Opcode: Write Link Policy Settings (0x080d)
0000 10.. .... .... = Opcode Group Field: Link Policy Commands (0x02)
.... ..00 0000 1101 = Opcode Command Field: Write Link Policy Settings (0x00d)
Parameter Total Length: 4
Connection Handle: 0x0006
.... .... .... ...1 = Enable Master Slave Switch: true (1)
.... .... .... ..1. = Enable Hold Mode: true (1)
.... .... .... .1.. = Enable Sniff Mode: true (1)
.... .... .... 0... = Enable Park Mode: false (0)
[Response in frame: 830]
[Command-Response Delta: 4.994ms]
```
This command sets the link policy for the current connection;
It is sent right after the Authentication Requested command, without waiting for the Authentication response. During bluedroid enable, a Write Default Link Policy Settings command was already issued to write the default link policy into the Controller; the link policy configured in these two phases is the same;
- Enable Master Slave Switch: master/slave switch supported;
- Enable Hold Mode: hold mode;
- Enable Sniff Mode: sniff mode;
- Enable Park Mode: park mode;
The Response for the completed send is returned with Status = Success;
Write Link Supervision Timeout
```yaml
Bluetooth HCI Command - Write Link Supervision Timeout
Command Opcode: Write Link Supervision Timeout (0x0c37)
0000 11.. .... .... = Opcode Group Field: Host Controller & Baseband Commands (0x03)
.... ..00 0011 0111 = Opcode Command Field: Write Link Supervision Timeout (0x037)
Parameter Total Length: 4
Connection Handle: 0x0006
Timeout: 8000 slots (5000 msec)
[Response in frame: 834]
[Command-Response Delta: 0.668ms]
```
This command sets the Link Supervision Timeout (the link-loss timeout) used to supervise the link;
- Timeout: 8000 slots, i.e. 5000 ms;
The Response for the completed send is returned with Status = Success;
Authentication Requested
This command is sent before the Link Key settings, but its Response only arrives some time later rather than immediately;
```yaml
Bluetooth HCI Command - Authentication Requested
Command Opcode: Authentication Requested (0x0411)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 0001 = Opcode Command Field: Authentication Requested (0x011)
Parameter Total Length: 2
Connection Handle: 0x0006
[Pending in frame: 884]
[Command-Pending Delta: 0.682ms]
[Response in frame: 888]
[Command-Response Delta: 84.693ms]
```
This command requests authentication between the two Bluetooth addresses of the given connection handle;
The Response for the completed send is returned with Status = Pending;
The result of Authentication Requested is finally returned by the Authentication Complete event with Status = Success; there is a delay between the Command and the Event, during which the Controller and Host perform some further operations;
Link Key Request Reply
```yaml
Bluetooth HCI Command - Link Key Request Reply
Command Opcode: Link Key Request Reply (0x040b)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0000 1011 = Opcode Command Field: Link Key Request Reply (0x00b)
Parameter Total Length: 22
BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)
Link Key: 6d35cb027a790e800b76e75250bfad34
[Response in frame: 887]
[Command-Response Delta: 1.087ms]
```
This command is used when the peer requests the link key and we already have it: we reply with that link key. This HCI_COMMAND differs from Link_Key_Request_Negative_Reply, which is the command used when no usable link key is available;
- BD_ADDR: the remote device address;
- Link Key = 6d35cb027a790e800b76e75250bfad34: the existing, usable link key;
The Response for the completed send is returned with Status = Success;
IO Capability Request & User Confirmation Request Reply
As noted, pairing is required on the first connection; the corresponding HCI execution is the Authentication command, immediately followed by SSP. Because neither device has a usable link key, the authorisation process requires an IO Capability Request and a User Confirmation Request Reply command for user confirmation;
Read Remote Supported Features
```yaml
Bluetooth HCI Command - Read Remote Supported Features
Command Opcode: Read Remote Supported Features (0x041b)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 1011 = Opcode Command Field: Read Remote Supported Features (0x01b)
Parameter Total Length: 2
Connection Handle: 0x0006
[Pending in frame: 841]
[Command-Pending Delta: 0.786ms]
[Response in frame: 847]
[Command-Response Delta: 38.489ms]
```
This command reads the features supported by the remote device's Controller;
The Response for the completed send is returned with Status = Pending;
```yaml
Bluetooth HCI Event - Read Remote Supported Features
Event Code: Read Remote Supported Features (0x0b)
Parameter Total Length: 11
Status: Success (0x00)
Connection Handle: 0x0006
LMP Features
.... ...1 = 3-slot packets: True
.... ..1. = 5-slot packets: True
.... .1.. = Encryption: True
.... 1... = Slot Offset: True
...1 .... = Timing Accuracy: True
..1. .... = Role Switch: True
.0.. .... = Hold Mode: False
1... .... = Sniff Mode: True
.... ...0 = Park Mode: False
.... ..1. = Power Control Requests: True
.... .1.. = Channel Quality Driven Data Rate: True
.... 1... = SCO Link: True
...1 .... = HV2 packets: True
..1. .... = HV3 packets: True
.1.. .... = u-law Log Synchronous Data: True
1... .... = A-law Log Synchronous Data: True
.... ...1 = CVSD Synchronous Data: True
.... ..1. = Paging Parameter Negotiation: True
.... .1.. = Power Control: True
.... 1... = Transparent Synchronous Data: True
.100 .... = Flow Control Lag: 4 (1024 bytes)
0... .... = Broadband Encryption: False
.... ...0 = Reserved: False
.... ..1. = EDR ACL 2 Mbps Mode: True
.... .1.. = EDR ACL 3 Mbps Mode: True
.... 1... = Enhanced Inquiry Scan: True
...1 .... = Interlaced Inquiry Scan: True
..1. .... = Interlaced Page Scan: True
.1.. .... = RSSI with Inquiry Results: True
1... .... = EV3 Packets: True
.... ...1 = EV4 Packets: True
.... ..1. = EV5 Packets: True
.... .0.. = Reserved: False
.... 1... = AFH Capable Slave: True
...1 .... = AFH Classification Slave: True
..0. .... = BR/EDR Not Supported: False
.1.. .... = LE Supported Controller: True
1... .... = 3-slot EDR ACL packets: True
.... ...1 = 5-slot EDR ACL packets: True
.... ..1. = Sniff Subrating: True
.... .1.. = Pause Encryption: True
.... 1... = AFH Capable Master: True
...1 .... = AFH Classification Master: True
..1. .... = EDR eSCO 2 Mbps Mode: True
.1.. .... = EDR eSCO 3 Mbps Mode: True
1... .... = 3-slot EDR eSCO Packets: True
.... ...1 = Extended Inquiry Response: True
.... ..1. = Simultaneous LE and BR/EDR to Same Device Capable Controller: True
.... .0.. = Reserved: False
.... 1... = Secure Simple Pairing: True
...1 .... = Encapsulated PDU: True
..0. .... = Erroneous Data Reporting: False
.1.. .... = Non-flushable Packet Boundary Flag: True
0... .... = Reserved: False
.... ...1 = Link Supervision Timeout Changed Event: True
.... ..1. = Inquiry TX Power Level: True
.... .1.. = Enhanced Power Control: True
.000 0... = Reserved: False
1... .... = Extended Features: True
[Command in frame: 840]
[Pending in frame: 841]
[Pending-Response Delta: 37.703ms]
[Command-Response Delta: 38.489ms]
```
This event can be compared with the Remote Host Supported Features Notification event; where the reported states differ, the LMP features supported in this phase differ;
Read Remote Extended Features
```yaml
Bluetooth HCI Command - Read Remote Extended Features
Command Opcode: Read Remote Extended Features (0x041c)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 1100 = Opcode Command Field: Read Remote Extended Features (0x01c)
Parameter Total Length: 3
Connection Handle: 0x0006
Page Number: 1
[Pending in frame: 849]
[Command-Pending Delta: 2.237ms]
[Response in frame: 855]
[Command-Response Delta: 26.101ms]
```
This command reads the remote Controller's extended features, which are optional features such as whether BR/EDR and LE are supported and whether SSP is supported;
- Page Number: 0x00 retrieves the general LMP features, which is the same as the Read Remote Supported Features command; 0x01-0xFF retrieves the LMP extended features of the corresponding page. Here page 1 is read;
The Response for the completed send is returned with Status = Pending;
When it finishes, an HCI_Read_Remote_Extended_Features_Complete event notification is received;
Page 1
```yaml
Bluetooth HCI Event - Read Remote Extended Features Complete
Event Code: Read Remote Extended Features Complete (0x23)
Parameter Total Length: 13
Status: Success (0x00)
Connection Handle: 0x0006
Page Number: 1
Max. Page Number: 2
LMP Features
.... ...1 = Secure Simple Pairing Host: True
.... ..1. = LE Supported Host: True
.... .1.. = Simultaneous LE and BR/EDR to Same Device Capable Host: True
.... 1... = Secure Connections Host: True
0000 .... = Reserved: 0x0
Reserved: 00000000000000
[Command in frame: 848]
[Pending in frame: 849]
[Pending-Response Delta: 23.864ms]
[Command-Response Delta: 26.101ms]
```
Page 2
This is the Response to the Request with Page Number = 2;
```yaml
Bluetooth HCI Event - Read Remote Extended Features Complete
Event Code: Read Remote Extended Features Complete (0x23)
Parameter Total Length: 13
Status: Success (0x00)
Connection Handle: 0x0006
Page Number: 2
Max. Page Number: 2
LMP Features
.... ...0 = Connectionless Slave Broadcast Master Operation: False
.... ..0. = Connectionless Slave Broadcast Slave Operation: False
.... .0.. = Synchronization Train: False
.... 0... = Synchronization Scan: False
...1 .... = Inquiry Response Notification Event: True
..0. .... = Generalized Interlaced Scan: False
.0.. .... = Coarse Clock Adjustment: False
0... .... = Reserved: False
.... ...1 = Secure Connections Controller: True
.... ..1. = Ping: True
.... .0.. = Reserved: False
.... 0... = Train Nudging: False
...0 .... = Slot Availability Mask: False
Reserved: 000000000000
[Command in frame: 856]
[Pending in frame: 859]
[Pending-Response Delta: 31.575ms]
[Command-Response Delta: 33.129ms]
```
Change Connection Packet Type
```yaml
Bluetooth HCI Command - Change Connection Packet Type
Command Opcode: Change Connection Packet Type (0x040f)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0000 1111 = Opcode Command Field: Change Connection Packet Type (0x00f)
Parameter Total Length: 4
Connection Handle: 0x0006
Packet Type: 0xcc18, DH5, DM5, DH3, DM3, DH1, DM1
1... .... .... .... = DH5: True
.1.. .... .... .... = DM5: True
..0. .... .... .... = 3-DH5: False
...0 .... .... .... = 2-DH5: False
.... 1... .... .... = DH3: True
.... .1.. .... .... = DM3: True
.... ..0. .... .... = 3-DH3: False
.... ...0 .... .... = 2-DH3: False
.... .... 000. .... = Reserved: 0x0
.... .... ...1 .... = DH1: True
.... .... .... 1... = DM1: True
.... .... .... .0.. = 3-DH1: False
.... .... .... ..0. = 2-DH1: False
.... .... .... ...0 = Reserved: False
[Pending in frame: 866]
[Command-Pending Delta: 0.721ms]
[Response in frame: 868]
[Command-Response Delta: 1.069ms]
```
This command dynamically changes the packet types used by an established connection;
The Response for the completed send is returned with Status = Pending;
```yaml
Bluetooth HCI Event - Connection Packet Type Changed
Event Code: Connection Packet Type Changed (0x1d)
Parameter Total Length: 5
Status: Success (0x00)
Connection Handle: 0x0006
Packet Type for ACL: 0xcc18, DH5 may be used, DM5 may be used, DH3 may be used, DM3 may be used, DH1 may be used, DM1 may be used
1... .... .... .... = DH5 may be used: True
.1.. .... .... .... = DM5 may be used: True
..0. .... .... .... = 3-DH5 shall NOT be used: False
...0 .... .... .... = 2-DH5 shall NOT be used: False
.... 1... .... .... = DH3 may be used: True
.... .1.. .... .... = DM3 may be used: True
.... ..0. .... .... = 3-DH3 shall NOT be used: False
.... ...0 .... .... = 2-DH3 shall NOT be used: False
.... .... 000. .... = Reserved: 0x0
.... .... ...1 .... = DH1 may be used: True
.... .... .... 1... = DM1 may be used: True
.... .... .... .0.. = 3-DH1 shall NOT be used: False
.... .... .... ..0. = 2-DH1 shall NOT be used: False
.... .... .... ...0 = Reserved: False
[Command in frame: 865]
[Pending in frame: 866]
[Pending-Response Delta: 0.348ms]
[Command-Response Delta: 1.069ms]
```
Set Connection Encryption
Once the stack has received the Authentication Complete event, Set Encryption can begin; while the encryption is being changed, all ACL traffic with the remote device is stopped;
```yaml
Bluetooth HCI Command - Set Connection Encryption
Command Opcode: Set Connection Encryption (0x0413)
0000 01.. .... .... = Opcode Group Field: Link Control Commands (0x01)
.... ..00 0001 0011 = Opcode Command Field: Set Connection Encryption (0x013)
Parameter Total Length: 3
Connection Handle: 0x0006
Encryption Enable: Link Level Encryption is ON (0x01)
[Pending in frame: 890]
[Command-Pending Delta: 1.452ms]
[Response in frame: 891]
[Command-Response Delta: 85.975ms]
```
This command enables/disables link-level encryption.
- Encryption Enable: the encryption state
  - 0x00: Turn Link Level Encryption OFF
  - 0x01: Turn Link Level Encryption ON
When both the local and the remote device support the Secure Connections (Controller Support) and Secure Connections (Host Support) features, and encryption on the Connection_Handle is enabled, setting Encryption_Enable to Turn Link Level Encryption OFF makes the controller return the error Encryption Mode Not Acceptable (0x25).
The Response for the completed send is returned with Status = Pending;
```yaml
Bluetooth HCI Event - Encryption Change
Event Code: Encryption Change (0x08)
Parameter Total Length: 4
Status: Success (0x00)
Connection Handle: 0x0006
Encryption Enable: Unknown (0x02)
[Command in frame: 889]
[Pending in frame: 890]
[Pending-Response Delta: 84.523ms]
[Command-Response Delta: 85.975ms]
```
In the actual Response, 0x0003 was returned, meaning Unknown; (this needs to be confirmed later.)
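The HCI exchange above, from Create Connection through Encryption Change, is easy to follow once the H4 framing and the opcode layout are clear, so here is an added example (not code from the page or from bluedroid) that re-encodes the frames shown in this section as bytes, parses them, and tracks what the event stream says about the link's security state. Everything it assumes is either on the page or in the Core Specification: the H4 indicator bytes (0x01 command, 0x04 event), the OGF/OCF split of the opcode, the little-endian byte order of BD_ADDR and handles, and the Encryption_Enabled values of the Encryption Change event. On that last point, Core Specification 4.1 and later define 0x02 as "link level encryption is ON with AES-CCM for BR/EDR", which is what a Secure Connections link reports; the dissector used for this capture did not know that value, which is the likely explanation for the Unknown shown above. The address, handle and parameter values are taken from the page; the packet bytes are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

H4_COMMAND, H4_EVENT = 0x01, 0x04          # H4 (UART transport) packet indicators
EVT_CONNECT_COMPLETE, EVT_AUTH_COMPLETE, EVT_ENCRYPTION_CHANGE = 0x03, 0x06, 0x08
OPCODE_NAMES = {0x0405: "Create Connection", 0x0411: "Authentication Requested",
                0x0413: "Set Connection Encryption"}
EVENT_NAMES = {0x03: "Connect Complete", 0x06: "Authentication Complete", 0x08: "Encryption Change"}
# Encryption_Enabled values of the Encryption Change event (Core Spec 4.1 and later)
ENCRYPTION_MODES = {0x00: "off", 0x01: "on (E0 for BR/EDR)", 0x02: "on (AES-CCM for BR/EDR)"}
# Basic-rate bits of the Packet_Type bitmask used by Create Connection
PACKET_TYPE_BITS = {3: "DM1", 4: "DH1", 10: "DM3", 11: "DH3", 14: "DM5", 15: "DH5"}
# Wire (little-endian) form of the peer address 30:aa:e4:42:c7:dd shown on this page
PEER_LE = bytes.fromhex("ddc742e4aa30")


def split_opcode(opcode: int):
    """An opcode carries the OGF in its upper 6 bits and the OCF in the lower 10 bits."""
    return opcode >> 10, opcode & 0x03FF


def bdaddr_str(raw: bytes) -> str:
    """BD_ADDR travels least-significant byte first; display it the way Wireshark does."""
    return ":".join("%02x" % b for b in reversed(raw))


def packet_types(mask: int) -> List[str]:
    return [name for bit, name in sorted(PACKET_TYPE_BITS.items()) if mask & (1 << bit)]


def parse_h4(pkt: bytes) -> Dict:
    """Split an H4-framed command or event into its header fields and parameter bytes."""
    if pkt[0] == H4_COMMAND:
        opcode, plen = struct.unpack_from("<HB", pkt, 1)
        kind, key, params = "command", opcode, pkt[4:4 + plen]
    elif pkt[0] == H4_EVENT:
        code, plen = pkt[1], pkt[2]
        kind, key, params = "event", code, pkt[3:3 + plen]
    else:
        raise ValueError("unsupported H4 packet type 0x%02x" % pkt[0])
    if len(params) != plen:
        raise ValueError("truncated %s parameters" % kind)
    return {"kind": kind, "id": key, "params": params}


def parse_create_connection(params: bytes) -> Dict:
    """Decode BD_ADDR, Packet_Type, Page_Scan_Repetition_Mode, Page_Scan_Mode, Clock_Offset, Allow_Role_Switch."""
    ptype, _psrm, _psm, clock, role = struct.unpack_from("<HBBHB", params, 6)
    return {"bd_addr": bdaddr_str(params[:6]), "packet_types": packet_types(ptype),
            "clock_offset": clock & 0x7FFF, "clock_offset_valid": bool(clock & 0x8000),
            "allow_role_switch": bool(role)}


@dataclass
class LinkState:
    """What the command/event stream lets us conclude about one ACL link."""
    handle: Optional[int] = None
    peer: str = ""
    authenticated: bool = False
    encryption: int = 0x00
    trace: List[str] = field(default_factory=list)

    def feed(self, pkt: bytes) -> None:
        p = parse_h4(pkt)
        names = OPCODE_NAMES if p["kind"] == "command" else EVENT_NAMES
        self.trace.append("%s %s" % (p["kind"], names.get(p["id"], hex(p["id"]))))
        # Only successful events change what we believe about the link
        if p["kind"] != "event" or not p["params"] or p["params"][0] != 0x00:
            return
        code, params = p["id"], p["params"]
        if code == EVT_CONNECT_COMPLETE:        # learn handle and peer address
            self.handle = struct.unpack_from("<H", params, 1)[0]
            self.peer = bdaddr_str(params[3:9])
        elif code == EVT_AUTH_COMPLETE:
            self.authenticated = True
        elif code == EVT_ENCRYPTION_CHANGE:     # Encryption_Enabled follows the handle
            self.encryption = params[3]

    def summary(self) -> str:
        return "handle=%s authenticated=%s encryption=%s" % (
            self.handle, self.authenticated, ENCRYPTION_MODES.get(self.encryption, "unknown"))


def sample_trace() -> List[bytes]:
    """Constructed packets re-encoding the frames shown on this page (handle 0x0006)."""
    h = struct.pack("<H", 0x0006)
    return [
        bytes([H4_COMMAND]) + struct.pack("<HB", 0x0405, 13) + PEER_LE
        + struct.pack("<HBBHB", 0xCC18, 0x01, 0x00, 0xB35B, 0x01),
        bytes([H4_EVENT, EVT_CONNECT_COMPLETE, 11, 0x00]) + h + PEER_LE + bytes([0x01, 0x00]),
        bytes([H4_COMMAND]) + struct.pack("<HB", 0x0411, 2) + h,
        bytes([H4_EVENT, EVT_AUTH_COMPLETE, 3, 0x00]) + h,
        bytes([H4_COMMAND]) + struct.pack("<HB", 0x0413, 3) + h + bytes([0x01]),
        bytes([H4_EVENT, EVT_ENCRYPTION_CHANGE, 4, 0x00]) + h + bytes([0x02]),
    ]


def replay(packets: List[bytes]) -> LinkState:
    state = LinkState()
    for pkt in packets:
        state.feed(pkt)
    return state
```

Running `replay(sample_trace()).summary()` yields `handle=6 authenticated=True encryption=on (AES-CCM for BR/EDR)`. The tracker deliberately ignores events whose Status is non-zero, so a failed Encryption Change leaves the previously known mode in place rather than clearing it; when reviewing a capture, that is the state a profile connection should be checked against before any RFCOMM or SDP traffic is trusted.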
Summary
At the HCI level, once the encryption phase is reached the HCI_COMMAND/HCI_EVENT exchange is essentially over; any HCI_EVENTs seen afterwards are basically Complete events for data packets received by the Host, which can be ignored and do not affect the normal flow;
Application-layer protocol analysis
From the flow analysed above, the HFP profile essentially involves three protocols, SDP, RFCOMM and HFP; we analyse the protocol packets involved one by one, following the actual flow;
L2CAP commands follow a Request-Response pattern, and each Sent has a matching Rcvd, i.e. one Request has one Sent and one Rcvd;
Information(Extended Features Mask)
Sent Information Request(Extended Features Mask)
```yaml
Bluetooth
[Source: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
[Destination: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: ACL Data (0x02)
Bluetooth HCI ACL Packet
.... 0000 0000 0110 = Connection Handle: 0x006
..10 .... .... .... = PB Flag: First Automatically Flushable Packet (2)
00.. .... .... .... = BC Flag: Point-To-Point (0)
Data Total Length: 10
Data
[Connect in frame: 821]
[Disconnect in frame: 1236]
[Source BD_ADDR: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
[Source Device Name: HAVAL_6720]
[Source Role: Master (1)]
[Destination BD_ADDR: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
[Destination Device Name: dupz]
[Destination Role: Slave (2)]
[Last Role Change in Frame: 819]
[Current Mode: Active Mode (0)]
[Last Mode Change in Frame: 821]
Bluetooth L2CAP Protocol
Length: 6
CID: L2CAP Signaling Channel (0x0001)
Command: Information Request
Command Code: Information Request (0x0a)
Command Identifier: 0x02
Command Length: 2
Information Type: Extended Features Mask (0x0002)
```
This command requests information of a given Info Type from the remote device;
- CID: the L2CAP channel;
- Information Type = Extended Features Mask:

| Value | Type | Desc |
|---|---|---|
| 0x0001 | Connectionless MTU | Connectionless maximum transmission unit, used to tell the peer the largest service data unit it can accept, i.e. the payload size the sender can accept |
| 0x0002 | Extended Features Mask | Extended feature mask, i.e. the supported extended features |
| 0x0003 | Fixed Channels Supported | Fixed channel support |
| Other | Reserved | Reserved |

A few points to note:
- An Information Request with InfoType = 0x0003 must not be sent until the Fixed Channels bit of the remote device's Extended Features has been confirmed to be 1 through InfoType = 0x0002;
- No fixed channel other than the L2CAP signaling channel may be used until InfoType = 0x0003 has confirmed which fixed channels the remote device supports;
- Information Request and Information Response must not be sent on the fixed channel with CID 0x0005 (the LE signaling channel).
Rcvd Information Request(Extended Features Mask)
```yaml
Bluetooth L2CAP Protocol
Length: 6
CID: L2CAP Signaling Channel (0x0001)
Command: Information Request
Command Code: Information Request (0x0a)
Command Identifier: 0x02
Command Length: 2
Information Type: Extended Features Mask (0x0002)
```
Sent Information Response(Extended Features Mask , Success)
```yaml
Bluetooth L2CAP Protocol
Length: 12
CID: L2CAP Signaling Channel (0x0001)
Command: Information Response
Command Code: Information Response (0x0b)
Command Identifier: 0x02
Command Length: 8
Information Type: Extended Features Mask (0x0002)
Result: Success (0x0000)
Features: EnhRetransmission Streaming FCS FixedChan
.... .... .... .... .... .... .... ...0 = Flow Control Mode: 0
.... .... .... .... .... .... .... ..0. = Retransmission Mode: 0
.... .... .... .... .... .... .... .0.. = Bi-Directional QOS: 0
.... .... .... .... .... .... .... 1... = Enhanced Retransmission Mode: 1
.... .... .... .... .... .... ...1 .... = Streaming Mode: 1
.... .... .... .... .... .... ..1. .... = FCS: 1
.... .... .... .... .... .... .0.. .... = Extended Flow Specification for BR/EDR: 0
.... .... .... .... .... .... 1... .... = Fixed Channels: 1
.... .... .... .... .... ...0 .... .... = Extended Window Size: 0
.... .... .... .... .... ..0. .... .... = Unicast Connectionless Data Reception: 0
```
On receiving a valid Information Request, an Information Response is used to reply; the content of the Data field depends on the InfoType field;
- Result: Success

| Value | Result | Desc |
|---|---|---|
| 0x0000 | Success | Success |
| 0x0001 | Not Supported | Not supported |
| Other | Reserved | Reserved |

- Features: the supported extended features;

| Feature | Desc | Status |
|---|---|---|
| Flow Control Mode | Flow control mode | 0 |
| Retransmission Mode | Retransmission mode | 0 |
| Bi-Directional QOS | Bidirectional QoS | 0 |
| Enhanced Retransmission Mode | Enhanced retransmission mode | 1 |
| Streaming Mode | Streaming mode | 1 |
| FCS | Frame check sequence | 1 |
| Extended Flow Specification for BR/EDR | Extended flow specification for BR/EDR | 0 |
| Fixed Channels | Fixed channels | 1 |
| Extended Window Size | Extended window size | 0 |
| Unicast Connectionless Data Reception | Unicast connectionless data reception | 0 |
Rcvd Information Response(Extended Features Mask , Success)
```yaml
Frame 850: 21 bytes on wire (168 bits), 21 bytes captured (168 bits)
Bluetooth
[Source: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
[Destination: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 12
CID: L2CAP Signaling Channel (0x0001)
Command: Information Response
Command Code: Information Response (0x0b)
Command Identifier: 0x02
Command Length: 8
Information Type: Extended Features Mask (0x0002)
Result: Success (0x0000)
Features: EnhRetransmission Streaming FCS FixedChan
.... .... .... .... .... .... .... ...0 = Flow Control Mode: 0
.... .... .... .... .... .... .... ..0. = Retransmission Mode: 0
.... .... .... .... .... .... .... .0.. = Bi-Directional QOS: 0
.... .... .... .... .... .... .... 1... = Enhanced Retransmission Mode: 1
.... .... .... .... .... .... ...1 .... = Streaming Mode: 1
.... .... .... .... .... .... ..1. .... = FCS: 1
.... .... .... .... .... .... .0.. .... = Extended Flow Specification for BR/EDR: 0
.... .... .... .... .... .... 1... .... = Fixed Channels: 1
.... .... .... .... .... ...0 .... .... = Extended Window Size: 0
.... .... .... .... .... ..0. .... .... = Unicast Connectionless Data Reception: 0
```
Echo
Rcvd Echo Request
```yaml
Bluetooth
[Source: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
[Destination: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 22
CID: L2CAP Signaling Channel (0x0001)
Command: Echo Request
Command Code: Echo Request (0x08)
Command Identifier: 0x03
Command Length: 18
Data: 3f0101010a000102030405060708090a1265
```
An Echo Request asks the remote device for a response. It is generally used to test the connection or to carry vendor-specific information.
Sent Echo Response
```yaml
Bluetooth
[Source: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
[Destination: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 22
CID: L2CAP Signaling Channel (0x0001)
Command: Echo Response
Command Code: Echo Response (0x09)
Command Identifier: 0x03
Command Length: 18
Data: 3f0101010a000102030405060708090a1265
```
This command is used to reply to an Echo Request;
Information(Fixed Channels Supported)
Sent Information Request(Fixed Channels Supported)
```yaml
Frame 851: 15 bytes on wire (120 bits), 15 bytes captured (120 bits)
Bluetooth
[Source: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
[Destination: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 6
CID: L2CAP Signaling Channel (0x0001)
Command: Information Request
Command Code: Information Request (0x0a)
Command Identifier: 0x03
Command Length: 2
Information Type: Fixed Channels Supported (0x0003)
```
Rcvd Information Request(Fixed Channels Supported)
```yaml
Bluetooth
[Source: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
[Destination: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 6
CID: L2CAP Signaling Channel (0x0001)
Command: Information Request
Command Code: Information Request (0x0a)
Command Identifier: 0x04
Command Length: 2
Information Type: Fixed Channels Supported (0x0003)
```
Sent Information Response(Fixed Channels Supported, Success)
```yaml
Bluetooth
[Source: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
[Destination: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 16
CID: L2CAP Signaling Channel (0x0001)
Command: Information Response
Command Code: Information Response (0x0b)
Command Identifier: 0x04
Command Length: 12
Information Type: Fixed Channels Supported (0x0003)
Result: Success (0x0000)
Fixed Channels Supported:
.... .... .... .... .... .... .... ...0 = Null identifier: 0
.... .... .... .... .... .... .... ..1. = L2CAP signaling channel: 1
.... .... .... .... .... .... .... .0.. = Connectionless reception: 0
.... .... .... .... .... .... .... 0... = AMP Manager protocol: 0
0... .... .... .... .... .... .... .... = AMP Test Manager: 0
```
Rcvd Information Response(Fixed Channels Supported, Success)
```yaml
Bluetooth
[Source: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
[Destination: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 16
CID: L2CAP Signaling Channel (0x0001)
Command: Information Response
Command Code: Information Response (0x0b)
Command Identifier: 0x03
Command Length: 12
Information Type: Fixed Channels Supported (0x0003)
Result: Success (0x0000)
Fixed Channels Supported:
.... .... .... .... .... .... .... ...0 = Null identifier: 0
.... .... .... .... .... .... .... ..1. = L2CAP signaling channel: 1
.... .... .... .... .... .... .... .0.. = Connectionless reception: 0
.... .... .... .... .... .... .... 0... = AMP Manager protocol: 0
0... .... .... .... .... .... .... .... = AMP Test Manager: 0
```
For the Fixed Channels Supported InfoType, the Data field records which fixed L2CAP channels are supported; currently only the L2CAP signaling channel is supported;
Connection Request
```yaml
Bluetooth
[Source: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
[Destination: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 8
CID: L2CAP Signaling Channel (0x0001)
Command: Connection Request
Command Code: Connection Request (0x02)
Command Identifier: 0x04
Command Length: 4
PSM: SDP (0x0001)
Source CID: Dynamically Allocated Channel (0x0052)
[Disconnect in frame: 880]
```
This command establishes an L2CAP channel between the two devices;
- PSM (Protocol/Service Multiplexer): identifies the upper-layer profile, i.e. the application-layer protocol that uses the L2CAP channel;
- Source CID: the CID of the side that sends the connection request;
```yaml
Bluetooth
[Source: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
[Destination: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 12
CID: L2CAP Signaling Channel (0x0001)
Command: Connection Response
Command Code: Connection Response (0x03)
Command Identifier: 0x04
Command Length: 8
Destination CID: Dynamically Allocated Channel (0x0044)
Source CID: Dynamically Allocated Channel (0x0052)
Result: Successful (0x0000)
Status: No further information available (0x0000)
```
- Destination CID (Destination Channel Identifier): the CID of the device that sends the connection response;
- Source CID: the CID of the side that sends the connection request;
- Result: Successful
- Status: only meaningful when Result = 0x0001; it indicates the connection status;
Configure Request
```yaml
Bluetooth
[Source: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
[Destination: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 12
CID: L2CAP Signaling Channel (0x0001)
Command: Configure Request
Command Code: Configure Request (0x04)
Command Identifier: 0x05
Command Length: 8
Destination CID: Dynamically Allocated Channel (0x0044)
0000 0000 0000 000. = Reserved: 0x0000
.... .... .... ...0 = Continuation Flag: False
Option: MTU
Type: Maximum Transmission Unit (0x01)
Length: 2
MTU: 1024
```
The Configuration Request command establishes the initial transport agreement between two L2CAP entities and can renegotiate the configuration options of that agreement; an option only needs to be included in a configuration request when it has to be changed.
- Configuration Options: the options to negotiate; this part may or may not be present;
  - Type: the type of the option being configured;
  - MTU: the maximum transmission unit, 1024;
After the car head unit sends the Request to the phone, the phone sends a Response acknowledging the request to indicate it was accepted;
```yaml
Bluetooth
[Source: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
[Destination: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 10
CID: L2CAP Signaling Channel (0x0001)
Command: Configure Response
Command Code: Configure Response (0x05)
Command Identifier: 0x05
Command Length: 6
Source CID: Dynamically Allocated Channel (0x0044)
0000 0000 0000 000. = Reserved: 0x0000
.... .... .... ...0 = Continuation Flag: False
Result: Success (0x0000)
```
The Configuration Response replies to the Configuration Request and adjusts the options carried in the request;
- Result: configuration succeeded;
The phone side likewise sends a configuration-success Response to the car head unit;
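The L2CAP signaling commands dissected in the Information, Echo, Connection and Configure sections above all share one layout (basic header, then code / identifier / length / data), so here is an added example (not code from the page or from bluedroid) of a small parser for that layout. It decodes the Information Response feature masks, the Connection Request/Response CIDs and PSM, and the type/length/value options of a Configure Request, and it encodes the ordering rule from the Information section (a Fixed Channels Supported request is only allowed once the peer's Extended Features Mask has shown the Fixed Channels bit) as a check a stack or an analyser can apply. Codes, bit positions and field widths are the L2CAP specification values already shown in the dumps; the frames in SAMPLE_FRAMES are constructed to carry the same values as the captured ones.

```python
import struct
from typing import Dict, List

SIGNALING_CID = 0x0001
# Signaling command codes seen on this page
CODE_CONNECTION_REQ, CODE_CONNECTION_RSP = 0x02, 0x03
CODE_CONFIGURE_REQ, CODE_CONFIGURE_RSP = 0x04, 0x05
CODE_INFO_REQ, CODE_INFO_RSP = 0x0A, 0x0B
INFO_EXTENDED_FEATURES, INFO_FIXED_CHANNELS = 0x0002, 0x0003
OPTION_MTU = 0x01
EXTENDED_FEATURE_BITS = {
    0: "Flow Control Mode", 1: "Retransmission Mode", 2: "Bi-Directional QoS",
    3: "Enhanced Retransmission Mode", 4: "Streaming Mode", 5: "FCS",
    6: "Extended Flow Specification for BR/EDR", 7: "Fixed Channels",
    8: "Extended Window Size", 9: "Unicast Connectionless Data Reception"}
FIXED_CHANNEL_BITS = {0: "Null identifier", 1: "L2CAP signaling channel",
                      2: "Connectionless reception", 3: "AMP Manager protocol", 63: "AMP Test Manager"}


def set_bits(mask: int, names: Dict[int, str]) -> List[str]:
    return [name for bit, name in sorted(names.items()) if mask >> bit & 1]


def parse_l2cap(frame: bytes) -> Dict:
    """Basic L2CAP header: 16-bit payload length, then 16-bit CID, little-endian."""
    length, cid = struct.unpack_from("<HH", frame, 0)
    payload = frame[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated L2CAP payload")
    return {"cid": cid, "payload": payload}


def parse_signaling(payload: bytes) -> List[Dict]:
    """A signaling payload may hold several commands, each: code, identifier, length, data."""
    cmds, off = [], 0
    while off < len(payload):
        code, ident, clen = struct.unpack_from("<BBH", payload, off)
        data = payload[off + 4:off + 4 + clen]
        if len(data) != clen:
            raise ValueError("truncated signaling command")
        cmds.append(decode_command(code, ident, data))
        off += 4 + clen
    return cmds


def decode_command(code: int, ident: int, data: bytes) -> Dict:
    cmd = {"code": code, "identifier": ident}
    if code == CODE_INFO_REQ:
        cmd["info_type"] = struct.unpack_from("<H", data)[0]
    elif code == CODE_INFO_RSP:
        cmd["info_type"], cmd["result"] = struct.unpack_from("<HH", data)
        if cmd["result"] == 0 and cmd["info_type"] == INFO_EXTENDED_FEATURES:
            cmd["features"] = set_bits(struct.unpack_from("<I", data, 4)[0], EXTENDED_FEATURE_BITS)
        elif cmd["result"] == 0 and cmd["info_type"] == INFO_FIXED_CHANNELS:
            cmd["fixed_channels"] = set_bits(struct.unpack_from("<Q", data, 4)[0], FIXED_CHANNEL_BITS)
    elif code == CODE_CONNECTION_REQ:
        cmd["psm"], cmd["scid"] = struct.unpack_from("<HH", data)
    elif code == CODE_CONNECTION_RSP:
        cmd["dcid"], cmd["scid"], cmd["result"], cmd["status"] = struct.unpack_from("<HHHH", data)
    elif code == CODE_CONFIGURE_REQ:
        cmd["dcid"], flags = struct.unpack_from("<HH", data)
        cmd["continuation"], cmd["options"] = bool(flags & 1), parse_config_options(data[4:])
    elif code == CODE_CONFIGURE_RSP:
        cmd["scid"], flags, cmd["result"] = struct.unpack_from("<HHH", data)
        cmd["continuation"], cmd["options"] = bool(flags & 1), parse_config_options(data[6:])
    return cmd


def parse_config_options(buf: bytes) -> Dict:
    """Options are type/length/value; MTU is decoded, anything else is kept raw under its type."""
    opts, off = {}, 0
    while off + 2 <= len(buf):
        otype, olen = buf[off], buf[off + 1]
        value = buf[off + 2:off + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated configuration option")
        if otype & 0x7F == OPTION_MTU and olen == 2:
            opts["mtu"] = struct.unpack("<H", value)[0]
        else:
            opts[otype] = value
        off += 2 + olen
    return opts


def may_request_fixed_channels(extended_features: List[str]) -> bool:
    """Ordering rule from the Information section: ask for Fixed Channels Supported only after
    the peer's Extended Features Mask has shown the Fixed Channels bit."""
    return "Fixed Channels" in extended_features


def signaling_frame(code: int, ident: int, data: bytes) -> bytes:
    return struct.pack("<HHBBH", 4 + len(data), SIGNALING_CID, code, ident, len(data)) + data


# Constructed frames carrying the same values as the Sent/Rcvd commands shown on this page
SAMPLE_FRAMES = {
    "info_rsp_features": signaling_frame(CODE_INFO_RSP, 0x02, struct.pack("<HHI", 0x0002, 0, 0xB8)),
    "info_rsp_fixed": signaling_frame(CODE_INFO_RSP, 0x04, struct.pack("<HHQ", 0x0003, 0, 0x02)),
    "conn_req": signaling_frame(CODE_CONNECTION_REQ, 0x04, struct.pack("<HH", 0x0001, 0x0052)),
    "conn_rsp": signaling_frame(CODE_CONNECTION_RSP, 0x04, struct.pack("<HHHH", 0x0044, 0x0052, 0, 0)),
    "config_req": signaling_frame(CODE_CONFIGURE_REQ, 0x05, struct.pack("<HHBBH", 0x0044, 0, OPTION_MTU, 2, 1024)),
    "config_rsp": signaling_frame(CODE_CONFIGURE_RSP, 0x05, struct.pack("<HHH", 0x0044, 0, 0)),
}


def decode_frame(frame: bytes) -> Dict:
    """Decode the first (here the only) command of a signaling-channel frame."""
    l2 = parse_l2cap(frame)
    if l2["cid"] != SIGNALING_CID:
        raise ValueError("not a signaling-channel frame")
    return parse_signaling(l2["payload"])[0]
```

`decode_frame(SAMPLE_FRAMES["info_rsp_features"])["features"]` gives the four features the dump lists (Enhanced Retransmission Mode, Streaming Mode, FCS, Fixed Channels), and `may_request_fixed_channels` on that list returns True, which is the condition the stack must satisfy before the Fixed Channels Supported request in the next section is sent. Every length field is checked against the bytes actually present, so a frame whose declared length exceeds its payload is rejected instead of being read past its end.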
Service Search Attribute Request
yaml
Bluetooth
[Source: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
[Destination: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 27
CID: Dynamically Allocated Channel (0x0044)
[Connect in frame: 861]
[Disconnect in frame: 880]
[PSM: SDP (0x0001)]
Bluetooth SDP Protocol
PDU: Service Search Attribute Request (0x06)
Transaction Id: 0x0000
Parameter Length: 22
Service Search Pattern: Handsfree Audio Gateway
Data Element: Sequence uint8 3 bytes
0011 0... = Data Element Type: Sequence (6)
.... .101 = Data Element Size: uint8 (5)
Data Element Var Size: 3
Data Value
Data Element: UUID 2 bytes
0001 1... = Data Element Type: UUID (3)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Value: UUID: Handsfree Audio Gateway (0x111f)
Maximum Attribute Byte Count: 1008
Attribute ID List
Data Element: Sequence uint8 12 bytes
0011 0... = Data Element Type: Sequence (6)
.... .101 = Data Element Size: uint8 (5)
Data Element Var Size: 12
Data Value
Attribute ID: Service Class ID List
Data Element: Unsigned Integer 2 bytes
0000 1... = Data Element Type: Unsigned Integer (1)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Attribute ID: Service Class ID List (0x0001)
Attribute ID: Protocol Descriptor List
Data Element: Unsigned Integer 2 bytes
0000 1... = Data Element Type: Unsigned Integer (1)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Attribute ID: Protocol Descriptor List (0x0004)
Attribute ID: Bluetooth Profile Descriptor List
Data Element: Unsigned Integer 2 bytes
0000 1... = Data Element Type: Unsigned Integer (1)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Attribute ID: Bluetooth Profile Descriptor List (0x0009)
Attribute ID: Supported Features (HFP AG)
Data Element: Unsigned Integer 2 bytes
0000 1... = Data Element Type: Unsigned Integer (1)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Attribute ID: Supported Features (0x0311)
Continuation State: no (00)
This PDU searches for the services matching the given Service Search Pattern and, in the same transaction, retrieves the listed attributes from the matching service records;
- PDU: the PDU ID identifies the type of PDU, i.e. its meaning and the parameters it carries:

Value | PDU | Description
---|---|---
0x00 | Reserved |
0x01 | SDP_ERROR_RSP | error response
0x02 | SDP_SERVICE_SEARCH_REQ | search by UUID pattern, returns record handles
0x03 | SDP_SERVICE_SEARCH_RSP |
0x04 | SDP_SERVICE_ATTR_REQ | fetch attributes of one record by handle
0x05 | SDP_SERVICE_ATTR_RSP |
0x06 | SDP_SERVICE_SEARCH_ATTR_REQ | search and fetch attributes in one transaction
0x07 | SDP_SERVICE_SEARCH_ATTR_RSP |
All other values | Reserved for future use |

-
Transaction Id: the request side may pick any value in 0x0000..0xFFFF; the response must carry the same TID, which is how a response is matched to its request.
-
Service Search Pattern: a list of UUIDs used to locate matching service records; a record matches only if it contains every UUID in the pattern;
-
UUID: each service class and protocol has a fixed 16-bit UUID assigned by the Bluetooth SIG (Handsfree Audio Gateway is 0x111F); the full 128-bit value is derived from the Bluetooth base UUID.
-
Attribute ID List: the attributes to retrieve from each matching record.
Of the attributes requested here, the HFP specification marks the following as mandatory (M) or optional (O) in the AG service record:
- Service Class ID List (0x0001): M
- Protocol Descriptor List (0x0004): M
- Bluetooth Profile Descriptor List (0x0009): M
- Supported Features (0x0311): M for the HFP AG record; a 16-bit bitmap of the AG's capabilities (the "HFP AG" label in the dissection), which the head unit uses to decide which AT commands it can issue;
SDP_ServiceSearchRequest PDU and SDP_ServiceSearchResponse PDU
An SDP client generates an SDP_ServiceSearchRequest to locate the service records matching a given service search pattern, which is the first parameter of the PDU. On receiving a valid request the SDP server checks its service record database and returns an SDP_ServiceSearchResponse containing the list of service record handles that match the pattern; only handles are returned, not attributes.
SDP_ServiceAttributeRequest PDU and SDP_ServiceAttributeResponse PDU
An SDP client generates an SDP_ServiceAttributeRequest to retrieve specified attribute values from one specified service record; its parameters are the service record handle of that record and the list of attribute IDs to retrieve. On receiving a valid request the server returns an SDP_ServiceAttributeResponse carrying the requested attributes (attribute ID and value) of that record.
SDP_ServiceSearchAttributeRequest PDU and SDP_ServiceSearchAttributeResponse PDU
The SDP_ServiceSearchAttributeRequest transaction combines SDP_ServiceSearchRequest and SDP_ServiceAttributeRequest in a single request: its parameters are both a service search pattern and a list of attribute IDs, and the attributes are retrieved from every service record that matches the pattern. On receiving a valid request the server returns an SDP_ServiceSearchAttributeResponse containing, for each matching service record, a list of its requested attributes (attribute ID and value). This is the variant the head unit uses above, so it learns the AG's RFCOMM channel and feature set in one round trip.
yaml
Bluetooth
[Source: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
[Destination: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 60
CID: Dynamically Allocated Channel (0x0052)
[Connect in frame: 861]
[Disconnect in frame: 880]
[PSM: SDP (0x0001)]
Bluetooth SDP Protocol
PDU: Service Search Attribute Response (0x07)
Transaction Id: 0x0000
Parameter Length: 55
Attribute List Byte Count: 52
Attribute Lists [count = 1]
Data Element: Sequence uint8 50 bytes
0011 0... = Data Element Type: Sequence (6)
.... .101 = Data Element Size: uint8 (5)
Data Element Var Size: 50
Data Value
Attribute List [count = 4] (Handsfree Audio Gateway)
Data Element: Sequence uint16 47 bytes
0011 0... = Data Element Type: Sequence (6)
.... .110 = Data Element Size: uint16 (6)
Data Element Var Size: 47
Data Value
Service Attribute: Service Class ID List (0x1), value = Handsfree Audio Gateway -> Generic Audio
Attribute ID: Service Class ID List
Data Element: Unsigned Integer 2 bytes
0000 1... = Data Element Type: Unsigned Integer (1)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Attribute ID: Service Class ID List (0x0001)
Value
Data Element: Sequence uint8 6 bytes
0011 0... = Data Element Type: Sequence (6)
.... .101 = Data Element Size: uint8 (5)
Data Element Var Size: 6
Data Value
Data Element: UUID 2 bytes
0001 1... = Data Element Type: UUID (3)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Value: UUID: Handsfree Audio Gateway (0x111f)
Data Element: UUID 2 bytes
0001 1... = Data Element Type: UUID (3)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Value: UUID: Generic Audio (0x1203)
Service Attribute: Protocol Descriptor List (0x4), value = L2CAP -> RFCOMM:3
Attribute ID: Protocol Descriptor List
Data Element: Unsigned Integer 2 bytes
0000 1... = Data Element Type: Unsigned Integer (1)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Attribute ID: Protocol Descriptor List (0x0004)
Value
Data Element: Sequence uint8 12 bytes
0011 0... = Data Element Type: Sequence (6)
.... .101 = Data Element Size: uint8 (5)
Data Element Var Size: 12
Data Value
Protocol #1: L2CAP
Data Element: Sequence uint8 3 bytes
0011 0... = Data Element Type: Sequence (6)
.... .101 = Data Element Size: uint8 (5)
Data Element Var Size: 3
Data Value
Protocol Entry: L2CAP
Data Element: UUID 2 bytes
0001 1... = Data Element Type: UUID (3)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Value: UUID: L2CAP (0x0100)
Protocol #2: RFCOMM, RFCOMM Channel: 3
Data Element: Sequence uint8 5 bytes
0011 0... = Data Element Type: Sequence (6)
.... .101 = Data Element Size: uint8 (5)
Data Element Var Size: 5
Data Value
Protocol Entry: RFCOMM, RFCOMM Channel: 3
Data Element: UUID 2 bytes
0001 1... = Data Element Type: UUID (3)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Value: UUID: RFCOMM (0x0003)
Data Element: Unsigned Integer 1 byte (0 bytes if Nil)
0000 1... = Data Element Type: Unsigned Integer (1)
.... .000 = Data Element Size: 1 byte (0 bytes if Nil) (0)
Data Value
RFCOMM Channel: 3 (0x03)
Service Attribute: Bluetooth Profile Descriptor List (0x9), value = Handsfree 1.6
Attribute ID: Bluetooth Profile Descriptor List
Data Element: Unsigned Integer 2 bytes
0000 1... = Data Element Type: Unsigned Integer (1)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Attribute ID: Bluetooth Profile Descriptor List (0x0009)
Value
Data Element: Sequence uint8 8 bytes
0011 0... = Data Element Type: Sequence (6)
.... .101 = Data Element Size: uint8 (5)
Data Element Var Size: 8
Data Value
Data Element: Sequence uint8 6 bytes
0011 0... = Data Element Type: Sequence (6)
.... .101 = Data Element Size: uint8 (5)
Data Element Var Size: 6
Data Value
Profile Descriptor List #1: Handsfree, Version 1.6
Data Element: UUID 2 bytes
0001 1... = Data Element Type: UUID (3)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Value: UUID: Handsfree (0x111e)
Data Element: Unsigned Integer 2 bytes
0000 1... = Data Element Type: Unsigned Integer (1)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Protocol Version: 0x0106
Service Attribute: (HFP AG) Supported Features (0x311), value = (Three Way Calling) (EC and/or Nr Function) (Voice Recognition Function) (Inband Ring Tone Capability) (Wide Band Speech)
Attribute ID: Supported Features
Data Element: Unsigned Integer 2 bytes
0000 1... = Data Element Type: Unsigned Integer (1)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
Attribute ID: Supported Features (0x0311)
Value
Data Element: Unsigned Integer 2 bytes
0000 1... = Data Element Type: Unsigned Integer (1)
.... .001 = Data Element Size: 2 bytes (1)
Data Value
0000 0000 00.. .... = Supported Features: Reserved: 0x000
.... .... ..1. .... = Supported Features: Wide Band Speech: True
.... .... ...0 .... = Supported Features: Attach a Phone Number to a Voice Tag: False
.... .... .... 1... = Supported Features: Inband Ring Tone Capability: True
.... .... .... .1.. = Supported Features: Voice Recognition Function: True
.... .... .... ..1. = Supported Features: EC and/or Nr Function: True
.... .... .... ...1 = Supported Features: Three Way Calling: True
Continuation State: no (00)
The response carries the attributes of the single matching service record: the service classes (Handsfree Audio Gateway, Generic Audio), the protocol stack (L2CAP, then RFCOMM on server channel 3), the profile version (Handsfree 1.6) and the AG's Supported Features bitmap (0x002F, i.e. three-way calling, EC/NR, voice recognition, in-band ring tone and wide-band speech). The RFCOMM server channel is the value the next step, RFCOMM_CreateConnection, needs.
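The request and response above can be rebuilt and parsed with a small codec. The following is an added example, not bluedroid code: it encodes the SDP_ServiceSearchAttributeRequest exactly as dissected (UUID 0x111F, MaximumAttributeByteCount 1008, the four attribute IDs) and parses the response, reconstructed here byte for byte from the decoded fields of the dissection, back into the RFCOMM channel, profile version and AG feature bits. Every data-element length is checked against its enclosing container before it is read, because the peer controls every one of those length bytes; the attribute and UUID constants are the values shown in the dissection.

```python
"""Minimal SDP codec: builds the SDP_ServiceSearchAttributeRequest dissected above and
parses the AG's SDP_ServiceSearchAttributeResponse, checking every data-element length
against its enclosing container. Added example, not bluedroid code."""
import struct

DE_NIL, DE_UINT, DE_SINT, DE_UUID, DE_STR, DE_BOOL, DE_SEQ, DE_ALT, DE_URL = range(9)
FIXED_SIZES = (1, 2, 4, 8, 16)                  # size index 0..4 -> fixed payload length
PDU_SEARCH_ATTR_REQ, PDU_SEARCH_ATTR_RSP = 0x06, 0x07
ATTR_SERVICE_CLASS_ID_LIST, ATTR_PROTOCOL_DESCRIPTOR_LIST = 0x0001, 0x0004
ATTR_PROFILE_DESCRIPTOR_LIST, ATTR_HFP_SUPPORTED_FEATURES = 0x0009, 0x0311
UUID_RFCOMM, UUID_HFP_AG = 0x0003, 0x111F
AG_FEATURE_BITS = ["Three Way Calling", "EC and/or NR Function", "Voice Recognition Function",
                   "Inband Ring Tone Capability", "Attach a Phone Number to a Voice Tag",
                   "Wide Band Speech"]            # bits 0..5 of attribute 0x0311

# --- encoding: only the element kinds the request needs ---
def de_uint16(v): return bytes([0x09]) + struct.pack(">H", v)    # type 1, size index 1
def de_uuid16(v): return bytes([0x19]) + struct.pack(">H", v)    # type 3, size index 1
def de_seq(*elems):                                              # type 6, 1-byte length
    body = b"".join(elems)
    return bytes([0x35, len(body)]) + body

def build_search_attr_request(tid, uuids, attr_ids, max_attr_bytes=1008):
    params = (de_seq(*map(de_uuid16, uuids)) + struct.pack(">H", max_attr_bytes)
              + de_seq(*map(de_uint16, attr_ids)) + b"\x00")      # continuation: none
    return struct.pack(">BHH", PDU_SEARCH_ATTR_REQ, tid, len(params)) + params

# --- decoding ---
def de_header(raw, pos, end):
    """Data element header -> (type, payload_start, payload_len). A declared size that
    runs past the enclosing container is rejected instead of being read."""
    descr = raw[pos]
    de_type, size_idx = descr >> 3, descr & 0x07
    if size_idx < 5:
        start, length = pos + 1, 0 if de_type == DE_NIL else FIXED_SIZES[size_idx]
    else:
        width = 1 << (size_idx - 5)               # length stored in the next 1/2/4 bytes
        start = pos + 1 + width
        if start > end:
            raise ValueError("truncated data element size")
        length = int.from_bytes(raw[pos + 1:start], "big")
    if start + length > end:
        raise ValueError("data element overruns its container")
    return de_type, start, length

def de_decode(raw, pos=0, end=None):
    """Decode consecutive data elements: sequences -> lists, UUIDs -> ("uuid", int),
    integers -> int, strings -> str."""
    end = len(raw) if end is None else end
    out = []
    while pos < end:
        de_type, start, length = de_header(raw, pos, end)
        body = raw[start:start + length]
        if de_type in (DE_UINT, DE_SINT):
            out.append(int.from_bytes(body, "big", signed=de_type == DE_SINT))
        elif de_type == DE_UUID:
            out.append(("uuid", int.from_bytes(body, "big")))
        elif de_type in (DE_SEQ, DE_ALT):
            out.append(de_decode(raw, start, start + length))
        elif de_type in (DE_STR, DE_URL):
            out.append(body.decode("utf-8", "replace"))
        else:
            out.append(bool(body[0]) if de_type == DE_BOOL else None)
        pos = start + length
    return out

def parse_search_attr_response(pdu):
    """Return ([{attribute id: value} per matching record], continuation state byte)."""
    if len(pdu) < 8:
        raise ValueError("PDU too short")
    pdu_id, tid, plen = struct.unpack(">BHH", pdu[:5])
    if pdu_id != PDU_SEARCH_ATTR_RSP or plen != len(pdu) - 5:
        raise ValueError("malformed SDP_ServiceSearchAttributeResponse")
    attr_bytes = struct.unpack(">H", pdu[5:7])[0]
    if 7 + attr_bytes + 1 > len(pdu):
        raise ValueError("AttributeListByteCount runs past the PDU")
    top = de_decode(pdu, 7, 7 + attr_bytes)
    if len(top) != 1 or not isinstance(top[0], list):
        raise ValueError("AttributeLists must be one sequence of sequences")
    records = []
    for rec in top[0]:                            # each record: id, value, id, value, ...
        if not isinstance(rec, list) or len(rec) % 2:
            raise ValueError("attribute list is not id/value pairs")
        records.append(dict(zip(rec[0::2], rec[1::2])))
    return records, pdu[7 + attr_bytes]

def describe_hfp_ag_record(attrs):
    """Pull out what the HF client needs: RFCOMM channel, profile version, AG features."""
    info = {"service_classes": [u for _, u in attrs[ATTR_SERVICE_CLASS_ID_LIST]]}
    for entry in attrs[ATTR_PROTOCOL_DESCRIPTOR_LIST]:   # [[L2CAP], [RFCOMM, channel]]
        if entry[0] == ("uuid", UUID_RFCOMM):
            info["rfcomm_channel"] = entry[1]
    profile = attrs[ATTR_PROFILE_DESCRIPTOR_LIST][0]      # [uuid, version]
    info["profile"] = (profile[0][1], profile[1])
    feats = attrs[ATTR_HFP_SUPPORTED_FEATURES]
    info["features"] = [n for bit, n in enumerate(AG_FEATURE_BITS) if feats >> bit & 1]
    return info

# Rebuilt from the decoded fields of the dissection above (constructed, not a raw dump)
RESPONSE = bytes.fromhex(
    "07 0000 0037"  "0034"  "3532"  "36002f"         # header, byte count 52, two sequences
    "090001 3506 19111f 191203"                      # ServiceClassIDList: HFP AG, Generic Audio
    "090004 350c 3503 190100 3505 190003 0803"       # ProtocolDescriptorList: L2CAP, RFCOMM ch 3
    "090009 3508 3506 19111e 090106"                 # ProfileDescriptorList: Handsfree 1.6
    "090311 09002f"  "00")                           # SupportedFeatures 0x002F, no continuation

if __name__ == "__main__":
    print(build_search_attr_request(0, [UUID_HFP_AG], [0x0001, 0x0004, 0x0009, 0x0311]).hex())
    records, _ = parse_search_attr_response(RESPONSE)
    print(describe_hfp_ag_record(records[0]))
```

The decoder is recursive because SDP values are themselves data elements; the same `de_decode` handles the outer AttributeLists sequence, each record, and the nested protocol descriptor entries. Note that the AG's Supported Features value is trusted as received: a malicious AG can advertise any bitmap it likes, so the HF side must still validate the AT responses it later gets rather than assume the advertised features exist.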
Summary
The SDP search in this trace touches several service records and features; they are listed here and not expanded individually:
- Handsfree Audio Gateway
- PnP Information: Attribute Range
- Handsfree
- L2CAP: Attribute Range
- Audio Source
- Phonebook Access Server: Attribute Range
- A/V Remote Control
Disconnection Request
yaml
Bluetooth
[Source: BarrotTe_50:67:20 (04:7f:0e:50:67:20)]
[Destination: HuaweiDe_42:c7:dd (30:aa:e4:42:c7:dd)]
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol
Length: 8
CID: L2CAP Signaling Channel (0x0001)
Command: Disconnection Request
Command Code: Disconnection Request (0x06)
Command Identifier: 0x06
Command Length: 4
Destination CID: Dynamically Allocated Channel (0x0044)
Source CID: Dynamically Allocated Channel (0x0052)
[PSM: SDP (0x0001)]
[Connect in frame: 861]
A Disconnection Request is sent to tear down an L2CAP channel. Once a device has sent one it must discard anything it still receives on that channel, and once a device has received one it must stop sending data on the channel.
- Destination CID - DCID (2 bytes): the channel endpoint on the device receiving the Disconnection Request;
- Source CID - SCID (2 bytes): the channel endpoint on the device sending the Disconnection Request;
On receiving a valid Disconnection Request the peer replies with a Disconnection Response; a request whose DCID/SCID pair does not match an open channel is answered with a Command Reject (invalid CID) instead.
Sent Connection Request & Sent Configure Request (RFCOMM)
As the earlier flow analysis showed, every upper-layer protocol (SDP, RFCOMM, and so on) opens its channel through the same L2CA_ConnectReq call, so the Connection Request / Configure Request exchange shown above for SDP is repeated unchanged for RFCOMM; only the PSM in the Connection Request (RFCOMM uses PSM 0x0003, SDP 0x0001) and the protocol carried on the resulting channel differ.
The L2CAP channel also uses the same basic transport format in both cases.
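The Configure and Disconnection exchanges above, and the fact that every profile's channel is opened with the same signalling commands, can be exercised with a small codec. This is an added example, not bluedroid code: the Configure Response and Disconnection Request are rebuilt byte for byte from the dissections above (SCID 0x0044, DCID 0x0044/SCID 0x0052), while the command identifiers and the MTU of the constructed Connection Request and Configure Request are assumptions. Each command's declared length is checked against the packet before any field is read, and a Disconnection Request is only accepted when its CID pair matches a channel we actually have open.

```python
"""L2CAP signalling (CID 0x0001) codec for the commands in this trace: Connection Request,
Configure Request/Response and Disconnection Request, with the length checks a receiver
must make before trusting any field. Added example, not bluedroid code."""
import struct

SIGNALING_CID = 0x0001
PSM_SDP, PSM_RFCOMM = 0x0001, 0x0003
CONN_REQ, CONF_REQ, CONF_RSP, DISC_REQ = 0x02, 0x04, 0x05, 0x06
OPT_MTU, MIN_MTU = 0x01, 48                    # option type 1; smallest MTU L2CAP permits

def l2cap_packet(cid, payload):
    """Basic L2CAP header: Length (LE16, payload only) + Channel ID (LE16)."""
    return struct.pack("<HH", len(payload), cid) + payload

def command(code, ident, data):
    """Signalling command header: Code, Identifier, Length (LE16, data only)."""
    return struct.pack("<BBH", code, ident, len(data)) + data

def conn_req(ident, psm, scid):
    return command(CONN_REQ, ident, struct.pack("<HH", psm, scid))

def conf_req(ident, dcid, mtu=None):
    options = b"" if mtu is None else struct.pack("<BBH", OPT_MTU, 2, mtu)
    return command(CONF_REQ, ident, struct.pack("<HH", dcid, 0) + options)

def conf_rsp(ident, scid, result=0):
    return command(CONF_RSP, ident, struct.pack("<HHH", scid, 0, result))

def disc_req(ident, dcid, scid):
    return command(DISC_REQ, ident, struct.pack("<HH", dcid, scid))

def _fixed(fmt, data):
    """Unpack the fixed fields of a command, refusing data that is too short for them."""
    n = struct.calcsize(fmt)
    if len(data) < n:
        raise ValueError("command shorter than its fixed fields")
    return struct.unpack(fmt, data[:n]), data[n:]

def parse_options(data):
    """Walk configuration option TLVs; every declared length must fit in the command."""
    opts, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated option header")
        otype, olen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("option length runs past the command")
        if otype & 0x7F == OPT_MTU:
            if olen != 2:
                raise ValueError("MTU option must be 2 bytes")
            mtu = struct.unpack("<H", value)[0]
            if mtu < MIN_MTU:
                raise ValueError(f"MTU {mtu} below the L2CAP minimum")
            opts["mtu"] = mtu
        elif not otype & 0x80:                 # bit 7 set marks a hint that may be skipped
            raise ValueError(f"unknown option type 0x{otype:02x}")
        pos += 2 + olen
    return opts

def parse_signaling(packet):
    """Parse one L2CAP packet on the signalling channel into a list of command dicts."""
    if len(packet) < 4:
        raise ValueError("short L2CAP header")
    length, cid = struct.unpack("<HH", packet[:4])
    body = packet[4:]
    if cid != SIGNALING_CID or length != len(body):
        raise ValueError("not a well-formed signalling packet")
    cmds, pos = [], 0
    while pos < len(body):                     # several commands may share one packet
        if pos + 4 > len(body):
            raise ValueError("truncated command header")
        code, ident, clen = struct.unpack("<BBH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + clen]
        if len(data) != clen:
            raise ValueError("command length runs past the packet")
        cmd = {"code": code, "id": ident}
        if code == CONN_REQ:
            (cmd["psm"], cmd["scid"]), _ = _fixed("<HH", data)
        elif code == CONF_REQ:
            (cmd["dcid"], cmd["flags"]), rest = _fixed("<HH", data)
            cmd["options"] = parse_options(rest)
        elif code == CONF_RSP:
            (cmd["scid"], cmd["flags"], cmd["result"]), rest = _fixed("<HHH", data)
            cmd["options"] = parse_options(rest)
        elif code == DISC_REQ:
            (cmd["dcid"], cmd["scid"]), _ = _fixed("<HH", data)
        cmds.append(cmd)
        pos += 4 + clen
    return cmds

def disc_req_is_valid(cmd, local_channels):
    """Accept a Disconnection Request only if its DCID is one of our open channels and its
    SCID is the remote CID recorded for that channel; anything else gets a Command Reject."""
    return local_channels.get(cmd.get("dcid")) == cmd.get("scid")

# Rebuilt from the dissections above: the head unit's Configure Response (id 0x05, SCID 0x0044,
# Success) and Disconnection Request (id 0x06, DCID 0x0044, SCID 0x0052). The identifiers and
# MTU of the Connection/Configure Requests below are assumptions.
CONFIGURE_RESPONSE = l2cap_packet(SIGNALING_CID, conf_rsp(0x05, 0x0044))
DISCONNECTION_REQUEST = l2cap_packet(SIGNALING_CID, disc_req(0x06, 0x0044, 0x0052))
SDP_OPEN = [l2cap_packet(SIGNALING_CID, conn_req(0x03, PSM_SDP, 0x0052)),
            l2cap_packet(SIGNALING_CID, conf_req(0x04, 0x0044, mtu=1024))]

if __name__ == "__main__":
    for pkt in SDP_OPEN + [CONFIGURE_RESPONSE, DISCONNECTION_REQUEST]:
        print(pkt.hex(), parse_signaling(pkt))
```

Swapping PSM_SDP for PSM_RFCOMM in the Connection Request is the whole difference between opening the SDP channel and opening the RFCOMM channel, which is the point the section makes. The CID bookkeeping in `disc_req_is_valid` is what makes a forged Disconnection Request from a peer that guessed a CID harmless: on the phone's side the SDP channel is recorded as local 0x0044 paired with remote 0x0052, and only that pair is accepted.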
RFCOMM Channel
RFCOMM communicates using frames, which are carried as the payload of L2CAP packets; the L2CAP connection must exist before an RFCOMM connection can be established.
RFCOMM has five frame types:
- SABM (Set Asynchronous Balanced Mode): the start-up command;
- UA (Unnumbered Acknowledgement): the response when connected;
- DISC (Disconnect): the disconnect command;
- DM (Disconnected Mode): the response to a command when the link is disconnected;
- UIH (Unnumbered Information with Header check): the data frame; its FCS covers only the address and control fields, not the payload.
SABM, UA, DM and DISC are the low-level control frames. RFCOMM multiplexes channels, each identified by a Data Link Connection Identifier (DLCI): UIH frames on DLCI 0 carry multiplexer control commands (PN, MSC, RPN and so on), and UIH frames on a DLCI other than 0 carry user data, such as the HFP AT commands.
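To make the frame layout concrete, here is an added example (not bluedroid or BlueZ code) that builds and parses RFCOMM frames. The FCS is the GSM 07.10 CRC-8 that RFCOMM uses; the SABM and UA bytes it produces for DLCI 0 are the values these frames have on the air. The AT command payload and the HF feature value in it are constructed, and credit-based flow control (the extra credit byte carried in UIH frames with P/F=1) is left out.

```python
"""RFCOMM framing: build the five frame types, compute the GSM 07.10 FCS and parse frames
back with the checks a receiver must make. Added example, not bluedroid or BlueZ code."""

def _crc_table():
    # reflected CRC-8, polynomial x^8 + x^2 + x + 1 (0x07, reflected 0xE0)
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xE0 if c & 1 else c >> 1
        table.append(c)
    return table

CRC_TABLE = _crc_table()
PF = 0x10                                                  # poll/final bit of the control field
SABM, UA, DM, DISC, UIH = 0x2F, 0x63, 0x0F, 0x43, 0xEF     # control values with P/F clear

def frame_type(control):
    return control & ~PF & 0xFF

def fcs(covered):
    """FCS = 0xFF - CRC over the covered header bytes (CRC initialised to 0xFF)."""
    crc = 0xFF
    for b in covered:
        crc = CRC_TABLE[crc ^ b]
    return 0xFF - crc

def fcs_ok(covered, fcs_byte):
    """Receiver side: the CRC over the covered bytes followed by the FCS must equal 0xCF."""
    crc = 0xFF
    for b in covered + bytes([fcs_byte]):
        crc = CRC_TABLE[crc ^ b]
    return crc == 0xCF

def dlci(server_channel, server_on_initiator):
    """DLCI = 2 * server channel + D. D is 1 when the server application is on the side
    that initiated the RFCOMM session (sent SABM on DLCI 0), 0 when it is on the responder."""
    if not 1 <= server_channel <= 30:
        raise ValueError("RFCOMM server channels are 1..30")
    return (server_channel << 1) | int(server_on_initiator)

def build_frame(dlci_value, control, cr, payload=b""):
    address = 0x01 | (cr << 1) | (dlci_value << 2)          # EA=1 | C/R | DLCI (6 bits)
    n = len(payload)
    if n < 128:
        length = bytes([(n << 1) | 1])                      # one length byte, EA=1
    else:
        length = bytes([(n & 0x7F) << 1, n >> 7])           # two length bytes, first has EA=0
    header = bytes([address, control]) + length
    # FCS covers address+control+length for SABM/UA/DM/DISC, only address+control for UIH
    covered = header[:2] if frame_type(control) == UIH else header
    return header + payload + bytes([fcs(covered)])

def parse_frame(raw):
    """Validate the EA bit, the length field and the FCS, then return the frame's fields."""
    if len(raw) < 4:
        raise ValueError("frame shorter than address+control+length+FCS")
    address, control = raw[0], raw[1]
    if not address & 0x01:
        raise ValueError("address EA bit must be 1")
    if raw[2] & 0x01:
        n, hdr_len = raw[2] >> 1, 3
    else:
        n, hdr_len = (raw[2] >> 1) | (raw[3] << 7), 4
    if len(raw) != hdr_len + n + 1:
        raise ValueError("length field does not match the frame size")
    covered = raw[:2] if frame_type(control) == UIH else raw[:hdr_len]
    if not fcs_ok(covered, raw[-1]):
        raise ValueError("bad FCS")
    return {"dlci": address >> 2, "cr": (address >> 1) & 1, "type": frame_type(control),
            "pf": bool(control & PF), "payload": raw[hdr_len:hdr_len + n]}

def hfp_rfcomm_exchange(at_command):
    """Frames for a head unit (initiator) opening the multiplexer on DLCI 0, the AG's UA, and
    the head unit's first AT command on the AG's server channel 3 (DLCI 6: server on responder)."""
    sabm = build_frame(0, SABM | PF, cr=1)                  # command from initiator: C/R=1, P=1
    ua = build_frame(0, UA | PF, cr=1)                      # response from responder: C/R=1, F=1
    data = build_frame(dlci(3, False), UIH, cr=1, payload=at_command)
    return sabm, ua, data

if __name__ == "__main__":
    for f in hfp_rfcomm_exchange(b"AT+BRSF=191\r"):        # constructed HF feature value
        print(f.hex(), parse_frame(f))
```

Two things the code makes visible that the frame list alone does not: the SABM that opens the session is four bytes, `03 3f 01 1c`, and the UA answering it is `03 73 01 d7`; and because the UIH FCS covers only the address and control octets, a modified AT command body in a UIH frame still parses as valid. Integrity of the RFCOMM payload therefore rests entirely on the encrypted baseband link, not on the RFCOMM layer itself.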
HFP AT command exchange
As established earlier, once the RFCOMM connection is up, bta_hf_client_slc_seq drives the Service Level Connection: it sends the AT commands that the negotiated conditions call for and waits for each one's response before moving on.
The AT command logic itself is covered in the "AT 指令详解" (AT commands in detail) part of 蓝牙电话数据包分析 (Bluetooth phone packet analysis); that section describes the AT command sequence HFP runs right after start-up, before any call is in progress.