1# 2 3BTstack is a modular dual-mode Bluetooth stack, supporting both 4Bluetooth Basic Rate/Enhanced Date Rate (BR/EDR) as well as Bluetooth 5Low Energy (LE). The BR/EDR technology, also known as Classic Bluetooth, 6provides a robust wireless connection between devices designed for high 7data rates. In contrast, the LE technology has a lower throughput but 8also lower energy consumption, faster connection setup, and the ability 9to connect to more devices in parallel. 10 11Whether Classic or LE, a Bluetooth device implements one or more 12Bluetooth profiles. A Bluetooth profile specifies how one or more 13Bluetooth protocols are used to achieve its goals. For example, every 14Bluetooth device must implement the Generic Access Profile (GAP), which 15defines how devices find each other and how they establish a connection. 16This profile mainly make use of the Host Controller Interface (HCI) 17protocol, the lowest protocol in the stack hierarchy which implements a 18command interface to the Bluetooth chipset. 19 20In addition to GAP, a popular Classic Bluetooth example would be a 21peripheral devices that can be connected via the Serial Port Profile 22(SPP). SPP basically specifies that a compatible device should provide a 23Service Discovery Protocol (SDP) record containing an RFCOMM channel 24number, which will be used for the actual communication. 25 26Similarly, for every LE device, the Generic Attribute Profile (GATT) 27profile must be implemented in addition to GAP. GATT is built on top of 28the Attribute Protocol (ATT), and defines how one device can interact 29with GATT Services on a remote device. 30 31So far, the most popular use of BTstack is in peripheral devices that 32can be connected via SPP (Android 2.0 or higher) and GATT (Android 4.3 33or higher, and iOS 5 or higher). If higher data rates are required 34between a peripheral and iOS device, the iAP1 and iAP2 protocols of the 35Made for iPhone program can be used instead of GATT. Please contact us 36directly for information on BTstack and MFi. 37 38Figure {@fig:BTstackProtocolArchitecture} depicts Bluetooth protocols 39and profiles that are currently implemented by BTstack. 40In the following, we first explain how the various Bluetooth protocols 41are used in BTstack. In the next chapter, we go over the profiles. 42 43 {#fig:BTstackProtocolArchitecture} 44 45 46## HCI - Host Controller Interface 47 48The HCI protocol provides a command interface to the Bluetooth chipset. 49In BTstack, the HCI implementation also keeps track of all active 50connections and handles the fragmentation and re-assembly of higher 51layer (L2CAP) packets. 52 53Please note, that an application rarely has to send HCI commands on its 54own. Instead, BTstack provides convenience functions in GAP and higher 55level protocols that use HCI automatically. E.g. to set the name, you 56call *gap_set_local_name()* before powering up. The main use of HCI 57commands in application is during the startup phase to configure special 58features that are not available via the GAP API yet. How to send a 59custom HCI command is explained in the following section. 60 61### Defining custom HCI command templates 62 63Each HCI command is assigned a 2-byte OpCode used to uniquely identify 64different types of commands. The OpCode parameter is divided into two 65fields, called the OpCode Group Field (OGF) and OpCode Command Field 66(OCF), see [Bluetooth Specification](https://www.bluetooth.org/Technical/Specifications/adopted.htm) - 67Core Version 4.0, Volume 2, Part E, Chapter 5.4. 68 69Listing [below](#lst:hciOGFs) shows the OGFs provided by BTstack in file [src/hci.h](): 70 71~~~~ {#lst:hciOGFs .c caption="{HCI OGFs provided by BTstack.}"} 72 73 #define OGF_LINK_CONTROL 0x01 74 #define OGF_LINK_POLICY 0x02 75 #define OGF_CONTROLLER_BASEBAND 0x03 76 #define OGF_INFORMATIONAL_PARAMETERS 0x04 77 #define OGF_LE_CONTROLLER 0x08 78 #define OGF_BTSTACK 0x3d 79 #define OGF_VENDOR 0x3f 80~~~~ 81 82For all existing Bluetooth 83commands and their OCFs see [Bluetooth Specification](https://www.bluetooth.org/Technical/Specifications/adopted.htm) - 84Core Version 4.0, Volume 2, Part E, Chapter 7. 85 86In a HCI command packet, the OpCode is followed by parameter total 87length, and the actual parameters. The OpCode of a command can be 88calculated using the OPCODE macro. BTstack provides the *hci_cmd_t* 89struct as a compact format to define HCI command packets, see 90Listing [below](#lst:HCIcmdTemplate), and [include/btstack/hci_cmd.h]() 91file in the source code. 92 93~~~~ {#lst:HCIcmdTemplate .c caption="{HCI command struct.}"} 94 95 // Calculate combined ogf/ocf value. 96 #define OPCODE(ogf, ocf) (ocf | ogf << 10) 97 98 // Compact HCI Command packet description. 99 typedef struct { 100 uint16_t opcode; 101 const char *format; 102 } hci_cmd_t; 103~~~~ 104 105Listing [below](#lst:HCIcmdExample) illustrates the *hci_write_local_name* HCI 106command template from library: 107 108~~~~ {#lst:HCIcmdExample .c caption="{HCI command example.}"} 109 110 // Sets local Bluetooth name 111 const hci_cmd_t hci_write_local_name = { 112 OPCODE(OGF_CONTROLLER_BASEBAND, 0x13), "N" 113 // Local name (UTF-8, Null Terminated, max 248 octets) 114 }; 115~~~~ 116 117It uses OGF_CONTROLLER_BASEBAND as OGF, 1180x13 as OCF, and has one parameter with format “N” indicating a null 119terminated UTF-8 string. Table {@tbl:hciCmdParamSpecifier} lists the format 120specifiers supported by BTstack. Check for other predefined HCI commands 121and info on their parameters. 122 123 ------------------- ---------------------------------------------------- 124 Format Specifier Description 125 1,2,3,4 one to four byte value 126 A 31 bytes advertising data 127 B Bluetooth Baseband Address 128 D 8 byte data block 129 E Extended Inquiry Information 240 octets 130 H HCI connection handle 131 N Name up to 248 chars, UTF8 string, null terminated 132 P 16 byte Pairing code, e.g. PIN code or link key 133 S Service Record (Data Element Sequence) 134 ------------------- ---------------------------------------------------- 135 136Table: Supported Format Specifiers of HCI Command Parameter. {#tbl:hciCmdParamSpecifier} 137 138 139### Sending HCI command based on a template {#sec:sendingHCIProtocols} 140 141You can use the *hci_send_cmd* function to send HCI command based on a 142template and a list of parameters. However, it is necessary to check 143that the outgoing packet buffer is empty and that the Bluetooth module 144is ready to receive the next command - most modern Bluetooth modules 145only allow to send a single HCI command. This can be done by calling 146*hci_can_send_command_packet_now()* function, which returns true, 147if it is ok to send. 148 149Listing [below](#lst:HCIcmdExampleLocalName) illustrates how to manually set the 150device name with the HCI Write Local Name command. 151 152~~~~ {#lst:HCIcmdExampleLocalName .c caption="{Sending HCI command example.}"} 153 154 if (hci_can_send_command_packet_now()){ 155 hci_send_cmd(&hci_write_local_name, "BTstack Demo"); 156 } 157~~~~ 158 159Please note, that an application rarely has to send HCI commands on its 160own. Instead, BTstack provides convenience functions in GAP and higher 161level protocols that use HCI automatically. 162 163 164## L2CAP - Logical Link Control and Adaptation Protocol 165 166 167The L2CAP protocol supports higher level protocol multiplexing and 168packet fragmentation. It provides the base for the RFCOMM and BNEP 169protocols. For all profiles that are officially supported by BTstack, 170L2CAP does not need to be used directly. For testing or the development 171of custom protocols, it’s helpful to be able to access and provide L2CAP 172services however. 173 174### Access an L2CAP service on a remote device 175 176L2CAP is based around the concept of channels. A channel is a logical 177connection on top of a baseband connection. Each channel is bound to a 178single protocol in a many-to-one fashion. Multiple channels can be bound 179to the same protocol, but a channel cannot be bound to multiple 180protocols. Multiple channels can share the same baseband connection. 181 182To communicate with an L2CAP service on a remote device, the application 183on a local Bluetooth device initiates the L2CAP layer using the 184*l2cap_init* function, and then creates an outgoing L2CAP channel to 185the PSM of a remote device using the *l2cap_create_channel* 186function. The *l2cap_create_channel* function will initiate 187a new baseband connection if it does not already exist. The packet 188handler that is given as an input parameter of the L2CAP create channel 189function will be assigned to the new outgoing L2CAP channel. This 190handler receives the L2CAP_EVENT_CHANNEL_OPENED and 191L2CAP_EVENT_CHANNEL_CLOSED events and L2CAP data packets, as shown 192in Listing [below](#lst:L2CAPremoteService). 193 194 195~~~~ {#lst:L2CAPremoteService .c caption="{Accessing an L2CAP service on a remote device.}"} 196 197 btstack_packet_handler_t l2cap_packet_handler; 198 199 void l2cap_packet_handler(uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 200 bd_addr_t event_addr; 201 switch (packet_type){ 202 case HCI_EVENT_PACKET: 203 switch (hci_event_packet_get_type(packet)){ 204 case L2CAP_EVENT_CHANNEL_OPENED: 205 l2cap_event_channel_opened_get_address(packet, &event_addr); 206 psm = l2cap_event_channel_opened_get_psm(packet); 207 local_cid = l2cap_event_channel_opened_get_local_cid(packet); 208 handle = l2cap_event_channel_opened_get_handle(packet); 209 if (l2cap_event_channel_opened_get_status(packet)) { 210 printf("Connection failed\n\r"); 211 } else 212 printf("Connected\n\r"); 213 } 214 break; 215 case L2CAP_EVENT_CHANNEL_CLOSED: 216 break; 217 ... 218 } 219 case L2CAP_DATA_PACKET: 220 // handle L2CAP data packet 221 break; 222 ... 223 } 224 } 225 226 void create_outgoing_l2cap_channel(bd_addr_t address, uint16_t psm, uint16_t mtu){ 227 l2cap_create_channel(NULL, l2cap_packet_handler, remote_bd_addr, psm, mtu); 228 } 229 230 void btstack_setup(){ 231 ... 232 l2cap_init(); 233 } 234 235~~~~ 236 237### Provide an L2CAP service 238 239To provide an L2CAP service, the application on a local Bluetooth device 240must init the L2CAP layer and register the service with 241*l2cap_register_service*. From there on, it can wait for 242incoming L2CAP connections. The application can accept or deny an 243incoming connection by calling the *l2cap_accept_connection* 244and *l2cap_deny_connection* functions respectively. 245 246If a connection is accepted and the incoming L2CAP channel gets successfully 247opened, the L2CAP service can send and receive L2CAP data packets to the connected 248device with *l2cap_send*. 249 250Listing [below](#lst:L2CAPService) 251provides L2CAP service example code. 252 253~~~~ {#lst:L2CAPService .c caption="{Providing an L2CAP service.}"} 254 255 void packet_handler (uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 256 bd_addr_t event_addr; 257 switch (packet_type){ 258 case HCI_EVENT_PACKET: 259 switch (hci_event_packet_get_type(packet)){ 260 case L2CAP_EVENT_INCOMING_CONNECTION: 261 local_cid = l2cap_event_incoming_connection_get_local_cid(packet); 262 l2cap_accept_connection(local_cid); 263 break; 264 case L2CAP_EVENT_CHANNEL_OPENED: 265 l2cap_event_channel_opened_get_address(packet, &event_addr); 266 psm = l2cap_event_channel_opened_get_psm(packet); 267 local_cid = l2cap_event_channel_opened_get_local_cid(packet); 268 handle = l2cap_event_channel_opened_get_handle(packet); 269 if (l2cap_event_channel_opened_get_status(packet)) { 270 printf("Connection failed\n\r"); 271 } else 272 printf("Connected\n\r"); 273 } 274 break; 275 case L2CAP_EVENT_CHANNEL_CLOSED: 276 break; 277 ... 278 } 279 case L2CAP_DATA_PACKET: 280 // handle L2CAP data packet 281 break; 282 ... 283 } 284 } 285 286 void btstack_setup(){ 287 ... 288 l2cap_init(); 289 l2cap_register_service(NULL, packet_handler, 0x11,100); 290 } 291 292~~~~ 293 294### Sending L2CAP Data {#sec:l2capSendProtocols} 295 296Sending of L2CAP data packets may fail due to a full internal BTstack 297outgoing packet buffer, or if the ACL buffers in the Bluetooth module 298become full, i.e., if the application is sending faster than the packets 299can be transferred over the air. 300 301Instead of directly calling *l2cap_send*, it is recommended to call 302*l2cap_request_can_send_now_event(cahnnel_id)* which will trigger an L2CAP_EVENT_CAN_SEND_NOW 303as soon as possible. It might happen that the event is received via 304packet handler before the *l2cap_request_can_send_now_event* function returns. 305The L2CAP_EVENT_CAN_SEND_NOW indicates a channel ID on which sending is possible. 306 307Please note that the guarantee that a packet can be sent is only valid when the event is received. 308After returning from the packet handler, BTstack might need to send itself. 309 310### LE Data Channels 311 312The full title for LE Data Channels is actually LE Connection-Oriented Channels with LE Credit-Based Flow-Control Mode. In this mode, data is sent as Service Data Units (SDUs) that can be larger than an individual HCI LE ACL packet. 313 314LE Data Channels are similar to Classic L2CAP Channels but also provide a credit-based flow control similar to RFCOMM Channels. 315Unless the LE Data Packet Extension of Bluetooth Core 4.2 specification is used, the maximum packet size for LE ACL packets is 27 bytes. In order to send larger packets, each packet will be split into multiple ACL LE packets and recombined on the receiving side. 316 317Since multiple SDUs can be transmitted at the same time and the individual ACL LE packets can be sent interleaved, BTstack requires a dedicated receive buffer per channel that has to be passed when creating the channel or accepting it. Similarly, when sending SDUs, the data provided to the *l2cap_cbm_send_data* must stay valid until the *L2CAP_EVENT_LE_PACKET_SENT* is received. 318 319When creating an outgoing connection of accepting an incoming, the *initial_credits* allows to provide a fixed number of credits to the remote side. Further credits can be provided anytime with *l2cap_cbm_provide_credits*. If *L2CAP_LE_AUTOMATIC_CREDITS* is used, BTstack automatically provides credits as needed - effectively trading in the flow-control functionality for convenience. 320 321The remainder of the API is similar to the one of L2CAP: 322 323 * *l2cap_cbm_register_service* and *l2cap_cbm_unregister_service* are used to manage local services. 324 * *l2cap_cbm_accept_connection* and *l2cap_cbm_decline_connection* are used to accept or deny an incoming connection request. 325 * *l2cap_cbm_create_channel* creates an outgoing connections. 326 * *l2cap_cbm_can_send_now* checks if a packet can be scheduled for transmission now. 327 * *l2cap_cbm_request_can_send_now_event* requests an *L2CAP_EVENT_LE_CAN_SEND_NOW* event as soon as possible. 328 * *l2cap_cbm_disconnect* closes the connection. 329 330## RFCOMM - Radio Frequency Communication Protocol 331 332The Radio frequency communication (RFCOMM) protocol provides emulation 333of serial ports over the L2CAP protocol and reassembly. It is the base 334for the Serial Port Profile and other profiles used for 335telecommunication like Head-Set Profile, Hands-Free Profile, Object 336Exchange (OBEX) etc. 337 338### No RFCOMM packet boundaries {#sec:noRfcommPacketBoundaries} 339 340As RFCOMM emulates a serial port, it does not preserve packet boundaries. 341 342On most operating systems, RFCOMM/SPP will be modeled as a pipe that allows 343to write a block of bytes. The OS and the Bluetooth Stack are free to buffer 344and chunk this data in any way it seems fit. In your BTstack application, you will 345therefore receive this data in the same order, but there are no guarantees as 346how it might be fragmented into multiple chunks. 347 348If you need to preserve the concept of sending a packet with a specific size 349over RFCOMM, the simplest way is to prefix the data with a 2 or 4 byte length field 350and then reconstruct the packet on the receiving side. 351 352Please note, that due to BTstack's 'no buffers' policy, BTstack will send outgoing RFCOMM data immediately 353and implicitly preserve the packet boundaries, i.e., it will send the data as a single 354RFCOMM packet in a single L2CAP packet, which will arrive in one piece. 355While this will hold between two BTstack instances, it's not a good idea to rely on implementation details 356and rather prefix the data as described. 357 358### RFCOMM flow control {#sec:flowControlProtocols} 359 360RFCOMM has a mandatory credit-based flow-control. This means that two 361devices that established RFCOMM connection, use credits to keep track of 362how many more RFCOMM data packets can be sent to each. If a device has 363no (outgoing) credits left, it cannot send another RFCOMM packet, the 364transmission must be paused. During the connection establishment, 365initial credits are provided. BTstack tracks the number of credits in 366both directions. If no outgoing credits are available, the RFCOMM send 367function will return an error, and you can try later. For incoming data, 368BTstack provides channels and services with and without automatic credit 369management via different functions to create/register them respectively. 370If the management of credits is automatic, the new credits are provided 371when needed relying on ACL flow control - this is only useful if there 372is not much data transmitted and/or only one physical connection is 373used. If the management of credits is manual, credits are provided by 374the application such that it can manage its receive buffers explicitly. 375 376 377### Access an RFCOMM service on a remote device {#sec:rfcommClientProtocols} 378 379To communicate with an RFCOMM service on a remote device, the 380application on a local Bluetooth device initiates the RFCOMM layer using 381the *rfcomm_init* function, and then creates an outgoing RFCOMM channel 382to a given server channel on a remote device using the 383*rfcomm_create_channel* function. The 384*rfcomm_create_channel* function will initiate a new L2CAP 385connection for the RFCOMM multiplexer, if it does not already exist. The 386channel will automatically provide enough credits to the remote side. To 387provide credits manually, you have to create the RFCOMM connection by 388calling *rfcomm_create_channel_with_initial_credits* - 389see Section [on manual credit assignement](#sec:manualCreditsProtocols). 390 391The packet handler that is given as an input parameter of the RFCOMM 392create channel function will be assigned to the new outgoing channel. 393This handler receives the RFCOMM_EVENT_CHANNEL_OPENED and 394RFCOMM_EVENT_CHANNEL_CLOSED events, and RFCOMM data packets, as shown in 395Listing [below](#lst:RFCOMMremoteService). 396 397 398~~~~ {#lst:RFCOMMremoteService .c caption="{RFCOMM handler for outgoing RFCOMM channel.}"} 399 400 void rfcomm_packet_handler(uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 401 switch (packet_type){ 402 case HCI_EVENT_PACKET: 403 switch (hci_event_packet_get_type(packet)){ 404 case RFCOMM_EVENT_CHANNEL_OPENED: 405 if (rfcomm_event_open_channel_complete_get_status(packet)) { 406 printf("Connection failed\n\r"); 407 } else { 408 printf("Connected\n\r"); 409 } 410 break; 411 case RFCOMM_EVENT_CHANNEL_CLOSED: 412 break; 413 ... 414 } 415 break; 416 case RFCOMM_DATA_PACKET: 417 // handle RFCOMM data packets 418 return; 419 } 420 } 421 422 void create_rfcomm_channel(uint8_t packet_type, uint8_t *packet, uint16_t size){ 423 rfcomm_create_channel(rfcomm_packet_handler, addr, rfcomm_channel); 424 } 425 426 void btstack_setup(){ 427 ... 428 l2cap_init(); 429 rfcomm_init(); 430 } 431 432 433~~~~ 434 435### Provide an RFCOMM service {#sec:rfcommServiceProtocols} 436 437To provide an RFCOMM service, the application on a local Bluetooth 438device must first init the L2CAP and RFCOMM layers and then register the 439service with *rfcomm_register_service*. From there on, it 440can wait for incoming RFCOMM connections. The application can accept or 441deny an incoming connection by calling the 442*rfcomm_accept_connection* and *rfcomm_deny_connection* functions respectively. 443If a connection is accepted and the incoming RFCOMM channel gets successfully 444opened, the RFCOMM service can send RFCOMM data packets to the connected 445device with *rfcomm_send* and receive data packets by the 446packet handler provided by the *rfcomm_register_service* 447call. 448 449Listing [below](#lst:RFCOMMService) provides the RFCOMM service example code. 450 451~~~~ {#lst:RFCOMMService .c caption="{Providing an RFCOMM service.}"} 452 453 void packet_handler(uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 454 switch (packet_type){ 455 case HCI_EVENT_PACKET: 456 switch (hci_event_packet_get_type(packet)){ 457 case RFCOMM_EVENT_INCOMING_CONNECTION: 458 rfcomm_channel_id = rfcomm_event_incoming_connection_get_rfcomm_cid(packet); 459 rfcomm_accept_connection(rfcomm_channel_id); 460 break; 461 case RFCOMM_EVENT_CHANNEL_OPENED: 462 if (rfcomm_event_open_channel_complete_get_status(packet)){ 463 printf("RFCOMM channel open failed."); 464 break; 465 } 466 rfcomm_channel_id = rfcomm_event_open_channel_complete_get_rfcomm_cid(packet); 467 mtu = rfcomm_event_open_channel_complete_get_max_frame_size(packet); 468 printf("RFCOMM channel open succeeded, max frame size %u.", mtu); 469 break; 470 case RFCOMM_EVENT_CHANNEL_CLOSED: 471 printf("Channel closed."); 472 break; 473 ... 474 } 475 break; 476 case RFCOMM_DATA_PACKET: 477 // handle RFCOMM data packets 478 return; 479 ... 480 } 481 ... 482 } 483 484 void btstack_setup(){ 485 ... 486 l2cap_init(); 487 rfcomm_init(); 488 rfcomm_register_service(packet_handler, rfcomm_channel_nr, mtu); 489 } 490 491~~~~ 492 493### Slowing down RFCOMM data reception {#sec:manualCreditsProtocols} 494 495RFCOMM’s credit-based flow-control can be used to adapt, i.e., slow down 496the RFCOMM data to your processing speed. For incoming data, BTstack 497provides channels and services with and without automatic credit 498management. If the management of credits is automatic, new credits 499are provided when needed relying on ACL flow control. This is only 500useful if there is not much data transmitted and/or only one physical 501connection is used. See Listing [below](#lst:automaticFlowControl). 502 503~~~~ {#lst:automaticFlowControl .c caption="{RFCOMM service with automatic credit management.}"} 504 void btstack_setup(void){ 505 ... 506 // init RFCOMM 507 rfcomm_init(); 508 rfcomm_register_service(packet_handler, rfcomm_channel_nr, 100); 509 } 510~~~~ 511 512If the management of credits is manual, credits are provided by the 513application such that it can manage its receive buffers explicitly, see 514Listing [below](#lst:explicitFlowControl). 515 516Manual credit management is recommended when received RFCOMM data cannot 517be processed immediately. In the [SPP flow control example](examples/generated/#sec:sppflowcontrolExample), 518delayed processing of received data is 519simulated with the help of a periodic timer. To provide new credits, you 520call the *rfcomm_grant_credits* function with the RFCOMM channel ID 521and the number of credits as shown in Listing [below](#lst:NewCredits). 522 523~~~~ {#lst:explicitFlowControl .c caption="{RFCOMM service with manual credit management.}"} 524 void btstack_setup(void){ 525 ... 526 // init RFCOMM 527 rfcomm_init(); 528 // reserved channel, mtu=100, 1 credit 529 rfcomm_register_service_with_initial_credits(packet_handler, rfcomm_channel_nr, 100, 1); 530 } 531~~~~ 532 533~~~~ {#lst:NewCredits .c caption="{Granting RFCOMM credits.}"} 534 void processing(){ 535 // process incoming data packet 536 ... 537 // provide new credit 538 rfcomm_grant_credits(rfcomm_channel_id, 1); 539 } 540~~~~ 541 542Please note that providing single credits effectively reduces the credit-based 543(sliding window) flow control to a stop-and-wait flow-control that 544limits the data throughput substantially. On the plus side, it allows 545for a minimal memory footprint. If possible, multiple RFCOMM buffers 546should be used to avoid pauses while the sender has to wait for a new 547credit. 548 549### Sending RFCOMM data {#sec:rfcommSendProtocols} 550 551Outgoing packets, both commands and data, are not queued in BTstack. 552This section explains the consequences of this design decision for 553sending data and why it is not as bad as it sounds. 554 555Independent from the number of output buffers, packet generation has to 556be adapted to the remote receiver and/or maximal link speed. Therefore, 557a packet can only be generated when it can get sent. With this 558assumption, the single output buffer design does not impose additional 559restrictions. In the following, we show how this is used for adapting 560the RFCOMM send rate. 561 562When there is a need to send a packet, call *rcomm_request_can_send_now* 563and wait for the reception of the RFCOMM_EVENT_CAN_SEND_NOW event 564to send the packet, as shown in Listing [below](#lst:rfcommRequestCanSendNow). 565 566Please note that the guarantee that a packet can be sent is only valid when the event is received. 567After returning from the packet handler, BTstack might need to send itself. 568 569~~~~ {#lst:rfcommRequestCanSendNow .c caption="{Preparing and sending data.}"} 570 void prepare_data(uint16_t rfcomm_channel_id){ 571 ... 572 // prepare data in data_buffer 573 rfcomm_request_can_send_now_event(rfcomm_channel_id); 574 } 575 576 void send_data(uint16_t rfcomm_channel_id){ 577 rfcomm_send(rfcomm_channel_id, data_buffer, data_len); 578 // packet is handed over to BTstack, we can prepare the next one 579 prepare_data(rfcomm_channel_id); 580 } 581 582 void packet_handler(uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 583 switch (packet_type){ 584 case HCI_EVENT_PACKET: 585 switch (hci_event_packet_get_type(packet)){ 586 ... 587 case RFCOMM_EVENT_CAN_SEND_NOW: 588 rfcomm_channel_id = rfcomm_event_can_send_now_get_rfcomm_cid(packet); 589 send_data(rfcomm_channel_id); 590 break; 591 ... 592 } 593 ... 594 } 595 } 596 } 597 598~~~~ 599 600### Optimized sending of RFCOMM data 601 602When sending RFCOMM data via *rfcomm_send*, BTstack needs to copy the data 603from the user provided buffer into the outgoing buffer. This requires both 604an additional buffer for the user data as well requires a copy operation. 605 606To avoid this, it is possible to directly write the user data into the outgoing buffer. 607 608When get the RFCOMM_CAN_SEND_NOW event, you call *rfcomm_reserve_packet_buffer* to 609lock the buffer for your send operation. Then, you can ask how many bytes you can send 610with *rfcomm_get_max_frame_size* and get a pointer to BTstack's buffer with 611*rfcomm_get_outgoing_buffer*. Now, you can fill that buffer and finally send the 612data with *rfcomm_send_prepared*. 613 614 615## SDP - Service Discovery Protocol 616 617The SDP protocol allows to announce services and discover services 618provided by a remote Bluetooth device. 619 620### Create and announce SDP records 621 622BTstack contains a complete SDP server and allows to register SDP 623records. An SDP record is a list of SDP Attribute *{ID, Value}* pairs 624that are stored in a Data Element Sequence (DES). The Attribute ID is a 62516-bit number, the value can be of other simple types like integers or 626strings or can itself contain other DES. 627 628To create an SDP record for an SPP service, you can call 629*spp_create_sdp_record* from with a pointer to a buffer to store the 630record, the server channel number, and a record name. 631 632For other types of records, you can use the other functions in, using 633the data element *de_* functions. Listing [sdpCreate] shows how an SDP 634record containing two SDP attributes can be created. First, a DES is 635created and then the Service Record Handle and Service Class ID List 636attributes are added to it. The Service Record Handle attribute is added 637by calling the *de_add_number* function twice: the first time to add 6380x0000 as attribute ID, and the second time to add the actual record 639handle (here 0x1000) as attribute value. The Service Class ID List 640attribute has ID 0x0001, and it requires a list of UUIDs as attribute 641value. To create the list, *de_push_sequence* is called, which “opens” 642a sub-DES. The returned pointer is used to add elements to this sub-DES. 643After adding all UUIDs, the sub-DES is “closed” with 644*de_pop_sequence*. 645 646To register an SDP record, you call *sdp_register_service* with a pointer to it. 647The SDP record can be stored in FLASH since BTstack only stores the pointer. 648Please note that the buffer needs to persist (e.g. global storage, dynamically 649allocated from the heap or in FLASH) and cannot be used to create another SDP 650record. 651 652### Query remote SDP service {#sec:querySDPProtocols} 653 654BTstack provides an SDP client to query SDP services of a remote device. 655The SDP Client API is shown in [here](appendix/apis/#sec:sdpAPIAppendix). The 656*sdp_client_query* function initiates an L2CAP connection to the 657remote SDP server. Upon connect, a *Service Search Attribute* request 658with a *Service Search Pattern* and a *Attribute ID List* is sent. The 659result of the *Service Search Attribute* query contains a list of 660*Service Records*, and each of them contains the requested attributes. 661These records are handled by the SDP parser. The parser delivers 662SDP_PARSER_ATTRIBUTE_VALUE and SDP_PARSER_COMPLETE events via a 663registered callback. The SDP_PARSER_ATTRIBUTE_VALUE event delivers 664the attribute value byte by byte. 665 666On top of this, you can implement specific SDP queries. For example, 667BTstack provides a query for RFCOMM service name and channel number. 668This information is needed, e.g., if you want to connect to a remote SPP 669service. The query delivers all matching RFCOMM services, including its 670name and the channel number, as well as a query complete event via a 671registered callback, as shown in Listing [below](#lst:SDPClientRFCOMM). 672 673 674~~~~ {#lst:SDPClientRFCOMM .c caption="{Searching RFCOMM services on a remote device.}"} 675 676 bd_addr_t remote = {0x04,0x0C,0xCE,0xE4,0x85,0xD3}; 677 678 void packet_handler (void * connection, uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ 679 if (packet_type != HCI_EVENT_PACKET) return; 680 681 uint8_t event = packet[0]; 682 switch (event) { 683 case BTSTACK_EVENT_STATE: 684 // bt stack activated, get started 685 if (btstack_event_state_get_state(packet) == HCI_STATE_WORKING){ 686 sdp_client_query_rfcomm_channel_and_name_for_uuid(remote, 0x0003); 687 } 688 break; 689 default: 690 break; 691 } 692 } 693 694 static void btstack_setup(){ 695 ... 696 // init L2CAP 697 l2cap_init(); 698 l2cap_register_packet_handler(packet_handler); 699 } 700 701 void handle_query_rfcomm_event(sdp_query_event_t * event, void * context){ 702 sdp_client_query_rfcomm_service_event_t * ve; 703 704 switch (event->type){ 705 case SDP_EVENT_QUERY_RFCOMM_SERVICE: 706 ve = (sdp_client_query_rfcomm_service_event_t*) event; 707 printf("Service name: '%s', RFCOMM port %u\n", ve->service_name, ve->channel_nr); 708 break; 709 case SDP_EVENT_QUERY_COMPLETE: 710 report_found_services(); 711 printf("Client query response done with status %d. \n", ce->status); 712 break; 713 } 714 } 715 716 int main(void){ 717 hw_setup(); 718 btstack_setup(); 719 720 // register callback to receive matching RFCOMM Services and 721 // query complete event 722 sdp_client_query_rfcomm_register_callback(handle_query_rfcomm_event, NULL); 723 724 // turn on! 725 hci_power_control(HCI_POWER_ON); 726 // go! 727 btstack_run_loop_execute(); 728 return 0; 729 } 730~~~~ 731 732## BNEP - Bluetooth Network Encapsulation Protocol 733 734The BNEP protocol is used to transport control and data packets over 735standard network protocols such as TCP, IPv4 or IPv6. It is built on top 736of L2CAP, and it specifies a minimum L2CAP MTU of 1691 bytes. 737 738### Receive BNEP events 739 740To receive BNEP events, please register a packet handler with 741*bnep_register_packet_handler*. 742 743### Access a BNEP service on a remote device {#sec:bnepClientProtocols} 744 745To connect to a remote BNEP service, you need to know its UUID. The set 746of available UUIDs can be queried by a SDP query for the PAN profile. 747Please see section on [PAN profile](profiles/#sec:panProfiles) for details. 748With the remote UUID, you can create a connection using the *bnep_connect* 749function. You’ll receive a *BNEP_EVENT_CHANNEL_OPENED* on success or 750failure. 751 752After the connection was opened successfully, you can send and receive 753Ethernet packets. Before sending an Ethernet frame with *bnep_send*, 754*bnep_can_send_packet_now* needs to return true. Ethernet frames 755are received via the registered packet handler with packet type 756*BNEP_DATA_PACKET*. 757 758BTstack BNEP implementation supports both network protocol filter and 759multicast filters with *bnep_set_net_type_filter* and 760*bnep_set_multicast_filter* respectively. 761 762Finally, to close a BNEP connection, you can call *bnep_disconnect*. 763 764### Provide BNEP service {#sec:bnepServiceProtocols} 765 766To provide a BNEP service, call *bnep_register_service* with the 767provided service UUID and a max frame size. 768 769A *BNEP_EVENT_INCOMING_CONNECTION* event will mark that an incoming 770connection is established. At this point you can start sending and 771receiving Ethernet packets as described in the previous section. 772 773### Sending Ethernet packets 774 775Similar to L2CAP and RFOMM, directly sending an Ethernet packet via BNEP might fail, 776if the outgoing packet buffer or the ACL buffers in the Bluetooth module are full. 777 778When there's a need to send an Ethernet packet, call *bnep_request_can_send_now* 779and send the packet when the BNEP_EVENT_CAN_SEND_NOW event 780gets received. 781 782 783## ATT - Attribute Protocol 784 785The ATT protocol is used by an ATT client to read and write attribute 786values stored on an ATT server. In addition, the ATT server can notify 787the client about attribute value changes. An attribute has a handle, a 788type, and a set of properties. 789 790The Generic Attribute (GATT) profile is built upon ATT and provides 791higher level organization of the ATT attributes into GATT Services and 792GATT Characteristics. In BTstack, the complete ATT client functionality 793is included within the GATT Client. See [GATT client](profiles/#sec:GATTClientProfiles) for more. 794 795On the server side, one ore more GATT profiles are converted ahead of time 796into the corresponding ATT attribute database and provided by the *att_server* 797implementation. The constant data are automatically served by the ATT server upon client 798request. To receive the dynamic data, such is characteristic value, the 799application needs to register read and/or write callback. In addition, 800notifications and indications can be sent. Please see Section on 801[GATT server](profiles/#sec:GATTServerProfile) for more. 802 803## SMP - Security Manager Protocol {#sec:smpProtocols} 804 805The SMP protocol allows to setup authenticated and encrypted LE 806connection. After initialization and configuration, SMP handles security 807related functions on its own but emits events when feedback from the 808main app or the user is required. The two main tasks of the SMP protocol 809are: bonding and identity resolving. 810 811### LE Legacy Pairing and LE Secure Connections 812 813The original pairing algorithm introduced in Bluetooth Core V4.0 does not 814provide security in case of an attacker present during the initial pairing. 815To fix this, the Bluetooth Core V4.2 specification introduced the new 816*LE Secure Connections* method, while referring to the original method as *LE Legacy Pairing*. 817 818BTstack supports both pairing methods. To enable the more secure LE Secure Connections method, 819*ENABLE_LE_SECURE_CONNECTIONS* needs to be defined in *btstack_config.h*. 820 821LE Secure Connections are based on Elliptic Curve Diffie-Hellman (ECDH) algorithm for the key exchange. 822On start, a new public/private key pair is generated. During pairing, the 823Long Term Key (LTK) is generated based on the local keypair and the remote public key. 824To facilitate the creation of such a keypairs and the calculation of the LTK, 825the Bluetooth Core V4.2 specification introduced appropriate commands for the Bluetooth controller. 826 827As an alternative for controllers that don't provide these primitives, BTstack provides the relevant cryptographic functions in software via the BSD-2-Clause licensed [micro-ecc library](https://github.com/kmackay/micro-ecc/tree/static). 828When using using LE Secure Connections, the Peripheral must store LTK in non-volatile memory. 829 830To only allow LE Secure Connections, you can call *sm_set_secure_connections_only_mode(true)*. 831 832 833### Initialization 834 835To activate the security manager, call *sm_init()*. 836 837If you’re creating a product, you should also call *sm_set_ir()* and 838*sm_set_er()* with a fixed random 16 byte number to create the IR and 839ER key seeds. If possible use a unique random number per device instead 840of deriving it from the product serial number or something similar. The 841encryption key generated by the BLE peripheral will be ultimately 842derived from the ER key seed. See 843[Bluetooth Specification](https://www.bluetooth.org/Technical/Specifications/adopted.htm) - 844Bluetooth Core V4.0, Vol 3, Part G, 5.2.2 for more details on deriving 845the different keys. The IR key is used to identify a device if private, 846resolvable Bluetooth addresses are used. 847 848 849### Configuration 850 851To receive events from the Security Manager, a callback is necessary. 852How to register this packet handler depends on your application 853configuration. 854 855When *att_server* is used to provide a GATT/ATT service, *att_server* 856registers itself as the Security Manager packet handler. Security 857Manager events are then received by the application via the 858*att_server* packet handler. 859 860If *att_server* is not used, you can directly register your packet 861handler with the security manager by calling 862*sm_register_packet_handler*. 863 864The default SMP configuration in BTstack is to be as open as possible: 865 866- accept all Short Term Key (STK) Generation methods, 867 868- accept encryption key size from 7..16 bytes, 869 870- expect no authentication requirements, 871 872- don't require LE Secure Connections, and 873 874- IO Capabilities set to *IO_CAPABILITY_NO_INPUT_NO_OUTPUT*. 875 876You can configure these items by calling following functions 877respectively: 878 879- *sm_set_accepted_stk_generation_methods* 880 881- *sm_set_encryption_key_size_range* 882 883- *sm_set_authentication_requirements* : add SM_AUTHREQ_SECURE_CONNECTION flag to enable LE Secure Connections 884 885- *sm_set_io_capabilities* 886 887 888### Identity Resolving 889 890Identity resolving is the process of matching a private, resolvable 891Bluetooth address to a previously paired device using its Identity 892Resolving (IR) key. After an LE connection gets established, BTstack 893automatically tries to resolve the address of this device. During this 894lookup, BTstack will emit the following events: 895 896- *SM_EVENT_IDENTITY_RESOLVING_STARTED* to mark the start of a lookup, 897 898and later: 899 900- *SM_EVENT_IDENTITY_RESOLVING_SUCCEEDED* on lookup success, or 901 902- *SM_EVENT_IDENTITY_RESOLVING_FAILED* on lookup failure. 903 904 905### User interaction during Pairing 906 907BTstack will inform the app about pairing via theses events: 908 909 - *SM_EVENT_PAIRING_STARTED*: inform user that pairing has started 910 - *SM_EVENT_PAIRING_COMPLETE*: inform user that pairing is complete, see status 911 912Depending on the authentication requirements, IO capabilities, 913available OOB data, and the enabled STK generation methods, 914BTstack will request feedback from 915the app in the form of an event: 916 917 - *SM_EVENT_JUST_WORKS_REQUEST*: request a user to accept a Just Works pairing 918 - *SM_EVENT_PASSKEY_INPUT_NUMBER*: request user to input a passkey 919 - *SM_EVENT_PASSKEY_DISPLAY_NUMBER*: show a passkey to the user 920 - *SM_EVENT_PASSKEY_DISPLAY_CANCEL*: cancel show passkey to user 921 - *SM_EVENT_NUMERIC_COMPARISON_REQUEST*: show a passkey to the user and request confirmation 922 923To accept Just Works/Numeric Comparison, or provide a Passkey, *sm_just_works_confirm* or *sm_passkey_input* can be called respectively. 924Othwerise, *sm_bonding_decline* aborts the pairing. 925 926After the bonding process, *SM_EVENT_PAIRING_COMPLETE*, is emitted. Any active dialog can be closed on this. 927 928### Connection with Bonded Devices 929 930During pairing, two devices exchange bonding information, notably a Long-Term Key (LTK) and their respective Identity Resolving Key (IRK). 931On a subsequent connection, the Securit Manager will use this information to establish an encrypted connection. 932 933To inform about this, the following events are emitted: 934 935 - *SM_EVENT_REENCRYPTION_STARTED*: we have stored bonding information and either trigger encryption (as Central), or, sent a security request (as Peripheral). 936 - *SM_EVENT_REENCRYPTION_COMPLETE*: re-encryption is complete. If the remote device does not have a stored LTK, the status code will be *ERROR_CODE_PIN_OR_KEY_MISSING*. 937 938The *SM_EVENT_REENCRYPTION_COMPLETE* with *ERROR_CODE_PIN_OR_KEY_MISSING* can be caused: 939 940 - if the remote device was reset or the bonding was removed, or, 941 - we're connected to an attacker that uses the Bluetooth address of a bonded device. 942 943In Peripheral role, pairing will start even in case of an re-encryption error. It might be helpful to inform the user about the lost bonding or reject it right away due to security considerations. 944 945 946### Keypress Notifications 947 948As part of Bluetooth Core V4.2 specification, a device with a keyboard but no display can send keypress notifications to provide better user feedback. In BTstack, the *sm_keypress_notification()* function is used for sending notifications. Notifications are received by BTstack via the *SM_EVENT_KEYPRESS_NOTIFICATION* event. 949 950### Cross-transport Key Derivation (CTKD) for LE Secure Connections 951 952In a dual-mode configuration, BTstack generates an BR/EDR Link Key from the LE LTK via the Link Key Conversion functions *h6* , 953(or *h7* if supported) when *ENABLE_CROSS_TRANSPORT_KEY_DERIVATION* is defined. 954The derived key then stored in local LE Device DB. 955 956The main use case for this is connections with smartphones. E.g. iOS provides APIs for LE scanning and connection, but none for BR/EDR. This allows an application to connect and pair with 957a device and also later setup a BR/EDR connection without the need for the smartphone user to use the system Settings menu. 958 959To derive an LE LTK from a BR/EDR link key, the Bluetooth controller needs to support Secure Connections via NIST P-256 elliptic curves. BTstack does not support LE Secure Connections via LE Transport currently. 960 961### Out-of-Band Data with LE Legacy Pairing 962 963LE Legacy Pairing can be made secure by providing a way for both devices 964to acquire a pre-shared secret 16 byte key by some fancy method. 965In most cases, this is not an option, especially since popular OS like iOS 966don’t provide a way to specify it. In some applications, where both 967sides of a Bluetooth link are developed together, this could provide a 968viable option. 969 970To provide OOB data, you can register an OOB data callback with 971*sm_register_oob_data_callback*. 972
