1. BLE protocol stack framework
The BLE protocol stack consists of two parts, the host (Host) and the controller (Controller). The two communicate with each other through the HCI (Host Controller Interface) standard interface. Commonly used single-chip single-mode BLE chips include TI's CC254X, CC26xx , nordic's NRF51288, dailog's DA14580 , etc. The dual-chip dual-mode BT has TI's CC2564.
NRF52832 Hanging fried god~~~~~
The overall structure of the protocol stack is as follows:
The host is a logical entity, which is defined below the application layer and above the HCI layer (Profile), Generic Access Protocol (GAP), Generic Attribute Protocol (GATT), Attribute Protocol (ATT), Security Management Protocol (SMP), logical chain Road Control Adaptation Layer (L2CAP), HCI driver layers. The controller is also a logical entity that defines the HCI firmware, link layer (LL), and physical layer (PHY) layers below the HCI layer.
1. Physical layer specification (PHY)
In terms of radio frequency, BLE works in the free 2.4GHz ISM (Industrial Scientific Medical) frequency band, and its frequency band is 2400-2483.5MHz. The modulation method of BLE is Gaussian Frequency Shift Keying (GFSK), BT=0.5, while the standard Bluetooth technology is 0.35 , the exponent of 0.5 is close to the Gaussian minimum frequency shift keying (GMSK) scheme, which can reduce the power consumption requirements of wireless devices ( the reasons for this are more complicated ) . The lower modulation index also has two benefits, namely improved coverage and enhanced robustness ; binary "1" and "0" sub-tables indicate positive and negative frequency offsets, when using a spectrum analyzer (N9020A) to test frequency offsets The deviation frequency needs to be known in advance; the transmit power range is between -20dBm and +10dBm (when the antenna gain is 0dBi); when the bit error rate is 0.1%, the receiving sensitivity is less than -70dBm; the communication distance can reach 100m; transmission The rate is 1Mbps; the offset to the center frequency between packets should be less than ±150kHz , including the initial frequency compensation and frequency drift; within a packet, the frequency offset should be less than 150kHz, and the maximum frequency offset rate cannot exceed 400Hz /us, generally required to be within ±20PPM.
Compared to traditional Bluetooth, traditional Bluetooth can enhance the data rate and can support a total air bit rate of 2 or 3Mb/s. These modes are called Basic Rate (BR) and Enhanced Data Rate (EDR), respectively. Two modulation modes are defined. Forced mode, called basic rate, uses a shaped binary FM modulation to minimize transceiver complexity. The optional mode is called Enhanced Data Rate, uses PSK modulation and exists in two variants: π/4-DQPSK and 8DPSK. The symbol rate for all modulation procedures is 1 Ms/s. In terms of total over-the-air data rates, the base rate is 1 Mbps, the enhanced data rate using π/4-DQPSK is 2 Mbps, and the enhanced data rate using 8DPSK is 3 Mbps.
In terms of channel structure, the BLE system uses frequency hopping transceivers to provide multiple frequency hopping sequence carriers to resist interference and attenuation. BLE channel is divided into broadcast channel and data channel, the number is 3 and 37 respectively . The system provides two multiplexing schemes: frequency division multiple access and time division multiple access. In the frequency division multiplexing scheme, the frequency interval between 40 channels is 2MHz, and the center frequency is 2402+k*2MHZ, where k is any integer between 0 and 39, and when k is equal to 0, 12, and 39, the channel is Broadcast channel, other values are data channels; in the time division multiplexing scheme, two devices that are communicating send and receive data in a predetermined time unit by polling . Data transmission is to transmit valid data packets in 37 data transmission channels by means of sampling adaptive frequency hopping. This technology is mainly to prevent problems caused by single channel congestion.
1) Why choose 3 channels as broadcast channels? (2.402GHZ, 2.426GHZ, 2.480GHZ )
When BLE broadcasts, three different frequencies are used for three transmissions to improve robustness. The choice of number 3 is actually a balance between robustness and low power consumption . In BLE, if the number of frequencies is only one, then only this frequency is blocked like other technologies, and the whole system will not work; if there are too many frequencies, such as 16, the device will spend a lot of time for the transmission of broadcast data, Will no longer be an "LE" device. And in the code implemented by the BLE protocol stack, the size of the broadcast data packet also has strict requirements, and the maximum packet length cannot exceed 31. This is to reduce the result of implementing LE in a single transmission process, so the broadcast data packet is as short as possible.
2) Bluetooth device addressing
The Bluetooth device is assigned a unique 48-bit Bluetooth device address (BD_ADDR), which comes from the IEEE Registration Authority.
3) To be added
。。。。。
2. Link Layer Specification (LL)
1) The function of the link layer
链路层使用链路协议来控制网络中设备的状态,并且提供管理下层的服务。低功耗蓝牙设备有五个工作状态,分别是:待机状态、广播状态、扫描状态、初始化状态、和连接状态。链路层控制器一个时刻内只允许设备处于上述5个状态之一。
待机状态:默认状态,不能发送接收任何数据包,任何其他状态都可以直接进入待机状态。
广播状态:广播状态可由待机状态切换进入,设备在3个广播信道发送广播数据包,同时在当前信道监听和回复扫描者可能发送的扫描数据包。处于广播状态下的设备称为广播者。
扫描状态:扫描状态可由待机状态切换进入,设备在3个广播信道监听远程设备发出的广播数据包,同时发送扫描数据包,等待广播者的扫描回复信号。处于扫描状态下的设备称为扫描者。
初始化状态:初始化状态可由待机状态切换进入,设备在广播信道监听回复远程设备的广播数据包,从而发起设备之间的连接。处于初始化状态下的设备称为发起者。
连接状态:连接状态可以从初始化状态和广播状态进入,此时发起者作为主设备,确定传输时隙,广播者作为从设备,双方在数据信道以跳频的方式进行数据传输。
2)链路层数据包结构无论是广播信道或者数据信道,链路层仅仅只有一种数据包结构,格式如下所示。
前导码 (1字节) [LSB] |
接入地址 (4 字节) |
协议数据单元 (2~39 字节) |
循环冗余码校验 (3 字节) |
数据包由前导码,接入地址,协议数据单元和循环冗余码校验四部分组成。由于低功耗蓝牙采用短包技术,数据包的长度范围为80位~376位,可以较大程度降低功耗。下面将对各部分进行详细说明。
前导码:前导码共有1个字节,用于接收机执行频率同步、符号定时判断和自动增益控制。广播信道数据包的前导码固定为10101010b;数据信道数据包根据接入地址首位的不同而不同,若接入地址首位为1,则前导码为01010101b,反之为10101010b。
接入地址:所有广播信道数据包的接入地址都为0x8E89BED6;数据信道中接入地址是在初始化状态下产生,来自连接请求数据包接收到的24位随机数,这个随机数应该确保满足以下条件:
1) 不能超过连续6个1或者0;
2) 不能和广播信道数据包的接入地址一样;
3) 必须2位及以上不同于广播信道数据包接入地址;
4) 不能有相同的4字节;
5) 不能超过24个转折点;
6) 在6位最高位中,至少要有2个转折点。
协议数据单元:大小为2字节~39字节,根据不同数据包类型而不同。
3)广播信道协议数据单元:由包头和有效荷载2部分组成。具体格式如下表所示。
包头(16位) |
有效荷载 |
|||||
PDU类型 |
RFU |
TxAdd |
RxAdd |
Length |
RFU |
(由包头中的长度位标志) |
其中PDU类型如下表所示。
PDU 类型 |
数据包名称 |
0000 |
ADV_IND |
0001 |
ADV_DIRECT_IND |
0010 |
ADV_NONCONN_IND |
0011 |
SCAN_REQ |
0100 |
SCAN_RSP |
0101 |
CONNECT_REQ |
0110 |
ADV_SCAN_IND |
0111-1111 |
Reserved |
4)数据信道协议数据单元:由包头、有效荷载和可选的信息完整性检查(MIC)组成,格式如表2‑5所示。信息完整性检查在没有加密的链路连接,或者加密了但数据协议数据单元长度为0的情况下使用。LL DataPDU 是用来发送L2CAP数据,而LL Control PDU是用来控制连接链路的。
数据信道协议数据单元格式如下表所示
包头(16位) |
有效荷载 |
信息 完整性检 (32 位) |
|||||||
LLID |
NESN |
SN |
MD |
RFU |
Length |
RFU |
LL DATA PDU |
LL Control PDU |
|
CRC:3字节的CRC是根据PDU计算的。如果PDU已加密,则CRC根据加密后的PDU计算。CRC多项式的形式自行百度。对于任一个广播信道PDU,移位寄存器应该预设为0x555555;对于每一个数据信道PDU,移位寄存器的预设值在连接状态时,从连接请求PDU中得出。
3、HCI规范HCI是连接主机和控制器的桥梁,提供主机访问下层协议、硬件和控制寄存器的统一接口。HCI实际为三部分:HCI 固件、HCI驱动和实际物理接口。
HCI固件:HCI固件位于蓝牙控制器中,固件主要内容有:中断向量表、堆栈设计、初始化程序和蓝牙处理程序。HCI固件通过访问控制硬件状态寄存器、控制寄存器、事件寄存器、基带命令和链路管理命令执行HCI命令。蓝牙系统的MCU在蓝牙处理程序控制下,会读取来自上层协议栈的命令,然后根据命令配置基带层的相应寄存器。反之基带层接收到信息后反馈给MCU,MCU通过HCI物理接口递交这些信息至上层协议栈,上层协议栈根据这些信息,再产生新的命令进行处理。
HCI驱动:HCI驱动位于蓝牙主机中,也就是协议结构中HCI软件驱动部分。当某个事件触发时,控制器通过事件方式通知主机,主机则接收该事件的异步通知。当主机发现有事件发生时,它将分析收到的事件包并判断事件类型,做出相应的处理。
实际物理接口:作为HCI接口的实际物理实体,位于HCI固件和HCI驱动的中间层,提供可靠的数据传输。蓝牙控制器与主机可以使用不同的数据传输方式进行通信。不同通信方式的数据格式在实际硬件接口均具有特定的封装格式,但是经过HCI层的封装统一,不同类别的通信方式并不会造成主机接收到的HCI事件异步通知无法相互识别的情况。常用的物理接口有USB、UART和RS232三种。下图表示UART作为HCI接口时,主机与控制器的连接图。
4、其他上层协议规范
1)逻辑链路控制适配层(L2CAP)规范
逻辑链路控制适配层位于主机中,采用了协议复用和数据包分段重组技术,负责向高层协议栈提供面向连接的数据服务。它允许高层协议收发数据长度为64K字节。
协议复用技术:因为基带不能够识别全部高层协议的类型标志,所以位于基带上层的逻辑链路控制适配层必须支持识别不同的高层协议。
分段和重组:由于基带定义的空中数据包大小被限定在一定的范围,所以来自上层的较大数据到达逻辑链路控制适配层后,必须进行重新封包成多个小型基带数据包,以适应空中传输规则。相反的,当基带接收到空中包传输到逻辑链路控制适配层后,需要将数据包重组成一个较大的逻辑链路控制适配层数据包,再传输到上层协议。
2)通用访问协议(GAP)规范
通用访问协议规范表示蓝牙设备基本功能,包括工作模式和访问过程。低功耗蓝牙的工作模式有四种,广播、扫描、周边外设和中心主设备。在指定时间,设备只能处于四种模式之一。访问模式包括设备发现、连接模式、认证、服务发现等。
3)属性协议(ATT)规范
属性协议规范将连接中的设备区分成两种角色,即客户机和服务器。客户机与服务器通过固定逻辑链路控制适配层信道通信。客户机发送指令,请求和确认信息至服务器;服务器发送回复,通知和指示至主机。
4)安全管理协议(SMP)规范
安全管理协议产生加密密钥和识别密钥,同时也管理密钥的存储,负责产生随机的地址并通过地址识别设备。在数据加密和配对的过程中,安全管理协议将密钥发送至控制器。
5)通用属性协议(GATT)规范
通用属性协议用于建立数据传输时常用操作和框架。通用属性协议同属性协议一样分为客户机与服务器两个角色。服务器存储属性协议上传输的数据,并且接收来自属性协议上传的请求、指令和确认信息,处理好请求配置好后,则发送指令和通知至客户机。同时,通用属性协议定义了包含在服务器中的数据,即各式服务、关键词。
四、总结
在BLE协议栈的应用开发过程中,整个协议栈一般有各个半导体公司自己开发好,并封装成特定的demo以后供用户使用。整个代码架构遵循二八原则,协议栈抽象成应用底层框架(Framework),半导体公司完成应用开发的80%,剩下的20%则以回调(callback)和接口的方式供应用开发人员调用以实现具体的功能。
BLE的出现是为了实现连接后的数据通信和控制,其初衷是为了完成较少量的数据通信,侧重于通信控制。所以我们可以理解BLE的协议栈包括两大组成部分:一个是BLE连接;另一个是BLE数据传输。前者即对应GAP(General Access Profile),后者对应GATT(General Attribute Profile)。Profile在蓝牙术语里面对应于特定的应用协议规范(可以自己安装标准规范编写实现特定功能的Profile)。
Framework应该完成应用开发的80%工作,剩下20%则是由各个具体应用的具体场景需求来决定的。例如,蓝牙底层连接时怎么握手,应用开发人员不需要关心吧;GATT的characteristics value值的通信过程,不要关心吧。当蓝牙外设有新的数据要传输给主设备时,只需要调用notify或者indicate接口就可以了,至于底层怎么实现,那是协议栈开发人员的工作!
上述仅仅是做一个简要的概括,关于BLE协议栈实现过程中的很多细节问题都没有涉及到,很多东西都需要研究具体的协议栈代码,关于PDU、MTU、payload以及数据传输耗时、连接间隔、从机延时、IOS端的限制等等会单独写一篇博客。
参考:1)蓝牙技术联盟官网