Bluetooth Active Scanning Example
In my last post, Understanding Bluetooth Advertising Packets, I reviewed and consolidated some key elements of the advertising packet format and data structures from the Bluetooth Core 4.1 Specification. In this post, I'll walk through some captured packets and relate the specific fields to the spec.
The following packet sequence is between a Fitbit Flex (advertiser) and BlueScan (scanner) on channel 37, captured with an Ubertooth Bluetooth packet sniffer using this command:
The three packets below show a complete active scan cycle. The advertiser (Fitbit) sends out an ADV_IND advertisement, the BlueScan Android app answers with a SCAN_REQ asking for additional data, and the Fitbit replies with a SCAN_RSP.
Fitbit advertisement (ADV_IND):
Below is the first packet captured with Ubertooth:
systime=1401827476 freq=2402 addr=8e89bed6 delta_t=673.874 ms
40 21 eb 12 e6 2d bb f5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e ca 36 ab ad 05 16 0a 18 07 04 69 6e 34
Advertising / AA 8e89bed6 / 33 bytes
    Channel Index: 37
    Type:  ADV_IND
    AdvA:  f5:bb:2d:e6:12:eb (random)
    AdvData: 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e ca 36 ab ad 05 16 0a 18 07 04
        Type 01 (Flags)
           00000110
        Type 06 (128-bit Service UUIDs, more available)
           adab36ca-6e7d-4601-bda2-bffaa68956ba
        Type 16 (Service Data)
           UUID: 180a, Additional: 07 04

    Data:  eb 12 e6 2d bb f5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e ca 36 ab ad 05 16 0a 18 07 04
    CRC:   69 6e 34
Some items of note:
- The Access Address (AA) is 0x8e89bed6. This fixed value is used by every packet on the advertising channels; packets on the data channels instead carry a per-connection Access Address, a random value chosen by the initiator when it sets up the Link Layer connection.
- It's on channel 37, one of the three dedicated advertising channels (37, 38 and 39) among the 40 channels BLE uses in the 2.4 GHz band.
- The packet's PDU type is ADV_IND, a connectable undirected advertising event, which means:
  - connectable: a scanner (acting as initiator) can send a CONNECT_REQ to start a connection after seeing this event.
  - scannable: a scanner can issue a SCAN_REQ upon seeing one of these, which is exactly what happens next.
  - undirected: it is broadcast to anyone listening; no target Bluetooth address is specified.
  - payload: the PDU carries AdvData (here Flags, a 128-bit service UUID and Service Data), whereas a directed advertisement (ADV_DIRECT_IND) carries only the advertiser's and the initiator's addresses and no user data.
BlueScan response (SCAN_REQ):
In response to the previous packet, BlueScan sent this:
systime=1401827476 freq=2402 addr=8e89bed6 delta_t=0.336 ms
83 0c 55 87 45 0b 22 ac eb 12 e6 2d bb f5 cc 1c fd
Advertising / AA 8e89bed6 / 12 bytes
    Channel Index: 37
    Type:  SCAN_REQ
    ScanA: ac:22:0b:45:87:55 (public)
    AdvA:  f5:bb:2d:e6:12:eb (random)

    Data:  55 87 45 0b 22 ac eb 12 e6 2d bb f5
    CRC:   cc 1c fd
Some items to note:
- This packet again uses the advertising channel (37) and the advertising Access Address (0x8e89bed6).
- The PDU type is SCAN_REQ.
- ScanA is the BD_ADDR (Bluetooth device address) of the scanner, the Android device running BlueScan, and is flagged as public. AdvA repeats the advertiser's random address from the ADV_IND; that is how the Fitbit knows the request is addressed to it and not to another advertiser on the channel.
Fitbit response (SCAN_RSP):
Finally, the Fitbit responds with this:
systime=1401827476 freq=2402 addr=8e89bed6 delta_t=0.326 ms
44 0f eb 12 e6 2d bb f5 05 09 46 6c 65 78 02 0a fa b6 c4 52
Advertising / AA 8e89bed6 / 15 bytes
    Channel Index: 37
    Type:  SCAN_RSP
    AdvA:  f5:bb:2d:e6:12:eb (random)
    ScanRspData: 05 09 46 6c 65 78 02 0a fa
        Type 09 (Complete Local Name)
           Flex
        Type 0a (Tx Power Level)
           -6 dBm

    Data:  eb 12 e6 2d bb f5 05 09 46 6c 65 78 02 0a fa
    CRC:   b6 c4 52
- AD types 0x09 and 0x0a are assigned numbers from the Bluetooth SIG Generic Access Profile list, which is how Ubertooth labels them 'Complete Local Name' and 'Tx Power Level' respectively. The name bytes 46 6c 65 78 spell "Flex", and the Tx Power byte is a signed value, so 0xfa decodes to -6 dBm.
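To tie the three captures back to the spec in code, here is an added example parser for advertising-channel PDUs. It is not code from the original post, from Ubertooth or from libbtbb: it splits the header, addresses and AD structures the way the Ubertooth output does, decodes the AD types that appear in these packets, and checks that the ADV_IND, SCAN_REQ and SCAN_RSP really form one active-scan cycle addressed to the same advertiser. The field layout and PDU type values follow Core Spec 4.1 Vol 6 Part B; the function and class names (`parse_pdu`, `AdvPdu`, `is_complete_scan`) are my own. The byte strings in `CAPTURES` are copied from the raw byte lines of the three captures above; the trailing CRC bytes are split off but not verified here.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import Optional

ADV_ACCESS_ADDRESS = 0x8E89BED6  # fixed Access Address of every advertising-channel PDU

# PDU type field (header bits 0-3), Core Spec 4.1 Vol 6 Part B 2.3
PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
             0x3: "SCAN_REQ", 0x4: "SCAN_RSP", 0x5: "CONNECT_REQ", 0x6: "ADV_SCAN_IND"}
SCANNABLE = {"ADV_IND", "ADV_SCAN_IND"}  # the only PDU types a scanner may answer with SCAN_REQ
FLAG_BITS = ["LE Limited Discoverable", "LE General Discoverable", "BR/EDR Not Supported",
             "Simultaneous LE+BR/EDR (Controller)", "Simultaneous LE+BR/EDR (Host)"]

# Raw bytes (header | payload | CRC) copied from the three Ubertooth captures in this post
CAPTURES = {
    "ADV_IND": "40 21 eb 12 e6 2d bb f5 02 01 06 11 06 ba 56 89 a6 fa bf a2 bd 01 46 7d 6e ca 36 ab ad 05 16 0a 18 07 04 69 6e 34",
    "SCAN_REQ": "83 0c 55 87 45 0b 22 ac eb 12 e6 2d bb f5 cc 1c fd",
    "SCAN_RSP": "44 0f eb 12 e6 2d bb f5 05 09 46 6c 65 78 02 0a fa b6 c4 52",
}


def bd_addr(raw: bytes) -> str:
    """Six little-endian address bytes -> 'f5:bb:2d:e6:12:eb', as Ubertooth prints it."""
    return ":".join(f"{b:02x}" for b in reversed(raw))


def ad_structures(data: bytes) -> list:
    """Split AdvData/ScanRspData into (ad_type, value) pairs; each structure is [len][type][value]."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:                      # zero-length structure is padding: stop
            break
        if i + 1 + length > len(data):
            raise ValueError("AD structure runs past the end of the data")
        out.append((data[i + 1], bytes(data[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def decode_ad(ad_type: int, value: bytes):
    """Decode the AD types that occur in these captures; anything else is returned as hex."""
    if ad_type == 0x01:                      # Flags bitfield
        return [name for bit, name in enumerate(FLAG_BITS) if (value[0] >> bit) & 1]
    if ad_type in (0x06, 0x07):              # Incomplete / Complete list of 128-bit UUIDs, LE order
        return [str(uuid.UUID(bytes=bytes(reversed(value[i:i + 16]))))
                for i in range(0, len(value), 16)]
    if ad_type in (0x08, 0x09):              # Shortened / Complete Local Name
        return value.decode("utf-8")
    if ad_type == 0x0A:                      # Tx Power Level, signed dBm
        return struct.unpack("<b", value[:1])[0]
    if ad_type == 0x16:                      # Service Data: 16-bit UUID then service payload
        return (f"{struct.unpack('<H', value[:2])[0]:04x}", value[2:].hex())
    return value.hex()


@dataclass
class AdvPdu:
    pdu_type: str
    adv_a: str
    adv_a_random: bool          # True when the TxAdd/RxAdd bit marks AdvA as a random address
    scan_a: Optional[str]       # only present in SCAN_REQ
    scan_a_random: bool
    ad: dict                    # {ad_type: decoded value}
    crc: bytes


def parse_pdu(hexdump: str) -> AdvPdu:
    """Parse header | payload | CRC exactly as printed on Ubertooth's raw byte line."""
    raw = bytes.fromhex(hexdump)
    header, length = raw[0], raw[1]
    pdu_type = PDU_TYPES[header & 0x0F]          # bits 4-5 RFU, bit 6 TxAdd, bit 7 RxAdd
    tx_add, rx_add = bool(header & 0x40), bool(header & 0x80)
    payload, crc = raw[2:2 + length], raw[2 + length:]
    if len(payload) != length or len(crc) != 3:
        raise ValueError("Length field does not match the captured bytes")
    if pdu_type == "SCAN_REQ":                   # ScanA(6) | AdvA(6); RxAdd describes AdvA
        return AdvPdu(pdu_type, bd_addr(payload[6:12]), rx_add,
                      bd_addr(payload[:6]), tx_add, {}, crc)
    if pdu_type in ("ADV_IND", "ADV_NONCONN_IND", "ADV_SCAN_IND", "SCAN_RSP"):
        ad = {t: decode_ad(t, v) for t, v in ad_structures(payload[6:])}  # AdvA(6) | data
        return AdvPdu(pdu_type, bd_addr(payload[:6]), tx_add, None, False, ad, crc)
    raise NotImplementedError(f"{pdu_type} layout is not handled in this example")


def is_complete_scan(adv: AdvPdu, req: AdvPdu, rsp: AdvPdu) -> bool:
    """True if the three PDUs form one active-scan cycle for the same advertiser."""
    return (adv.pdu_type in SCANNABLE and req.pdu_type == "SCAN_REQ"
            and rsp.pdu_type == "SCAN_RSP"
            and adv.adv_a == req.adv_a == rsp.adv_a
            and adv.adv_a_random == req.adv_a_random == rsp.adv_a_random)


if __name__ == "__main__":
    pdus = {name: parse_pdu(hexdump) for name, hexdump in CAPTURES.items()}
    for name, pdu in pdus.items():
        print(name, pdu)
    print("complete active scan:", is_complete_scan(*pdus.values()))
```

Running it reproduces the Ubertooth breakdown: the ADV_IND flags decode to LE General Discoverable plus BR/EDR Not Supported, the 128-bit UUID comes out as adab36ca-6e7d-4601-bda2-bffaa68956ba once the bytes are reversed, and the SCAN_RSP yields the name "Flex" and -6 dBm. The `is_complete_scan` check is the one to keep at hand when reading longer captures, since a SCAN_REQ whose AdvA does not match the preceding advertisement belongs to a different exchange.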