Bluetooth 5 Advertising Extensions demo using Nordic nRF52840

Nordic nRF52840 supports Bluetooth 5 Advertising Extensions but finding working example is not easy. In the whole nRF5_SDK_17.0.0 there is only one example project that is using Bluetooth 5 Advertising Extensions. It is located in 
examples\ble_peripheral\ble_app_rscs 
and is named "nRF Running Speed and Cadence Sensor Example Application".

I have found it by greping the source for:
init.config.ble_adv_extended_enabled
There is no hex file provided so you must compile it. You can do it using Segger Embedded Studio for ARM using supplied project file, or using a method that suits you best. After complication flash the nRF52840-DK board with the compiled hex file.

To check the advertising of the nRF52840-DK board running hte application, I have used a mobile phone that supports Bluetooth 5 Advertising Extensions. It was a Samsung S10e mobile phone running Android 10. To scan I have used the nRF Connect for Mobile app. Here are two screenshots from the app showing the result.

Device information screen

Scanning Advertising Extensions packets


Android mobile phones can provide HCI logs of the communication between Host and Controller. The log file is usually named btsnoop_hci.log. In older phones obtaining such log file was much easier than in Samsung S10e. Here are the steps I have used to get the HCI log:
  1. Turn on "Developer Options" by clicking 7 times on "Settings"->"About phone"->"Software information"->"Build number".
  2. Turn on Bluetooth.
  3. Set "Settings"->"Developer options" -> "Enable Bluetooth HCI snoop log" to "Enable".
  4. Turn off Bluetooth.
  5. Turn on Bluetooth.
  6.  Restart mobile phone.
  7. Scan for Bluetooth 5 Advertising Extensions packets using nRFConnect app.
  8. Obtain btsnoop_hci.log using Android Debug Bridge (adb) tool. I have used platform-tools_r30.0.3-windows.zip archive. The steps to obtain btsnoop_hci.log:
    1. Enable "Settings"->"Developer options" -> "USB Debugging"
    2. Authorize your computer to use USB debugging by clicking "Allow" pop-up window on the mobile phone. You can check the result of this step by running: adb devices
    3. Run: adb shell dumpsys bluetooth_manager
    4. Run: adb bugreport
    5. The last command creates a zip file named "dumpstate.zip" (size 15M in my case)
    6. Extract btsnoop_hci.log from dumpstate.zip from dumpstate.zip\FS\data\log\bt path.
It took me a quite long time to figure it out, and I am not sure is step 6 or 8.3 is needed.

You can open the btsnoop_hci.log in Wireshark and examine the HCI commands that give the result displayed by nRFConnect app. Here is tshark output from the relevant packet from my scan:
tshark.exe -V -r "btsnoop_hci.log" "frame.number >= 865 && frame.number <= 867"
And the output:
Frame 865: 10 bytes on wire (80 bits), 10 bytes captured (80 bits)
    Encapsulation type: Bluetooth H4 with linux header (99)
    Arrival Time: Jul  7, 2020 23:33:47.464727000 Central European Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1594157627.464727000 seconds
    [Time delta from previous captured frame: 0.000091000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 1218.489455000 seconds]
    Frame Number: 865
    Frame Length: 10 bytes (80 bits)
    Capture Length: 10 bytes (80 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    Point-to-Point Direction: Sent (0)
    [Protocols in frame: bluetooth:hci_h4:bthci_cmd]
Bluetooth
Bluetooth HCI H4
    [Direction: Sent (0x00)]
    HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - LE Set Extended Scan Enable
    Command Opcode: LE Set Extended Scan Enable (0x2042)
        0010 00.. .... .... = Opcode Group Field: LE Controller Commands (0x08)
        .... ..00 0100 0010 = Opcode Command Field: LE Set Extended Scan Enable (0x042)
    Parameter Total Length: 6
    Scan Enable: true (0x01)
    Filter Duplicates: false (0x00)
    Duration: 0 (0 msec)
    Period: 0 (0 sec)

Frame 866: 7 bytes on wire (56 bits), 7 bytes captured (56 bits)
    Encapsulation type: Bluetooth H4 with linux header (99)
    Arrival Time: Jul  7, 2020 23:33:47.465579000 Central European Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1594157627.465579000 seconds
    [Time delta from previous captured frame: 0.000852000 seconds]
    [Time delta from previous displayed frame: 0.000852000 seconds]
    [Time since reference or first frame: 1218.490307000 seconds]
    Frame Number: 866
    Frame Length: 7 bytes (56 bits)
    Capture Length: 7 bytes (56 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    Point-to-Point Direction: Received (1)
    [Protocols in frame: bluetooth:hci_h4:bthci_evt]
Bluetooth
Bluetooth HCI H4
    [Direction: Rcvd (0x01)]
    HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
    Event Code: Command Complete (0x0e)
    Parameter Total Length: 4
    Number of Allowed Command Packets: 1
    Command Opcode: LE Set Extended Scan Enable (0x2042)
        0010 00.. .... .... = Opcode Group Field: LE Controller Commands (0x08)
        .... ..00 0100 0010 = Opcode Command Field: LE Set Extended Scan Enable (0x042)
    Status: Success (0x00)
    [Command in frame: 865]
    [Command-Response Delta: 0.852ms]

Frame 867: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
    Encapsulation type: Bluetooth H4 with linux header (99)
    Arrival Time: Jul  7, 2020 23:33:47.477848000 Central European Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1594157627.477848000 seconds
    [Time delta from previous captured frame: 0.012269000 seconds]
    [Time delta from previous displayed frame: 0.012269000 seconds]
    [Time since reference or first frame: 1218.502576000 seconds]
    Frame Number: 867
    Frame Length: 102 bytes (816 bits)
    Capture Length: 102 bytes (816 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    Point-to-Point Direction: Received (1)
    [Protocols in frame: bluetooth:hci_h4:bthci_evt:btcommon]
Bluetooth
Bluetooth HCI H4
    [Direction: Rcvd (0x01)]
    HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - LE Meta
    Event Code: LE Meta (0x3e)
    Parameter Total Length: 99
    Sub Event: LE Extended Advertising Report (0x0d)
    Num Reports: 1
    Event Type: 0x0001, Connectable, Data Status: Complete
        .... .... .... ...1 = Connectable: True
        .... .... .... ..0. = Scannable: False
        .... .... .... .0.. = Directed: False
        .... .... .... 0... = Scan Response: False
        .... .... ...0 .... = Legacy: False
        .... .... .00. .... = Data Status: Complete (0x0)
        0000 0000 0... .... = Reserved: 0x000
    Peer Address Type: Random Device Address (0x01)
    BD_ADDR: cf:36:cd:43:d9:2b (cf:36:cd:43:d9:2b)
    Primary PHY: LE 1M (0x01)
    Secondary PHY: LE 2M (0x02)
    Advertising SID: 0x00
    TX Power: 127 dBm (not available)
    RSSI: -55 dBm
    Periodic Advertising Interval: 0x0000 (no periodic advertising)
    Direct Address Type: Public Device Address (0x00)
    Direct BD_ADDR: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Data Length: 73
    Advertising Data
        Appearance: Generic: Running Walking Sensor
            Length: 3
            Type: Appearance (0x19)
            Appearance: Generic: Running Walking Sensor (0x0440)
        Flags
            Length: 2
            Type: Flags (0x01)
            000. .... = Reserved: 0x0
            ...0 .... = Simultaneous LE and BR/EDR to Same Device Capable (Host): false (0x0)
            .... 0... = Simultaneous LE and BR/EDR to Same Device Capable (Controller): false (0x0)
            .... .1.. = BR/EDR Not Supported: true (0x1)
            .... ..1. = LE General Discoverable Mode: true (0x1)
            .... ...0 = LE Limited Discoverable Mode: false (0x0)
        16-bit Service Class UUIDs
            Length: 7
            Type: 16-bit Service Class UUIDs (0x03)
            UUID 16: Running Speed and Cadence (0x1814)
            UUID 16: Battery Service (0x180f)
            UUID 16: Device Information (0x180a)
        Device Name: nRF Running Speed and Cadence Sensor Example Application
            Length: 57
            Type: Device Name (0x09)
            Device Name: nRF Running Speed and Cadence Sensor Example Application
The frame 865 is a LE Set Extended Scan Enable command, the frame 866 is Command Complete event acknowledging successful command execution, and finally frame 867 is a LE Meta event with a LE Extended Advertising Report subevent.

Comments

Post a Comment

Popular posts from this blog

Using text2pcap tool

The text2pcap  tool is allowing you to create PCAP filed from text files. Here is a simple example how to convert a text file containing three Bluetooth 5 Advertising Extension packets into PCAP file. sample.txt # ADV_EXT_IND 0.0 0000 00 c1 80 00 d6 be 89 8e 13 0c d6 be 89 8e 47 0d 0010 0c 19 ec f1 95 13 df 41 b2 17 0c c3 1e 00 00 00 # ADV_AUX_IND 0.236250 0000 0e c3 80 00 d6 be 89 8e 13 0c d6 be 89 8e 47 ff 0010 06 18 b2 17 0d 53 00 5d 16 45 23 11 22 33 44 55 0020 66 77 88 99 00 11 22 33 44 55 66 77 88 99 00 11 0030 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 0040 88 99 00 11 22 33 44 55 66 77 88 99 00 11 22 33 0050 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99 0060 00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 0070 66 77 88 99 00 5d 16 56 34 11 22 33 44 55 66 77 0080 88 99 00 11 22 33 44 55 66 77 88 99 00 11 22 33 0090 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99 00a0 00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 00b0 ...
Read more

Pcap files and sed

Tshark can produce output that is suitable for text2pcap tool. Here is an example how to format tshark output using sed and preserve packet arrival time. tshark.exe -r test.pcap -V -x -Y "frame.number <= 1" -T text | sed -n -e "/^\( Arrival Time\)\|^\(00\)/p" | sed -e "s/^ Arrival Time\: \([a-zA-Z]\{3\}[0-9\,\.\:\ ]\{5\}\)\([0-9\,\.\:\ ]*\).*/\n\1_\2/" The output: Jan 4, _2021 15:21:00.327645000 0000 00 06 33 01 23 67 06 0a 00 25 a8 82 69 00 00 07 ..3.#g...%..i... 0010 f7 8e 89 be d6 40 20 ee be af 26 64 a1 02 01 16 .....@ ...&d.... 0020 1a 7f 4c 00 02 15 b9 40 7f 30 f5 f8 46 6e af f9 ..L....@.0..Fn.. 0030 25 55 6b 57 fe 2d 64 85 f5 64                   %UkW.-d..d Note that year must be prefixed with _ to allow proper interpretation by text2pcap tool: text2pcap -t "%b %d, _%Y %H:%M:%S." - test_pext2pcap.pcap -l 272 Now we can use sed to manipulate packet contents between tshark and text2pcap: tshark ... | sed ... ...
Read more