CONTENTS
• DEFINITION OF BLUETOOTH
• BASIC CONCEPTS
• TECHNOLOGY
• ARCHITECTUREE
• BLUETOOTH RADIO
• BLUETOOTH BASEBAND
• BLUETOOTH SECURITY
• LINK MANAGERR AND CONTROLLER
• LOGICAL LINK AND ADAPTION LAYER
• CONCLUSION
ABSTRACT
Bluetooth is a standard for small form factor, low cost, short-range radio links between mobile pc’s and mobile phones and other portable devices.
It is essentially a protocol for wireless connectivity of diverse set of devices ranging from PDA, mobile phones,laptops to cooking ooven,fridge,thermostat etc. in home-like environment.Bluetooth came out of the womb of Ericsson some-where around late 90’ss.This is the first bib effort by all the major companies of the world to come out with a global standard for wireless connectivity in home-like environment.
The Bluetooth system has both the point-to-point connection or a point-to-multipoint connection.In point-to-multipoint connection,the channel is shared among several bluetooth units.The Bluetooth system consist of a radio unit,a link control unit and a support unit for link cmanagement and host terminal interface functions.Bluetooth radio operates in the 2.4GIIZ ISM(Industry,scienceand medicine)band.The range of Bluetooth ragdio is anywhere from10m.(hone) to 100m.(Airport Lounge)depending on the power of the transmitter at the antenna.
Bluetooth radio is an integral part of a Bluetooth device as it provides an electrical interface for transfer of packets on a modulated carrier frequency using wireless bearer services(CDMA,GSM,DECT).
Baseband is the physical layer of the Bluetooth which manages physical channels and links apart from other services like error correction,data whitening,hop selection and Bluetooth security.
Baseband lies on top of Bluetooth radio in Bluetooth stack and essentially acts as a link controller and works with link manager for carrying out link level routines like link connection and power control.
Link manager is used for managing the security, link set-up and control. it talks to the other link manager to exchange information and control messages through the link controller using some predefined link-level commands.:L2 CAP provides connection-oriented and connectionless data services to upper layer protocols with protocol multiplexing capability, segmentation and reassembly operation, and group abstractions.
Segmentation and reassembly (SAR) operation are used to improve efficiency by supporting a maximum transmission unit(MTU) size larger than the largest Base band packet.This reduces the overhead by spreading the network and transport packets used by higher layer protocols over the overhead by spreading the network and transport packets used by higher layer protocols over the several base band packets.
Thus Bluetooth proves to be a wave of the future in providing ubiquitous connectivity to devices. Yet it is in its stage of infancy and has to evolve a lot before being commercially deployed.
What is Bluetooth?
Bluetooth is a standard for small form factor, low cost, short-range radio links between mobile pc’s and mobile phones and other portable devices.It is essentially a protocol for wireless connectivity of diverse set of devices ranging from PDA, mobile phones,laptops to cooking ooven,fridge,thermostat etc. in home-like environment.
Bluetooth came out of the womb of Ericsson some-where around late 90’s and is currently led by the Promoter Group of Bluetooth SIG comprising of Ericsson,Nokia,IBBMM,Ttoshiba.Intel,3Com,Motorola ,Lucent technologies and Microsoft.Currently Bluetooth SIG has more than 1400 members and is one of the fastest growing SIG.This is the first big effort by all the major companies of the world to come out with a global standard for wireless connectivity in home-like environment after previous mess of first and second generation in cellular communication.
BLUETOOTH BASICS:
Piconet:-
Devices connected in an ad hoc fashion,that is ,not requiring predefinition and planning,as with a standard network.Two to eight devices and be networked into a piconet.It is peer network,that is once connected,each device has equal access to the others.However,one device is defined as master,and the others as slaves.
Scatternet:-
Several piconets may form a larger scatter net,with each piconet maintaining independence.
Master unit:-
The master in a piconet whose clock and hopping sequence synchronizes the other devices.
Slave unit:-
Devices in a piconet that are not the master.
Scatternet
Piconet
MAC address:-
Three bit address that distinguishes each unit inn piconet.
Parked units:-
Piconet devices that are synchronized but don’t have MAC address.
Sniff and hold mode:-
Power saving mode of a piconet device.
TECHNOLOGY:-
The Bluetooth system has both the point-to-point connection or a point-to-multipoint connection. In point-to-multipoint connection, the channel is shared among several blue tooth units.
The Bluetooth system consists of a radio unit,a link control unit and a support unit for link management and host terminal interface functions. Bluetooth radio operates in the 2.4 GIIZ ISM(Industry,scienceand medicine)band.The range of the Blue tooth radio is anywhere from 10m.(hone) to 100m.(airport lounge) depending on the power of the transmitter at the antenna. Depending on the class of the device,a Bluetooth radio can transmit upto 100mW(20 dBM)to minimum of 1mW(0dBM)of power.It used frequency hopping for low interference and fading,used TDD(Time-Division Duplex)scheme for full duplex transmission and transmits using GFSK(Gaussian Frequency shift keying)modulation.
Bluetooth protocol used a combination of circuit and packet switching.The channel is slotted and slots can be reserved for synchronous packets. Bluetooth protocol stack can support an asynchronous connection-less(ACL)link for data and upto three simultaneous synchronous connection-oriented(SCO)link for voice or a combination of asynchronous data and synchronous(DV packet type). Each voice channel support maximum of 723.2 kb/s uplink and 57.6kb/s downlink(or vice versa) or 433.9kb/s symmetric links.
ARCHITECTURE:-
The stack primarily has a baseband for physical layer and link manager and controller for link layer. The upper layer interface depends on how these two layers are implemented and used with applications. The stack is shown below:
Bluetooth Stack
Applications
JINI WAP
SDP TCP/P RECOMM
Link Manager
ACL SCO
Baseband
Bluetooth Radio
The stack primarily contains a physical level protocol(base band) and a link level protocol(LMP)with a adaptation layer(L2CAP)for upper layer protocols to interact with Bluetooth stack.
BLUETOOTH RADIO
Radio archietecture
Blue tooth radio is an integral part of a Bluetooth device as it provides an electrical interface for transfer of packets on a modulated carrier frequency using wireless bearer services(CDMA,GSM,DECT). The radio operates in the 2.4 GHz ISN(Industrial Scientific Medicine) band which requires a very small and efficient antenna(smart antenna),a good RF frontend(LNA,Up-converter,down-converter)on chip,power controller,GFSK modulator and a transmit/receive switch for it work as a transceiver.
Below we discuss radio archietecture in reference to Bluetooth modem and controller developed by silicon wave.com on two separate chips using high performance silicon-on-insulator(SOI)BICMOS process.
Bluetooth radio modern IC:-
The radio modem performs the GFSK modulation and demodulation symbol and frame timing recovery. The modem also contains a fully integrated radio transceiver and frequency hopping synthesizers on a single chip.This radio essentially looks like below:
Bluetooth Radio Modem
Antenna
Bluetooth controller IC:
The controller implements the base band protocol and fuctions.On the receiver side it performs error detection and de-scrambling.The link controller hardware implements the basic repetitive actions of paging,inquiry,page and inquiry scans etc.It also provides a USB and audio CODEC interface to the host system.the controller is shown below :
FFC De- Whiten Decrypt Rx Buffers USB Audio
Link Controller
FFC Whiten Encrypt Tx Buffers
Radio Modem Interface
Radio bands and channels:-
As said before the Blue tooth radio operates in the 2.4GHz ISM band.In the US and Europe, a band of 83.5MHz is available,in this band,79 RF channels spaced 1 mHz zpart are defined . Japan,Spain and France use only 23 RF channels spaced 1 MHz apart.
Europe and USA 2400-2483.5 MHz F=2402+ k MHz k=0………..78
Japan 2471-2497 MHz F=2473+ k MHz k=0………..22
Spain 2445-2475 MHz F=2449+ k MHz k=0………..22
France 2446-2483.5 MHz F=2454+ k MHz k=0………..22
The channel is represented by a pseudo-random hopping sequence hopping the 79 to 23
RF channels. The hopping sequence is unique for the piconet and is determined by the Bluetooth device address of the master the phase in the hopping sequence is determined by the Bluetooth clock of the master. The channel is divided into time slots, each 625 microbe in length , where each slot corresponds to an RF hop frequency. The nominal hop rate is 1600 hop/s . All Bluetooth units participating in the piconet are time and hop-synchronized to the channel.
Transmitter and Receiver requirements :
Transmitter uses GFSK(Gaussian Frequency Shift Keying) where a binary one is represented by a positive frequency deviation and a binary zero by a negative frequency deviation . The definition of Bluetooth modulated signal is given below :
Modulation GFSK
Modulation index 0.32 +/-1%
BT 0.5 +/-1%
Bit rate 1 Mbps +/-1 ppm
Modulating Data PRBS9
Frequency accuracy better than +-1 ppm
The Bluetooth devices are classified into three power classes depending on the maximum output power of the transmitter . A power controller can be used for limiting and optimization of the output power depending on the power requirements of the device.
Power class Maximum output power Minimum output power
1 100mW(20dBm) 1mW(0dBm)
2 2.5mW(4 dBm) 0.25mW(9-6dBm)
3 1mW(0dBm) N/A
(BER) of 0.1% is met. The requirement for a Bluetooth receiver is an actual sensitivity level of -70 dBm or better .
BLUETOOTH BASEBAND:-
This is the most comprehensive part of the Bluetooth protocol and one which is most important .
Baseband:
Baseband is the physical layer of the Bluetooth which manages physical channels and links apart from other services like error correction , data whitening,hop selection and Bluetooth security . Baseband lies on top of Bluetooth radio in Bluetooth stack and essential acts as a link controller and works with link manager for carrying out link level routines like line connection and power control . Baseband also manages asynchronous and synchronous links , handles packets and does paging and inquiry to access and inquiry the Bluetooth devices . Baseband transceiver applies a time division duplex( TDD)scheme . (alternate transmit and receive).Therefore apart from different hopping frequency(frequency division),the time is also slotted . In the normal connection mode, the master shall always start at even numbered slots and slave transmission shall always start at odd numbered slots(though they may continue to transmit regardless of the number of the slot) .
ACL AND SCO LINKS:-
Baseband handles two types of links SCO (Synchronous Connection Oriented) and ACL(Asynchronous Connection Less) link . The SCI link is a symmetric point to point link between a master and a single slave in the piconet . The master maintains the SCO link and mainly carries voice information . The master can support upto three simultaneous SCO links while slaves can support two or three SCO links . SCO packets are never retransmitted . SCO packets are used for 64 kb/s speech transmission .
The ACL is a point-multipoint link between the master and all that participating on the piconet . In the slots not reserved for the SCO links , the master can establish an ACL link on a per-slot basis to any slave including the slave already engaged in an SCO link (Packet Switched type). Only a single ACL link can exist . For most ACL packets packet retransmission is applied .
Logical channels:
Blue tooth has five logical channels which can be used to transfer different types of information LC(control channel) and LM (link manager) channels are used in the link level which UA . UI and US channels are used to carry asynchronous .
BLUETOOTH ADDRESSING:-
There are basically four types of device addresses in Bluetooth .
BD-ADDR 48 bit bluetooth device address(IEEE80 standard).It is divided into LAP(lower address part of 24 bits).UAP(upper address part of 8 bits) and NAP(nonsignificant address part of 16 bits).
AM-ADDR 3 bit active member address.The all zero AM-ADDR is for broadcast messages.
PM-ADDR 8 bit member address that is assigned to parked slaves .
AR-ADDR The access request address is used by the parked slave to determine the slave-to-master half slot in the access window it is allowed to send access messages .
24 8 16
LAP UAP NAP
Bluetooth packets:
The data on the piconet channel is conveyed in packets . The general packet is shown below . A standard Bluetooth packet
ACCESS CODE(72) HEADER(54) PAY LOAD(0-2745)
* size in bits
Acces code are used for timing synchronization,offset compression,paging and inquiry.There are three different types of access codes.Channel Access Code(CAC),Device Access Code(DAC) and Inquiry Access code(IAC).The channel access code identifies a piconet(unique for a piconet) while DAC is used for paging and its responses.IAC is under for inquiry purposes.The header contains information for packet acknowledgement,packet numbering for out-of=order packet recording, flow control, slave address and error checkfor header.The packet payload can contain either voice field,datd field and both.The packet can occupy more than one slot (Mutli-slot packets) and can contain transmission in the in the next slot.The payload also carries a 16-bit CRC for error detection and correction in the payload.Sco packets do not include CRC.There are five common types of packet,four SCO packets aand seven ACL packets.there brief description is given below.
Error correction
There are three kinds of error correctionschemes:1/3 rate FWC,2/3 rate FEC AND ARQ SCHEME.In 1/3 rate FEC every bit is repeated three times for redundancy,in 2/3 a generator polynomial is used to encode 10bit code to a 15bit code,and in ARQ scheme a packet is retransmitted till an acknowledgement is received(or timeout is exceeded).Bluetooth used fast,unnumbered acknowledgement in which it uses positive and negative acknowledgements by setting appropriate ARQN values.If timeout exceeded ,blue tooth flushes the packet and proceeds with the next.
Blue tooth controller:-
Flow control are synchronization:-
Bluetooth recommends using FIFO queues in ACL and SCO links for transmission and receive link manager fills these queues and link controller empties the queues automatically.
Antenna
ACL
If these RX FIFO queues are full,flow control is used to avoid dropped packets and congestion.If data cannot be received ,a STOP indication is transmitted (inserted) by the link controller of the receiver into the header of the return packet.When the transmitter receives the STOP indication, it freezes its FIFO queues.If receiver is ready it sends a GO packet which resumes the flow again..
We already know that blue tooth transceiver uses a time-division duplex(TDD)scheme.This means that it alternately trasmitts and receives in a synchronize manner.The average timing of master packet transmission must not drift faster than 20ppm relative to the ideal slot timing of 165microseconds.Jitter from average timing should be less than one microsecond.The piconet is synchronized by the system clock of the master.The Blue tooth Device Address(BDADDR)of the master determines the frequency hopping sequence.Master controls the traffic on the channel by acoding scheme.The master never adjusts its system clock during the existence of the piconet.The slaves adopt their native clocks with a timing offset in order to match the master clock.The Blue tooth clocks should have a resolution of 312.5microseconds.
A 20microsecond uncertainty window is allowed around the exact receive time in order for the access correlator for the receiver to search for correct channel accesscode and get synchronized with the transmitter.When a slave returns from the hold mode , it can correlate over a uncertainty window till they don’t overlap slots.A parked slave periodically wakes up to listen to beacons from the master and re-synchronizes its clock offset.
Controller states:
Bluetooth controller operates in two major states: Standby and connection.
There are seven substrates which are used to add slaves or make connections in the piconet . These are page, page scan,inquiry,inquiry scan , master response,slave response and inquiry response .
The Standby state is the default low power state in the blue tooth unit . Only the native clock is running and there is no interaction with any device whatsoever. In the connection , the master and slave can exchange packets, using the channel ( master ) access come and the master blue tooth clock.The hopping scheme used is the channel hopping scheme . Normally a connection between two devices occur in the followinf fashion.First master uses the GIAC and DIAC to inquire about the blue tooth devices in the range(Inquiry scan substate),it response to the master by sending its address and clock information (FHS packet) to the master(Inquiry response substate).After sending the information, the slave may start listening for page messages from the master(page scan).The master after discovering the in range, blue tooth devices may page these devices.
(Page subsatate)for connection setup.the slave in page scan mode if paged by his master will respond (Slave response substate)with its device access code(DAC).The master after receiving the response from the slave , may respond by transmitting the master’s real time clock , master’s BD ADDR,the BCH parity bits and the class of the device(FHS packet).After slave has received this FHS packet , both enter into connection state. A brief note on different states is given in appendix 1.
Connection States
The connection state starts with a POLL packet sent by the master to verify that slave has switched to the master’s timing and channel frequency hopping . The slave can respond with any type of the packet .
A Bluetooth device in connection state can be in anyof the four following states : Active,Hold,Sniff and Park mode. One of the challenges in Bluetooth is to move between these states especially from park to Active and vice versa. A brief note on modes is given in appendix 2 .
BLUETOOTH SECURITY
At the link layer,security is mainted by authentication of the peers and encryption of the information . For this,basic security we need a public address which is unique for each device(BD ADDR)two secret keys(authentication keys and encryption key)and a random number generator. First a device dies the authentication by issuing a challenge , it,s BD ADDR and a link key shared between them . After authentication ,encrytion may be used to communicate . There are four types of link keys : combination key , unit key , temporary key and initialization key .
LINK MANAGER AND CONTROLLER
Link manager is used for managing the security , link set-up and control . It talks to the other link manager to exchange information and control messages through the link controller using some predefined link-level commands. Its support for upper layer protocols is bit hazy but possibly a upper layer interface can be used to execute algorithms for mode management (park, hold, sniff, active),security management , QoS management etc.These algorithms may themselves have some input from the user itself. For example, if the user requests a low power operation (lower range operation in a home or a room), then link manager can negotiate with the other link manager about the power control and both can go into some sort of low power mode according to some pre-set algorithm. Also if the security is not a big issue , a user can decide about the level of security by choosing some reduced security option and therefore inform link manager to go soft on security .
Authentication and Encryption Management
Information Exchange and Request
A Bluetooth link manager can request from other link manager the clock cffset(Master requesting the slave to tell it the current clock offset stored by it which slave itself got from master during some packet exchange),slot offset is the time in microseconds between the strat of the master’s transmission slot in the piconet where the PDU is transmitted and the start of the master’s transmission slot where the BD ADDR device in the pdu is master . It is useful in master-slave switch and inter-piconet communications),timing accuracy (clock drift and jitter),link manager version and information about support for authentication, SCO packets etc.
Mode management and SCO connections
The link manager also handles master-slave switch procedure and mode switching procedures (forcing or requesting a device to change mode to either hold, sniff,or park mode). In parking mode, it has to take care of how to broadcast a message to the parked devices, how to handle becon parameters and how to unpark a parked device gracefully.
A part form above features a link manager can handle power control (Lower or increase the power) and can establish SCO links by reserving slots and negotiating SCO parameters. If a device wants to establish connections using layers above the Link Manager, then it can open connections between the two devices too.
Logical link and Adaptation Layer
L2 CAP provides connection-oriented and connectionless data services to upper layer protocols with protocol multiplexing capability, segmentation and reassembly operation, and group abstractions. L2 CAP permits higher level protocols and applications to transmit and receive L2 CAP packets up to 64 Kilobytes in length. L2 CAP only supports Acl links. L2 CAP uses the concept of channels are identified by Channel Identifiers (CIDS) which represent a logical end point of a connection for each application on a device. (CIDs) which represent a logical end point of a connection for each application on a device. CIDs are 16 bit numbers of which 0x001 to 0x003 Fare reserved for specific L2 CAP functions (0x0001 is a signaling channel, 0x0002 is a connectionless reception channel and rest are reserved or prohibited).
Connection Identifiers (CIDs)
The idea behind L2 CAP is to provide an interface similar to TCP/IP function calls. In NSBLUE, the L2 CAP connections and data are sent in the following manner:
cid = 12cap-> open L2 CAP Connection (ui-> get Context ()):
l2 cap-> send (cid.data.len):
l2 cap-> recv (Cid.data.len):
where’cid’is the channel identifier’ data’ is the pointer to ‘char’ and ‘len’ is the length of the data. ‘getcontext ()’ returns the local contet like ‘Walmart’. ‘JFK Airport’ etc. CID is assigned from a pool of free CIDs (pool can be assigned in blocks to save memory). Secc connection establishment in Bluetooth for more information.
Protocol Multiplexing
1.2 CAP also does multiplexing by using PSM field in the L2 CAP connection request command. 1.2. CAP can multiplex connection requestor upper layer protocols like service Discovery Protocol (PSQM 0x0001), RFCOMM (PSM=0x003) and Telephony Control (PSM = 0x 0005.)
Segmentation and Reassembly
Segmentation and Reassembly (SAR) operation are used to improve efficiency by supporting a maximum transmission unit (MTU) size larger than the largest Baseband packet. Layer protocols over the overhead by spreading the network and transport packets used by higher layer protocols over several baseband packets. L2CAP segments higher layer packets into chunks that can be passed to the Link Manager for transmission and reassemble those chunks into L2CAP packets using information provided thorough HCL and from packet header. SAR in implemented using very little overhead in Baseband packets. The tow L_CH bits defined in the first byte of Baseband payload (also called the frame header). Are used to signal the start and continuation of L2CAP packets (L_CH shall be ‘10’ for the first segment and ‘01’ for a continuation segment. To avoid any reassembly problems due to out of order packets, as received in wire line TCP/IP connections because of ‘window’ based transmissions.
L2CAP Events and Actions
L2 CAP operates using events and commands which it receives or transmits from/to upper or lower layers. These events can be, for instance, a connection request from the upper layer, a data write request or may be a disconnection request. The lower layers can tell L2CAP about incoming connection, disconnection or other requests. If L2 CAP of this unit needs to talk to the L2 CAP on the other unit, then it uses some special commands which are called signaling commands. These commands are generally used to establish connection-oriented channels after a link level connection is created or present. L2CAP has seven operational states : CLOSED, W4_L2 CA_CONNECT _RSP, W4_12cap_CONNECT_RSP, CONFIG, OPEN, W4_12CAP_DICONNECT_RSP. These states further make L2 CAP connections look similar to TCP connections.
CONCLUSION
Thus Bluetooth proves to be a wave of the future in providing ubiquitous connectivity to devices. Yet it is in its stage of infancy and has to evolve a lot before being commercially deployed. t has for its competitor Infrared communication which has already been well established. The question whether Bluetooth will survive or the Infrared communication is answered in a way that they will coexist. Each have their own merits and demerits. The security in Bluetooth is inadequate and has to improve a lot.
In the light of this study, it seems that the security of Bluetooth is still inadequate for any serious, security sensitive work. After the basic problems have been corrected, the more sophisticated security methods may be implemented on the upper levels. The security specification only considers simple issues and the more functional security has to be built above it. This includes the better authorization systems with possible KDCs and distributed secret schemes. The secure routing protocols for larger and hoc networks must also be implemented separately.
BLUETOOTH TECHNOLOGY
No comments:
Post a Comment