How to save the sampling data?

BTLE

BTLE is a free and open-source Software Defined Radio Bluetooth Low Energy (BLE) software suite.

It includes:

btle_rx - BLE sniffer. Besides sniff broadcasting/fixed channel, it can also track channel hopping of a communication link.
btle_tx - Universal BLE packet transmitter. Besides BLE standard, it supports also raw bit mode to generate arbitrary GFSK packet. In this way, you can test non-standard protocol or standard under discussion before chip in the market.

Features

PHY and upper layer are implemented in software (C language). Full Software Defined Radio Flexibility.
BLE standard 1Mbps GFSK PHY.
All ADV and DATA channel link layer packet formats in Core_V4.0 (Chapter 2&3, PartB, Volume 6) are supported.
Sniffer is capable to parse and track channel hopping pattern automatically, not limited to broadcasting channel or fixed channel.

Hardware

Build and Quick test

Make sure your SDR hardware environment (driver/lib) has been setup correctly before run this project.

git clone https://github.com/JiaoXianjun/BTLE.git
cd BTLE/host
mkdir build
cd build
cmake ../                   (default. for HackRF)
cmake ../ -DUSE_BLADERF=1   (only for bladeRF)

make
./btle-tools/src/btle_rx

Above command sniffs on channel 37. You should see many packets on screen if you have BLE devices (phone/pad/laptop) around.

./btle-tools/src/btle_tx 37-DISCOVERY-TxAdd-1-RxAdd-0-AdvA-010203040506-LOCAL_NAME09-SDR/Bluetooth/Low/Energy r500

Above command transmits discovery packets on ADV channel. You should see a device with name "SDR/Bluetooth/Low/Energy" in another BLE sniffer App (such as LightBlue).

To have a faster operation sequence on HACKRF, use following:

#define TRANSFER_COUNT 4
#define TRANSFER_BUFFER_SIZE 4096

in hackrf/host/libhackrf/src/hackrf.c. Then re-compile the HACKRF lib and re-install it. Don't forget to re-compile BTLE to take the HACKRF lib change.

Besides the tools, matlab directory includes algorithm evaluation and other useful scirpts

btle_rx usage

-h --help

Print all arguments/usages.

-c --chan

Channel number. Default value 37 (one of ADV channels). Valid value 0~39 (all ADV and DATA channels).

-g --gain

Rx gain in dB. HACKRF rxvga default 6, valid 0 - 62. bladeRF default is max rx gain 66dB (valid 0 - 66). Gain should be tuned very carefully to ensure best performance under your circumstance. Suggest test from low gain, because high gain always causes severe distortion and get you nothing.

-l --lnaGain

LNA gain in dB (HackRF only). Default 32, valid 0 - 40. Gain should be tuned very carefully to ensure best performance under your circumstance.

-b --amp

Enable amp (HackRF only). Default off.

-a --access

Access address. Default 8e89bed6 for ADV channel 37 38 39. You should specify correct value for data channel according to captured connection setup procedure.

-k --crcinit

Default 555555 for ADV channel. You should specify correct value for data channel according to captured connection setup procedure.

-v --verbose

Verbose mode. Print more information when there is error

-r --raw

Raw mode. After access addr is detected, print out following raw 42 bytes (without descrambling, parsing)

-f --freq_hz (need argument)

This frequency (Hz) will override channel setting (In case someone want to work on freq other than BTLE. More general purpose).

-m --access_mask (need argument)

If a bit is 1 in this mask, corresponding bit in access address will be taken into packet existing decision (In case someone want a shorter/sparser unique word to do packet detection. More general purpose).

-o --hop

This will turn on data channel tracking (frequency hopping) after link setup information is captured in ADV_CONNECT_REQ packet on ADV channel.

-s --filename

Store packets to pcap file.

btle_tx usage

btle_tx packet1 packet2 ... packetX ...  rN

or

btle_tx packets.txt

packets.txt is a text file which has command line parameters (packet1 packet2 ... rN) text. One parameter one line. A line start with "#" is regarded as comment. See packets.txt example

packetX

is one string which describes one packet. All packets compose a packets sequence.

rN

means the sequence will be repeated for N times. If it is not specified, the sequence will only be sent once.

packetX string format

channel_number-packet_type-field-value-field-value-...-Space-value

Each descriptor string starts with BTLE channel number (0~39), then followed by packet_type (RAW/iBeacon/ADV_IND/ADV_DIRECT_IND/etc. See all format examples AT THE END: Appendix ), then followed by field-value pair which is packet_type specific, at last there is Space-value pair (optional) where the value specifies how many millisecond will be waited after this packet sent.

DO NOT use space character " " in a command line packet descriptor. You CAN use space in the txt file packet descriptor.

DO NOT use "-" inside each field. "-" is magic character which is used to separate different fields in packet descriptor.

btle_tx example: Discovery packets

Open LightBlue APP (or other BLE sniffer) in your iPhone/device before this command:

./btle-tools/src/btle_tx ../btle-tools/src/packets_discovery.txt

You will see a device named as "SDR Bluetooth Low Energy" in your LightBlue APP.

Corresponding Command line:

./btle-tools/src/btle_tx 37-DISCOVERY-TxAdd-1-RxAdd-0-AdvA-010203040506-LOCAL_NAME09-SDR/Bluetooth/Low/Energy r40

Note: space " " is replaced by "/" because space " " is not supported in command line.

btle_tx example: Connection establishment

btle_tx 37-ADV_IND-TxAdd-0-RxAdd-0-AdvA-90D7EBB19299-AdvData-0201050702031802180418-Space-1      37-CONNECT_REQ-TxAdd-0-RxAdd-0-InitA-001830EA965F-AdvA-90D7EBB19299-AA-60850A1B-CRCInit-A77B22-WinSize-02-WinOffset-000F-Interval-0050-Latency-0000-Timeout-07D0-ChM-1FFFFFFFFF-Hop-9-SCA-5-Space-1     9-LL_DATA-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-DATA-XX-CRCInit-A77B22-Space-1

Above simulates a Connection establishment procedure between device 1 and device 2. Corresponding descriptor file BTLE/host/btle-tools/src/packets.txt.

The 1st packet -- device 1 sends ADV_IND packet in channel 37.

The 2nd packet -- After device 2 (in scanning state) receives the ADV packet from device 1, device 2 sends CONNECT_REQ packet to request connection setup with device 1. In this request packet, there are device 2 MAC address (InitA), target MAC address (device 1 MAC address AdvA), Access address (AA) which will be used by device 1 in following packet sending in data channel, CRC initialization value for following device 1 sending packet, Hopping channel information (ChM and Hop) for data channel used by device 1, etc.

The 3rd packet -- device 1 send an empty Link layer data PDU in channel 9 (decided by hopping scheme) according to those connection request information received from device 2. ("XX" after field "DATA" means there is no data for this field )

Time space between packets are 1s (1000ms). Tune TI's packet sniffer to channel 37, then above establishment procedure will be captured.

btle_tx example: iBeacon

./btle-tools/src/btle_tx 37-iBeacon-AdvA-010203040506-UUID-B9407F30F5F8466EAFF925556B57FE6D-Major-0008-Minor-0009-TxPower-C5-Space-100     r100

Above command sends iBeacon packet and repeats it 100 times with 100ms time space. Corresponding descriptor file BTLE/host/btle-tools/src/packets_ibeacon.txt. You can use a BLE sniffer dongle to see the packet.

The packet descriptor string:

37-iBeacon-AdvA-010203040506-UUID-B9407F30F5F8466EAFF925556B57FE6D-Major-0008-Minor-0009-TxPower-C5-Space-100

channel 37 (one of BTLE Advertising channel 37 38 39)

iBeacon

packet format key word which means iBeacon format. (Actually it is ADV_IND format in Core_V4.0.pdf)

AdvA

Advertising address (MAC address) which is set as 010203040506 (See Core_V4.0.pdf)

UUID

here we specify it as Estimote’s fixed UUID: B9407F30F5F8466EAFF925556B57FE6D

Major

major number of iBeacon format. (Here it is 0008)

Minor

minor number of iBeacon format. (Here it is 0009)

Txpower

transmit power parameter of iBeacon format (Here it is C5)

Space

How many millisecond will be waited after this packet sent. (Here it is 100ms)

Demos

See a comparison with TI's packet sniffer here: http://sdr-x.github.io/BTLE-SNIFFER/

See btle_rx video demo or btle_rx video demo (in China) and btle_tx video demo 1 or btle_tx video demo 2 (in China)

Appendix: Packet descriptor examples of btle_tx for all formats

RAW packets: (All bits will be sent to GFSK modulator directly)

37-RAW-aad6be898e8dc3ce338c4cb1207730144f9474e0e15eedb378c3bc

ADVERTISING CHANNEL packets (channel 37 for example):

37-IBEACON-AdvA-010203040506-UUID-B9407F30F5F8466EAFF925556B57FE6D-Major-0008-Minor-0009-TxPower-C5
37-ADV_IND-TxAdd-1-RxAdd-0-AdvA-010203040506-AdvData-00112233445566778899AABBCCDDEEFF
37-ADV_DIRECT_IND-TxAdd-1-RxAdd-0-AdvA-010203040506-InitA-0708090A0B0C
37-ADV_NONCONN_IND-TxAdd-1-RxAdd-0-AdvA-010203040506-AdvData-00112233445566778899AABBCCDDEEFF
37-ADV_SCAN_IND-TxAdd-1-RxAdd-0-AdvA-010203040506-AdvData-00112233445566778899AABBCCDDEEFF
37-SCAN_REQ-TxAdd-1-RxAdd-0-ScanA-010203040506-AdvA-0708090A0B0C
37-SCAN_RSP-TxAdd-1-RxAdd-0-AdvA-010203040506-ScanRspData-00112233445566778899AABBCCDDEEFF
37-CONNECT_REQ-TxAdd-1-RxAdd-0-InitA-010203040506-AdvA-0708090A0B0C-AA-01020304-CRCInit-050607-WinSize-08-WinOffset-090A-Interval-0B0C-Latency-0D0E-Timeout-0F00-ChM-0102030405-Hop-3-SCA-4

DATA CHANNEL packets (channel 9 for example):

9-LL_DATA-AA-60850A1B-LLID-1-NESN-0-SN-0-MD-0-DATA-XX-CRCInit-A77B22
9-LL_CONNECTION_UPDATE_REQ-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-WinSize-02-WinOffset-0e0F-Interval-0450-Latency-0607-Timeout-07D0-Instant-eeff-CRCInit-A77B22
9-LL_CHANNEL_MAP_REQ-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-ChM-1FFFFFFFFF-Instant-0201-CRCInit-A77B22
9-LL_TERMINATE_IND-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-ErrorCode-12-CRCInit-A77B22
9-LL_ENC_REQ-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-Rand-0102030405060708-EDIV-090A-SKDm-0102030405060708-IVm-090A0B0C-CRCInit-A77B22
9-LL_ENC_RSP-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-SKDs-0102030405060708-IVs-01020304-CRCInit-A77B22
9-LL_START_ENC_REQ-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-CRCInit-A77B22
9-LL_START_ENC_RSP-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-CRCInit-A77B22
9-LL_UNKNOWN_RSP-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-UnknownType-01-CRCInit-A77B22
9-LL_FEATURE_REQ-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-FeatureSet-0102030405060708-CRCInit-A77B22
9-LL_FEATURE_RSP-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-FeatureSet-0102030405060708-CRCInit-A77B22
9-LL_PAUSE_ENC_REQ-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-CRCInit-A77B22
9-LL_PAUSE_ENC_RSP-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-CRCInit-A77B22
9-LL_VERSION_IND-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-VersNr-01-CompId-0203-SubVersNr-0405-CRCInit-A77B22
9-LL_REJECT_IND-AA-60850A1B-LLID-3-NESN-0-SN-0-MD-0-ErrorCode-00-CRCInit-A77B22

Discovery packets: (which can show any name or services in scanner APP, such as LightBlue):

37-DISCOVERY-TxAdd-1-RxAdd-0-AdvA-010203040506-FLAGS-02-LOCAL_NAME09-CA-TXPOWER-03-SERVICE03-180D1810-SERVICE_DATA-180D40-MANUF_DATA-0001FF-CONN_INTERVAL-0006 (-SERVICE_SOLI14-1811)

FLAGS: 0x01 LE Limited Discoverable Mode; 0x02 LE General Discoverable Mode
SERVICE:
0x02 16-bit Service UUIDs More 16-bit UUIDs available
0x03 16-bit Service UUIDs Complete list of 16-bit UUIDs available
0x04 32-bit Service UUIDs More 3a2-bit UUIDs available
0x05 32-bit Service UUIDs Complete list of 32-bit UUIDs available
0x06 128-bit Service UUIDs More 128-bit UUIDs available
0x07 128-bit Service UUIDs Complete list of 128-bit UUIDs available

jiaoxianjun / btle Goto Github PK

btle's Introduction

BTLE

Features

Hardware

Build and Quick test

btle_rx usage

btle_tx usage

Demos

Appendix: Packet descriptor examples of btle_tx for all formats

btle's People

Contributors

Stargazers

Watchers

Forkers

btle's Issues

Recommend Projects

Recommend Topics

Recommend Org