Bluetooth BR/EDR protocol stack

sc015020
3 min read, Feb 2, 2021

An introduction to the Bluetooth BR/EDR protocol stack. More articles will follow about the security mechanisms Bluetooth implements for pairing, and about attacks against them.

Introduction

Bluetooth is a low-power wireless communication technology operating in the 2.4 GHz ISM band for short-distance data exchange between Bluetooth devices. Development started in 1994 as a replacement for cables, and the technology is specified by the Bluetooth Special Interest Group (SIG). The specification defines all the functionality that a Bluetooth implementation must provide.

Note that this article is limited to Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR), also known as Bluetooth Classic. There is also Bluetooth Low Energy (BLE, formerly marketed as Bluetooth Smart), which is intended for considerably lower power usage than BR/EDR. The two are independent protocols, but a single device can, and often does, implement both. Each Bluetooth device has a 48-bit address (BD_ADDR), similar to an Ethernet MAC address; it is written most-significant byte first and is split into a 16-bit NAP, an 8-bit UAP and a 24-bit LAP.

Bluetooth Stack Layers

The Bluetooth protocol stack implements the communication protocol as defined in the Bluetooth specification. Similar to the OSI model, the Bluetooth stack is divided into layers, each representing an abstract function.

Bluetooth protocol layers

The Host Controller Interface (HCI) separates the Bluetooth stack into a lower and an upper part. The lower part, also called the controller stack, contains the radio and is typically implemented in hardware (the Bluetooth chip). The upper part, also called the host stack, runs in software on the host (for example BlueZ on Linux). HCI defines the command, event and data packets the two sides exchange over a transport such as UART or USB.
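The following is an added example, not code from the original article: it encodes an HCI command the host sends to the controller and decodes the Command Complete event the controller answers with, showing the opcode layout (OGF/OCF), the little-endian byte order of BD_ADDR on the wire, and the NAP/UAP/LAP split of the address. It assumes H4 (UART) transport framing, where each packet starts with an indicator byte; the sample event bytes and the address 12:34:56:78:9A:BC are constructed for the example.

```python
import struct

# HCI packet indicator bytes as used by the H4 (UART) transport
# (assumption for this example; USB transports separate packet types by endpoint).
HCI_COMMAND_PKT = 0x01
HCI_ACL_DATA_PKT = 0x02
HCI_EVENT_PKT = 0x04

EVT_COMMAND_COMPLETE = 0x0E


def opcode(ogf, ocf):
    """Build a 16-bit HCI opcode from a 6-bit Opcode Group Field and a
    10-bit Opcode Command Field."""
    return ((ogf & 0x3F) << 10) | (ocf & 0x3FF)


OP_RESET = opcode(0x03, 0x0003)         # Controller & Baseband group
OP_READ_BD_ADDR = opcode(0x04, 0x0009)  # Informational Parameters group


def build_command(op, params=b""):
    """HCI command packet: indicator, opcode (LE), parameter length, parameters."""
    return bytes([HCI_COMMAND_PKT]) + struct.pack("<HB", op, len(params)) + params


def parse_event(packet):
    """Split an HCI event packet into (event_code, parameters), checking that
    the declared parameter length matches the bytes actually received."""
    if len(packet) < 3 or packet[0] != HCI_EVENT_PKT:
        raise ValueError("not a complete HCI event packet")
    code, length = packet[1], packet[2]
    params = packet[3:]
    if len(params) != length:
        raise ValueError("event parameter length does not match packet")
    return code, params


def parse_command_complete(params):
    """Command Complete parameters: Num_HCI_Command_Packets (1 byte),
    Command_Opcode (2 bytes LE), then the command-specific return parameters,
    which for almost all commands start with a 1-byte Status."""
    if len(params) < 4:
        raise ValueError("Command Complete too short")
    num_packets, op = struct.unpack_from("<BH", params, 0)
    return {"num_hci_command_packets": num_packets, "opcode": op,
            "status": params[3], "return_params": params[4:]}


def bd_addr_to_str(raw):
    """BD_ADDR is sent least-significant byte first over HCI; the printed
    form is most-significant byte first, i.e. NAP:UAP:LAP."""
    if len(raw) != 6:
        raise ValueError("BD_ADDR must be 6 bytes")
    return ":".join(f"{b:02X}" for b in reversed(raw))


def split_bd_addr(addr):
    """Split a printed address into NAP (16 bits), UAP (8 bits) and LAP (24 bits)."""
    octets = bytes(int(x, 16) for x in addr.split(":"))
    if len(octets) != 6:
        raise ValueError("BD_ADDR must have 6 octets")
    return (int.from_bytes(octets[0:2], "big"), octets[2],
            int.from_bytes(octets[3:6], "big"))


def read_bd_addr_from_response(event_packet, expected_opcode=OP_READ_BD_ADDR):
    """Decode a controller's answer to Read_BD_ADDR. The opcode echoed in the
    event is checked against the command that was issued, so a stray or
    reordered Command Complete is not mistaken for the one being waited for."""
    code, params = parse_event(event_packet)
    if code != EVT_COMMAND_COMPLETE:
        raise ValueError(f"expected Command Complete, got event 0x{code:02X}")
    cc = parse_command_complete(params)
    if cc["opcode"] != expected_opcode:
        raise ValueError(f"Command Complete for unexpected opcode 0x{cc['opcode']:04X}")
    if cc["status"] != 0x00:
        raise ValueError(f"controller returned status 0x{cc['status']:02X}")
    return bd_addr_to_str(cc["return_params"])


# Constructed sample: the Command Complete a controller would send for
# Read_BD_ADDR when its (made-up) address is 12:34:56:78:9A:BC.
#   04                  event packet
#   0E                  Command Complete
#   0A                  10 parameter bytes follow
#   01                  Num_HCI_Command_Packets
#   09 10               Command_Opcode 0x1009 (LE)
#   00                  Status: success
#   BC 9A 78 56 34 12   BD_ADDR, least-significant byte first
SAMPLE_READ_BD_ADDR_COMPLETE = bytes.fromhex("040E0A01091000BC9A78563412")

if __name__ == "__main__":
    print("Reset command bytes:", build_command(OP_RESET).hex())
    addr = read_bd_addr_from_response(SAMPLE_READ_BD_ADDR_COMPLETE)
    nap, uap, lap = split_bd_addr(addr)
    print(f"Controller address {addr}: NAP={nap:04X} UAP={uap:02X} LAP={lap:06X}")
```

Matching the echoed opcode and checking the status byte before trusting the return parameters is the minimum a host should do; the length check in `parse_event` is the other place where a host stack must not take the controller's word over the bytes it actually received.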

Controller stack (lower part of the stack)

The lower layers, the Radio and the Baseband/Link Controller, handle the physical wireless transmission, including the frequency hopping across the 79 1 MHz channels of the 2.4 GHz band. The Link Manager takes care of link setup and connection management, and its Link Manager Protocol (LMP) carries the exchanges for authentication and encryption.

Host stack (upper part of the stack)

The Logical Link Control and Adaptation Protocol (L2CAP) provides multiplexing, segmentation and reassembly of packets for the layers above it. It allows multiple logical channels, each identified by a Channel Identifier (CID), to share a single physical link; the protocol above L2CAP is selected when a channel is opened by a Protocol/Service Multiplexer (PSM) value, such as 0x0001 for SDP or 0x0003 for RFCOMM.

The Service Discovery Protocol (SDP) is used to discover which services other devices within range support, and to publish a device's own supported functionality. Services and their attributes are exchanged as records identified by Universally Unique Identifiers (UUIDs).

Radio Frequency Communication (RFCOMM) emulates serial port connections, which are used to send and receive data. Every RFCOMM connection is encapsulated within an L2CAP connection.

The Bluetooth Network Encapsulation Protocol (BNEP) emulates an Ethernet link over L2CAP, which allows TCP/IP over Bluetooth.
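To make the L2CAP, SDP, RFCOMM and BNEP descriptions above concrete, here is an added example (not code from the original article): it reassembles an L2CAP PDU that arrives in two HCI ACL data fragments, reads the L2CAP basic header (length and CID), and decodes the Connection Request on the signaling channel that opens an RFCOMM channel by PSM. It assumes H4-style ACL framing with an indicator byte, and the packet bytes, the connection handle 0x0040 and the source CID 0x0040 are constructed for the example; the PSM-to-protocol mapping uses the fixed assignments from the specification.

```python
import struct

HCI_ACL_DATA_PKT = 0x02

# Packet Boundary flag values carried in bits 12-13 of the ACL handle word.
PB_FIRST_NON_FLUSHABLE = 0b00
PB_CONTINUING = 0b01
PB_FIRST_FLUSHABLE = 0b10

L2CAP_SIGNALING_CID = 0x0001
L2CAP_CONNECTION_REQUEST = 0x02

# Fixed PSM assignments for the protocols discussed above.
PSM_NAMES = {0x0001: "SDP", 0x0003: "RFCOMM", 0x000F: "BNEP"}


def build_acl(handle, pb_flag, data, bc_flag=0b00):
    """HCI ACL data packet: indicator, handle|PB|BC (LE), data length (LE), data."""
    if not 0 <= handle <= 0x0EFF:
        raise ValueError("connection handle out of range")
    handle_flags = handle | (pb_flag << 12) | (bc_flag << 14)
    return bytes([HCI_ACL_DATA_PKT]) + struct.pack("<HH", handle_flags, len(data)) + data


def parse_acl(packet):
    """Return (handle, pb_flag, data), refusing packets whose length field lies."""
    if len(packet) < 5 or packet[0] != HCI_ACL_DATA_PKT:
        raise ValueError("not a complete HCI ACL data packet")
    handle_flags, length = struct.unpack_from("<HH", packet, 1)
    data = packet[5:]
    if len(data) != length:
        raise ValueError("ACL length field does not match the bytes received")
    return handle_flags & 0x0FFF, (handle_flags >> 12) & 0x3, data


class L2capReassembler:
    """Collects ACL fragments per connection handle until a complete L2CAP PDU
    (basic header plus payload) is present, then returns (CID, payload)."""

    def __init__(self):
        self._partial = {}  # connection handle -> bytes collected so far

    def feed(self, packet):
        handle, pb_flag, data = parse_acl(packet)
        if pb_flag in (PB_FIRST_NON_FLUSHABLE, PB_FIRST_FLUSHABLE):
            self._partial[handle] = bytearray(data)  # new PDU discards a stale one
        elif pb_flag == PB_CONTINUING:
            if handle not in self._partial:
                raise ValueError("continuing fragment without a start fragment")
            self._partial[handle] += data
        else:
            raise ValueError("reserved PB flag value")
        buf = self._partial[handle]
        if len(buf) < 4:
            return None  # basic header not complete yet
        pdu_len, cid = struct.unpack_from("<HH", buf, 0)
        if len(buf) < 4 + pdu_len:
            return None  # wait for more fragments
        if len(buf) > 4 + pdu_len:
            raise ValueError("received more bytes than the L2CAP length announces")
        del self._partial[handle]
        return cid, bytes(buf[4:])


def parse_signaling(payload):
    """Decode one L2CAP signaling command (CID 0x0001)."""
    if len(payload) < 4:
        raise ValueError("signaling command too short")
    code, ident, length = struct.unpack_from("<BBH", payload, 0)
    params = payload[4:]
    if len(params) != length:
        raise ValueError("signaling length field does not match payload")
    if code == L2CAP_CONNECTION_REQUEST:
        if len(params) < 4:
            raise ValueError("Connection Request needs PSM and source CID")
        psm, source_cid = struct.unpack_from("<HH", params, 0)
        return {"command": "Connection Request", "identifier": ident, "psm": psm,
                "psm_name": PSM_NAMES.get(psm, "unknown"), "source_cid": source_cid}
    return {"command": f"code 0x{code:02X}", "identifier": ident, "params": params}


# Constructed sample: Connection Request for PSM 0x0003 (RFCOMM), source CID 0x0040.
#   08 00   L2CAP length: 8 payload bytes      01 00   CID 0x0001 (signaling)
#   02      Connection Request                 01      identifier
#   04 00   command length                     03 00   PSM 0x0003 (RFCOMM)
#   40 00   source CID 0x0040
SAMPLE_L2CAP_PDU = bytes.fromhex("080001000201040003004000")


def demo():
    """Split the sample PDU over two ACL packets on handle 0x0040 and reassemble it."""
    fragments = [build_acl(0x0040, PB_FIRST_FLUSHABLE, SAMPLE_L2CAP_PDU[:6]),
                 build_acl(0x0040, PB_CONTINUING, SAMPLE_L2CAP_PDU[6:])]
    reassembler, result = L2capReassembler(), None
    for fragment in fragments:
        result = reassembler.feed(fragment)
    cid, payload = result
    if cid != L2CAP_SIGNALING_CID:
        raise ValueError("sample should arrive on the signaling channel")
    return parse_signaling(payload)


if __name__ == "__main__":
    print(demo())
```

The two length checks (ACL length against bytes received, L2CAP length against the reassembled buffer) are where a host stack decides whether to trust a peer's framing; they are done before any byte of the payload is interpreted.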

Profiles and applications

On top of the Bluetooth host stack are the profiles and applications. Bluetooth defines standards for how Bluetooth should be used for each specific application, so that Bluetooth devices can communicate with each other independently of who manufactured them. Each use case is defined by its own profile with specific parameters. A profile presents a high-level API through which applications use the Bluetooth stack. There are many profiles for different purposes, for example:

Personal Area Networking Profile (PAN) uses the BNEP protocol for transport over the Bluetooth link.

Headset Profile (HSP) is used to establish and manage an audio link.

Service Discovery Application Profile (SDAP) is used to query other Bluetooth devices for their supported functionality.

Generic Access Profile (GAP) is used to configure the stack and manage connections to other Bluetooth devices.

Serial Port Profile (SPP) is used to transmit and receive data as over a standard serial port.

sc015020

Running IT security analyst. Passionate about (wireless) networks and security overall