
Bluetooth Protocol (Part 2): Types, Data Exchange, Security

Written By: Bijal Parikh


The Bluetooth protocol comprises a number of protocols, which can be divided into four categories. Each of these protocols is responsible for a specific type of task and stands on its own. The previous Bluetooth article covered the basic terms, the specific values of power, frequency and range, and the concept of masters, slaves, piconets and scatternets forming an ad-hoc network. This part deals with the protocols responsible for the working of Bluetooth technology. The four categories into which these protocols are divided are shown below:


Fig. 1: Block Diagram Explaining Bluetooth Protocols

Bluetooth Core Protocols


The baseband enables the radio frequency link between Bluetooth devices to form a piconet. Information is exchanged in packets in Bluetooth. A packet is a binary data unit that carries the information required by the user and can be routed through a computer network. Both circuit switching and packet switching are used to transfer the packets in the network. Packet-switched networks move data in separate, small blocks -- packets -- based on the destination address in each packet. When received, packets are reassembled in the proper sequence to make up the message. Circuit-switched networks require dedicated point-to-point connections during calls and are generally used in telephone lines for exchange.

The Link Manager Protocol

The link manager protocol is responsible for setting up a link between two Bluetooth devices. This protocol layer is responsible for security issues such as authentication, encryption, and exchanging and checking the link and encryption keys.

Logical Link Control and Adaptation - Layer (L2CAP)

The Bluetooth logical link control and adaptation layer supports higher level multiplexing, segmentation and reassembly of packets, quality of service communication and groups. This layer is not itself responsible for reliability and relies on ARQ to ensure it.

Service Discovery Protocol (SDP)

SDP is the basis for discovery of services on all Bluetooth devices. This is essential for all Bluetooth models because with SDP the device information, services and the characteristics of the services can be queried, and after that a connection between two or more Bluetooth devices may be established. Other service discovery protocols such as Jini, UPnP, etc. may be used in conjunction with the Bluetooth SDP protocol.

Bluetooth Protocol Categories

Cable replacement protocol


The RFCOMM protocol is used for the cable replacement option in Bluetooth. It is a simple transport protocol with additional provisions for emulating the nine circuits of RS232 serial ports over the L2CAP part of the Bluetooth protocol stack. It supports a large base of applications that use serial communication. It provides a reliable data stream, multiple connections, flow control and serial cable line settings.

Telephony Control Protocol Specification (TCS Binary)

The TCS binary protocol defines the call control signaling for establishment of speech and data calls between two Bluetooth devices. It is a bit-oriented protocol.

The Host Controller Interface (HCI)

The HCI provides a command interface to the base band controller, link manager and access to the hardware status and control registers. The interface provides a uniform method of accessing the Bluetooth baseband capabilities. The Host control transport layer removes transport dependencies and provides a common driver interface. Three interfaces are defined in the core specification: USB, RS-232, and UART.



PPP, TCP, UDP and IP are standard Internet protocols defined by the IETF. These are used as the lower layer protocols for transporting packets or datagrams on their specified IP addresses.

OBEX

OBEX is a session protocol defined by IrDA. This protocol is also utilized by Bluetooth, which makes it possible for applications to use either the Bluetooth radio or IrDA technologies.


Bluetooth may be used as a bearer technology for transporting data between a WAP client and a nearby WAP server. WAP operates on top of the Bluetooth stack using PPP and the TCP/IP protocol suite.

Each of these protocols is arranged neatly as layers one above the other forming a stack of protocols. A stack is a pile of objects or things arranged neatly.

Hence, Bluetooth is defined as a layered protocol architecture because each layer supports the layer above and below it. The complete protocol stack consists of both Bluetooth-specific protocols, which are defined or developed for Bluetooth (like LMP), and non-Bluetooth-specific protocols, which were adopted to enable the re-use of existing protocols for various functions. Non-specific protocols such as WAP, UDP and OBEX can be used with many other platforms. These were used to speed up the development of the Bluetooth protocol at the higher layers, while being adapted to work with Bluetooth devices and ensure interoperability. The outline of the Bluetooth layers and the protocols associated with them is shown below.


Fig. 2 : An Overview of Various Bluetooth Layers and Associated Protocols



Fig. 3: Block Diagram Showing Various Layers and Functions of Bluetooth

Each of the layers specified above is important in Bluetooth communication and has an internal circuitry to perform the desired task. In this section we will deal with internal details of all the layers.

Internal Details of Bluetooth Protocols

Bluetooth Radio

The Bluetooth radio provides an electrical interface for transfer of packets on a modulated carrier frequency using wireless bearer services like CDMA, GSM. The radio operates in the range of 2.4 GHz. It requires an efficient antenna for transmission and reception, and an RF front end which includes an up-converter, a down-converter, a power controller, a GFSK modulator and a transmitter/receiver switch.

Bluetooth radio modem IC

The radio modem performs the GFSK modulation and demodulation, and symbol and frame time recovery. It has a fully integrated radio transceiver and frequency hopping synthesizer on a single chip. In a real-life system, the signals that travel between antennas are of much higher frequency and are known as radio frequency signals. So, to decrease the frequency range, analog circuits are normally used for down-conversion at the receiver end and similarly for up-conversion at the transmitting end. An analog to digital converter is present at the receiver side to bring the signal into the digital domain. Then it is passed on to the GFSK demodulator. The Bluetooth modulation scheme is GFSK (Gaussian Frequency Shift Keying), a modulation method for digital communication found in many standards such as Bluetooth, DECT and Wavenis. It minimizes the transceiver complexity by representing a binary one with a positive frequency deviation and a binary zero with a negative frequency deviation. The IC also contains the frequency hopping synthesizer on the same chip.


Fig. 4: Block Diagram of Various Functions in Bluetooth Radio Modem 


The Bluetooth radio operates in 2.4 GHz ISM band. In US and Europe, a band of 83.5 MHz is available. There are 79 channels spaced 1 MHz apart. Japan, Spain and France use only 23 channels spaced 1 MHz apart.


This is the most important part of Bluetooth protocol. Baseband is the physical layer of Bluetooth which manages physical channels and links. Baseband lies on top of Bluetooth radio. Bluetooth link Controller IC is used to implement the baseband protocol and functions and is interfaced with Bluetooth radio modem IC. Link controller wisely chooses the links and channels to be used and improves the performance of applications. It synchronizes with the layer above it i.e. link manager for carrying out link level routines like link connections and power control. On receiver side it performs error detection, data whitening, hop selection and Bluetooth security. The controller hardware performs the basic functions like repetitive actions of paging, inquiry and page and inquiry scans. It also provides a USB and Audio interface to the host system.


Fig. 5: Diagram showing various functions of Baseband Layer in Bluetooth

Baseband also manages links, handles packets and does paging and inquiry to access and inquire about Bluetooth devices. The transmitter applies time division multiplexing in addition to frequency division (frequency hopping). In normal connection mode, the master starts at even-numbered slots and the slave uses odd-numbered slots. There are two types of links: ACL and SCO links. A link is a two-point, end-to-end circuit that connects end users and enables them to communicate even when two separate physical paths are used. Let us move on to the ACL and SCO links used in the baseband layer.

ACL links – asynchronous connectionless

The ACL link is a point-to-multipoint link between the master and all slaves participating on the piconet. ACL links carry data information and only a single link can exist. Retransmission of data packets is allowed in ACL links.

SCO links – synchronous connection link

The SCO link is a symmetric point-to-point link between a master and a single slave. It can carry both data and voice information but it mainly carries voice information. The master can support up to two to three SCO links. SCO packets are never retransmitted.


A channel is a high-speed two-way communication path between two devices, for example a computer and its peripheral device. There are five different types of channels in Bluetooth which can be used to transfer different types of information. The LC (link control) and LM (link manager) channels are used in the link level part of communication. UA, UI and US are used to carry asynchronous, isochronous and synchronous user information.


An address is a name or token that identifies a component in the network. There are basically four device addresses as shown below.



48 bit Bluetooth device address (IEEE802 standard). It is divided into LAP (Lower Address Part of 24 bits), UAP (Upper Address Part of 8 bits) and NAP (Non-significant Address Part of 16 bits).




3 bit active member address. The all zero AM_ADDR is for broadcast messages.


8-bit member address that is assigned to parked slaves


It is used by parked slave to determine whether it is allowed to send access messages.


A Bluetooth address fields division:











The data on the piconets is conveyed in packets. A packet is shown below.



PAYLOAD [0-2745]


The access code is used for timing synchronization, paging and inquiry. There are three different types of access codes: the channel access code, which identifies a piconet; the device access code, which is used for paging and its responses; and the inquiry access code, which is used for inquiry purposes. The header contains information for packet acknowledgement, packet numbering, flow control, slave address and error check. The packet payload represents a voice field, a data field or both. There are five common types of packets, four SCO and seven ACL packets.











Carries device access code (DAC) or inquiry access code (IAC). Occupies one slot.




NULL packet is used to get link information and flow control and has no payload. Occupies one slot. Not acknowledged.




No payload. Acknowledged. Used by master to poll the slaves to know whether they are up or not. Occupies one slot.




A special control packet for disclosing Bluetooth device address and the clock of the sender. Used in page master response, inquiry response and frequency hop synchronization.




To support control messages in any link type and carry regular user data also. Occupies one slot.




Carries 10 information bytes. Typically used for voice transmission. 1/3 FEC encoded. Occupies one slot.




Carries 20 information bytes. Typically used for voice transmission. 2/3 FEC encoded. Occupies one slot.




Carries 30 information bytes. Typically used for voice transmission. Not FEC encoded. Occupies one slot.




Combined data-voice packet. Voice field not protected by FEC. Data field 2/3 FEC encoded. Voice field is never retransmitted but data field can be.




Carries 18 information bytes. 2/3 FEC encoded. Occupies one slot.




Carries 28 bytes information. Not FEC encoded. Occupies one slot.




Carries 123 information bytes. 2/3 FEC encoded. Occupies three slots.




Carries 185 information bytes. Not FEC encoded. Occupies three slots.




Carries 226 information bytes. 2/3 FEC encoded. Occupies five slots.




Carries 341 information bytes. Not FEC encoded. Occupies five slots.




Carries 30 information bytes. Resembles DH1 but no CRC code. Occupies one slot.

 Bluetooth Core Protocols


There are three types of error correction schemes: 1/3 rate FEC, 2/3 rate FEC and the ARQ scheme. In 1/3 rate FEC every bit is repeated three times for redundancy; in 2/3 rate FEC a generator polynomial is used to encode each 10-bit block into a 15-bit codeword; and in the ARQ scheme a packet is retransmitted until an acknowledgement is received. ARQ uses positive and negative acknowledgement values by setting appropriate ARQN values. If the timeout is exceeded, the Bluetooth device flushes the packet and proceeds to the next one.
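The two FEC schemes described above, written out as an added example (not code from the original article). It assumes the generator polynomial of the Bluetooth baseband specification, g(D) = (D + 1)(D^4 + D + 1), which the article does not state, and it models each block as a plain integer without the on-air bit ordering.

```python
# Added illustration; on-air bit order and packet framing are not modelled.
G = 0b110101  # g(D) = (D + 1)(D^4 + D + 1) = D^5 + D^4 + D^2 + 1


def fec13_encode(bits):
    """1/3 rate FEC: send every bit three times."""
    return [b for b in bits for _ in range(3)]


def fec13_decode(coded):
    """Majority vote over each group of three received bits."""
    if len(coded) % 3:
        raise ValueError("1/3 FEC stream must be a multiple of 3 bits")
    return [1 if sum(coded[i:i + 3]) >= 2 else 0
            for i in range(0, len(coded), 3)]


def _remainder(value):
    """Remainder of a 15-bit polynomial divided by G over GF(2)."""
    for shift in range(14, 4, -1):
        if value & (1 << shift):
            value ^= G << (shift - 5)
    return value


def fec23_encode(data10):
    """Systematic (15,10) encoding: 10 data bits followed by 5 parity bits."""
    if not 0 <= data10 < (1 << 10):
        raise ValueError("expected a 10-bit block")
    shifted = data10 << 5
    return shifted | _remainder(shifted)


def fec23_decode(code15):
    """Return (data10, corrected_bits); raise if the block is uncorrectable."""
    if not 0 <= code15 < (1 << 15):
        raise ValueError("expected a 15-bit codeword")
    syndrome = _remainder(code15)
    if syndrome == 0:
        return code15 >> 5, 0
    # Every single-bit error has its own non-zero syndrome, so one flipped
    # bit can be located and undone.
    for pos in range(15):
        if _remainder(1 << pos) == syndrome:
            return (code15 ^ (1 << pos)) >> 5, 1
    raise ValueError("uncorrectable block (at least two bit errors)")


if __name__ == "__main__":
    word = fec23_encode(0b1011001110)
    damaged = word ^ (1 << 9)            # one bit flipped by channel noise
    print(fec23_decode(damaged))         # data recovered, one bit corrected
    print(fec13_decode([1, 0, 1, 0, 0, 1]))
```

Both schemes repair random channel errors only: anyone who alters the data bits can recompute matching parity, so FEC gives no protection against deliberate modification.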


Bluetooth uses first-in, first-out (FIFO) queues in ACL and SCO links for transmission and reception. The link manager fills the queues and the link controller empties them automatically.


Fig. 6: Flow Control And Synchronization in Bluetooth Core Protocol

If the reception queues are full, flow control is used to avoid the dropping of packets and congestion. If data cannot be received, the link controller of the receiver transmits a STOP indication in the header of the return packet. When the transmitter receives the STOP indication it freezes its FIFO queues. When the receiver is ready again, it sends a packet which resumes the flow.


A state is the last known or current status of an application or a process. Bluetooth operates in two states: standby and connection. There are seven sub-states which are used to add slaves or make connections in a piconet. These are shown in the figure:


Fig. 7: Standby-State Used in Bluetooth Core Protocol


Fig. 8: Image showing Connection Controller State Used In Bluetooth System

The standby state is the default low power state used when there is no interaction between the devices. In connection state the master and slave can exchange packets using channel access code.




This sub-state is used by the master to activate and connect to a slave. The master sends page messages by transmitting the slave's device access code (DAC) in different hop channels.


In this sub-state, a slave listens for its own device access code (DAC) for the duration of the scan window. The slave listens at a single hop frequency (derived from its page hopping sequence) in this scan window.


The slave responds to the master's page message in this sub-state, which is entered if the slave, in the page scan sub-state, correlates to the master's page message. The slave enters the connection state after receiving the FHS packet from the master.


The master reaches this sub-state after it receives the slave's response to its page message. The master sends an FHS packet to the slave and, if the slave replies, the master enters the connection state.


Inquiry is used to find the identity of the Bluetooth devices in the close range. The discovering unit collects the Bluetooth device addresses and clocks of all units that respond to the inquiry message.


In this state, the Bluetooth devices are listening for inquiries from other devices. The scanning device may listen for the general inquiry access code (GIAC) or dedicated inquiry access codes (DIAC).


For inquiry, only the slave responds but not the master. The slave responds with the FHS packet, which contains the slave's device access code, native clock and some other slave information.



Fig. 9: Block Diagram Explaining How Connection is Established Between Two Bluetooth Devices

A connection between two devices is set up in a particular sequence. First the master inquires about Bluetooth devices in range. If any Bluetooth device is listening for these inquiries (inquiry scan sub-state), it responds by sending its address and clock information (FHS packet) to the master (inquiry response state). After sending the information, the slave starts listening for page messages from the master (page scan). The master, after discovering the Bluetooth devices in range, may page these devices (page sub-state) for connection setup. The slave in page scan mode will respond if paged by the master (slave response sub-state). The master, after receiving the response from the slave, may respond by transmitting the master's real time, the master's BD-ADDR, the parity bits and the class of device (FHS packet). Once they have both received this FHS packet, they enter the connection state.


The connection state starts with a packet sent by the master to verify that the slave has switched to the master's timing and channel frequency hopping. The slave can respond by sending any type of packet. The various connection states are:


In this mode both master and slave actively participate on the channel by listening, transmitting or receiving. Master and slave synchronize with each other.


In this mode the slave, rather than listening to every master message for that slave, sniffs on the specified time slots for its messages. Hence it can go to sleep mode to save power.


In this mode, a device temporarily does not support ACL packets and goes to low power sleep mode to allow activities like page scan, page, inquiry, etc.


When a slave does not want to participate in the piconet but still wants to stay synchronized to the channel, it goes into park mode, which is a low power activity.


Cable Replacement Protocols


Bluetooth security is very important for applications such as keyless doors and automatic billing in superstores. At the link layer it is maintained by authentication and encryption. First a device performs authentication by issuing a challenge, and the other device then has to send a response to that challenge. The BD-ADDR and link key are shared between them. After authentication, encryption may be used to communicate. There are four types of keys: combination, unit, temporary and initialization.
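The challenge and response exchange described above, as an added sketch that is not part of the original article. The real Bluetooth response function is not reproduced: truncated HMAC-SHA256 is swapped in as a stand-in, and the 128-bit challenge, 32-bit response, sample address and sample key are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets


def response_standin(link_key, challenge, claimant_addr):
    """Stand-in for the Bluetooth response function (NOT the real algorithm):
    HMAC-SHA256 over challenge + claimant BD-ADDR, truncated to 32 bits."""
    mac = hmac.new(link_key, challenge + claimant_addr, hashlib.sha256)
    return mac.digest()[:4]


class Verifier:
    """The device that issues the challenge and checks the response."""

    def __init__(self, link_keys):
        self._link_keys = dict(link_keys)   # BD-ADDR -> shared link key
        self._pending = {}                  # BD-ADDR -> outstanding challenge

    def challenge(self, claimant_addr):
        value = secrets.token_bytes(16)     # fresh for every attempt
        self._pending[claimant_addr] = value
        return value

    def verify(self, claimant_addr, response):
        # Each challenge is consumed on first use, so a recorded response
        # cannot be presented a second time.
        challenge = self._pending.pop(claimant_addr, None)
        key = self._link_keys.get(claimant_addr)
        if challenge is None or key is None:
            return False
        expected = response_standin(key, challenge, claimant_addr)
        return hmac.compare_digest(expected, response)


# Constructed sample values, not taken from any real device.
CLAIMANT_ADDR = bytes.fromhex("001122334455")
LINK_KEY = bytes(range(16))


def demo():
    verifier = Verifier({CLAIMANT_ADDR: LINK_KEY})
    results = {}

    c1 = verifier.challenge(CLAIMANT_ADDR)
    good = response_standin(LINK_KEY, c1, CLAIMANT_ADDR)
    results["correct_key"] = verifier.verify(CLAIMANT_ADDR, good)

    verifier.challenge(CLAIMANT_ADDR)       # new challenge, old response
    results["replayed_response"] = verifier.verify(CLAIMANT_ADDR, good)

    c3 = verifier.challenge(CLAIMANT_ADDR)
    wrong = response_standin(bytes(16), c3, CLAIMANT_ADDR)
    results["wrong_key"] = verifier.verify(CLAIMANT_ADDR, wrong)

    results["no_challenge"] = verifier.verify(CLAIMANT_ADDR, good)
    return results


if __name__ == "__main__":
    print(demo())
```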

Link Manager and controller

The link manager is used for managing security, link set-up and control. It communicates with the other link manager to exchange information and control messages through the link controller by using some pre-defined link level commands. Once the connection has been set up, it can have up to three SCO connections created across it, or its mode can be changed, either to a low power mode or to a test mode (these are useful for certification of Bluetooth devices by testing authorities and for a manufacturer's production line testing of devices). When the connection is no longer required, LMP can cause disconnection.

It has less support for upper layers, but this can be improved by using an upper layer interface which allows it to execute algorithms for mode management (park, hold, sniff, active), security management, QoS, etc. For example, if the user requests low power then the link manager can negotiate with the other link manager about power control and both can go into the same mode according to the pre-set algorithm.

The Link Manager (LM) converts the commands into operations at the Baseband level, managing the following operations.

1) Attaching slaves to Pico-nets, and allocating their active member addresses.

2) Breaking connections to detach slaves from a Pico-net.

3) Configuring the link, including Master/Slave switches.

4) Establishing ACL and SCO links.

5) Putting connections into low power modes: Hold, Sniff and Park.

6) Controlling test modes.


Authentication Module

Authentication is the process of identifying a device in a network, usually based on a username and password, to ensure security. It is also a way to allow devices in a networked system to gain access to another device. The link manager protocol ensures authentication in the piconet or scatternet.


Encryption module

The translation of data into a secret code is known as encryption. It is the most effective way to achieve data security because a secret key or password is needed to decrypt the data. Unencrypted data is called plain text, while encrypted data is called cipher text.


Apart from authentication and encryption there are many other functions as shown in figure.

Fig. 10: Block Diagram Showing Various Functions of Cable Replacement Protocols in Bluetooth

All the functions are specified below.

Adopted Protocols


Fig. 11: Summary of Bluetooth Adopted Protocols


The HCI is a command interface to baseband, link manager and access to hardware status and control registers. This interface provides a uniform method of accessing Bluetooth baseband capabilities.


The Logical Link Control and Adaptation Protocol (L2CAP) accepts data from the higher layers of the Bluetooth stack and from applications and sends it over the lower layers. It passes packets either to the Host Controller Interface (HCI) or, in a host-less system, directly to the Link Manager. These are some of the functions performed by L2CAP.


· Multiplexing higher layer protocols and allowing them to share lower layer links. L2CAP uses the PSM field in the L2CAP Connection Request Command. L2CAP can multiplex connection requests to upper layer protocols like Service Discovery Protocol, RFCOMM and Telephony Control.

· Segmentation and reassembly to allow transfer of larger packets. It is used to improve efficiency by supporting a maximum transmission unit size larger than the largest baseband packet. L2CAP segments higher layer packets into chunks that can be passed on to the link manager for transmission and reassembles those chunks into L2CAP packets using information provided by HCI and the packet header.

· Group management and one-way transmission to a group of other Bluetooth devices.

· Quality of service management for higher layer protocols.

· L2CAP events and commands.

L2CAP operates using events and commands which it receives or transmits from/to upper or lower layers. These events can be a connection request, a data write request or may be a disconnection request. The lower layer can tell L2CAP about the incoming connections, request and disconnections. If L2CAP of one unit needs to talk to other L2CAP then it uses some special commands called signaling commands.
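The reassembly and PSM multiplexing described above, as an added example that is not code from the original article. It assumes the basic L2CAP frame header (16-bit length and 16-bit channel ID, little-endian), the signaling channel ID 0x0001, one signaling command per frame and the header arriving whole in the first fragment; the `Reassembler` class, its size limit and the sample frame are hypothetical and constructed for the illustration.

```python
import struct

SIGNALING_CID = 0x0001       # fixed channel that carries signaling commands
CONNECTION_REQUEST = 0x02    # signaling command code
PSM_NAMES = {0x0001: "SDP", 0x0003: "RFCOMM", 0x0005: "TCS-BIN"}


class ReassemblyError(ValueError):
    pass


class Reassembler:
    """Rebuilds one L2CAP frame at a time from baseband-sized fragments."""

    def __init__(self, max_payload=1024):
        self.max_payload = max_payload   # local limit, hypothetical value
        self._buf = None
        self._cid = self._want = 0

    def feed(self, is_start, fragment):
        """Return (cid, payload) once a frame is complete, otherwise None."""
        if is_start:
            self._buf = None             # a new start drops any unfinished frame
            if len(fragment) < 4:
                raise ReassemblyError("start fragment shorter than the header")
            want, cid = struct.unpack_from("<HH", fragment)
            if want > self.max_payload:
                raise ReassemblyError("declared length exceeds local limit")
            self._want, self._cid = want, cid
            self._buf = bytearray(fragment[4:])
        elif self._buf is None:
            raise ReassemblyError("continuation fragment without a start")
        else:
            self._buf += fragment
        # Never accept more bytes than the header announced.
        if len(self._buf) > self._want:
            self._buf = None
            raise ReassemblyError("more data received than the header declared")
        if len(self._buf) < self._want:
            return None
        frame, self._buf = (self._cid, bytes(self._buf)), None
        return frame


def classify(cid, payload):
    """Name the upper-layer protocol a Connection Request is addressed to."""
    if cid != SIGNALING_CID:
        return ("data", cid, len(payload))
    if len(payload) < 4:
        raise ReassemblyError("truncated signaling command")
    code, _ident, length = struct.unpack_from("<BBH", payload)
    body = payload[4:4 + length]
    if len(body) < length:
        raise ReassemblyError("signaling length field exceeds the frame")
    if code == CONNECTION_REQUEST and length == 4:
        psm, source_cid = struct.unpack("<HH", body)
        return ("connection_request", PSM_NAMES.get(psm, hex(psm)), source_cid)
    return ("signaling", code, length)


# Constructed sample: Connection Request for RFCOMM (PSM 0x0003), source CID 0x0040.
SAMPLE_FRAME = bytes.fromhex("0800" "0100" "02" "01" "0400" "0300" "4000")


def demo():
    reassembler = Reassembler()
    assert reassembler.feed(True, SAMPLE_FRAME[:7]) is None   # first fragment
    cid, payload = reassembler.feed(False, SAMPLE_FRAME[7:])  # continuation
    return classify(cid, payload)


if __name__ == "__main__":
    print(demo())
```

The two length checks are the point of the example: a reassembler that trusts the declared length, or keeps appending fragments past it, is where memory-safety bugs in this layer tend to appear.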

Various signaling commands used in L2CAP are



























Telephony Control Protocol


The RFCOMM protocol is used for the cable replacement option in Bluetooth. It is a simple transport protocol with additional provisions for emulating the 9 circuits of RS232 serial ports over the L2CAP part of the Bluetooth protocol stack. It supports a large base of applications that use serial communication. It provides a reliable data stream, multiple connections, flow control and serial cable line settings. There are two types of devices that can be connected using RFCOMM:

Device 1 - communication end points such as computers and printers.

Device 2 - devices that are part of a communication segment.

Service Discovery Protocol (SDP)

SDP is the basis for discovery of services on all Bluetooth devices. This is essential for all Bluetooth models because with SDP the device information, services and the characteristics of the services can be queried, and after that a connection between two or more Bluetooth devices may be established. Other service discovery protocols such as Jini, UPnP, etc. may be used in conjunction with the Bluetooth SDP protocol.

Audio/video control transport protocol (AVCTP)

The music control buttons on a stereo headset use this protocol to control the music player. It is used by a remote control to transfer AV/C commands over an L2CAP channel. In the protocol stack, AVCTP is bound to L2CAP.

Audio/video data transport protocol (AVDTP)

It is also bound to the L2CAP layer and is used by advanced audio distribution to stream music to stereo headsets over the L2CAP layer.

Object exchange (OBEX)

OBEX is a session protocol defined by IrDA. This protocol is also utilized by Bluetooth, which makes it possible for applications to use either the Bluetooth radio or IrDA technologies.


It is a specification which decides the way in which a device uses Bluetooth technology. The profile provides standards which manufacturers follow to allow devices to use Bluetooth in the intended manner. A Bluetooth profile resides on top of the Bluetooth Core Specification and (optionally) additional protocols. While the profile may use certain features of the core specification, specific versions of profiles are rarely tied to specific versions of the core specification. For example, there are HFP1.5 implementations using both Bluetooth 2.0 and Bluetooth 1.2 core specifications. Examples of profiles are

Low Energy Attribute Protocol (ATT)

It is similar to SDP but specially adapted and simplified for Low Energy Bluetooth. It allows a client to read and/or write certain attributes exposed by the server in a non-complex, low-power friendly manner. Bound to L2CAP.

Low Energy Security Manager Protocol (SMP)

This is used by Bluetooth Low Energy implementations for pairing and transport-specific key distribution. In the protocol stack, SMP is bound to L2CAP.




Which language do you use for the code of microcontroller projects?


I use assembly language for code.

Can we use another language? Or only assembly language?

Embedded C