IoT Connectivity Part I

Syllabus
This module will cover the following
• Introduction to Bluetooth
• Bluetooth Low Energy (BLE)
• BLE profiles
• New features in Bluetooth 5
• ZigBee
2 © 2020 Arm Limited

Bluetooth technology
• Wireless technology working in the 2.4GHz band, initially targeting serial communication between devices without cables
• First short-link wireless prototypes in the 1990s, standard later managed by the Bluetooth Special Interest Group (SIG), which currently has more than 35,000 members
• Standard advanced to version 5.2 in January 2020, but many devices still follow Bluetooth 2.0 specification (also known as Bluetooth classic)
• Core functionality: enable a range of embedded devices to connect (and pair) with each other and exchange data (securely)
• Example applications: Wireless speakers, wearables, Internet-connected blood pressure monitors

Bluetooth architecture
Wireless Personal Area Network (WPAN)
• Central ↔ peripheral architecture
• Central can have up to seven active slave devices
• Up to 255 “parked” devices – low-power state, only respond to activation from master
• A Bluetooth network set-up by a central device is called a piconet
• Some devices can act as peripheral in one piconet and as central in another piconet → scatternet
• Four classes of devices: communications range between ~0.5m and ~100m

Bluetooth architecture
Centralized communications paradigm
• Channel time slotted; Time Division Duplex (TDD) multiplexing, i.e., uplink and downlink separated by different time slots
• Central polls peripherals for transmissions
• Central also controls the piconet clock and maintains synchronization of the peripherals
• Peripheral devices can be simple, which reduces implementation costs
• Peripheral-to-peripheral communication not allowed

Bluetooth protocol stack
Bluetooth 5.2 core specification exceeds 3,000 pages.
Unlike OSI or TCP/IP reference models, separation between different layers not precise
Different applications (profiles) may implement different protocol stacks (36 profiles available with Bluetooth Classic)
Some layers encountered in all profiles
Certain profiles act as building blocks for other profiles – e.g., the Generic Access Profile (GAP) is responsible for connection establishment between master/slave

Bluetooth protocol stack
• Low level functionality on chip, applications in software → HCI enables mutual interaction
• Physical layer is quite unique (frequency hopping and Gaussian Frequency Shift Keying)
• Link control encompasses both physical and medium access control functions, including slot timing and grouping
• Link manager establishes “logical” channels

Radio layer
• Bluetooth operates in the 2.4GHz Industrial, Scientific, and Medical (ISM) band
• Unlicensed spectrum shared with other technologies (Wi-Fi, ZigBee, microwave ovens)
• Signals are transmitted using a technique called Frequency Hopping Spread Spectrum (FHSS) that mitigates cross-technology interference → each transmission on a different channel, peers switch pseudo-randomly between channels (hopping)
• Data modulated using Gaussian Frequency Shift Keying (GFSK) at 1Mb/s (Basic Rate – BR) or using Differential Quadrature Phase Shift Keying (DQPSK) at 2Mb/s or 3Mb/s (Enhanced Data Rate – EDR)

Radio layer
Spectrum divided into 79 channels of 1MHz width
• Pseudo-random hopping sequence derived from part of the central’s address (through a set of XOR and permutation operations)
• Adaptive frequency hopping (AFH) may be used to reduce interference from other devices operating in the same band
• Devices hop 1,600 times/sec → the duration of a slot is 625μs
• Packets can occupy 1, 3, or 5 slots
• Carrier frequency does not change during a packet transmission

Link layer
Bluetooth device address (BD_ADDR)
• Each device has a 48-bit extended unique identifier (EUI-48)
• Most significant 3 bytes assigned to the manufacturer by IEEE Registration Authority, divided into
  • Non-significant address part (NAP): 2 bytes
  • Upper address part (UAP): 1 byte
• Least significant 3 bytes specifically assigned to each single device by manufacturer
  • Lower address part (LAP)
  • Sixty-four of these reserved (1 for general, 63 for dedicated inquiry messages)

Link layer
Frame format
• Data and control information encapsulated into frames that start with an “Access Code” and a “Header”
• Payload is optional (some frames used for device discovery, connection establishment, etc.) and 16-bit Cyclic Redundancy Check (CRC) computed on payloads

Access Codes
Consisting of preamble, sync word, and optionally trailer
Sync words
• Generate information sequence
• The LAP (most of the time that of the master)
• Append 6 bits to form, together with the LAP MSB, a 7-bit Barker sequence
• XOR with part of a known 64-bit PN sequence
• Generate 64-bit codeword using encoded info and known block code generator polynomial
• XOR codeword with the same PN sequence
Types of access codes
• Channel Access Code (CAC) – used to identify piconet
• Device Access Code (DAC) – used for signaling (e.g., communicate master clock to slaves)
• Inquiry Access Code (IAC) is of two types:
  • General (0x9E8B33 used for device discovery)
  • Dedicated
• Access code is not encoded further and is always transmitted at 1Mb/s → LAP appears in clear

Bluetooth header
• Addr identifies to which of the seven active peripherals the frame is addressed (Access Code contains central’s LAP)
• Type identifies the frame type, the Forward Error Correction (FEC) mechanisms used to encode the payload, and how many slots will be used to transmit the frame
• F (flow) signals if the slave’s buffer is full
• A (acknowledgement) is used to piggyback acknowledgement onto a data frame
• S (sequence bit) is used for detecting retransmissions

Bluetooth header
• Header error check (HEC) generated using a linear-feedback shift register (LFSR), whose internal 8-bit state is initialized with the central’s UAP
• Whole header is scrambled (“whitened”) using another LFSR, whose 7-bit state is initialized with bits $c_1, \dots, c_6$ of the central’s clock (clk) and by setting the bit in position 6 to 1 → the goal is to avoid long sequences of all zero/one bits
• The whitened header is FEC-encoded with coding rate 1/3 (i.e., every bit of the information is repeated three times)
• Payload is also whitened with the same LFSR initialized with a part of the central’s clock

Exercise
A peripheral wants to transmit 450 bytes of information using Bluetooth basic rate @ 1Mb/s.
How long will it take?

Exercise
A peripheral wants to transmit 450 bytes of information using Bluetooth basic rate @ 1Mb/s.
How long will it take?
Packet length: 72b (access code) + 54b (header) + 450*8b (payload) +16b (CRC) = 3,742b
At 1Mb/s this would require 3,742us.

Exercise
Slot size is 625us, Tx can occupy 1, 3, or 5 slots. That is 625, 1875, or 3125us.
Packet cannot fit in 5 slots. How much info can you put into 5 slots then? 3,125b – 72b – 54b – 16b = 2,983b
BUT max payload is 2,744b.

Exercise
So you need another transmission for 450*8 – 2,744 = 856b of data
With access code, header and CRC, this comes to 998b which is more than 1 slot, but less than 3.
In one slot you can put 625 – 72 – 54 – 16 = 483b

Exercise
So we have
• First transmission 5 slots (2,744b) – 3,125us
• Master polls – 625us
• Second transmission 1 slot (483b) – 625us
• Master polls – 625us
• Third transmission 450*8-2744-483 = 373b
Add access code, header, CRC -> 72+54+373+16 = 515b -> 515us
Total: 3,125+625*3+515 = 4,265us
Effective rate: 450*8/4,625 = 844kb/s

Error detection and correction
• Cyclic Redundancy Check (CRC) computed on the payload using a 16-bit LFSR, initialized with the UAP, and the eight right-most bits set to zero.
• CRC recomputed at receiver to detect if the packet transmission experienced errors.
• Forward error correction (FEC) is applied on the header and can also be applied to the payload, to increase information redundancy and robustness to errors
• FEC with rates 1/3 and 2/3 is supported: with rate 1/3, each information bit is repeated three times; with rate 2/3, the packet is encoded with a polynomial that on average produces one redundant bit for every 2 bits of information.

Logical Link Control Adaptation (L2CAP)
• Determines to which protocol to pass the packets (multiplexing)
• Configures payload sizes between 48 bytes and 64 kilobytes (default MTU is 672 bytes)
• Segmentation of large packets and reassembly
• Can perform CRC checks and retransmissions when required
• Not all applications may need to use L2CAP (e.g., audio streaming applications that transmit samples continuously)

Link management protocol (LMP)
Connection set-up
• Central aiming to discover devices it wants to be connected to (slaves) enters the “inquiry” substate.
• Sends inquiry packets over 32 wake-up carriers, equally distributed over the 79MHz range, hopping following a pseudo-random sequence.
• Discoverable device enters the “inquiry scan” substate every 1.28 seconds → listens for inquiries for 11.25ms, while hopping according to own sequence

Link management protocol (LMP)
Connection set-up
• Device receiving inquiry packet remains on the same channel and starts back-off, suspending activity for a random number of time slots, uniformly distributed in [0, 1024) range
• Then returns to “inquiry scan” substate
• When receiving a second inquiry, it responds with a Frequency Hopping Synchronization (FHS) packet that contains its address and clock offset
• Then enters “page scan” substate.
• Central that wishes to connect enters “page” substate when receiving FHS.

Link management protocol (LMP)
Connection set-up
• Central hops on the sequence derived from the slave’s address; sends “page” messages to connect
• Page messages contain the 24-bit Device Access Code (DAC) derived from the slave’s address
• Peripheral responds with a “page response” in the next slot that contains a slave ID
• Central sends FHS; peripheral uses a part of the central’s address and clock to derive the hopping sequence; confirms with second “page response”
• Central assigns 3-bit Active Member Address (AMA); both move into “CONNECTION” state
• Pairing will follow if link needs to be secured

Bluetooth Low Energy (BLE)
Also known as Bluetooth Smart
• A number of revisions to the Bluetooth protocol introduced with Core v4.0 specification to facilitate adoption on constrained low-powered devices (including IoT)
• Changes introduced include the following:
• Faster procedure to set up a connection
• Shorter transmission range (and therefore lower transmit power)
• Number of peripherals that can be attached to central is implementation dependent (no longer limited to seven)
• More applications (profiles) supported and user-defined profiles allowed
• Radio interface more power efficient

Bluetooth Low Energy (BLE)
• Physical layer is largely the same (FHSS, GFSK modulation), but the spectrum is divided into 40 channels, each with 2MHz bandwidth
• Channels 37, 38, and 39 are used to continuously advertise a device’s presence (numerology is logical; these channels are not adjacent in the frequency domain)

BLE connection set-up
• Rapid device discovery
• Dedicated advertisement channels
• Periodic advertisement interval between 20ms and 10.24s plus a random delay chosen by each device between 0 and 10ms to avoid collisions
• Four types of advertisement packets:
  • ADV_IND – Used by the peripheral to request connection to any central device
  • ADV_DIRECT_IND – Connection request directed at a specific central device
  • ADV_NONCONN_IND – Used by non-connectable devices (BLE beacons) that advertise some information to any device listening in proximity
  • ADV_SCAN_IND – Similar to ADV_NONCONN_IND, with optional additional information that can be retrieved via scan responses

BLE connection set-up
• Hopping sequence agreement much simpler
• If a connection request is accepted, a hop increment is agreed and the two peers use that to compute the next channel index from the current one, modulo 37
• A channel map can also be agreed between peers, i.e., some channels can be avoided
• The central also assigns an address to a connecting peripheral that is generated randomly (thereby ensuring identity privacy)
• This access address will uniquely identify the physical channel between two devices
• Hopping interval can also be renegotiated after connection set-up, e.g. to save energy
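
The channel-index computation described above, as an added example that is not part of the original slides: BLE Channel Selection Algorithm #1 adds the hop increment modulo 37 and, when the result is a channel excluded by the channel map, remaps it onto the list of used channels. Function names and the sample channel map are constructed for illustration.

```python
# Added example: BLE data-channel hopping (Channel Selection Algorithm #1).
DATA_CHANNELS = 37                      # indices 0..36 carry data; 37-39 advertise
ALL_CHANNELS = (1 << DATA_CHANNELS) - 1
# Constructed sample map: data channels 0..10 excluded, 11..36 in use.
SAMPLE_MAP = ALL_CHANNELS & ~((1 << 11) - 1)


def used_channels(channel_map):
    """Sorted data channels enabled in the map (bit i set = channel i used)."""
    return [ch for ch in range(DATA_CHANNELS) if (channel_map >> ch) & 1]


def next_channel(last_unmapped, hop_increment, channel_map):
    """Compute one hop. Returns (new_unmapped_index, channel_actually_used)."""
    if not 5 <= hop_increment <= 16:
        raise ValueError("hop increment must be in the range 5..16")
    used = used_channels(channel_map)
    if len(used) < 2:
        raise ValueError("channel map must enable at least two data channels")
    unmapped = (last_unmapped + hop_increment) % DATA_CHANNELS
    if (channel_map >> unmapped) & 1:
        return unmapped, unmapped       # channel is in the map: use it directly
    # Excluded channel: remap onto the table of used channels.
    return unmapped, used[unmapped % len(used)]


def hop_sequence(hop_increment, channel_map, events, start=0):
    """Channels used for the first `events` connection events."""
    sequence, unmapped = [], start
    for _ in range(events):
        unmapped, channel = next_channel(unmapped, hop_increment, channel_map)
        sequence.append(channel)
    return sequence


if __name__ == "__main__":
    print(hop_sequence(7, ALL_CHANNELS, 7))
    print(hop_sequence(7, SAMPLE_MAP, 7))
```

Every input to this computation is exchanged at connection set-up, so the sequence is fully determined by those values; hopping mitigates interference and is not a confidentiality mechanism.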

BLE data frame format
• Preamble much shorter
• 4-byte access address (AA) identifies recipient
• 24-bit CRC

BLE stack
• Several new profiles introduced
• Generic Attribute Profile (GATT) – set of procedures for discovering and accessing attributes (service specific)
• Attribute Protocol (ATT) – mandatory for all data transfers
• Generic Access Profile (GAP) controls advertisement and connections, device roles (central/peripheral)

Profiles
• Used to describe an application and collection of services offered (blood pressure monitoring, device information service, etc.)
• Services are collections of characteristics that define the behavior of part of a device
• Characteristics are attribute types that have a name, uniform type identifier, and assigned number (UUID)
• From an application perspective, profiles extend across the protocol stack, as they select relevant features from host protocols/profiles
• Each profile makes use of a particular set of GATT services – it is possible for a user/developer to define custom profiles

BLE data transfer and power saving
• Data exchange always initiated by the central (master)
• Last packet during a connection always sent by the peripheral (slave)
• Master can instruct slave about next connection interval to allow sleep

LE pairing
Known as LE legacy pairing in Bluetooth 5
• If the communication is meant to be secure (i.e., have data confidentiality guarantees), the connection set-up is followed by a pairing procedure to establish link encryption
• Three phases: I/O capabilities exchange, association, key distribution
• Devices first exchange I/O capabilities to determine what association method to use
• Three association modes:
• Just Works (all zero sequence, suitable for devices with no display or input)
• PassKey entry (6-digit PIN shown on one device, typed on the second)
• Out of band (e.g., Near Field Communication)

Securing connections
• After the IO capabilities are exchanged, a temporary key (TK) is generated; the short term key (STK) is derived
• On the link secured using STK, a Long-Term Key (LTK) is transmitted, to be used for securing all communication, along with
• An Identity Resolving Key (IRK) to support private device addresses, and
• A Connection Signature Resolving Key (CSRK), to support data signing
• Intercepting the initial communication may allow an attacker to brute force the TK
• The STK may be computed as the other data is sent in clear and the methodology is known
• LTK could be compromised – problem addressed in later revisions of the standard

Bluetooth 5
• Specification released in August 2018; two new subversions released since then
• Four physical layer modes (all GFSK based)
  • LE Uncoded 1M – symbol rate: 1Msym/s, data rate: 1Mb/s
  • LE Uncoded 2M – symbol rate: 2Msym/s, data rate: 2Mb/s
  • LE Coded S = 2, symbol rate: 1Msym/s, data rate: 500Kb/s
  • LE Coded S = 8, symbol rate: 1Msym/s, data rate: 125Kb/s
• Coded packets can increase the range, as parts of the frames are FEC encoded to combat bit error due to signal fading; this also diminishes the effective data rate

BLE coded packets
• Preamble is never coded; the packet is split into two blocks
• Access address, coding indicator (CI), and first terminator (TERM1, 3 bits) are always coded in S = 8 mode
• CI indicates the type of encoding used in the second part of the packet (S = 8 or S = 2)

LE coding
• Both blocks FEC encoded with rate 1/2. Two polynomials used:
$G_0(x) = 1 + x + x^2 + x^3$
$G_1(x) = 1 + x^2 + x^3$
• Bit coming from G0 transmitted first, then bit coming from G1
• Pattern mapper is then used to convert each bit from the encoder into P symbols, depending on whether S = 2 or S = 8 scheme used

| Bit from FEC encoder | Output sequence (S = 2) | Output sequence (S = 8) |
|----------------------|-------------------------|-------------------------|
| 0                    | 0                       | 0011                    |
| 1                    | 1                       | 1100                    |
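
The coding chain described above, as an added example that is not part of the original slides: a rate-1/2 convolutional encoder built from G0 and G1, followed by the pattern mapper from the table, plus a hard-decision demapper to show the redundancy S = 8 adds. Function names are constructed for illustration, and the terminator is assumed to be three zero bits that return the encoder to its initial state.

```python
# Added example: LE Coded PHY bit coding (FEC encoder + pattern mapper).
PATTERNS = {
    2: {0: [0], 1: [1]},                        # S = 2: P = 1 symbol per bit
    8: {0: [0, 0, 1, 1], 1: [1, 1, 0, 0]},      # S = 8: P = 4 symbols per bit
}
TERM = [0, 0, 0]  # assumption: 3 zero bits flush the encoder state


def fec_encode(bits):
    """Rate-1/2 convolutional code: G0 = 1+x+x^2+x^3, G1 = 1+x^2+x^3."""
    s1 = s2 = s3 = 0                  # three previous input bits, newest first
    out = []
    for b in bits:
        a0 = b ^ s1 ^ s2 ^ s3         # G0 taps: 1, x, x^2, x^3
        a1 = b ^ s2 ^ s3              # G1 taps: 1, x^2, x^3 (no x term)
        out += [a0, a1]               # bit from G0 is transmitted first
        s1, s2, s3 = b, s1, s2
    return out


def pattern_map(bits, s):
    """Expand each encoder output bit into P symbols for scheme S."""
    return [sym for b in bits for sym in PATTERNS[s][b]]


def pattern_demap(symbols, s):
    """Hard decision: choose the pattern nearest to each P-symbol group."""
    width = len(PATTERNS[s][0])
    if len(symbols) % width:
        raise ValueError("symbol count is not a multiple of the pattern width")
    out = []
    for i in range(0, len(symbols), width):
        group = symbols[i:i + width]
        dist = {b: sum(x != y for x, y in zip(group, p))
                for b, p in PATTERNS[s].items()}
        out.append(min(dist, key=dist.get))     # a tie resolves to 0
    return out


def encode_block(bits, s):
    """Data bits + terminator -> FEC -> pattern mapper."""
    return pattern_map(fec_encode(list(bits) + TERM), s)


if __name__ == "__main__":
    data = [1, 0, 1, 1]                          # constructed sample input
    print(len(encode_block(data, 2)), len(encode_block(data, 8)))
```

Each information bit becomes 2 symbols with S = 2 and 8 symbols with S = 8, which is where the 500Kb/s and 125Kb/s data rates at 1Msym/s come from.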

Bitstream processing

Bluetooth 5.1 positioning
• Bluetooth 5.1 introduces new features that enable positioning for IoT applications
• Core idea: Direction-finding through phase delay between signals arriving at different antennas; phase delay:
$$\varphi = \frac{2\pi d \cos\theta}{\lambda},$$
• where d is the distance between antennas, λ is the signal’s wavelength (both known)
• $\varphi$ can be measured; angle of arrival is computed as:
$$\theta = \arccos\left(\frac{\lambda\varphi}{2\pi d}\right)$$

Bluetooth 5.1 positioning
• Given energy efficiency requirements, single receiver chain is used;
• Solution: Switch rapidly between antennas
• Constant Tone Extension (CTE) follows CRC to indicate switching pattern
• Problem with this approach: CTE not protected by CRC, hence switching pattern may be affected by channel errors

ZigBee
Low power low rate personal area networking technology
• Zigbee operates in the 868MHz band in Europe (915MHz in the US and Australia)
• Multiple channels in the 2.4GHz band are also allowed
• Data rates: 20kb/s in the 868MHz band, 250kb/s in the 2.4GHz band
• Applications: Home/building automation, industrial control
• Three types of device:
  • ZigBee coordinator (ZC) – sends beacons that manage network-specific addresses
  • ZigBee router (ZR) – runs some application and can also forward packets between other ZigBee nodes
  • ZigBee end device (ZED) – reduced functionality, communicates only with ZC/ZR
Star or peer-to-peer network topologies

Protocol stack
• PHY and MAC layers follow IEEE 802.15.4 standard
• Network layer, application support sublayer, and application framework are specified by the ZigBee alliance

PHY and MAC layers
• Transmission using Direct Sequence Spread Spectrum (DSSS) – robust to noise.
• Multiple access modes
• CSMA/CA
  • If the channel is busy, the device waits for a random time (back-off factor) before transmission
  • If the channel is idle, then it transmits;
  • otherwise it repeats the back-off;
  • Once the data is received, the receiver sends back an ACK
• Beacon mode
• time divided into 16 equal slots;
• coordinator sends beacon;
• attached devices may contend but need to align transmission to slot boundaries;
• up to seven guaranteed time slots (GTS)

Data frame structure
• SHR – synchronization header
• PHR – physical layer header
• MHR – MAC layer header
• MFR – MAC footer

Network layer (NWK)
Handles
• Network start up
• Neighbor discovery
• New device configuration
• Topology specific routing
• Security
• Links encrypted using AES-128 (128-bit symmetric encryption)
• Key assumed known by all parties (e.g., provisioned at device manufacturing)
• A device may not have a pre-configured key → key sent over the air in clear (Security issues: short window when this can be eavesdropped)

Application Support Sublayer (APS)
• Maintains binding and groups tables
• Responsible for discovering devices and application services
• Provides communication end-points for ZigBee applications
• Initiates and responds to binding requests between end-points
• Filters packets intended for non-registered end-points
• Also performs message fragmentation and reassembly
• Ensures reliable data transport, i.e., frame error checking, retransmissions