Guide to Nordic Bluetooth BLE for Beginner

This guide provide a certain direction to learn and understand about Bluetooth BLE using Nordic tools and microcontroller.

The learning process with Nordic product can be very overwhelming. This guide provide a means to understand Bluetooth progressively.

  1. Read the bookInside Bluetooth low energyby Naresh Gupta
    This book contains all the technical names of Bluetooth. It is important to know that these names exist. You do not need to read this book in detail for a start. Just a brief read-through of the features available in BLE. You will need to be aware of the wording convention used in Bluetooth Low Energy. Just be aware of the terminology used in the book as it is very helpful when you navigate with the following tools and working with the source-code in nRF SDK. This book can act as a dictionary for you to understand what those terms mean.
    Another book is “Getting Started with Bluetooth Low Energy: Tools And Techniques For Low-Power Networking” by Kevin Townsend. The content is more relevant to Nordic microcontroller chip product.
  2. Play with nRF Connect apps “Bluetooth Low Energy” using the nRF52840-Dongle
  3. A short introduction and familiarisation to nRF52840-DK board.
  4. Learning how Bluetooth connects.
  5. (Optional) Play radio test with RSSI Viewer, with the application example “Radio Test Example”
  6. Watch video of how Nordic works, and what is Nordic SoftDevices (Bluetooth stack from Nordic)
  7. Start with nRF SDK (blinky application)
    Learning how Bluetooth connects.

    Application: ble_central -> ble_app_blinky_c
    Application: ble_peripheral-> ble_app_blinky
  8. Reference about the Cortex M4 C++ programming and the Nordic API for Bluetooth programming.

<- Back to Bluetooth Resources Page

Bluetooth Sniffing using Wireshark & nRF52 DK Board

This section shows how to setup a tool for sniffing of Bluetooth protocol and learn about the Bluetooth devices through reverse engineering of the Bluetooth protocol.

What you need.

Download nRF Sniffer Files

Download the latest nRF Sniffer “” from Nordic website. Unzip the files into a directory.

You will notice that there is a folder named “hex“. This is the hex files to turn the various Nordic nRF Bluetooth boards into a sniffer tool.

  • sniffer_pca10000_129d2b3.hex
  • sniffer_pca10001_129d2b3.hex
  • sniffer_pca10028_129d2b3.hex
  • sniffer_pca10031_129d2b3.hex (for nRF51 Dongle, small size)
  • sniffer_pca10040_129d2b3.hex (for nRF52 DK board)
  • sniffer_pca10056_129d2b3.hex (for nRF52840-DK board)
  • sniffer_pca10068_129d2b3.hex

Inside contains the *.hex file for the nRF Bluetooth board. This file is a firmware to program the hardware board and turns it into a Bluetooth sniffer tools for sniffing Bluetooth communication.

It also contain some script program plugin for Wireshark software to work seamlessly with the nRF sniffer hardware. The files is all inside the folder “extcap” to be copy later into wireshark folder.

Turn nRF52 DK into a Bluetooth Sniffer board

The board I am using is nRF52 DK board. So prepare the hex file “sniffer_pca10056_xxxxxxx.hex”. Connect the board to the computer.

Go to nRF Connect -> Programmer software.

If you have not install nRF Connect, you can download from this Nordic website.

Once you are in the Programmer program, (top left corner) select the device that shows “PCA10040”. This the board model of the nRF52 DK board that we are using.

You should see success message in the Log messages below the application. After a few seconds, the connection will be ready, and you will notice that the <Read> button on the right column of the application is enabled.

Now click on the button that says “Add HEX file”. Browse and select the correct hex file for this PCA10040 board.

Once you choose the hex file, you will be back onto the main window. The file memory layout display will be refresh with a orange block. The button for the <Erase & write> will be enabled too. Click this button to program the PCA10040 board with this sniffer firmware.

The <Read> button will be grayed off during this firmware programming period. When the firmware finish flashing, you will also notice the button is enabled back.

Now your board has become a Bluetooth data sniffer.

Wireshark installation

Wireshark is a very popular communication protocol analyzing tools. Download and install Wireshark onto your system.

After installation, go to the menu -> Help ->About Wireshark.
Go to the tab Folders. Double click on the link next to the name Personal Extcap path. This will open up the folder from your Window explorer.

From the files that you have downloaded earlier, copy all the files from the folder “extcap” onto this new directory from Wireshark program.

Press Ctrl+Esc and type in “cmd” from the search field. You will the Command Prompt app appear on the menu. Right click it and click on the “Run as administrator“. This is important to give administrator right when you key in the command in the following section.

Go to the directory “extcap”. Key in the following command in the command prompt.

pip3 install -r requirements.txt

Once installed, key in the following command to check if the installation is correct and is working.

nrf_sniffer_ble.bat --extcap-interfaces
C:\Program Files\Wireshark\extcap>nrf_sniffer_ble.bat --extcap-interfaces

extcap {version=3.0.0}{display=nRF Sniffer for Bluetooth LE}{help=}
interface {value=COM16}{display=nRF Sniffer for Bluetooth LE COM16}
control {number=0}{type=selector}{display=Device}{tooltip=Device list}
control {number=1}{type=string}{display=Passkey / OOB key}{tooltip=6 digit temporary key or 16 byte Out-of-band (OOB) key in hexadecimal starting with '0x', big endian format. If the entered key is shorter than 16 bytes, it will be zero-padded in front'}{validation=\b^(([0-9]{6})|(0x[0-9a-fA-F]{1,32}))$\b}
control {number=2}{type=string}{display=Adv Hop}{default=37,38,39}{tooltip=Advertising channel hop sequence. Change the order in which the siffer switches advertising channels. Valid channels are 37, 38 and 39 separated by comma.}{validation=^\s*((37|38|39)\s*,\s*){0,2}(37|38|39){1}\s*$}{required=true}
control {number=3}{type=button}{role=help}{display=Help}{tooltip=Access user guide (launches browser)}
control {number=4}{type=button}{role=restore}{display=Defaults}{tooltip=Resets the user interface and clears the log file}
control {number=5}{type=button}{role=logger}{display=Log}{tooltip=Log per interface}
value {control=0}{value= }{display=All advertising devices}{default=true}

Enable the nRF Sniffer capture tool in Wireshark

Refresh the interfaces in Wireshark, go to Capture -> Refresh Interfaces (or pressing F5). You should see that nRF Sniffer is displayed as one of the interfaces on the start page.

Go to Capture -> Options, to untick other communication interface that is not relating to the Bluetooth. We only want to see communication data from Bluetooth. If all interfaces are enabled, the data captured will be massive and difficult to find Bluetooth data.

Select View -> Interface Toolbars > nRF Sniffer for Bluetooth LE, to enable the sniffer interface menu bar to appear below the file menu in the Wireshark program.

Adding Wireshark profile

Go to Help -> About Wireshark. Select the Folders tab. Go to the link Personal configuration, and double click on the link to open up the folder. There is this profile folder. Open up this profile folder.

Copy the folder “…\Profile_nRF_Sniffer_Bluetooth_LE\” to this into this profile folder. Your directory path should look like the following, “C:\Users\xxx\AppData\Roaming\Wireshark\profiles\Profile_nRF_Sniffer_Bluetooth_LE\

Go to the menu select Edit > Configuration Profiles. Select the new “Profile_nRF_Sniffer_Bluetooth_LE” profile. This is the configuration of how the data display is setup for easy viewing.

Start Sniffing

Press Ctrl+E or go to menu Capture -> Start to start capturing the Bluetooth packets. You can select the exact Bluetooth device that you want to listen/sniff.

Further installation reference

You can refer to this link for the installation and setup process.

Sniffer Packet Explain (Bluetooth BLE Protocol)

I have two nRF52840-DK boards, with one programmed as a Peripheral which advertise (broadcast), and another one programmed as a Central to do scanning (searching).

  • Blinky Peripheral (examples->ble_peripheral->ble_app_blinky)
  • Blinky Central (examples->ble_central->ble_app_blinky_c)

To keep learning simple, we evaluate step by step. We switch off the Blinky Central module.

Advertising Packet Transmitted from Blinky

Blinky being a peripheral will boardcast advertising packet to allow other Bluetooth device to locate it. We will study what is inside an advertise packet of this peripheral from Nordic Bluetooth Blinky example.

Packet captured from the Blinky Peripheral

The period of blinky sending advertising packet is about 1msec

From this packet, I can see two part of data. One is from the sniffer itself, displaying the channel that it is sniffing, the RSSI (signal strength).

The other is the BLE Link Layer data sent from the peripheral displaying the address, and its peripheral device name.

Received Signal Strength Indicator
RSSI: -17dBm (Very Good Signal Strength)
RSSI: -35dBm (Good)
RSSI: -50dBm (Ok)
RSSI: -70dBm (Poor)

The delta time (end to start): 498us
is the time delay of the end of the previous data packet to the start of the current packet. It is the idling time between packet data transmission.

The delta time (start to start): 802us
is the time delay of the start of the previous data packet to the start of the current packet. It is the time period of the transmission. (transmission frequency of the packet)

Packet Information from the Sniffer

Is probably added information from the sniffer itself. It tells us about the information of the packet. Eg. Timing, RSSI, packet counting, data direction, transmitting channel, etc…

The data in this block is

10 2f 00 02 85 2e 06 0a 01 26 26 00 00 f2 01 00 00

10 | Board: 16

2f 00 02 85 2e 06 | Header
                    2f 00 | Length of payload: 47
                    02    | Protocol version: 2
                    85 2e | Packet counter: 11909
                    06    | Packet ID: 6

0a | Length of packet: 10 (assuming byte number of payload including itself)

01 26 26 00 00 f2 01 00 00 | Payload
                             01    | Flag
                                   | b7 RFU: 0
                                   | b6-b4 PHY: LE 1M (0)
                                   | b3 MIC: 0
                                   | b2 Encrypted: No (0)
                                   | b1 Direction: Slave -> Master (0)
                                   | b0 CRC: OK (1)
                             26    | Channel 38
                             26    | RSSI -38
                             00 00 | Event counter: 0

The advertising channel for the newer Bluetooth BLE protocol can only be at channel 37, 38, 39.

Advertising data display pickup from nRF Connect Bluetooth Low Energy apps.

Device Name: Nordic_Blinky
Address: C0:C9:71:80:51:A0
RSSI: -32dBm
Address type: RandomStatic
Advertising type: Connectable undirected
– LeGeneralDiscMode
– BrEdrNotSupported
– LeOnlyLimitedDicsMode
– LeOnlyGeneralDicsMode
Appearance: 00-00

Packet BLE Link Layer Data from the Blinky Peripheral

The data is from the Peripheral device, advertising to let other bluetooth device aware on its existence.

The data in this block is

d6 be 89 8e 60 1c a0 51 80 71 c9 c0 03 19 00 00
02 01 06 0e 09 4e 6f 72 64 69 63 5f 42 6c 69 6e
6b 79 69 8d 92

d6 be 89 8e | Access Address: 0x8e89bed6

60 1c       | Packet Header (PDU Type: ADV_IND)
              60 | 
                 | b7 Reserved: False (0)
                 | b6 Tx Address: Random (1)
                 | b5 Channel Selection Algorithm: #2
                 | b4 RFU: 0
                 | b3-b0 PDU Type: ADV_IND (0x0)

              1c | Length: 28 (assume Advertising Address (6bytes) + Advertising Data (22bytes)

a0 51 80 71 c9 c0 | Advertising Address: C0:C9:71:80:51:A0

03 19 00 00 02 01 06 0e 09 4e 6f 72 64 69 63 5f 42 6c 69 6e 6b 79 69 8d 92
                  | Advertising Data
                    03 19 00 00 | Appearance: Unknown
                                  03    | Length: 3
                                  19    | Type: Appearance (0x19)
                                  00 00 | Appearance: Unknown (0x0000)
                    02 01 06    | Flags
                                  02    | Length: 2
                                  01    | Type: Flags (0x01)
                                  06    | 
                                          b7-b5 Reserved
                                          b4    Simultaneous LED to Host (false)
                                          b3    Simultaneous LED to Controller (false)
                                          b2    BR/EDR Not Supported: true
                                          b1    LE General Discoverable Mode: true
                                          b0    LE Limited Discoverable Mode: false
                    0e 09 4e 6f 72 64 69 63 5f 42 6c 69 6e 6b 79
                                | Device Name
                                  0e    | Length: 14
                                  09    | Type: Device Name (0x09)
                                  4e 6f 72 64 69 63 5f 42 6c 69 6e 6b 79
                                        | Device Name: Nordic_Blinky
                    69 8d 92    | CRC: 0x96b149

PDU Type: ADV_IND means Undirected Advertising. To broadcast itself to a Bluetooth Central device for a connection.

Scan Response Detected from Blinky

After looking at the the advertising packet from Blinky, I also notice Blinky transmitting out another packet.

Scan Request Packet to Blinky Peripheral

From the packet no. 37, I can see that Blinkly is transmitting a packet. Looking at the end of the “Info” column, I see SCAN_RSP. This is a scan response from Blinky

Looking at a packet before this packet, I can see packet no.36 (source=74:41b0:1d:47:c5) sending out a SCAN_REQ scan request packet. It is other Bluetooth device sending a scan request to Blinky. You can see from the RSSI of -76dBm that this device is quite a distance away from my Blinky device.

As the front data are from Nordic BLE Sniffer, we will skip that and proceed to look at only the data from the Bluetooth Low Energy Link Layer only.

The Access Address (AA) is the same as the previous evaluation that we did. After some research, it is found that this Access Address is standardise to 0x8E89BED6. It is a preamble signal to identify the radio communication on the physical link.

d6 be 89 8e c3 0c c5 47 1d b0 41 74 a0 51 80 71
c9 c0 9a aa f7

d6 be 89 8e | Access Address: 0x8e89bed6

c3 0c       | Packet Header: PDU Type: SCAN_REQ
              c3 | 
                 | b7 Rx Address: Random (1)
                 | b6 Tx Address: Random (1)
                 | b5 Channel Selection Algorithm: #1 (0)
                 | b4 RFU: 0
                 | b3-b0 PDU Type: SCAN_REQ (0b0011)

              0c | Length: 12 (Scanning Address (6bytes) + Advertising Address (6bytes))

c5 47 1d b0 41 74 | Scanning Address: 74:41:b0:1d:47:c5

a0 51 80 71 c9 c0 | Advertising Address: C0:C9:71:80:51:A0

9a aa f7          | CRC: 0x5955ef

Scan Response Packet from Blinky Peripheral

Now going back to look at the Scan Response packet.

d6 be 89 8e 44 18 a0 51 80 71 c9 c0 11 07 23 d1
bc ea 5f 78 23 15 de ef 12 12 23 15 00 00 2a 92

d6 be 89 8e | Access Address: 0x8e89bed6

44 18       | Packet Header: PDU Type: SCAN_RSP
              44 | 
                 | b7 Reserved: False
                 | b6 Tx Address: Random (1)
                 | b5 Channel Selection Algorithm: #1 (0)
                 | b4 RFU: 0
                 | b3-b0 PDU Type: SCAN_RSP (0b0100)
              18 | Length: 24 (Advertising Address (6bytes) + Scan Response Data (18bytes))

a0 51 80 71 c9 c0 | Advertising Address: C0:C9:71:80:51:A0

11 07 23 d1 bc ea 5f 78 23 15 de ef 12 12 23 15 00 00
                  | Scan Response Data (advertising data)
                    11 | Length: 17
                    07 | Type: 128-bit Service Class UUIDs (0x07)
                    23 d1 bc ea 5f 78 23 15 de ef 12 12 23 15 00 00
                       | Custom UUID: 00001523-1212-efde-1523-785feabcd123

2a 92 d0          | CRC: 0x54490b

The scan response returns the data type 128-bit Service Class. This is the long form UUID 00001523-1212-efde-1523-785feabcd123, which identify the service provided by this Bluetooth peripheral.

How CRC is computed?

CRC is 0x54490b base on the hex data of 2a 92 do

Probing a Connection to Blinky

The following uses nRF Connect to connect to the Blinky board.

Connected to Blinky

This screen shot shows what data will be read to this nRF software when the Blinky gets connected.

This data will be verified with the data communication after the module is connected. We will dive into the data packet details later. We should be able to see all the data as reflected in this nRF Bluetooth app.

The nRF software uses nRF52 Dongle as the bluetooth device to scan for Blinky device. The nRF52 Dongle MAC address is C6:ED:E6:6C:28:CD

Packet Capture to show nRF scanning for Blinky board.

This packets shows Blinky sending advertise packets to broadcast to other bluetooth. It also shows that the nRF software is sending out scan request to check out the blinky device which was advertising itself frequently. The scan request message from nRF to the Blinky is observed to be about 400ms apart. About 2 scan request message per second.

Blinky responsed to the scan request sending back more detail about itself.

Packet Capture to show nRF scan request connection to Blinky

The nRF apps get to connect with Blinky about 135ms after its scan request.

This connection started at packet no. 962, with the nRF Connect connects to the Blinky.

After the connection, the source and destination MAC address seems to be no longer appear.

There will be no more advertising from the Blinky.

Communication is only between nRF apps (Master) and the Blinky (Slave). Period of communication is about 5-10msec.

PDU is no longer indicated after the connection. PDU is for higher level BLE device discovery and connection process.
Type of PDU available

Packet Capture to show nRF disconnect from Blinky

When nRF apps disconnect from the Blinky, the Control Opcode: LL_TERMINATE_IND can be observed. Slave response, and shortly after return to its disconnected state and begin to advertise again. Advertise period is about 10msec.

Service Discovery packets after connected

Shortly after the Blinky gets a request to be connected at packet 962, the GATT discovery starts popping out from packet 967 (time 2.845sec) to packet 1036 (time 3.100sec)

Packet 967 from master has a starting handle of 0x0001 to 0xffff, seems to be master asking for services that within these range from the slave.

Packet 970 from slave response with 2 services. One at handle 0x0001, the other at handle 0x000a.

Packet 971 packet from master is almost the same as packet 967. Only the starting handle is different thsi time. It is at 0x000b. This is perhaps master is probing from the slave whether if there are more services from the handle range 0x000b to 0xffff.

The slave response at packet 974 with a handle at 0x000b (which is unknown) with a UUID of 23d1bcea5f782315deef121223150000.

Handle 0x000b eventually stop at packet 978.

The master send a packet no. 981 for a range from starting handle: 0x0001 to 0x0009. Seems that the master understand the messages from slave and starts to adjust its range. It is note that this master has change its read request from “Read By Group Type Request” to “Read By Type Request”.

At packet no. 984, the slave returns even more information. Information about the Generic Access service block.

The master continue to probe at packet 985. Slave packet 988 returns the remain information from the Generic Access service block.

Packet no. 989 to 1004 is master probing deeper (Read Request) from the Generic Access service for more detailed information.

The master starts from “Read By Group Request” (packet 967 to 974) to “Read by Type Request” (packet 981 to 988), and finally “Read Request” (packet 989 to 1004).

These are the GAP profile from what I can see on the Wireshark screen.

Then the master process to Find Information from packet 1007 to 1029. These are the GATT characteristic as displayed.

The last 2 packets (packet 1033, 1036) are Read Request from GAP Profile’s Device Name.

Summary of the connection.

The connection happens at packet no. 962 (time: 2.829sec), and ends at packet no. 2350 (time: 8.027sec).

Within the connection period from packet no. 962 to 2350, the GATT protocol appear. GATT communication (ATT L2CAP protocol) start on packet no. 967 (2.845sec) and ends at packet no. 1036 (3.1sec).

The GATT packets are filtered out from Wireshark. It is noted that it took a total of 28 packets (ATT L2CAP protocol), to complete exposing Blinky’s GATT services to the master device.

Average RSSI maintain good at around –35dBm.

Generic Access Service information can be detected at packet no. 970

Generic Attribute Service information can be detected at packet no. 970

Going through the connected packets one at a time.

The following sniff data using wireshark can be downloaded from here.
You can open this file with Wireshark to go through the connection in details.

Connection to Blinky

We are more or less familiar with how data are presented in the bytes level. We will now focus more on the data information instead of the bytes level.

Connect Request Packet

This packet data and the usual data structure to take note. The Bluetooth Low Energy Link Layer packet is always consist of size part.

Bluetooth Low Energy Link Layer

  • Access Address (preamble data)
  • Packet Header (what this packet is about)
  • Initator Address (who request the connection)
  • Advertising Address (the peripheral device to accept this connection)
  • Link Layer Data (the data)
  • CRC (data integrity checking)

Access Address: 0x8e89bed6 (the usual fixed preamble data at the beginning of the BLE data packet)

Packet Header

PDU Type: Connect_REQ (0x5)
Data Length: 34 (address + link layer data)

Initator Address: c6:ed:e6:6c:28:cd

Advertising Address: c0:c9:71:80:51:a0

Link Layer Data

An new Access Address is assigned as 0xc8bb66dc
CRC Init: 0x64fb60
Window Size: 5 (6.25msec)
Window Offset: 0 (0msec)
Interval: 6 (7.5msec)
Latency: 0
Timeout: 400 (4000msec)
Channel Map: ff ff ff ff 1f (default RF Ch 0, 12, 39 for advertising)
Hop: 9
Sleep Clock Accuracy: 0 to 20ppm (7)

CRC: 0x784e01

Hop: 9 means to hop 9 channel away from the current channel. New channel = (curr_channel + hop) mod 37

Connected (Master packet 963)

10 13 00 02 97 16 06 0a 0b 09 21 00 00 ef 04 00
00 dc 66 bb c8 01 00 d0 b6 c8

10 13 00 02 97 16 06 0a 0b 09 21 00 00 ef 04 00 00 | Nordic BLE Sniffer

dc 66 bb c8 01 00 d0 b6 c8 | Bluetooth Low Energy Link Layer

It is noted that the communication Channel is 9. The previous channel during the advertising and connection packet was at Ch 39. This current channel 9 could be the result of the channel hopping.

Access Address: 0xc8bb66dc
The access address is different from the previous one. This same access address is used through out the connection period.

It is noted that the Master & Slave Address being keep tracked. However the address is no where to be found in the packet. This means that the addresses should be tracked by the Wireshark program, probably through the Access Address 0xc8bb66dc

There is only the data header with no data. The data header format has changed. It is different from the format before the connection.
– LLID: L2CAP message
– Next Expected Sequence Number: 0
– Sequence Number: 0 [OK]
– More Data: False
– RFU: 0
– Length: 0

Connected (Slave packet 964)

This slave packet looks very similar from the master packet. The Access Address is the same. The next expected sequence number is 1.

– LLID: L2CAP message
– Next Expected Sequence Number: 0
– Sequence Number: 1 [OK]
– More Data: False
– RFU: 0
– Length: 0

It is observed that both the Next Expected Sequence Number and the Sequence Number keep rotating in sequence 00 01 11 10 ….. It is a sequence number using 2 bits.

More Data could mean if there are more following packets coming which is related to this current packet.

It is also observed that for every pair of master/slave packet, the channel hop by 9 ch.
Ch9, 18, 27, 36, 8, 17, 26, 35, 7, …….
The channel keep hopping. There is also an event counter on the sniffer which will increment for each pair of master/s;ave communication.

The delta delay between the Master and Slave pair is about 150us gap, 230us packet period.

The delta delay between the Slave and Master of the next pair is about 7190us gap, 7270us packet period.

First Attribute Protocol (Master packet 967)

dc 66 bb c8 02 0b 07 00 04 00 10 01 00 ff ff 00
28 4c d0 f3

dc 66 bb c8 | Access Address
02 0b       | Data Header, LLID: Start of L2CAP, Data Length: 11
07 00 04 00 10 01 00 ff ff 00 28 | Bluetooth L2CAP Protocol
                  07 00 | Length: 7
                  04 00 | CID: Attribute Protocol (0x0004)
   10 01 00 ff ff 00 28 | Bluetooth Attribute Protocol
                     10 | Opcode 0x10
                  01 00 | Starting Handler: 0x0001
                  ff ff | Ending Handle: 0xffff
                  00 28 | UUID GATT Primary Service Declaration 0x2800     

This packet seems to be sending a command to start the GATT.

The slave seems to reply nothing (packet 968) like the previous slave response. Seems more like an acknowledge purpose to the master device.

This is followed by Master sending nothing (Master packet 969).

It is noted that packet 968 and 969 doing nothing is labelled as the LE LL protocol (Low Energy Link Layer).

The attribute data packet 967 and 970 are labelled as ATT L2CAP (Logical link control and adaptation protocol).

First Attribute Response Protocol (Slave packet 970)

This is noted in the sniffer wireshark that this packet 970 is the response that is requested from packet 967 (GATT Service request 0x2800). The tools is keeping track of the messages.

More data can be seen by this slave response. The slave is returning 2 groups of attribute data.

  • UUID: Generic Access Profile (0x1800)
    • Handle ID (0x0001)
    • End Handle ID (0x0009)
  • UUID: Generic Attribute Profile (0x1801)
    • Handle ID (0x000a)
    • End Handle ID (0x000a)

Other observation on the bluetooth communication

In this observation on the bluetooth pad lock, it was noted that during the CONNECT_REQ, the Channel Map turns out to be FF FF FF 07 00. This is very different from the previous observation which is FF FF FF FF 1F. In the previous observation, all the channels are active except for the advertising channel 37, 38, 39.

Base on this difference and some research from online, I would assume that the purpose of this Channel Map is probably to map out the available channel for use. In the previous observation, except for the 3x advertising channel, all the channels are available for use. So it means that in this new observation channel 27 to 36 (or RF Channel 29 to 38) may not be available for use. Let’s looking into the other packet to see if this understanding is true.

Note that RF channel is the physical radio frequency channel. The RF channel for advertising is RF Channel 0, 12, 39. The corresponding Channel number for these 3 advertising channel is data digitally represented in decimal as 37, 38, 39. Please take note of the difference…..

The Hop number is found to be 5. Meaning that for every pair of data packet communicated, the next channel will increment by 5, to the next channel. This Channel Map should be determine by the CENTRAL device connecting to the PERIPHERAL device. It is probably representing which channel is busy and to be avoided.

The connect request from Master started on channel 37. This is followed by Master communicating at channel 5 on the next packet. The slave responded on channel 5. Next following two packet is channel 10. Next pair is at channel 15. Next is channel 20. Next pair is at channel 25. Then it jump straight into channel 3 fromo Master. Followed by response at channel 3 too by the slave. Then next pair are channel 8, 3, 8, 13, 18, 23, 1, 6, 1, 1, 6, 11, 16, 21, 26, 4, 9, 4, 9, 9, 14, 19, 24, 2, 7, 2, 7, 12, 17, 22, 0, 5, 0, 5, 10, 15, 20, 25, etc… (from packet<1194> to packet<1282>)

It is note that the channel can sometimes go backward, sometimes remains the same. For this observation, it is always on the lower channels. Could be be that there are data corruption and there is a need from the master to repeat using the channel? How did the slave knows that the master has switch backward to the previous communicating channel?

One thing noted is that there isn’t channel 27 to 36 appearing. Which proves the purpose of the channel map. It determines which channel can be used for the communication, and communicated to the slave device during the connection request. From channel 23 to channel 1, is exactly 5 hops away from the next available channels. Those not available is not counted in the hopping.

One possible explanation that I can imagine could be that the receiver board may not have acknowledge or captured the packet, prompting the sender to do a resend on the same channel or even move backward to the previous channel.

Wireshark Filter Operator for digging out the data.

nRF Variables in Wireshark

You can select a variable for the filter by right clicking the variable and click on -> Apply as Filter -> Selected (to pick them up) or Not Selected (to hide them)

btle.advertising_address == c0:c9:71:80:51:a0 ||
btle.scanning_address != 74:41:b0:1d:47:c5


  • ==
  • !=
  • >
  • <
  • >=
  • <=
  • contains “???”
  • ~ eg. matches "acme\.(org|com|net)"
  • &
  • &&
  • ||

<- Back to Bluetooth Resources Page

BLE Blinky Application

This is a simple application that demonstrate a Bluetooth server device and a client device.

In this example I am using nRF52840-DK (PCS10056) board

BLE Blinky Application Example

This application program flashes a Bluetooth server onto nRF52840-DK board. It advertise and waits for a client to connect to it.

This application board can be connected via

  • BLE Blinky Client application
  • nRF Connect program
  • nRF Blinky apps on a Andriod Smart Phone

Location of the source code:
…\nRF SDK\examples\ble_peripheral\ble_app_blinky


BLE Blinky Client Application Example

This application program flashes a Bluetooth client onto nRF52840-DK board. It connects to the server.

Pressing a Button 1 on one board will result in LED 3 lighted up in the other board.

Location of the source code:
…\nRF SDK\examples\ble_central\ble_app_blinky_c


nRF Connect program Example

Start scan on the program to search for the Bluetooth device named “Nordic_Blinky”. Connect to it.

Browse through the services, there is one that starts with 00001523xxxxx… Under this service, there is a attribute ID starting with 00001525xxxx… This is the input that acts like a switch on the actual board. Change the number in this field to 00 or 01 and see the LED 3 lights up on the nRF52840-DK server board. Under this service, there is also an attribute ID 00001524. Here there is a play button. Click on the play button to receive notification from the server board. When the button 1 is pressed on the server board, you should see that this value will change according to the physical button pressed.

The whole experiment is similar to the BLE Blinky Client Application board.

nRF Blinky apps on a Andriod Smart Phone

<- Back to Bluetooth Resources Page

Setup to Test Radio


Examples related to RF test

Radio Test Example

Setup Spectrum Analyser Board

Open the software nRF Connect -> RSSI Viewer.

Program one of the board to view the frequency spectrum. When you select the board inside the RSSI Viewer, it will assist you to flash in the RSSI Viewer firmware.

Setup RF Transmitter Board

On another board, load in the firmware for the example
Hardware peripheral examples – > Radio Test Example

This can be found from the SDK directory
F:\…..\nRF5 (SDK)\examples\peripheral\radio_test\hex

Connect this board to a console.

Key in the command “start_tx_carrier“. This will make the board transmit at a frequency. You should notice that frequency (at channel 0) spike up from the RSSI Viewer on the spectrum analyser board. You can change the frequency to transmit using the command “start_channel” followed by again the command “start_tx_carrier“. Example to change transmitting RF at channel 20.

start_channel 20

You can also change the transmit power using the command “output_power” followed again by the command “start_tx_carrier” to start transmitting at the new power set.

The command “cancel” switch off everything.

The command “parameters_print” display the current settings.

Key in the command “start_tx_sweep“. You will see the frequency sweeping from the left (lower frequency) to the right (higher frequency). You can use the command “time_on_channel” to set a sweep delay (from 1ms to 99ms) to make the sweeping slower. You can also control the channel (frequency) range to sweep using the command “start_channel” and “end_channel“.

Issue with Radio Test example

No idea how to send and receive data for the radio test.

<- Back to Bluetooth Resources Page

Learning how Bluetooth connects

A useful experiment to learn how Bluetooth connects using nRF52840-DK kit

nRF52840-DK Example: BLE Interactive Command Line Interface

This example tutorial from Nordic is a sample program to help engineer learns about Bluetooth practise.

The following are some documentation about this example to practise.

What you need?

You will need at least two development board to play around with the advertise, scanning for Bluetooth devices, and connection.

The source code and *.hex provided by Nordic are for nRF52840-DK (PCA10056) and nRF52832-DK (PCA10040) boards. In this example, I am using two sets of nRF52840-DK board.

The example used is
nRF5 (SDK) -> Examples -> BLE Central and Peripheral -> Experimental -> BLE App Interactive -> PCA10056

The *.hex file can be found from this directory. Source codes are here as well.
\…..\nRF5 (sdk)\examples\ble_central_and_peripheral\experimental\ble_app_interactive\pca10056\s140\ses\Output\Release\Exe

Flash both boards with the same firmware.

Playing with the Bluetooth connectivity through console

Once the firmware is flash, the USB connection is also the virtual com port. Connect them to the PC and open the port using a serial console like MobaXterm.

Serial port settings: Baudrate is 115200bps, 8 bits data, 1 stop bit, no parity, no hardware control.

Once connected through com port, you can start to issue commands

Root Commands

  • advertise           - Turn advertising on or off.
  • bonded_devices      - List bonded_devices.
  • connect             - <address/peer_id> Establish a connection with a device.
  • connected_devices   - Display connected devices and security information on each connection.
  • device_name         - <name> Set device name.
  • devices             - List available (advertising) devices.
  • disconnect          - <address> Disconnect from a device.
  • gatt                - GATT Client procedures.
  • key_reply           - <key> Enter passkey displayed by another device (for pairing mode: “Passkey Entry”).
  • nfc_read            - <subcmd> Turn on NFC reader (requires additional hardware) <on/off>.
  • numeric             - Confirm or reject a numerical value (for pairing mode: “Numerical Comparison”).
  • pair                - <subcmd> <address> <option> Initiate pairing with a connected device.
  • parameters          - <subcmd> Change or request new Link Layer or GATT parameters.
  • privacy             - Set privacy settings.
  • remove_bond         - <subcmd> Remove a bonded device.
  • scan                - Turn scanning on or off.

LED Indicators

LED indicators to help us see the state that the Bluetooth is in.

  • LED 1: Means board is scanning for Bluetooth devices
  • LED 2: Means board is connected to a BLE Peripheral device.
  • LED 3: Means board is advertising itself. (boardcast)
  • LED 4: Means board is connected to a BLE Central device.

You can set the name for the board using the command “device_name“. This name is volatile and not permanent. The name will be gone after a reset. Key in this command to set a name “Board 1” & “Board 2” to differential this two board.
eg. “device_name Board 1”

Key in the command “scan on“, you will notice that LED 1 will be lighted up. After this key in the command “devices“, you will get to see a list of nearby Bluetooth devices advertising themselves (broadcasting their ID). The command “devices” will only display the list when the board has its scanning activated.

You will not be able to see the other Bluetooth board that you have because that board has not yet started its advertising.

For the other board, key in the command “advertise on“. You will notice the LED 3 on this board lighted up.

On the first board which is still on the scanning mode, key in the command “devices”. You will get to see a list of Bluetooth devices. This time round you should be able to see the other board, its Bluetooth address ID and its device name.

On the first board, key in the command “connect” follow by the board ID of the other board that I want to connect. When connecting, both board will display messages about the connection. This first board will have LED 2 lighted up, indicating that it is connected to a peripheral board, while the other board has its LED 4 lighted up indicating that it is connected to a central board.

You can check the connected device using the command “connected_devices

In the process of connection, I tried to make another connection from the Board 1 (central) to Board 2 (peripheral). It is known that a central device can make multiple connection to various peripheral devices. In this experiment I notice that it is possible for the Bluetooth peripheral to receive multiple connection. Each connection is reference by a handler ID.

Pairing is a temporary exchange of security features. Security key are exchanged. Bonding is a permanent exchange of security features. It just means the the security key that is exchanged are saved and be used for any future connection. Bonding can only be executed after pairing is done. It is simply saving the security keys on both side.

After the Connection

After the connection you can proceed to use the other commands “pair“, “parameters” and “gatt“.

Technical Name Recap

The GAP (Generic Access Profile) defines the discovery, connection and link management part of Bluetooth. Central (usually connected to multiple peripheral) and peripheral (usually a single connection to the central) are both related to GAP.

The GATT (Generic Attribute Profile) is one of the data communication method after the Bluetooth devices are connected. The Bluetooth device is the server serving the data, while the one accessing it is the client.

<- Back to Bluetooth Resources Page

Bluetooth GATT Protocol for Bluetooth Low Energy (BLE 4.0)

GATT protocol

GATT is a protocol style of exchange data over the wireless Bluetooth connection that is introduced for BLE 4.0.

The Bluetooth connection can consist of many services. A service is like data channel or view as a data object passing to and from the Bluetooth device. Inside each service can consist of many data attributes which is also known as the characteristic. Characteristic is simply the data that is associated with a standard defined label.

GATT protocol

  • Service 1
    • Characteristic 1A
    • Characteristic 1B
    • Characteristic 1C
  • Service 2
    • Characteristic 2A
  • Service 3
    • Characteristic 3A
    • Characteristic 3B

Reference on GATT:

– Handler (16 bit ID as and address for the attribute) <- is it address for the Service?
– Permission
– UUID identify the data attribute type in the data block.

Hands-on GATT protocol

One useful tool in learning the new GATT Protocol designed for Bluetooth Low Energy (BLE4.0 and above) is using the nRF Connect’s Bluetooth Low Energy apps from Nordic. You can install the nRF Connect software to have access to this app.

The following example uses nRF52840 Dongle as a sniffer.

When in the BLE apps, select the dongle device to start.

On the right side, click on the button <Start scan> to scan for nearby Bluetooth devices.

Bluetooth devices is constantly sending our advertisement broadcast so that other Bluetooth client can detect it and be able to connect to it.

In the following example, a BLE device is detected by the scan process. The device name ending with “…..-172AFE04”. Select the device and click on the <Connect> button.

Device Name: …..-172AFE04
Address: D4:ED:17:2A:FE:04
Address type: RandomStatic
Services: Battery Service
Appearance: 00-00

The column on the left represents the nRF52840-Dongle which is now a Central Bluetooth device. The right column is displaying the connected Bluetooth Peripheral (server) device name “…..-172AFE04”. The central is a Bluetooth client device which can connect to one or more peripheral devices. Each peripheral (server) can only accept one connection from the central (client) Bluetooth device. Once the peripheral is connected, they will stop their advertisement broadcast. Other Bluetooth devices will not be able to see and connect to them.

In the connected peripheral Bluetooth device with name ending with “…..-172AFE04”, along the connection line, there is a lock icon. Hover your mouse to check up the connection information. The configuration icon inside the device box have option that allows you to disconnect the Bluetooth connection of the central device to the peripheral device.

Inside the peripheral device, you will notice the following section of data. These are the GATT Services available from this server peripheral Bluetooth device.

  • Generic Access
  • Generic Attribute
  • FFE0
  • FFE5
  • Legacy DFU

Generic Access

Type UUID: 0x1800

Device Name…..-172AFE04
Appearance00 00
Peripheral Preferred Connection Parameters (optional)20 00 30 00 00 00 90 01
Peripheral Privacy Flag (optional)

Generic Attribute

Type UUID: 0x1801

Service Changed (optional)

GATT Service: FFE0

Type UUID: 0xFFE0

Characteristic is FFE4.
is a notify service.

Characteristic User Description
64 65 76 69 63 2D 3E 70 68 6F 6E 65
which represent a string

Client Characteristic Configuration
00 00

GATT Service: FFE5

Type UUID: 0xFFE5

Characteristic is FFE9.
is a writeWoResp write service.

Characteristic User Description
70 68 6F 6E 65 2D 3E 64 65 76 69 63 65
which represent a string

Legacy DFU

GATT Service in detail (xml)

An overview of the service “generic-access” data structure.

Max data size of an attribute is 512 bytes


Generic Access Service data structure

– InformativeText

– Characteristics

– Configurations

<- Back to Bluetooth Resources Page

AT Command for NB-IoT communication

Hardware used is nRF9160 modem.

Set terminal software to the following setting.

  • Baudrate: 115200bps
  • Data bits: 8 bits
  • Stop bit: 1 bit
  • Parity: None
  • No hardware handshaking

Note that ↵ means sending of char 0x0D 0x0A (<CR><LF>)

//Test if modem is connected
🡲 AT ↵
🡰 OK ↵

//Get the modem firmware version
🡰 352656100032351 ↵

//Get IMEI number
🡰 352656100032351 ↵

//Sim Activation
🡲 AT+CFUN=0 ↵     //turn  off cellular functionality
🡰 OK ↵
🡲 AT+CFUN=1 ↵     //turn  on cellular functionality
🡰 OK ↵

//PDP Context Configuration (configure how the data packet be accepted by the telecom)

Maybe useful AT commands

AT+CGPADDR       //show IP address allocated by the network

AT Command for iBasis SIM card using nRF9160 (with help from iBasis technical team)

AT+CFUN=0                           //Power of the modem every time that you change the access mode LTE-M or NB-IoT

AT%XSYSTEMMODE=1,0,1,0              //Enable LTE-M1

AT%XSYSTEMMODE=0,1,0,0              //Enable NB-IOT

AT+CGDCONT=0,"IP","ibasis.iot"      //Configure APN (Optional)

AT%XBANDLOCK=1,"10001000000000000"  //Lock the specific band for your testing, put 1 at the position of specific band (17 and 13 on this example, this is Optional)

AT+CPSMS=0                          //Disable PSM

AT+CFUN=1                           //Enable modem

AT%XSIM?                            //Enable UICC

AT+CFUN?                            //Register

AT+COPS?                            //Search network available

AT Command useful reference with other modems

AT+CSTT               //specify APN
AT-CIPPING            //ping to server to check connectivity

Reference AT command for other modems

<- Back to Bluetooth Resources Page

Nordic Bluetooth Resources Page

For beginner learning Bluetooth using Nordic microcontroller chip. Please go to this page “Guide to Nordic Bluetooth BLE for Beginner

Possible source of formal training to Nordic nRF microcontroller programming.

Notes: Possible point of improving Bluetooth product.

  • Company Identity. Register for an unique company ID code, and implement into Bluetooth product. Display of Nordic ID 0x0059 as the company ID can be a security breach.

Nordic nRF9160 Certification

Certification resources referred by AVNET (Nordic Product Distributor)

Digital Locks Resources

Nice Article collection

Bluetooth (Technical Overview)

Bluetooth protocol operates at 2.4GHz, same as ZigBee and WiFi, working in the same unlicensed ISM frequency band.

Each network (Piconets) consist of a coordinating Master and many connecting Slaves.

Bluetooth Profile

Bluetooth profile is like the many various protocol of bluetooth communication. Some profile are for keyboards, some for storage, some for audio. Here are a list of commonly used profiles.

  • Serial Port Profile (SPP), or sometimes known as UART
  • Human Interface Device (HID)
  • Hands-Free Profile (HFP)
  • Headset Profile (HSP)
  • Advanced Audio Distribution Profile (A2DP)
  • A/V Remote Control Profile (AVRCP)
  • Generic Attribute Profile (GATT), custom profile communication using Attribute Protocol (ATT) between the master and slave.

GATT is typically used for proprietary project that uses custom communication through the use of exchanging attribute data (Attribute Protocol, ATT).

A temperature sensor device can be acting as a server providing a service to expose the temperature reading.

A mobile smart phone is this case is a client, sending commands, requests and accepts incoming notifications/indications from the server.

The ATT attributes is made up of 4 components.

  • Attribute Handle (the address of this attribute during the connection session)
    2 bytes address (0x0001-0xFFFF)
  • Attribute Type (UUID Universally Unique Identifier)
    2 or 16 bytes
  • Attribute Value
    Variable length data.
  • Attribute Permissions
Bluetooth Attribute Protocol

Bluetooth Versions

  • Bluetooth v1.2
  • Bluetooth v2.1 + EDR (enhanced data rate)
  • Bluetooth v3.0 + HS
  • Bluetooth v4.0 (BLE, Bluetooth Low Energy)


Reverse Engineering (Bluetooth)


<- Back to Bluetooth Resources Page