Hubbry Logo
List of Bluetooth protocolsList of Bluetooth protocolsMain
Open search
List of Bluetooth protocols
Community hub
List of Bluetooth protocols
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
List of Bluetooth protocols
List of Bluetooth protocols
List of Bluetooth protocols
View on Wikipedia
from Wikipedia

The wireless data exchange standard Bluetooth uses a variety of protocols. Core protocols are defined by the trade organization Bluetooth SIG. Additional protocols have been adopted from other standards bodies. This article gives an overview of the core protocols and those adopted protocols that are widely used.

The Bluetooth protocol stack is split in two parts: a "controller stack" containing the timing critical radio interface, and a "host stack" dealing with high level data. The controller stack is generally implemented in a low cost silicon device containing the Bluetooth radio and a microprocessor. The host stack is generally implemented as part of an operating system, or as an installable package on top of an operating system. For integrated devices such as Bluetooth headsets, the host stack and controller stack can be run on the same microprocessor to reduce mass production costs; this is known as a hostless system.

Controller stack

[edit]

Asynchronous connection-oriented logical transport (ACL)

[edit]

The normal type of radio link used for general data packets using a polling TDMA scheme to arbitrate access. It can carry packets of several types, which are distinguished by:

  • length (1, 3, or 5 time slots depending on required payload size)
  • Forward error correction (optionally reducing the data rate in favour of reliability)
  • modulation (Enhanced Data Rate packets allow up to triple data rate by using a different RF modulation for the payload)

A connection must be explicitly set up and accepted between two devices before packets can be transferred.

ACL packets are retransmitted automatically if unacknowledged, allowing for correction of a radio link that is subject to interference. For isochronous data, the number of retransmissions can be limited by a flush timeout; but without using L2PLAY retransmission and flow control mode or EL2CAP, a higher layer must handle the packet loss.

ACL links are disconnected if there is nothing received for the supervision timeout period; the default timeout is 20 seconds, but this may be modified by the master.

[edit]

The type of radio link used for voice data. A SCO link is a set of reserved time slots separated by the SCO interval Tsco which is determined during logical link establishment by the Central device. Each device transmits encoded voice data in the reserved timeslot. There are no retransmissions, but forward error correction can be optionally applied. SCO packets may be sent every 1, 2, or 3 time slots.

Enhanced SCO (eSCO) links allow greater flexibility in setting up links: they may use retransmissions to achieve reliability, allow for a wider variety of packet types and for greater intervals between packets than SCO, thus increasing radio availability for other links.

[edit]

Used for control of the radio link between two devices, mobile dmv, querying device abilities and power control. Implemented on the controller.

Host Controller Interface (HCI)

[edit]

Standardized communication between the host stack (e.g., a PC or mobile phone OS) and the controller (the Bluetooth integrated circuit (IC)). This standard allows the host stack or controller IC to be swapped with minimal adaptation.

There are several HCI transport layer standards, each using a different hardware interface to transfer the same command, event and data packets. The most commonly used are USB (in PCs) and UART (in mobile phones and PDAs).

In Bluetooth devices with simple functionality (e.g., headsets), the host stack and controller can be implemented on the same microprocessor. In this case the HCI is optional, although often implemented as an internal software interface.

[edit]

This is the LMP equivalent for Bluetooth Low Energy (LE), but is simpler. It is implemented on the controller and manages advertisement, scanning, connection and security from a low-level, close to the hardware point of view from Bluetooth perspective.

Host stack

[edit]
[edit]

L2CAP is used within the Bluetooth protocol stack. It passes packets to either the Host Controller Interface (HCI) or, on a hostless system, directly to the Link Manager/ACL link.

L2CAP's functions include:

  • Multiplexing data between different higher layer protocols.
  • Segmentation and reassembly of packets.
  • Providing one-way transmission management of multicast data to a group of other Bluetooth devices.
  • Quality of service (QoS) management for higher layer protocols.

L2CAP is used to communicate over the host ACL link. Its connection is established after the ACL link has been set up.

In basic mode, L2CAP provides packets with a payload configurable up to 64 kB, with 672 bytes as the default MTU, and 48 bytes as the minimum mandatory supported MTU. In retransmission and flow control modes, L2CAP can be configured for reliable or asynchronous data per channel by performing retransmissions and CRC checks. Reliability in either of these modes is optionally and/or additionally guaranteed by the lower layer Bluetooth BDR/EDR air interface by configuring the number of retransmissions and flush timeout (time after which the radio will flush packets). In-order sequencing is guaranteed by the lower layer.

The EL2CAP specification adds an additional enhanced retransmission mode (ERTM) to the core specification, which is an improved version of retransmission and flow control modes. ERTM is required when using an AMP (Alternate MAC/PHY), such as 802.11abgn.

Bluetooth network encapsulation protocol (BNEP)

[edit]

BNEP[1] is used for delivering network packets on top of L2CAP. This protocol is used by the personal area networking (PAN) profile. BNEP performs a similar function to Subnetwork Access Protocol (SNAP) in Wireless LAN.

In the protocol stack, BNEP is bound to L2CAP.

Radio frequency communication (RFCOMM)

[edit]

The Bluetooth protocol RFCOMM is a simple set of transport protocols, made on top of the L2CAP protocol, providing emulated RS-232 serial ports (up to sixty simultaneous connections to a Bluetooth device at a time). The protocol is based on the ETSI standard TS 07.10.

RFCOMM is sometimes called serial port emulation. The Bluetooth serial port profile (SPP) is based on this protocol.

RFCOMM provides a simple reliable data stream to the user, similar to TCP. It is used directly by many telephony related profiles as a carrier for AT commands, as well as being a transport layer for OBEX over Bluetooth.

Many Bluetooth applications use RFCOMM because of its widespread support and publicly available API on most operating systems. Additionally, applications that used a serial port to communicate can be quickly ported to use RFCOMM.

In the protocol stack, RFCOMM is bound to L2CAP.

Service discovery protocol (SDP)

[edit]

Used to allow devices to discover what services each other support, and what parameters to use to connect to them. For example, when connecting a mobile phone to a Bluetooth headset, SDP will be used to determine which Bluetooth profiles are supported by the headset (headset profile, hands free profile, advanced audio distribution profile, etc.) and the protocol multiplexer settings needed to connect to each of them. Each service is identified by a Universally Unique Identifier (UUID), with official services (Bluetooth profiles) assigned a short form UUID (16 bits rather than the full 128).

In the protocol stack, SDP is bound to L2CAP.

Telephony control protocol (TCS)

[edit]

Also referred to as telephony control protocol specification binary (TCS binary)

Used to set up and control speech and data calls between Bluetooth devices. The protocol is based on the ITU-T standard Q.931, with the provisions of Annex D applied, making only the minimum changes necessary for Bluetooth.

TCS is used by the intercom (ICP) and cordless telephony (CTP) profiles. The telephone control protocol specification is not called TCP, to avoid confusion with transmission control protocol (TCP) used for Internet communication.

Audio/video control transport protocol (AVCTP)

[edit]

Used by the remote control profile to transfer AV/C commands over an L2CAP channel. The music control buttons on a stereo headset use this protocol to control the music player.

In the protocol stack, AVCTP is bound to L2CAP.

Audio/video data transport protocol (AVDTP)

[edit]

Used by the advanced audio distribution profile to stream music to stereo headsets over an L2CAP channel. Intended to be used by video distribution profile.

In the protocol stack, AVDTP is bound to L2CAP.

Object exchange (OBEX)

[edit]
Main article: OBject EXchange

Object exchange (OBEX; also termed IrOBEX) is a communications protocol that facilitates the exchange of binary objects between devices. It is maintained by the Infrared Data Association but has also been adopted by the Bluetooth Special Interest Group and the SyncML wing of the Open Mobile Alliance (OMA).

In Bluetooth, OBEX is used for many profiles that require simple data exchange (e.g., object push, file transfer, basic imaging, basic printing, phonebook access, etc.).

Low Energy Attribute Protocol (ATT)

[edit]

Similar in scope to SDP but specially adapted and simplified for Low Energy Bluetooth. It allows a client to read and/or write certain attributes exposed by the server in a non-complex, low-power friendly manner.

In the protocol stack, ATT is bound to L2CAP.

Low Energy Security Manager Protocol (SMP)

[edit]

This is used by Bluetooth Low Energy implementations for pairing and transport specific key distribution.

In the protocol stack, SMP is bound to L2CAP.

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

List of Bluetooth protocols

View on Grokipedia
from Grokipedia
The list of Bluetooth protocols comprises the standardized set of communication protocols defined by the (Bluetooth SIG) to enable short-range wireless connectivity in the 2.4 GHz ISM band, supporting data exchange, voice, and audio streaming between interoperable devices with features like low power consumption, , and adaptive frequency hopping for interference mitigation. These protocols form a layered known as the , which has evolved through successive versions of the Core Specification, from the inaugural version 1.0 released in July 1999 to the latest version 6.2 issued in November 2025. At the foundation, the core system protocols include the (radio/PHY) for signal transmission, the protocol for Basic Rate/Enhanced Data Rate (BR/EDR) link operations, the Low Energy Link Layer (LL) for Low Energy (LE) operations, and the Link Manager Protocol (LMP) for BR/EDR link setup and control, and the and Adaptation Protocol (L2CAP) for multiplexing and data segmentation. Higher in the stack, protocols such as the Host Controller Interface (HCI) provide an optional boundary between the controller (physical/link layers) and host (upper layers), while the Service Discovery Protocol (SDP) enables device capability querying in BR/EDR, and for LE, the Attribute Protocol (ATT) and Security Manager Protocol (SMP) handle data access, service structuring, and pairing/encryption. Transport and application-specific protocols extend functionality, including RFCOMM for emulating serial ports, the A/V Distribution Transport Protocol (AVDTP) for audio/video data streaming, the Bluetooth Network Encapsulation Protocol (BNEP) for IP networking, and the Mesh Protocol for many-to-many device topologies introduced in 2017. Key milestones in protocol development include the introduction of (LE) in Core Specification version 4.0 (June 2010), which added LL, ATT, GATT, and SMP to support ultra-low-power applications like sensors and wearables, and recent version 6.2 enhancements such as shorter LE connection intervals (down to 375 µs) for improved responsiveness in human-interface devices and amplitude-based attack resilience for secure ranging.

Physical Layer

BR/EDR Physical Layer

The BR/EDR serves as the foundational component of the Bluetooth protocol stack, managing the transmission and reception of radio signals in the unlicensed 2.4 GHz Industrial, Scientific, and Medical () band through (FHSS) techniques. This layer ensures robust communication by rapidly switching frequencies to avoid interference, operating across 79 distinct RF channels, each 1 MHz wide, spanning 2400 MHz to 2483.5 MHz. The system employs a standard hop rate of 1600 hops per second, enabling pseudo-random frequency changes that enhance security and reliability in shared spectrum environments. For Basic Rate (BR) operations, the utilizes Gaussian (GFSK) modulation with a between 0.28 and 0.35, supporting a nominal data rate of 1 Mbps. Enhanced Data Rate (EDR) builds on this by incorporating schemes—specifically π/4-differential quadrature (π/4-DQPSK) for 2 Mbps and 8-differential (8-DPSK) for 3 Mbps—applied to the while retaining GFSK for and header portions. Bluetooth devices are categorized by power classes to balance range and power consumption: Class 1 devices transmit at up to 100 mW (20 dBm) for ranges of approximately 100 meters, Class 2 at 2.5 mW (4 dBm) for up to 10 meters, and Class 3 at 1 mW (0 dBm) for up to 1 meter. The was first specified in 1.0, released in July 1999 by the (SIG), establishing the core radio framework for short-range wireless connectivity. EDR enhancements arrived with 2.0 + EDR in November 2004, tripling the effective data throughput for applications like audio streaming without altering the fundamental hopping or channel structure. Subsequent updates in 5.0 (December 2016) introduced features like the Slot Availability Mask to coordinate time slots and reduce interference with co-located radios, while coded PHY extensions—primarily for LE—indirectly supported BR/EDR by improving overall utilization in dense deployments. In the context of 2025 advancements, Bluetooth 6.0 (adopted September 2024) introduces Frame Space Updates allowing negotiable Inter-Frame Spaces (50-1000 μs) and new Link Layer Control Procedures to improve coexistence with other 2.4 GHz technologies like for BR/EDR operations in crowded environments. Subsequent versions 6.1 (May 2025) and 6.2 (November 2025) introduce no major changes to the BR/EDR , with enhancements primarily targeting LE features. These updates ensure sustained performance for legacy BR/EDR devices in modern environments. The works in tandem with the protocol to encapsulate into RF-compatible packets for transmission.

LE Physical Layer

The Low Energy (LE) Physical Layer, part of the Bluetooth radio specifications, is designed for ultra-low power consumption in short-range wireless communication, enabling applications in battery-operated devices such as wearables and sensors. It operates in the 2.4 GHz Industrial, Scientific, and Medical (ISM) band, spanning from 2400 MHz to 2483.5 MHz, utilizing 40 radio frequency (RF) channels spaced 2 MHz apart, with center frequencies at 2402 MHz + k × 2 MHz where k ranges from 0 to 39. The modulation scheme employs Gaussian Frequency Shift Keying (GFSK), supporting the LE 1M PHY at a data rate of 1 Mbps with a modulation index of 0.45 to 0.55, and the LE 2M PHY at 2 Mbps with a narrower bandwidth-time product (BT=0.5) for improved spectral efficiency. Additionally, the LE Coded PHY, introduced for extended range, uses forward error correction with coding rates S=2 (500 kbps) or S=8 (125 kbps), allowing repetition of bits to enhance robustness over distance. To facilitate device discovery and connection establishment, the LE Physical Layer distinguishes between advertising and data channels: channels 37, 38, and 39 (centered at 2402 MHz, 2426 MHz, and 2480 MHz, respectively) are dedicated to , while the remaining 37 channels (0–36) handle data transmission with adaptive frequency hopping (AFH) to mitigate interference. This low-duty cycle operation minimizes energy use by transmitting short bursts, contrasting with continuous streaming in other modes. The LE Physical Layer relies on the Low Energy Link Layer for managing channel access and packet transmission timing. Introduced in the Bluetooth Core Specification version 4.0 in June 2010, the LE Physical Layer focused on power efficiency for intermittent data exchange. Key enhancements arrived in version 5.0 (December 2016), adding the LE 2M PHY for doubled throughput, the LE Coded PHY enabling ranges up to 500 meters in line-of-sight scenarios through increased error correction, and a stable to reduce sensitivity variations. Version 5.4 (February 2023) refined periodic advertising with sync support for better synchronization in networks, while version 6.0 (September 2024) integrated using a new LE 2M 2BT PHY (BT=2.0) for precise distance measurement via phase-based ranging, supporting up to 72 channels for enhanced accuracy in location services. Core Specification 6.2 (November 2025) added amplitude-based attack detection for to enhance security in ranging applications. Regarding power profiles, the transmitter supports output levels from -20 dBm to +20 dBm across defined power classes (e.g., Class 1 at 10–100 mW for longer range), while receiver sensitivity for the LE 1M PHY is typically around -95 dBm at a (BER) of 0.1%, enabling reliable links at low signal strengths.

Controller Layer

Baseband Protocol

The protocol in operates at the link controller layer, responsible for the that formats binary into structured packets for transmission over the . It handles the assembly of packets consisting of an access code for and identification, a header containing addressing and control information, and a carrying the actual . Additionally, it manages precise timing through slotted operations (e.g., 625 μs slots for BR/EDR), between devices using clock offsets, and error detection primarily via a 16-bit (CRC) appended to the in packets. This ensures reliable packet validation, with erroneous packets discarded to maintain link integrity. For Basic Rate/Enhanced Data Rate (BR/EDR) modes, the supports various packet types tailored to different use cases. DM packets provide at medium rates with (FEC) for improved reliability in noisy environments, such as DM1 (up to 17 bytes in one slot) or DM5 (up to 224 bytes in five slots). DH packets enable higher rates without FEC for efficiency, exemplified by DH1 (up to 27 bytes) or DH5 (up to 339 bytes). ID packets, lacking a header or , are short (68 bits) and used solely for device and discovery to initiate connections. In Low Energy (LE) mode, the baseband employs a unified packet format across advertising and data channels, emphasizing low power. Advertising (ADV) packets, such as ADV_IND for connectable undirected events, broadcast device presence on fixed channels (37, 38, 39) with up to 31 bytes of payload for service data. DATA packets on connected data channels support bidirectional transfers, with DATA channel PDUs consisting of a 2-octet header and a payload of 0 to 251 octets, and a separate 3-octet CRC appended for error detection. A core feature of the BR/EDR is (FHSS), which mitigates interference by rapidly switching across 79 one-MHz channels in the 2.4 GHz ISM band (1,600 hops per second). The pseudo-random hopping sequence is generated using the master's Device Address (BD_ADDR) lower address part () as the input parameter and the native clock (CLK) to determine the phase, ensuring unique patterns while allowing slaves to synchronize via frequency hop synchronization (FHS) packets. LE, by contrast, uses fixed frequencies for advertising but applies similar hopping (37 channels) for data connections. The baseband protocol was introduced in the initial Bluetooth Core Specification version 1.0 in 1999, establishing the foundational link control for wireless personal area networks. Subsequent evolutions, particularly in 5.0 (2016), enhanced LE capabilities with the LE Coded PHY, incorporating (FEC) using repetition coding (S=2 or S=8) to extend range up to fourfold while maintaining low power, at effective rates of 125 kbps or 500 kbps. These advancements build on the core packet handling without altering the fundamental BR/EDR structure.

Asynchronous Connection-Oriented (ACL) Transport

The Asynchronous Connection-Oriented (ACL) transport serves as the primary logical transport in Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) for packet-oriented, asymmetric data exchange in non-real-time applications, such as bulk transfers for or between devices. It enables reliable, bi-directional communication with variable packet sizes, supporting payloads up to 1021 bytes in enhanced configurations like 3-DH5 packets under Enhanced Data Rate (EDR) modes. Key features of the ACL transport include Automatic Repeat reQuest (ARQ) for error detection and retransmission of corrupted packets, ensuring without strict timing constraints, as well as flow control to prevent buffer overflows during transmission. It also utilizes multi-slot packets that occupy 1, 3, or 5 time slots (each 625 μs) to increase efficiency and throughput for larger data bursts. Bandwidth for ACL is allocated dynamically by the link controller's resource manager, prioritizing reservations for synchronous links like SCO/eSCO while adapting to varying traffic demands in the . The ACL transport was first defined in the 1.0 specification in 1999 as the default asynchronous link for communication, providing a foundation for data-centric operations beyond voice. Enhancements in 2.1 (2007) introduced Secure Simple Pairing, accelerating ACL channel establishment with improved security for data exchanges. Further refinements in 5.0 (2016) optimized BR/EDR throughput for ACL by enhancing EDR modulation schemes, enabling up to 3 Mbps effective rates in supported packets. In a , the ACL transport maps to one dedicated channel per slave-master device pair, multiplexed over the using a 3-bit Logical Transport Address (LT_ADDR) in packet headers for routing. By 2025, ACL remains essential for legacy audio peripherals and high-bandwidth BR/EDR applications, though its adoption has declined in favor of (LE) for power-efficient IoT connectivity. The Synchronous Connection-Oriented (SCO) link provides a symmetric, point-to-point transport in Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) for time-critical applications, such as real-time voice transmission at a fixed rate of 64 kbps using 1-slot packets. It operates without retransmissions to minimize latency, tolerating up to 8% , which is acceptable for audio where brief errors are less perceptible than delays. SCO reserves specific time slots on the , supporting up to three concurrent links per central device, and employs time-division duplexing (TDD) to enable full-duplex communication. The link utilizes dedicated voice-oriented packet types optimized for synchronous data: HV1 packets carry 10 bytes of payload with 1/3 (FEC) for robustness in noisy environments; HV2 packets transport 20 bytes using 2/3 FEC; and HV3 packets handle 30 bytes without FEC to maximize throughput at the cost of higher error susceptibility. A variant, DV packets, combines 80 bits of voice with 1-10 bytes of data, applying 2/3 FEC only to the data portion. These packets are routed directly to a synchronous I/O interface, ensuring predictable delivery for applications like cordless telephony. Introduced in the Bluetooth Core Specification version 1.0 in 1999, SCO was designed primarily for voice-centric use cases, including integration with headset and hands-free profiles that rely on its low-latency characteristics. It evolved significantly in version 1.2 (released November 2003) through the introduction of enhanced SCO (eSCO), which adds a retransmission window of up to 120 ms, support for 1-3 slot packets, and advanced FEC options to improve link reliability and audio quality without sacrificing synchrony. eSCO packets, such as (no FEC, up to 30 bytes) and EV4 (2/3 FEC, up to 120 bytes), enable higher effective rates up to 288 kbps while maintaining compatibility with legacy SCO setups. Since the introduction of Low Energy (LE) Audio in Bluetooth Core Specification version 5.2 (January 2020), which leverages isochronous channels and the Low Complexity Communication Codec (LC3), SCO and eSCO have been increasingly supplanted by these features for superior efficiency, lower power consumption, and broadcast capabilities in modern audio devices. This shift addresses SCO's limitations in multipoint scenarios and energy use, promoting LC3 over traditional CVSD encoding for profiles like hearing aids and wireless speakers. The Link Management Protocol (LMP) is a protocol in the Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) controller layer, responsible for controlling and negotiating all aspects of the physical link between two connected devices, including setup, supervision, and teardown. It enables devices to establish reliable connections by managing link parameters and ensuring compatibility through feature exchange, operating independently of higher-layer protocols while interfacing with the host via the Host Controller Interface (HCI). Introduced in the initial Bluetooth Core Specification version 1.0 in 1999, LMP has evolved to support advanced BR/EDR features, with significant updates in subsequent versions to enhance reliability and security. LMP performs essential functions for link management, including supervision to detect and respond to connection losses by monitoring packet acknowledgments and timeouts, role switching to dynamically alter master-slave roles for optimized topology, power control to adapt transmission power levels and reduce interference, clock offset adjustment to align native clocks between devices for better synchronization, and feature negotiation to identify mutual capabilities such as Enhanced Data Rate (EDR) support for higher throughput. For instance, during connection setup, LMP exchanges feature sets via dedicated PDUs, allowing devices to agree on EDR usage if both support it, thereby enabling data rates up to 3 Mbps. These functions ensure efficient link operation in varying radio environments, prioritizing link stability over exhaustive parameter tuning. Security in LMP encompasses , , and procedures tailored to BR/EDR links. Authentication employs a challenge-response mechanism, where the challenging device sends a 128-bit , and the responding device computes a response using the E1 on a shared link key, verifying identity without revealing the key. keys, also 128-bit, are generated from the link key and a via the E0 , securing data on the air interface. modes include legacy pairing from early specifications, secure simple pairing (SSP) introduced in Bluetooth 2.1 for , and secure numeric comparison in SSP for user-verified short authentication codes, reducing vulnerability to passive . LMP communicates via Protocol Data Units (PDUs), compact messages carried over the Access Code and packet headers, including types for inquiry response to share device address and clock information during discovery, detach to gracefully release links with an , and supervision timeout to configure monitoring intervals for error detection. These PDUs support concise, event-driven exchanges, with opcodes defining actions like "LMP_inq_rsp" for responses or "LMP_detach" for termination. In Core Specification 5.0 (2016), LMP incorporated enhancements compatible with BR/EDR, such as support for resolvable private addresses to obscure device identities during inquiries, building on LE privacy mechanisms.

Host Controller Interface (HCI)

The Host Controller Interface (HCI) serves as a standardized protocol for communication between the host subsystem—typically handling higher-layer protocols—and the controller subsystem, which manages the radio and functions. It abstracts the controller's hardware specifics, providing a uniform set of commands, events, and data exchanges that enable the host to configure, control, and monitor operations. This design facilitates across diverse implementations and supports split-stack architectures, where the controller is often realized in dedicated hardware like a chip, while the host runs in software on a processor. HCI commands are organized into four main groups based on their fields. Link control commands manage connections, such as HCI_Create_Connection for initiating a link and HCI_Disconnect for terminating one. Link policy commands handle connection parameters, including HCI_Hold_Mode for suspending transfer and HCI_Sniff_Mode for low-power periodic listening. Controller and commands configure hardware settings, exemplified by HCI_Reset to reinitialize the controller and HCI_Set_Event_Mask to filter incoming events. Informational commands retrieve device details, like HCI_Read_Local_Version_Information to query the version and supported features. These categories ensure comprehensive control over functionality from the host side. Data flows through HCI via distinct packet types directed between host and controller. The host sends commands to issue instructions, while the controller responds with events, such as HCI_Command_Complete_Event to confirm command execution or HCI_Hardware_Error_Event to report failures. Asynchronous connection-less (ACL) data packets carry general user data bidirectionally, and synchronous connection-oriented (SCO) data packets support real-time audio like voice calls. Flow control relies on a credit-based system, where the controller uses the HCI_Host_Number_Of_Completed_Packets event to signal available buffer space, preventing overflows. Transport layers include UART for serial connections, USB for high-speed plugging, and SDIO for embedded card interfaces, each with defined packet framing and error handling. Introduced in the Bluetooth Core Specification version 1.0 in 1999, HCI has evolved to accommodate new capabilities. 5.0 in 2016 expanded LE support with additional commands and events for extended range, higher data rates, and advertising enhancements. Introduced in Core Specification version 5.2 (2020), isochronous (ISO) data packets and events like HCI_LE_CIS_Established enable coordinated audio streaming. The 6.0 specification (September 2024) adds vendor-specific extensions via opcode group 0x3F for channel sounding APIs, enabling secure, centimeter-level distance measurements between devices. The Low Energy Link Layer (LE LL) is a core component of the (LE) protocol stack, responsible for managing the physical radio channel, device states, and low-power communication procedures to enable efficient, short-range wireless connections. Introduced in the Bluetooth Core Specification version 4.0, adopted on June 30, 2010, it defines the foundational mechanisms for LE operation, distinguishing it from classic by prioritizing ultra-low power consumption for battery-operated devices such as sensors and wearables. The LE LL operates on the 2.4 GHz band using 40 channels (37 data channels and 3 advertising channels), employing (GFSK) modulation at 1 Mbps, with later enhancements for extended range and data rates. It supports roles—now termed central and peripheral—where the central device controls connection timing, and the peripheral responds, facilitating one-to-many topologies in IoT applications. The LE LL defines five primary states: (broadcasting packets to announce presence), scanning (listening for advertisements), initiating (responding to advertisements to start connections), connection (maintaining bidirectional exchange), and standby (idle with minimal power use). These states support undirected (non-connectable broadcasts), directed (targeted to specific devices), and periodic (scheduled broadcasts for ). Connection establishment occurs through procedures where an initiator sends a CONNECT_IND or AUX_CONNECT_REQ packet during scanning, negotiating parameters such as connection interval (7.5 ms to 4 s in 1.25 ms steps), peripheral latency (up to 499 events skipped for power savings), and supervision timeout (100 ms to 32 s in 10 ms steps). channel selection uses a 37-channel hop map derived from the access address and connection event counter, pseudo-randomly avoiding interference while maintaining through hopping. Briefly, the LE LL integrates with the Security Manager Protocol (SMP) for link-layer key exchange during connection setup. LE LL packets consist of a (1 octet for LE 1M PHY or 2 octets for LE 2M/ Coded PHY), a 4-octet access address (fixed for or random for connections), a (PDU) of 2–255 octets ( or data types), and a 3-octet CRC for error detection. The LE Coded PHY, introduced in Bluetooth 5.0 (adopted December 6, 2016), uses (S=2 or S=8 coding) to extend range up to 400 m in line-of-sight while reducing data rate to 125 or 500 kbps, ideal for robust IoT links. Key updates in Bluetooth 5.0 include extended sets (up to 255 bytes per PDU across primary and secondary channels) and periodic enhancements for better synchronization. Bluetooth 5.4 (adopted February 7, 2023) added Periodic Advertising with Responses (PAwR), enabling bidirectional communication from a central device to multiple low-power peripherals, such as electronic shelf labels, with encrypted credentials for security. Bluetooth 6.0 (adopted September 3, 2024) introduces decision-based filtering, allowing scanners to process primary packets and decide on secondary channel access, and advertiser monitoring via HCI events to detect in/out-of-range devices, reducing unnecessary scanning duty cycles. Power-saving is inherent to LE LL design, achieved through sleep modes in standby and peripheral states (with clock accuracies of ±500 ppm for sleep and ±50 ppm active), reduced duty cycles in and scanning (e.g., intervals up to 10.24 s), and negotiable connection parameters that minimize . In 2025 IoT deployments, 6.0's monitoring enhancements enable scalable mesh networks by optimizing connection maintenance, supporting thousands of devices with lower latency and energy use for applications like and smart homes. Core Specification 6.2 (November 2025) further enhances LE LL with shorter connection intervals down to 375 µs for better responsiveness in human-interface devices and improved security against amplitude-based attacks in for precise ranging.

Host Layer

The Logical Link Control and Adaptation Protocol (L2CAP) serves as a and adaptation layer in the host stack, bridging the controller and higher-layer protocols for both Basic Rate/Enhanced Data Rate (BR/EDR) and Low Energy (LE) transports. It enables efficient data exchange by supporting protocol via unique Channel Identifiers (CIDs), which allow multiple logical channels to share a single physical link. L2CAP performs segmentation and reassembly of upper-layer service data units (SDUs) up to 65,535 bytes into smaller protocol data units (PDUs) suitable for the underlying transport, while providing per-channel flow control and retransmission to ensure (QoS). L2CAP operates in distinct modes to balance reliability, latency, and throughput. The Basic mode delivers simple, connectionless or connection-oriented transfer without retransmissions, ideal for low-overhead scenarios. Retransmission mode adds reliability through acknowledgments, sequence numbering, and a supervision timer to monitor channel timeouts and enforce QoS parameters like flush timeouts. From Bluetooth version 2.1 onward, Enhanced Retransmission Mode (ERTM) introduces advanced features such as selective retransmission, improved flow control via transmit/receive sizes, and error recovery, while Streaming Mode supports unreliable, ordered delivery for time-sensitive applications without acknowledgments. For LE, credit-based flow control mode (introduced in version ) uses sender/receiver credits to regulate data flow dynamically, preventing buffer overflows in connection-oriented channels. Introduced in the inaugural Bluetooth Core Specification 1.0 (1999) for BR/EDR, L2CAP was extended in version 4.0 (2010) to support LE with simplified signaling and fixed channels, including CID 0x0004 for the Attribute Protocol (ATT) and CID 0x0006 for the Security Manager Protocol (SMP), alongside dynamic channel allocation for custom services. It facilitates co-location of BR/EDR and LE protocols on the same device, sharing the radio but using separate logical links. Key evolutions include larger MTU support in version 4.2 (2014), enabling SDUs up to thousands of bytes for improved efficiency, and credit-based flow control in version 5.0 (2016) for scalable LE data channels. L2CAP inherently supports both connection-oriented channels (requiring setup via signaling commands like Connect Request) for reliable, bidirectional communication and connectionless channels (using fixed CID 0x0002) for one-way or broadcast data without dedicated setup. In version 6.0 (2024), L2CAP gains extensions for isochronous channels in LE Audio, including Isochronous Adaptation Layer (ISOAL) enhancements like unsegmented framed PDUs to minimize latency and in time-synchronized audio streams.

Service Discovery Protocol (SDP)

The Service Discovery Protocol (SDP) is a core component of the Bluetooth host layer that enables client devices to query and discover available services on remote Bluetooth devices, along with their characteristics such as supported protocols and profiles, facilitating dynamic connections in ad-hoc networks. Introduced in the Bluetooth Core Specification version 1.0 in 1999, SDP operates primarily over Basic Rate/Enhanced Data Rate (BR/EDR) transports and uses a client-server model where the querying device acts as the SDP client and the target device hosts the SDP server. It relies on the Logical Link Control and Adaptation Protocol (L2CAP) for channel allocation and transport, typically using L2CAP channel identifier 0x0003 for SDP connections. In the SDP database model, services are represented as service records identified by 128-bit Universally Unique Identifiers (UUIDs), which may use 16-bit or 32-bit short forms for efficiency, with each record containing a collection of attributes that describe the service's capabilities. Key attributes include the Protocol Descriptor List, which specifies the required to access the service (e.g., L2CAP followed by RFCOMM), and the Bluetooth Profile Descriptor List, which identifies supported profiles such as the Advanced Audio Distribution Profile (A2DP) for discovering audio streaming capabilities. This structure supports a hierarchical organization, allowing services to be grouped under classes for broader discovery, and enables through the Public Browse Group using the predefined UUID 0x1002 for root-level of all available services. SDP procedures encompass service search, service attribute search, and full database retrieval to efficiently query remote databases without overwhelming the link. In a service search, the client sends a ServiceSearchRequest PDU specifying up to 12 UUIDs or service classes to retrieve matching handles; service attribute search uses ServiceAttributeRequest or ServiceSearchAttributeRequest PDUs to fetch specific attributes by ID (e.g., 0x0001 for ServiceClassIDList) or ranges for complete records. Full database retrieval iterates over attribute IDs from 0x0000 to 0xFFFF, while responses include continuation states for large datasets to handle transaction limits. Caching mechanisms, via attributes like ServiceRecordState and ServiceDatabaseState, allow clients to store and validate query results, reducing redundant requests and supporting offline operation until state changes are detected. While SDP remains essential for BR/EDR profile adoption—such as verifying A2DP support before establishing an audio sink connection—its role has diminished in (LE) scenarios introduced in version 4.0, where the Attribute Protocol (ATT) and Generic Attribute Profile (GATT) provide lighter-weight discovery for LE attributes. Minor updates in Bluetooth 4.0 ensured SDP compatibility with dual-mode devices by mapping LE services indirectly, but SDP continues as the primary discovery method for BR/EDR.

Bluetooth Network Encapsulation Protocol (BNEP)

The Bluetooth Network Encapsulation Protocol (BNEP) is a host-layer protocol designed to transport common networking protocols, such as IEEE 802.3/Ethernet, over Bluetooth connections by encapsulating Ethernet II and 802.3 frames into Logical Link Control and Adaptation Protocol (L2CAP) packets. This encapsulation enables the emulation of Ethernet networking within Bluetooth personal area networks (PANs), supporting both unicast and multicast traffic to facilitate data exchange among devices. Introduced in the Bluetooth Core Specification version 1.1, BNEP plays a key role in PAN profiles by allowing devices to form ad hoc networks for sharing resources, such as internet access in tethering applications. BNEP operates on a session-based model, with services identified by 16-bit UUIDs such as 0x1115 for the PAN User (PANU) role, 0x1116 for , and 0x1117 for Group ad-hoc Network (GN), and relies on control packets to manage connections and traffic flow. These control packets handle setup and completion of sessions, as well as the application of filters, including multi-address filters for selective destination addressing and protocol filters to permit or block specific network protocols. The protocol supports distinct roles within PANs, such as the for providing gateway access to external networks and the Group ad-hoc Network (GN) role for peer-to-peer routing among devices. Discovery of BNEP-capable services occurs via the Service Discovery Protocol (SDP). BNEP packets feature a compact format consisting of a 2-byte length field, a 1-byte type field (distinguishing control from data packets), and the encapsulated Ethernet payload, limited to a maximum of 1500 bytes to align with standard sizes. This structure ensures efficient transmission over L2CAP channels while maintaining compatibility with Ethernet-based applications. Primarily utilized in the PAN profile, BNEP enables scenarios like device-to-device networking and mobile hotspot functionality, where serves as a wireless bridge for IP traffic.

Radio Frequency Communication (RFCOMM)

The Radio Frequency Communication (RFCOMM) protocol emulates traditional serial ports over connections, enabling legacy applications to communicate wirelessly without hardware modifications. Based on the ETSI TS 07.10 standard with -specific extensions, RFCOMM operates as a above the Logical Link Control and Adaptation Protocol (L2CAP), providing framing, , and error recovery for asynchronous data streams. It supports up to 60 multiplexed virtual serial channels per device pair, allowing multiple concurrent connections while maintaining the appearance of independent serial ports to upper-layer applications. RFCOMM incorporates modem control signals such as Request to Send (RTS), Clear to Send (CTS), and (DTR), along with line status events to replicate behavior. Flow control is managed through a mandatory credit-based mechanism, where devices exchange credits to regulate data transmission and prevent buffer overflows on a per-channel basis. The protocol defines specific frame types for connection management and data transfer, including Set Asynchronous Balanced Mode (SABM) for establishing links, Unnumbered Acknowledgment (UA) for confirming connections, Disconnected Mode (DM) for rejection or termination, and Unnumbered Information with Header (UIH) for user data payloads. These frames ensure reliable, ordered delivery akin to a replacement. RFCOMM stacks directly over L2CAP using the fixed Protocol/Service Multiplexer (PSM) value of 0x0003 to identify its traffic, with dynamic Channel Identifiers (CIDs) assigned for each session. It supports optional 9-bit data mode for applications requiring additional addressing or parity bits, and port negotiation occurs through the Service Discovery Protocol (SDP) to match serial port parameters between devices. Introduced in the 1.0 specification, RFCOMM emulates (UART) functionality at speeds up to 115.2 kbps, making it suitable for point-to-point serial applications like Object Exchange (OBEX) over and wireless printing. Services using RFCOMM are registered via SDP for discovery. As of 2025, RFCOMM's adoption has declined in favor of USB interfaces and (LE) alternatives for new low-power and high-speed designs, though it remains prevalent in industrial and legacy systems requiring serial compatibility.

Control Protocol (TCS)

The Control Protocol (TCS), also known as TCS Binary, is a bit-oriented protocol designed for cordless signaling and control within the ecosystem. It enables the establishment and management of speech and data calls between Bluetooth-enabled devices, such as mobile phones and headsets, by providing connection-oriented signaling over the and Adaptation Protocol (L2CAP). Introduced in the initial 1.0 specification in 1999, TCS draws from established telecommunications standards, including the ETSI TS 07.10 multiplexer protocol for serial emulation and the Recommendation Q.931 for call signaling procedures, adapting these for wireless personal area networks. TCS supports essential telephony functions, including call control for setup, alerting, connection, and clearing of calls through dedicated messages like SETUP, ALERTING, and CONNECT. It also facilitates group management within Wireless User Groups (WUGs), allowing devices to create, add, or remove members, distribute configurations, and manage access rights for multi-device scenarios. Mobility features, such as handoff procedures, enable seamless call transfers between devices, leveraging the WUG structure and master roles to maintain continuity during movement. Additionally, TCS handles supplementary services like Dual Tone Multi-Frequency (DTMF) signaling via START/STOP DTMF messages and caller identification through parameters such as the Calling Party Number in setup messages. Audio transport for these calls occurs over Synchronous Connection-Oriented (SCO) links. The protocol's packet structure is binary-encoded and transported over L2CAP channels using Protocol/Service Multiplexer (PSM) value 0x0005, with messages categorized as invoke, result, or types, each carrying parameters like phone numbers (e.g., Called Number). Devices assume specific roles: the gateway, typically a that initiates calls and manages external network connections as the WUG master; and the terminal, such as a headset that receives calls and operates as a WUG member or slave. The associated Cordless Telephony Profile uses UUID 0x02 to identify services in . TCS was primarily utilized in early profiles for and hands-free applications but has been largely superseded by modern alternatives like (VoIP) integrations and Low Energy (LE) Audio features in Bluetooth 5.2 and later, with no specification updates after Bluetooth 3.0 in 2010.

Audio/Video Control Transport Protocol (AVCTP)

The Audio/Video Control Transport Protocol (AVCTP) provides a reliable transport mechanism for exchanging Audio/Video Control (AV/C) commands and responses between Bluetooth devices, enabling remote control of multimedia functions such as play, pause, and volume adjustment. It operates exclusively over connection-oriented channels of the Logical Link Control and Adaptation Protocol (L2CAP), utilizing Protocol/Service Multiplexer (PSM) value 0x0017 for signaling. AVCTP supports fragmentation and reassembly of messages to handle payloads larger than the L2CAP MTU, ensuring ordered delivery without retransmission at the protocol level. The protocol is foundational for profiles like the Audio/Video Remote Control Profile (AVRCP), which uses AVCTP to implement HID-like pass-through commands for intuitive AV device interaction, such as button presses on a remote or headset. AVCTP operates in two primary modes: non-browsing and . The non-browsing mode facilitates basic unit commands (e.g., power on/off, play status) and vendor-specific extensions as specified in AVRCP 1.0, allowing simple control transactions without media navigation. In contrast, the mode, added in AVRCP 1.3, enables advanced features like UID-based metadata queries for searching and retrieving track information, details, and across media databases. These UID () operations support efficient querying of large media libraries by referencing item UIDs rather than sequential scanning, improving responsiveness in connected scenarios. Vendor-specific commands in both modes permit proprietary extensions, such as custom equalizer settings, while maintaining through standardized AV/C framing. The AVCTP packet structure begins with a 3-octet header comprising a 4-bit transaction label for matching commands to responses, a 2-bit packet type (single packet, start of fragment, continue, or end), a 1-bit command/response (C/R) indicator, and a 16-bit Profile Identifier (PID) to specify the control profile in use (e.g., 0x110E for AVRCP). Following the header is the message body, which carries AV/C unit info or vendor data, with optional fragmentation headers for multi-packet transfers. Services using AVCTP are discovered via the Service Discovery Protocol (SDP) with the associated UUID, such as 0x110E for AVRCP remotes. Introduced in the Bluetooth Core Specification version 1.2, AVCTP received significant updates in the AVRCP 1.6 profile revision (published June ), which enhanced absolute volume control by allowing the source device to set precise volume levels on the sink independently of relative adjustments. Further evolution in Bluetooth Core Specification 6.0 (adopted September 2024) integrates AVCTP for companion control in LE Audio ecosystems, supporting low-latency command signaling alongside isochronous streams. By 2025, this integration has enabled sub-20ms control latency in wireless earbuds for synchronized AV interactions, as demonstrated in recent LE Audio implementations.

Audio/Video Data Transport Protocol (AVDTP)

The Audio/Video Data Transport Protocol (AVDTP) is a host-layer protocol designed for streaming synchronized audio and video data over Basic Rate/Enhanced Data Rate (BR/EDR) connections. Introduced in the Core Specification version 1.2 in November 2003, AVDTP provides mechanisms for multiple streams, ensuring (QoS), and managing stream lifecycle to support multimedia applications like wireless headphones and speakers. It operates atop the and Adaptation Protocol (L2CAP) using the Protocol Service Multiplexer (PSM) value 0x0019 for signaling, enabling reliable data transport over asynchronous connection-oriented (ACL) links. AVDTP serves as the foundational for profiles such as the Advanced Audio Distribution Profile (A2DP), facilitating high-quality audio distribution between source and sink devices. Stream establishment in AVDTP relies on a dedicated signaling entity that handles discovery, configuration, and control of media streams. During setup, devices negotiate parameters including types, content protection (e.g., for ), and options to match capabilities and requirements. This involves exchanging capabilities via Service Discovery Protocol (SDP) records and issuing commands like SET_CONFIGURATION to agree on stream endpoints. Once configured, streams are explicitly opened for active transmission or closed to release resources, with all signaling occurring over a single L2CAP channel per endpoint to minimize overhead. These procedures ensure seamless integration with control protocols like AVCTP for managing playback states. AVDTP's transport entity supports flexible modes for data delivery, including single-channel streaming for simple audio feeds and multi-channel configurations for complex scenarios like stereo or . To maintain , the protocol defines flushing points—specific timestamps or sequence points in the —that allow receivers to align audio and video timing, preventing desynchronization issues in playback. Data packets are segmented and reassembled via L2CAP, with optional retransmission for reliability. Initially, AVDTP required mandatory support for the (SBC) codec to ensure interoperability for compressed audio at bitrates up to 345 kbps. The protocol was extended in version 1.3, adopted by the SIG in 2012, to accommodate vendor-specific codecs, enabling higher-fidelity options like or proprietary formats while retaining SBC as the baseline. This evolution broadened AVDTP's applicability in consumer audio devices. For A2DP, the associated service class UUID is 0x110B, used during SDP discovery to identify compatible sinks. Although AVDTP continues to underpin BR/EDR audio streaming, the Bluetooth Core Specification version 5.2 introduced LE Isochronous Channels in 2019, paving the way for the LE Audio standard that replaces AVDTP-based transport for new low-energy audio implementations, effectively deprecating it for such use cases by 2025.

(OBEX)

(OBEX) is a compact, binary session protocol designed for exchanging objects such as files, vCards, and images between devices over short-range wireless links. Originally developed by the Infrared Data Association (IrDA) in 1996 for infrared communications, it was adopted by the and introduced in the Bluetooth Core Specification version 1.0 in 1999 to enable efficient data transfers in -enabled devices. The protocol operates on a simple client-server request-response model, where the client initiates operations and the server responds accordingly, supporting reliable transfers through mechanisms like acknowledgments and aborts. Core operations include Connect to establish a session and negotiate parameters, Disconnect to terminate the session, Put to push an object to the server (equivalent to ), Get to pull an object from the server (equivalent to ), and SetPath to navigate directories by setting the current path. It also supports Abort to cancel ongoing multi-packet operations and, in advanced modes, Action operations for tasks like copying or moving objects. Multipart objects are handled by allowing data to be sent in chunks using Body and End-of-Body headers, facilitating the transfer of large files without buffering the entire object in memory. OBEX uses a header-based format where each packet includes operation codes, response codes, and optional headers encoded as 1-byte identifiers followed by variable-length values, such as the Authentication Challenge header for MD5-based and the Body Length header to specify object size. These headers enable features like , description, and type identification for transferred objects. In Bluetooth implementations, OBEX typically runs over the RFCOMM transport for serial-like emulation or L2CAP for direct data channel access, providing a lightweight layer atop the host stack. Key profiles leveraging include the Object Push Profile (OPP) for simple one-way pushes like vCard sharing, the File Transfer Profile (FTP) for bidirectional file access and management, and the Basic Imaging Profile (BIP) for image exchanges. Services using are identified via 128-bit UUIDs in the Target and Who headers, with the WAN UUID header (ID 0x10) used to uniquely identify network clients in certain sessions. Version 1.5 of the specification, released in 2009, introduced session capabilities exchange through operations like CreateSession, SuspendSession, and ResumeSession, along with Single Response Mode for handling multiple outstanding requests efficiently. As of 2025, remains in persistent use for applications like contact sharing via OPP in mobile and wearable devices, with adaptations in environments leveraging the Attribute Protocol (ATT) for structured object access in profiles such as , particularly since Bluetooth 5.1 enhancements improved LE efficiency.

Attribute Protocol (ATT)

The Attribute Protocol (ATT) is a within the (LE) specification that enables a server device to expose a structured set of attributes and their values to a client device for discovery, reading, and writing. Introduced in Core Specification version 4.0, ATT operates as a simple, stateless client-server protocol layered over the and Adaptation Protocol (L2CAP), facilitating efficient data exchange in resource-constrained environments. In the client-server model, the server maintains a database of attributes, each uniquely identified by a 16-bit handle ranging from 0x0001 to 0xFFFF, with 0x0000 . Each attribute consists of a type defined by a (UUID), either 16-bit for Bluetooth SIG-adopted types or 128-bit for custom ones; a value represented as an octet string up to 512 octets; and permissions enforced by higher-layer protocols, including readability, writability, requirements, , and . The client initiates operations to interact with these attributes, while the server responds accordingly, ensuring controlled access based on the attribute's permissions. ATT supports a range of operations for attribute manipulation, including:
  • Read operations: ATT_READ_REQ for a single attribute by , and ATT_READ_BLOB_REQ for subsequent portions of long attributes exceeding the MTU.
  • Write operations: ATT_WRITE_REQ for reliable writes with response, ATT_WRITE_CMD for unreliable writes without response, and prepared write sequences (ATT_PREPARE_WRITE_REQ and ATT_EXECUTE_WRITE_REQ) for atomic multi-attribute updates.
  • Notification and indication: ATT_HANDLE_VALUE_NTF for unconfirmed server-initiated pushes of value changes, and ATT_HANDLE_VALUE_IND for confirmed indications requiring client acknowledgment.
These operations are transported over a fixed L2CAP channel with Connection Identifier (CID) 4 in LE mode, established after an ACL connection. ATT also includes ATT_SIGNED_WRITE_CMD for write operations that provide data origin without link , using a based on the client's identity key. handling occurs via ATT_ERROR_RSP Protocol Data Units (PDUs), which include specific response codes such as 0x01 (Invalid Handle), 0x05 (Insufficient ), and 0x08 (Insufficient ) to indicate failures like permission violations. Additionally, MTU via ATT_EXCHANGE_MTU_REQ and ATT_EXCHANGE_MTU_RSP allows dynamic adjustment of the maximum PDU size, defaulting to 23 octets but negotiable up to 251 octets since 4.2 enhancements for longer attribute handling. Bluetooth Core Specification version 5.1 introduced Enhanced ATT Throughput (EATT), which extends the protocol to support multiple parallel outstanding requests over Enhanced ATT bearers using L2CAP's Enhanced Credit Based Flow Control Mode, improving efficiency for applications requiring concurrent transactions. ATT serves as the foundational transport mechanism for the Generic Attribute Profile (GATT), which organizes attributes into services and characteristics for higher-level LE profiles. Security for ATT operations, such as and , is managed by the Security Manager Protocol (SMP).

Security Manager Protocol (SMP)

The Security Manager Protocol (SMP) is a key component of the (LE) host layer, responsible for facilitating pairing, bonding, and the distribution of security keys between devices to establish secure communications. Introduced in the Bluetooth Core Specification version 4.0 in 2010, SMP operates over a dedicated and Adaptation Protocol (L2CAP) channel with a fixed Channel Identifier (CID) of 6, enabling lightweight security procedures tailored for low-power devices. It provides cryptographic tools and algorithms to generate temporary and long-term keys, ensuring , , and while supporting man-in-the-middle (MITM) protection through various association models. SMP enables attribute protection via the Attribute Protocol (ATT) by supplying the necessary keys for encrypted and signed data exchanges. SMP supports multiple pairing methods to accommodate different device input/output (I/O) capabilities, including Just Works (no user interaction, suitable for devices without displays or keyboards), Passkey Entry (user enters a 6-digit numeric code on one device to verify on another), Numeric Comparison (devices display a 6-digit number for user confirmation of match), and (OOB) mechanisms using alternative channels like NFC for . These methods are part of the legacy pairing from Bluetooth 4.0, but version 4.2 (2014) introduced association models under LE Secure Connections, which enhance by incorporating Diffie-Hellman (ECDH) key agreement using the NIST P-256 curve to derive a Long Term Key (LTK) resistant to . MITM protection is enforced by requiring during pairing, with higher levels mandating user confirmation or OOB data to prevent unauthorized interception. Key generation in SMP involves several types: the Temporary Key (), a 128-bit value derived from the selected pairing method (e.g., zero-filled for Just Works or user-entered for Passkey); the Short Term Key (STK), generated from the via AES-128 for temporary session use in legacy ; the LTK, a 128-bit key for long-term and re-bonding; and the Connection Signature Resolving Key (CSRK), used for authenticating signed data packets. In LE Secure Connections, ECDH replaces legacy key derivation with a more robust process: each device generates a public-private key pair, exchanges public keys, computes a , and derives the LTK using AES-CMAC for and enhanced MITM resistance. SMP handles re-bonding by reusing stored LTKs from prior bonding, allowing devices to skip full while verifying security levels and distributing updated keys if needed. SMP procedures begin with a Request from the initiator, specifying I/O capabilities, requirements (e.g., flag, MITM flag), and maximum key size, followed by a Pairing Response from the responder to confirm parameters. If is required post-connection, a Security Request can trigger pairing or using existing keys. follows pairing, where keys like LTK, Identity Resolving Key (IRK), and CSRK are exchanged in encrypted packets using the STK or LTK. Major updates include Bluetooth 5.0 (2016), which added features such as IRK for resolving private addresses and Resolvable Private Addresses (RPAs) to prevent tracking by randomizing device identities during and scanning. Bluetooth 5.3 (2021) introduced key size control enhancements, allowing the host to enforce minimum key lengths for better in , alongside support for key encapsulation in isochronous channels for LE Audio.

References

  1. https://www.bluetooth.com/specifications/specs/
  2. https://www.bluetooth.com/blog/just-released-bluetooth-core-6-2/
  3. https://www.bluetooth.com/wp-content/uploads/2022/05/the-bluetooth-le-primer-v1.2.0.pdf
  4. https://www.bluetooth.com/specifications/specs/mesh-protocol-1-1-1/
  5. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/br-edr-controller/radio-specification.html
  6. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/architecture%2C-mixing%2C-and-conventions/architecture.html
  7. https://www.mathworks.com/help/bluetooth/gs/comparison-of-bluetooth-bredr-and-bluetooth-le.html
  8. https://www.intel.com/pressroom/archive/releases/1999/Mp072699.htm
  9. https://www.phonearena.com/news/Bluetooth-2.0-announced_id406
  10. https://www.bluetooth.com/wp-content/uploads/2019/03/Bluetooth_5-FINAL.pdf
  11. https://www.ezurio.com/resources/blog/bluetooth-6-what-s-new-in-the-latest-bluetooth-release
  12. https://www.mathworks.com/help/bluetooth/ug/bluetooth-protocol-stack.html
  13. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-60/out/en/low-energy-controller/physical-layer-specification.html
  14. https://www.silabs.com/documents/public/user-guides/ug103-14-fundamentals-ble.pdf
  15. https://www.mathworks.com/help/bluetooth/ug/bluetooth-packet-structure.html
  16. https://novelbits.io/bluetooth-low-energy-ble-complete-guide
  17. https://www.analog.com/en/resources/technical-articles/understanding-architecture-bluetooth-low-energy-stack.html
  18. https://www.mokosmart.com/guide-on-different-bluetooth-versions/
  19. https://www.silabs.com/blog/the-new-and-improved-bluetooth-6-0
  20. https://www.bluetooth.com/specifications/specs/core-specification-6-0/
  21. https://www.allaboutcircuits.com/technical-articles/dive-into-the-bluetooth-low-energy-physical-layer-the-basics-of-ble-phy-radio/
  22. https://argenox.com/library/bluetooth-low-energy/maximizing-bluetooth-low-energy-ble-range
  23. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/br-edr-controller/baseband-specification.html
  24. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/low-energy-controller/link-layer-specification.html
  25. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/consolidated-table-of-contents---compliance-requirements/version-history-and-acknowledgments.html
  26. https://engweb.eng.wayne.edu/ad/ad57/ad5781/public_html/BluetoothWeb/BTooth_Spec1.0B_Vol1.pdf
  27. https://novelbits.io/bluetooth-low-energy-vs-bluetooth-classic-br-edr/
  28. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/br-edr-controller/baseband-specification.html#UUID-524b54f4-e721-5760-6682-5510aef2ccf2
  29. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/br-edr-controller/baseband-specification.html#UUID-feeddc2a-32af-5a17-476a-2f083695f108
  30. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/br-edr-controller/baseband-specification.html#UUID-eef96c4d-35d7-5dcf-56e4-45fb241bc7bf
  31. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/br-edr-controller/baseband-specification.html#UUID-338b32fe-8a0a-53b7-d346-cdca2548ee73
  32. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/br-edr-controller/baseband-specification.html#UUID-e5ea5856-c31c-9302-bf18-27ff3414a0c6
  33. https://www.bluetooth.com/core-specification-6-feature-overview/
  34. https://www.bluetooth.com/learn-about-bluetooth/feature-enhancements/le-audio/
  35. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-60/out/en/host-controller-interface/host-controller-interface-functional-specification.html
  36. https://www.bluetooth.com/bluetooth-resources/whats-new-in-bluetooth-core-5-4-an-overview/
  37. https://www.bluetooth.com/blog/now-available-new-version-of-the-bluetooth-core-specification/
  38. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/host/logical-link-control-and-adaptation-protocol-specification.html
  39. https://www.bluetooth.com/specifications/specs/bluetooth-network-encapsulation-protocol-1-0/
  40. https://www.bluetooth.com/specifications/assigned-numbers/
  41. https://www.bluetooth.com/specifications/specs/personal-area-networking-profile-1-0/
  42. https://www.bluetooth.com/specifications/specs/rfcomm-1-2/
  43. https://ptgmedia.pearsoncmg.com/imprint_downloads/informit/bookreg/9780130661067/cr_ch10.pdf
  44. https://www.bluetooth.com/blog/bluetooth-technology-advancements-in-2024-and-expected-trends-in-2025/
  45. http://www.tscm.com/BluetoothSpec.pdf
  46. https://www.etsi.org/deliver/etsi_ts/101300_101399/101369/07.01.00_60/ts_101369v070100p.pdf
  47. https://www.itu.int/rec/T-REC-Q.931
  48. http://rfc.nop.hu/bluetooth/AVCTP_SPEC_V13r00.pdf
  49. https://www.silabs.com/documents/public/application-notes/AN986.pdf
  50. https://www.bluetooth.com/wp-content/uploads/Files/Specification/Assigned_Numbers.pdf
  51. https://audioxpress.com/article/wireless-audio-ultra-low-latency-audio-transmission-over-bluetooth-le-audio
  52. https://www.btnode.ethz.ch/pub/uploads/Documentation/BT_Core_v1_2.pdf
  53. https://www.bluetooth.com/specifications/specs/advanced-audio-distribution-profile-1-2/
  54. https://www.sciencedirect.com/science/article/abs/pii/S0140366404003408
  55. https://www.iis.fraunhofer.de/content/dam/iis/en/doc/ame/Whitepaper/LC3plus_Bluetooth-A2DP-profile.pdf
  56. https://www.bluetooth.com/wp-content/uploads/2020/01/Bluetooth_5.2_Feature_Overview.pdf
  57. https://novelbits.io/bluetooth-version-5-2-le-audio/
  58. https://btprodspecificationrefs.blob.core.windows.net/ext-ref/IrDA/OBEX15.pdf
  59. https://www.bluetooth.com/wp-content/uploads/2025/04/MAP_v1.4.3_showing_changes_from_MAP_v1.4.2.pdf
  60. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/host/attribute-protocol--att-.html
  61. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/host/attribute-protocol--att-.html#UUID-9a2dc3de-5db8-cf7c-b394-3f13af7a11fa
  62. https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/host/attribute-protocol--att-.html#UUID-4158738b-a430-2251-0ba8-b433a01bbd52_table-idm13358911224772
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.