Author | Fu Dongjie, Shanghai Kongan Trusted Software Innovation Research Institute
Source | Jianyuan Laboratory

1 Introduction
The Bluetooth protocol has evolved through multiple versions since its inception in 1999, continuously improving its functionality, and has become one of the most important short-range wireless communication standards globally. It is widely used in consumer electronics, the Internet of Things, automotive electronics, and medical devices, such as mobile phones, speakers, and in-car entertainment systems.

The Bluetooth protocol stack is defined by the Bluetooth Special Interest Group (SIG) and systematically defines the complete communication process from physical layer radio frequency signal processing to application layer data interaction through a carefully designed hierarchical structure. This article mainly analyzes and introduces the architecture of the Bluetooth protocol stack based on Bluetooth version 5.2. The Bluetooth core system adopts a flexible architecture of “Host + Controller”, divided into the Host subsystem and the Controller subsystem, which generally communicate through the standardized Host Controller Interface (HCI) protocol.
2 Bluetooth Architecture and Design
After the release of Bluetooth version 4.0, to better match the diverse requirements of the Internet of Things and audio devices for power consumption and transmission rates, Bluetooth technology gradually evolved into two branches: Classic Bluetooth (BR/EDR) and Low Energy Bluetooth (BLE). Classic Bluetooth (BR/EDR) supports higher data rates, suitable for high-volume scenarios such as audio transmission; Low Energy Bluetooth (LE) focuses on ultra-low power consumption and low cost, suitable for power-sensitive applications such as IoT and wearable devices. In this context, the hardware architecture of Bluetooth has gradually formed two forms: single-mode and dual-mode. Single-mode devices support only one of either Low Energy Bluetooth (BLE) or Classic Bluetooth (BR/EDR), while dual-mode devices can integrate both types of controllers, balancing high speed and low power consumption, truly achieving “one device for multiple uses” and flexibly adapting to complex application scenarios.

The Bluetooth protocol stack is shown in the figure below, covering both Classic Bluetooth and Low Energy Bluetooth, divided into three main modules: Controller subsystem, Host Controller Interface (HCI), and Host subsystem.
The Controller subsystem is the hardware core of the Bluetooth protocol stack, directly responsible for the transmission and reception of radio frequency signals and basic link control, including modulation and demodulation of radio frequency signals, frequency hopping, link management, and data packet transmission and reception. Its design directly determines the wireless communication performance, power consumption, and anti-interference capability of the device.
The Host Controller Interface standardizes the messages exchanged between the Controller subsystem and the Host subsystem, and their format.
The Host subsystem is the intelligent core of the Bluetooth protocol stack, running on the main processor of the device, carrying most of the logical processing and decision-making functions of the protocol stack. It controls the radio frequency hardware through HCI and provides rich interfaces for upper-layer applications.

2.1 Controller Subsystem
The Controller subsystem, as the hardware core of Bluetooth functionality, is located at the bottom of the protocol stack, directly managing the wireless radio frequency link and basic connection control. The Controller subsystem includes the Physical Layer (PHY), Link Layer (LL), Link Manager Protocol (LMP), and Link Layer Control Protocol (LLCP). The Physical Layer (PHY) transmits and receives radio waves and performs the conversion between analog and digital signals, while the Link Layer (LL) constructs links and manages frequency hopping and data flow. The Link Manager Protocol (LMP) and Link Layer Control Protocol (LLCP) provide fine-grained control over link security, power consumption, and behavior for Classic and Low Energy modes, respectively.
1) Physical Layer (PHY)
The Physical Layer is the hardware foundation of Bluetooth communication, directly controlling the radio frequency chip and antenna, achieving the conversion between digital signals and radio waves. Its main functions include:
Modulation and Demodulation: Using Gaussian Frequency Shift Keying (GFSK) and other modulation methods to convert digital bit streams into radio frequency signals for transmission and demodulating received signals back into data.
Channel and Frequency Management: Operating in the 2.4 GHz ISM band (2402–2480 MHz). Classic Bluetooth uses 79 physical channels, while Low Energy Bluetooth (BLE) uses 40 channels, employing Adaptive Frequency Hopping (AFH) to detect and avoid interference channels in real-time, enhancing anti-interference capability.
Multi-Mode Modulation Support (BLE):
· LE 1M PHY: Default mode, 1 Mb/s rate, strong compatibility.
· LE 2M PHY: Rate increased to 2 Mb/s, reducing transmission time and power consumption.
· LE Coded PHY: Enhances reception sensitivity through forward error correction coding, supporting long-distance communication (4 times the distance), with rates reduced to 125/500 Kb/s.
Power Consumption and Signal Control: Dynamically adjusts transmission power to optimize energy consumption and detects received signal strength.
2) Link Layer (LL)
The Link Layer serves as the hub connecting the Physical Layer and upper-layer protocols, responsible for managing logical communication links between devices. Its main functions include:
Frame Construction and Verification: Encapsulates upper-layer data into frame structures, adding addresses, types, and checksums (CRC) to ensure data integrity.
Device Discovery and Connection Control:
· Broadcasting and Scanning (Low Energy Bluetooth): Manages broadcast channels, handling broadcast messages (device discovery) and scan requests.
· Paging and Inquiry (Classic Bluetooth): Executes device discovery and connection initialization.
Connection Management and Optimization:
· Frequency Hopping Synchronization: The master drives the hopping sequence so that both devices switch channels in step, avoiding interference.
· Timing Management: Controls the connection interval and supervision timeout parameters, balancing real-time performance and power consumption.
· Acknowledgment and Retransmission: Ensures reliable frame transmission through acknowledgment mechanisms, automatically retransmitting on failure.
Low Power Strategy: Designs sleep/wake timing to allow devices to enter deep sleep during idle times, achieving the ultra-low power characteristics of Low Energy Bluetooth.
3) Link Manager Protocol (LMP)
The Link Manager Protocol is a control protocol unique to Classic Bluetooth, responsible for managing established connection links. Its main functions include:
Link Establishment and Security: Manages the entire process of pairing, authentication, and encryption.
Link Configuration and Management: Negotiates connection parameters, such as switching master/slave roles and adjusting transmission power to save energy.
Link Maintenance and Control: Manages connection retention, sleep, and sniff modes to ensure service quality.
Logical Transmission Management: Manages different logical channels for synchronous connection-oriented (SCO/eSCO, mainly for audio) and asynchronous connection (ACL, mainly for data).
4) Link Layer Control Protocol (LLCP)
The Link Layer Control Protocol is the control protocol for Low Energy Bluetooth. Its design philosophy is entirely different from that of the Link Manager Protocol: it is more lightweight, efficient, and fast, in order to meet the ultra-low power requirements of IoT devices. Its main functions include:
Connection Control: Manages the establishment, update (such as connection interval updates), and termination of connections.
Link Feature Management: Handles functions such as encryption initiation and channel mapping updates.
Connection Parameter Update Request: The slave device can actively request the master device to change connection parameters (such as interval, latency, etc.) to optimize power consumption or throughput.
Channel Selection Algorithm: Controls which radio frequency channel is used for communication.
2.2 Host Controller Interface (HCI)
HCI is not a specific hardware layer but a crucial standard interface protocol. It provides a bidirectional command and data channel between the host and the controller, being key to implementing the host-controller separation architecture. HCI strictly defines the following types of packets:
· HCI Command Packet: Sent from the host to the controller to query or control the controller’s state (e.g., initiating a connection command).
· HCI Event Packet: Sent from the controller to the host to report status or confirm command execution results (e.g., connection complete event).
· HCI ACL Data Packet: Responsible for bidirectional transmission of upper-layer application data between the host and controller.
· HCI SCO Data Packet: Used for bidirectional transmission of real-time voice data, primarily for voice calls on Classic Bluetooth headsets. It reserves fixed bandwidth for synchronous voice streams to ensure low latency, but typically performs no error retransmission, prioritizing smoothness over reliability.
· HCI ISO Data Packet: Designed for the core functions of the next generation of LE Audio, it supports synchronized reception of audio streams by multiple devices, forming the basis for Bluetooth audio sharing and multi-channel audio, providing more powerful and flexible synchronous data transmission capabilities than SCO.
These packets can be transmitted through various physical transmission methods, the most common being UART (serial, low cost), USB (high speed, plug and play), and SDIO (commonly used in embedded devices), which need to be adapted through corresponding transport layer drivers during design.
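As an added example (not code from the article or from Shanghai Kongan), the following parser splits an HCI byte stream in UART (H4) framing into the command, event, ACL, SCO and ISO packets described above. The indicator bytes and header layouts are those of the Core Specification; the sample stream (an HCI_Reset, its Command Complete event, and one ACL packet carrying an ATT Read Request) is constructed for this example. Such a parser is the first step when reviewing captured HCI traffic for unexpected commands or malformed length fields.

```python
import struct
from dataclasses import dataclass

# H4 packet-type indicator bytes (Core Spec Vol 4 Part A)
H4_CMD, H4_ACL, H4_SCO, H4_EVT, H4_ISO = 0x01, 0x02, 0x03, 0x04, 0x05
KIND = {H4_CMD: "CMD", H4_ACL: "ACL", H4_SCO: "SCO", H4_EVT: "EVT", H4_ISO: "ISO"}

@dataclass
class HciPacket:
    kind: str       # CMD / EVT / ACL / SCO / ISO
    header: dict    # decoded header fields
    payload: bytes  # parameters or data following the header

def _take(buf, pos, fmt):
    """Unpack fmt at pos, raising ValueError instead of struct.error when the header is cut off."""
    n = struct.calcsize(fmt)
    if pos + n > len(buf):
        raise ValueError(f"truncated header at offset {pos}")
    return struct.unpack_from(fmt, buf, pos), pos + n

def parse_h4(buf: bytes):
    """Split an H4 byte stream into HciPacket objects (both directions share the framing)."""
    pkts, pos = [], 0
    while pos < len(buf):
        ind, pos = buf[pos], pos + 1
        if ind == H4_CMD:              # opcode(16) = OGF(6) | OCF(10), then parameter length(8)
            (opcode, plen), pos = _take(buf, pos, "<HB")
            hdr = {"ogf": opcode >> 10, "ocf": opcode & 0x03FF}
        elif ind == H4_EVT:            # event code(8), parameter length(8)
            (code, plen), pos = _take(buf, pos, "<BB")
            hdr = {"event": code}
        elif ind == H4_ACL:            # handle(12) + PB/BC flags(4), data length(16)
            (hf, plen), pos = _take(buf, pos, "<HH")
            hdr = {"handle": hf & 0x0FFF, "flags": hf >> 12}
        elif ind == H4_SCO:            # handle(12) + status flags(4), data length(8)
            (hf, plen), pos = _take(buf, pos, "<HB")
            hdr = {"handle": hf & 0x0FFF, "flags": hf >> 12}
        elif ind == H4_ISO:            # handle(12) + PB/TS flags(4), data load length(14) + RFU(2)
            (hf, plen), pos = _take(buf, pos, "<HH")
            hdr, plen = {"handle": hf & 0x0FFF, "flags": hf >> 12}, plen & 0x3FFF
        else:
            raise ValueError(f"unknown H4 indicator 0x{ind:02x} at offset {pos - 1}")
        if pos + plen > len(buf):
            raise ValueError(f"{KIND[ind]} packet at offset {pos} claims {plen} bytes but stream ends early")
        pkts.append(HciPacket(KIND[ind], hdr, bytes(buf[pos:pos + plen])))
        pos += plen
    return pkts

# Constructed sample: HCI_Reset command, its Command Complete event, and one ACL
# packet carrying an L2CAP frame (CID 0x0004 = ATT) with an ATT Read Request for handle 3.
SAMPLE = bytes.fromhex(
    "01 030c 00"                       # CMD  opcode 0x0C03 (OGF 3 / OCF 3), no parameters
    "04 0e 04 01 030c 00"              # EVT  Command Complete: 1 credit, opcode 0x0C03, status 0
    "02 4020 0700 0300 0400 0a 0300"   # ACL  handle 0x040, flags 0b0010, 7 data bytes
)

if __name__ == "__main__":
    for p in parse_h4(SAMPLE):
        print(p.kind, p.header, p.payload.hex())
```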
2.3 Host Subsystem
The Host subsystem includes the Logical Link Control and Adaptation Protocol (L2CAP), Security Manager Protocol (SMP), Attribute Protocol (ATT), Generic Attribute Profile (GATT), and Generic Access Profile (GAP). These protocols and profiles work together to build the advanced capabilities of Bluetooth devices for interconnectivity, service discovery, and secure communication, supporting a wide application ecosystem from audio transmission to IoT sensing.
1) Core Basic Protocols and Profiles
· Logical Link Control and Adaptation Protocol (L2CAP)
The L2CAP layer is located at the bottom of the Host subsystem, acting as a “traffic hub” connecting upper and lower layers. Its core functions cover three aspects: protocol multiplexing, distinguishing multiple data streams from upper-layer protocols or applications through different Channel Identifiers (CID); packet segmentation and reassembly, dividing large upper-layer packets into segments suitable for transmission at the link layer and reassembling them at the receiving end; and data channel management, managing connection-oriented channels (addressed by CID) and connectionless channels (addressed by a registered Protocol/Service Multiplexer, PSM).
· Generic Access Profile (GAP)
GAP is the “general charter” for Bluetooth device external interactions, defining device roles (Broadcaster, Observer, Peripheral, and Central), discovery processes (discoverable mode), connection processes (connectable mode), and broadcast data formats (including device name, service UUID, and other key information).
2) Low Energy Bluetooth (BLE)
· Security Manager Protocol (SMP)
The Security Manager Protocol is the security cornerstone of Low Energy Bluetooth communication, managing the entire process of pairing, bonding, and encryption. Its security process consists of establishing shared keys during pairing, persisting those keys during bonding, and using the Long Term Key (LTK) to encrypt the link for secure communication. In terms of security algorithms, it supports LE Secure Connections (based on ECDH) and several association models (Numeric Comparison, Passkey Entry, Just Works, OOB) to suit different application scenarios.
· Attribute Protocol (ATT) and Generic Attribute Profile (GATT)
ATT adopts a client-server (C/S) model, abstracting data into Attribute units, each containing a handle, type, value, and permissions. It defines a streamlined set of operations, such as find information, read requests, write requests, notifications, and indications.
GATT is built on top of ATT, specifying the organization and structure of attribute data with a hierarchical data model: a Service is a collection of data that accomplishes a specific function, declared as a primary service; a Characteristic is a single data value and its associated information within a service, serving as the basic unit of actual interaction; a Descriptor provides additional definitions, configuration, or information for a characteristic value. This clear hierarchical structure ensures strong semantic consistency and interoperability for data exchange between different devices.
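The following added example (not from the article) shows the attribute model in action: a toy GATT attribute table with per-attribute permissions, and an ATT Read Request / Write Request handler that checks those permissions against the security state SMP established on the link. The handles, UUIDs and link state are constructed for this example; the ATT opcodes and error codes are the ones defined in the Core Specification.

```python
import struct
from dataclasses import dataclass

# ATT opcodes (Core Spec Vol 3 Part F)
ATT_ERROR_RSP, ATT_READ_REQ, ATT_READ_RSP, ATT_WRITE_REQ, ATT_WRITE_RSP = 0x01, 0x0A, 0x0B, 0x12, 0x13
# ATT error codes
ERR_INVALID_HANDLE, ERR_READ_NOT_PERMITTED, ERR_WRITE_NOT_PERMITTED = 0x01, 0x02, 0x03
ERR_INSUFF_AUTHENTICATION, ERR_REQ_NOT_SUPPORTED, ERR_INSUFF_ENCRYPTION = 0x05, 0x06, 0x0F

@dataclass
class Attribute:
    handle: int
    uuid: int
    value: bytes
    readable: bool = True
    writable: bool = False
    need_encryption: bool = False      # link must be encrypted with the LTK
    need_authentication: bool = False  # pairing must have been MITM-protected

@dataclass
class LinkState:                       # what SMP pairing/encryption achieved on this connection
    encrypted: bool = False
    authenticated: bool = False

def error_rsp(req_opcode: int, handle: int, code: int) -> bytes:
    """ATT Error Response: opcode, request opcode in error, handle in error, error code."""
    return struct.pack("<BBHB", ATT_ERROR_RSP, req_opcode, handle, code)

def handle_att(table: dict, link: LinkState, pdu: bytes) -> bytes:
    """Server-side handling of a Read Request or Write Request; returns the response PDU."""
    opcode = pdu[0]
    if opcode not in (ATT_READ_REQ, ATT_WRITE_REQ):
        return error_rsp(opcode, 0, ERR_REQ_NOT_SUPPORTED)
    handle = struct.unpack_from("<H", pdu, 1)[0]
    attr = table.get(handle)
    if attr is None:
        return error_rsp(opcode, handle, ERR_INVALID_HANDLE)
    # Permission checks: access type first, then the security level of the link.
    if opcode == ATT_READ_REQ and not attr.readable:
        return error_rsp(opcode, handle, ERR_READ_NOT_PERMITTED)
    if opcode == ATT_WRITE_REQ and not attr.writable:
        return error_rsp(opcode, handle, ERR_WRITE_NOT_PERMITTED)
    if attr.need_authentication and not link.authenticated:
        return error_rsp(opcode, handle, ERR_INSUFF_AUTHENTICATION)
    if attr.need_encryption and not link.encrypted:
        return error_rsp(opcode, handle, ERR_INSUFF_ENCRYPTION)
    if opcode == ATT_READ_REQ:
        return bytes([ATT_READ_RSP]) + attr.value
    attr.value = bytes(pdu[3:])        # Write Request: value follows the 2-byte handle
    return bytes([ATT_WRITE_RSP])

def build_table() -> dict:
    """Constructed table: Device Name (0x2A00) readable by anyone; a vendor 'config'
    characteristic value (0xFFF1) writable only over an encrypted, authenticated link."""
    return {
        0x0003: Attribute(0x0003, 0x2A00, b"KongAn-Demo"),
        0x0005: Attribute(0x0005, 0xFFF1, b"\x00", writable=True,
                          need_encryption=True, need_authentication=True),
    }
```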
3) Classic Bluetooth (BR/EDR)
· Service Discovery Protocol (SDP)
As the core mechanism for service discovery in Classic Bluetooth, SDP is used to query the services and their characteristics provided by the peer device, including service categories, protocol stack information, and service attributes. It adopts a client-server architecture, where the client queries the service records and attributes provided by the server.

· Application Profile Architecture
Classic Bluetooth primarily relies on profiles to define application layer functionality. A profile is essentially a detailed cooperation agreement that precisely defines how devices should invoke the capabilities of the underlying protocol stack to accomplish a specific task.
Common examples of Classic Bluetooth profiles include:

3 Conclusion
The Bluetooth protocol stack, with its highly structured and modular layered design, successfully constructs an adaptable and scalable communication framework, perfectly accommodating a wide range of scenarios from high-speed data sensing to low-power IoT. Through continuous evolution with technologies such as LE Audio and Mesh networking, it not only demonstrates strong backward compatibility but also embodies the core capability of the standard to integrate cutting-edge technological innovations to meet future diverse application needs, solidifying its foundational position in the field of short-range wireless communication. As the application scope of Bluetooth technology continues to expand, the security of its protocol stack becomes increasingly critical.
Shanghai Kongan has independently developed the SmartRocket TestSec automated intelligent fuzzing penetration testing platform to address the common network security risks and potential vulnerabilities in industrial control system communication networks. This product is based on black-box testing technology, achieving full-stack coverage of the industrial control software ecosystem and enabling deep security testing of key layers such as protocol stacks, business applications, databases, and operating system kernels.
In terms of functional architecture, TestSec innovatively integrates dynamic fuzz testing and penetration attack simulation into a dual-engine system. TestSec is equipped with an intelligent mutation engine that supports fuzz testing for multiple protocols such as Bluetooth HCI, L2CAP, SDP, SMP, PBAP, etc. Taking the SDP protocol as an example:
(1) Protocol Structure Deconstruction: Conducts field-level mutation fuzz testing on various message formats of the SDP protocol.
(2) Deep Monitoring System: Integrates traffic monitoring, memory state tracking, and abnormal behavior perception modules, constructing an intrusive/non-intrusive monitoring suite to monitor the network.
(3) Intelligent Feedback Mechanism: Real-time collection of response data from the tested object, dynamically analyzing system status and evaluating testing effectiveness, thereby intelligently optimizing fuzz message generation strategies.

Additionally, the tool also supports penetration attacks on Bluetooth, including replay attacks, tampering attacks, and common Bluetooth network attacks such as Low Energy Bluetooth man-in-the-middle attacks. Users can also develop custom use cases based on their needs, combined with the tool’s basic interfaces.

By constructing a three-dimensional testing matrix from the software behavior layer to the protocol logic layer, the SmartRocket TestSec automated intelligent fuzzing penetration testing platform can conduct security testing throughout the entire lifecycle of the target network, ensuring the stability of the operating environment and effectively enhancing the system’s resistance to attacks.
