Setting up a Bluetooth Packet Transport Link

Tancred Lindholm
Department of Computer Science
Helsinki University of Technology
ctl@cs.hut.fi

ABSTRACT
Data transmission between Bluetooth devices will be presented from a low-level
perspective, in terms of the OSI ISO model the physical and link layers. The issues
presented in the paper are derived from the task of setting up a packet transport
mechanism between two Bluetooth devices.
The physical characteristics of the radio link are presented and Bluetooth packet
types are briefly introduced. The Bluetooth term piconet is defined, and the set up
and operation of a piconet, including device discovery, paging and data transmission
issues, are presented. The paper ends with a short discussion.

Keywords
bluetooth, frequency hopping, piconet, packet, inquiry, paging

1. Introduction
Bluetooth technology makes it possible to form wireless
ad-hoc networks of relatively high bandwidth at a moderate
cost [4]. In this paper, data transmission between Bluetooth
devices will be presented from a low-level perspective, in
terms of the OSI ISO model, the physical and link layers.
The issues presented in the paper are derived from a
potential real-world use case.
The paper is mainly based on the Bluetooth Specification
version 1.0B [1], parts A: Radio Specification and B:
Baseband Specification
In section 2 the case, establishing a packet transport
mechanism between two devices, which defines the topic
of this paper is presented.
Section 3 and 4 introduces Bluetooth communications:
usage of the physical medium (radio signals) and packet
formats defined for Bluetooth.
It is not assumed that the devices know of each others
existence a priori; thus the devices need to discover each
other before a link can be set up. This is described in
section 5.

Once the devices know of each other, they need set up a

transport mechanism, utilizing the physical medium and
available packet formats. Section 5 also deals with this in
more detail.
Once a connection is established, there are quite few things
that need to be considered: What happens when packets are
lost or if the receive buffer fills up? How do the devices
share the radio link? Section 6 presents these issues.

2. Case: Establishing a packet transport

mechanism
Mr. Smith enters his office, carrying a PDA in his
briefcase. Within seconds, he sits down in front of the
computer in his office. He notices that synchronization of
the PDA and his computer is already in progress. A
moment later he has finished up the ad for the companys
AntiSpam email filter he scribbled down on the PDA
yesterday. He promptly e-mails it to 20 million
unsuspecting Internet users.
Assuming the PDA and the computer in the scenario above
are equipped with Bluetooth, it is possible to perform the
synchronization without any user intervention (e.g. having
at least to take the PDA out of the briefcase). In order for

any data to be transferred, a link needs to be established

between the devices.
The aspects of Bluetooth covered in this paper are derived
from this need to establish a link. Most networks transfer
data using packets, so we are particularly interested in
establishing a packet transport mechanism between two
devices, a common use case in networking,
Once such a mechanism has been established, one can start
adding higher-level protocols such as the familiar Internet
protocols IP, TCP, UDP and, on top of that, to name a few,
HTTP and FTP. This eventually leads us back to the
automatic file transfer implied by the scenario.

3. Physical Link Characteristics

3.1 Radio Specification

instance, an interfering signal on RF channel 42 will only

disturb traffic when the Bluetooth channel uses the same
RF channel, i.e. only ca 1,3 % of the time on a 79 channel
system. See figure 1.
In asynchronous peer-to-peer communications Bluetooth
supports a maximum data transfer rate of 723kb/s
asymmetric (using 57.6 kb/s in the return direction) and
434 kb/s symmetric. [1, p. 41]
Up to 8 devices may be active on a Bluetooth channel,
more can be accommodated by temporarily parking
active devices.

2
1 .
.

Bluetooth operates in the 2.4 GHz ISM (IndustrialScientific-Medical) band. The operational frequency band
is divided into 79 (or 23 in some counties1) RF channels,
spaced 1 MHz apart. The bit rate is 1Mb/s per channel. [1,
p. 44]

3
.

Bluetoot uses a modulation scheme called Gaussian

Frequency Shift Keying (GFSK, also known as GMSK
[2]). A binary one is represented as a positive frequency
deviation and a zero by a negative deviation from the RF
channel center frequency. Compared to other modulation
schemes, GFSK has the following advantages [2, 3]

Constant envelope, allowing high RF amplifier

efficiency

Narrow power spectrum: adjacent channel interference

is minimized

Good bit error rate (BER) performance

GFSK modulation is also used in GSM systems [3].

3.2 Bluetooth channel
A Bluetooth channel is defined as a pseudo-random
hopping sequence trough the 79 (or 23) RF channels. The
channel is divided into time slots of 625S, i.e. 1600 slots
per second. The frequency is changed2 each time a new
time slot, or hop begins.
Thus, a data transmission on a single BT channel could use
the RF channels 4,77,43,21,9,8,61... The frequency switch
takes place in the beginning of each time slot.
The frequency hopping scheme is adopted to make
Bluetooth more insensitive to interference from other
devices (such as a microwave oven or a baby monitor). For
1

RF Regulations in Spain, France and Japan prevent

Bluetooth from utilizing all 79 channels. However, work
on harmonisation of the frequencies used and number of
RF channels is in progress [1, p. 19]
There are some exceptions to this, e.g. multi-slot packets

4
.

Figure 1. Bluetooth RF channel hopping. The channel is

on the vertical axis and time on the horizontal. Two
channels are active (1 and 2). 3) Indicates a collision (both
channels hop on the same RF frequency. 4) Indicates
interference generated by another appliance, causing three
packets to be lost.
3.3 Data whitening
Before transmission of a Bluetooth packet, both the header
and payload are scrambled using a data whitening word in
order to minimize DC bias caused by e.g. a payload
consisting of all zeroes [1, p. 79]. The simple scrambling
scheme, motivated by radio engineering issues, should not
be mistaken for payload data encryption, which is
accomplished using a stream cipher called E0 [1, p. 159].

4. Bluetooth Links and Packets

4.1 Bluetooth Link Types
Between two (or more) Bluetooth devices two types of
links can be established:

Synchronous Connection-Oriented (SCO) link

Asynchronous Conncetionless Link (ACL)

Both link types use a packet-based transport mechanism.

The SCO link is typically used for time-bounded data, such
as voice. In practice, an SCO link is implemented by
reserving time slots at a regular interval for data exchange.
The ACL link works as a traditional packet-switched
network: packets are transmitted only when necessary. In
this paper, only the ACL type of link will be considered.
SCO links use very similar means of data transport, though.
4.2 Bluetooth Packet Format
The standard Bluetooth packet consists of three parts: the
access code, the header and the payload (see figure 2). [1 p.
47]

Figure 2. Standard Bluetooth packet format

4.3 The Access Code
The 72-bit3 access code is mainly used to identify packets
transmitted over a Bluetooth channel: all data packets sent
on the channel share the same access code. In addition, the
access code is used for device paging (finding out if a
specific device is in range) and inquiries (used to discover
new devices). A Bluetooth device monitors the access code
of each packet; if the device is not directly or indirectly
addressed, the rest of the packet is ignored [1, p. 48]. The
access code is very fault-tolerant (the minimum Hamming
distance between code words is 14 [1 p. 144]), so up to 6
bit errors can be corrected. The access code is also used to
determine receiver timing.
4.4 The Packet Header
The 18-bit packet header
information [1, p. 51]:

contains

the

following

A 3-bit target device address, which addresses an

active device on the Bluetooth channel. A broadcast
address is also provided.

A 4-bit type code. Identifies the type of data or control

packet.

Fields for flow control, sequencing and packet

acknowledgement.

An 8-bit header CRC

To protect the header from transmission errors each bit is

repeated three times in row (the Bluetooth spec refers to
this as 1/3 FEC encoding) yielding a total length of 54 bits.
4.5 The Packet Payload
The payload part (0 to 2745 bits) of the packet carries the
actual data. For ACL links, the payload begins with an 83

The access code is 68 bits in some cases.

or 16-bit header, which indicates the length of the data

packet and provides fields for logical channels and flow
control. The header also supports fragmentation of data
packets. [1, pp. 62]
The careful reader notices that during the Bluetooth time
slot of 625S you can send a maximum of 625 bits; how
are then 2745 bit packets possible? The answer is that a
packet may span up to five time slots, during which the
channel frequency is kept constant. [1, p. 44]
4.6 Packet Types
Bluetooth supports a wide variety of packet types
depending on the type of link, throughput and bit fault
tolerance. On SCO links packets for low, medium and high
quality voice as well as combined data and voice are
supported. For ACL links 1, 3 and 5 slot packets using
medium (5 check bits for each 10 bits) and high (no
additional check bits) data rates are supported. [1, pp. 55]
For the sample case, we will use single-slot, high data rate
packets, which [1] refers to as DH1 packets. The payload in
such a packet is not encoded with any additional parity bits.
A DH1 packet has a maximum carrying capacity of 30
bytes [1, p. 60].

5. Connection Establishment: Forming a

Piconet
5.1 The Piconet
Piconet is Bluetooth terminology for the devices
participating on a Bluetooth channel. To establish a
connection between two (or more) devices, the devices
need to select a channel and subsequently join it. This is
referred to as forming a piconet. [1, p. 41]
Piconets employ a Master/Slave topology: each piconet has
a master and one or more slaves. A Bluetooth device may
simultaneously participate in multiple piconets, either as
master or slave. A device can not, however, be master in
more than one piconet [1, p. 123]. This is due to the fact
that the hardware address of the master defines the
Bluetooth channel, and hence the piconet. A group of
piconets, between which connections exist, is called a
scatternet. See figure 3.
5.2 Piconet Timing
In order to determine when a new time slot starts the
Bluetooth devices on the piconet need to be synchronized
to a common clock. For this purpose, each Bluetooth
device has a free-running clock (i.e. a clock that is not
related to any external timing source), which ticks every
312.5S and has a period of 228-1 ticks. The clock of the
master device is used to clock the piconet. [1, pp. 95]
Each slave determines the offset between its internal clock
and the master clock when joining the piconet, and
henceforth corrects its internal clock with the offset thus

obtained. As the clocks are free-running, the offset needs to

be adjusted regularly. [1, pp. 95]

the device listens for packets with special inquiry access

codes. The RF channel is determined by the sequence
r(n,mB) by setting n to a special inquiry address (common
to all devices) and mB to bits 12-16 of the device clock. The
RF channel hopping sequence is thus determined by the
inquiry address and the sequence phase by the device clock.
The RF channel changes every 1.28s.
To discover other devices A enters the inquiry state. This
state can be entered both from the connection and
standby states.

Figure 3. Piconets with a single slave operation (a), a

multi-slave operation (b) and a scatternet operation (c).
[1, p. 42]
5.3 Piconet Formation
Figure 4 shows an overview of the states of a Bluetooth
link. The arrows indicate possible state transitions.
Forming a piconet from scratch, such as the example
case, consists of three phases:
1.

Inquiry. During this phase the device initiating the

connection scans its neighbourhood for Bluetooth
devices. As a result of the scan, the hardware address
of the device(s) to connect to is (are) discovered. [1, p.
108]

2.

Paging. During this phase the connection is negotiated.

This mainly involves informing the slave of the
Bluetooth channel to use and synchronizing the clock
of the slave to the channel. [1, pp. 99]

3.

Connection. The connection has been set up, and data

can be transmitted between the devices.

When inquiring for devices A sends an inquiry packet on

two alternating sets of frequencies, each containing 16
frequencies. Sending the inquiry packet on all frequencies
in one of the sets takes 16 time slots, i.e. 10mS. The
frequency sets consists of the 32 frequencies in the hopping
sequence r(n,mA). Both devices use the same n (the special
inquiry address), but as the clocks cannot be assumed to be
synchronized, the values mA and mB will most likely differ.
But, as B changes frequency only every 1.28s (enough time
to send 128 inquiry sets), mA and mB will meet at some
instant, and the inquiry packet will be received by B. See
figure 5.
Once the slave receives the inquiry packet it waits a
random amount of slots (0-1023) and then sends a response
packet containing its hardware address, native clock and
other slave information. The response is sent on a
transmission frequency derived from the receive frequency.
The random delay is to avoid collisions from other devices
responding.

In the following sections, the device initiating the

connection, and which becomes the master is referred to as
A. The second device, which becomes the slave, is quite
surprisingly called B.
5.4 The Inquiry Procedure
The procedure of A discovering B is not entirely trivial,
considering that both of devices are changing RF channels
in
a randomized fashion, and furthermore, are
unsynchronized. A simple scheme with a paging channel
could have been used, but it would be very sensitive to
interference. Instead the following scheme [1, pp. 101, pp.
108] is used:
Let r(n,m)[0,79] be a pseudo-random frequency hopping
sequence indexed by n[0,248-1] and m[0,31].
Furthermore, n: r(n,m1)=r(n,m2) m1=m2, i.e. each
frequency appears only once for a given n.
In order to be discovered B regularly enters the inquiry
scan state to watch for inquiries. During the inquiry scan

Figure 4. State diagram for Bluetooth link. [1, p.98]

Unless the response packet is lost, A now has knowledge of

Bs hardware address and an estimate of its clock. Should
the response packet be lost, the inquiry procedure
continues.

6. Data Transmission
In the previous section a connection between two Bluetooth
devices A and B was established. In this section,
asynchronous packet trafficking on this connection will be
considered.
6.1 Media Access

1.

2.

4.
3.

With the term media access one understands the means

and procedures used by a device to gain access to the
transmission medium. On a Bluetooth channel media
access is handled by dividing the time slots into two
groups: master-to-slave and slave-to-master slots. The
master can only initiate transfer in even-numbered slots
(the slots being numbered by the Bluetooth channel clock)
and replies from the slave can only be transmitted in oddnumbered slots [1, p. 44]. A slave may only transmit in the
slave-to-master slot if it was addressed in the previous
master-to-slave slot4 [1, p. 94]. See figure 6. It is up to the
master to reserve enough slave-to-master channel capacity.
[1, p. 112]

Figure 5. Device B (2) is in the inquiry scan state.

Device A (1) is in the inquiry state, and switly scans 16
frequencies. The 8th frequency matches that of B (3),
amd B sends an inquiry response (4). Axes are as in
figure 1.
5.5 Paging
Using the information from an inquiry (hardware address
and clock of B) A can page B, in order to establish a
connection.
In order to answer paging requests B regularly enters the
page scan state. As the device clocks are still not
synchronized, a frequency hopping scheme similar to the
inquiry procedure is used to get trough the first packet. [1,
pp. 108]
When paging, A enters the page state and transmits
packets (in a similar way to inquiry packets) containing
Bs Device Access Code (DAC). The DAC is generated
from Bs hardware address.
When B detects a packet with its DAC, it sends a response
packet, which contains only the DAC of B.
Upon reception of Bs response to the paging, A enters the
master response state and transmits its own hardware
address and clock information.
Upon acknowledgement from B, the connection is
established; A being the master and B the slave.
Henceforth, both units use a frequency hopping sequence
and access code determined by As hardware address.
Synchronization is also achieved, as B can offset its clock
according to the clock information received from A.

Figure 6. Master/Slave transmit and receive timings

6.2 Packet Acknowledgement and Flow Control
When transmitting data or data/voice packets an
unnumbered ARQ (Automatic Repeat Request) scheme is
used. Such packets are retransmitted until an
acknowledgement of successful reception is received, or a
timeout occurs. The acknowledgement (either positive or
negative) is piggy-backed onto the header of the return
packet. A missing acknowledgement (e.g. the return packet
was lost) is treated as a negative acknowledgement. [1, pp.
68]
In case of master-to-slave transmission, the return packet is
sent in the subsequent time slot. When the slave transmits
the return packet is received the next time the master
addresses the slave.
In order to distinguish the cases when a packet was
successfully received, but the acknowledgement was lost

Some exceptions to this, involving SCO links and

broadcast messages, exist.

and successful acknowledgement, a 1-bit sequencing

number is used. If a packet it resent, the sequence number
is held; this way the recipient will detect duplicate packets.
[1, pp. 68]
If the receive buffer fills up, a Bluetooth device may stop
the transmission by resetting the FLOW field in the return
packet. This stop signal does not affect control packets. If
the return packet is not received, a go signal is assumed.
[1, pp. 52]
6.3 Modes of Operation in the Connected State
Bluetooth devices can enter several modes of operation
while connected. The modes reflect different levels of
activity and availability on the channel; typically a device
can save channel bandwidth and power by entering a
suitable mode. The modes [1, pp. 112] are described below.
6.4 Active
The Bluetooth device actively participates on the channel
and listens for all packets addressed to it. The device holds
one of the 7 Active Member (AM) addresses on the
piconet.
6.5 Sniff
The listening duty of the device is reduced. The master is
only allowed to start transmission to the device in certain
slots. The device ignores transmissions on other slots.
6.6 Hold

8. Discussion and Conclusions

The paper presented the lower layers of Bluetooth
communication from the viewpoint of establishing a packet
connection between two devices.
On the physical level, Bluetooth uses a spread spectrum
model, which is relatively insensitive to interference. The
pseudo-random frequency hopping should guarantee that
performance degrades gracefully, as the number of
overlapping piconets increase.
On the link level, the strong influence of the funding
telecom companies is visible: special packet types have
been provided for synchronous (voice) transmissions.
Whether it is wise to provide this functionality at the link
layer, at the expense of protocol complexity remains to be
seen. Bluetooth also provides a device discovery scheme,
something very important for ad-hoc networking.
The master/slave architecture has both benefits and
drawbacks. An important benefit is that it simplifies the
connection setup considerably. Drawbacks include limited
slave-slave communication capabilities (the packets must
be sent trough the master, or another piconet must be
formed between the slaves) and performance penalties.
The various packet types, in combination with several lowpower modes increase protocol complexity, which
increases
the
likelihood
of
buggy
protocol
implementations. One should ask if all these types and
modes are necessary, and if theyre worth the increased risk
of faulty implementations.

The device can temporarily be put in hold mode, meaning

that it does not support any ACL traffic on the channel for
some time interval. The time interval is negotiated when
the hold mode is set up. The device still keeps its AM
address, though.

9. REFERENCES

6.7 Park

2. Guo, Y. Philips FM/IF systems for GMSK/GFSK

receivers, Philips Semiconductors 1997
http://www.semiconductors.com/acrobat/applicationnot
es/AN1997.pdf. Referred 5/10/2000

The device gives up its AM address in exchange for a

Parked Member (PM) address (the number of available PM
addresses is huge), and no longer participates in traffic on
the channel. During this low-power state the device
regularly wakes up to resynchronize to the channel and to
check for unpark messages. By on-demand parking and
unparking of members, a piconet of more than 7 members
can be accommodated.

7. Releasing the connection

The connection between two Bluetooth devices can be
closed anytime by the master or the slave by sending a
detach or reset command. [1, p. 208]

1. Bluetooth SIG, Specification of the Bluetooth System

Version 1.0B volume 1, 1999.
http://www.bluetooth.com/developer/specification/core
_10_b.pdf. Referred 5/10/2000

3. Markovic, V. Gaussian Minimum Shift Keying.

Presentation given in course Advanced Course in
Digital Transmission at Tampere University of
Technology, 1999
http://www.cs.tut.fi/kurssit/83090/S13.ps. Referred
5/10/2000
4. Oraskari, Jyrki, Bluetooth 2000
http://www.hut.fi/~joraskur/bluetooth.html