I'm using BlueZ for handling BLE devices. I have compiled it from source and written a wrapper around it.
I'm searching for this tiny bit of information:
My problem is that my solution works with some devices already (can connect to them), but with a particular device, many times connection fails due to timeout.
I've created a sniff with btmon when the connection fails:
# btmon
Bluetooth monitor ver 5.50
= Note: Linux version 4.19.97-v7l+ (armv7l) 0.742019
= Note: Bluetooth subsystem version 2.22 0.742027
= New Index: AA:BB:CC:DD:EE:FF (Primary,UART,hci0) [hci0] 0.742030
= Open Index: AA:BB:CC:DD:EE:FF [hci0] 0.742033
= Index Info: AA:BB:CC:D.. (Cypress Semiconductor Corporation) [hci0] 0.742035
@ MGMT Open: bluetoothd (privileged) version 1.14 {0x0001} 0.742038
@ MGMT Open: btmon (privileged) version 1.14 {0x0002} 0.742321
< HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 #1 [hci0] 4.737267
Type: Passive (0x00)
Interval: 60.000 msec (0x0060)
Window: 30.000 msec (0x0030)
Own address type: Public (0x00)
Filter policy: Ignore not in white list (0x01)
> HCI Event: Command Complete (0x0e) plen 4 #2 [hci0] 4.737714
LE Set Scan Parameters (0x08|0x000b) ncmd 1
Status: Success (0x00)
< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #3 [hci0] 4.737767
Scanning: Enabled (0x01)
Filter duplicates: Enabled (0x01)
> HCI Event: Command Complete (0x0e) plen 4 #4 [hci0] 4.738160
LE Set Scan Enable (0x08|0x000c) ncmd 1
Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 42 #5 [hci0] 6.099681
LE Advertising Report (0x02)
Num reports: 1
Event type: Connectable undirected - ADV_IND (0x00)
Address type: Public (0x00)
Address: FF:EE:DD:CC:BB:AA
Data length: 30
Flags: 0x06
LE General Discoverable Mode
BR/EDR Not Supported
Company: Apple, Inc. (76)
Type: iBeacon (2)
UUID: 669a0c20-0008-6c91-e411-015500e22ea9
Version: 48661.62728
TX power: -59 dB
RSSI: -78 dBm (0xb2)
< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #6 [hci0] 6.099747
Scanning: Disabled (0x00)
Filter duplicates: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 4 #7 [hci0] 6.101862
LE Set Scan Enable (0x08|0x000c) ncmd 1
Status: Success (0x00)
< HCI Command: LE Create Connection (0x08|0x000d) plen 25 #8 [hci0] 6.101916
Scan interval: 60.000 msec (0x0060)
Scan window: 60.000 msec (0x0060)
Filter policy: White list is not used (0x00)
Peer address type: Public (0x00)
Peer address: FF:EE:DD:CC:BB:AA
Own address type: Public (0x00)
Min connection interval: 30.00 msec (0x0018)
Max connection interval: 50.00 msec (0x0028)
Connection latency: 0 (0x0000)
Supervision timeout: 420 msec (0x002a)
Min connection length: 0.000 msec (0x0000)
Max connection length: 0.000 msec (0x0000)
> HCI Event: Command Status (0x0f) plen 4 #9 [hci0] 6.102446
LE Create Connection (0x08|0x000d) ncmd 1
Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 19 #10 [hci0] 7.476997
LE Connection Complete (0x01)
Status: Success (0x00)
Handle: 64
Role: Master (0x00)
Peer address type: Public (0x00)
Peer address: FF:EE:DD:CC:BB:AA
Connection interval: 48.75 msec (0x0027)
Connection latency: 0 (0x0000)
Supervision timeout: 420 msec (0x002a)
Master clock accuracy: 0x00
@ MGMT Event: Device Connected (0x000b) plen 43 {0x0002} [hci0] 7.477047
LE Address: FF:EE:DD:CC:BB:AA
Flags: 0x00000000
Data length: 30
Flags: 0x06
LE General Discoverable Mode
BR/EDR Not Supported
Company: Apple, Inc. (76)
Type: iBeacon (2)
UUID: 669a0c20-0008-6c91-e411-015500e22ea9
Version: 48661.62728
TX power: -59 dB
@ MGMT Event: Device Connected (0x000b) plen 43 {0x0001} [hci0] 7.477047
LE Address: FF:EE:DD:CC:BB:AA
Flags: 0x00000000
Data length: 30
Flags: 0x06
LE General Discoverable Mode
BR/EDR Not Supported
Company: Apple, Inc. (76)
Type: iBeacon (2)
UUID: UUID
Version: 48661.62728
TX power: -59 dB
< HCI Command: LE Read Remote Used... (0x08|0x0016) plen 2 #11 [hci0] 7.477210
Handle: 64
> HCI Event: Command Status (0x0f) plen 4 #12 [hci0] 7.479342
LE Read Remote Used Features (0x08|0x0016) ncmd 1
Status: Success (0x00)
> HCI Event: Command Complete (0x0e) plen 14 #13 [hci0] 7.479357
LE Read Remote Used Features (0x08|0x0016) ncmd 1
Status: Success (0x00)
00 00 00 00 00 00 00 00 00 00 ..........
> HCI Event: LE Meta Event (0x3e) plen 12 #14 [hci0] 7.993969
LE Read Remote Used Features (0x04)
Status: Connection Timeout (0x08)
Handle: 64
Features: 0x2d 0x00 0x00 0x00 0x00 0x00 0x00 0x00
LE Encryption
Extended Reject Indication
Slave-initiated Features Exchange
LE Data Packet Length Extension
> HCI Event: Disconnect Complete (0x05) plen 4 #15 [hci0] 7.994591
Status: Success (0x00)
Handle: 64
Reason: Connection Timeout (0x08)
@ MGMT Event: Device Disconnected (0x000c) plen 8 {0x0002} [hci0] 8.027693
LE Address: FF:EE:DD:CC:BB:AA
Reason: Connection timeout (0x01)
@ MGMT Event: Device Disconnected (0x000c) plen 8 {0x0001} [hci0] 8.027693
LE Address: FF:EE:DD:CC:BB:AA
Reason: Connection timeout (0x01)
The connection first succeeds, but then my device executes a "LE Read Remote Used Features" HCI Command, which times out after 500ms and causes the whole connection to fail.
This is my reason for hunting the answers for the questions above.
Answers to all your questions can be found in the Bluetooth Core specification in the Link Layer chapter.
What happens is that the connection drops to the remote device. Bad signal quality? Bad antenna? Bad clock accuracy? The connection timeout happens after the specified supervision timeout if no packets (possibly empty) are received within this time.
Now it just happens that the first thing BlueZ sends is a remote feature request. If any other packets were sent instead, you'd likely get the same result (connection timeout).
Use a BLE link layer sniffer instead to see what really happens.
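Added example, not part of the answer above and not BlueZ code: a small Python parser that reads the link timing out of a btmon text trace and relates the lifetime of the link to its supervision timeout. The function name link_timing and the trimmed TRACE sample (built from the values in the question's trace) are assumptions of this example; the host-side timestamps make the last-packet estimate approximate.

```python
import re

# Constructed sample: the lines of the failing trace in the question that carry
# the link timing (flattened, as on the page; Status/Handle lines left out).
TRACE = """\
> HCI Event: LE Meta Event (0x3e) plen 19 #10 [hci0] 7.476997
LE Connection Complete (0x01)
Connection interval: 48.75 msec (0x0027)
Connection latency: 0 (0x0000)
Supervision timeout: 420 msec (0x002a)
> HCI Event: Disconnect Complete (0x05) plen 4 #15 [hci0] 7.994591
Reason: Connection Timeout (0x08)
"""

HEADER = re.compile(r"^[<>@] .*?(\d+\.\d+)$")               # packet line, ends in timestamp
FIELD = re.compile(r"^([A-Za-z ]+): .*\((0x[0-9a-f]+)\)$")  # "Name: text (0xNN)"

def link_timing(trace):
    """Decode the link timing from a btmon text trace holding one connection."""
    raw, ts, section = {}, None, None
    for line in map(str.strip, trace.splitlines()):
        if m := HEADER.match(line):
            ts = float(m[1])
            section = "disc" if "Disconnect Complete" in line else None
            if section:
                raw["end"] = ts
        elif line.startswith("LE Connection Complete"):
            section, raw["start"] = "conn", ts
        elif section and (m := FIELD.match(line)):
            raw[section, m[1]] = int(m[2], 16)   # keep the raw HCI value
    interval = raw["conn", "Connection interval"] * 1.25   # HCI unit: 1.25 ms
    timeout = raw["conn", "Supervision timeout"] * 10      # HCI unit: 10 ms
    latency = raw["conn", "Connection latency"]
    lifetime = (raw["end"] - raw["start"]) * 1000
    return {
        "interval_ms": interval,
        "supervision_timeout_ms": timeout,
        # Link Layer rule: timeout must exceed (1 + latency) * interval * 2
        "timeout_valid": timeout > (1 + latency) * interval * 2,
        # connection events that fit into one supervision timeout
        "events_in_timeout": int(timeout // interval),
        "lifetime_ms": lifetime,
        # approximate (host-side timestamps): when the last packet was received
        "last_rx_after_connect_ms": lifetime - timeout,
        "reason": raw["disc", "Reason"],
    }

if __name__ == "__main__":
    print(link_timing(TRACE))
```

For the trace in the question this gives a link lifetime of about 518 ms against a 420 ms supervision timeout, so the peer was last heard roughly 100 ms after the connection was reported and then stayed silent for about eight connection events.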
I had a similar problem, here are my findings:
What is "LE Read Remote Used Features" command for?
I do not know exactly; this command is not specified in the Bluetooth Specification. But different chipsets can have it, and this command can be enabled at the HCI initialization.
Which features can it read?
After increasing the timeout from 500ms to the upper limit 32000ms the result was as follows:
Handle: 128
HCI Event: Command Status (0x0f) plen 4
LE Read Remote Used Features (0x08|0x0016) ncmd 1
Status: Success (0x00)
HCI Event: LE Meta Event (0x3e) plen 11
LE Data Length Change (0x07)
Handle: 128
Max TX octets: 251
Max TX time: 17040
Max RX octets: 251
Max RX time: 17040
HCI Event: LE Meta Event (0x3e) plen 12
LE Read Remote Used Features (0x04)
Status: Success (0x00)
Handle: 128
Features: 0x7f 0xfb 0x46 0x07 0x00 0x00 0x00 0x00
LE Encryption
Connection Parameter Request Procedure
Extended Reject Indication
Slave-initiated Features Exchange
LE Ping
LE Data Packet Length Extension
LL Privacy
LE 2M PHY
Stable Modulation Index - Transmitter
LE Coded PHY
LE Extended Advertising
LE Periodic Advertising
Channel Selection Algorithm #2
LE Power Class 1
Unknown features (0x0000000007460000)
Is this mandatory for connecting to a BLE device?
As this is not specified in the Bluetooth Spec, I would guess no, it's not.
Is it safe to disable querying it after connection?
In my case the culprit was not this command that sabotaged the connection. I'd advise increasing the timeout amount to see what happens.
Is it possible to increase the timeout for the reception of this command's response?
If you were to issue this command separately and if it included such a parameter, then yes, why not? In my case it's using whatever Supervision timeout I have provided to the (Extended) Create Connection command.