Bluetooth源码分析(三)蓝牙配对流程

先附上总结的时序图:

蓝牙配对时序图.png

1 UI

蓝牙配对开始于settings设备列表 /packages/apps/Settings/src/com/android/settings/bluetooth/DeviceListPreferenceFragment.java中。
DeviceListPreferenceFragment是蓝牙扫描到的设备列表,点击其中一个蓝牙设备,调用onPreferenceTreeClick方法开始蓝牙的配对过程。

    @Override
    public boolean onPreferenceTreeClick(PreferenceScreen preferenceScreen,
            Preference preference) {
        if (KEY_BT_SCAN.equals(preference.getKey())) {
            mLocalAdapter.startScanning(true);
            return true;
        }

        if (preference instanceof BluetoothDevicePreference) {
            BluetoothDevicePreference btPreference = (BluetoothDevicePreference) preference;
            CachedBluetoothDevice device = btPreference.getCachedDevice();
            mSelectedDevice = device.getDevice();
            //配对连接
            onDevicePreferenceClick(btPreference);
            return true;
        }

        return super.onPreferenceTreeClick(preferenceScreen, preference);
    }

在本地onDevicePreferenceClick方法中调用/packages/apps/Settings/src/com/android/settings/bluetooth/BluetoothDevicePreference.java的onClicked方法:

      void onClicked() {
          Context context = getContext();
          int bondState = mCachedDevice.getBondState();// 获取设备的绑定状态

          final MetricsFeatureProvider metricsFeatureProvider =
                  FeatureFactory.getFactory(context).getMetricsFeatureProvider();
          if (mCachedDevice.isConnected()) {
              metricsFeatureProvider.action(context,
                      MetricsEvent.ACTION_SETTINGS_BLUETOOTH_DISCONNECT);
              askDisconnect(); // 已连接,询问是否断开连接
          } else if (bondState == BluetoothDevice.BOND_BONDED) {
              metricsFeatureProvider.action(context,
                      MetricsEvent.ACTION_SETTINGS_BLUETOOTH_CONNECT);
              mCachedDevice.connect(true);// 已绑定,则进行连接
          } else if (bondState == BluetoothDevice.BOND_NONE) {
              metricsFeatureProvider.action(context,
                      MetricsEvent.ACTION_SETTINGS_BLUETOOTH_PAIR);
              if (!mCachedDevice.hasHumanReadableName()) {
                  metricsFeatureProvider.action(context,
                      MetricsEvent.ACTION_SETTINGS_BLUETOOTH_PAIR_DEVICES_WITHOUT_NAMES);
              }
              pair();// 如果未绑定,则进行配对
          }
      }

这里先获取mCachedDevice的绑定状态,如果已经连接,则询问是否断开;如果已经绑定未连接,则开始连接;如果未连接也未绑定,则开始配对。这里我们先看配对。配对调用的是本地的pair方法:

      private void pair() {
          if (!mCachedDevice.startPairing()) {
              Utils.showError(getContext(), mCachedDevice.getName(),
                      R.string.bluetooth_pairing_error_message);
          }
      }

pair方法会调用/frameworks/base/packages/SettingsLib/src/com/android/settingslib/bluetooth/CachedBluetoothDevice.java中的startPairing,启动配对


2 framework

    public boolean startPairing() {
        // Pairing is unreliable while scanning, so cancel discovery
        // 配对时,如果正在扫描,则取消扫描
        if (mLocalAdapter.isDiscovering()) {
            mLocalAdapter.cancelDiscovery();
        }
        // 开始配对
        if (!mDevice.createBond()) {
            return false;
        }
        // 标识位,配对完成后,自动连接
        mConnectAfterPairing = true;  // auto-connect after pairing
        return true;
    }

createBond调用/frameworks/base/core/java/android/bluetooth/BluetoothDevice.java
中的createBond方法:

      public boolean createBond(int transport) {
          final IBluetooth service = sService;
          if (service == null) {
              Log.e(TAG, "BT not enabled. Cannot create bond to Remote Device");
              return false;
          }
          if (TRANSPORT_AUTO > transport || transport > TRANSPORT_LE) {
              throw new IllegalArgumentException(transport + " is not a valid Bluetooth transport");
          }
          try {
              Log.i(TAG, "createBond() for device " + getAddress()
                      + " called by pid: " + Process.myPid()
                      + " tid: " + Process.myTid());
              return service.createBond(this, transport);
          } catch (RemoteException e) {
              Log.e(TAG, "", e);
          }
          return false;
      }

createBond接着调用IBluetooth的createBond方法,通过aidl方式调用蓝牙远程服务。


3 Bluetooth app

和蓝牙扫描一样,实现IBluetooth接口的类是AdapterServiceBinder,AdapterServiceBinder实现IBluetooth.Stub接口,是/packages/apps/Bluetooth/src/com/android/bluetooth/btservice/AdapterService的私有内部类,AdapterServiceBinder收到的操作,都会转交AdapterService处理,所以会调用AdapterService的createBond方法。

     boolean createBond(BluetoothDevice device, int transport) {
        enforceCallingOrSelfPermission(BLUETOOTH_ADMIN_PERM,
            "Need BLUETOOTH ADMIN permission");
        DeviceProperties deviceProp = mRemoteDevices.getDeviceProperties(device);
         //属性检查
        if (deviceProp != null && deviceProp.getBondState() != BluetoothDevice.BOND_NONE) {
            return false;
        }

        // Pairing is unreliable while scanning, so cancel discovery
        // Note, remove this when native stack improves
        cancelDiscoveryNative();// 配对过程,取消扫描
        // 给配对的状态机发消息,创建了BondStateMachine.CREATE_BOND
        Message msg = mBondStateMachine.obtainMessage(BondStateMachine.CREATE_BOND);
        msg.obj = device;
        msg.arg1 = transport;
        mBondStateMachine.sendMessage(msg);
        return true;
    }

createBond 方法会检查一下远程设备属性信息,取消蓝牙扫描任务,将配对任务转交mBondStateMachine,由状态机处理该信息。

@Override
        public boolean processMessage(Message msg) {

            BluetoothDevice dev = (BluetoothDevice)msg.obj;

            switch (msg.what) {
                case CREATE_BOND:
                    OobData oobData = null;
                    if (msg.getData() != null) {
                        oobData = msg.getData().getParcelable(OOBDATA);
                    }

                    result = createBond(dev, msg.arg1, oobData, false);
                    break;
                    ........................省略.................................
                    }
            }

BondStateMachine处理服务发送过来的BondStateMachine.CREATE_BOND消息 ,在processMessage 中调用 BondStateMachine的createBond 方法:

      private boolean createBond(BluetoothDevice dev, int transport, OobData oobData,
              boolean transition) {
          if (dev.getBondState() == BluetoothDevice.BOND_NONE) {
              infoLog("Bond address is:" + dev);
              byte[] addr = Utils.getBytesFromAddress(dev.getAddress());
              boolean result;
              if (oobData != null) {// 判断是否借助其他硬件进行无绑定配对
                  result = mAdapterService.createBondOutOfBandNative(addr, transport, oobData);
              } else {
                  result = mAdapterService.createBondNative(addr, transport);// 调用到JNI层,进行配对
              }

              if (!result) {
                  sendIntent(dev, BluetoothDevice.BOND_NONE, BluetoothDevice.UNBOND_REASON_REMOVED);
                  return false;
              } else if (transition) {
                  transitionTo(mPendingCommandState);
              }
              return true;
          }
          return false;
      }

createBondNative方法实现在/packages/apps/Bluetooth/jni/com_android_bluetooth_btservice_AdapterService.cpp中:

  static jboolean createBondNative(JNIEnv* env, jobject obj, jbyteArray address,
                                   jint transport) {
    ALOGV("%s", __func__);

    if (!sBluetoothInterface) return JNI_FALSE;

    jbyte* addr = env->GetByteArrayElements(address, NULL);
    if (addr == NULL) {
      jniThrowIOException(env, EINVAL);
      return JNI_FALSE;
    }
    // 调用到hal层的配对函数
    int ret = sBluetoothInterface->create_bond((RawAddress*)addr, transport);
    env->ReleaseByteArrayElements(address, addr, 0);
    return (ret == BT_STATUS_SUCCESS) ? JNI_TRUE : JNI_FALSE;
  }

这里通过create_bond这个方法调用到了蓝牙协议栈里面。


4 蓝牙协议栈

create_bond方法位于/system/bt/btif/src/bluetooth.cc:

  static int create_bond(const RawAddress* bd_addr, int transport) {
    /* sanity check */
    if (!interface_ready()) return BT_STATUS_NOT_READY;

    return btif_dm_create_bond(bd_addr, transport);
  }

create_bond方法调用/system/bt/btif/src/btif_dm.cc的btif_dm_create_bond方法:

  bt_status_t btif_dm_create_bond(const RawAddress* bd_addr, int transport) {
    btif_dm_create_bond_cb_t create_bond_cb;
    create_bond_cb.transport = transport;
    create_bond_cb.bdaddr = *bd_addr;

    BTIF_TRACE_EVENT("%s: bd_addr=%s, transport=%d", __func__,
                     bd_addr->ToString().c_str(), transport);
    // 如果如果不是未配对状态,则取消配对
    if (pairing_cb.state != BT_BOND_STATE_NONE) return BT_STATUS_BUSY;

    btif_stats_add_bond_event(*bd_addr, BTIF_DM_FUNC_CREATE_BOND,
                              pairing_cb.state);// 添加了绑定事件

    // 这里create_bond_cb在上面已经传入了要绑定的蓝牙地址,
    // 会分别发送给底层两部分,最后会调用btif_dm_generic_evt
    btif_transfer_context(btif_dm_generic_evt, BTIF_DM_CB_CREATE_BOND,
                          (char*)&create_bond_cb,
                          sizeof(btif_dm_create_bond_cb_t), NULL);

    return BT_STATUS_SUCCESS;
  }

btif_dm_create_bond方法最终调用了本地的btif_dm_generic_evt方法,传入BTIF_DM_CB_CREATE_BOND事件:

 static void btif_dm_generic_evt(uint16_t event, char* p_param) {
    BTIF_TRACE_EVENT("%s: event=%d", __func__, event);
    switch (event) {
      ...........................省略.....................................
      case BTIF_DM_CB_CREATE_BOND: {// 根据传入的事件,走这里进行配对
        pairing_cb.timeout_retries = NUM_TIMEOUT_RETRIES;
        btif_dm_create_bond_cb_t* create_bond_cb =
            (btif_dm_create_bond_cb_t*)p_param;
        btif_dm_cb_create_bond(create_bond_cb->bdaddr, create_bond_cb->transport);
      } break;
      ...........................省略......................................
    }
 }

这里又调用本地的btif_dm_cb_create_bond方法:

  static void btif_dm_cb_create_bond(const RawAddress& bd_addr,
                                     tBTA_TRANSPORT transport) {
     bool is_hid = check_cod(&bd_addr, COD_HID_POINTING);
    // 这里开始回调,将绑定状态变成绑定中
    bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING);
    ............................省略..................................
    if (is_hid && (device_type & BT_DEVICE_TYPE_BLE) == 0) {
      bt_status_t status;
      status = (bt_status_t)btif_hh_connect(&bd_addr);
      if (status != BT_STATUS_SUCCESS)
        bond_state_changed(status, bd_addr, BT_BOND_STATE_NONE);
    } else {
      BTA_DmBondByTransport(bd_addr, transport);// 第一次调用会走这里
    }
    /*  Track  originator of bond creation  */
    pairing_cb.is_local_initiated = true;
  }

BTA_DmBondByTransport方法位于\system\bt\bta\dm\bta_dm_api.c:

void BTA_DmBondByTransport(BD_ADDR bd_addr, tBTA_TRANSPORT transport)
{
    // 调用bta的bta_dm_bond方法
    do_in_bta_thread(FROM_HERE, base::Bind(bta_dm_bond, bd_addr, transport));
}

这里通过do_in_bta_thread调用/system/bt/bta/dm/bta_dm_act.cc里面的bta_dm_bond方法,进入bta进程:

void bta_dm_bond (tBTA_DM_MSG *p_data)
{
    tBTM_STATUS status;
    tBTA_DM_SEC sec_event;
    char        *p_name;

    if (p_data->bond.transport == BTA_TRANSPORT_UNKNOWN)
        status = BTM_SecBond ( p_data->bond.bd_addr, 0, NULL, 0 );
    else
        status = BTM_SecBondByTransport ( p_data->bond.bd_addr, p_data->bond.transport, 0, NULL, 0 );

    if (bta_dm_cb.p_sec_cback && (status != BTM_CMD_STARTED))
    {

        memset(&sec_event, 0, sizeof(tBTA_DM_SEC));
        bdcpy(sec_event.auth_cmpl.bd_addr, p_data->bond.bd_addr);
        p_name = BTM_SecReadDevName(p_data->bond.bd_addr);
        if (p_name != NULL)
        {
            memcpy(sec_event.auth_cmpl.bd_name, p_name, (BD_NAME_LEN-1));
            sec_event.auth_cmpl.bd_name[BD_NAME_LEN-1] = 0;
        }

/*      taken care of by memset [above]
        sec_event.auth_cmpl.key_present = FALSE;
        sec_event.auth_cmpl.success = FALSE;
*/
        sec_event.auth_cmpl.fail_reason = HCI_ERR_ILLEGAL_COMMAND;
        if (status == BTM_SUCCESS)
        {
            sec_event.auth_cmpl.success = TRUE;
        }
        else
        {
            /* delete this device entry from Sec Dev DB */
            bta_dm_remove_sec_dev_entry(p_data->bond.bd_addr);
        }
        bta_dm_cb.p_sec_cback(BTA_DM_AUTH_CMPL_EVT, &sec_event);// 配对事件回调
    }
}

然后来到\system\bt\stack\btm\btm_sec.c的BTM_SecBondByTransport 方法:

tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
                                    UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
{
    tBT_DEVICE_TYPE     dev_type;
    tBLE_ADDR_TYPE      addr_type;

    BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
    /* LE device, do SMP pairing */
    if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
        (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0))
    {
        return BTM_ILLEGAL_ACTION;
    }
    return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
}

调用本地btm_sec_bond_by_transport方法,这个方法内容很多,着重看这段代码:

 if (!controller_get_interface()->supports_simple_pairing())//这里做一个判断,看是否支持简单配对方式
    {
        /* The special case when we authenticate keyboard.  Set pin type to fixed */
        /* It would be probably better to do it from the application, but it is */
        /* complicated */
        if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
            && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
            && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED)) {
            btm_cb.pin_type_changed = TRUE;
            btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);// 这里就在和hci层打交道
        }
    }

这里调用system/bt/stack/hcic/hcicmds.cc的btsnd_hcic_write_pin_type方法通过HCI向底层发送命令进行控制

void btsnd_hcic_write_pin_type (UINT8 type)
{
    BT_HDR *p = (BT_HDR *)osi_malloc(HCI_CMD_BUF_SIZE);
    UINT8 *pp = (UINT8 *)(p + 1);

    p->len    = HCIC_PREAMBLE_SIZE + HCIC_PARAM_SIZE_WRITE_PARAM1;
    p->offset = 0;

    UINT16_TO_STREAM (pp, HCI_WRITE_PIN_TYPE);
    UINT8_TO_STREAM  (pp, HCIC_PARAM_SIZE_WRITE_PARAM1);

    UINT8_TO_STREAM (pp, type);

    btu_hcif_send_cmd (LOCAL_BR_EDR_CONTROLLER_ID,  p);//这里是向hci层发命令,
}

可以看出,这里是通过和hci层的通信,host告诉controlor蓝牙地址、数据、命令等,从而控制其底层硬件发起配对操作。具体btu如何与hci通信,过程也是很繁琐,可以参考《Android BT STACK BTU 和 HCI之间的消息传递》这篇文章。
到此绑定的流程就结束了。有一个遗留问题就是绑定状态是如何返回给上层的呢?


5 配对状态改变的回传

上文我们在bta里面调用/system/bt/bta/dm/bta_dm_act.cc里面的bta_dm_bond方法,进行配对,这个方法里面有这样一段代码:

bta_dm_cb.p_sec_cback(BTA_DM_AUTH_CMPL_EVT, &sec_event);

这个就是bta的回调函数,回调事件是BTA_DM_AUTH_CMPL_EVT,根据这个事件标志,我们找到了 /system/bt/btif/src/btif_dm.cc里面的btif_dm_upstreams_evt方法,这个方法就是用于向上层回调消息的,相关代码是:

     case BTA_DM_AUTH_CMPL_EVT:
        btif_dm_auth_cmpl_evt(&p_data->auth_cmpl);
        break;

可以看到是调用这个函数,返回配对完成的事件,这个函数代码很多这里就不引用了,无论配对成功还是失败,这里都会用 bond_state_changed这个方法进行处理:

  static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr,
                                 bt_bond_state_t state) {
    btif_stats_add_bond_event(bd_addr, BTIF_DM_FUNC_BOND_STATE_CHANGED, state);

    // Send bonding state only once - based on outgoing/incoming we may receive
    // duplicates
    if ((pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING)) {
      // Cross key pairing so send callback for static address
      if (!pairing_cb.static_bdaddr.IsEmpty()) {
        auto tmp = bd_addr;
        HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state);
      }
      return;
    }

    if (pairing_cb.bond_type == BOND_TYPE_TEMPORARY) state = BT_BOND_STATE_NONE;

    BTIF_TRACE_DEBUG("%s: state=%d, prev_state=%d, sdp_attempts = %d", __func__,
                     state, pairing_cb.state, pairing_cb.sdp_attempts);

    auto tmp = bd_addr;
    HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state);

    if (state == BT_BOND_STATE_BONDING) {
      pairing_cb.state = state;
      pairing_cb.bd_addr = bd_addr;
    } else if ((state == BT_BOND_STATE_NONE) &&
        ((bd_addr == pairing_cb.bd_addr) ||
        (bd_addr == pairing_cb.static_bdaddr))) {
       memset(&pairing_cb, 0, sizeof(pairing_cb));
    }else{
      if ((!pairing_cb.sdp_attempts)&&
            ((bd_addr == pairing_cb.bd_addr) ||
            (bd_addr == pairing_cb.static_bdaddr)))
        memset(&pairing_cb, 0, sizeof(pairing_cb));
      else
        BTIF_TRACE_DEBUG("%s: BR-EDR service discovery active", __func__);
    }
  }

可以发现也是通过HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state);这样的方法进行回调的,bond_state_changed_cb这个函数在bluetooth.h被定义对应的是com_android_bluetooth_btservice_AdapterService.cpp里的bond_state_changed_callback,关键代码如下:

  sCallbackEnv->CallVoidMethod(sJniCallbacksObj, method_bondStateChangeCallback,
                                 (jint)status, addr.get(), (jint)state);

这里将bondStateChangeCallback方法对应到jni的method_bondStateChangeCallback方法

  jclass jniCallbackClass =
        env->FindClass("com/android/bluetooth/btservice/JniCallbacks");
  ........................省略................................
  method_bondStateChangeCallback =
        env->GetMethodID(jniCallbackClass, "bondStateChangeCallback", "(I[BI)V");

就找到了JniCallbacks.java里面的bondStateChangeCallback方法

    void bondStateChangeCallback(int status, byte[] address, int newState) {
          mBondStateMachine.bondStateChangeCallback(status, address, newState);
      }

接下来便进入了/packages/apps/Bluetooth/src/com/android/bluetooth/btservice/BondStateMachine.java状态机里面:

      void bondStateChangeCallback(int status, byte[] address, int newState) {
          BluetoothDevice device = mRemoteDevices.getDevice(address);

          if (device == null) {
              infoLog("No record of the device:" + device);
              // This device will be added as part of the BONDING_STATE_CHANGE intent processing
              // in sendIntent above
              device = mAdapter.getRemoteDevice(Utils.getAddressStringFromByte(address));
          }

          infoLog("bondStateChangeCallback: Status: " + status + " Address: " + device
                  + " newState: " + newState);

          Message msg = obtainMessage(BONDING_STATE_CHANGE);
          msg.obj = device;

          if (newState == BOND_STATE_BONDED)
              msg.arg1 = BluetoothDevice.BOND_BONDED;
          else if (newState == BOND_STATE_BONDING)
              msg.arg1 = BluetoothDevice.BOND_BONDING;
          else
              msg.arg1 = BluetoothDevice.BOND_NONE;
          msg.arg2 = status;

          sendMessage(msg);
      }

状态机里面通过sendMessage进行配对状态的变更。
到此,配对流程就分析结束了。

作者:猫疏
链接:https://www.jianshu.com/p/0b748b11fa62

你可能感兴趣的:(Bluetooth源码分析(三)蓝牙配对流程)