Android Bluetooth | 蓝牙配对源码分析

好厚米们,我又来了!

这次分享的是蓝牙设备执行配对动作时Android源码的执行流程。

下面先来说下,应用层是如何发起蓝牙配对的:

( ps:大多数业务逻辑,都是扫描到可用设备后,点击可用设备 -> 发起配对。)

这里我直接略过点击可用设备的步骤哈,扫描到第一个可用设备后,我直接通过扫描信息进行配对

public class MainActivity extends AppCompatActivity {
    private BluetoothAdapter mBluetoothAdapter;
    private BluetoothDevice mBluetoothDevice;
    private BluetoothLeScanner scanner = BluetoothAdapter.getDefaultAdapter().getBluetoothLeScanner();

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        ScanCallback scanCallback = new ScanCallback() {
            @SuppressLint("MissingPermission")
            @Override
            public void onScanResult(int callbackType, ScanResult result) {
                super.onScanResult(callbackType, result);
           
                //将扫描到的设备信息取出来,为蓝牙设备赋值
                mBluetoothDevice = result.getDevice();
                //通过蓝牙设备,调用配对方法
                mBluetoothDevice.createBond();
            }
            @Override
            public void onScanFailed(int errorCode) {
                super.onScanFailed(errorCode);
                // 扫描失败处理
            }
        };
        // 开始扫描
        if (scanner != null) {
            ScanSettings settings = new ScanSettings.Builder()
                    .setScanMode(ScanSettings.SCAN_MODE_LOW_LATENCY)
                    .build();
            // 添加过滤条件
            List filters = new ArrayList<>();
            //权限检查
            if (ActivityCompat.checkSelfPermission(this, Manifest.permission.BLUETOOTH_SCAN) != PackageManager.PERMISSION_GRANTED) {
                // TODO: Consider calling
                //    ActivityCompat#requestPermissions
                // here to request the missing permissions, and then overriding
                //   public void onRequestPermissionsResult(int requestCode, String[] permissions,
                //                                          int[] grantResults)
                // to handle the case where the user grants the permission. See the documentation
                // for ActivityCompat#requestPermissions for more details.
                return;
            }
            scanner.startScan(filters, settings, scanCallback);
        }
            // 停止扫描
        if (scanner != null) {
            scanner.stopScan(scanCallback);
        }

        mBluetoothAdapter.startDiscovery();

    }
}

由上面的代码可以看出,配对动作的执行依赖

 //通过蓝牙设备,调用配对方法
 BluetoothDevice.createBond();

下面就进入到了FWK层

执行BluetoothDevice.createBond()后,会进入到BluetoothDevice.java中执行

BluetoothDevice.java - OpenGrok cross reference for /frameworks/base/core/java/android/bluetooth/BluetoothDevice.java

 public boolean createBond() {
           final IBluetooth service = sService;
          if (service == null) {
             Log.e(TAG, "BT not enabled. Cannot create bond to Remote Device");
              return false;
          }
           try {
              Log.i(TAG, "createBond() for device " + getAddress()
                      + " called by pid: " + Process.myPid()
                      + " tid: " + Process.myTid());
                //通过service接口执行配对动作
              return service.createBond(this, TRANSPORT_AUTO);
           } catch (RemoteException e) {
               Log.e(TAG, "", e);
          }
           return false;
      }

而这个service,我们来看下其声明

private static volatile IBluetooth sService;

//后来在上面的配对方法中,为此接口赋值
final IBluetooth service = sService;

本质上就是IBluetooth接口,不过在Android 10中,IBluetooth接口一共有两个。

Android Bluetooth | 蓝牙配对源码分析_第1张图片应用层下发配对动作时,所用的IBludetooth接口是/system/bt/service/common/android/bluetooth/

此接口的具体代码如下(太多了,各位厚米自己点连接看下就行):

IBluetooth.aidl - OpenGrok cross reference for /system/bt/binder/android/bluetooth/IBluetooth.aidl

即通过这个AIDL接口调用蓝牙远程服务。

下面进入了Bluetooth 服务层

而这个接口的实现类,在AdaperServiceBinder中,部分代码如下:

PS:AdaperServiceBinder写在AdapterService.java中

AdapterService.java - OpenGrok cross reference for /packages/apps/Bluetooth/src/com/android/bluetooth/btservice/AdapterService.java

private static class AdapterServiceBinder extends IBluetooth.Stub {
        //在Binder类中继承了IBluetooth.Stub

        private AdapterService mService;

        AdapterServiceBinder(AdapterService svc) {
            mService = svc;
        }

        public void cleanup() {
            mService = null;
        }

        public AdapterService getService() {
            if (mService != null && mService.isAvailable()) {
                return mService;
            }
            return null;
        }

        //发起配对

        @Override
        public boolean createBond(BluetoothDevice device, int transport) {
            if (!Utils.checkCallerAllowManagedProfiles(mService)) {
                Log.w(TAG, "createBond() - Not allowed for non-active user");
                return false;
            }

            //实例化蓝牙服务
            AdapterService service = getService();
            
            if (service == null) {
                return false;
            }
            //调用蓝牙服务中的createBond方法
            return service.createBond(device, transport, null);
        }
}

 即,应用层触发的配对动作,最后会通过AIDL接口以及AIDL实现类,最终传递到蓝牙服务层的AdapterService.java中,下面看下AdapterService.java中是如何进行配对的,部分代码如下:

boolean createBond(BluetoothDevice device, int transport, OobData oobData) {
        //检查蓝牙相关的配对,连接,发现,配对,等权限是否持有
        enforceCallingOrSelfPermission(BLUETOOTH_ADMIN_PERM, "Need BLUETOOTH ADMIN permission");
        //获取下设备的属性
        DeviceProperties deviceProp = mRemoteDevices.getDeviceProperties(device);
        if (deviceProp != null && deviceProp.getBondState() != BluetoothDevice.BOND_NONE) {
            //如果当前设备已经配对或者设备属性为空那么返回false
            return false;
        }
        //设置本地设备的绑定状态
        mRemoteDevices.setBondingInitiatedLocally(Utils.getByteAddress(device));

        // Pairing is unreliable while scanning, so cancel discovery
        // Note, remove this when native stack improves
        //取消扫描,具体参见上边的英文。
        cancelDiscoveryNative();

        //构建一个含有配对动作的MSG消息
        Message msg = mBondStateMachine.obtainMessage(BondStateMachine.CREATE_BOND);
        //并将设备以及transport传入消息中
        msg.obj = device;
        msg.arg1 = transport;

        if (oobData != null) {
            Bundle oobDataBundle = new Bundle();
            oobDataBundle.putParcelable(BondStateMachine.OOBDATA, oobData);
            msg.setData(oobDataBundle);
        }
        //将消息发送给配对相关的状态机,并返回true
        mBondStateMachine.sendMessage(msg);
        return true;
    }

到这里,就开始进入BondStateMachine.java中进行消息的处理了~ ,先来看下这个状态机中的状态:

BondStateMachine.java - OpenGrok cross reference for /packages/apps/Bluetooth/src/com/android/bluetooth/btservice/BondStateMachine.java

  //该状态机名为BondStateMachine.java
  //其中定义了两个状态

  //PendingCommandState是等待蓝牙配对命令的状态
  private PendingCommandState mPendingCommandState = new PendingCommandState();

  //StableState是指已经完成蓝牙配对的状态
  private StableState mStableState = new StableState();

综上所述,发送配对msg后,会进入PendingCommandState状态下进行处理,部分代码如下:

  private class PendingCommandState extends State {
        private final ArrayList mDevices = new ArrayList();

        @Override
        public void enter() {
            infoLog("Entering PendingCommandState State");
            BluetoothDevice dev = (BluetoothDevice) getCurrentMessage().obj;
        }

        @Override
        public boolean processMessage(Message msg) {
            BluetoothDevice dev = (BluetoothDevice) msg.obj;
            DeviceProperties devProp = mRemoteDevices.getDeviceProperties(dev);
            boolean result = false;
            if (mDevices.contains(dev) && msg.what != CANCEL_BOND
                    && msg.what != BONDING_STATE_CHANGE && msg.what != SSP_REQUEST
                    && msg.what != PIN_REQUEST) {
                deferMessage(msg);
                return true;
            }

            switch (msg.what) {
                case CREATE_BOND:
                    //接到建立连接消息后
                    OobData oobData = null;
                    if (msg.getData() != null) {
                    //为oob数据赋值
                        oobData = msg.getData().getParcelable(OOBDATA);
                    }
                    //调用createBond方法,建立配对
                    result = createBond(dev, msg.arg1, oobData, false);
                    break;

                    //其余代码已省略...
}

        可以看到,接收到含有CREATE_BOND的msg之后,会调用createBond方法,部分代码如下:

private boolean createBond(BluetoothDevice dev, int transport, OobData oobData,
            boolean transition) {
                //如果当前的配对状态为NONE,则开始执行配对,否则直接返回false
        if (dev.getBondState() == BluetoothDevice.BOND_NONE) {
            infoLog("Bond address is:" + dev);
            //将设备的地址转换为addr的数组
            byte[] addr = Utils.getBytesFromAddress(dev.getAddress());
            boolean result;
            //根据是否有oobData来选择对应的协议栈接口方法建立配对关系
            if (oobData != null) {
                result = mAdapterService.createBondOutOfBandNative(addr, transport, oobData);
            } else {
                //先看无oobdata的建立配对,此处直接调用了协议栈提供的接口,也就是调用到JNI层
                result = mAdapterService.createBondNative(addr, transport);
            }
            StatsLog.write(StatsLog.BLUETOOTH_BOND_STATE_CHANGED,
                    mAdapterService.obfuscateAddress(dev), transport, dev.getType(),
                    BluetoothDevice.BOND_BONDING,
                    oobData == null ? BluetoothProtoEnums.BOND_SUB_STATE_UNKNOWN
                            : BluetoothProtoEnums.BOND_SUB_STATE_LOCAL_OOB_DATA_PROVIDED,
                    BluetoothProtoEnums.UNBOND_REASON_UNKNOWN);
                    //如果建立成功 配对状态写入StatsLog
            if (!result) {
                StatsLog.write(StatsLog.BLUETOOTH_BOND_STATE_CHANGED,
                        mAdapterService.obfuscateAddress(dev), transport, dev.getType(),
                        BluetoothDevice.BOND_NONE, BluetoothProtoEnums.BOND_SUB_STATE_UNKNOWN,
                        BluetoothDevice.UNBOND_REASON_REPEATED_ATTEMPTS);
                // Using UNBOND_REASON_REMOVED for legacy reason
                sendIntent(dev, BluetoothDevice.BOND_NONE, BluetoothDevice.UNBOND_REASON_REMOVED);
                return false;
            } else if (transition) {
                //如果传入了需要转换的状态,则进行转换
                transitionTo(mPendingCommandState);
            }
            return true;
        }
        return false;
    }

       根据oobData分别调用不同的协议栈接口,我们主要先分析下createBondNative(addr, transport)方法。

com_android_bluetooth_btservice_AdapterService.cpp - OpenGrok cross reference for /packages/apps/Bluetooth/jni/com_android_bluetooth_btservice_AdapterService.cpp

//承接上面代码中调用JNI层接口的动作  result = mAdapterService.createBondNative(addr, transport);

//最终会传递到一个.cpp文件中 -> com_android_bluetooth_btservice_AdapterService.cpp

//代码如下:

static jboolean createBondNative(JNIEnv* env, jobject obj, jbyteArray address,
                                 jint transport) {
  ALOGV("%s", __func__);

  if (!sBluetoothInterface) return JNI_FALSE;

  jbyte* addr = env->GetByteArrayElements(address, NULL);
  if (addr == NULL) {
    jniThrowIOException(env, EINVAL);
    return JNI_FALSE;
  }

  //调用hal(硬件层)的配对方法,传入要配对的地址以及传输方式
  int ret = sBluetoothInterface->create_bond((RawAddress*)addr, transport);
  env->ReleaseByteArrayElements(address, addr, 0);
  return (ret == BT_STATUS_SUCCESS) ? JNI_TRUE : JNI_FALSE;
}

进入蓝牙协议栈处理

执行完,上述代码,就会进入蓝牙协议栈的逻辑处理。

执行create_bond方法,部分代码如下

bluetooth.cc - OpenGrok cross reference for /system/bt/btif/src/bluetooth.cc

static int create_bond(const RawAddress* bd_addr, int transport) {
  /* sanity check */
  if (!interface_ready()) return BT_STATUS_NOT_READY;

  //返回btif_dm_create_bond方法的配对结果
  return btif_dm_create_bond(bd_addr, transport);
}

而执行create_bond方法后会返回btif_dm_create_bond方法的配对结果,btif_dm_create_bond方法的部分代码如下:

btif_dm.cc - OpenGrok cross reference for /system/bt/btif/src/btif_dm.cc

bt_status_t btif_dm_create_bond(const RawAddress* bd_addr, int transport) {
  btif_dm_create_bond_cb_t create_bond_cb;
  create_bond_cb.transport = transport;
  create_bond_cb.bdaddr = *bd_addr;

  BTIF_TRACE_EVENT("%s: bd_addr=%s, transport=%d", __func__,
                   bd_addr->ToString().c_str(), transport);
  //如果配对状态不为NONE,则返回一个BUSY状态
  if (pairing_cb.state != BT_BOND_STATE_NONE) return BT_STATUS_BUSY;

  btif_stats_add_bond_event(*bd_addr, BTIF_DM_FUNC_CREATE_BOND,
                            pairing_cb.state);

  //将BTIF_DM_CB_CREATE_BOND事件发送到btif_dm_generic_evt方法中进行处理
  btif_transfer_context(btif_dm_generic_evt, BTIF_DM_CB_CREATE_BOND,
                        (char*)&create_bond_cb,
                        sizeof(btif_dm_create_bond_cb_t), NULL);

  //表示对配动作启动
  return BT_STATUS_SUCCESS;
}

事件传入 btif_dm_generic_evt后,btif_dm_generic_evt会根据不同的事件进行处理,当case到配对事件时,会执行如下代码:

static void btif_dm_generic_evt(uint16_t event, char* p_param) {
  BTIF_TRACE_EVENT("%s: event=%d", __func__, event);
  switch (event) {
    //省略部分代码
    case BTIF_DM_CB_CREATE_BOND: {
      pairing_cb.timeout_retries = NUM_TIMEOUT_RETRIES;
      btif_dm_create_bond_cb_t* create_bond_cb =
          (btif_dm_create_bond_cb_t*)p_param;
        //这里会调用本地的btif_dm_cb_create_bond方法
      btif_dm_cb_create_bond(create_bond_cb->bdaddr, create_bond_cb->transport);
    } break;

//省略部分代码
}

而调用btif_dm_cb_create_bond方法时,会回调配对状态的变化,部分代码如下:

tatic void btif_dm_cb_create_bond(const RawAddress& bd_addr,
                                   tBTA_TRANSPORT transport) {
  bool is_hid = check_cod(&bd_addr, COD_HID_POINTING);
  bond_state_changed(BT_STATUS_SUCCESS, bd_addr, BT_BOND_STATE_BONDING);
  //省略部分代码,咱们只看状态回调,上面就已经开始将状态转换为“绑定中”
 if (is_hid && (device_type & BT_DEVICE_TYPE_BLE) == 0) {
    bt_status_t status;
    status = (bt_status_t)btif_hh_connect(&bd_addr);
    if (status != BT_STATUS_SUCCESS)
      bond_state_changed(status, bd_addr, BT_BOND_STATE_NONE);
  } else {
    BTA_DmBondByTransport(bd_addr, transport);
  }
  /*  Track  originator of bond creation  */
  pairing_cb.is_local_initiated = true;

}

而最终会调用BTA_DmBondByTransport去向下传递进而完成配对动作的向下传递,这部分代码偏向硬件,我就不过多叙述了,主要还是看下状态如何回调到应用层的。(PS:主要是二两也不太会,怕说错了误人子弟)

配对状态是如何回调到应用层的呢?

回调的位置还是在http://aospxref.com/android-10.0.0_r47/xref/system/bt/btif/src/btif_dm.cc

 方法bond_state_changed负责接收状态的改变并回调给上层,部分代码如下:

static void bond_state_changed(bt_status_t status, const RawAddress& bd_addr,
                               bt_bond_state_t state) {
  btif_stats_add_bond_event(bd_addr, BTIF_DM_FUNC_BOND_STATE_CHANGED, state);

  //检查设备的配对是否在进行中
  if ((pairing_cb.state == state) && (state == BT_BOND_STATE_BONDING)) {
    // Cross key pairing so send callback for static address
    if (!pairing_cb.static_bdaddr.IsEmpty()) {
      auto tmp = bd_addr;
   //回调bond_state_changed_cb
      HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state);
    }
    return;
  }

    //判断是否为临时配对 如果是state设置为BT_BOND_STATE_NONE
  if (pairing_cb.bond_type == BOND_TYPE_TEMPORARY) state = BT_BOND_STATE_NONE;

  BTIF_TRACE_DEBUG("%s: state=%d, prev_state=%d, sdp_attempts = %d", __func__,
                   state, pairing_cb.state, pairing_cb.sdp_attempts);

  auto tmp = bd_addr;
  HAL_CBACK(bt_hal_cbacks, bond_state_changed_cb, status, &tmp, state);

  int dev_type;
  if (!btif_get_device_type(bd_addr, &dev_type)) {
    dev_type = BT_DEVICE_TYPE_BREDR;
  }

  if (state == BT_BOND_STATE_BONDING ||
      (state == BT_BOND_STATE_BONDED && pairing_cb.sdp_attempts > 0)) {
    // Save state for the device is bonding or SDP.
    pairing_cb.state = state;
    pairing_cb.bd_addr = bd_addr;
  } else {
    pairing_cb = {};
  }
}

而回调bond_state_changed_cb要通知到应用层,就需要从下往上,通过JNI然后再通过蓝牙服务最终传递到应用层。

而bond_state_changed_cb是如何通知到JNI的呢?这就需要了解另一个文件

bluetooth.h - OpenGrok cross reference for /system/bt/include/hardware/bluetooth.h

在bluetooth.h中,bond_state_changed_cb方法被声明成bond_state_changed_callback,如下:

typedef struct {
  /** set to sizeof(bt_callbacks_t) */
  size_t size;
  adapter_state_changed_callback adapter_state_changed_cb;
  adapter_properties_callback adapter_properties_cb;
  remote_device_properties_callback remote_device_properties_cb;
  device_found_callback device_found_cb;
  discovery_state_changed_callback discovery_state_changed_cb;
  pin_request_callback pin_request_cb;
  ssp_request_callback ssp_request_cb;
   //在这里 在这里!
  bond_state_changed_callback bond_state_changed_cb;
  acl_state_changed_callback acl_state_changed_cb;
  callback_thread_event thread_evt_cb;
  dut_mode_recv_callback dut_mode_recv_cb;
  le_test_mode_callback le_test_mode_cb;
  energy_info_callback energy_info_cb;
} bt_callbacks_t;

而最终这个bluetooth.h会被com_android_bluetooth_btservice_AdapterService.cpp引用,

com_android_bluetooth_btservice_AdapterService.cpp - OpenGrok cross reference for /packages/apps/Bluetooth/jni/com_android_bluetooth_btservice_AdapterService.cpp部分代码如下:


#include 
//引用bluetooth.h

//配对状态改变回调
static void bond_state_changed_callback(bt_status_t status, RawAddress* bd_addr,
                                        bt_bond_state_t state) {
  //用于处理回调函数
  CallbackEnv sCallbackEnv(__func__);
  if (!sCallbackEnv.valid()) return;

  if (!bd_addr) {
    ALOGE("Address is null in %s", __func__);
    return;
  }

  ScopedLocalRef addr(
      sCallbackEnv.get(), sCallbackEnv->NewByteArray(sizeof(RawAddress)));
  if (!addr.get()) {
    ALOGE("Address allocation failed in %s", __func__);
    return;
  }
  sCallbackEnv->SetByteArrayRegion(addr.get(), 0, sizeof(RawAddress),
                                   (jbyte*)bd_addr);
 //调用Java层的回调函数,将对应状态以及地址和绑定状态作为参数传递
  sCallbackEnv->CallVoidMethod(sJniCallbacksObj, method_bondStateChangeCallback,
                               (jint)status, addr.get(), (jint)state);
}

顺便看下,它是如何映射到JNI的回调方法的,代码如下:

jclass jniCallbackClass =
      env->FindClass("com/android/bluetooth/btservice/JniCallbacks");

 method_bondStateChangeCallback =
      env->GetMethodID(jniCallbackClass, "bondStateChangeCallback", "(I[BI)V");

通过此回调就算是通知到了JNI的接口

JniCallbacks.java - OpenGrok cross reference for /packages/apps/Bluetooth/src/com/android/bluetooth/btservice/JniCallbacks.java

 其中回调部分的代码如下:

 void bondStateChangeCallback(int status, byte[] address, int newState) {
          mBondStateMachine.bondStateChangeCallback(status, address, newState);
       }

可以看到,这个状态的回调会再次通知到配对的状态机,而状态发生更新后,状态机通过接收对应的msg,来进行相应状态的转换或者其他代码的执行,代码如下:

void bondStateChangeCallback(int status, byte[] address, int newState) {
        BluetoothDevice device = mRemoteDevices.getDevice(address);

        if (device == null) {
            infoLog("No record of the device:" + device);
            // This device will be added as part of the BONDING_STATE_CHANGE intent processing
            // in sendIntent above
            device = mAdapter.getRemoteDevice(Utils.getAddressStringFromByte(address));
        }

        infoLog("bondStateChangeCallback: Status: " + status + " Address: " + device + " newState: "
                + newState);

        Message msg = obtainMessage(BONDING_STATE_CHANGE);
        msg.obj = device;

        if (newState == BOND_STATE_BONDED) {
            msg.arg1 = BluetoothDevice.BOND_BONDED;
        } else if (newState == BOND_STATE_BONDING) {
            msg.arg1 = BluetoothDevice.BOND_BONDING;
        } else {
            msg.arg1 = BluetoothDevice.BOND_NONE;
        }
        msg.arg2 = status;

        sendMessage(msg);
    }

至此,整个配对的流程就梳理完了。

整个配对流程较冗长,但是我也实在不想分两篇来写,各位厚米多担待。

而且从JNI到蓝牙协议栈的处理梳理的并不到位,如果有懂行的大佬欢迎交流~

ps:我也是小白,刚看蓝牙源码不久,如果有哪里解释的不对,欢迎各位大神指点!

文章会同步上传到公众号上(二两仙气儿),欢迎同好一起交流学习。

你可能感兴趣的:(Android,Bluetooth开发,android,开发语言)