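Although Android 4.2 replaced the Bluetooth protocol stack with Bluedroid, BlueZ is still a good entry point for understanding the low-level implementation, because Bluedroid's tools are limited.
If you only want to browse the source code, the following link is convenient: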
https://android.googlesource.com/platform/external/bluetooth/bluez/+/android-4.1.2_r1
android / platform/external/bluetooth/bluez / android-4.1.2_r1
- .gitignore
- .mailmap
- AUTHORS
- Android.mk
- COPYING
- COPYING.LIB
- ChangeLog
- CleanSpec.mk
- INSTALL
- MODULE_LICENSE_GPL
- Makefile.am
- Makefile.tools
- NEWS
- NOTICE
- README
- TODO
- ThirdPartyProject.prop
- acinclude.m4
- attrib/
- audio/
- bluez.pc.in
- bootstrap
- bootstrap-configure
- btio/
- common/
- compat/
- configure.ac
- cups/
- doc/
- gdbus/
- health/
- input/
- lib/
- network/
- plugins/
- sap/
- sbc/
- scripts/
- serial/
- src/
- test/
- tools/
- tracer/
[android-platform] BlueZ vs. Bluedroid stack on JB? - Grokbase
grokbase.com › ... › android-platform › October 2012
8 October 2012 – Is it going to replace the BlueZ stack with the Bluedroid stack in ...Question regarding qualification and tools for bluedroid · Support for non ...
Blue Creation - Android 4.2 integrates Broadcom Bluedroid stack!
www.bluecreation.com/.../android-dumps-bluez-and-integrates-broadcom-...
All we gathered until now is that Bluedroid was contributed by Broadcom and is .....regard to internet gain e-mails artful multinational companies globe this tool, ...
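The links below are kept for reference:
Bluetooth HCI protocol analysis: data packets.txt - Notepad_Baidu Wenku
Bluetooth HCI commands
Bluetooth testing experience: hcidump
Capturing a log with hcidump:
1 Turn on Bluetooth
2 Log in to the Android device with adb shell and run "hcidump -w /sdcard/hcilog"
3 Start the test
4 When the test is finished, stop hcidump and then analyse the "hcilog" file.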
C:\Users\kang-ibm>adb shell
$ hcidump -B -w /sdcard/hcilog
hcidump -B -w /sdcard/hcilog
hcidump: permission denied (insufficient privileges; use su)
http://fecbob.pixnet.net/blog/post/35756993
# hcidump -x
< HCI Command: Vendor (0x3f|0x0280) plen 5
09 01 00 00 00
> HCI Event: Command Status (0x0f) plen 4
00 01 80 FE
> HCI Event: Command Complete (0x0e) plen 6
01 80 FE 00 09 00
< HCI Command: Vendor (0x3f|0x0280) plen 5
03 7C A5 01 00
> HCI Event: Command Status (0x0f) plen 4
00 01 80 FE
> HCI Event: Command Complete (0x0e) plen 10
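01 80 FE FF 03 15 7C A5 01 00
< marks an HCI command being sent
> marks a response being received
hcidump receives the raw data from the kernel; it corresponds to the three kvec entries in the kernel's send_general_cmd and has three parts:
Part 1, kvec[0]: the packet type
Part 2, kvec[1]: the message header, containing the opcode and the data length. In the 0x3f|0x0280 that hcidump displays, the first part is the upper 6 bits of the opcode, the OGF, and the second part is the lower 10 bits, the OCF
Part 3, kvec[2]: the buffer that hcidump prints. In a command being sent, the first byte is the command idx and the following four bytes are val
After sending a command, the Bluetooth driver uses kernel_recvmsg to receive messages from the kernel socket. The received messages may look like this:
Response: 04 0e 0a 01 80 fe 00 03 00 7c a5 01 00
Event: 04 ff 05 82 00 00 00 00
How these messages are interpreted depends on the vendor. For the product I am working on now, they are parsed like this:
buf[1]: 0e means a command response, ff means an event
buf[2]: the length
buf[3]~buf[n]: the buffer that hcidump prints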
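static int xxxxx_hci_send_general_cmd(struct mrvl8xxx_device *dev, uint8_t ogf,
        uint32_t ocf, uint8_t idx, uint32_t val, uint32_t len)
{
    struct socket *sock = dev->sock;
    uint8_t type = HCI_COMMAND_PKT;
    struct kvec vec[3];
    struct hci_command_hdr hc;
    struct msghdr msg;
    char cmdbuf[8];
    uint8_t cmdlen;
    int err = 0;

    /* len bytes are copied out of the 4-byte val into cmdbuf, so reject
     * anything larger: it would read past val and could overflow cmdbuf */
    if (len > sizeof(val))
        return -EINVAL;

    dev->request.idx = idx;
    dev->request.val = val;
    dev->request.len = len;

    /* payload: 1 byte command idx followed by len bytes of val */
    cmdbuf[0] = idx;
    memcpy(&cmdbuf[1], &val, len);
    cmdlen = len + 1;

    /* header: 16-bit opcode (OGF in the upper 6 bits, OCF in the lower 10),
     * little-endian on the wire, followed by the parameter length */
    hc.opcode = cpu_to_le16((ogf & OGF_MASK) << OGF_SHIFT | (ocf & OCF_MASK));
    hc.plen = cmdlen;

    vec[0].iov_base = &type;            /* packet type */
    vec[0].iov_len = 1;
    vec[1].iov_base = &hc;              /* command header */
    vec[1].iov_len = HCI_COMMAND_HDR_SIZE;
    vec[2].iov_base = cmdbuf;           /* parameters */
    vec[2].iov_len = cmdlen;

    memset(&msg, 0, sizeof(msg));
    /* total size: 1 (type) + 3 (header) + cmdlen */
    err = kernel_sendmsg(sock, &msg, vec, 3, cmdlen + 4);
    if (err < 0)
        printk(KERN_ERR "[fm] mrvl8xxx_hci_sendcmd: failed to kernel_sendmsg, return: %d\n", err);
    return err;
}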
Posted by shadow on PIXNET
Reposted from: http://ggyytony0921.blogspot.com/2011/09/bluetooth-3.html
How to put Bluetooth into test mode, part 3
Below are the two HCI commands provided by the FAE
The actual results of running them:
# hcitool cmd 0x03 0x1a 0x03
hcitool cmd 0x03 0x1a 0x03
< HCI Command: ogf 0x03, ocf 0x001a, plen 1
03
> HCI Event: 0x0e plen 4
01 1A 0C 00
# hcitool cmd 0x06 0x03
hcitool cmd 0x06 0x03
< HCI Command: ogf 0x06, ocf 0x0003, plen 0
> HCI Event: 0x0e plen 4
01 03 18 00
Explanation:
1.0
HCI OGF OCF para1
hcitool cmd 0x03 0x1a 0x03
Quoting the FAE's description
"Before entering test mode, you need to issue the 7.3.18 Write Scan Enable Command on Page 694 (parameter 0x03) so that the module can be found by the tester"
1.1
"hcitool cmd 0x03 0x1a 0x03"
OGF=0x03 OCF=0x1a > this refers to 7.3.18 Write Scan Enable Command
"0x03": the parameter "0x03" means Inquiry Scan enabled + Page Scan enabled.
1.2
"HCI Event: 0x0e plen 4"
"0x0e": per 7.7.14 Command Complete Event, this means the host's command has completed
"plen 4" is the length of the HCI event
"01 1A 0C 00": per 7.7.14 Command Complete Event,
"01" is the number of HCI command packets (indeed there is only one packet)
"1A 0C" is actually the host HCI command's OGF (MSB, 6 bits) + OCF (LSB, 10 bits): 000011 + 0000011010 = 0000 1100 0001 1010 = 0x0C1A
"0": per 7.3.18 Write Scan Enable Command, "0" means Write_Scan_Enable command succeeded.
2.0
HCI OGF OCF
hcitool cmd 0x06 0x03
Quoting the FAE's description
"The 7.6.3 Enable Device Under Test Mode Command on Page 774 has the HCI command for entering DUT mode; please refer to it."
2.1
"hcitool cmd 0x06 0x03"
OGF=0x06 OCF=0x3 > this refers to 7.6.3 Enable Device Under Test Mode Command
2.2
"HCI Event: 0x0e plen 4"
"0x0e": per 7.7.14 Command Complete Event, this means the host's command has completed
"plen 4" is the length of the HCI event
"01 1A 0C 00": per 7.7.14 Command Complete Event,
"01" is the number of HCI command packets (indeed there is only one packet)
"03 18" is actually the host HCI command's OGF (MSB, 6 bits) + OCF (LSB, 10 bits): 000110 + 0000000011 = 0001 1000 0000 0011 = 0x1803
"0": per 7.6.3 Enable Device Under Test Mode Command, "0" means Write_Scan_Enable command succeeded.
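1.
Entry into test mode appears to be defined by the BT spec.
So as long as HCI commands are used, it should apply across the board.
This means that any Bluetooth device that passes BT spec 2.1 can use this method to enter test mode.
2.
The overall test flow
Device under test enters test mode -> the BT test fixture is set up with the test items (our company uses the Agilent N4010A with a PC-side program for remote control)
-> the fixture automatically completes communication with the device under test and collects the data for the test plan -> the PC-side program logs the data from the fixture.
3.
In practice, points 1 to 5 above were just me enjoying the Bluetooth learning process; the real solution only came at point 6.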
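Added example, not code from the original posts or from BlueZ: a bounds-checked parser for the Command Complete event that applies the buf[1]/buf[2] layout and the OGF/OCF split (upper 6 bits and lower 10 bits of the little-endian opcode) described above to this page's own sample bytes. The struct and function names are assumptions, and the 0x04 packet-type byte is prepended to the two hcitool replies, which hcitool prints without it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define H4_EVENT_PKT     0x04  /* packet type byte, buf[0] */
#define EVT_CMD_COMPLETE 0x0e  /* event code, buf[1] */

struct cmd_complete {
    uint8_t ncmd;          /* Num_HCI_Command_Packets */
    uint16_t opcode;       /* sent little-endian on the wire */
    uint8_t ogf;           /* upper 6 bits of the opcode */
    uint16_t ocf;          /* lower 10 bits of the opcode */
    const uint8_t *ret;    /* return parameters; ret[0] is the status when ret_len > 0 */
    size_t ret_len;
};

/* Sample bytes from the dumps on this page (type byte 0x04 added to the hcitool replies). */
const uint8_t RSP_VENDOR[] = {0x04,0x0e,0x0a,0x01,0x80,0xfe,0x00,0x03,0x00,0x7c,0xa5,0x01,0x00};
const uint8_t RSP_SCAN[]   = {0x04,0x0e,0x04,0x01,0x1a,0x0c,0x00};
const uint8_t RSP_DUT[]    = {0x04,0x0e,0x04,0x01,0x03,0x18,0x00};
const uint8_t EVT_VENDOR[] = {0x04,0xff,0x05,0x82,0x00,0x00,0x00,0x00};

/* Returns 0 and fills *out for a well-formed Command Complete, -1 otherwise. */
int parse_cmd_complete(const uint8_t *buf, size_t len, struct cmd_complete *out)
{
    if (!buf || !out || len < 3)
        return -1;
    if (buf[0] != H4_EVENT_PKT || buf[1] != EVT_CMD_COMPLETE)
        return -1;
    size_t plen = buf[2];
    /* plen must cover ncmd + opcode and must not run past the bytes received */
    if (plen < 3 || plen > len - 3)
        return -1;
    out->ncmd = buf[3];
    out->opcode = (uint16_t)(buf[4] | (buf[5] << 8));
    out->ogf = (uint8_t)(out->opcode >> 10);
    out->ocf = out->opcode & 0x03ff;
    out->ret = buf + 6;
    out->ret_len = plen - 3;
    return 0;
}

int main(void)
{
    struct cmd_complete cc;
    if (parse_cmd_complete(RSP_SCAN, sizeof(RSP_SCAN), &cc) == 0)
        printf("ogf 0x%02x ocf 0x%04x status 0x%02x\n", cc.ogf, cc.ocf, cc.ret_len ? cc.ret[0] : 0xff);
    return 0;
}
```

The length check is what keeps a device-supplied plen from steering reads past the received buffer; the vendor event (code ff) is rejected here because its layout is vendor-defined.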
Official documentation
http://linux.die.net/man/8/hcidump
hcidump(8) - Linux man page
Name
hcidump - Parse HCI data
Synopsis
hcidump [-h]
hcidump [option [option...]] [filter]
Description
hcidump reads raw HCI data coming from and going to a Bluetooth device (which can be specified with the option -i, default is the first available one) and prints to screen commands, events and data in a human-readable form. Optionally, the dump can be written to a file rather than parsed, and the dump file can be parsed in a subsequent moment.
Options
-h
    Prints usage info and exits
-i <hciX>
    Data is read from hciX, which must be the name of an installed Bluetooth device. If not specified, and if -r option is not set, data is read from the first available Bluetooth device.
-l <len>, --snap-len=<len>
    Sets max length of processed packets to len.
-p <psm>, --psm=<psm>
    Sets default Protocol Service Multiplexer to psm.
-m <compid>, --manufacturer=<compid>
    Sets default company id for manufacturer to compid.
-w <file>, --save-dump=<file>
    Parse output is not printed to screen, instead data read from device is saved in file file. The saved dump file can be subsequently parsed with option -r.
-r <file>, --read-dump=<file>
    Data is not read from a Bluetooth device, but from file file. file is created with option -w.
-s <host>, --send-dump=<host>
    Parse output is not printed to screen, instead data read from device is sent to host host.
-n <host>, --recv-dump=<host>
    Data is not read from a Bluetooth device, but from host host.
-t, --timestamp
    Prepend a time stamp to every packet.
-a, --ascii
    For every packet, not only is the packet type displayed, but also all data in ASCII.
-x, --hex
    For every packet, not only is the packet type displayed, but also all data in hex.
-X, --ext
    For every packet, not only is the packet type displayed, but also all data in hex and ASCII.
-R, --raw
    For every packet, only the raw data is displayed.
-C, --cmtp=<psm>
    Sets the PSM value for the CAPI Message Transport Protocol.
-H, --hcrp=<psm>
    Sets the PSM value for the Hardcopy Control Channel.
-O, --obex=<channel>
    Sets the RFCOMM channel value for the Object Exchange Protocol.
-P, --ppp=<channel>
    Sets the RFCOMM channel value for the Point-to-Point Protocol.
-D, --pppdump=<file>
    Extract PPP traffic with pppdump format.
-A, --audio=<file>
    Extract SCO audio data.
-B, --btsnoop
    Use the BTSnoop file format.
-V, --verbose
    Enables a more verbose decoding of every packet.
-Y, --novendor
    Don't display any vendor commands or events and don't show any pin code or link key in plain text.
-N, --noappend
    No appending to existing files. Always create new files.
Filters
filter is a space-separated list of packet categories: available categories are lmp, hci, sco, l2cap, rfcomm, sdp, bnep, cmtp, hidp, hcrp, avdtp, avctp, obex, capi and ppp. If filters are used, only packets belonging to the specified categories are dumped. By default, all packets are dumped.
Authors
Written by Maxim Krasnyansky <[email protected]> and Marcel Holtmann <[email protected]>
man page by Fabrizio Gennari <[email protected]>
Analysing Bluetooth Keyboard Traffic with hcidump
Reposted from: http://www.cnblogs.com/wzh206/archive/2010/06/03/1750989.html
Use hcidump tool to analysis BlueZ communication error
http://www.leilife.cn/?p=384
http://wenku.baidu.com/view/e1d89aed172ded630b1cb620.html
HCI Bluetooth adaptor with Linux and Bluez
http://firmware2android.wordpress.com/2013/01/07/hci-bluetooth-adaptor-with-linux-and-bluez/