From URL: https://github.com/cozybit/onboarding/wiki/bluedroid-notes
1. Start by diving into external/bluetooth/bluedroid
2. Enable debug messages in external/bluetooth/bluedroid/conf/bt_stack.conf
for instance...
TRC_BTIF=5
TRC_BTM=5
Rebuild, reflash and see in adb logcat...
D/bt-btm ( 1868): BTM_GetHCIConnHandle
D/bt-btif ( 1868): in, bd addr:00:1f:f3:af:a2:3b, prop type:1, len:9
D/BtGatt.btif( 1204): btif_gattc_update_properties BLE device name=JloDev len=6 dev_type=2
More info on debugging here:
https://wiki.mozilla.org/B2G/Bluetooth-bluedroid
and
https://github.com/eric30/bluedroid-log-tool
3. Rebuild
. build/envsetup.sh # only first time
lunch # only first time
cd external/bluetooth/bluedroid
mm
4. Push
adb sync
5. Reload the framework
adb shell stop
adb shell start
6. Example of how to trace a call:
1. API: http://developer.android.com/guide/topics/connectivity/bluetooth-le.html
2. Pick a function, say BluetoothManager.getAdapter()
3. Goto: frameworks/base/core/java/android/bluetooth
4. Implemented in BluetoothManager.java, interface defined in IBluetooth.aidl
BluetoothManager.getAdapter() returns the adapter returned by BluetoothAdapter.getDefaultAdapter()
5. BluetoothAdapter.getDefaultAdapter binds to BLUETOOTH_MANAGER_SERVICE
6. Service is implemented here: frameworks/base/services/java/com/android/server/BluetoothManagerService.java
7. a bit lost here, but this service is bound to *another service*. The other services we connect to are:
com.android.bluetooth.gatt.GattService
and
com.android.bluetooth.btservice.AdapterService
8. And these two live here: packages/apps/Bluetooth/src/com/android/bluetooth/btservice
9. And those services define native functions, defined here: packages/apps/Bluetooth/jni
10. These native functions call Android's BT HAL interface, defined here: hardware/libhardware/include/hardware/bluetooth.h
11. bluedroid implements this HAL, and we know it lives here: external/bluetooth/bluedroid
12. And bluedroid allows vendors to provide their own bluetooth driver *below* their stack. bt-vendor
Another more interesting call tree:
1. API: BluetoothAdapter.startLeScan()
2. BluetoothAdapter.java:
public boolean startLeScan (...)
3. IBluetoothManager.getBluetoothGatt()
in frameworks/base/services/java/com/android/server
# This Gatt is the bluetooth service (i.e. under
# packages/apps/Bluetooth/src/com/android/bluetooth). The Bluetooth
# framework service is just a minimal services used to decoupling the
# Bluetooth client from the specific Bluetooth stack implementation.
4. # Now the client has an instance of the bt gatt service and can call it directly
IBluetoothGatt.registerClient(uuid)
implemented in packages/apps/Bluetooth/src/com/android/bluetooth/gatt/GattService.java
5. jni is gattClientRegisterAppNative()
implemented in packages/apps/Bluetooth/jni/com_android_bluetooth_gatt.cpp
6. Previous function calls register_client, a callback defined in the bluetooth HAL
hardware/libhardware/include/hardware/bt_gatt_client.h
7. Bluedroid now defines the callbacks for btgatt_client_interface_t, in btif/src/btif_gatt_client.c
register_client is actually called btif_gattc_register_app()
That is for calls _from_ android into _bluedroid_
8. The HAL also defines callbacks for bluedroid calls _into_ Android. For register client, this is register_client_cb,
defined in the HAL file hardware/libhardware/include/hardware/bt_gatt_client.h
and invoked by bluedroid in external/bluetooth/bluedroid/btif/src/btif_gatt_client.c, with macro HAL_CBACK(bt_gatt_callbacks, client->register_client_cb, ...
9. The same function will handle all the BTIF_GATTC_REGISTER_APP event will also implement BTIF_GATTC_SCAN_START, etc.
10.And following with SCAN_START... yet another message: bta_sys_sendmsg(BTA_DM_API_BLE_OBSERVE_EVT, ...)
-> tBTA_DM_API_BLE_OBSERVE
-> bta_dm_ble_observe
-> BTM_BleObserve
7. Onto my goal: enter advertising mode.
How? Hijack scanning above. Funtion BTM_BleObserve could call BTM_BleSetAdvParams?
Need to craft arguments...
int_min > BTM_BLE_ADV_INT_MIN = 0x20, pick 0x500
int_max < BTM_BLE_ADV_INT_MAX = 0x4000, pick 0x1000
p_dir_bda can be NULL, in fact that is what we want
We also want to call GATT_Listen() so BTM_BLE_CONNECTABLE is set.
In fact, GATT_Listen() seems to start advertising...
Hmmm, looks like the hal defines also a btgatt_server_interface_t that is not hooked up to jni. Only the gatt client is (btgatt_interface_t *)
Redefine goal: start a gatt server. hack it to it does advertising. How?
1. public BluetoothGattServer BluetoothManager::openGattServer(Context context, BluetoothGattServerCallback callback)
# This creates a new BluetoothGattServer and connects it to an IBluetoothGatt service.
2. On BluetoothGattServer we can now registerCallback() which will send a registerServer() call to the IBluetoothGatt service.
3. Confirming that that makes it all the way down...
registerServer() -> gattServerRegisterAppNative(uuid) -> hal:btgatt_server_interface_t->register_server () -> bludroid:btif_gatts_register_app() ->
-> BTIF_GATTS_REGISTER_APP -> BTA_GATTS_AppRegister -> BTA_GATTS_API_REG_EVT -> bta_gatts_register -> GATT_Register() -> ...
Yes.
4. Now you can BluetoothGattServer::addService() which will parse the given service and convert it into calls to:
beginServiceDeclaration()
*addIncludedService()
*addCharacteristic()
*addDescriptor()
endServiceDeclaration()
The bt service will convert those into native calls:
gattServerAddServiceNative()
gattServerAddCharacteristicNative()
gattServerAddDescriptorNative()
gattServerStartServiceNative()
which correspond to
btif_gatts_add_service()
btif_gatts_add_characteristic()
btif_gatts_add_descriptor()
btif_gatts_start_service()
5. This last function will call:
BTIF_GATTS_START_SERVICE -> BTA_GATTS_StartService -> BTA_GATTS_API_START_SRVC_EVT -> bta_gatts_start_service -> GATTS_StartService
But the above sequence does not seem to ever turn on LE advertisements. This seems to happen in GATT_Listen() which is never called.
So the plan would be:
1. ask JLO to help me write an app that makes the three calls above:
BluetoothManager::openGattServer
<create a minimal service>
BluetoothGattServer::addService
2. confirm the above call trace is accurate and that we see GATT_TRACE_API0 ("GATTS_StartService") log messages.
3. modify GATTS_StartService to start listening/advertising and pray
by just adding a call to GATT_Listen:
diff --git a/stack/gatt/gatt_api.c b/stack/gatt/gatt_api.c
index ef437e1..b2422e6 100644
--- a/stack/gatt/gatt_api.c
+++ b/stack/gatt/gatt_api.c
@@ -542,6 +542,7 @@ tGATT_STATUS GATTS_StartService (tGATT_IF gatt_if, UINT16 service_handle,
GKI_freebuf (GKI_remove_from_queue (&gatt_cb.pending_new_srv_start_q, p_buf));
}
+ GATT_Listen(gatt_if, TRUE, 0);
return GATT_SUCCESS;
}
6. Now write an app that will:
1. public BluetoothGattServer BluetoothManager::openGattServer(Context context, BluetoothGattServerCallback callback)
# This creates a new BluetoothGattServer and connects it to an IBluetoothGatt service.
2. On BluetoothGattServer we can now registerCallback() which will send a registerServer() call to the IBluetoothGatt service.
3. Now you can BluetoothGattServer::addService() which will parse and install the given service
7. And voila! When you run the app, the device will enter peripheral mode and advertise the new service.
Tested with iPhone LightBlue app.
The logs:
D/bt-att (12063): GATTS_CreateService(success): handles needed:3 s_hdl=40 e_hdl=42 uuid128[134a] is_primary=1
D/BtGatt.btif(12063): btif_gatts_add_characteristic
D/BtGatt.btif(12063): btgatts_handle_event: Event 2006
D/BtGatt.btif(12063): btapp_gatts_handle_cback: Event 9
D/BtGatt.btif(12063): btif_gatts_start_service
I/bt-att (12063): GATTS_StartService
I/bt-att (12063): GATT_Listen gatt_if=4
D/bt-att (12063): read_attr_value uuid=0x2803 perm=0x1 sec_flag=0x0 offset=0 read_long=0
Yeah!