BLE: Active Scanning vs. Passive Scanning

A BLE (Bluetooth Low Energy) device discovers other nearby BLE devices by scanning. While a BLE device is scanning it is in the scanning state, which is one of the states a BLE device can be in at the LL (Link Layer). Together with the other LL states it forms the state machine shown in the figure below:

A BLE device in the scanning state is called a scanner. Correspondingly, a BLE device that wants to be discovered by other devices is in the advertising state, and is then called an advertiser.

Scanning Type

A BLE device can perform two main kinds of scanning, active scanning and passive scanning (for the more complex scanning cases see ref 2). Which kind is used is controlled by the HCI_LE_Set_Scan_Parameters command. This command carries an LE_Scan_Type parameter; when it is set to 0x00, passive scanning is performed:

Bluetooth HCI Command - LE Set Scan Parameters
    Command Opcode: LE Set Scan Parameters (0x200b)
    Parameter Total Length: 7
    Scan Type: Passive (0x00)
    Scan Interval: 16 (10 msec)
    Scan Window: 16 (10 msec)
    Own Address Type: Public Device Address (0x00)
    Scan Filter Policy: Accept all advertisements, except directed advertisements not addressed to this device (0x00)

When it is set to 0x01, active scanning is performed:

Bluetooth HCI Command - LE Set Scan Parameters
    Command Opcode: LE Set Scan Parameters (0x200b)
    Parameter Total Length: 7
    Scan Type: Active (0x01)
    Scan Interval: 16 (10 msec)
    Scan Window: 16 (10 msec)
    Own Address Type: Public Device Address (0x00)
    Scan Filter Policy: Accept all advertisements, except directed advertisements not addressed to this device (0x00)
    [Response in frame: 2]
    [Command-Response Delta: 1.784ms]

All other values are currently reserved. The HCI_LE_Set_Scan_Parameters command only configures the scan parameters; to actually start scanning, the HCI_LE_Set_Scan_Enable command must be sent as well:

Bluetooth HCI Command - LE Set Scan Enable
    Command Opcode: LE Set Scan Enable (0x200c)
    Parameter Total Length: 2
    Scan Enable: true (0x01)
    Filter Duplicates: true (0x01)
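The two commands above have a fixed wire layout: a little-endian 16-bit opcode, a one-byte parameter total length, and then the parameters in the order Wireshark lists them. The following is an added example (not code from the original post) that builds both packets, validates the parameters before sending, and decodes a packet back into the fields shown in the captures. The opcodes, parameter values and the 0.625 ms unit are from the captures on this page; the range checks are the ones the HCI specification imposes on Scan_Interval and Scan_Window.

```python
import struct

# Opcodes as seen in the captures on this page: OGF 0x08 (LE Controller commands) << 10 | OCF
OPCODE_LE_SET_SCAN_PARAMETERS = 0x200B
OPCODE_LE_SET_SCAN_ENABLE = 0x200C

SCAN_TYPE_PASSIVE = 0x00   # LE_Scan_Type: the scanner never transmits a SCAN_REQ
SCAN_TYPE_ACTIVE = 0x01    # LE_Scan_Type: the scanner sends SCAN_REQ and receives SCAN_RSP

# Scan_Interval and Scan_Window are in units of 0.625 ms (16 units = the 10 ms in the capture)
SCAN_UNIT_MS = 0.625
SCAN_MIN, SCAN_MAX = 0x0004, 0x4000


def hci_command(opcode: int, params: bytes) -> bytes:
    """Frame an HCI command: little-endian 16-bit opcode, parameter total length, parameters."""
    return struct.pack("<HB", opcode, len(params)) + params


def le_set_scan_parameters(scan_type: int, interval: int, window: int,
                           own_addr_type: int = 0x00, filter_policy: int = 0x00) -> bytes:
    """Build HCI_LE_Set_Scan_Parameters (7 parameter bytes), validating the fields first."""
    if scan_type not in (SCAN_TYPE_PASSIVE, SCAN_TYPE_ACTIVE):
        raise ValueError("LE_Scan_Type: only 0x00 (passive) and 0x01 (active) are defined")
    for name, value in (("Scan_Interval", interval), ("Scan_Window", window)):
        if not SCAN_MIN <= value <= SCAN_MAX:
            raise ValueError(f"{name} 0x{value:04x} is outside 0x0004..0x4000")
    if window > interval:
        raise ValueError("Scan_Window must not exceed Scan_Interval")
    params = struct.pack("<BHHBB", scan_type, interval, window, own_addr_type, filter_policy)
    return hci_command(OPCODE_LE_SET_SCAN_PARAMETERS, params)


def le_set_scan_enable(enable: bool, filter_duplicates: bool) -> bytes:
    """Build HCI_LE_Set_Scan_Enable (2 parameter bytes); send it after the parameters."""
    return hci_command(OPCODE_LE_SET_SCAN_ENABLE,
                       struct.pack("<BB", int(enable), int(filter_duplicates)))


def decode_scan_parameters(packet: bytes) -> dict:
    """Decode an HCI_LE_Set_Scan_Parameters packet back into the fields Wireshark displays."""
    opcode, plen = struct.unpack_from("<HB", packet)
    if opcode != OPCODE_LE_SET_SCAN_PARAMETERS or plen != 7 or len(packet) != 3 + plen:
        raise ValueError("not a well-formed HCI_LE_Set_Scan_Parameters packet")
    scan_type, interval, window, own_addr_type, filter_policy = struct.unpack_from("<BHHBB", packet, 3)
    return {
        "ogf": opcode >> 10,        # 0x08: LE Controller command group
        "ocf": opcode & 0x03FF,     # 0x000B
        "scan_type": "Active" if scan_type == SCAN_TYPE_ACTIVE else "Passive",
        "interval_ms": interval * SCAN_UNIT_MS,
        "window_ms": window * SCAN_UNIT_MS,
        "own_address_type": own_addr_type,
        "filter_policy": filter_policy,
    }


if __name__ == "__main__":
    for scan_type in (SCAN_TYPE_PASSIVE, SCAN_TYPE_ACTIVE):
        pkt = le_set_scan_parameters(scan_type, interval=16, window=16)
        print(pkt.hex(), decode_scan_parameters(pkt))
    print(le_set_scan_enable(True, True).hex())
```

The passive packet encodes to `0b200700100010000000` and the active one differs only in the LE_Scan_Type byte; a window larger than the interval, or a reserved LE_Scan_Type value, is rejected before anything reaches the controller.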

The data flow of passive scanning is as follows [3]:

The data flow of active scanning is as follows [4]:

Stealthiness of Active Scanning vs. Passive Scanning

Passive scanning only listens quietly at the LL for whatever advertising PDUs pass through the air and never transmits any data of its own. Passive scanning is therefore very stealthy and reveals no information about the scanner.

Active scanning, besides receiving advertising PDUs from the air just as passive scanning does, also sends a SCAN_REQ PDU to the advertiser and then receives the SCAN_RSP PDU the advertiser replies with, thereby obtaining more information about the advertiser:

However, the SCAN_REQ PDU carries the scanner's address, the ScanA field in the figure above, which may reveal the scanner's identity. Therefore, when performing active scanning, it is best to use spooftooph to spoof our own BD_ADDR so that the real BD_ADDR is not exposed.

Parsing the Scan Results

Whether active or passive scanning is used, the scan results are returned to the host as HCI_LE_Advertising_Report events. The Event_Type parameter carried by this event takes the following 5 values [5], which indicate the kind of advertising PDU the result came from:

Value Description
0x00 ADV_IND PDU
0x01 ADV_DIRECT_IND PDU
0x02 ADV_SCAN_IND PDU
0x03 ADV_NONCONN_IND PDU
0x04 SCAN_RSP PDU
All other values RFU

In the returned results, the difference between passive and active scanning shows up in the SCAN_RSP PDU: active scanning is able to return SCAN_RSP PDUs, whereas passive scanning can never return a SCAN_RSP PDU.

The actual data obtained by the scan is stored in the Data parameter. This parameter also has a protocol-defined format; put simply, it is an array of AD (Advertising Data) structures. The format of an AD structure is as follows [6]:

+--------+-------------------+
| Length | Data              |
+--------+-------------------+
         | AD Type | AD Data |
         +-------------------+

The meaning of AD Type is defined by the GAP (Generic Access Profile).

Here are two examples. First, a passive scan returns the following scan result:

Bluetooth HCI Event - LE Meta
    Event Code: LE Meta (0x3e)
    Parameter Total Length: 30
    Sub Event: LE Advertising Report (0x02)
    Num Reports: 1
    Event Type: Connectable Undirected Advertising (0x00)
    Peer Address Type: Public Device Address (0x00)
    BD_ADDR: Espressi_9c:07:06 (24:0a:c4:9c:07:06)
    Data Length: 18
    Advertising Data
        Flags
            Length: 2
            Type: Flags (0x01)
            1.   .... = Reserved: 0x0
            ...0 .... = Simultaneous LE and BR/EDR to Same Device Capable (Host): false (0x0)
            .... 0... = Simultaneous LE and BR/EDR to Same Device Capable (Controller): false (0x0)
            .... .1.. = BR/EDR Not Supported: true (0x1)
            .... ..1. = LE General Discoverable Mode: true (0x1)
            .... ...0 = LE Limited Discoverable Mode: false (0x0)
        Tx Power Level
            Length: 2
            Type: Tx Power Level (0x0a)
            Power Level (dBm): -21
        16-bit Service Class UUIDs
            Length: 3
            Type: 16-bit Service Class UUIDs (0x03)
            UUID 16: Unknown (0x00ff)
        Device Name: BLECTF
            Length: 7
            Type: Device Name (0x09)
            Device Name: BLECTF
    RSSI: -65dBm

Second, active scanning returns the following scan result, which comes from a SCAN_RSP PDU:

Bluetooth HCI Event - LE Meta
    Event Code: LE Meta (0x3e)
    Parameter Total Length: 22
    Sub Event: LE Advertising Report (0x02)
    Num Reports: 1
    Event Type: Scan Response (0x04)
    Peer Address Type: Public Device Address (0x00)
    BD_ADDR: Espressi_9c:07:06 (24:0a:c4:9c:07:06)
    Data Length: 10
    Advertising Data
        Flags
            Length: 2
            Type: Flags (0x01)
            1.   .... = Reserved: 0x0
            ...0 .... = Simultaneous LE and BR/EDR to Same Device Capable (Host): false (0x0)
            .... 0... = Simultaneous LE and BR/EDR to Same Device Capable (Controller): false (0x0)
            .... .1.. = BR/EDR Not Supported: true (0x1)
            .... ..1. = LE General Discoverable Mode: true (0x1)
            .... ...0 = LE Limited Discoverable Mode: false (0x0)
        Tx Power Level
            Length: 2
            Type: Tx Power Level (0x0a)
            Power Level (dBm): -21
        16-bit Service Class UUIDs
            Length: 3
            Type: 16-bit Service Class UUIDs (0x03)
            UUID 16: Unknown (0x00ff)
    RSSI: -68dBm

In Practice, Active Scanning Is Not Necessarily More Effective Than Passive Scanning

During the reconnaissance phase we care a great deal about the target device's name. But where a vendor places the device name is not fixed: it may be in the advertising data or in the scan response data. So sometimes passive scanning alone is enough to obtain the target device's name.

Moreover, vendors do not necessarily use the GAP-defined AD Type 0x09 (Complete Local Name) to store the device name. Since GAP also defines AD Type 0xFF (Manufacturer Specific Data), a vendor may put the device name there and define its own parsing rules for it.

Therefore, when the BD_ADDR cannot be spoofed, simply try whether passive scanning already solves the problem.
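To make the two result formats above concrete, here is an added example (not code from the original post) that parses an HCI_LE_Advertising_Report event into its fields and then walks the Data parameter as an array of AD structures, covering the Event_Type table, the AD structure format and the point of this section that the name may live in AD Type 0x09 or inside AD Type 0xFF. The two sample events are reconstructed byte by byte from the ADV_IND and SCAN_RSP captures shown earlier on this page (so the lengths 30/18 and 22/10 and the RSSI values match them); the third event is constructed for this example, with a placeholder company identifier 0xFFFF and a vendor-defined payload, and is not from the page. The parser assumes Num_Reports is 1, as in the captures, and rejects anything else; AD Type 0x08 (Shortened Local Name) is a GAP assigned number not mentioned on the page.

```python
import struct

# Event_Type values of the LE Advertising Report event, from the table on this page
EVENT_TYPES = {0x00: "ADV_IND", 0x01: "ADV_DIRECT_IND", 0x02: "ADV_SCAN_IND",
               0x03: "ADV_NONCONN_IND", 0x04: "SCAN_RSP"}

# GAP AD Types used below (those in the captures on this page, plus 0x08 Shortened Local Name)
AD_FLAGS, AD_UUID16_COMPLETE, AD_SHORT_NAME = 0x01, 0x03, 0x08
AD_COMPLETE_NAME, AD_TX_POWER, AD_MANUFACTURER = 0x09, 0x0A, 0xFF
FLAG_BITS = {0: "LE Limited Discoverable Mode", 1: "LE General Discoverable Mode",
             2: "BR/EDR Not Supported", 3: "Simultaneous LE and BR/EDR (Controller)",
             4: "Simultaneous LE and BR/EDR (Host)"}


def parse_ad_structures(data: bytes) -> list:
    """Split Data into (AD Type, AD Data) pairs. Each structure is Length (counts the type
    byte plus the data), AD Type, AD Data. A Length that overruns the buffer is rejected."""
    structures, offset = [], 0
    while offset < len(data):
        length = data[offset]
        if length == 0:                        # zero-length structure: the rest is padding
            break
        if offset + 1 + length > len(data):    # truncated, or a hostile Length field
            raise ValueError(f"AD structure at offset {offset} runs past the end of Data")
        structures.append((data[offset + 1], bytes(data[offset + 2:offset + 1 + length])))
        offset += 1 + length
    return structures


def parse_le_advertising_report(event: bytes) -> dict:
    """Parse an HCI LE Meta event (0x3E) carrying one LE Advertising Report (subevent 0x02).
    Assumption for this example: Num_Reports == 1, as in the captures on this page."""
    if len(event) < 14 or event[0] != 0x3E or event[1] != len(event) - 2:
        raise ValueError("not a well-formed HCI LE Meta event")
    if event[2] != 0x02 or event[3] != 1:
        raise ValueError("expected an LE Advertising Report with exactly one report")
    event_type, addr_type = event[4], event[5]
    bd_addr = ":".join(f"{b:02x}" for b in event[6:12][::-1])    # BD_ADDR is sent LSB first
    data_len = event[12]
    if len(event) != 14 + data_len:
        raise ValueError("Data_Length does not match the event length")
    data = event[13:13 + data_len]
    rssi = struct.unpack_from("<b", event, 13 + data_len)[0]    # signed dBm
    return {"event_type": EVENT_TYPES.get(event_type, "RFU"), "address_type": addr_type,
            "bd_addr": bd_addr, "rssi": rssi, "ad": parse_ad_structures(data)}


def device_name(structures: list):
    """The name as GAP defines it: Complete Local Name first, then Shortened Local Name."""
    for wanted in (AD_COMPLETE_NAME, AD_SHORT_NAME):
        for ad_type, ad_data in structures:
            if ad_type == wanted:
                return ad_data.decode("utf-8", errors="replace")
    return None


def manufacturer_data(structures: list) -> list:
    """(company identifier, vendor payload) pairs; the payload layout is vendor-defined."""
    return [(struct.unpack_from("<H", d)[0], d[2:])
            for t, d in structures if t == AD_MANUFACTURER and len(d) >= 2]


def tx_power(structures: list):
    for t, d in structures:
        if t == AD_TX_POWER and len(d) == 1:
            return struct.unpack("<b", d)[0]
    return None


def uuid16_list(structures: list) -> list:
    return [u for t, d in structures if t == AD_UUID16_COMPLETE
            for (u,) in struct.iter_unpack("<H", d)]


def flags(structures: list) -> list:
    for t, d in structures:
        if t == AD_FLAGS and d:
            return [name for bit, name in FLAG_BITS.items() if d[0] & (1 << bit)]
    return []


# Reconstructed from the two captures on this page (ADV_IND, 18-byte Data; SCAN_RSP, 10-byte Data)
ADV_IND_EVENT = bytes.fromhex("3e1e" "02" "01" "00" "00" "06079cc40a24" "12"
                              "020106" "020aeb" "0303ff00" "0709424c45435446" "bf")
SCAN_RSP_EVENT = bytes.fromhex("3e16" "02" "01" "04" "00" "06079cc40a24" "0a"
                               "020106" "020aeb" "0303ff00" "bc")
# Constructed for this example (not from the page): the name sits inside Manufacturer
# Specific Data with placeholder company id 0xFFFF, and there is no AD Type 0x09 at all
VENDOR_NAME_EVENT = bytes.fromhex("3e1a" "02" "01" "00" "00" "010000eeffc0" "0e"
                                  "020106" "0affffff" + b"SENSOR1".hex() + "ba")

if __name__ == "__main__":
    for ev in (ADV_IND_EVENT, SCAN_RSP_EVENT, VENDOR_NAME_EVENT):
        r = parse_le_advertising_report(ev)
        print(r["event_type"], r["bd_addr"], r["rssi"], "dBm", "name:", device_name(r["ad"]),
              "flags:", flags(r["ad"]), "tx:", tx_power(r["ad"]), "uuids:", uuid16_list(r["ad"]),
              "manufacturer:", manufacturer_data(r["ad"]))
```

For the reconstructed captures the parser yields the name BLECTF from the ADV_IND report and no name from the SCAN_RSP report, which is the situation the section describes: whether passive scanning suffices depends on which PDU the vendor put the name in. For the constructed third event `device_name` returns nothing while `manufacturer_data` exposes the vendor payload, so a scanner that only looks at AD Type 0x09 would miss it.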

References

  1. BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 6, Part B page 2857, Figure 1.1: State diagram of the Link Layer state machine
  2. BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 6, Part D page 3114, 4 SCANNING STATE
  3. BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 6, Part D page 3114, 4.1 PASSIVE SCANNING
  4. BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 6, Part D page 3115, 4.2 ACTIVE SCANNING
  5. BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 4, Part E page 2382, 7.7.65.2 LE Advertising Report event
  6. BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C page 1392
  7. Assigned numbers and GAP
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書(shū)系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容