Baseband Controller, Packet Types & Link Controller States

bluetooth tutorial April 21, 2026 · 0 Comment

 

 

πŸ“‘ Wireless Systems Engineering β€” Lecture Series Β |Β  Bluetooth Classic Protocol Stack

⚑ Module 3 · Baseband Controller | Bluetooth Classic

Baseband Controller, Packet Types
& Link Controller States

A practical, code-grounded walkthrough of how Bluetooth Classic manages packet exchanges, synchronous voice, and connection state transitions at the baseband layer.

3Major States
13+ACL Packet Types
2178kb/s Peak EDR
7Substates

πŸ”‘ Key Terms in This Lecture

Baseband Controller Piconet ACL Packets SCO / eSCO DH5 / 3-DH5 FHS Packet NULL Packet Link Manager Inquiry & Paging PARK State EV Packets HV Packets BlueZ Stack BR / EDR

Why This Topic Matters

Hello studentsΒ  in this lecture i will explain you what Baseband Controller, Packet Types
& Link Controller States The baseband layer sits immediately above the physical radio in the Bluetooth architecture. It is the part of the protocol that actually assembles bits into packets, controls timing, manages retransmissions, and choreographs how two or more devices share a piconet channel. Everything from a wireless speaker to a heart-rate monitor depends on these mechanisms operating correctly every few milliseconds.

In this lecture of Baseband Controller, Packet Types
& Link Controller States we cover three tightly connected areas. First, we examine the special control packets used at startup β€” NULL, FHS, and DM1 β€” and understand precisely what role each plays before a stable data link exists. Second, we do a deep dive into ACL and synchronous packet formats, comparing throughput figures and understanding which packet type to choose for a given application. Third, we trace the state machine that every Bluetooth device moves through from cold-boot to an active piconet connection, and examine each substate in detail.

Where relevant, reference snippets from the Linux BlueZ kernel stack are included to show how these protocol concepts translate directly into real systems code.

Lecture Outline

Β§ 1 β€” Control Packets: NULL, FHS & DM1

Before a piconet channel is established, a small set of control packets carry the minimum information needed to synchronise clocks and exchange addresses. We study each one and see why they are designed the way they are.

NULL Packet FHS Packet BD_ADDR Clock Synchronisation DM1 Packet
Β§ 2 β€” ACL Packet Types & Throughput Analysis

Asynchronous Connection-Less (ACL) packets carry the majority of data traffic in Bluetooth Classic. The specification defines a rich set of packet types for Basic Rate (BR) and Enhanced Data Rate (EDR) links, each balancing payload size, slot usage, and error protection differently.

DM/DH Series 2-DH / 3-DH EDR Symmetric vs Asymmetric Packet Negotiation Max Throughput
Β§ 3 β€” Synchronous Packet Types: SCO & eSCO

Voice calls and time-critical audio use synchronous packets β€” HV, DV (SCO) and EV (eSCO). These packets sacrifice retransmission flexibility in the voice section to guarantee isochronous delivery at 64 kb/s, while eSCO adds a windowed retransmission mechanism for better data integrity.

HV1/2/3 DV Packet EV3/4/5 2-EV / 3-EV EDR 64 kb/s PCM Voice
Β§ 4 β€” Link Controller State Machine

A Bluetooth device is always in one of three major states (STANDBY, CONNECTION, PARK) plus up to seven substates used during device discovery and connection establishment. Understanding these transitions is essential for debugging connectivity issues and designing power-efficient applications.

STANDBY State CONNECTION State PARK State Inquiry & Page Substates Master / Slave Roles

Β§ 1 β€” Control Packets Before the Piconet is Up

When two Bluetooth devices first interact, neither one has yet established a shared hopping sequence or a common channel. A small but critical set of special-purpose control packets handles the initialization phase. These packets are defined in the Baseband specification and are handled by the Link Controller hardware before the higher-level Link Manager Protocol (LMP) even gets involved.

NULL Packet

The NULL packet carries no user data β€” its sole function is acknowledgement. When a Master sends a data packet to a Slave and the Slave has nothing to transmit in return, it responds with a NULL packet. This tells the Master that the transmission was received without error and that the link is still alive. Think of it as a lightweight “ACK” at the baseband level that keeps the polling cycle running without wasting bandwidth on empty DM1 packets.

πŸ’‘ Exam Insight The NULL packet has no payload and no CRC. It occupies exactly one slot and carries only the access code and header. This is why it is the cheapest acknowledgement mechanism available at the baseband layer.

FHS β€” Frequency Hop Synchronisation Packet

The FHS packet is used for frequency hop synchronisation β€” either before a piconet channel is established for the first time, or when a role switch changes which device is acting as Master (since the hopping sequence is derived from the Master’s clock and address).

The FHS packet carries two pieces of information that are critical for synchronisation:

  • BD_ADDR of the sender β€” a 48-bit device address, similar in concept to a MAC address.
  • Clock value of the sender at transmission time β€” the Slave uses this to align its own clock offset and predict the hop sequence.

Crucially, if the FHS packet needs to be retransmitted (because no acknowledgement was received), the clock value is refreshed before each retransmission rather than replaying the stale timestamp. This ensures the clock information is always accurate at the moment it arrives, regardless of how many retransmission attempts were needed.

βœ… Design Insight Refreshing the clock value on every retransmission is a subtle but important design decision. A stale clock value would corrupt the hop synchronisation β€” the Slave would compute an incorrect channel sequence and immediately lose the connection after it was “established.”

DM1 β€” Data Medium Rate, 1-Slot

The DM1 packet bridges control and data. It is the workhorse of the Link Manager β€” used to exchange LMP control messages between devices during connection setup, parameter negotiation, and encryption handshakes. However, DM1 can also carry regular user data, which makes it a useful fallback when devices cannot agree on a higher-performance packet type.

Its payload supports 0–17 bytes, giving a symmetric maximum rate of 108.8 kb/s β€” modest by modern standards, but perfectly adequate for control traffic where payload size is small and reliability matters more than throughput.

Β§ 2 β€” ACL Packet Types & Throughput Analysis

Asynchronous Connection-Less (ACL) links carry bursty data traffic β€” file transfers, protocol exchanges, and application data. The Bluetooth baseband defines a rich menu of packet types, categorised by data rate (Basic Rate vs. Enhanced Data Rate) and slot duration (1, 3, or 5 slots). Selecting the right packet type is a genuine engineering decision that affects throughput, latency, and power consumption.

Naming Convention

The naming scheme encodes useful information. DM = Data Medium-rate; DH = Data High-rate. A prefix of 2 or 3 indicates the EDR modulation scheme (Ο€/4-DQPSK for 2Γ— or 8DPSK for 3Γ—). The trailing number (1, 3, 5) is the number of slots the packet occupies. So 3-DH5 means: EDR at 3Γ— rate, high-rate coding, 5-slot packet.

Complete ACL Packet Type Reference

Type Payload (bytes) Sym. Max (kb/s) Asym. Fwd (kb/s) Asym. Rev (kb/s) Notes
DM1 0–17 108.8 108.8 108.8 Control traffic default
DH1 0–27 172.8 172.8 172.8 BR, 1-slot, no FEC
DM3 0–121 258.1 387.2 54.4 BR, 3-slot, medium rate
DH3 0–183 390.4 585.6 86.4 BR, 3-slot, high rate
DM5 0–224 286.7 477.8 36.3 BR, 5-slot, medium rate
DH5 0–339 433.9 723.2 57.6 Max BR throughput (asymmetric)
AUX1 0–29 185.6 185.6 185.6 No CRC β€” unreliable channel test
2-DH1 0–54 345.6 345.6 345.6 EDR 2Γ—, 1-slot
2-DH3 0–367 782.9 1174.4 172.8 EDR 2Γ—, 3-slot
2-DH5 0–679 869.1 1448.5 115.2 EDR 2Γ—, 5-slot
3-DH1 0–83 531.2 531.2 531.2 EDR 3Γ—, 1-slot
3-DH3 0–552 1177.6 1766.4 235.6 EDR 3Γ—, 3-slot
3-DH5 0–1021 1306.9 2178.1 177.1 Max EDR throughput (asymmetric)

Choosing the Right Packet Type

The choice of packet type is not made by the application directly β€” it is negotiated by the two devices’ Link Managers at the time the ACL connection is created. Each device advertises which packet types it supports, and only mutually-supported types are used. After negotiation, the link controller selects among the agreed types based on channel conditions.

From an application design perspective, the key insights are:

  • File transfer / download: Use 3-DH5 if EDR is available, otherwise DH5. These give maximum asymmetric throughput (data flows heavily in one direction; acknowledgements flow in the other).
  • Interactive protocols: DH1 or 2-DH1 give lower latency since you do not wait for a 5-slot window to complete before responding.
  • Constrained devices: DM packets include FEC (Forward Error Correction) which reduces payload size but improves reliability in noisy environments. DH packets sacrifice FEC for raw throughput.
⚠️ Common Misconception Bigger packets are not always better. A 5-slot packet takes 5Γ— as long to transmit as a 1-slot packet. On a congested piconet with multiple Slaves, this creates latency for other devices. Packet type selection is always a throughput-versus-latency trade-off.

BlueZ: ACL Connection & Packet Type Negotiation

In the Linux BlueZ stack, ACL connection creation and packet type selection is handled in the HCI (Host Controller Interface) layer. The hci_conn structure tracks the negotiated packet types per connection. The relevant source is in the BlueZ kernel tree under net/bluetooth/hci_conn.c:

BlueZ β€” hci_conn.c (simplified) /* Create ACL connection β€” packet types are passed to the controller */ struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst, u8 sec_level, u8 auth_type) { struct hci_conn *acl; acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst); if (!acl) { acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER); if (!acl) return ERR_PTR(-ENOMEM); } /* hdev->pkt_type reflects the negotiated packet types (DH1, DH3, DH5, 2-DH1 … 3-DH5 etc.) stored per-adapter */ acl->pkt_type = hdev->pkt_type; if (!test_and_set_bit(HCI_CONN_POWER_SAVE, &acl->flags)) hci_conn_enter_active_mode(acl, BT_POWER_FORCE_ACTIVE_OFF); return acl; }

πŸ”— BlueZ Source: lib/hci.c β€” Packet type definitions & HCI helpers πŸ”— Kernel Source: net/bluetooth/hci_conn.c β€” ACL connection management

Β§ 3 β€” Synchronous Packet Types: SCO & eSCO

Bluetooth Classic was designed from day one to support wireless telephony and voice calls. This required a connection type fundamentally different from ACL β€” one that guarantees delivery at regular intervals regardless of channel noise. That is the role of synchronous links: SCO (Synchronous Connection-Oriented) and its enhanced successor eSCO.

SCO: HV and DV Packets

SCO uses HV (High Quality Voice) packets. Three variants exist β€” HV1, HV2, and HV3 β€” each carrying progressively more payload per packet (10, 20, and 30 bytes respectively) but all delivering a net voice rate of 64 kb/s. The difference is in Forward Error Correction: HV1 uses the most redundant FEC (1/3 rate) and HV3 uses none, relying on the application to tolerate occasional lost frames.

A crucial property of all HV packets: there is no CRC, and lost packets are never retransmitted. For voice, this is correct β€” replaying a stale audio frame would sound worse than the brief silence that comes from skipping it. The speech codec (typically CVSD or mSBC) handles concealment of lost frames.

The DV (Data-Voice) packet is a hybrid. It splits its payload into a voice section (which behaves like an HV packet β€” no CRC, no retransmission) and a data section (which includes CRC and is retransmitted on error). This makes DV useful when a headset needs to carry both a voice call and a small trickle of data simultaneously on the same SCO link.

eSCO: EV Packets with Windowed Retransmission

eSCO is an evolution of SCO that adds CRC protection and a retransmission window on all packets (EV series). If the receiver does not acknowledge within the retransmission window, the packet is sent again. This makes eSCO far more robust for high-quality audio codecs like aptX or mSBC that cannot tolerate any packet loss.

Type Payload (bytes) Sym. Rate (kb/s) Notes
HV1 10 64 SCO, 1/3 FEC, no CRC
HV2 20 64 SCO, 2/3 FEC, no CRC
HV3 30 64 SCO, no FEC, no CRC β€” most common for telephony
DV 10 voice + 0–9 data 64 + 57.6 SCO hybrid β€” voice + data sections
EV3 1–30 96 eSCO BR, CRC + retransmission
EV4 1–120 192 eSCO BR
EV5 1–180 288 eSCO BR
2-EV3 1–60 192 eSCO EDR 2Γ—
2-EV5 1–360 576 eSCO EDR 2Γ—
3-EV3 1–90 288 eSCO EDR 3Γ—
3-EV5 1–540 864 Maximum eSCO throughput

BlueZ: SCO Connection Setup

In BlueZ, SCO connections are created via hci_connect_sco(). The voice setting (which determines whether HV1/2/3 or EV packets are used, and which codec is active) is configured at the HCI level before connection establishment:

BlueZ β€” hci_conn.c (SCO) /* Setting up an SCO link for 64kb/s voice (CVSD codec) */ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, bdaddr_t *dst, __u16 setting, struct bt_codec *codec) { struct hci_conn *acl, *sco; acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING); if (IS_ERR(acl)) return acl; sco = hci_conn_hash_lookup_ba(hdev, SCO_LINK, dst); if (!sco) { sco = hci_conn_add(hdev, SCO_LINK, dst, HCI_ROLE_MASTER); if (!sco) { hci_conn_drop(acl); return ERR_PTR(-ENOMEM); } } sco->setting = setting; /* e.g. BT_VOICE_CVSD_16BIT */ hci_conn_hold(sco); return sco; }

πŸ”— Kernel Source: net/bluetooth/hci_conn.c β€” SCO/eSCO connection handling

βœ… Practical Note Modern Bluetooth headsets almost always use eSCO (EV3 or 2-EV3) rather than SCO, because eSCO’s windowed retransmission dramatically improves audio quality in noisy RF environments. The switch from HV3 to EV3 was a key improvement in Bluetooth 1.2.

Β§ 4 β€” Link Controller State Machine

Every Bluetooth Classic device runs a state machine in its Link Controller hardware. At any given moment the device is in one of three major states, with seven substates used during the transitions between them. Getting a firm mental model of this state machine is essential β€” it is the foundation of every connection establishment and power-management sequence in the Bluetooth specification.

The Three Major States

⚑ STANDBY

The default, low-power resting state. The device may clock-gate most hardware. It can wake to listen for inquiry/page messages, or initiate its own inquiry or paging procedure.

πŸ”— CONNECTION

An active piconet is running. Packets are exchanged between Master and one or more Slaves. The device that initiates paging becomes the Master. Left via DETACH or RESET.

πŸŒ™ PARK

A Slave stays synchronised with the piconet clock but releases its Active Member Address. It wakes periodically to resynchronise and check whether the Master has traffic for it.

Inside CONNECTION: Active, Sniff & Hold Modes

During the CONNECTION state, a device can further reduce power consumption by entering one of three sub-modes negotiated via LMP:

  • Active mode: The device participates in every Master polling slot. Highest power, lowest latency.
  • Sniff mode: The Slave listens only during agreed sniff intervals (e.g., every 100 ms). Most common power-saving mode for HID and sensor profiles.
  • Hold mode: The Slave suspends ACL activity for a negotiated hold period, during which it can scan for other piconets or enter a deep-sleep cycle.

The Seven Substates

Substates are transient β€” a device enters them to perform a specific discovery or connection operation and then moves on. They are grouped into two categories:

Device Discovery Substates

These three substates implement the inquiry procedure, which allows a device to discover what other Bluetooth devices are in range without knowing their addresses in advance:

  • Inquiry Scan: The device periodically listens on the two inquiry scan frequencies, waiting for an ID packet from a device performing an inquiry. A device in this substate is “discoverable.”
  • Inquiry: The device broadcasts ID packets across all inquiry hop frequencies and collects FHS responses from devices in inquiry scan mode. The result is a list of BD_ADDRs and clock offsets for nearby devices.
  • Inquiry Response: After a device in inquiry scan receives an inquiry ID packet, it enters this transient state and transmits an FHS packet back to the inquiring device.

Connection Establishment Substates

Once a device knows the address of its target (from a prior inquiry or from stored pairing info), these four substates execute the paging procedure to build the actual connection:

  • Page Scan: The device listens on its own page scan hop frequencies. A device in this substate is “connectable.”
  • Page: The initiating device (which will become Master) sends page ID packets to the specific BD_ADDR it wants to connect to, using the target’s predicted page scan hop sequence.
  • Slave Response: Upon receiving a page ID packet, the paged device enters this state, sends a Slave response (its own ID packet), and waits for the Master’s FHS.
  • Master Response: After receiving the Slave response, the Master sends its FHS packet (containing its BD_ADDR and clock) and transitions to full connection mode after receiving the Slave’s second acknowledgement.

Connection Establishment Flow (Visual Summary)

Discovery Phase:

STANDBY β†’ Inquiry β†’ Inquiry Scan (remote) β†’ Inquiry Response (FHS) β†’ STANDBY

Connection Phase:

Page (Master) β†’ Page Scan (Slave) β†’ Slave Response β†’ Master Response (FHS) β†’ CONNECTION

BlueZ: Triggering Inquiry & Page from Userspace

In BlueZ, the inquiry procedure is initiated via the hci_inquiry ioctl, which eventually triggers the HCI Inquiry command. The paging sequence is driven by hci_create_conn() in the kernel. From userspace tooling, hcitool scan exercises the inquiry substates and hcitool cc <bdaddr> exercises the paging substates:

BlueZ β€” hci_core.c (inquiry) /* Kick off an inquiry β€” device enters the INQUIRY substate */ int hci_inquiry(void __user *arg) { struct hci_inquiry_req ir; if (copy_from_user(&ir, arg, sizeof(ir))) return -EFAULT; /* ir.num_rsp = max responses to collect ir.length = inquiry duration (units of 1.28 s) ir.lap = 0x9E8B33 for general inquiry (GIAC) */ return hci_req_sync(hdev, hci_inq_req, (unsigned long)&ir, timeout, &status); }

πŸ”— Kernel Source: net/bluetooth/hci_core.c β€” Inquiry & connection state management πŸ”— BlueZ Tools: hcitool.c β€” Userspace inquiry and connection commands

πŸ’‘ Role Switch Note After the paging procedure, the paging device always becomes Master. If the application layer wants the other device to be Master (for example, a headset taking control of a phone), it must request a role switch via an LMP message after the initial connection is established. This triggers a new FHS exchange to re-synchronise hop sequences under the new Master’s clock.

🎯 Self-Test Questions

Work through these before the next tutorial session. Answers can be derived from the material above and the BlueZ source code.

1 Why is the clock value inside an FHS packet refreshed on each retransmission, rather than being sent unchanged?
2 A Bluetooth headset needs to stream high-quality audio at ~576 kb/s. Which eSCO packet type supports this, and what modulation scheme does it use?
3 What is the difference in maximum asymmetric throughput between a DH5 and a 3-DH5 packet? Calculate the ratio.
4 A Slave device in PARK state wants to send data to the Master urgently. Describe the state transitions it must go through to re-enter the CONNECTION state.
5 In the BlueZ kernel source, which structure field stores the negotiated ACL packet type for a given connection, and in which file is it defined?

Continue Your Bluetooth Journey

Next up: Link Manager Protocol (LMP), L2CAP segmentation, and the Security Manager pairing flow.

I hope you have learnt Baseband Controller Packet Types & Link Controller States.

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2026 embeddedpathashala.com - WordPress Video Theme by WPEnjoy