The SBrick Protocol
===================
The advertisement data
----------------------
The advertisement data contains the full device name, and some
manufacturer specific data. The latter contains security and battery
voltage information, and is available in the "scan response" packets
in response to active scanning.
Vengit Limited manufacture specific data fields
-----------------------------------------------
We use manufacturer specific data in AD to advertise product type,
battery reading and other data currently not in the Bluetooth
specification.
The manufacturer specific data starts with a length octet, that
describes the whole length of this field. After the length octet, the
company identifier for Vengit limited follows in little endian order.
After these four bytes, the actual data payload follows.
<01> <98>
The manufacturer specific data records can be read as:
<1: data length (1-255)>
Every record begins with a length octet, and a record identifier octet
that determines the type of the record.
The manufacturer specific data field may be present in both
advertisement data, and scan response data packets, even at the same
time.
Vengit Limited manufacturer specific data records:
00 Product type
00 <1: Product ID> <2: HW major/minor version> <2: FW major/minor version>
00 - SBrick
Example 1: 02 00 00 - Product SBrick
Example 2: 06 00 00 04 00 04 01 - Product SBrick, HW 4.0, FW 4.1
01 BlueGiga ADC sensor raw reading
01 <1: channel> <2: raw sensor reading>
Example, battery reading '12f0' on SBrick: 04 01 00 12 F0
Example, temperature reading '12f0': 04 01 0e 12 F0
02 Device Identifier
02
Example, SBrick device ID: 07 02 0D 23 FC 19 87 63
03 Simple Security status
05
00: Freely accessible
01: Authentication needed for some functions
Example manufacturer specific data for SBrick, containing device ID with
hw/sw revision, with battery readings and device ID:
1A FF 01 98 06 00 00 04 00 04 02 04 01 0E 12 f0 07 02 0D 23 FC 19 87 63
02 03 00
The GATT database
-----------------
The following service and characteristics are accessible:
1. Generic GAP service
2. Device information service
5. OTA service
6. Remote control service
Generic GAP service - 1800
--------------------------
Only contains the device name and appeareance characteristics.
The device name (2a00) is always "SBrick", and the appeareance (2a01) is
always 0384 a.k.a. "generic remote control", according to the Bluetooth
Specification.
Device information - 180a
-------------------------
Contains mandatory device information fields.
Model number string - 00: "SBrick". Same as the "Product type" above.
Firmware revision string
Hardware revision string
Software revision string
These are version information strings. The "firmware" and "software"
revision string are always the same.
The revision string consist of a major and a minor revision,
separated by a dot. (Example: 4.1 - Major is 4, minor is 1.)
A firmware is ONLY compatible with a hardware, if their MAJOR
REVISION NUMBER IS EXACTLY THE SAME.
Manufacturer string - "Vengit Ltd."
OTA service - 1d14d6ee-fd63-4fa1-bfa4-8f47b42119f0
--------------------------------------------------
The OTA service is compatible with BlueGiga's OTA solution, one can
use BLEGui to upload a new firmware.
OTA control - f7bf3564-fb6d-4e53-88a4-5e37e0326063
--------------------------------------------------
This characteristic can be used to send OTA-specific commands:
02 Reset DFU pointer
Resets the DFU flash pointer to zero. Can be used when reading back
firmware image. This is only useful for debugging / testing
purposes.
03 Reboot into DFU mode
After successfully transmitting the firmware image, the device can
be booted into DFU mode with this command. In this mode, the device
checks the flash memory for a firmware image, and calculates the
checksum. If the checksum is correct, the firmware image is
transferred into the program memory. This procedure takes
approximately five seconds. After this, the firmware clears up the
user flash. During flash clearing, the ID LED blinks quickly for
about one and a half seconds.
The characteristic can also be read. The value read back is the DFU
pointer, or the number of bytes written into flash. The application
might want to check the DFU pointer, and compare it with the firmware
size. If the thow sizes are different, the deivce MUST be restarted
with the "0x12 Reboot" command, and the user must be informed about
the failure. The user flash is cleared upon reboot, and the firmware
upload can be attempted again.
OTA data - 984227f3-34fc-4045-a5d0-2c581f81a153
-----------------------------------------------
This characteristic can be used to transfer the firmware image in 20
byte packages.
After successfully uploading the firmware, the application MUST issue
a command "0x03 Reboot into DFU mode" on the control characteristic
to restart the device into DFU mode.
This characteristic can also be read to check the written firmare, or
blank-check the flash. One must reset the DFU pointer with comman 0x02
on the control characteristic before attempting a readback. This
feature is probably not that useful fin normal circumstances, as it was
developed to aid development / debugging.
Remote control service - 4dc591b0-857c-41de-b5f1-15abda665b0c
-------------------------------------------------------------
This service contains two characteristics:
* Quick Drive: allows remote control with small data packets. Very
limited functionality.
* Remote control commands: allows full control, more verbose and slower
than quick drive.
The Quick Drive characteristic should be used in situations where
multiple channels must be updated quickly. It uses less bandwidth
than issueing commands at the Remote control commands characteristic.
The Remove control commands characteristic allows full control over
SBrick.
Remote control commands - 2b8cbcc-0e25-4bda-8790-a15f53e6010f
-------------------------------------------------------------
Commands can be issued by writing data to this characteristic. A command
always starts with the command identifier byte, after wich parameters
may follow. A single BLE write operation can only send a single command.
Certain commands can return a value. The returned value can be read
from the characteristic. The central can also subscribe to notifications
on this characteristic, so renturn values will be sent promptly when
available.
Commands with no return values will issue no notification, and the
characteristic value will not change.
The "SUPER" note means that the operation require superwisor privileges.
All commands might throw exceptions. These exceptions manifest themselves
as BLE level errors, with error codes in the user-defined error range.
The possible exceptions are the following:
0x80 ERROR_LENGTH Invalid command length
0x81 ERROR_PARAM Invalid parameter
0x82 ERROR_COMMAND No such command
0x83 ERROR_NOAUTH No authentication needed
0x84 ERROR_AUTH Authentication error
0x85 ERROR_DOAUTH Authentication needed
0x86 ERROR_AUTHOR Authorization error
The possible commands are following.
00 Break
00 ...
At least one, at most four channels can be given
(The default is all channels are freewheeling)
Return: -
01 Drive
01 ...
(The default is all channels are freewheeling)
Return: -
02 Need authentication?
02
If superwisor password is set, this will return true.
This exact information is reflected in the "simple security"
field in manufacturer specific data.
Return:
00 - Authentication not needed
01 - Authentication needed
03 Is authenticated?
03
Returns wether the current session is authenticated. This will always
return true, if there's no superwisor password set.
Return:
00 - Not authenticated
01 - Authenticated
04 Get user ID
04
Returns the authenticated user ID.
Return: User ID if authenticated, undefined if not.
05 Authenticate
05 <1 byte user ID> <8 byte password>
New sessions are unauthenticated if password set.
New sessions are authenticated if password is not set.
Return: -
06 Clear password (SUPER)
06 00: clears superwisor password. This will "open" SBrick, anyone
connecting will get superwisor rights. Guest password will also
be cleared.
06 01: clear only guest password, rendering guests unable to
authenticate.
Return: -
07 Set password (SUPER)
07 <8 byte password>: set the password
Return: -
08 Set authentication timeout (SUPER)
08 <0.1 seconds x N, minimum 0.5, maximum 5 seconds, 1 byte>
Return: -
09 Get brick ID
09
Return:
0A Quick Drive Setup
0A
At least one, at most five channels can be given.
Default: First five channels adcending order
Return: -
0B Set watchdog timeout
0B
The recommended watchdog frequency is 0.2-0.5 seconds, but a smaller
and many larger settings are also available.
Writing a zero disables the watchdog. By default watchdog is
disabled on every boot and disconnect, so every session begins with
a disabled watchdog.
Return: -
0C Query ADC
0C
The ADC channels are read at every 2 seconds. These values are stored
in variables, and this query simply reads those variables. Because of
this, ADC data can be up to 2 seconds old.
Temperature can be read on channel 0x0E, voltage on 0x00.
Return:
2 byte, little endian, 12 bit resolution ADC reading on given channel.
Value is stored MSB. (Must be divided by 16)
All ADC channels are using the internal 1.24V reference.
The PSU voltage is dropped through a 10:1 voltage divider.
VPSU = ADC / 16 / 2047 * 1.24
Temperature can be calibrated as: ((ADC / 16 / 2047 * 1.24) - 0.75) / 2.43
((Output voltage in volts) - temperature output @ 0°C) / Temperature coefficient
Where 1.6 is an offset, and may be calibrated for each device
0D Set up channel excitation pattern
0D <0: one-shot, 1:repeat> ( > ) ...
Up to 8 patterns can be defined. 0 length patters are valid, and mean "no pattern".
Return: -
0E Pattern - Channel connection setup
0E (Up to 8 connections)
Return: -
0F Pattern - Event connection setup
0F ... (Up to 8 connections)
Return: -
10 Send event
10
Events can be used to trigger patterns.
Event range: 0-255. Events 0-127 are reserved for system use.
Special events:
0: Boot
1: Connection established
2: Disconnected
128-255: User events
11 Erase user flash on next reboot (compromises OTA!)
11
Return: -
12 Reboot
12
After issueing this command, the remote device will gracefully
terminate the connection, and reboot in normal (non-DFU) mode.
To reboot in DFU mode and possibly update firmware, use the OTA
service.
Return: -
13 Break with PWM support
13 ...
(The default is all channels are freewheeling)
Return: -
Quick Drive - 489a6ae0-c1ab-4c9c-bdb2-11d373c1b7fb
--------------------------------------------------
The purpose of this characteristic is to make remote contgrolling possible
using as little bandwidth as possible. A two-channel race car can be
controlled by sending only two bytes: one for the accelerator and one
for steering.
One can write (no response) 0-5 byte data packets to this characteristic
to drive channels. Breaking is not possible.
The characteristic can be thought of as a five byte register. Each byte
in the register conrtols one channel. With the 0x0A "Quick Drive Setup"
command, one can configure which byte controls which channel. The default
is that byte 0 controls channel 0, byte 1 conrtols channel 1, and so on.
Quick Drive is the recommended way to control models where low latency
is expected, and there might be dozens of models in the same area.
Since each channel is driven with one byte, the direction and the PWM
information must be fitted into that single byte. This is done in the
following way:
Example: "Drive forward (clockwise) 255"
1 1 1 1 1 1 1 0 <- Direction bit
_ _ _ _ _ _ _ _
MSb LSb
Example:
writing the byte string 00FFFE00 will turn channel #1 CCW full speed,
channel #2 CW full speed, and set channels #0 and #3 freewheeling.