BLE scan 在bluedroid的实现中,有两个接口:一个是discovery,一个是ble observe,这两者有什么区别呢?
这里追了一下代码发现,inquiry 是上层调用search 相关的接口的实现函数,ble observe 是调用GATT scan的接口的实现函数,这篇文章分析一下,在调用GATT 接口实现scan的流程。
GATT的服务代码逻辑在哪里实现的呢?其核心代码的实现是bluedroid里面,但是,上层的应用是不可能直接调用协议栈的代码的,其实在bluedroid上面还会进行封装一个GATT的服务,其实现在package/app/Bluetooth下面的GattService.java,这里面实现了关于GATT相关的各种接口,应用层的代码通过binder 调用绑定到这些接口,并完成一系列的调用。
看一下GattService.java的实现:
/** * Handlers for incoming service calls */ private static class BluetoothGattBinder extends IBluetoothGatt.Stub implements IProfileServiceBinder { private GattService mService; public BluetoothGattBinder(GattService svc) { mService = svc; } public boolean cleanup() { mService = null; return true; }... @Override public void startScan(int appIf, boolean isServer, ScanSettings settings, List filters, List storages, String callingPackage) { GattService service = getService(); if (service == null) return; service.startScan(appIf, isServer, settings, filters, storages, callingPackage); } public void stopScan(int appIf, boolean isServer) { GattService service = getService(); if (service == null) return; service.stopScan(new ScanClient(appIf, isServer)); } ... } 可以看到其代码中实现了一个BluetoothGattBinder,这个上层应用程序在绑定完成的时候,会得到这个binder接口。我们也可以看到,这个binder实现的也是GATT相关的基本的接口。
分析一下startScan接口,发现其是调用到另一个service 的startScan的接口,那这个service 是哪里来的呢?其实这个service就是GATTService本身,在initBinder的时候,将this 指针传入。
protected IProfileServiceBinder initBinder() { return new BluetoothGattBinder(this); } 我们的重点是分析startScan 这个接口的流程,现在我们看GATTService是如何实现这个接口的
void startScan(int appIf, boolean isServer, ScanSettings settings, Listfilters, List
> storages, String callingPackage) {... final ScanClient scanClient = new ScanClient(appIf, isServer, settings, filters, storages); ... mScanManager.startScan(scanClient); }
新建了一个scanClient 类,并将此类传入到mScanManager.startScan中:
void startScan(ScanClient client) { sendMessage(MSG_START_BLE_SCAN, client); } 此时的代码走到了ScanManager.java里面,不管上层的代码如何流转,我们知道,最后肯定还是调用到JNI 的接口,然后到达bluedroid里面,接着看:
// Handler class that handles BLE scan operations. private class ClientHandler extends Handler {... @Override public void handleMessage(Message msg) { ScanClient client = (ScanClient) msg.obj; switch (msg.what) { case MSG_START_BLE_SCAN://处理事件 handleStartScan(client); break; case MSG_STOP_BLE_SCAN: handleStopScan(client); break;... } } void handleStartScan(ScanClient client) {//处理scan的实现函数 Utils.enforceAdminPermission(mService);... // Begin scan operations. if (isBatchClient(client)) { mBatchClients.add(client); mScanNative.startBatchScan(client); } else { mRegularScanClients.add(client); mScanNative.startRegularScan(client); if (!mScanNative.isOpportunisticScanClient(client)) { mScanNative.configureRegularScanParams(); } } }... } 这边分析一下startBatchScan是vendor command 相关,那么一般都是调用到mScanNative.startRegularScan,这边已经调用到了native层面,具体看看其实现:
void startRegularScan(ScanClient client) { if (isFilteringSupported() && mFilterIndexStack.isEmpty() && mClientFilterIndexMap.isEmpty()) { initFilterIndexStack(); } if (isFilteringSupported()) { configureScanFilters(client); } // Start scan native only for the first client. if (numRegularScanClients() == 1) { gattClientScanNative(true); } } 这边继续往下调用到gattClientScanNative(true) :这里调用到JNI 层,其实现在文件com_android_bluetooth_gatt.cpp
static void gattClientScanNative(JNIEnv* env, jobject object, jboolean start){ if (!sGattIf) return; sGattIf->client->scan(start);} 到这里就很明确了,其最终调用的是sGattIf中client 的scan的接口,那其接口是怎么样的呢?
其是在bluetooth.c里面通过get_profile_interface 来获取GATT的interface的,
static const btgatt_interface_t btgattInterface = { sizeof(btgattInterface), btif_gatt_init, btif_gatt_cleanup, &btgattClientInterface, &btgattServerInterface,}; 中的client 的接口如下:
const btgatt_client_interface_t btgattClientInterface = { btif_gattc_register_app, btif_gattc_unregister_app, btif_gattc_scan, btif_gattc_open, btif_gattc_close, btif_gattc_listen,...} 那其实调用的就是:btif_gattc_scan
static bt_status_t btif_gattc_scan( bool start ){ CHECK_BTGATT_INIT(); btif_gattc_cb_t btif_cb; return btif_transfer_context(btgattc_handle_event, start ? BTIF_GATTC_SCAN_START : BTIF_GATTC_SCAN_STOP, (char*) &btif_cb, sizeof(btif_gattc_cb_t), NULL);} 这里将处理的流程transfer到bt_jni_workqueue_thread线程了,从这个线程的名字来看,主要是处理从JNI 下来的事件。看看具体做了什么:
static void btgattc_handle_event(uint16_t event, char* p_param){... btif_gattc_cb_t* p_cb = (btif_gattc_cb_t*) p_param; if (!p_cb) return; switch (event) {... case BTIF_GATTC_SCAN_START: btif_gattc_init_dev_cb(); BTA_DmBleObserve(TRUE, 0, bta_scan_results_cb);//调用的是这个函数 break;... 继续看BTA_DmBleObserve,注意第一个参数是true,表示开始scan,第二个参数是持续时间,0表示一直持续:
extern void BTA_DmBleObserve(BOOLEAN start, UINT8 duration, tBTA_DM_SEARCH_CBACK *p_results_cb){ tBTA_DM_API_BLE_OBSERVE *p_msg; APPL_TRACE_API("BTA_DmBleObserve:start = %d ", start); if ((p_msg = (tBTA_DM_API_BLE_OBSERVE *) GKI_getbuf(sizeof(tBTA_DM_API_BLE_OBSERVE))) != NULL) { memset(p_msg, 0, sizeof(tBTA_DM_API_BLE_OBSERVE)); p_msg->hdr.event = BTA_DM_API_BLE_OBSERVE_EVT;//向bt_workqueue_thread发送BTA_DM_API_BLE_OBSERVE_EVT p_msg->start = start; p_msg->duration = duration; p_msg->p_cback = p_results_cb; bta_sys_sendmsg(p_msg); } }
看了一下代码发现bt_workqueue_thread 是处理事件的主线程,bta_sys_sendmsg(p_msg); 这个函数是将消息发送到btu_bta_msg_queue,而这个queue是和bt_workqueue_thread绑定的,队列里面的消息都会在这个线程里面处理:
void bta_sys_sendmsg(void *p_msg){ if (btu_bta_msg_queue) fixed_queue_enqueue(btu_bta_msg_queue, p_msg);} 那现在 关于scan的event 的处理已经来到了另一个线程:bt_workqueue_thread,那么该队列里面有了数据线程如何处理?
fixed_queue_register_dequeue(btu_bta_msg_queue, thread_get_reactor(bt_workqueue_thread), btu_bta_msg_ready, NULL);
根据上面的代码,我们知道会调用到btu_bta_msg_ready:
void btu_bta_msg_ready(fixed_queue_t *queue, UNUSED_ATTR void *context) { BT_HDR *p_msg = (BT_HDR *)fixed_queue_dequeue(queue);//消息出列 bta_sys_event(p_msg);} 也就是先让消息处理,然后再调用bta_sys_event来处理:那至此我们知道,凡是调用到bta_sys_sendmsg,那最终处理的函数都是bta_sys_event来处理,而这个函数的处理方式也是一种dispatch的机制:
void bta_sys_event(BT_HDR *p_msg){... /* get subsystem id from event */ id = (UINT8) (p_msg->event >> 8); /* verify id and call subsystem event handler */ if ((id < BTA_ID_MAX) && (bta_sys_cb.reg[id] != NULL)) { freebuf = (*bta_sys_cb.reg[id]->evt_hdlr)(p_msg); }...} 其思想就是找到该事件对应的处理函数,这些event的高8bit 是属于事件的类型,或者称为主事件,而event的低8 bit是事件的子类,或者称为子事件。处理的过程是先通过主事件找到事件的处理函数handler(当然肯定是事先注册好的),然后在该处理函数中处理子事件。
那该事件的处理函数handler 是什么呢?
/*********************************************************************************** Function bta_sys_register**** Description Called by other BTA subsystems to register their event** handler.****** Returns void*********************************************************************************/void bta_sys_register(UINT8 id, const tBTA_SYS_REG *p_reg){ bta_sys_cb.reg[id] = (tBTA_SYS_REG *) p_reg; bta_sys_cb.is_reg[id] = TRUE;} 这里是注册的地方,根据函数的注释,是BTA 的子系统注册自己的event 的处理函数 时候所调用的。下图很容易看出有哪些模块调用这个注册函数
对于BTA_DM_API_BLE_OBSERVE_EVT 这个event 可知其主事件是BTA_ID_DM = 1 ,其注册 的地方在BTA_EnableBluetooth:
bta_sys_register (BTA_ID_DM, &bta_dm_reg );
那现在我们知道,其处理的函数的入口就是bta_dm_reg:
static const tBTA_SYS_REG bta_dm_reg ={ bta_dm_sm_execute, bta_dm_sm_disable}; BOOLEAN bta_dm_sm_execute(BT_HDR *p_msg){ UINT16 event = p_msg->event & 0x00ff;//取出子事件 /* execute action functions */ if(event < BTA_DM_NUM_ACTIONS) { (*bta_dm_action[event])( (tBTA_DM_MSG*) p_msg); } return TRUE;} 这里我们发现,其设计还是比较巧妙,每个event 对应的处理函数,是在一个大的数组中,用事件的子事件(低8bit)来寻址,这有点分页的意味了。
这里该事件真正的处理函数是bta_dm_ble_observe:并调用如下代码:
((status = BTM_BleObserve(TRUE, p_data->ble_observe.duration, bta_dm_observe_results_cb, bta_dm_observe_cmpl_cb))!= BTM_CMD_STARTED)
这里我们发现,函数调用已经进入到stack里面了,BTM_BleObserve,看看其具体实现,这里我们应该还记得,这里的第二个参数传进来的时候是0:
tBTM_STATUS BTM_BleObserve(BOOLEAN start, UINT8 duration, tBTM_INQ_RESULTS_CB *p_results_cb, tBTM_CMPL_CB *p_cmpl_cb){... UINT32 scan_interval = !p_inq->scan_interval ? BTM_BLE_GAP_DISC_SCAN_INT : p_inq->scan_interval;//发现参数是优先使用inquiry的参数 UINT32 scan_window = !p_inq->scan_window ? BTM_BLE_GAP_DISC_SCAN_WIN : p_inq->scan_window;... if (start) { /* shared inquiry database, do not allow observe if any inquiry is active */ if (BTM_BLE_IS_OBS_ACTIVE(btm_cb.ble_ctr_cb.scan_activity))//如果有observe 直接返回 { BTM_TRACE_ERROR("%s Observe Already Active", __func__); return status; } btm_cb.ble_ctr_cb.p_obs_results_cb = p_results_cb; btm_cb.ble_ctr_cb.p_obs_cmpl_cb = p_cmpl_cb; status = BTM_CMD_STARTED; /* scan is not started */ if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity))//没有其他的scan 行为才继续执行 { /* allow config of scan type */ p_inq->scan_type = (p_inq->scan_type == BTM_BLE_SCAN_MODE_NONE) ? BTM_BLE_SCAN_MODE_ACTI: p_inq->scan_type;... p_inq->scan_duplicate_filter = BTM_BLE_DUPLICATE_DISABLE; status = btm_ble_start_scan();//开始scan } if (status == BTM_CMD_STARTED) { btm_cb.ble_ctr_cb.scan_activity |= BTM_LE_OBSERVE_ACTIVE; if (duration != 0) /* start observer timer */ btu_start_timer (&btm_cb.ble_ctr_cb.obs_timer_ent, BTU_TTYPE_BLE_OBSERVE, duration);//这里注意,如果duration设置了,那么经过一定时间就会超时,然后会停止scan,如果没有设置这个值,就会一直scan } } 这里注意一下代码中有这样一句注释:shared inquiry database, do not allow observe if any inquiry is active,说明oberve的优先级还是很低的。从代码中也 可以看出只有当没有其他的scan的行为,observe才会继续进行。另外对于scan type 是active还是passive的问题,当p_inq->scan_interval 没有设置的话,就使用active,否则就使用当前的设置值。从这也可以看出,active 是优先被使用的。
最后看看btm_ble_start_scan的实现,这个就很简单了,直接通过HCI 来发送命令了:
tBTM_STATUS btm_ble_start_scan(void){ tBTM_BLE_INQ_CB *p_inq = &btm_cb.ble_ctr_cb.inq_var; tBTM_STATUS status = BTM_CMD_STARTED; /* start scan, disable duplicate filtering */ if (!btsnd_hcic_ble_set_scan_enable (BTM_BLE_SCAN_ENABLE, p_inq->scan_duplicate_filter))//HCI command { status = BTM_NO_RESOURCES; } else { if (p_inq->scan_type == BTM_BLE_SCAN_MODE_ACTI) btm_ble_set_topology_mask(BTM_BLE_STATE_ACTIVE_SCAN_BIT);//更新拓扑 else btm_ble_set_topology_mask(BTM_BLE_STATE_PASSIVE_SCAN_BIT); } return status;}
scan结果的回报:
前面注册的时候,我们看到
case BTIF_GATTC_SCAN_START: btif_gattc_init_dev_cb(); BTA_DmBleObserve(TRUE, 0, bta_scan_results_cb); break;
其回调函数是bta_scan_results_cb,当搜索结果上来的时候,该函数会被调用:
static void bta_scan_results_cb (tBTA_DM_SEARCH_EVT event, tBTA_DM_SEARCH *p_data){... switch (event) { case BTA_DM_INQ_RES_EVT: {... } break; case BTA_DM_INQ_CMPL_EVT: {... } btif_transfer_context(btif_gattc_upstreams_evt, BTIF_GATT_OBSERVE_EVT, (char*) &btif_cb, sizeof(btif_gattc_cb_t), NULL);} 代码中针对BTA_DM_INQ_RES_EVT和BTA_DM_INQ_CMPL_EVT 都会有自己的一些处理,但是最后都要经过btif_gattc_upstreams_evt的处理,并且是event = BTIF_GATT_OBSERVE_EVT
看具体的代码实现:
case BTIF_GATT_OBSERVE_EVT: { btif_gattc_cb_t *p_btif_cb = (btif_gattc_cb_t*) p_param;... BTIF_STORAGE_FILL_PROPERTY(&properties, BT_PROPERTY_TYPE_OF_DEVICE, sizeof(dev_type), &dev_type); btif_storage_set_remote_device_property(&(p_btif_cb->bd_addr), &properties); HAL_CBACK(bt_gatt_callbacks, client->scan_result_cb, &p_btif_cb->bd_addr, p_btif_cb->rssi, p_btif_cb->value); break; } 上面做的主要就是保存设备的属性,以及向上层汇报相关的设备信息:使用bt_gatt_callbacks中的 client->scan_result_cb,接口。
那这个接口是哪里来的呢?
static bt_status_t btif_gatt_init( const btgatt_callbacks_t* callbacks ){ bt_gatt_callbacks = callbacks; return BT_STATUS_SUCCESS;} 发现是gatt 模块init的时候赋值的,那么我们就知道其callback 来源于JNI层面:
static const btgatt_callbacks_t sGattCallbacks = { sizeof(btgatt_callbacks_t), &sGattClientCallbacks, &sGattServerCallbacks}; static const btgatt_client_callbacks_t sGattClientCallbacks = { btgattc_register_app_cb, btgattc_scan_result_cb,//此函数 btgattc_open_cb,... 通过JNI方法的回调:
void btgattc_scan_result_cb(bt_bdaddr_t* bda, int rssi, uint8_t* adv_data){... sCallbackEnv->CallVoidMethod(mCallbacksObj, method_onScanResult , address, rssi, jb);//调用method_onScanResult ... checkAndClearExceptionFromCallback(sCallbackEnv, __FUNCTION__); }
这个方法的实现是在java层,那到底对应于哪一个文件呢?
int register_com_android_bluetooth_gatt(JNIEnv* env){ int register_success = jniRegisterNativeMethods(env, "com/android/bluetooth/gatt/ScanManager$ScanNative", sScanMethods, NELEM(sScanMethods)); register_success &= jniRegisterNativeMethods(env, "com/android/bluetooth/gatt/AdvertiseManager$AdvertiseNative", sAdvertiseMethods, NELEM(sAdvertiseMethods)); return register_success & jniRegisterNativeMethods(env, "com/android/bluetooth/gatt/GattService", sMethods, NELEM(sMethods));} 发现sMethods对应于"com/android/bluetooth/gatt/GattService" ,那我们知道其实现是在GattService.java里面。看具体的实现:
void onScanResult(String address, int rssi, byte[] adv_data) { if (VDBG) Log.d(TAG, "onScanResult() - address=" + address + ", rssi=" + rssi); List remoteUuids = parseUuids(adv_data); for (ScanClient client : mScanManager.getRegularScanQueue()) { if (client.uuids.length > 0) { int matches = 0; for (UUID search : client.uuids) { for (UUID remote: remoteUuids) { if (remote.equals(search)) { ++matches; break; // Only count 1st match in case of duplicates } } } if (matches < client.uuids.length) continue; } if (!client.isServer) { ClientMap.App app = mClientMap.getById(client.clientIf); if (app != null) { BluetoothDevice device = BluetoothAdapter.getDefaultAdapter() .getRemoteDevice(address); ScanResult result = new ScanResult(device, ScanRecord.parseFromBytes(adv_data), rssi, SystemClock.elapsedRealtimeNanos()); // Do no report if location mode is OFF or the client has no location permission // PEERS_MAC_ADDRESS permission holders always get results if (hasScanResultPermission(client) && matchesFilters(client, result)) { try { ScanSettings settings = client.settings; if ((settings.getCallbackType() & ScanSettings.CALLBACK_TYPE_ALL_MATCHES) != 0) { app.callback.onScanResult(result); } } catch (RemoteException e) { Log.e(TAG, "Exception: " + e); mClientMap.remove(client.clientIf); mScanManager.stopScan(client); } } } } else { ServerMap.App app = mServerMap.getById(client.clientIf); if (app != null) { try { app.callback.onScanResult(address, rssi, adv_data); } catch (RemoteException e) { Log.e(TAG, "Exception: " + e); mServerMap.remove(client.clientIf); mScanManager.stopScan(client); } } } } } 到这里呢,协议栈就将关于设备的信息上传到bluetooth.apk了,在这个函数里面,我们可以看到其最终调用到app.callback.onScanResult(address, rssi, adv_data);,这边应该是回调到更上一层应用。