opendroneid / transmitter-linux

Example Open Drone ID Linux transmitter for Bluetooth and Wi-Fi.
Apache License 2.0

transmit 5 p transmits *something* but does not show up in android drone apps. #12

Open MichiganBroadband opened 1 year ago

MichiganBroadband commented 1 year ago

In summary, the BT5 long range test does not work or show up in the Android remoteID apps that I am testing. It transmits something, and it does show up in the nRF Connect app on my Android phone.
Phone is a Samsung S23 Ultra.
OpenDroneID app says it is supporting Coded PHY and Extended Advertising.
But nothing shows up in the app when I "transmit 5 p". When testing transmit, the nRF Connect app on the phone shows MAC, signal, Device type: (unknown), Advertising type: Bluetooth Advertising Extension, Data status: Complete, Primary PHY: LE Coded, Secondary PHY: LE Coded, Advertising Set ID: 0. So it seems to be "working", transmitting something, but not showing up in the remoteID Android apps that I have tested. Transmitter is using "A BT5 USB adapter/dongle of the brand ONVIAN and with the chipset RTL8761B" as is mentioned in the Readme here.

While transmitting, the output displayed is:

./transmit 5 p
Supported Low Energy Bluetooth features:
Features: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Supported Low Energy Bluetooth features:
Features: 0xbd 0x5f 0x66 0x00 0x00 0x00 0x00 0x00
LE Encryption
Extended Reject Indication
Slave-initiated Features Exchange
LE Ping
LE Data Packet Length Extension
Extended Scanner Filter Policies
LE 2M PHY
Stable Modulation Index - Transmitter
Stable Modulation Index - Receiver
LE Coded PHY
LE Extended Advertising
Channel Selection Algorithm #2
Connection CTE Request
Connection CTE Response
Antenna Switching During CTE Transmission (AoD)
Antenna Switching During CTE Reception (AoA)
Supported Low Energy Bluetooth features:
Features: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
The transmit power is set to 0 dBm

I also sent Gabriel an email that I am interested in participating here. My email to him contained some additional (and repeated) details as follows:

I was able to get the Linux transmitter to work.
It works on Bluetooth 4,
but is not working on Bluetooth 5 Long Range + Extended Advertising, which is of course what I am most interested in.

I can tell that the Bluetooth radio is actually transmitting something when I "transmit 5 p" or "transmit 5", as I have a spectrum analyzer and microwave audible power envelope detector nearby.

I am using the Android OpenDroneID 3.4.3 app on a Samsung S23, and also using DroneScanner (dronetag) v1.5.2.

Both apps decode/display properly when I "transmit l"

I am using a common/popular Realtek USB BT5 adapter.
An RTL8761B, as is mentioned as working in the documentation for the Linux transmitter.

I am looking to participate and may need a little help on software matters.
Right now I'm not sure why the BT5 functions are not working as expected.

If you have access to, or try, this hardware on your end, there is a current bug in Debian that requires you to switch firmware files. But it seems to work fine after you do this.

See: https://bugs.kali.org/view.php?id=8216

Also I believe I am testing with identical hardware that is referenced as working at : https://github.com/opendroneid/transmitter-linux

"A BT5 USB adapter/dongle of the brand ONVIAN and with the chipset RTL8761B has been tested on a PC with Ubuntu 20.04 and proven to be able to successfully transmit in Long Range mode."

Mine is the same and even same brand.
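The "Supported Low Energy Bluetooth features: Features: 0x.. ..." lines that ./transmit prints (quoted above) are the raw LE feature mask returned by the controller, LSB first, and the two bits a BT5 Long Range advertiser needs are LE Coded PHY (bit 11) and LE Extended Advertising (bit 12). The decoder below is an added example for this thread, not code from transmitter-linux; bit names for bits 0–23 follow the LE feature table of the Bluetooth Core Specification (current naming, so "Peripheral-initiated" rather than "Slave-initiated"), higher bits are reported by number only, and the sample lines are copied from the Realtek and Intel feature dumps quoted in this issue. It treats the all-zero dumps the tool also prints as "not capable", which is what such a mask literally says.

```python
"""Decode the LE feature mask printed by ./transmit and check whether the
controller advertises the bits needed for BT5 Long Range advertising.
Added example for this issue thread; not part of transmitter-linux."""

# Bits 0-23 of the LE feature mask (Bluetooth Core Specification naming).
LE_FEATURE_NAMES = {
    0: "LE Encryption",
    1: "Connection Parameter Request Procedure",
    2: "Extended Reject Indication",
    3: "Peripheral-initiated Features Exchange",
    4: "LE Ping",
    5: "LE Data Packet Length Extension",
    6: "LL Privacy",
    7: "Extended Scanner Filter Policies",
    8: "LE 2M PHY",
    9: "Stable Modulation Index - Transmitter",
    10: "Stable Modulation Index - Receiver",
    11: "LE Coded PHY",
    12: "LE Extended Advertising",
    13: "LE Periodic Advertising",
    14: "Channel Selection Algorithm #2",
    15: "LE Power Class 1",
    16: "Minimum Number of Used Channels Procedure",
    17: "Connection CTE Request",
    18: "Connection CTE Response",
    19: "Connectionless CTE Transmitter",
    20: "Connectionless CTE Receiver",
    21: "Antenna Switching During CTE Transmission (AoD)",
    22: "Antenna Switching During CTE Reception (AoA)",
    23: "Receiving Constant Tone Extensions",
}

CODED_PHY_BIT = 11      # LE Coded PHY (S2/S8 long range)
EXT_ADV_BIT = 12        # LE Extended Advertising


def parse_feature_line(line):
    """Turn 'Features: 0xbd 0x5f 0x66 0x00 ...' into 8 ints, octet 0 first."""
    hex_part = line.split("Features:", 1)[1]
    octets = [int(tok, 16) for tok in hex_part.split()]
    if len(octets) != 8:
        raise ValueError("expected 8 feature octets, got %d" % len(octets))
    return octets


def set_bits(octets):
    """Sorted list of feature bit numbers that are set (bit = octet*8 + pos)."""
    bits = []
    for i, octet in enumerate(octets):
        for b in range(8):
            if octet & (1 << b):
                bits.append(i * 8 + b)
    return bits


def feature_names(octets):
    """Human-readable names for the set bits, mirroring what btmon prints."""
    return [LE_FEATURE_NAMES.get(b, "bit %d" % b) for b in set_bits(octets)]


def long_range_capable(octets):
    """True only if both LE Coded PHY and LE Extended Advertising are set."""
    bits = set(set_bits(octets))
    return CODED_PHY_BIT in bits and EXT_ADV_BIT in bits


# Sample lines copied from the transmit output quoted in this thread.
REALTEK_LINE = "Features: 0xbd 0x5f 0x66 0x00 0x00 0x00 0x00 0x00"
INTEL_LINE = "Features: 0xff 0x59 0x01 0x38 0xae 0x00 0x00 0x00"
ZERO_LINE = "Features: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00"

if __name__ == "__main__":
    samples = (("Realtek RTL8761B", REALTEK_LINE),
               ("Intel AX210", INTEL_LINE),
               ("all-zero dump", ZERO_LINE))
    for label, line in samples:
        octets = parse_feature_line(line)
        print("%s: long-range capable = %s" % (label, long_range_capable(octets)))
        for name in feature_names(octets):
            print("    " + name)
```

Run against the two real dumps it reports both controllers as capable, and the feature lists it prints match the ones btmon decoded in the traces further down (16 features for the Realtek part, including the two Stable Modulation Index bits the Intel part lacks), so a mismatch between this decoder and what ./transmit prints would point at the tool's own feature read rather than the radio.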

friissoren commented 1 year ago

The log trace you copied seems okay.

Are you using sudo when starting the transmission?

I just tried with two USB Bluetooth modules that I had lying here. The tiny one on the left side gives the following dmesg trace when plugging it in:

[  584.179072] usb 1-7: new full-speed USB device number 38 using xhci_hcd
[  584.328345] usb 1-7: New USB device found, idVendor=0bda, idProduct=8771, bcdDevice= 2.00
[  584.328357] usb 1-7: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  584.328362] usb 1-7: Product: Bluetooth Radio
[  584.328365] usb 1-7: Manufacturer: Realtek
[  584.328368] usb 1-7: SerialNumber: 00E04C239987
[  584.333049] Bluetooth: hci0: RTL: examining hci_ver=0a hci_rev=000b lmp_ver=0a lmp_subver=8761
[  584.334015] Bluetooth: hci0: RTL: rom_version status=0 version=1
[  584.334028] Bluetooth: hci0: RTL: loading rtl_bt/rtl8761bu_fw.bin
[  584.334142] Bluetooth: hci0: RTL: loading rtl_bt/rtl8761bu_config.bin
[  584.334191] Bluetooth: hci0: RTL: cfg_sz 6, total sz 27814
[  584.474026] Bluetooth: hci0: RTL: fw version 0x09a98a6b

And the other one gives this:

[  903.559374] usb 1-7: new full-speed USB device number 39 using xhci_hcd
[  903.708687] usb 1-7: New USB device found, idVendor=0bda, idProduct=8771, bcdDevice= 2.00
[  903.708699] usb 1-7: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  903.708703] usb 1-7: Product: Bluetooth Radio
[  903.708707] usb 1-7: Manufacturer: Realtek
[  903.708710] usb 1-7: SerialNumber: 00E04C239987
[  903.713057] Bluetooth: hci0: RTL: examining hci_ver=0a hci_rev=000b lmp_ver=0a lmp_subver=8761
[  903.713988] Bluetooth: hci0: RTL: rom_version status=0 version=1
[  903.714005] Bluetooth: hci0: RTL: loading rtl_bt/rtl8761bu_fw.bin
[  903.714129] Bluetooth: hci0: RTL: loading rtl_bt/rtl8761bu_config.bin
[  903.714185] Bluetooth: hci0: RTL: cfg_sz 6, total sz 27814
[  903.854059] Bluetooth: hci0: RTL: fw version 0x09a98a6b

I.e. the same. They must have the same chip internally.

Both of these were able to get data through to a Samsung Galaxy S10 phone, using the sudo ./transmit 5 p command (and sudo ./transmit l). However, I did notice that doing sudo ./transmit 5 did not work for some reason. I am not sure but I seem to have a recollection that this last command did work with the Bluetooth chipset that was built into the Z490 motherboard I had some time ago.

They are both ordered from China/AliExpress. The tiny one didn't have any packaging when it arrived.

That ONVIAN dongle with the chipset RTL8761B, that is mentioned, was something that one other user tried. I don't have that exact HW myself. However, based on his comment, I ordered those two other dongles, since they seemed to match the chipset.

[image: bluetooth]

MichiganBroadband commented 1 year ago

Yes I am using sudo.
I also tried running directly as root and it behaves the same. Does not decode anything in both droneID apps on a Samsung s23 ultra.
sudo ./transmit l works fine and shows up on both android apps. But this is not what I am after.
I really want to see the BT5 long range work. :)

sudo ./transmit 5 p and sudo ./transmit 5

both actually transmit something, but it does not show up in the two Android remote ID apps. But as detailed above it DOES show up in the Android nRF Connect app,
and shows BT5 coded LE PHY in the details.

I do not know how to tell if "coded PHY" is actually the 2 bits per or 8 bits per symbol variant (500kbps or 128kbps). Can you tell me where this is set in the source code? And how can it be verified when transmitting? btmon?
Also, which variant are the Android RemoteID apps scanning for, one or both?

btmon during transmit:

Bluetooth monitor ver 5.66
= Note: Linux version 6.0.0-kali3-amd64 (x86_64) 0.672360
= Note: Bluetooth subsystem version 2.22 0.672366
= New Index: 8C:88:2B:03:BC:E1 (Primary,USB,hci0) [hci0] 0.672368
= Open Index: 8C:88:2B:03:BC:E1 [hci0] 0.672370
= Index Info: 8C:88:2B:0.. (Realtek Semiconductor Corporation) [hci0] 0.672372
@ MGMT Open: bluetoothd (privileged) version 1.22 {0x0001} 0.672374
@ RAW Open: transmit (privileged) version 2.22 {0x0002} 187.818467
@ RAW Close: transmit {0x0002} 187.818619
@ RAW Open: transmit (privileged) version 2.22 {0x0002} [hci0] 187.818720
< HCI Command: Reset (0x03|0x0003) plen 0 #1 [hci0] 187.818814
HCI Event: Command Complete (0x0e) plen 4 #2 [hci0] 187.901232 Reset (0x03|0x0003) ncmd 3 Status: Success (0x00)
< HCI Command: LE Set Advertise En.. (0x08|0x000a) plen 1 #3 [hci0] 187.902112 Advertising: Disabled (0x00)
HCI Event: Command Complete (0x0e) plen 4 #4 [hci0] 187.904231 LE Set Advertise Enable (0x08|0x000a) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended Adv.. (0x08|0x0039) plen 2 #5 [hci0] 187.904355 Extended advertising: Disabled (0x00) Number of sets: Disable all sets (0x00)
HCI Event: Command Complete (0x0e) plen 4 #6 [hci0] 187.907230 LE Set Extended Advertising Enable (0x08|0x0039) ncmd 2 Status: Success (0x00)
< HCI Command: LE Remove Advertisi.. (0x08|0x003c) plen 1 #7 [hci0] 187.907358 Handle: 0 Address: 00:00:00:00:00:00 (OUI 00-00-00)
HCI Event: Command Complete (0x0e) plen 4 #8 [hci0] 187.910230 LE Remove Advertising Set (0x08|0x003c) ncmd 2 Status: Command Disallowed (0x0c)
< HCI Command: LE Remove Advertisi.. (0x08|0x003c) plen 1 #9 [hci0] 187.910356 Handle: 1
HCI Event: Command Complete (0x0e) plen 4 #10 [hci0] 187.913230 LE Remove Advertising Set (0x08|0x003c) ncmd 2 Status: Command Disallowed (0x0c)
< HCI Command: LE Read Local Supp.. (0x08|0x0003) plen 0 #11 [hci0] 187.913292
HCI Event: Command Complete (0x0e) plen 12 #12 [hci0] 187.916229 LE Read Local Supported Features (0x08|0x0003) ncmd 2 Status: Success (0x00) Features: 0xbd 0x5f 0x66 0x00 0x00 0x00 0x00 0x00 LE Encryption Extended Reject Indication Peripheral-initiated Features Exchange LE Ping LE Data Packet Length Extension Extended Scanner Filter Policies LE 2M PHY Stable Modulation Index - Transmitter Stable Modulation Index - Receiver LE Coded PHY LE Extended Advertising Channel Selection Algorithm #2 Connection CTE Request Connection CTE Response Antenna Switching During CTE Transmission (AoD) Antenna Switching During CTE Reception (AoA)
< HCI Command: Reset (0x03|0x0003) plen 0 #13 [hci0] 187.916408
HCI Event: Command Complete (0x0e) plen 4 #14 [hci0] 187.928229 Reset (0x03|0x0003) ncmd 3 Status: Success (0x00)
< HCI Command: LE Set Extended A.. (0x08|0x0036) plen 25 #15 [hci0] 187.928315 Handle: 0x01 Properties: 0x0000 Min advertising interval: 950.000 msec (0x05f0) Max advertising interval: 950.000 msec (0x05f0) Channel map: 37, 38, 39 (0x07) Own address type: Random (0x01) Peer address type: Public (0x00) Peer address: 00:00:00:00:00:00 (OUI 00-00-00) Filter policy: Allow Scan Request from Any, Allow Connect Request from Any (0x00) TX power: Host has no preference (0x7f) Primary PHY: LE Coded (0x03) Secondary max skip: 0x00 Secondary PHY: LE Coded (0x03) SID: 0x00 Scan request notifications: Disabled (0x00)
HCI Event: Command Complete (0x0e) plen 5 #16 [hci0] 187.931224 LE Set Extended Advertising Parameters (0x08|0x0036) ncmd 2 Status: Success (0x00) TX power (selected): 0 dbm (0x00)
< HCI Command: LE Set Advertising.. (0x08|0x0035) plen 7 #17 [hci0] 187.931277 Advertising handle: 0x01 Advertising random address: C0:96:21:16:8B:C2 (Static)
HCI Event: Command Complete (0x0e) plen 4 #18 [hci0] 187.934229 LE Set Advertising Set Random Address (0x08|0x0035) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended Ad.. (0x08|0x0039) plen 8 #19 [hci0] 187.934494 Extended advertising: Enabled (0x01) Number of sets: 1 (0x01) Entry 0 Handle: 0x01 Duration: 0 ms (0x00) Max ext adv events: 0
HCI Event: Command Complete (0x0e) plen 4 #20 [hci0] 187.937228 LE Set Extended Advertising Enable (0x08|0x0039) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended A.. (0x08|0x0037) plen 35 #21 [hci0] 187.937360 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d0002123137333435323737313530303030303030303030000000
HCI Event: Command Complete (0x0e) plen 4 #22 [hci0] 187.940229 LE Set Extended Advertising Data (0x08|0x0037) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended A.. (0x08|0x0037) plen 35 #23 [hci0] 188.040516 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d0102424644333435344237373845353635433234423730000000
HCI Event: Command Complete (0x0e) plen 4 #24 [hci0] 188.043221 LE Set Extended Advertising Data (0x08|0x0037) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended A.. (0x08|0x0037) plen 35 #25 [hci0] 188.143495 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d001226b50000d8b52b1988851fce9808ac0870084a63150e0100
HCI Event: Command Complete (0x0e) plen 4 #26 [hci0] 188.146214 LE Set Extended Advertising Data (0x08|0x0037) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended A.. (0x08|0x0037) plen 35 #27 [hci0] 188.246492 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d002210023f003fab013132333435363738393031323334353637
HCI Event: Command Complete (0x0e) plen 4 #28 [hci0] 188.249206 LE Set Extended Advertising Data (0x08|0x0037) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended A.. (0x08|0x0037) plen 35 #29 [hci0] 188.349474 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d0122113132333435363738393031323334353637383930313233
HCI Event: Command Complete (0x0e) plen 4 #30 [hci0] 188.352199 LE Set Extended Advertising Data (0x08|0x0037) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended A.. (0x08|0x0037) plen 35 #31 [hci0] 188.452471 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d0222123132333435363738393031323334353637383930313233
HCI Event: Command Complete (0x0e) plen 4 #32 [hci0] 188.455184 LE Set Extended Advertising Data (0x08|0x0037) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended A.. (0x08|0x0037) plen 35 #33 [hci0] 188.555402 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d0032004d696c616e20466c7965727320323032332d2d2d000000
HCI Event: Command Complete (0x0e) plen 4 #34 [hci0] 188.558184 LE Set Extended Advertising Data (0x08|0x0037) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended A.. (0x08|0x0037) plen 35 #35 [hci0] 188.658434 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d00420410270000f0d8ffff010000d007d00712f907d51cac0100
HCI Event: Command Complete (0x0e) plen 4 #36 [hci0] 188.661177 LE Set Extended Advertising Data (0x08|0x0037) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended A.. (0x08|0x0037) plen 35 #37 [hci0] 188.761410 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d00520046494e38376173747264676531326b3800000000ac0100
HCI Event: Command Complete (0x0e) plen 4 #38 [hci0] 188.764172 LE Set Extended Advertising Data (0x08|0x0037) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Advertise E.. (0x08|0x000a) plen 1 #39 [hci0] 188.864445 Advertising: Disabled (0x00)
HCI Event: Command Complete (0x0e) plen 4 #40 [hci0] 188.867162 LE Set Advertise Enable (0x08|0x000a) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended Ad.. (0x08|0x0039) plen 2 #41 [hci0] 188.867309 Extended advertising: Disabled (0x00) Number of sets: Disable all sets (0x00)
HCI Event: Command Complete (0x0e) plen 4 #42 [hci0] 188.870161 LE Set Extended Advertising Enable (0x08|0x0039) ncmd 2 Status: Success (0x00)
< HCI Command: LE Remove Advertis.. (0x08|0x003c) plen 1 #43 [hci0] 188.870305 Handle: 0 Address: 00:00:00:00:00:00 (OUI 00-00-00)
HCI Event: Command Complete (0x0e) plen 4 #44 [hci0] 188.873154 LE Remove Advertising Set (0x08|0x003c) ncmd 2 Status: Command Disallowed (0x0c)
< HCI Command: LE Remove Advertis.. (0x08|0x003c) plen 1 #45 [hci0] 188.873265 Handle: 1
HCI Event: Command Complete (0x0e) plen 4 #46 [hci0] 188.876161 LE Remove Advertising Set (0x08|0x003c) ncmd 2 Status: Success (0x00)
@ RAW Close: transmit {0x0002} [hci0] 188.876293

MichiganBroadband commented 1 year ago

Screenshot showing (sudo ./transmit 5) RX on the nRF Connect app. [image: Screenshot2_nRF Connect]

MichiganBroadband commented 1 year ago

Also, if you try to transmit with this dongle yourself, keep in mind there is a Debian bug where you have to switch/rename the firmware files I mentioned above in the post. :)

For reference and if helpful:

https://bugs.kali.org/view.php?id=8216

-and-

https://www.spinics.net/lists/linux-bluetooth/msg103399.html

friissoren commented 1 year ago

On the Android receiver side, it is not possible to distinguish between the S2 and S8 coded PHY modes. They are both turned on via the API and it then depends on the underlying HW and driver SW which of those is actually being listened to, and whether it listens to both the primary and/or the secondary one, and how often. See some of the comments here.

On the transmitter side, as far as I could see, the coded PHY gets turned on here, but again, it is not possible to tell the underlying HW and driver SW exactly which mode to use and whether it should be used for both the primary and secondary PHY.

In your screenshot from the nRF Connect app, it looks like it sees something but for whatever reason doesn't receive all the data? I have attached a screenshot from the S10 phone when receiving from the little dongle pictured earlier. [image: Screenshot]

I also took a log from btmon on the transmit side and tried to compare that against what you provided. I didn't really see any significant difference. [attachment: log.txt]

I am not sure how else to help with this. This must have something to do with the HW and/or SW driver on either the transmitter or receiver side. Those are unfortunately difficult to debug. Do you have any chance to try either a different Bluetooth dongle or a different receiver phone?

We don't have the S23 as a confirmed device in the receiver list yet, but since the S10, S20, S21 and S22 are all good, you could imagine that also the S23 is okay? Please be aware that Samsung usually makes two different variants for different regions and they have entirely different chipset internally (Exynos vs Snapdragon).

MichiganBroadband commented 1 year ago

Wow yeah, it's obvious yours has that big blob of data and mine does not :(
No "Service Data", but it shows "Data Status: Complete". I think that means not truncated/cut off, so it got something completely. I wish I had access to another phone like an S10.
Everything else I currently have access to is only BT4. I don't have any newer DJI drones with remoteID nor access to a $300US module that transmits it yet.
I was going to try one of my Intel BT5 bluetooth cards. (combo/wifi/63/BT5 AX201/211) to see how that behaves.
The fact that nRF Connect is not showing the data blob like yours is likely (or almost obviously) why it's not showing up in the remoteID apps.
I'm sorta suspecting the phone which sucks as I can't really do much about that :(
Getting a new phone to play with this was part of my decision to get a new phone.
It's the Snapdragon/US version.
I have a friend with a DJI-3 drone but you guessed it.
Like everyone else he wants to hold off on "forced" remote ID.
It's a pain in the ass as DJI makes you keep the phone usb connected to the remote/goggles with it.
Otherwise you get a giant remote ID error on the display with no way to turn it off.
But it would be nice to also have access to a "real" remoteID transmitter for reference.

MichiganBroadband commented 1 year ago

I tried with completely different Bluetooth transmitter hardware.
Intel (WiFi 6E Bluetooth 5.2 Card | Intel WiFi 6E AX210)
This is a PCIe card that has Intel Wifi and Intel Bluetooth on the board.
The Bluetooth still uses a USB interface; there is a breakaway cable that just plugs into a USB port on the motherboard. I am seeing the same exact over-the-air results with nRF Connect and no data blob. I will need to find another phone or receiver to test with (not easy to find).
And I also need to see what happens with my S23 Ultra with an actual RemoteID transmitter if I can ever get near one.

(edit)
I meant to include this for the Intel Bluetooth:

[ 8456.893792] usb 2-7: USB disconnect, device number 4
[ 8481.648279] usb 2-7: new full-speed USB device number 5 using ohci-pci
[ 8481.886843] usb 2-7: New USB device found, idVendor=8087, idProduct=0032, bcdDevice= 0.00
[ 8481.886860] usb 2-7: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 8481.899840] Bluetooth: hci0: Firmware timestamp 2022.51 buildtype 1 build 56683
[ 8481.904753] bluetooth hci0: firmware: direct-loading firmware intel/ibt-0041-0041.sfi
[ 8481.904772] Bluetooth: hci0: Found device firmware: intel/ibt-0041-0041.sfi
[ 8481.904901] Bluetooth: hci0: Boot Address: 0x100800
[ 8481.904907] Bluetooth: hci0: Firmware Version: 107-51.22
[ 8481.904913] Bluetooth: hci0: Firmware already loaded
[ 8482.058253] Bluetooth: MGMT ver 1.22
(end edit)

When using the Intel Bluetooth while transmitting, it spits out "Command 0x37 returned error 0x7" each time it transmits, and then "Command 0xA returned error 0xC" when it completes. Also at the beginning it prints "

But it appears to be working the same as the Realtek dongle, with the exception of this new error line output on each TX,
and error 0xC when it is finished.
Also noted different from the Realtek: this spits out "The transmit power is set to 7 dBm" at the beginning of transmitting, whereas with the Realtek connected it spit out "The transmit power is set to 7 dBm". I can see by field strength measurement that the transmit power (actual over-the-air signal power) is actually about the same, and is in the +7dBm area as was the Realtek, despite that printing out zero dBm as it was transmitting.

./transmit 5 p
Supported Low Energy Bluetooth features:
Features: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Command 0x39 returned error 0xC
Supported Low Energy Bluetooth features:
Features: 0xff 0x59 0x01 0x38 0xae 0x00 0x00 0x00
LE Encryption
Connection Parameter Request Procedure
Extended Reject Indication
Slave-initiated Features Exchange
LE Ping
LE Data Packet Length Extension
LL Privacy
Extended Scanner Filter Policies
LE 2M PHY
LE Coded PHY
LE Extended Advertising
Channel Selection Algorithm #2
Minimum Number of Used Channels Procedure
Remote Public Key Validation
Connected Isochronous Stream - Master
Connected Isochronous Stream - Slave
Unknown features (0x000000ae00000000)
Supported Low Energy Bluetooth features:
Features: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
The transmit power is set to 7 dBm
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0xA returned error 0xC

btmon

Bluetooth monitor ver 5.66
= Note: Linux version 6.0.0-kali3-amd64 (x86_64) 0.027603
= Note: Bluetooth subsystem version 2.22 0.027610
= New Index: 8C:B8:7E:53:F3:21 (Primary,USB,hci0) [hci0] 0.027612
= Open Index: 8C:B8:7E:53:F3:21 [hci0] 0.027613
= Index Info: 8C:B8:7E:53:F3:21 (Intel Corp.) [hci0] 0.027616
@ MGMT Open: bluetoothd (privileged) version 1.22 {0x0001} 0.027619
@ RAW Open: transmit (privileged) version 2.22 {0x0002} 16.760861
@ RAW Close: transmit {0x0002} 16.761016
@ RAW Open: transmit (privileged) version 2.22 {0x0002} [hci0] 16.761136
< HCI Command: Reset (0x03|0x0003) plen 0 #1 [hci0] 16.761257
HCI Event: Command Complete (0x0e) plen 4 #2 [hci0] 16.856547 Reset (0x03|0x0003) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Advertise Enable (0x08|0x000a) plen 1 #3 [hci0] 16.856911 Advertising: Disabled (0x00)
HCI Event: Command Complete (0x0e) plen 4 #4 [hci0] 16.859544 LE Set Advertise Enable (0x08|0x000a) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Enable (0x08|0x0039) plen 2 #5 [hci0] 16.859830 Extended advertising: Disabled (0x00) Number of sets: Disable all sets (0x00)
HCI Event: Command Complete (0x0e) plen 4 #6 [hci0] 16.862544 LE Set Extended Advertising Enable (0x08|0x0039) ncmd 1 Status: Command Disallowed (0x0c)
< HCI Command: LE Remove Advertising Set (0x08|0x003c) plen 1 #7 [hci0] 16.862835 Handle: 0 Address: 00:00:00:00:00:00 (OUI 00-00-00)
HCI Event: Command Complete (0x0e) plen 4 #8 [hci0] 16.865543 LE Remove Advertising Set (0x08|0x003c) ncmd 1 Status: Command Disallowed (0x0c)
< HCI Command: LE Remove Advertising Set (0x08|0x003c) plen 1 #9 [hci0] 16.865838 Handle: 1
HCI Event: Command Complete (0x0e) plen 4 #10 [hci0] 16.868544 LE Remove Advertising Set (0x08|0x003c) ncmd 1 Status: Command Disallowed (0x0c)
< HCI Command: LE Read Local Supported Features (0x08|0x0003) plen 0 #11 [hci0] 16.868827
HCI Event: Command Complete (0x0e) plen 12 #12 [hci0] 16.871543 LE Read Local Supported Features (0x08|0x0003) ncmd 1 Status: Success (0x00) Features: 0xff 0x59 0x01 0x38 0xae 0x00 0x00 0x00 LE Encryption Connection Parameter Request Procedure Extended Reject Indication Peripheral-initiated Features Exchange LE Ping LE Data Packet Length Extension LL Privacy Extended Scanner Filter Policies LE 2M PHY LE Coded PHY LE Extended Advertising Channel Selection Algorithm #2 Minimum Number of Used Channels Procedure Remote Public Key Validation Connected Isochronous Stream - Central Connected Isochronous Stream - Peripheral LE Power Control Request LE Power Control Request LE Path Loss Monitoring Connection Subrating Channel Classification
< HCI Command: Reset (0x03|0x0003) plen 0 #13 [hci0] 16.871955
HCI Event: Command Complete (0x0e) plen 4 #14 [hci0] 16.895545 Reset (0x03|0x0003) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Parameters (0x08|0x0036) plen 25 #15 [hci0] 16.896131 Handle: 0x01 Properties: 0x0000 Min advertising interval: 950.000 msec (0x05f0) Max advertising interval: 950.000 msec (0x05f0) Channel map: 37, 38, 39 (0x07) Own address type: Random (0x01) Peer address type: Public (0x00) Peer address: 00:00:00:00:00:00 (OUI 00-00-00) Filter policy: Allow Scan Request from Any, Allow Connect Request from Any (0x00) TX power: Host has no preference (0x7f) Primary PHY: LE Coded (0x03) Secondary max skip: 0x00 Secondary PHY: LE Coded (0x03) SID: 0x00 Scan request notifications: Disabled (0x00)
HCI Event: Command Complete (0x0e) plen 5 #16 [hci0] 16.898528 LE Set Extended Advertising Parameters (0x08|0x0036) ncmd 1 Status: Success (0x00) TX power (selected): 7 dbm (0x07)
< HCI Command: LE Set Advertising Set Random Address (0x08|0x0035) plen 7 #17 [hci0] 16.898716 Advertising handle: 0x01 Advertising random address: 2F:1C:45:7C:59:C2 (Non-Resolvable)
HCI Event: Command Complete (0x0e) plen 4 #18 [hci0] 16.901542 LE Set Advertising Set Random Address (0x08|0x0035) ncmd 1 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Enable (0x08|0x0039) plen 8 #19 [hci0] 16.901827 Extended advertising: Enabled (0x01) Number of sets: 1 (0x01) Entry 0 Handle: 0x01 Duration: 0 ms (0x00) Max ext adv events: 0
HCI Event: Command Complete (0x0e) plen 4 #20 [hci0] 16.904542 LE Set Extended Advertising Enable (0x08|0x0039) ncmd 2 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 35 #21 [hci0] 16.904687 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d0002123137333435323737313530303030303030303030000000
HCI Event: Command Complete (0x0e) plen 4 #22 [hci0] 16.907542 LE Set Extended Advertising Data (0x08|0x0037) ncmd 1 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 35 #23 [hci0] 17.007829 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d0102424644333435344237373845353635433234423730000000
HCI Event: Command Complete (0x0e) plen 4 #24 [hci0] 17.010541 LE Set Extended Advertising Data (0x08|0x0037) ncmd 1 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 35 #25 [hci0] 17.110827 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d001226b50000d8b52b1988851fce9808ac0870084a63150e0100
HCI Event: Command Complete (0x0e) plen 4 #26 [hci0] 17.113534 LE Set Extended Advertising Data (0x08|0x0037) ncmd 1 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 35 #27 [hci0] 17.213813 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d002210023f003fab013132333435363738393031323334353637
HCI Event: Command Complete (0x0e) plen 4 #28 [hci0] 17.216530 LE Set Extended Advertising Data (0x08|0x0037) ncmd 1 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 35 #29 [hci0] 17.316808 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d0122113132333435363738393031323334353637383930313233
HCI Event: Command Complete (0x0e) plen 4 #30 [hci0] 17.319526 LE Set Extended Advertising Data (0x08|0x0037) ncmd 1 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 35 #31 [hci0] 17.419797 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d0222123132333435363738393031323334353637383930313233
HCI Event: Command Complete (0x0e) plen 4 #32 [hci0] 17.422525 LE Set Extended Advertising Data (0x08|0x0037) ncmd 1 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 35 #33 [hci0] 17.522808 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d0032004d696c616e20466c7965727320323032332d2d2d000000
HCI Event: Command Complete (0x0e) plen 4 #34 [hci0] 17.525518 LE Set Extended Advertising Data (0x08|0x0037) ncmd 1 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 35 #35 [hci0] 17.625802 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d00420410270000f0d8ffff010000d007d00712f907d51cac0100
HCI Event: Command Complete (0x0e) plen 4 #36 [hci0] 17.628514 LE Set Extended Advertising Data (0x08|0x0037) ncmd 1 Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 35 #37 [hci0] 17.728791 Handle: 0x01 Operation: Complete extended advertising data (0x03) Fragment preference: Minimize fragmentation (0x01) Data length: 0x1f Service Data: Unknown (0xfffa) Data: 0d00520046494e38376173747264676531326b3800000000ac0100
HCI Event: Command Complete (0x0e) plen 4 #38 [hci0] 17.731510 LE Set Extended Advertising Data (0x08|0x0037) ncmd 1 Status: Success (0x00)
< HCI Command: LE Set Advertise Enable (0x08|0x000a) plen 1 #39 [hci0] 17.831781 Advertising: Disabled (0x00)
HCI Event: Command Complete (0x0e) plen 4 #40 [hci0] 17.834508 LE Set Advertise Enable (0x08|0x000a) ncmd 1 Status: Command Disallowed (0x0c)
< HCI Command: LE Set Extended Advertising Enable (0x08|0x0039) plen 2 #41 [hci0] 17.834686 Extended advertising: Disabled (0x00) Number of sets: Disable all sets (0x00)
HCI Event: Command Complete (0x0e) plen 4 #42 [hci0] 17.837506 LE Set Extended Advertising Enable (0x08|0x0039) ncmd 2 Status: Success (0x00)
< HCI Command: LE Remove Advertising Set (0x08|0x003c) plen 1 #43 [hci0] 17.837654 Handle: 0 Address: 00:00:00:00:00:00 (OUI 00-00-00)
HCI Event: Command Complete (0x0e) plen 4 #44 [hci0] 17.841505 LE Remove Advertising Set (0x08|0x003c) ncmd 1 Status: Unknown Advertising Identifier (0x42)
< HCI Command: LE Remove Advertising Set (0x08|0x003c) plen 1 #45 [hci0] 17.841652 Handle: 1
HCI Event: Command Complete (0x0e) plen 4 #46 [hci0] 17.845505 LE Remove Advertising Set (0x08|0x003c) ncmd 1 Status: Success (0x00)
@ RAW Close: transmit

MichiganBroadband commented 1 year ago

OK, this is interesting.
With the Intel hardware I am getting a small bit of data.
It's not as large as your screenshot shows.
And this is on my same S23 ultra. (screenshot: Intel-BT-)

MichiganBroadband commented 1 year ago

Also, I only see this small data block if I ./transmit 5, and no data block ever if I ./transmit 5 p. But with Realtek I never see any data block if I do either the "5" or "5 p" command.

MichiganBroadband commented 1 year ago

Also, the small data block is the same size every time; it cuts off at the same place.

gabrielcox commented 1 year ago

That last screenshot looks like a standard BT Legacy (BT4 style) packet format (message type 0x0, protocol version 0x2) for RID rather than the series of messages encapsulated in a "MessagePack" (Message Type 0xF, Protocol Version 0x2). Can you try sending a message pack with several encapsulated messages (ID, Location/Vector, System)?

I think you may be close if you do that ^^^ .

MichiganBroadband commented 1 year ago

Hi Gabriel,

This is actually an extra very helpful clue.

As it sits, I discovered today that with the Intel Bluetooth5 I get a very intermittent “small block of data” showing up in NRF Connect, as shown, but ONLY if I do not send a MessagePack.
Which completely explains why my data block is “smaller” than the other example from friissoren. So it's working a little and intermittently.
It is also showing up in the droneID apps (BT5) when I do this. It's not consistent, but some are getting decoded and showing up. I'm also getting those two new errors printed with the Intel BT5. I'm almost certain that it's not working at all whatsoever, even without message packs, on the Realtek BT5. I will double check this is the case.
And for certain no printed errors on the Realtek when transmitting.

MichiganBroadband commented 1 year ago

This is a bit of a mess. In NRF Connect with the Intel USB it shows every once in a while, maybe one in 20-30 times, when transmitting "5" (without message blocks). Sometimes it shows up after 5 or 6 tries transmitting, and it always shows the single message (UAS ID) when it works this way. It seems to decode far more often in NRF Connect than it does in either droneID app I am testing. This is the ONLY config that has worked, and very, very intermittently; most of the time not.
When transmitting "5 m" it shows up in NRF Connect every single time, reliably, but with no data field (blank).
Which of course shows nothing in the DroneID apps, but decodes consistently/reliably in NRF Connect. If I put the Realtek back in (Intel removed/unplugged, everything restarted/power cycled),
both transmit modes decode in NRF Connect every time, reliably, but have the zero data length problem.
The fact that I can send "5" no messageblocks and it shows up in the DroneID apps (both of them) every once in a great while and only on the Intel BT5 is some kind of progress so far.
It's a mess but it did actually work a little.
And I'm certain that was not BT4, it was 5 coded PHY.
No clue which of the two coded PHYs it uses, as I have no way to tell, but it's one of them for certain. I will try other phones and hopefully an actual DJI3 drone sometime when I am able as well.
But I suspect the transmitter more than I suspect the receiver (my phone at this point).

friissoren commented 1 year ago

It is possible that there are some problems with the transmit interval and the time between changing the content of the messages being sent. You could first try to experiment with changing the transmit interval: (Keep in mind that those fields are little endian when you modify them.)

Possibly also modify the interval between changing the content of the message data. This will probably only have an effect when not using message packs.

BTW: If you manage to find a DJI drone that transmits remote ID, it will most likely not be using Bluetooth, but will use the Wi-Fi Beacon transmit method. To increase the chance of receiving those signals, disable the Wi-Fi scan throttling on the Android device.

MichiganBroadband commented 1 year ago

In regard to the DJI comment:
My understanding is that in order to be compliant the device needs to simultaneously transmit three signals: Wi-Fi, BT4 advertisements (legacy) and BT5 extended range.
I expect that of the DJI (3) and newer drones which are listed as compliant, and of any module such as a Dronetag.
I think that any compliant type device is sending all three types simultaneously.
Certainly correct me if I'm wrong and I may need to go back and read the spec.
But I'm pretty sure it's all three at once, not just one of any of them.
So I think if I were to get my hands on or near a Newer DJI drone with latest firmware I'd be able to test all three.

MichiganBroadband commented 1 year ago

I'd like to really keep going at this and make some more progress.
Is it ok to keep posting notes and questions here? I could see this getting long and detailed here and hard to follow or reference. Or is there a preferred email list or Discord or IRC or forum to continue any collaboration and bring on any other interested people who would like to work on it?
Should I create a forum or anything like that?
Or just keep at it here as I am now?
Thanks!

MichiganBroadband commented 1 year ago

I have never been able to send a successful "message packs" transmission.
They always send but show blank data field in NRF Connect.
With Intel or Realtek hardware.

gabrielcox commented 1 year ago

Regarding minimum RID requirements, it's "(Wi-Fi Beacon OR (BT5 AND BT4))". This is defined in the RID MOC to the Part 89 rule.

I believe (but not 100% sure) DJI may have taken the WiFi Beacon (only) route since many of their products already have Wi-Fi radios integrated. The reason a phone has to be in the base station is likely because the (required) operator location is acquired from the phone (again, not 100% sure, but this would be a compliant method of implementation).

MichiganBroadband commented 1 year ago

Hey, Thanks for the clarification. Really good to know. I will study this further as well. I’m a bit surprised that Wi-Fi alone meets the requirement and from lots of experience pretty much know what performance/range to expect from it 😊 But that’s just how my mind works.

I also sent a message to dronetag asking them what they have implemented in their modules. -SG

MichiganBroadband commented 1 year ago

Bad to worse; I might need to take a breather.
Yesterday I was able to get very intermittent decodes only in non-message-pack BT5 coded PHY.
Now I cannot get it to decode/work at all whatsoever.
And in NRF connect it is now rarely showing any decode but still receives a short packet once in a great while with many transmit tries.
Not consistent at all and different than before and I have not changed anything at all.
A bit frustrating just trying to find a base to start from.
This is only on the Intel Bluetooth5. The Realtek is 100% consistent: I get a decode on NRF Connect every single transmission regardless of message packs or not, but NO data.

On the Intel I was getting data on non-message packs yesterday and a BT5 decode in the OpenDroneID app once in a great while.
But getting RX in NRF Connect every time, and zero data on message packs.

Anyhow I have a mess to sort out. I'm working on getting somebody to lend me a note-10 and a fold-2 that have BT5 to see if they behave any differently.
I am not a programmer so I will need to learn how to do that part of this.
I have some familiarity and a comfort level diving into this but much of it is new to me in the source code work.

MichiganBroadband commented 1 year ago

dronetag is doing BT4+BT5 no wifi.
And I need to get my hands on a DJI to find out for sure what they are doing.
And probably WIFI like you suggested.
I would not be surprised if they were actually able to do BT4+BT5+wifi in their baseband chipset.
Although I realize they most likely could not do the Wi-Fi without significantly impacting performance on their OcuSync 2 stuff.
But they also may have more powerful hardware in the V3 drones vs what's in the older Mavic2 and Mavic pro stuff.

MichiganBroadband commented 1 year ago

The confusion thickens -> But it is also working "better" on a different phone type. I got access to a Motorola Moto G Stylus (2021) phone, Android 11. While using the Realtek Bluetooth transmitter, it actually works and displays in NRF Connect (large packet) when I ./transmit 5 p, but only one; it consistently decodes one transmission every time.
But does not update during the course of the transmitting until you issue the command again and transmit a new random mac address.
In NRF connect it shows the large data when ./transmit 5 P
But NRF only shows zero length when ./transmit 5
Whereas my Samsung S23 ultra shows zero length data when ./transmit 5 p
But shows small single block of data when ./transmit 5

In summary on this report. Realtek USB adaptor:

When ./transmit 5 p: S23 Ultra shows RX but zero length data. Motorola Stylus G (2021) shows RX and full data once.
Also works and shows in both Android remoteID apps.

When ./transmit 5
Motorola does not RX anything.
Samsung S23 shows RX but zero length data.
Remote ID apps show nothing (because of zero length data).

Further note (additional aside data):

Verified that setting scan options to only LE Coded PHY in NRF Connect works as expected on Samsung. It only decodes/shows LE Long Range coded.

On the Motorola it ignores this setting and shows RX of both legacy BT4 and BT5 LE coded events regardless of this setting.

At this point I still have no idea if we are sending malformed transmissions or if the phones are being less selective on what is valid or not to display a valid received transmission.

I do not have a solid handle on this or a known good starting point to work from yet.
It's a bit frustrating.
I am trying to narrow it down to anything that makes sense.
It's cool to see it sorta work, albeit very broken and very inconsistent so far.

When you "sudo ./transmit 5 p"

Can you tell me how many valid "transmissions" are going out? It "transmits" for around 40 seconds and then exits.

On the motorola I am only seeing ONE transmission when this is done.
It does not update once it shows up.
It sees it once and does not see it again until the command is entered again.
It is working consistently this way on the Motorola phone.
I get one valid RX every time I issue the command.

MichiganBroadband commented 1 year ago

It's not all doom & gloom.
Just mostly doom & gloom.
(screenshot: Screenshot_20230318-172800-069)

friissoren commented 1 year ago

> On the motorola I am only seeing ONE transmission when this is done

That is to be expected. The transmitter-linux program never changes the data. It is just a static hard-coded chunk that it sends out over and over again when using "5 p", since it sends all the data in a message pack, i.e. everything at the same time. See the beginning of the Readme.

You should be able to see that it still receives new data packets by following the Last Seen and Msg Delta data fields on the INFO page in the receiver app.

In this loop, it sends the same message pack data 10 times before exiting. You could modify the code so that within each loop-iteration, it changes something in the uasData data structure, calls create_message_pack() to recreate the encoded message pack data structure and then call send_bluetooth_message_pack().

MichiganBroadband commented 1 year ago

Thanks, and this is what I expected or how I expected it is working.
I am just noting that the Motorola phone only receives this ONCE and not ten times.
Correction, sometimes I get two of the ten transmitted sets. It does not update on each transmission.
I usually get only one of the ten and sometimes I get a second one received before it is completed sending ten. IF things were working perfectly I would expect we should receive each transmitted update.
This is some sort of progress.
It works on the Motorola - average of receiving one of the ten transmissions. sometimes two of them
And continues to not work on the S23 ultra.
Any suggestions on what I should do with the Samsung? The guys at Dronetag say they think the S23 should work, but they do not have one to test with their product. Because it's a flagship product and follows other products that they have tested and that work.

MichiganBroadband commented 1 year ago

Motorola phone gets this and no error. (screenshot: Screenshot_20230320-220253)

MichiganBroadband commented 1 year ago

Samsung S23 Ultra gets this error. (screenshot: Screenshot_20230320_201702_nRF Connect)

MichiganBroadband commented 1 year ago

I am still really struggling with this greatly.
And not finding ANY consistency between bluetooth hardware and phones.
Every different bluetooth hardware behaves differently and every phone capable of BT5 behaves differently.
The older Motorola Stylus (2021) is the only phone that has ever decoded "5 p" and does not receive all of them.
It receives it every 18 seconds during a test try.

Intel Bluetooth: is transmitting -something- on air, as seen by a spectrum analyzer and microwave power detector, but is not seen at all in NRF Connect.

./transmit 5 p
Supported Low Energy Bluetooth features:
Features: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Command 0x39 returned error 0xC
Supported Low Energy Bluetooth features:
Features: 0xff 0x59 0x01 0x38 0xae 0x00 0x00 0x00
LE Encryption
Connection Parameter Request Procedure
Extended Reject Indication
Slave-initiated Features Exchange
LE Ping
LE Data Packet Length Extension
LL Privacy
Extended Scanner Filter Policies
LE 2M PHY
LE Coded PHY
LE Extended Advertising
Channel Selection Algorithm #2
Minimum Number of Used Channels Procedure
Remote Public Key Validation
Connected Isochronous Stream - Master
Connected Isochronous Stream - Slave
Unknown features (0x000000ae00000000)
Supported Low Energy Bluetooth features:
Features: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
The transmit power is set to 10 dBm
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0x37 returned error 0x7
Command 0xA returned error 0xC

Bluetooth monitor ver 5.66
= Note: Linux version 6.1.0-kali5-amd64 (x86_64)                       0.322075
= Note: Bluetooth subsystem version 2.22                               0.322080

@ MGMT Open: bluetoothd (privileged) version 1.22             {0x0001} 0.322090
@ RAW Open: transmit (privileged) version 2.22                {0x0002} 12.904005
@ RAW Close: transmit                                         {0x0002} 12.904019
@ RAW Open: transmit (privileged) version 2.22         {0x0002} [hci0] 12.904042
< HCI Command: Reset (0x03|0x0003) plen 0                    #1 [hci0] 12.904109
> HCI Event: Command Complete (0x0e) plen 4                  #2 [hci0] 13.061752
      Reset (0x03|0x0003) ncmd 2
        Status: Success (0x00)
< HCI Command: LE Set Advertise Enable (0x08|0x000a) plen 1  #3 [hci0] 13.061971
        Advertising: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 4                  #4 [hci0] 13.062746
      LE Set Advertise Enable (0x08|0x000a) ncmd 2
        Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Enable (0x08|0x0039) plen 2  #5 [hci0] 13.062926
        Extended advertising: Disabled (0x00)
        Number of sets: Disable all sets (0x00)
> HCI Event: Command Complete (0x0e) plen 4                  #6 [hci0] 13.063718
      LE Set Extended Advertising Enable (0x08|0x0039) ncmd 1
        Status: Command Disallowed (0x0c)
< HCI Command: LE Remove Advertising Set (0x08|0x003c) plen 1  #7 [hci0] 13.063877
        Handle: 0
        Address: 00:00:00:00:00:00 (OUI 00-00-00)
> HCI Event: Command Complete (0x0e) plen 4                  #8 [hci0] 13.064718
      LE Remove Advertising Set (0x08|0x003c) ncmd 1
        Status: Command Disallowed (0x0c)
< HCI Command: LE Remove Advertising Set (0x08|0x003c) plen 1  #9 [hci0] 13.064815
        Handle: 1
> HCI Event: Command Complete (0x0e) plen 4                 #10 [hci0] 13.065718
      LE Remove Advertising Set (0x08|0x003c) ncmd 1
        Status: Command Disallowed (0x0c)
< HCI Command: LE Read Local Supported Features (0x08|0x0003) plen 0  #11 [hci0] 13.065891
> HCI Event: Command Complete (0x0e) plen 12                #12 [hci0] 13.066701
      LE Read Local Supported Features (0x08|0x0003) ncmd 1
        Status: Success (0x00)
        Features: 0xff 0x59 0x01 0x38 0xae 0x00 0x00 0x00
          LE Encryption
          Connection Parameter Request Procedure
          Extended Reject Indication
          Peripheral-initiated Features Exchange
          LE Ping
          LE Data Packet Length Extension
          LL Privacy
          Extended Scanner Filter Policies
          LE 2M PHY
          LE Coded PHY
          LE Extended Advertising
          Channel Selection Algorithm #2
          Minimum Number of Used Channels Procedure
          Remote Public Key Validation
          Connected Isochronous Stream - Central
          Connected Isochronous Stream - Peripheral
          LE Power Control Request
          LE Power Control Request
          LE Path Loss Monitoring
          Connection Subrating
          Channel Classification
< HCI Command: Reset (0x03|0x0003) plen 0                   #13 [hci0] 13.066923
> HCI Event: Command Complete (0x0e) plen 4                 #14 [hci0] 13.089752
      Reset (0x03|0x0003) ncmd 2
        Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Parameters (0x08|0x0036) plen 25  #15 [hci0] 13.089958
        Handle: 0x01
        Properties: 0x0000
        Min advertising interval: 950.000 msec (0x05f0)
        Max advertising interval: 950.000 msec (0x05f0)
        Channel map: 37, 38, 39 (0x07)
        Own address type: Random (0x01)
        Peer address type: Public (0x00)
        Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
        Filter policy: Allow Scan Request from Any, Allow Connect Request from Any (0x00)
        TX power: Host has no preference (0x7f)
        Primary PHY: LE Coded (0x03)
        Secondary max skip: 0x00
        Secondary PHY: LE Coded (0x03)
        SID: 0x00
        Scan request notifications: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 5                 #16 [hci0] 13.090692
      LE Set Extended Advertising Parameters (0x08|0x0036) ncmd 1
        Status: Success (0x00)
        TX power (selected): 10 dbm (0x0a)
< HCI Command: LE Set Advertising Set Random Address (0x08|0x0035) plen 7  #17 [hci0] 13.090813
        Advertising handle: 0x01
        Advertising random address: 44:AF:07:4B:7C:DC (Resolvable)
> HCI Event: Command Complete (0x0e) plen 4                 #18 [hci0] 13.091690
      LE Set Advertising Set Random Address (0x08|0x0035) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Enable (0x08|0x0039) plen 8  #19 [hci0] 13.091737
        Extended advertising: Enabled (0x01)
        Number of sets: 1 (0x01)
        Entry 0
          Handle: 0x01
          Duration: 0 ms (0x00)
          Max ext adv events: 0
> HCI Event: Command Complete (0x0e) plen 4                 #20 [hci0] 13.092690
      LE Set Extended Advertising Enable (0x08|0x0039) ncmd 2
        Status: Success (0x00)
< HCI Command: LE Set Extended Advertising Data (0x08|0x0037) plen 238  #21 [hci0] 13.092757
        Handle: 0x01
        Operation: Complete extended advertising data (0x03)
        Fragment preference: Minimize fragmentation (0x01)
        Data length: 0xea
        Service Data: Unknown (0xfffa)
        Data: 0d00f2190902123131323632343135304139304533414531454330000000024246443334353442373738453536354332344237300000001226b500005816af1e38cdffff9808ac0870084a63150e01002210023f003fab0131323334353637383930313233343536372211313233343536373839303132333435363738393031323322123132333435363738393031323334353637383930313233320044726f6e65204944207465737420666c696768742d2d2d420410270000f0d8ffff010000d007d00712f907d51cac0100520046494e38376173747264676531326b3800000000ac0100
> HCI Event: Command Complete (0x0e) plen 4                 #22 [hci0] 13.093719
      LE Set Extended Advertising Data (0x08|0x0037) ncmd 1
        Status: Memory Capacity Exceeded (0x07)

[    3.888311] Bluetooth: Core ver 2.22
[    3.888334] NET: Registered PF_BLUETOOTH protocol family
[    3.888336] Bluetooth: HCI device and connection manager initialized
[    3.888340] Bluetooth: HCI socket layer initialized
[    3.888342] Bluetooth: L2CAP socket layer initialized
[    3.888346] Bluetooth: SCO socket layer initialized
[    3.920638] usbcore: registered new interface driver btusb
[    3.927996] Bluetooth: hci0: Device revision is 0
[    3.928001] Bluetooth: hci0: Secure boot is enabled
[    3.928002] Bluetooth: hci0: OTP lock is enabled
[    3.928003] Bluetooth: hci0: API lock is enabled
[    3.928004] Bluetooth: hci0: Debug lock is disabled
[    3.928005] Bluetooth: hci0: Minimum firmware build 1 week 10 2014
[    3.928006] Bluetooth: hci0: Bootloader timestamp 2019.40 buildtype 1 build 38
[    3.931482] bluetooth hci0: firmware: direct-loading firmware intel/ibt-0041-0041.sfi
[    3.931489] Bluetooth: hci0: Found device firmware: intel/ibt-0041-0041.sfi
[    3.931538] Bluetooth: hci0: Boot Address: 0x100800
[    3.931540] Bluetooth: hci0: Firmware Version: 107-51.22
[    4.274941] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[    4.274946] Bluetooth: BNEP filters: protocol multicast
[    4.274950] Bluetooth: BNEP socket layer initialized
[    5.321496] Bluetooth: hci0: Waiting for firmware download to complete
[    5.322040] Bluetooth: hci0: Firmware loaded in 1357947 usecs
[    5.322206] Bluetooth: hci0: Waiting for device to boot
[    5.348025] Bluetooth: hci0: Device booted in 25313 usecs
[    5.348420] bluetooth hci0: firmware: direct-loading firmware intel/ibt-0041-0041.ddc
[    5.348431] Bluetooth: hci0: Found Intel DDC parameters: intel/ibt-0041-0041.ddc
[    5.350080] Bluetooth: hci0: Applying Intel DDC parameters completed
[    5.353063] Bluetooth: hci0: Firmware timestamp 2022.51 buildtype 1 build 56683
[    5.428349] Bluetooth: MGMT ver 1.22
[    7.094352] Bluetooth: RFCOMM TTY layer initialized
[    7.094360] Bluetooth: RFCOMM socket layer initialized
[    7.094365] Bluetooth: RFCOMM ver 1.11

MichiganBroadband commented 1 year ago

Had an opportunity to try a friend's Samsung Fold2, a bit older than the S23. Same problem with truncated data and error 0x16 when testing with the Realtek USB transmitter. (photo: IMG_20230323_183219)

cospan commented 6 months ago

This might be relevant.

First off, thanks for this repo; it's really helpful!

I am using the Intel Killer AX1675i.

I have encountered the same issue described above, so I added an HCI command to read back the maximum advertising length. Here is the relevant part of the btmon dump:

< HCI Command: LE Read Maximum Adve.. (0x08|0x003a) plen 0  #21 [hci0] 6.924049
> HCI Event: Command Complete (0x0e) plen 6                 #22 [hci0] 6.924938
      LE Read Maximum Advertising Data Length (0x08|0x003a) ncmd 1
        Status: Success (0x00)
        Max length: 160

Perhaps I am mistaken, but it seems as though the maximum size of a data transfer is 160, and when we try to send the full packet of 234 with command 0x37 we get the response Status: Memory Capacity Exceeded (0x07).

I don't know if this 160 size is a limitation of the physical card or a kernel configuration.

Here is a patch for my modification to bluetooth.c

--- bluetooth.c 2024-03-02 08:14:56.907790093 -0500
+++ bluetooth.mod.c 2024-03-02 08:14:51.019822150 -0500
@@ -200,6 +200,12 @@
     send_cmd(dd, ogf, ocf, buf, sizeof(buf));
 }

+static void hci_le_get_max_advertisement_data_length(int dd){
+    uint8_t ogf = OGF_LE_CTL; // Opcode Group Field. LE Controller Commands
+    uint16_t ocf = 0x3A;      // Opcode Command Field: LE Read Maximum Advertising Data Length command
+    send_cmd(dd, ogf, ocf, NULL, 0);
+}
+
 static void hci_le_set_advertising_set_random_address(int dd, uint8_t set, const uint8_t *mac) {
     if (!mac)
         return;
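Review bot: hci_le_get_max_advertisement_data_length() only issues the command and discards the answer, so the "Max length: 160" value is visible in btmon but never reaches the program, and the caller still hands a 234-byte AD structure to LE Set Extended Advertising Data (0x37) and gets Memory Capacity Exceeded (0x07). Consider reading the Command Complete event and returning the 16-bit Maximum_Advertising_Data_Length so the caller can compare it against the encoded message pack before sending 0x37 (and refuse, or shorten the pack, when it does not fit). Also confirm send_cmd() tolerates buf == NULL with len 0; the existing call above it passes a real buffer (`send_cmd(dd, ogf, ocf, buf, sizeof(buf));`), and a memcpy of NULL inside send_cmd would be undefined behaviour even for zero bytes.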
@@ -383,6 +389,7 @@

     if (config->use_bt5)
         hci_le_set_extended_advertising_enable(device_descriptor, config);
+    hci_le_get_max_advertisement_data_length(device_descriptor);
 }

 void send_bluetooth_message(const union ODID_Message_encoded *encoded, uint8_t msg_counter, struct config_data *config) {
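Review bot: the new call is placed outside the `if (config->use_bt5)` branch, so it is sent on the legacy (BT4-only) path as well, where a controller without LE Extended Advertising support can be expected to reject an LE Controller command it does not implement. It is also placed after hci_le_set_extended_advertising_enable(), i.e. once the set is already enabled, whereas the value is only useful if it is known before the data is handed to 0x37. Suggest moving the call inside the use_bt5 branch, ahead of the enable, and using its result to gate the data length.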

Here is the full dump of the btmon for reference

Bluetooth monitor ver 5.64
= Note: Linux version 6.5.0-14-generic (x86_64)                        0.578739
= Note: Bluetooth subsystem version 2.22                               0.578740
= New Index: 8C:17:59:3F:39:EF (Primary,USB,hci0)               [hci0] 0.578741
= Open Index: 8C:17:59:3F:39:EF                                 [hci0] 0.578742
= Index Info: 8C:17:59:3F:39:EF (Intel Corp.)                   [hci0] 0.578742
@ MGMT Open: bluetoothd (privileged) version 1.22             {0x0001} 0.578742
@ RAW Open: transmit (privileged) version 2.22                {0x0002} 6.633883
@ RAW Close: transmit                                         {0x0002} 6.633887
@ RAW Open: transmit (privileged) version 2.22         {0x0002} [hci0] 6.633892
< HCI Command: Reset (0x03|0x0003) plen 0                    #1 [hci0] 6.633964
> HCI Event: Command Complete (0x0e) plen 4                  #2 [hci0] 6.903063
      Reset (0x03|0x0003) ncmd 2
        Status: Success (0x00)
< HCI Command: LE Set Advertise Enable (0x08|0x000a) plen 1  #3 [hci0] 6.903478
        Advertising: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 4                  #4 [hci0] 6.904016
      LE Set Advertise Enable (0x08|0x000a) ncmd 2
        Status: Success (0x00)
< HCI Command: LE Set Extended Adver.. (0x08|0x0039) plen 2  #5 [hci0] 6.904145
        Extended advertising: Disabled (0x00)
        Number of sets: Disable all sets (0x00)
> HCI Event: Command Complete (0x0e) plen 4                  #6 [hci0] 6.905044
      LE Set Extended Advertising Enable (0x08|0x0039) ncmd 1
        Status: Command Disallowed (0x0c)
< HCI Command: LE Remove Advertising.. (0x08|0x003c) plen 1  #7 [hci0] 6.905290
        Handle: 0
> HCI Event: Command Complete (0x0e) plen 4                  #8 [hci0] 6.905942
      LE Remove Advertising Set (0x08|0x003c) ncmd 1
        Status: Command Disallowed (0x0c)
< HCI Command: LE Remove Advertising.. (0x08|0x003c) plen 1  #9 [hci0] 6.906067
        Handle: 1
> HCI Event: Command Complete (0x0e) plen 4                 #10 [hci0] 6.906938
      LE Remove Advertising Set (0x08|0x003c) ncmd 1
        Status: Command Disallowed (0x0c)
< HCI Command: LE Read Local Suppor.. (0x08|0x0003) plen 0  #11 [hci0] 6.907048
> HCI Event: Command Complete (0x0e) plen 12                #12 [hci0] 6.907942
      LE Read Local Supported Features (0x08|0x0003) ncmd 1
        Status: Success (0x00)
        Features: 0xff 0x59 0x01 0x38 0xae 0x00 0x00 0x00
          LE Encryption
          Connection Parameter Request Procedure
          Extended Reject Indication
          Peripheral-initiated Features Exchange
          LE Ping
          LE Data Packet Length Extension
          LL Privacy
          Extended Scanner Filter Policies
          LE 2M PHY
          LE Coded PHY
          LE Extended Advertising
          Channel Selection Algorithm #2
          Minimum Number of Used Channels Procedure
          Remote Public Key Validation
          Connected Isochronous Stream - Central
          Connected Isochronous Stream - Peripheral
          Unknown features (0x000000ae00000000)
< HCI Command: Reset (0x03|0x0003) plen 0                   #13 [hci0] 6.908174
> HCI Event: Command Complete (0x0e) plen 4                 #14 [hci0] 6.920937
      Reset (0x03|0x0003) ncmd 2
        Status: Success (0x00)
< HCI Command: LE Set Extended Adv.. (0x08|0x0036) plen 25  #15 [hci0] 6.921000
        Handle: 0x01
        Properties: 0x0000
        Min advertising interval: 950.000 msec (0x05f0)
        Max advertising interval: 950.000 msec (0x05f0)
        Channel map: 37, 38, 39 (0x07)
        Own address type: Random (0x01)
        Peer address type: Public (0x00)
        Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
        Filter policy: Allow Scan Request from Any, Allow Connect Request from Any (0x00)
        TX power: Host has no preference (0x7f)
        Primary PHY: LE Coded (0x03)
        Secondary max skip: 0x00
        Secondary PHY: LE Coded (0x03)
        SID: 0x00
        Scan request notifications: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 5                 #16 [hci0] 6.921937
      LE Set Extended Advertising Parameters (0x08|0x0036) ncmd 1
        Status: Success (0x00)
        TX power (selected): 10 dbm (0x0a)
< HCI Command: LE Set Advertising S.. (0x08|0x0035) plen 7  #17 [hci0] 6.922037
        Advertising handle: 0x01
        Advertising random address: CE:B1:20:98:82:E1 (Static)
> HCI Event: Command Complete (0x0e) plen 4                 #18 [hci0] 6.922937
      LE Set Advertising Set Random Address (0x08|0x0035) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Extended Adve.. (0x08|0x0039) plen 8  #19 [hci0] 6.923033
        Extended advertising: Enabled (0x01)
        Number of sets: 1 (0x01)
        Entry 0
          Handle: 0x01
          Duration: 0 ms (0x00)
          Max ext adv events: 0
> HCI Event: Command Complete (0x0e) plen 4                 #20 [hci0] 6.923936
      LE Set Extended Advertising Enable (0x08|0x0039) ncmd 2
        Status: Success (0x00)
< HCI Command: LE Read Maximum Adve.. (0x08|0x003a) plen 0  #21 [hci0] 6.924049
> HCI Event: Command Complete (0x0e) plen 6                 #22 [hci0] 6.924938
      LE Read Maximum Advertising Data Length (0x08|0x003a) ncmd 1
        Status: Success (0x00)
        Max length: 160
< HCI Command: LE Set Extended Ad.. (0x08|0x0037) plen 238  #23 [hci0] 6.925054
        Handle: 0x01
        Operation: Complete extended advertising data (0x03)
        Fragment preference: Minimize fragmentation (0x01)
        Data length: 0xea
        Service Data (UUID 0xfffa): 0d00f2190902123131323632343135304139304533414531454330000000024246443334353442373738453536354332344237300000001226b500005816af1e38cdffff9808ac0870084a63150e01002210023f003fab0131323334353637383930313233343536372211313233343536373839303132333435363738393031323322123132333435363738393031323334353637383930313233320044726f6e65204944207465737420666c696768742d2d2d420410270000f0d8ffff010000d007d00712f907d51cac0100520046494e38376173747264676531326b3800000000ac0100
> HCI Event: Command Complete (0x0e) plen 4                 #24 [hci0] 6.925936
      LE Set Extended Advertising Data (0x08|0x0037) ncmd 1
        Status: Memory Capacity Exceeded (0x07)
< HCI Command: LE Set Extended A.. (0x08|0x0037) plen 238  #25 [hci0] 10.926444
        Handle: 0x01
        Operation: Complete extended advertising data (0x03)
        Fragment preference: Minimize fragmentation (0x01)
        Data length: 0xea
        Service Data (UUID 0xfffa): 0d01f2190902123131323632343135304139304533414531454330000000024246443334353442373738453536354332344237300000001226b500005816af1e38cdffff9808ac0870084a63150e01002210023f003fab0131323334353637383930313233343536372211313233343536373839303132333435363738393031323322123132333435363738393031323334353637383930313233320044726f6e65204944207465737420666c696768742d2d2d420410270000f0d8ffff010000d007d00712f907d51cac0100520046494e38376173747264676531326b3800000000ac0100
> HCI Event: Command Complete (0x0e) plen 4                #26 [hci0] 11.186559
      LE Set Extended Advertising Data (0x08|0x0037) ncmd 1
        Status: Memory Capacity Exceeded (0x07)
< HCI Command: LE Set Advertise En.. (0x08|0x000a) plen 1  #27 [hci0] 15.187093
        Advertising: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 4                #28 [hci0] 15.446137
      LE Set Advertise Enable (0x08|0x000a) ncmd 1
        Status: Command Disallowed (0x0c)
< HCI Command: LE Set Extended Adv.. (0x08|0x0039) plen 2  #29 [hci0] 15.446462
        Extended advertising: Disabled (0x00)
        Number of sets: Disable all sets (0x00)
> HCI Event: Command Complete (0x0e) plen 4                #30 [hci0] 15.447081
      LE Set Extended Advertising Enable (0x08|0x0039) ncmd 2
        Status: Success (0x00)
< HCI Command: LE Remove Advertisi.. (0x08|0x003c) plen 1  #31 [hci0] 15.447167
        Handle: 0
> HCI Event: Command Complete (0x0e) plen 4                #32 [hci0] 15.449013
      LE Remove Advertising Set (0x08|0x003c) ncmd 1
        Status: Unknown Advertising Identifier (0x42)
< HCI Command: LE Remove Advertisi.. (0x08|0x003c) plen 1  #33 [hci0] 15.449126
        Handle: 1
> HCI Event: Command Complete (0x0e) plen 4                #34 [hci0] 15.451012
      LE Remove Advertising Set (0x08|0x003c) ncmd 1
        Status: Success (0x00)
@ RAW Close: transmit                                 {0x0002} [hci0] 15.451112
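The three technical points raised in this thread (gabrielcox's distinction between a legacy single message and a message pack by the type/version byte, friissoren's note that the advertising interval fields are little endian, and cospan's observation that a 234-byte AD structure exceeds the controller's 160-byte maximum) can all be checked offline against the btmon captures posted above. The following is an added example written for this page, not code from the opendroneid project. It decodes the Service Data payload (UUID 0xfffa) copied verbatim from the dumps in this thread, using the Open Drone ID wire layout (0x0D application code, 1-byte message counter, 25-byte messages with the type in the high nibble and the protocol version in the low nibble, and a pack header of size and count); the function and constant names are the example's own.

```python
"""Decode the Open Drone ID payload carried in the BLE Service Data AD structure
(16-bit UUID 0xFFFA) and check its size against a controller's reported
LE Read Maximum Advertising Data Length.

Added example for this issue thread, not opendroneid project code. Field layout
assumed from the Open Drone ID / ASTM F3411 message format.
"""
from dataclasses import dataclass
from typing import List

ODID_APP_CODE = 0x0D      # first byte of the ODID service data payload
MSG_SIZE = 25             # every ODID message is 25 bytes
MSG_TYPE_PACK = 0xF       # message type nibble of a message pack
# AD structure overhead: length byte + AD type (0x16 Service Data) + 16-bit UUID
AD_OVERHEAD = 1 + 1 + 2
MSG_TYPE_NAMES = {0: "BasicID", 1: "Location", 2: "Auth", 3: "SelfID",
                  4: "System", 5: "OperatorID", MSG_TYPE_PACK: "MessagePack"}

# Service Data bytes copied from the btmon dumps in this thread (the Intel
# AX1675i message-pack capture and the earlier 31-byte single-message capture).
PACK_HEX = ("0d00f21909"
            "02123131323632343135304139304533414531454330000000"
            "02424644333435344237373845353635433234423730000000"
            "1226b500005816af1e38cdffff9808ac0870084a63150e0100"
            "2210023f003fab013132333435363738393031323334353637"
            "22113132333435363738393031323334353637383930313233"
            "22123132333435363738393031323334353637383930313233"
            "320044726f6e65204944207465737420666c696768742d2d2d"
            "420410270000f0d8ffff010000d007d00712f907d51cac0100"
            "520046494e38376173747264676531326b3800000000ac0100")
SINGLE_HEX = "0d0222123132333435363738393031323334353637383930313233"


@dataclass
class OdidMessage:
    msg_type: int
    version: int
    body: bytes              # the 24 bytes after the type/version byte

    @property
    def name(self) -> str:
        return MSG_TYPE_NAMES.get(self.msg_type, f"Reserved({self.msg_type:#x})")


@dataclass
class OdidServiceData:
    counter: int
    is_pack: bool
    messages: List[OdidMessage]


def parse_message(raw: bytes) -> OdidMessage:
    if len(raw) != MSG_SIZE:
        raise ValueError(f"message is {len(raw)} bytes, expected {MSG_SIZE}")
    return OdidMessage(msg_type=raw[0] >> 4, version=raw[0] & 0x0F, body=raw[1:])


def parse_service_data(payload: bytes) -> OdidServiceData:
    """Parse the bytes that follow the 0xFFFA UUID in the Service Data AD structure."""
    if len(payload) < 3 or payload[0] != ODID_APP_CODE:
        raise ValueError("not an ODID payload: missing 0x0D application code")
    counter, body = payload[1], payload[2:]
    if body[0] >> 4 != MSG_TYPE_PACK:
        # Legacy style: exactly one 25-byte message follows the counter.
        return OdidServiceData(counter, False, [parse_message(body)])
    # Message pack header: type/version byte, single message size, message count.
    msg_size, count = body[1], body[2]
    packed = body[3:]
    if msg_size != MSG_SIZE or len(packed) != msg_size * count:
        raise ValueError(f"malformed pack: size={msg_size} count={count} have={len(packed)}")
    msgs = [parse_message(packed[i * msg_size:(i + 1) * msg_size]) for i in range(count)]
    return OdidServiceData(counter, True, msgs)


def ad_structure_length(payload: bytes) -> int:
    """Bytes handed to LE Set Extended Advertising Data (btmon's 'Data length')."""
    return AD_OVERHEAD + len(payload)


def fits_controller(payload: bytes, max_adv_data_len: int) -> bool:
    """True if the controller's LE Read Maximum Advertising Data Length can hold it."""
    return ad_structure_length(payload) <= max_adv_data_len


def adv_interval_ms(raw_le: bytes) -> float:
    """Decode a little-endian advertising interval field (units of 0.625 ms)."""
    return int.from_bytes(raw_le, "little") * 0.625


def describe(payload_hex: str, max_adv_data_len: int) -> dict:
    payload = bytes.fromhex(payload_hex)
    sd = parse_service_data(payload)
    return {"counter": sd.counter, "pack": sd.is_pack,
            "types": [m.name for m in sd.messages],
            "ad_length": ad_structure_length(payload),
            "fits": fits_controller(payload, max_adv_data_len)}


if __name__ == "__main__":
    for label, hexstr in (("single", SINGLE_HEX), ("pack", PACK_HEX)):
        print(label, describe(hexstr, 160))   # 160 = value read from the AX1675i
```

Run against the captured payloads, the single message decodes as one Auth message (type 0x2, protocol version 2) in a 31-byte (0x1f) AD structure, and the pack as nine messages (BasicID, BasicID, Location, Auth x3, SelfID, System, OperatorID) in a 234-byte (0xea) structure, which is what the controller refused with Memory Capacity Exceeded (0x07) against its reported maximum of 160. The interval helper turns the 0x05f0 field from the LE Set Extended Advertising Parameters command into the 950 ms btmon prints.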