What is the iBeacon Bluetooth Profile

Question

I'd like to create my own iBeacon with some Bluetooth Low Energy dev kits. Apple has yet to release a specification for iBeacons, however, a few hardware developers have reverse Engineered the iBeacon from the AirLocate Sample code and started selling iBeacon dev kits.

So what is the iBeacon Bluetooth Profile?

Bluetooth Low Energy uses GATT for LE profile service discovery. So I think we need to know the Attribute Handle, Attribute Type, Attribute Value, and maybe the Attribute Permissions of the iBeacon attribute. So for an iBeacon with a UUID of E2C56DB5-DFFB-48D2-B060-D0F5A71096E0, a major value of 1 and a minor value of 1 what would the Bluetooth GATT profile service be?

Here are some assumptions I've made from the discussion on Apple's forums and through the docs.

1. You only need to see the profile service (GATT) of a Bluetooth peripheral to know it is an iBeacon.

2. The Major and Minor keys are encoded somewhere in this profile service

Heres some companies with iBeacon Dev Kits that seem to have this figure out already:

• http://redbearlab.com/ibeacon/
• http://kontakt.io/

Hopefully, in time we will have a profile posted on Bluetooth.org like these: https://www.bluetooth.org/en-us/specification/adopted-specifications

Answer 1

For an iBeacon with ProximityUUID E2C56DB5-DFFB-48D2-B060-D0F5A71096E0, major 0, minor 0, and calibrated Tx Power of -59 RSSI, the transmitted BLE advertisement packet looks like this:

d6 be 89 8e 40 24 05 a2 17 6e 3d 71 02 01 1a 1a ff 4c 00 02 15 e2 c5 6d b5 df fb 48 d2 b0 60 d0 f5 a7 10 96 e0 00 00 00 00 c5 52 ab 8d 38 a5

This packet can be broken down as follows:

d6 be 89 8e # Access address for advertising data (this is always the same fixed value)
40 # Advertising Channel PDU Header byte 0.  Contains: (type = 0), (tx add = 1), (rx add = 0)
24 # Advertising Channel PDU Header byte 1.  Contains:  (length = total bytes of the advertising payload + 6 bytes for the BLE mac address.)
05 a2 17 6e 3d 71 # Bluetooth Mac address (note this is a spoofed address)
02 01 1a 1a ff 4c 00 02 15 e2 c5 6d b5 df fb 48 d2 b0 60 d0 f5 a7 10 96 e0 00 00 00 00 c5 # Bluetooth advertisement
52 ab 8d 38 a5 # checksum

The key part of that packet is the Bluetooth Advertisement, which can be broken down like this:

02 # Number of bytes that follow in first AD structure
01 # Flags AD type
1A # Flags value 0x1A = 000011010  
   bit 0 (OFF) LE Limited Discoverable Mode
   bit 1 (ON) LE General Discoverable Mode
   bit 2 (OFF) BR/EDR Not Supported
   bit 3 (ON) Simultaneous LE and BR/EDR to Same Device Capable (controller)
   bit 4 (ON) Simultaneous LE and BR/EDR to Same Device Capable (Host)
1A # Number of bytes that follow in second (and last) AD structure
FF # Manufacturer specific data AD type
4C 00 # Company identifier code (0x004C == Apple)
02 # Byte 0 of iBeacon advertisement indicator
15 # Byte 1 of iBeacon advertisement indicator
e2 c5 6d b5 df fb 48 d2 b0 60 d0 f5 a7 10 96 e0 # iBeacon proximity uuid
00 00 # major 
00 00 # minor 
c5 # The 2's complement of the calibrated Tx Power

Any Bluetooth LE device that can be configured to send a specific advertisement can generate the above packet. I have configured a Linux computer using Bluez to send this advertisement, and iOS7 devices running Apple's AirLocate test code pick it up as an iBeacon with the fields specified above. See: Use BlueZ Stack As A Peripheral (Advertiser)

This blog has full details about the reverse engineering process.

Answer 2

It seems to based on advertisement data, particularly the manufacturer data:

4C00 02 15 585CDE931B0142CC9A1325009BEDC65E 0000 0000 C5

<company identifier (2 bytes)> <type (1 byte)> <data length (1 byte)>
    <uuid (16 bytes)> <major (2 bytes)> <minor (2 bytes)> <RSSI @ 1m>

• Apple Company Identifier (Little Endian), 0x004c
• data type, 0x02 => iBeacon
• data length, 0x15 = 21
• uuid: 585CDE931B0142CC9A1325009BEDC65E
• major: 0000
• minor: 0000
• meaured power at 1 meter: 0xc5 = -59

I have this node.js script working on Linux with the sample AirLocate app example.

Answer 3

Just to reconcile the difference between sandeepmistry's answer and davidgyoung's answer:

02 01 1a 1a ff 4C 00

Is part of the advertising data format specification [1]

  02 # length of following AD structure
  01 # <<Flags>> AD Structure [2]
  1a # read as b00011010. 
     # In this case, LE General Discoverable,
     # and simultaneous BR/EDR but this may vary by device!

  1a # length of following AD structure
  FF # Manufacturer specific data [3]
4C00 # Apple Inc [4]
0215 # ?? some 2-byte header

Missing from the AD is a Service [5] definition. I think the iBeacon protocol itself has no relationship to the GATT and standard service discovery. If you download RedBearLab's iBeacon program, you'll see that they happen to use the GATT for configuring the advertisement parameters, but this seems to be specific to their implementation, and not part of the spec. The AirLocate program doesn't seem to use the GATT for configuration, for instance, according to LightBlue and or other similar programs I tried.

References:

1. Core Bluetooth Spec v4, Vol 3, Part C, 11
2. Vol 3, Part C, 18.1
3. Vol 3, Part C, 18.11
4. https://www.bluetooth.org/en-us/specification/assigned-numbers/company-identifiers
5. Vol 3, Part C, 18.2

Answer 4

If the reason you ask this question is because you want to use Core Bluetooth to advertise as an iBeacon rather than using the standard API, you can easily do so by advertising an NSDictionary such as:

{
    kCBAdvDataAppleBeaconKey = <a7c4c5fa a8dd4ba1 b9a8a240 584f02d3 00040fa0 c5>;
}

See this answer for more information.

Answer 5

It’s very simple, it just advertises a string which contains a few characters conforming to Apple’s iBeacon standard.

Answer 6

iBeacon Profile contains 31 Bytes which includes the followings

1. Prefix - 9 Bytes - which include s the adv data and Manufacturer data
2. UUID - 16 Bytes
3. Major - 2 Bytes
4. Minor - 2 Bytes
5. TxPower - 1 Byte