Bluetooth filter driver

I need to write a Bluetooth filter driver to test some of the low level functions of the Vista Bluetooth stack for my undergrad thesis.
I am a newbie in driver development, my question is:
how can I attach to the Bluetooth driver (bthport.sys) service?
Here is the code I use in my DriverEntry routine, after IoCreateDevice, to try to do this:

PDEVICE_EXTENSION pDeviceContext;
UNICODE_STRING usDeviceToFilter;
NTSTATUS NtStatus;

pDeviceContext = (PDEVICE_EXTENSION)pDeviceObject->DeviceExtension;

/* backslashes must be doubled inside a C string literal */
RtlInitUnicodeString(&usDeviceToFilter, L"\\Device\\bthport");

NtStatus = IoAttachDevice(pDeviceObject,
                          &usDeviceToFilter,
                          &pDeviceContext->pNextDeviceInChain);

if (NT_SUCCESS(NtStatus))
{
    DbgPrint("OK!!!\r\n");
}
else
{
    DbgPrint("NO!\r\n");
}

Each time I load the driver, DebugView shows that IoAttachDevice fails.
I use OSR Driver Loader to load the drivers. I noticed that bthport service is never running on my computer, and even if I start it manually IoAttachDevice fails. Using DeviceTree I saw that bthport, once started and running, doesn’t have any device associated.
Just to try, I also compiled using \device\bthenum0 and \device\bthpan and since those devices exist, IoAttachDevice ends successfully.
I thought I had to use Bthport because on the WDK documentation I read: “A profile driver communicates with its device by submitting IRPs down the driver stack to the primary driver of the Bluetooth driver stack, Bthport.sys.”
What can I do? If I can’t use bthport, which device should I attach to?
Thanks,
Davide

What do you want to test in the stack? That will dictate where your
driver will be located. Once we determine the location, we can create
an INF to install your driver so you will not be attaching to a stack by
name. I would strongly suggest you use KMDF for your filter, it will
save you a lot of headache (for instance, you should be using
IoAttachDeviceToDeviceStack, not IoAttachDevice) and time will let you
focus in on what you want to demonstrate/prove instead of the mechanics
of getting a driver to just work w/out doing anything else.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@studio.unibo.it
Sent: Friday, June 22, 2007 6:22 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Bluetooth filter driver

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I am mainly interested in querying bluetooth interfaces in order to use IOCTL_INTERNAL_BTH_SUBMIT_BRB to test L2CAP functions and getting information about remote devices. By the way, is there any chance that RSSI and/or Link Quality will be exposed to kernel-mode drivers?
Thanks,
Davide

You don’t need to query for any interfaces to use
IOCTL_INTERNAL_BTH_SUBMIT_BRB. What l2cap functions do you want to
test? Any particular protocols or just l2cap? You cannot arbitrarily
send l2cap connect requests to bthport, you have to do it through an
enumerated PDO which would be enumerated for a specific remote device’s
protocol.

No, RSSI and LQ are not exposed nor will they be. RSSI is meaningless,
the values themselves are not standardized so you have to know the local
radio’s manufacturer to know what the values mean and by the time the
RSSI is low enough that you might lose the connection, you will have lost
it already. RSSI is quite binary, either you are connected or not; you
will not hover on the edge of almost being disconnected. LQ is too
ephemeral to be of any use to any protocol driver.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@studio.unibo.it
Sent: Friday, June 22, 2007 9:03 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Bluetooth filter driver


My first aim was to test BRB_L2CA_OPEN_CHANNEL, BRB_L2CA_PING and maybe BRB_ACL_GET_MODE.
I don’t need any particular protocol. Anyway, since the “ping” BRB is shown as a L2CAP function, I suppose a new channel is created by the lower stack levels…
About the query for Bluetooth interfaces, if I can avoid it, it’s ok.
Thanks for your help
Davide

An l2cap ping does not create an l2cap channel, it only creates an hci
connection and then sends the l2cap ping packet. Again, I am not clear
on what you want to do. Do you want to create an l2cap channel and
then see what the attributes of the channel are? What remote Bluetooth
device are you going to connect to ?

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@studio.unibo.it
Sent: Friday, June 22, 2007 11:41 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Bluetooth filter driver


Yes, I am interested in the BRB_L2CA_OPEN_CHANNEL to retrieve channel attributes.
About the l2cap PING, I thought it could be useful because part of my thesis work is creating a new set of command-line Bluetooth commands; some of them will be used for a Bluetooth proximity system. There are some bluetooth devices acting as servers, holding information about their location. We know that RSSI is not available, so a fast way to know if my laptop’s location has not changed can be sending a ping request to the last server found and seeing if it is still there. Only if it doesn’t reply will we start a new device inquiry, which is a more time consuming operation.
I hope I’ve made things a little bit clearer…
Davide

Like I mentioned earlier, I don’t think you’ll find any coherency in the
RSSI values you might get and they will not have any meaning for you.
Also, for you to get RSSI data, you must have an HCI connection to the
remote radio already. This means that you will know when you go out of
range of the location server b/c the HCI connection will be lost (and in
terms of the MSFT Bluetooth stack, you only get the HCI connection if
you establish an l2cap connection and you will be notified of the l2cap
connection loss).

The easiest way to get an l2cap connection for you is to expose a
service on your location service which is RFCOMM based. Use a custom /
non standardized 128 bit UUID for the service ID. By using RFCOMM you
can create a socket in user mode and connect to the location server.
When the connection breaks, you know something has changed. If you
really really really want to write a driver, expose an l2cap service on
the location server, again using a custom 128 UUID that is not in the
spec as well as a 128 bit protocol UUID that is not in the spec, then
enable that service in the bth device UI, a device stack will be
enumerated and your driver will be the function driver (not filter
driver) for that stack. You can then send any brb you want to that
remote BTH address.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@studio.unibo.it
Sent: Saturday, June 23, 2007 1:16 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Bluetooth filter driver


Many thanks for the clarification!
So I think I’ll use IOCTL_BTH_SDP_CONNECT and IOCTL_BTH_SDP_DISCONNECT from user-mode or, as you suggested, a socket connection instead of going mad trying to do an l2cap ping.
If I need to write a driver to use BRBs and I need help, I’ll let you know.
Thanks again,
Davide