
What Is Bluetooth Channel Sounding?

Bluetooth® Core Specification v6.0 [2] introduces a new capability called Bluetooth Channel Sounding (CS), which facilitates secure fine ranging between two Bluetooth devices.

Overview of Bluetooth CS

Bluetooth CS is the latest addition to the Bluetooth positioning features that enables one device to detect the presence, distance, and direction of another. The CS capability enables secure, precise ranging between devices, and has these other advantages:

  • Uses the established distance measurement methods of phase-based ranging (PBR) and round-trip timing (RTT).

  • Supports multilevel security to reduce the risk of wireless ranging attacks.

  • Facilitates high-accuracy distance measurement, enhancing distance awareness for Bluetooth-connected devices.

The Bluetooth CS feature enables more precise distance calculations between two Bluetooth devices than the first-generation methods, which use the received signal strength indicator (RSSI) and path loss. The accuracy of the RSSI and path loss measurements depends on the environmental conditions and how the application layer (APP) uses the CS functionality. The technical flexibility of CS enables you to prioritize aspects of ranging such as security, accuracy, or latency. Recognizing that applications vary, the design of CS accommodates these different requirements. The configurability of the CS functionality gives applications control over key system capabilities and behaviors, enabling its operation to align with the specific priorities of the application.

The Bluetooth CS capability specifies these two roles for the LE devices: the Initiator and the Reflector.

The Initiator is the device that calculates the distance to another device, the Reflector, by exchanging CS waveforms. CS takes place in a one-to-one topology, with communication between one device in the Initiator role and one device in the Reflector role.

These Bluetooth Toolbox features enable you to create and configure Bluetooth LE CS physical layer (PHY) waveforms.

  • bleCSConfig — Use this object to specify the configuration parameters for generating a Bluetooth LE CS PHY waveform.

  • bleCSWaveform — Use this function to generate a Bluetooth LE CS PHY waveform using a configuration specified by a bleCSConfig object.

The DeviceRole property of the bleCSConfig object enables you to specify the role of the Bluetooth LE device as Initiator or Reflector. To learn how you can generate and visualize a Bluetooth LE CS PHY waveform between an Initiator and a Reflector, see the Generate and Visualize Bluetooth LE Channel Sounding PHY Waveform example.

CS Use Cases

Bluetooth CS introduces true distance awareness to a broad spectrum of Bluetooth-connected devices, providing a wealth of opportunities to envision and craft innovative experiences. These are some of the key use cases of Bluetooth CS.

  • Keyless vehicle entry — This application facilitates zonal detection through ranging to verify approaching users and unlock the vehicle. It employs Bluetooth ranging by using the established connection between data channels, specifically between the key fob or phone and the anchor points of the vehicle.

  • Smart locks — You can remotely operate smart locks through a smart device and permit access only when an authorized device is within a designated proximity to the lock. By using CS, you can improve the precision and dependability of these devices, thereby enhancing their security.

  • Geofencing — This application automates and enhances network security by limiting access to designated areas and monitoring the movement of smart devices. CS can optimize geofencing applications, boosting network performance and reliability.

  • Warehouse management — This application involves storing goods, tracking their movement, controlling inventory, and managing various operations and logistics within a warehouse. CS can enhance the efficiency and optimization of warehouse management systems.

  • Asset tracking — This application uses CS to enhance the precision of location tracking for any asset.

Distance Measurement Methods in CS

The Bluetooth Core Specification v6.0 [2] supports both the PBR and RTT distance measurement methods. The Bluetooth Special Interest Group (SIG) expects PBR to serve as the primary and most accurate distance measurement method, with RTT providing additional security. Using CS, PBR can measure distances up to approximately 150 meters before encountering distance ambiguity. By incorporating RTT alongside PBR, applications can detect and resolve distance ambiguities, enabling you to measure longer distances.

PBR

Bluetooth CS employs PBR to achieve precise distance measurements between the Initiator and the Reflector. This figure shows an Initiator and a Reflector exchanging radio frequency (RF) signals using the frequencies f1 and f2.

The Initiator and the Reflector perform these steps to compute the distance d between them.

  1. The Initiator transmits a signal at a known frequency, f1.

  2. The Reflector receives this f1 signal at its antenna and records its phase.

  3. The Reflector then echoes the received signal back to the Initiator, transmitting at the same frequency, f1, and ensures that the initial phase matches the receive phase of the incoming signal from the Initiator. This confirms that the return signal continues the phase and frequency of the original signal from the Initiator.

  4. The Initiator then measures the receive phase of the signal arriving from the Reflector, denoted as Pf1.

  5. Next, the Initiator selects a new frequency, f2, repeats the previous steps, and measures the phase of the received signal as Pf2.

  6. The Initiator calculates the difference between the phase values measured for frequencies f1 and f2, specifically $(P_{f_2} - P_{f_1})$.

With both the phase difference and the frequency difference $(f_2 - f_1)$, the Initiator computes the distance by using this equation:

$$d = \left(\frac{c \times (P_{f_1} - P_{f_2})}{4\pi (f_2 - f_1)}\right) \bmod \left(\frac{c}{f_2 - f_1}\right),$$

where c is the speed of light, $(f_2 - f_1)$ is the frequency separation, and $(P_{f_2} - P_{f_1})$ is the phase difference.

To learn how you can estimate the distance between Bluetooth LE devices using the PBR distance measurement method, see the Estimate Distance Between Bluetooth LE Devices by Using Channel Sounding and Phase-Based Ranging example.

RTT

Bluetooth CS integrates a secondary ranging method known as RTT. In a communication channel, RTT measures the time taken for a signal to travel from the Initiator to the Reflector and back. Estimating the distance involves assessing the time of flight (ToF), which is the time taken for a packet exchange between the Initiator and the Reflector. Both devices record the time of arrival (ToA) and the time of departure (ToD). By analyzing the differences between ToA and ToD for both the Initiator and the Reflector, you can obtain the data required to accurately estimate the distance between them. This figure shows the various time intervals that exist in a communication between an Initiator and a Reflector.

This table describes each time interval.

Time Intervals Used in Computing Distance Using RTT

| Time Interval | Description |
|---|---|
| $\mathrm{ToD}_I$ | Time of departure from the Initiator. This is the time at which the Initiator starts transmitting the signal over the air. |
| $\mathrm{ToA}_R$ | Time of arrival at the Reflector. This is the time at which the signal from the Initiator arrives at the antenna of the Reflector. |
| $\mathrm{ToD}_R$ | Time of departure from the Reflector. This is the time at which the Reflector starts transmitting the signal over the air. |
| $\mathrm{ToA}_I$ | Time of arrival at the Initiator. This is the time at which the signal from the Reflector arrives at the antenna of the Initiator. |

The Initiator and Reflector perform these steps to compute the distance between them.

  1. The Initiator begins the CS SYNC procedure by sending the initial packet in the CS SYNC packet exchange. The Reflector receives this packet from the Initiator and then transmits a response back. The CS SYNC packet exchange evaluates the physical characteristics of the transmission channel. This exchange is bidirectional, with the Initiator and the Reflector taking turns sending and receiving RF signals. This equation determines the total time from when the Initiator sends the CS SYNC packet to when the response packet returns to the antenna of the Initiator.

    $$t_{\mathrm{Initiator}} = \mathrm{ToA}_I - \mathrm{ToD}_I$$

  2. The Initiator and Reflector calculate the total time starting from the moment a CS SYNC packet arrives at the antenna of the Reflector device to the moment when the Reflector device transmits the response CS SYNC packet.

    $$t_{\mathrm{Reflector}} = \mathrm{ToD}_R - \mathrm{ToA}_R$$

  3. The Initiator and Reflector calculate the RTT of the CS SYNC packet. This difference signifies the total flight time of the CS SYNC packet, encompassing the time $\mathrm{ToF}_1$ it takes to travel from the Initiator to the Reflector and the time $\mathrm{ToF}_2$ it takes for the response CS SYNC packet to travel back from the Reflector to the Initiator.

    $$\mathrm{RTT} = t_{\mathrm{Initiator}} - t_{\mathrm{Reflector}} = (\mathrm{ToA}_I - \mathrm{ToD}_I) - (\mathrm{ToD}_R - \mathrm{ToA}_R) = \mathrm{ToF}_1 + \mathrm{ToF}_2$$

  4. Assuming both devices operate on the same time base and maintain line-of-sight conditions without reflections, the propagation channel exhibits symmetry between the transmissions from the Initiator to the Reflector and from the Reflector back to the Initiator. Consequently, $\mathrm{ToF}_1$ and $\mathrm{ToF}_2$ must be identical.

    $$\mathrm{ToF}_1 = \mathrm{ToF}_2 = \mathrm{ToF}$$

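  5. The Initiator and Reflector derive the ToF from the RTT.

    $$\mathrm{RTT} = \mathrm{ToF}_1 + \mathrm{ToF}_2 = 2 \times \mathrm{ToF}$$

    $$\mathrm{ToF} = \frac{\mathrm{RTT}}{2} = \frac{(\mathrm{ToA}_I - \mathrm{ToD}_I) - (\mathrm{ToD}_R - \mathrm{ToA}_R)}{2}$$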

  6. This equation computes the distance between the two devices by using the ToF at the Initiator device:

    $$d = \mathrm{ToF} \times c = \frac{(\mathrm{ToA}_I - \mathrm{ToD}_I) - (\mathrm{ToD}_R - \mathrm{ToA}_R)}{2} \times c,$$

    where d is the distance between the Initiator and the Reflector, and c is the speed of light.

To learn how you can estimate the distance between the Bluetooth LE devices using the RTT distance measurement method, see the Estimate Distance Between Bluetooth LE Devices by Using Channel Sounding and Round-Trip Timing example.

Bluetooth Core Specification v6.0 [2] outlines the RTT and PBR distance measurement methods, but CS does not mandate a specific algorithm for calculating distance estimates. This flexibility enables device manufacturers to tailor solutions to various use cases, balancing computational complexity with required accuracy and adapting to different radio environments. Examples include simple phase difference calculation and fast Fourier transform (FFT) based methods.

In the real world, accurately measuring distance is more complex. To produce satisfactory results, real devices used in practical situations must address these challenges.

  • Complications from multipath propagation of the radio signals

  • Accuracy and stability of the frequencies of the generated signals

  • Stability of the internal clocks, and the accuracy and resolution of timestamps

  • Distance ambiguity in phase-based ranging

  • Network security
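The PBR and RTT computations described above, combined into one added Python example (not MathWorks or Bluetooth SIG code) that uses the RTT estimate to unwrap the PBR estimate and to flag measurements where the two methods disagree. The phase sign convention, the noise-free constructed samples, the 150 µs turnaround, and the 5 m agreement tolerance are assumptions; the code reduces the PBR result modulo c / (2(f2 − f1)), which is about 150 m for a 1 MHz separation.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def pbr_span(f1_hz, f2_hz):
    """Distance after which the PBR estimate repeats for this frequency pair."""
    return C / (2 * (f2_hz - f1_hz))

def pbr_distance(p_f1, p_f2, f1_hz, f2_hz):
    """PBR estimate from the phases (radians) measured at f1 and f2."""
    d = C * (p_f1 - p_f2) / (4 * math.pi * (f2_hz - f1_hz))
    # A 2*pi wrap of the phase difference moves d by one span, so reduce to [0, span).
    return d % pbr_span(f1_hz, f2_hz)

def rtt_distance(tod_i, toa_r, tod_r, toa_i):
    """RTT estimate from the four timestamps (seconds, shared time base)."""
    t_initiator = toa_i - tod_i
    t_reflector = tod_r - toa_r
    return (t_initiator - t_reflector) / 2 * C

def fuse(d_pbr, d_rtt, span, tolerance_m):
    """Unwrap the PBR estimate with RTT; report whether the two methods agree."""
    k = max(0, round((d_rtt - d_pbr) / span))   # whole spans hidden by the wrap
    d = d_pbr + k * span
    return d, k, abs(d - d_rtt) <= tolerance_m

def simulate(d_true, f1_hz, f2_hz, turnaround_s=150e-6):
    """Constructed, noise-free measurements for a line-of-sight link of d_true metres."""
    def phase(f_hz):  # assumed convention: round-trip phase lag, wrapped to [0, 2*pi)
        return (-4 * math.pi * f_hz * d_true / C) % (2 * math.pi)
    tof = d_true / C
    stamps = (0.0, tof, tof + turnaround_s, 2 * tof + turnaround_s)
    return phase(f1_hz), phase(f2_hz), stamps

def range_once(d_phase, d_time, f1_hz=2404e6, f2_hz=2405e6, tolerance_m=5.0):
    """Run both methods; d_phase and d_time differ only in the inconsistent sample."""
    p1, p2, _ = simulate(d_phase, f1_hz, f2_hz)
    _, _, stamps = simulate(d_time, f1_hz, f2_hz)
    d_pbr = pbr_distance(p1, p2, f1_hz, f2_hz)
    d_rtt = rtt_distance(*stamps)
    return (d_pbr, d_rtt) + fuse(d_pbr, d_rtt, pbr_span(f1_hz, f2_hz), tolerance_m)

if __name__ == "__main__":
    for label, d_phase, d_time in [("short link", 5.0, 5.0),
                                   ("beyond one span", 155.0, 155.0),
                                   ("methods disagree", 2.0, 60.0)]:
        d_pbr, d_rtt, d, k, ok = range_once(d_phase, d_time)
        print(f"{label}: PBR={d_pbr:.2f} m RTT={d_rtt:.2f} m "
              f"fused={d:.2f} m k={k} consistent={ok}")
```

A proximity decision such as unlocking should use the fused distance only when the consistency flag is set; the third sample shows a short PBR reading that the timing measurement does not support.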

Technical Specifications of CS

These are some of the key technical specifications of CS that the Bluetooth Core Specification v6.0 defines.

Physical Channels

This table shows the mapping of CS channel indices to RF physical channels, and indicates which channel indices are allowed for CS communication.

CS Physical Channel Mapping

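| CS Channel Index | RF Center Frequency (MHz) | Allowed |
|---|---|---|
| 0 | 2402 | No |
| 1 | 2403 | No |
| 2 | 2404 | Yes |
| 22 | 2424 | Yes |
| 23 | 2425 | No |
| 24 | 2426 | No |
| 25 | 2427 | No |
| 26 | 2428 | Yes |
| 76 | 2478 | Yes |
| 77 | 2479 | No |
| 78 | 2480 | No |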

CS specifies 79 RF channels within the 2.4 GHz Industrial, Scientific and Medical (ISM) band and assigns a new channel index to each channel.

CS Procedures

Bluetooth CS occurs through a series of procedures. Each procedure comprises multiple CS events, which are further divided into CS subevents. The smallest time division in this hierarchy is the CS step, where the devices transmit and receive packets or tones. This figure shows the structure of Bluetooth CS procedures.

These are some of the key configurable variables through which you can control the structural aspects of Bluetooth CS procedures.

Configurable Variables of CS Procedures

| Configurable Variable | Description |
|---|---|
| Number of CS procedure repetitions | The number of CS procedure repetitions to execute before ending Bluetooth CS. Valid values are in the range [0, 65535]. |
| Number of subevents per event | Number of subevents anchored off the same asynchronous connection-oriented logical (ACL) event. Valid values are in the range [1, 16]. |
| Subevent interval | Time interval between the beginning of a CS subevent and the beginning of the next CS subevent within the same CS event. Valid values are 0, or in the range [625, 40959375] μs. A value of 0 indicates that no division into subevents occurs. |
| Duration of each subevent | The first subevent in each event starts at the same time as the event, offset from the relevant ACL connection event. |
| Number of steps per subevent | The number of CS steps in each subevent. Valid values are in the range [2, 160]. Note that each procedure can contain a maximum of 256 steps. |

The start times for all procedures, events, subevents, and steps are directly or indirectly linked to a specified connection event within the underlying LE ACL connection. In the first instance of the CS procedure, the first event and subevent start simultaneously, scheduled to occur at an offset from the selected connection event anchor point. The first subevent in each event starts concurrently with the event, offset from the corresponding ACL connection event. You can configure the number of subevents per event, and subevents occur once per subevent interval. Each subevent consists of at least two steps, which can vary depending on how the application employs CS. The duration of these steps can also vary based on the configuration.

CS Packets

CS uses a specific modulated bit sequence known as a CS SYNC packet that the Initiator and Reflector exchange. This figure shows the format of a CS SYNC packet.

  • The preamble is 8 bits when transmitting or receiving on the LE 1M PHY and 16 bits when transmitting or receiving on the LE 2M and the LE 2M 2BT PHYs.

  • Each CS access address is a bit sequence that the CS deterministic random bit generator (DRBG) cryptographically generates. The DRBG enables the link layer (LL) of the LE device to generate random bit sequences. For more information about the DRBG, see Volume 6, Part E, Section 3, and Volume 6, Part H, Section 4.8 of [2]. This figure shows the ordered bit assignment of the CS access address.

    Devices communicating with CS generate a common set of CS access addresses. The Initiator and Reflector devices use these addresses for synchronization, security, and RTT calculations. For each CS step transmitting a CS SYNC packet, you must have two CS access addresses. These addresses are derived from four 32-bit DRBG output vectors. The vectors create four bit sequences: s0, s1, s2, and s3, in the order they are generated. Each sequence is constructed directly from the ordered DRBG bit output, with the first DRBG bit forming the most significant bit (MSB), bit 32 of the sequence, the second bit forming bit 31, and so on, until the last bit forms the least significant bit (LSB), bit 0. The CS access address transmits the least significant bit first, proceeding from bit 0 to bit 31.

    You can use the bleCSWaveform function to get the access address of the CS packet.

  • The CS trailer is a sequence of 4 bits, alternating between values of 0 and 1. This figure shows that the trailer value is 1010 (in transmission order) when the MSB value of the CS access address is 0, and 0101 when the MSB value is 1.

  • The optional sounding sequence consists of bits alternating between 0 and 1, starting with a 0 as the first bit (LSB) in transmission order. To enhance resilience against spoofing attacks, the Initiator partially overwrites the sequence by one or two marker signals. The Initiator selects the positions and bit patterns of the marker signals independently for each CS SYNC transmission. The marker signal is 4 bits long, with two possible configurations chosen randomly, seeded by the CS DRBG. The CS DRBG generates a single random bit. If this bit is 0, the marker signal is 1100 in transmission order. If the bit is 1, the marker signal is 0011. If the transmission requires the second marker bit, the Initiator repeats this selection process for a 96-bit sounding sequence.

    Each marker signal overwrites four consecutive bits of the sounding sequence, starting at a position determined by the random number generation function hr1. A 32-bit sounding sequence can use a single marker starting at bit number hr1(29). A 96-bit sounding sequence can use one or two markers: the first marker always starts at bit number hr1(64), and the second, if used, starts at hr1(75) + 67. If the starting position for the second marker exceeds 92, the sounding sequence omits the second marker. This figure shows the construction of the sounding sequence with a single marker inserted.

    The sounding sequence transmits starting with the LSB and ending with the MSB.

    The optional random sequence payload consists of a sequence of randomized bits, generated individually for each CS SYNC transmission. The random sequence is directly constructed from the ordered bit output of the DRBG, with the first DRBG bit occupying the MSB of this field, corresponding to the position equal to the sequence length minus one. The last DRBG bit occupies the least significant bit at position 0, as shown in this figure.

The SequenceLength and SequenceType properties of the bleCSConfig object enable you to specify the length and type of the sequence in the optional field, respectively.
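The sounding sequence marker rules and the CS trailer rule described above, written out as an added Python example (not MathWorks or Bluetooth SIG code). The marker start and selector bit are supplied by the caller as stand-ins for the hr1 and CS DRBG outputs, hr1(R) is assumed to return a value from 0 to R−1, and the `mismatches` comparison against an expected sequence is an illustrative receiver-side check rather than a procedure taken from the page.

```python
MARKERS = {0: [1, 1, 0, 0], 1: [0, 0, 1, 1]}  # DRBG selector bit -> marker bits

def sounding_sequence(length, first, second=None):
    """Build the sequence as a bit list in transmission order (index 0 = LSB).

    first and second are (start_bit, selector_bit) pairs. In a real link the
    start comes from hr1 and the selector from the CS DRBG; here the caller
    supplies them (hypothetical inputs for illustration).
    """
    if length not in (32, 96):
        raise ValueError("sounding sequence length must be 32 or 96")
    bits = [i % 2 for i in range(length)]       # 0, 1, 0, 1, ... starting with 0
    # Assumption: hr1(R) yields 0..R-1, so hr1(29) -> 0..28 and hr1(64) -> 0..63.
    placements = [(first, 0, 28 if length == 32 else 63)]
    if second is not None:
        if length == 32:
            raise ValueError("a 32-bit sequence carries a single marker")
        if second[0] <= 92:                      # a start beyond 92 omits marker two
            placements.append((second, 67, 92))  # hr1(75) + 67 starts at 67
    for (start, selector), low, high in placements:
        if not low <= start <= high:
            raise ValueError(f"marker start {start} outside {low}..{high}")
        bits[start:start + 4] = MARKERS[selector]
    return bits

def cs_trailer(access_address):
    """Trailer bits in transmission order, chosen by the MSB of the 32-bit address."""
    msb = (access_address >> 31) & 1
    return [0, 1, 0, 1] if msb else [1, 0, 1, 0]

def mismatches(received, expected):
    """Bit positions where a received sequence departs from the expected one."""
    if len(received) != len(expected):
        raise ValueError("length mismatch")
    return [i for i, (r, e) in enumerate(zip(received, expected)) if r != e]

if __name__ == "__main__":
    expected = sounding_sequence(32, first=(5, 0))
    plain = [i % 2 for i in range(32)]           # constructed: sequence without marker
    print("".join(map(str, expected)))
    print("positions that differ from a marker-free pattern:", mismatches(plain, expected))
    print("trailer for MSB=1:", cs_trailer(0x80000000))
```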

Additionally, the Bluetooth Core Specification v6.0 [2] defines two extended CS packet formats.

This figure shows the format of a CS packet consisting of a CS SYNC packet followed by a CS Tone packet, and separated by a guard duration of 10 microseconds.

This figure shows the format of a CS packet consisting of a CS Tone packet followed by a CS_SYNC packet, and separated by a guard duration of 10 microseconds.

CS Steps

CS steps focus on either calibration or acquiring low-level measurements for use by the APP in a distance measurement method. During these steps, the Initiator and the Receiver exchange the CS packets. If you use RTT as the distance measurement method, the Initiator and Reflector exchange CS SYNC packets. If you use PBR as the distance measurement method, the Initiator and Reflector exchange CS Tone packets. Each step has an associated mode that specifies its goal and the type of activity it involves. The Bluetooth Core Specification v6.0 defines these four CS step modes. To specify the step mode for generating a CS waveform, configure the StepMode property of the bleCSConfig object.

  • mode-0 — Mode-0 focuses on calibration, addressing clock drift and frequency generation inaccuracies present in all devices. These issues affect both the RTT and PBR distance measurement methods. Mode-0 step enables the Initiator to assess the frequency deviation of signals transmitted by the Reflector compared to those from the Transmitter. This figure shows the CS SYNC packet format of the Initiator operating in mode-0.

    The AAI field specifies the access address of the Initiator.

    This figure shows the CS SYNC packet format of the Reflector operating in mode-0.

    The AAR field specifies the access address of the Reflector. The Reflector sends a CS SYNC packet followed by a CS Tone packet, with a guard interval separating the two packets.

  • mode-1 — In the mode-1 step, the Initiator and the Reflector compute the RTT of a CS SYNC packet. The Initiator measures the ToD when sending the initial CS SYNC packet. Upon receiving the CS SYNC packet from the Reflector, the Initiator measures the ToA. Support for the mode-1 step is mandatory.

    This figure shows the CS SYNC packet format of the Initiator operating in mode-1.

    This figure shows the CS SYNC packet format of the Reflector operating in mode-1.

    In mode-1, the Initiator and Reflector transmit CS SYNC packets with optional sounding or random sequences.

  • mode-2 — A mode-2 step facilitates PBR. The process begins with the Initiator transmitting a CS Tone packet on a selected channel through each available antenna path. Following a ramp-down time and interlude period, the Reflector responds by transmitting a CS Tone packet on the same frequency as the received tone, using each of its antenna paths. Support for the mode-2 step is mandatory.

    This figure shows the CS Tone packet format of the Initiator and Reflector operating in mode-2.

    The Initiator and Reflector transmit the CS Tone packet N_AP times, where N_AP is the number of antenna paths between the two devices. The valid values of N_AP are 1:1, 1:2, 1:3, 1:4, and 2:2.

  • mode-3 — A mode-3 step facilitates both RTT calculation and PBR through the combined exchange of CS SYNC and CS Tone packets. Support for mode-3 is optional. Applications that aim to integrate PBR and RTT, but discover that the Initiator and Reflector do not support mode-3, can alternatively use a step mode sequence integrating both mode-2 and mode-1 steps.

    This figure shows the CS SYNC packet format of the Initiator operating in mode-3.

    In mode-3, the Initiator transmits a CS SYNC packet followed by an amplitude shift keying (ASK) modulated CS Tone packet N_AP times.

    This figure shows the CS SYNC packet format of the Reflector operating in mode-3.

    In mode-3, the Reflector transmits an ASK-modulated CS Tone packet N_AP times, followed by a CS SYNC packet.

References

[1] Bluetooth Technology Website. “Bluetooth Technology Website | The Official Website of Bluetooth Technology.” Accessed November 22, 2024. https://www.bluetooth.com/.

[2] Bluetooth Core Specifications Working Group. "Bluetooth Core Specification" v6.0. https://www.bluetooth.com/specifications/specs/core-specification-6-0/.

[3] Bluetooth Technology Website. “Bluetooth® Channel Sounding: A Technical Overview.” Accessed November 5, 2024. https://www.bluetooth.com/channel-sounding-tech-overview/
