Bluetooth LE Unplugged™

Novel Bits Learning Hub

1.5 Your First Scan

Introduction

So far you've set up your dongles, learned the AT command basics, and configured your devices for their roles. Now let's bring it all together with your first real Bluetooth LE interaction: one dongle will broadcast its presence, and the other will discover it.

This is how every Bluetooth LE connection begins in the real world: a peripheral advertises, a central scans, and they find each other. By the end of this lesson, you'll have seen this happen with your own hardware.

How Bluetooth LE Discovery Works

Before we start typing commands, let's understand what's happening at the protocol level.

Bluetooth LE uses three dedicated advertising channels (channels 37, 38, and 39) for device discovery. These three channels are spread across the 2.4 GHz band to minimize interference. If one channel is blocked by Wi-Fi or a microwave oven, the other two still work.

When a peripheral advertises, it broadcasts small packets of data on these three channels in a repeating cycle. In legacy advertising, the advertising data is between 0 and 31 bytes (31 is the spec's maximum for legacy advertising PDUs). Bluetooth 5.0 introduced extended advertising, which can carry much larger payloads on secondary channels; we'll cover that in Module 3. When a central scans, it listens on those same three channels for advertising packets. If the timing aligns (and it usually does within a few hundred milliseconds), the central hears the peripheral's advertisement.

This is a deliberately simple system, designed to be fast, low-power, and reliable even in noisy radio environments. I've always appreciated how elegant this design is. Three channels is all it takes for reliable discovery.

[Figure] Advertising and scanning: the peripheral broadcasts on all three channels each advertising interval while the central hops between them. Discovery happens when the channels align.

Step 1: Start Advertising from the Peripheral (Black) Dongle

Let's make the peripheral (black) dongle visible. In the peripheral dongle's terminal, first set a custom name in the advertising data so you can easily spot your dongle in scan results:

AT+ADVDATA=0B:09:50:45:52:49:50:48:45:52:41:4C
OK

ADVERTISING DATA: 0B095045524950484552414C

This encodes the name "PERIPHERAL" in the advertising packet. In hex, each byte has a meaning: 0B is the length (11 bytes follow), 09 is the AD type for "Complete Local Name," and the remaining 10 bytes are the ASCII codes for the letters P E R I P H E R A L. We'll explore the full Length-Type-Value format in Module 3; for now, just know this is how you set the name other devices see when scanning.
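To make the Length-Type-Value format concrete, here is an added Python example (written for this lesson, not code from BleuIO or Novel Bits) that builds the exact byte string passed to AT+ADVDATA above, formats it as the colon-separated hex the command expects, and walks the structures back out of the echoed ADVERTISING DATA. It also enforces the 31-byte legacy limit and refuses a payload whose length byte runs past the end, which is the check you want before trusting advertising data parsed from the air. The AD type values (0x01 Flags, 0x08 Shortened Local Name, 0x09 Complete Local Name) are the standard spec assignments; the flags value 0x06 used in the usage call is a constructed sample.

```python
from typing import List, Optional, Tuple

# Standard AD type values from the Bluetooth Core Specification Supplement.
AD_TYPE_FLAGS = 0x01
AD_TYPE_SHORTENED_LOCAL_NAME = 0x08
AD_TYPE_COMPLETE_LOCAL_NAME = 0x09
LEGACY_ADV_DATA_MAX = 31  # legacy advertising PDUs carry at most 31 bytes of AD data


def encode_ad_structure(ad_type: int, value: bytes) -> bytes:
    """Build one Length-Type-Value structure.

    The length byte counts the type byte plus the value bytes, which is why
    "PERIPHERAL" (10 letters) is announced with length 0x0B (11).
    """
    if not 0 <= ad_type <= 0xFF:
        raise ValueError("AD type must fit in one byte")
    length = 1 + len(value)
    if length > 0xFF:
        raise ValueError("AD structure value too long for a one-byte length")
    return bytes([length, ad_type]) + value


def build_adv_data(name: str, flags: Optional[int] = None) -> bytes:
    """Assemble legacy advertising data: optional Flags structure, then Complete Local Name.

    Raises ValueError if the result would not fit in a legacy advertising PDU.
    """
    data = b""
    if flags is not None:
        data += encode_ad_structure(AD_TYPE_FLAGS, bytes([flags]))
    data += encode_ad_structure(AD_TYPE_COMPLETE_LOCAL_NAME, name.encode("utf-8"))
    if len(data) > LEGACY_ADV_DATA_MAX:
        raise ValueError(
            f"advertising data is {len(data)} bytes; legacy limit is {LEGACY_ADV_DATA_MAX}"
        )
    return data


def to_at_hex(data: bytes) -> str:
    """Format bytes the way AT+ADVDATA takes them: upper-case hex, colon-separated."""
    return ":".join(f"{b:02X}" for b in data)


def from_at_hex(text: str) -> bytes:
    """Parse colon-separated or bare hex, e.g. the ADVERTISING DATA line the dongle echoes."""
    return bytes.fromhex(text.replace(":", ""))


def parse_adv_data(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the LTV structures in an advertising payload.

    A zero length byte ends the walk (the remainder is padding). A length byte
    that runs past the end of the payload marks a truncated or malformed packet
    and is reported as an error instead of being read out of bounds.
    """
    structures: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break
        if i + 1 + length > len(data):
            raise ValueError(
                f"AD structure at offset {i} claims {length} bytes but the payload ends early"
            )
        ad_type = data[i + 1]
        value = data[i + 2 : i + 1 + length]
        structures.append((ad_type, value))
        i += 1 + length
    return structures


def local_name(data: bytes) -> Optional[str]:
    """Return the advertised name, preferring a Complete Local Name over a Shortened one."""
    shortened = None
    for ad_type, value in parse_adv_data(data):
        if ad_type == AD_TYPE_COMPLETE_LOCAL_NAME:
            return value.decode("utf-8", errors="replace")
        if ad_type == AD_TYPE_SHORTENED_LOCAL_NAME:
            shortened = value.decode("utf-8", errors="replace")
    return shortened


if __name__ == "__main__":
    # Reproduce the command from the lesson, then decode the dongle's echo.
    print("AT+ADVDATA=" + to_at_hex(build_adv_data("PERIPHERAL")))
    print("name in echoed data:", local_name(from_at_hex("0B095045524950484552414C")))
    # Constructed sample with a Flags structure (0x06) placed before the name.
    print("AT+ADVDATA=" + to_at_hex(build_adv_data("PERIPHERAL", flags=0x06)))
```

Running the script prints the same AT+ADVDATA line used in this step and recovers "PERIPHERAL" from the echoed hex. The parser is the piece worth keeping: the same walk is what a scanner has to do for every packet it hears, and the bounds check is what stops a mis-sized length byte from being read as data.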

Now switch to peripheral mode:

AT+PERIPHERAL
OK

The peripheral dongle is now in peripheral-only role. Start advertising:

AT+ADVSTART
Advertising type: GAP_CONN_MODE_UNDIRECTED Advertising interval minimum: 1100 maximum: 1100

ADVERTISING...

The peripheral (black) dongle is now broadcasting advertising packets on channels 37, 38, and 39 with the name "PERIPHERAL" included in its advertising data.

AT+ADVSTART returns ERROR?

Two common causes:

  1. Wrong role: You're in Central mode. Only Peripheral or Dual role can advertise. Run AT+PERIPHERAL first.
  2. Already advertising: On some firmware versions this is an error. Run AT+ADVSTOP first, then try again.

You can verify it's advertising:

AT+GAPSTATUS
Peripheral role

Not Connected

Advertising

The status now shows "Advertising." The dongle is actively sending packets roughly every 700 ms (the default advertising interval of 1100 units, where each unit is 0.625 ms).

Step 2: Scan from the Central (White) Dongle

Now let's listen for that advertisement. Switch the central dongle into central mode:

AT+CENTRAL
OK

Then run a 5-second scan:

AT+GAPSCAN=5
SCANNING...

[01] Device: [1]75:ED:05:F9:CC:74  RSSI: -46
... (25 more devices trimmed for readability) ...
[27] Device: [0]<PERIPHERAL-ADDRESS>  RSSI: -13 (PERIPHERAL)
... (21 more devices trimmed for readability) ...
[48] Device: [1]C5:66:E5:11:D4:1C  RSSI: -83
SCAN COMPLETE

That's a list of every Bluetooth LE device advertising near you. In a typical home or office it's common to see anywhere from 20 to 60+ devices in a single short scan, especially if you're near phones, laptops, fitness trackers, smart home hubs, or other people's devices in a dense building. Bluetooth LE is everywhere. One of those lines is your peripheral (black) dongle; look for the MAC address you wrote down earlier. The [0] prefix means a public address (manufacturer-assigned), while [1] means a random address.

Note: The scan output in this lesson (and other broad scans throughout the course) is trimmed for readability; ... (N more devices trimmed for readability) ... replaces the devices we omitted to keep the output short. Your actual scan will look similar but will list every device in full.

Tip: All our scan exercises use a timer (AT+GAPSCAN=5 scans for 5 seconds). If you ever run AT+GAPSCAN without a timer, the scan runs indefinitely. Press Ctrl+C to stop it.

Tip: The scan duration accepts whole seconds only (minimum 1). Using AT+GAPSCAN=0 or AT+GAPSCAN with no parameter starts an indefinite scan that runs until you press Ctrl+C. Decimal values like AT+GAPSCAN=0.5 return ERROR.

Notice the (PERIPHERAL) label at the end of your dongle's line: AT+GAPSCAN decodes the Complete Local Name from each device's advertising data and shows it in parentheses automatically. That's your peripheral (black) dongle. Devices that don't include a name in their advertising data show up without a label.
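Once scans return dozens of lines, picking out your own dongle by eye gets tedious. The following added Python example (written for this lesson, not part of the BleuIO firmware or library) parses AT+GAPSCAN output in the format shown above into records with the address type decoded from the [0]/[1] prefix, then filters by advertised name and ranks by RSSI. The embedded scan text is a constructed sample that mimics the lesson's output; its addresses and RSSI values are made up, and the assumption is that your firmware prints scan lines in the same shape.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of AT+GAPSCAN output in the format shown in the lesson.
# Addresses and RSSI values are made up; the [0]/[1] prefix is the address type.
SAMPLE_SCAN = """SCANNING...

[01] Device: [1]75:ED:05:F9:CC:74  RSSI: -46
[02] Device: [0]00:11:22:33:44:55  RSSI: -13 (PERIPHERAL)
[03] Device: [1]C5:66:E5:11:D4:1C  RSSI: -83
[04] Device: [1]5A:10:2B:77:0E:91  RSSI: -60 (Kitchen Sensor)
SCAN COMPLETE
"""

# One scan line: index, address-type flag, address, RSSI, optional "(name)" suffix.
SCAN_LINE = re.compile(
    r"^\[(?P<index>\d+)\] Device: \[(?P<addr_type>[01])\]"
    r"(?P<addr>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
    r"\s+RSSI: (?P<rssi>-?\d+)(?: \((?P<name>.*)\))?\s*$"
)


@dataclass
class ScanResult:
    index: int
    address: str
    address_type: str  # "public" for [0], "random" for [1]
    rssi: int
    name: Optional[str]  # None when the device advertises no local name


def parse_scan_line(line: str) -> Optional[ScanResult]:
    """Return a ScanResult for a device line, or None for SCANNING.../SCAN COMPLETE/blank lines."""
    m = SCAN_LINE.match(line)
    if m is None:
        return None
    return ScanResult(
        index=int(m["index"]),
        address=m["addr"].upper(),
        address_type="public" if m["addr_type"] == "0" else "random",
        rssi=int(m["rssi"]),
        name=m["name"],
    )


def parse_scan_output(text: str) -> List[ScanResult]:
    """Parse a whole AT+GAPSCAN transcript, skipping anything that is not a device line."""
    results = []
    for line in text.splitlines():
        result = parse_scan_line(line)
        if result is not None:
            results.append(result)
    return results


def find_by_name(results: List[ScanResult], name: str) -> List[ScanResult]:
    """Every device whose decoded Complete Local Name matches exactly."""
    return [r for r in results if r.name == name]


def strongest(results: List[ScanResult], n: int = 3) -> List[ScanResult]:
    """The n devices with the highest RSSI (least negative), i.e. usually the closest."""
    return sorted(results, key=lambda r: r.rssi, reverse=True)[:n]


if __name__ == "__main__":
    devices = parse_scan_output(SAMPLE_SCAN)
    print(f"{len(devices)} devices seen")
    for d in find_by_name(devices, "PERIPHERAL"):
        print(f"our dongle: {d.address} ({d.address_type}) at {d.rssi} dBm")
    for d in strongest(devices):
        print(f"{d.rssi:5d} dBm  {d.address}  {d.name or ''}")
```

Matching on the advertised name is convenient for finding your own dongle on the bench, but note that any device can advertise any name, so the name alone never identifies a device; the address you wrote down earlier is the thing to compare against when it matters.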

Key Takeaway: Every Bluetooth LE device you've ever connected to (smartwatches, fitness trackers, smart light bulbs) went through exactly this advertising-and-scanning process. You just did it manually with AT commands.

Command Quick Reference

Command             What It Does
AT+ADVDATA=<hex>    Set advertising data (name, flags, etc.)
AT+PERIPHERAL       Switch to peripheral role
AT+ADVSTART         Start advertising
AT+GAPSTATUS        Check current role and advertising/connection state
AT+CENTRAL          Switch to central role
AT+GAPSCAN=N        Scan for N seconds

Summary

In this lesson, we:

  • Learned how Bluetooth LE discovery works (advertising on channels 37, 38, 39; scanning to listen)
  • Started advertising from the peripheral (black) dongle and scanned from the central (white) dongle
  • Saw the peripheral dongle appear in the central dongle's scan results

You should now be able to make one dongle advertise and discover it from another, the fundamental building block of every Bluetooth LE interaction.

What's Next

In the next lesson, we'll dig deeper into scan results: what the RSSI numbers mean, how to control scan duration, and what happens when a device stops advertising.