Android 7 btsnoop代码介绍

本文假设你有btsnoop的概念，会在以上基础上进行android 7的btsnoop的代码介绍，如果你没有btsnoop相关的基础，那么移步到大专兰看btsnoop的概念，再来看本文，协议栈大专栏以及btsnoop的相关的文章连接如下：

一篇文章足够你学习蓝牙技术，提供史上最全的蓝牙技术（传统蓝牙/低功耗蓝牙）文章总结，文档下载总结（2020/12/11更新）_Wireless_Link的博客-CSDN博客_蓝牙eir

蓝牙协议栈学习/开发利器-BTSNOOP介绍_Wireless_Link的博客-CSDN博客_btsnoop

本文通过以下几个内容来介绍下Android 7的btsnoop

1）btsnoop的分类

2）btsnoop的启动以及结束实现

3）btsnoop的写入实现以及调用

一.Btsnoop的分类

我们可以看到Android7的AOSP代码中有3中btsnoop的实现，分别是btsnoop，btsnoop_net，btsnoop_mem,下面我们就要分别介绍下：

1.btsnoop

此方式就是普通的btsnoop，把hci的数据写入到文件中，然后导出文件来查看，文件源码跟头文件分别是：

system/bt/hci/src/btsnoop.c

system/bt/hci/include/btsnoop.h

2.btsnoop_net

此方式是通过socket来调试btsnoop,这种方式会把hci数据写入到local host的tcp 8872端口上，然后配合自己敲的指令，来实时抓取log,文件源码是：

system/bt/hci/src/btsnoop_net.c

这个功能的使用文档在

system/bt/doc

3.btsnoop_mem

此方式是通过把btsnoop的数据抓下来，在btif层保存到一个ring buffer中，然后通过dump的方式在通过dprintf打印出来！，文件源码跟头文件分别是：

system/bt/hci/src/btsnoop_mem.c

system/bt/hci/include/btsnoop_mem.h

二.btsnoop的启动实现

btsnoop的启动分为以下几个步骤：

1）模块启动

2）模块启动的源码分析

下面我们就一一分析下以上几个步骤

1.模块启动

Android的协议栈把很多功能都分成了一个个的子模块，叫做module，通过module_init来初始化，通过module_start_up来开始，通过module_shut_down来结束，module的实现不在本文章的讨论范围内，我们只需要知道模块提前根据以下结构体注册，然后每个函数指针调用到特定的函数即可！

typedef struct {
  const char *name;
  module_lifecycle_fn init;
  module_lifecycle_fn start_up;
  module_lifecycle_fn shut_down;
  module_lifecycle_fn clean_up;
  const char *dependencies[];
} module_t;

btsnoop的module结构体如下：

EXPORT_SYMBOL const module_t btsnoop_module = {
  .name = BTSNOOP_MODULE,
  .init = NULL,
  .start_up = start_up,
  .shut_down = shut_down,
  .clean_up = NULL,
  .dependencies = {
    STACK_CONFIG_MODULE,
    NULL
  }
};

因为btsnoop没有init函数，只有startup跟shurdown函数，分别调用位置如下：

void bte_main_enable()
{
    APPL_TRACE_DEBUG("%s", __FUNCTION__);
    
    module_start_up(get_module(BTSNOOP_MODULE)); //模块启动
    module_start_up(get_module(HCI_MODULE));
    
    BTU_StartUp();
}

void bte_main_disable(void)
{
    APPL_TRACE_DEBUG("%s", __FUNCTION__);
 
    module_shut_down(get_module(HCI_MODULE)); //模块结束
    module_shut_down(get_module(BTSNOOP_MODULE));
 
    BTU_ShutDown();
}

2. btsnoop的启动以及结束实现

2.1 btsnoop的开启

btsnoop的startup函数实现如下：

static future_t *start_up(void) {
  module_started = true;
  update_logging();
 
  return NULL;
}

static void update_logging() {
  bool should_log = module_started &&
    (logging_enabled_via_api || stack_config->get_btsnoop_turned_on());
 
  if (should_log == is_logging)
    return;
 
  is_logging = should_log;
  if (should_log) {
    btsnoop_net_open();
 
    const char *log_path = stack_config->get_btsnoop_log_path();
 
    // Save the old log if configured to do so
    if (stack_config->get_btsnoop_should_save_last()) {
      char last_log_path[PATH_MAX];
      snprintf(last_log_path, PATH_MAX, "%s.%" PRIu64, log_path,
               btsnoop_timestamp());
      if (!rename(log_path, last_log_path) && errno != ENOENT)
        LOG_ERROR(LOG_TAG, "%s unable to rename '%s' to '%s': %s", __func__, log_path, last_log_path, strerror(errno));
    }
 
    logfile_fd = open(log_path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
    if (logfile_fd == INVALID_FD) {
      LOG_ERROR(LOG_TAG, "%s unable to open '%s': %s", __func__, log_path, strerror(errno));
      is_logging = false;
      return;
    }
 
    write(logfile_fd, "btsnoop\0\0\0\0\1\0\0\x3\xea", 16);
  } else {
    if (logfile_fd != INVALID_FD)
      close(logfile_fd);
 
    logfile_fd = INVALID_FD;
    btsnoop_net_close();
  }
}

startup主要是update_logging函数的实现，我们来分析一下

我们看到是否开启要依赖于should_log这个变量，这个变量为true就做一些动作，比如btsnoop写文件的open,btsnoop_net的开启，如果为false就做btsoop写文件的关闭以及btsnoop_net的关闭。

那么shoud_log都会依赖于什么呢？他的条件是这样的module_started && (logging_enabled_via_api || stack_config->get_btsnoop_turned_on());

首先会依赖于module_started ，我们可以看到btsnoop startup的时候就把这个设置为true了，那么其他两个条件是从什么地方而来呢？

logging_enabled_via_api

config_hci_snoop_log-》btsnoop_get_interface()->set_api_wants_to_log(enable)-》logging_enabled_via_api = value，可以看出来config_hci_snoop_log这个bluetooth.c中的hal实现，所以这个是跟上层jni调用，由上层来决定

那么stack_config->get_btsnoop_turned_on()这个条件呢？其中函数实现是get_btsnoop_turned_on

static bool get_btsnoop_turned_on(void) {
  return config_get_bool(config, CONFIG_DEFAULT_SECTION, BTSNOOP_TURNED_ON_KEY, false);
}

所以看代码我们可以得出他是从"/etc/bluetooth/bt_stack.conf" 配置文件中读取BtSnoopLogOutput的key value来决定。

基于以上条件，我们就能进入正式的开启文件等动作了，我们通过代码注释来解析

if (should_log) {
    //btsnoop net的open，这个稍后分析
    btsnoop_net_open();
    // 通过/etc/bluetooth/bt_stack.conf配置文件的BtSnoopFileName value值来决定btsnoop的路径
    // 默认路径是/data/misc/bluedroid/btsnoop_hci.log
    const char *log_path = stack_config->get_btsnoop_log_path(); 
 
    // 通过/etc/bluetooth/bt_stack.conf配置文件的BtSnoopSaveLog value值来决定是否保存上一次的
    // btsnoop,这个功能主要是会把上一次的snoop修改名称，做一个备份
    // Save the old log if configured to do so
    if (stack_config->get_btsnoop_should_save_last()) {
      char last_log_path[PATH_MAX];
      snprintf(last_log_path, PATH_MAX, "%s.%" PRIu64, log_path,
               btsnoop_timestamp());
      if (!rename(log_path, last_log_path) && errno != ENOENT)
        LOG_ERROR(LOG_TAG, "%s unable to rename '%s' to '%s': %s", __func__, log_path, last_log_path, strerror(errno));
    }
 
    // 常规的打开文件，保存路径就是我们上面从解析文件中得到的
    logfile_fd = open(log_path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
    if (logfile_fd == INVALID_FD) {
      LOG_ERROR(LOG_TAG, "%s unable to open '%s': %s", __func__, log_path, strerror(errno));
      is_logging = false;
      return;
    }
    // 写btsnoop的file header format，里面值不懂的可以回头看看我们的btsnoop的概念
    write(logfile_fd, "btsnoop\0\0\0\0\1\0\0\x3\xea", 16);
  }

现在回头来看看btsnoop_net的open

// 如果定义的宏，并且为TRUE，就创建一个现成，执行listen_fn_函数
void btsnoop_net_open() {
#if (!defined(BT_NET_DEBUG) || (BT_NET_DEBUG != TRUE))
  return;               // Disable using network sockets for security reasons
#endif
 
  listen_thread_valid_ = (pthread_create(&listen_thread_, NULL, listen_fn_, NULL) == 0);
  if (!listen_thread_valid_) {
    LOG_ERROR(LOG_TAG, "%s pthread_create failed: %s", __func__, strerror(errno));
  } else {
    LOG_DEBUG(LOG_TAG, "initialized");
  }
}
 
 
static void *listen_fn_(UNUSED_ATTR void *context) {
 
  prctl(PR_SET_NAME, (unsigned long)LISTEN_THREAD_NAME_, 0, 0, 0);
 
  // 创建一个TCP的socket
  listen_socket_ = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (listen_socket_ == -1) {
    LOG_ERROR(LOG_TAG, "%s socket creation failed: %s", __func__, strerror(errno));
    goto cleanup;
  }
 
  int enable = 1;
  if (setsockopt(listen_socket_, SOL_SOCKET, SO_REUSEADDR, &enable, sizeof(enable)) == -1) {
    LOG_ERROR(LOG_TAG, "%s unable to set SO_REUSEADDR: %s", __func__, strerror(errno));
    goto cleanup;
  }
 
  // 设置IP地址为local host，也就是本地交互，设置端口号为8872
  struct sockaddr_in addr;
  addr.sin_family = AF_INET;
  addr.sin_addr.s_addr = htonl(LOCALHOST_);
  addr.sin_port = htons(LISTEN_PORT_);
  if (bind(listen_socket_, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
    LOG_ERROR(LOG_TAG, "%s unable to bind listen socket: %s", __func__, strerror(errno));
    goto cleanup;
  }
 
  // 启动socket监听
  if (listen(listen_socket_, 10) == -1) {
    LOG_ERROR(LOG_TAG, "%s unable to listen: %s", __func__, strerror(errno));
    goto cleanup;
  }
 
  // 有设备接入 ，发送btsnoop的header file format过去
  for (;;) {
    int client_socket;
    OSI_NO_INTR(client_socket = accept(listen_socket_, NULL, NULL));
    if (client_socket == -1) {
      if (errno == EINVAL || errno == EBADF) {
        break;
      }
      LOG_WARN(LOG_TAG, "%s error accepting socket: %s", __func__, strerror(errno));
      continue;
    }
 
    /* When a new client connects, we have to send the btsnoop file header. This allows
       a decoder to treat the session as a new, valid btsnoop file. */
    pthread_mutex_lock(&client_socket_lock_);
    safe_close_(&client_socket_);
    client_socket_ = client_socket;
 
    OSI_NO_INTR(send(client_socket_, "btsnoop\0\0\0\0\1\0\0\x3\xea", 16, 0));
    pthread_mutex_unlock(&client_socket_lock_);
  }
 
cleanup:
  safe_close_(&listen_socket_);
  return NULL;
}

2.2 btsnoop的关闭

{
    if (logfile_fd != INVALID_FD)
      close(logfile_fd); //关闭掉btsnoop的文件描述符
 
    logfile_fd = INVALID_FD;
    btsnoop_net_close(); // 关闭掉btsnoop_net
  }
void btsnoop_net_close() {
#if (!defined(BT_NET_DEBUG) || (BT_NET_DEBUG != TRUE))
  return;               // Disable using network sockets for security reasons
#endif
 
  if (listen_thread_valid_) {
    shutdown(listen_socket_, SHUT_RDWR);
    pthread_join(listen_thread_, NULL);
    safe_close_(&client_socket_);
    listen_thread_valid_ = false;
  }
}

三.btsnoop的写入实现以及调用

1.btsnoop的写入实现

首先他是通过capture接口来向外开放

static void capture(const BT_HDR *buffer, bool is_received) {
  const uint8_t *p = buffer->data + buffer->offset;
 
  btsnoop_mem_capture(buffer);
 
  if (logfile_fd == INVALID_FD)
    return;
 
  switch (buffer->event & MSG_EVT_MASK) {
    case MSG_HC_TO_STACK_HCI_EVT:
      btsnoop_write_packet(kEventPacket, p, false);
      break;
    case MSG_HC_TO_STACK_HCI_ACL:
    case MSG_STACK_TO_HC_HCI_ACL:
      btsnoop_write_packet(kAclPacket, p, is_received);
      break;
    case MSG_HC_TO_STACK_HCI_SCO:
    case MSG_STACK_TO_HC_HCI_SCO:
      btsnoop_write_packet(kScoPacket, p, is_received);
      break;
    case MSG_STACK_TO_HC_HCI_CMD:
      btsnoop_write_packet(kCommandPacket, p, true);
      break;
  }
}

static void btsnoop_write_packet(packet_type_t type, const uint8_t *packet, bool is_received) {
  int length_he = 0;
  int length;
  int flags;
  int drops = 0;
  switch (type) {
    case kCommandPacket:
      length_he = packet[2] + 4;
      flags = 2;
      break;
    case kAclPacket:
      length_he = (packet[3] << 8) + packet[2] + 5;
      flags = is_received;
      break;
    case kScoPacket:
      length_he = packet[2] + 4;
      flags = is_received;
      break;
    case kEventPacket:
      length_he = packet[1] + 3;
      flags = 3;
      break;
  }
 
  uint64_t timestamp = btsnoop_timestamp();
  uint32_t time_hi = timestamp >> 32;
  uint32_t time_lo = timestamp & 0xFFFFFFFF;
 
  length = htonl(length_he);
  flags = htonl(flags);
  drops = htonl(drops);
  time_hi = htonl(time_hi);
  time_lo = htonl(time_lo);
 
  btsnoop_write(&length, 4);
  btsnoop_write(&length, 4);
  btsnoop_write(&flags, 4);
  btsnoop_write(&drops, 4);
  btsnoop_write(&time_hi, 4);
  btsnoop_write(&time_lo, 4);
  btsnoop_write(&type, 1);
  btsnoop_write(packet, length_he - 1);
}
static void btsnoop_write(const void *data, size_t length) {
  if (logfile_fd != INVALID_FD)
    write(logfile_fd, data, length);
 
  btsnoop_net_write(data, length);
}
void btsnoop_net_write(const void *data, size_t length) {
#if (!defined(BT_NET_DEBUG) || (BT_NET_DEBUG != TRUE))
  return;               // Disable using network sockets for security reasons
#endif
 
  pthread_mutex_lock(&client_socket_lock_);
  if (client_socket_ != -1) {
    ssize_t ret;
    OSI_NO_INTR(ret = send(client_socket_, data, length, 0));
 
    if (ret == -1 && errno == ECONNRESET) {
      safe_close_(&client_socket_);
    }
  }
  pthread_mutex_unlock(&client_socket_lock_);
}

以上代码我觉得除了格式之外没有什么可讲的，如果你对为什么这么写格式不了解，我还是建议你回头看看。btsnoop的概念，下面我们来说明下调用地方

2.btsnoop的写入调用

通过以下函数实现来获取到btsnoop的interface函数操作

const hci_t *hci_layer_get_interface() {
  buffer_allocator = buffer_allocator_get_interface();
  hal = hci_hal_get_interface();
  btsnoop = btsnoop_get_interface(); // 通过这个interface来实现
  hci_inject = hci_inject_get_interface();
  packet_fragmenter = packet_fragmenter_get_interface();
  vendor = vendor_get_interface();
  low_power_manager = low_power_manager_get_interface();
 
  init_layer_interface();
  return &interface;
}

host->controller方向的写入实现，通过这个调用btsnoop->capture(packet, false);

static void transmit_fragment(BT_HDR *packet, bool send_transmit_finished) {
  uint16_t event = packet->event & MSG_EVT_MASK;
  serial_data_type_t type = event_to_data_type(event);
 
  btsnoop->capture(packet, false);
  hal->transmit_data(type, packet->data + packet->offset, packet->len);
 
  if (event != MSG_STACK_TO_HC_HCI_CMD && send_transmit_finished)
    buffer_allocator->free(packet);
}

controller->host方向的写入实现，这个函数比较复杂，你们暂时只需要知道调用了btsnoop->capture(packet, false)写入到btsnoop即可，因为其他实现暂时不在我们本文章套路范围之内

static void hal_says_data_ready(serial_data_type_t type) {
  packet_receive_data_t *incoming = &incoming_packets[PACKET_TYPE_TO_INBOUND_INDEX(type)];
 
  uint8_t byte;
  while (hal->read_data(type, &byte, 1) != 0) {
    switch (incoming->state) {
      case BRAND_NEW:
        // Initialize and prepare to jump to the preamble reading state
        incoming->bytes_remaining = preamble_sizes[PACKET_TYPE_TO_INDEX(type)];
        memset(incoming->preamble, 0, PREAMBLE_BUFFER_SIZE);
        incoming->index = 0;
        incoming->state = PREAMBLE;
        // INTENTIONAL FALLTHROUGH
      case PREAMBLE:
        incoming->preamble[incoming->index] = byte;
        incoming->index++;
        incoming->bytes_remaining--;
 
        if (incoming->bytes_remaining == 0) {
          // For event and sco preambles, the last byte we read is the length
          incoming->bytes_remaining = (type == DATA_TYPE_ACL) ? RETRIEVE_ACL_LENGTH(incoming->preamble) : byte;
 
          size_t buffer_size = BT_HDR_SIZE + incoming->index + incoming->bytes_remaining;
          incoming->buffer = (BT_HDR *)buffer_allocator->alloc(buffer_size);
 
          if (!incoming->buffer) {
            LOG_ERROR(LOG_TAG, "%s error getting buffer for incoming packet of type %d and size %zd", __func__, type, buffer_size);
            // Can't read any more of this current packet, so jump out
            incoming->state = incoming->bytes_remaining == 0 ? BRAND_NEW : IGNORE;
            break;
          }
 
          // Initialize the buffer
          incoming->buffer->offset = 0;
          incoming->buffer->layer_specific = 0;
          incoming->buffer->event = outbound_event_types[PACKET_TYPE_TO_INDEX(type)];
          memcpy(incoming->buffer->data, incoming->preamble, incoming->index);
 
          incoming->state = incoming->bytes_remaining > 0 ? BODY : FINISHED;
        }
 
        break;
      case BODY:
        incoming->buffer->data[incoming->index] = byte;
        incoming->index++;
        incoming->bytes_remaining--;
 
        size_t bytes_read = hal->read_data(type, (incoming->buffer->data + incoming->index), incoming->bytes_remaining);
        incoming->index += bytes_read;
        incoming->bytes_remaining -= bytes_read;
 
        incoming->state = incoming->bytes_remaining == 0 ? FINISHED : incoming->state;
        break;
      case IGNORE:
        incoming->bytes_remaining--;
        if (incoming->bytes_remaining == 0) {
          incoming->state = BRAND_NEW;
          // Don't forget to let the hal know we finished the packet we were ignoring.
          // Otherwise we'll get out of sync with hals that embed extra information
          // in the uart stream (like H4). #badnewsbears
          hal->packet_finished(type);
          return;
        }
 
        break;
      case FINISHED:
        LOG_ERROR(LOG_TAG, "%s the state machine should not have been left in the finished state.", __func__);
        break;
    }
 
    if (incoming->state == FINISHED) {
      incoming->buffer->len = incoming->index;
      btsnoop->capture(incoming->buffer, true);
 
      if (type != DATA_TYPE_EVENT) {
        packet_fragmenter->reassemble_and_dispatch(incoming->buffer);
      } else if (!filter_incoming_event(incoming->buffer)) {
        // Dispatch the event by event code
        uint8_t *stream = incoming->buffer->data;
        uint8_t event_code;
        STREAM_TO_UINT8(event_code, stream);
 
        data_dispatcher_dispatch(
          interface.event_dispatcher,
          event_code,
          incoming->buffer
        );
      }
 
      // We don't control the buffer anymore
      incoming->buffer = NULL;
      incoming->state = BRAND_NEW;
      hal->packet_finished(type);
 
      // We return after a packet is finished for two reasons:
      // 1. The type of the next packet could be different.
      // 2. We don't want to hog cpu time.
      return;
    }
  }
}