hcitool

Monitor & Configure Bluetooth connections

hcitool [-i ] [command [command parameters]]

Monitor & Configure Bluetooth connections and send special commands to Bluetooth devices.

-i hciX The command is applied to hciX, an installed Bluetooth device. Default first available .

COMMANDS

inq Inquire remote devices, address, clock offset and class are output.
Command times out after 10 seconds.
Inquiring ...
    60:FB:42:83:72:48   clock offset: 0x22ef    class: 0x38010c
     MacBookPro
As seen by hcidump -t -X
19:35:34.767470 < HCI Command: Inquiry (0x01|0x0001) plen 5
    lap 0x9e8b33 len 8 num 0
19:35:34.768011 > HCI Event: Command Status (0x0f) plen 4
    Inquiry (0x01|0x0001) status 0x00 ncmd 1

19:35:45.010964 > HCI Event: Inquiry Complete (0x01) plen 1
    status 0x00

19:35:50.314392 < HCI Command: Inquiry (0x01|0x0001) plen 5
    lap 0x9e8b33 len 8 num 0
19:35:50.314981 > HCI Event: Command Status (0x0f) plen 4
    Inquiry (0x01|0x0001) status 0x00 ncmd 1

19:36:00.557232 > HCI Event: Inquiry Complete (0x01) plen 1
    status 0x00

19:36:04.842860 < HCI Command: Inquiry (0x01|0x0001) plen 5
    lap 0x9e8b33 len 8 num 0
scan




lescan [--duplicates]
Inquire remote devices. Outputs address and device name. .
> hcitool scan
Scanning ...
    60:FB:42:83:72:48   smackerpro
    > hcitool lescan  # Does not stop
LE Scan ...
C4:C1:A5:FB:6D:46 (unknown)
C4:C1:A5:FB:6D:46 RuuviBoot
F2:C0:C6:43:AD:03 (unknown)
F7:FA:74:4A:1E:1A (unknown)
F0:85:49:CD:59:EB (unknown)
F0:85:49:CD:59:EB One
D3:51:78:72:EC:0F (unknown) ^C

--duplicates shows (annoying) duplicate s

Once an lescan has been issued subsequent attempts will report:

Set scan parameters failed: Input/output error

tip: export b='60:FB:42:83:72:48' and use $b for other commands

name bdaddr output device name of remote device times out after 5 seconds.
 hcitool name 60:FB:42:83:72:48 
smackerpro
info bdaddr output device name, version and supported features of remote device with Bluetooth address bdaddr.
 hcitool info $b
Requesting information ...
    BD Address:  60:FB:42:83:72:48 OUI Company: Apple (60-FB-42) 
Device Name: smackerpro
    LMP Version: 2.1 (0x4) LMP Subversion: 0x21d0
    Manufacturer: Broadcom Corporation (15)
    Features page 0: 0xff 0xff 0x8f 0xfe 0x9b 0xff 0x79 0x83 Following not in order
        <3-slot packets> <5-slot packets> <encryption> <slot offset> 
        <timing accuracy> <role switch> <hold mode> <sniff mode> 
        <park state> <RSSI> <channel quality> <SCO link> <HV2 packets> <HV3 packets> 
        <u-law log> <A-law log> <CVSD> <paging scheme> 
        <power control> <transparent SCO> <broadcast encrypt> 
        <interlaced iscan> <interlaced pscan> <inquiry with RSSI> <enhanced iscan> 
        <extended SCO> <EV4 packets> <EV5 packets>
        <AFH cap. slave> <AFH class. slave> <AFH cap. master> <AFH class. master> 
        <sniff subrating> <pause encryption>
        <EDR eSCO 2 Mbps> <EDR eSCO 3 Mbps> 
        <EDR ACL 2 Mbps> <EDR ACL 3 Mbps> 
        <3-slot EDR ACL> <5-slot EDR ACL> 
        <3-slot EDR eSCO> 
        <extended inquiry> <simple pairing> 
        <encapsulated PDU> <err. data report> <non-flush flag> <LSTO> 
        <inquiry TX power> <extended features> 
    Features page 1: 01 00 00 00 00 00 00 00

  BD Address:  4C:32:75:97:3B:AE 
Device Name: smacpro    
    LMP Version:  (8) LMP Subversion: 2199
    Manufacturer: Broadcom Corporation (15)
    Features page 0: bf fe cf fe db ff 7b 87  (in addition to those for smackerpro)
        <LE support> <LE and BR/EDR> <EPC> 
            but does not report <hold mode> or <park state>
    Features page 1: 07 00 00 00 00 00 00 00
    Features page 2: 3F 0B 00 00 00 00 00 00 
con Display active connections
 Connections:
    < ACL 4C:32:75:97:3B:AE handle 12 state 1 lm SLAVE 
or null

Always returns 0 !

cc
[--role=m|s]
[--pkt-type=ptypes] bdaddr
Create connection
m (stay master) or s (allow role switch, become slave if the peer wants master). Default m.
ptype is a comma-separated list DM1, DM3, DM5, DH1, DH3, DH5, HV1, HV2, HV3. Default all
hcitool cc $b;hcitool lq $b
Link quality: 255
Can't create connection: Connection timed out

Always returns 0 !

These commands require a connection cc $b
At any moment a particular bluetooth device may not accept a connection.
Trying again may be successful!
rssi bdaddr received signal strength
 hcitool cc $b  && d hcitool rssi $b
RSSI return value: -22
lq bdaddr link quality
 hcitool cc $b  && d hcitool lq $b 
Link quality: 255
tpl bdaddr [1] Display transmit power level ; 1 for maximum
afh bdaddr AFH channel map
 hcitool cc $b && d hcitool afh $b
AFH map: 0x00000000000000000000
lp bdaddrr [lpol] With no value, displays link policy
If value is given, sets the link policy settings. Possible values are RSWITCH, HOLD, SNIFF and PARK.
 hcitool cc $b && d hcitool lp  $b
Link policy settings: RSWITCH SNIFF 
Returns 1 if "HCI read_link_policy_settings request failed: Input/output error"
lst bdaddr [slots] With no value, displays link supervision timeout.
is given, sets connection to value slots, or to infinite if value is 0.
 hcitool cc $b && d hcitool lst $b 
Link supervision timeout: 32000 slots (20 000.00 msec)
clkoff bdaddr Display the clock offset
clock [bdaddr] [0] Display the clock 0 for the local clock or 1 for the piconet clock (default).
  hcitool cc $b && d hcitool clock  $b 1
Clock:    0xe9c4ba6
Accuracy: 0.00 msec
  hcitool cc $b && d hcitool clock  $b 0
Can't create connection: Connection timed out
Clock:    0x24209d6
Accuracy: 0.00 msec
 hcitool cc $b && d hcitool clock  $b 1 && d hcitool clock  $b 0  ; usually fails
Clock:    0xe9ddb45
Accuracy: 0.00 msec
Clock:    0x24bf4e4
Accuracy: 0.00 msec
       
auth bdaddr Request authentication
sr bdaddr role Switch role
cpt bdaddr ptypes Change packet types comma-separated list of packet types
enc bdaddr [encrypt enable] Enable or disable the encryption
key bdaddr Change the connection link key
 
lewlsz Read size of LE White List
lewladd Add device to LE White List
lewlrm Remove device from LE White List
lewlclr Clear LE White list
 
lecc Create a LE Connection
lecup LE Connection UpdateAccuracy: 0.00 msec
ledc Disconnect a LE Connection
dc bdaddr [reason] Delete connection. reason is a decimal error codes. Default is 19 for user ended connections.
dev Display local devices
 hcitool dev                                               
Devices:
    hci0    B8:27:EB:96:64:43
cmd ogf ocf [parameters] Submit an arbitrary command to local device. ogf, ocf and parameters are hexadecimal. Example:
 hcitool cmd 0x3f 0x15
< HCI Command: ogf 0x3f, ocf 0x0015, plen 0
> HCI Event: 0x0e plen 6
  01 15 FC 30 14 16
spinq Start periodic inquiry process. No inquiry results are output
epinq Exit periodic inquiry process.
HELP
Commands:
    dev     Display local devices
    inq     Inquire remote devices
    scan    Scan for remote devices
    name    Get name from remote device
    info    Get information from remote device
    spinq   Start periodic inquiry
    epinq   Exit periodic inquiry
    cmd     Submit arbitrary HCI commands
    con     Display active connections
    cc      Create connection to remote device
    dc      Disconnect from remote device
    sr      Switch master/slave role
    cpt     Change connection packet type
    rssi    Display connection RSSI
    lq      Display link quality
    tpl     Display transmit power level
    afh     Display AFH channel map
    lp      Set/display link policy settings
    lst     Set/display link supervision timeout
    auth    Request authentication
    enc     Set connection encryption
    key     Change connection link key
    clkoff  Read clock offset
    clock   Read local or remote clock

    lescan  Start LE scan
    lewladd Add device to LE White List
    lewlrm  Remove device from LE White List
    lewlsz  Read size of LE White List
    lewlclr Clear LE White list
    lecc    Create a LE Connection
    ledc    Disconnect a LE Connection
    lecup   LE Connection Update

Inquiry scan (slave)

An unconnected Bluetooth device that wants to be "discovered" by a master device will periodically enter the inquiry scan state; in this state, the device activates its receiver and listens for inquiries.
It must enter this state at least every 2.56 seconds (4096 slots).
It listens on a channel, for at least 10ms (16 slots).
A different channel is selected every 1.28 seconds (2048 slots).
The channels and the hopping sequence are calculated from the general inquiry address.

Inquiry (master)

When commanded to enter the inquiry state, the master device starts to transmit, using 16 channels used for inquiries.
During every even numbered slot it transmits two ID packets on two channels and
during the following slot it listens on those channels for a slave's response (an FHS packet).
In the next two time slots 1/16th second aka 625ms it uses the next two channels, the hopping sequence (of 16 channels) repeats every 10ms (16 slots).
The 16 slot sequence must be repeated at least 256 times (i.e. for at least 2.56 seconds) before switching to the other set of channels.

Don't bother using a null address

 hcitool info 00:00:00:00:00:00
Requesting information ...
    BD Address:  00:00:00:00:00:00
    OUI Company: XEROX CORPORATION (00-00-00)
    Features: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
see notes

In order to run without root i.e. without sudo:

sudo setcap 'cap_net_raw,cap_net_admin+eip' `which hcitool`
sudo setcap 'cap_net_raw,cap_net_admin+eip' `which hcidump`


hci0:   Type: BR/EDR  Bus: UART
    BD Address: B8:27:EB:96:64:43  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING 
    RX bytes:3405617 acl:720 sco:0 events:100851 errors:0
    TX bytes:33782 acl:720 sco:0 commands:1749 errors:0
    Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3 
    Link policy: RSWITCH SNIFF 
    Link mode: SLAVE ACCEPT 
    Name: 'piw'
    Class: 0x0c0000
    Service Classes: Rendering, Capturing
    Device Class: Miscellaneous, 
    HCI Version: 4.1 (0x7)  Revision: 0x145
    LMP Version: 4.1 (0x7)  Subversion: 0x2209
    Manufacturer: Broadcom Corporation (15) 

hciconfig

configure Bluetooth devices

hciconfig [-a] [hciX] [command [command parameters]]

hciX is the name of a Bluetooth device Without device lists all devices.

If no command is given, outputs basic information on device hciX only. i.e. interface type, BD address, ACL MTU, SCO MTU, flags (up, init, running, raw, page scan enabled, inquiry scan enabled, inquiry, authentication enabled, encryption enabled).

 > hciconfig
hci0:   Type: BR/EDR  Bus: UART
    BD Address: B8:27:EB:96:64:43  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING 
    RX bytes:4906690 acl:0 sco:0 events:156404 errors:0
    TX bytes:19644 acl:0 sco:0 commands:1020 errors:0

-a, --all Includes: features, packet type, link policy, link mode, name, class, version.

 > hciconfig -a
hci0:   Type: BR/EDR  Bus: UART
    BD Address: B8:27:EB:96:64:43  ACL MTU: 1021:8  SCO MTU: 64:1
    UP RUNNING 
    RX bytes:4906690 acl:0 sco:0 events:156404 errors:0
    TX bytes:19644 acl:0 sco:0 commands:1020 errors:0
    Features: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3 
    Link policy: RSWITCH SNIFF 
    Link mode: SLAVE ACCEPT 
    Name: 'piw'
    Class: 0x0c0000
    Service Classes: Rendering, Capturing
    Device Class: Miscellaneous, 
    HCI Version: 4.1 (0x7)  Revision: 0x145
    LMP Version: 4.1 (0x7)  Subversion: 0x2209
    Manufacturer: Broadcom Corporation (15)
up Open and initialize HCI device.
down Close HCI device.
reset Reset HCI device.
rstat Reset statistic counters.
[no]auth Enable authentication (sets device to security mode 3).
[no]encrypt Enable encryption (sets device to security mode 3).
[no]secmgr Enable security manager
[no]piscan Enable page and inquiry scan.
iscan Enable inquiry scan, disable page scan.
pscan Enable page scan, disable inquiry scan.
delkey bdaddr deletes the stored link key for bdaddr from the device.
for the following, hcix is required
If no argument is specified command displays the current setting.
de All report
hci0:    Type: Primary  Bus: UART
    BD Address: B8:27:EB:08:E2:A5  ACL MTU: 1021:8  SCO MTU: 64:1
then information

These exxamples are for Raspian strech on a

ptype [type[,type...] packet types, DM1, DM3, DM5, DH1, DH3, DH5, HV1, HV2, HV3
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3 
name [name] local name (??)
Name: 'class' 
class [class] class is a 24-bit hex number, See section 1.2 of the Bluetooth Assigned Numers
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous, 
voice [voice] is a 16-bit hex number describing the voice setting.
Voice setting: 0x0060 (Default Condition)
Input Coding: Linear
Input Data Format: 2's complement
Input Sample Size: 16 bit
# of bits padding at MSB: 0
Air Coding Format: CVSD 
iac [iac]
IAC: 0x9e8b33
inqtpl [level]
Inquiry transmit power level: 0
inqmode [mode]
Inquiry mode: Inquiry with RSSI or Extended Inquiry
inqdata [data]
FEC disabled
09 09 70 69 39 33 67 72  61 66 02 0a 00 09 10 02 
00 6b 1d 46 02 32 05 05  03 0e 11 0c 11 00 00 00 
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
…
Complete local name: 'pi93graf'
TX power level: 0
Device ID with 8 bytes data
Complete service classes: 0x110e 0x110c 
inqtype [type]
Inquiry scan type: Standard Inquiry Scan
inqparams [win:int]
 Inquiry interval: 4096 slots (2560.00 ms), window: 18 slots (11.25 ms)
pageparms [win:int]
Page interval: 2048 slots (1280.00 ms), window: 18 slots (11.25 ms)
pageto [to]
Page timeout: 8192 slots (5120.00 ms) 
afhmode [mode]
AFH mode: Enabled
sspmode [mode]
Simple Pairing mode: Enabled
aclmtu mtu:pkt Sets ACL MTU to mtu bytes and buffer size to pkt
scomtu mtu:pkt Sets SCO MTU to mtu bytes and buffer size to pkt
oobdata Get local OOB data (invalidates previously read data).
sudo hciconfig hci0  oobdata
hci0:   Type: Primary  Bus: UART
BD Address: B8:27:EB:08:E2:A5  ACL MTU: 1021:8  SCO MTU: 64:1
OOB Hash:   63 52 be ed e3 7c 5a 03 8f c0 50 2b e3 ce 98 66
Randomizer: a2 40 b9 0a 1e db 5e 90 10 94 7f 5e 1d e2 59 33
       
commands
hciconfig hci0 commands
hci0:   Type: Primary  Bus: UART
    BD Address: B8:27:EB:08:E2:A5  ACL MTU: 1021:8  SCO MTU: 64:1
    Commands: Octet 0  = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 1  = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 2  = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 3  = 0x03 (Bit 0 1)
          Octet 4  = 0xcc (Bit 2 3 6 7)
          Octet 5  = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 6  = 0xef (Bit 0 1 2 3 5 6 7)
          Octet 7  = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 8  = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 9  = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 10 = 0xec (Bit 2 3 5 6 7)
          Octet 11 = 0x1f (Bit 0 1 2 3 4)
          Octet 12 = 0xf2 (Bit 1 4 5 6 7)
          Octet 13 = 0x0f (Bit 0 1 2 3)
          Octet 14 = 0xe8 (Bit 3 5 6 7)
          Octet 15 = 0xfe (Bit 1 2 3 4 5 6 7)
          Octet 16 = 0x3f (Bit 0 1 2 3 4 5)
          Octet 17 = 0xf7 (Bit 0 1 2 4 5 6 7)
          Octet 18 = 0x8f (Bit 0 1 2 3 7)
          Octet 19 = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 20 = 0x1c (Bit 2 3 4)
          Octet 22 = 0x04 (Bit 2)
          Octet 24 = 0x61 (Bit 0 5 6)
          Octet 25 = 0xf7 (Bit 0 1 2 4 5 6 7)
          Octet 26 = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 27 = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 28 = 0x7f (Bit 0 1 2 3 4 5 6)
          Octet 29 = 0xf8 (Bit 3 4 5 6 7)
          Octet 30 = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 31 = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 32 = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 33 = 0xff (Bit 0 1 2 3 4 5 6 7)
          Octet 34 = 0x07 (Bit 0 1 2)
          Octet 35 = 0x08 (Bit 3)
          Octet 41 = 0x08 (Bit 3)
    'Inquiry' 'Inquiry Cancel' 'Periodic Inquiry Mode' 
    'Exit Periodic Inquiry Mode' 'Create Connection' 'Disconnect' 
    'Add SCO Connection' 'Cancel Create Connection' 
    'Accept Connection Request' 'Reject Connection Request' 
    'Link Key Request Reply' 'Link Key Request Negative Reply' 
    'PIN Code Request Reply' 'PIN Code Request Negative Reply' 
    'Change Connection Packet Type' 'Authentication Requested' 
    'Set Connection Encryption' 'Change Connection Link Key' 
    'Master Link Key' 'Remote Name Request' 'Cancel Remote Name Request' 
    'Read Remote Supported Features' 'Read Remote Extended Features' 
    'Read Remote Version Information' 'Read Clock Offset' 
    'Read LMP Handle' 'Sniff Mode' 'Exit Sniff Mode' 'QoS Setup' 
    'Role Discovery' 'Switch Role' 'Read Link Policy Settings' 
    'Write Link Policy Settings' 'Read Default Link Policy Settings' 
    'Write Default Link Policy Settings' 'Flow Specification' 
    'Set Event Mask' 'Reset' 'Set Event Filter' 'Flush' 'Read PIN Type' 
    'Write PIN Type' 'Read Stored Link Key' 'Write Stored Link Key' 
    'Delete Stored Link Key' 'Write Local Name' 'Read Local Name' 
    'Read Connection Accept Timeout' 'Write Connection Accept Timeout' 
    'Read Page Timeout' 'Write Page Timeout' 'Read Scan Enable' 
    'Write Scan Enable' 'Read Page Scan Activity' 
    'Write Page Scan Activity' 'Read Inquiry Scan Activity' 
    'Write Inquiry Scan Activity' 'Read Authentication Enable' 
    'Write Authentication Enable' 'Read Encryption Mode' 
    'Write Encryption Mode' 'Read Class Of Device' 'Write Class Of Device' 
    'Read Voice Setting' 'Write Voice Setting' 
    'Read Automatic Flush Timeout' 'Write Automatic Flush Timeout' 
    'Read Num Broadcast Retransmissions' 
    'Write Num Broadcast Retransmissions' 'Read Transmit Power Level' 
    'Read Synchronous Flow Control Enable' 
    'Set Host Controller To Host Flow Control' 'Host Buffer Size' 
    'Host Number Of Completed Packets' 'Read Link Supervision Timeout' 
    'Write Link Supervision Timeout' 'Read Number of Supported IAC' 
    'Read Current IAC LAP' 'Write Current IAC LAP' 
    'Set AFH Channel Classification' 'Read Inquiry Scan Type' 
    'Write Inquiry Scan Type' 'Read Inquiry Mode' 'Write Inquiry Mode' 
    'Read Page Scan Type' 'Write Page Scan Type' 
    'Read AFH Channel Assessment Mode' 'Write AFH Channel Assessment Mode' 
    'Read Local Version Information' 'Read Local Supported Features' 
    'Read Local Extended Features' 'Read Buffer Size' 'Read BD ADDR' 
    'Read Failed Contact Counter' 'Reset Failed Contact Counter' 
    'Get Link Quality' 'Read RSSI' 'Read AFH Channel Map' 'Read BD Clock' 
    'Read Loopback Mode' 'Write Loopback Mode' 
    'Enable Device Under Test Mode' 'Setup Synchronous Connection' 
    'Accept Synchronous Connection' 'Reject Synchronous Connection' 
    'Read Extended Inquiry Response' 'Write Extended Inquiry Response' 
    'Refresh Encryption Key' 'Sniff Subrating' 'Read Simple Pairing Mode' 
    'Write Simple Pairing Mode' 'Read Local OOB Data' 
    'Read Inquiry Response Transmit Power Level' 
    'Write Inquiry Transmit Power Level' 
    'Read Default Erroneous Data Reporting' 
    'Write Default Erroneous Data Reporting' 'IO Capability Request Reply' 
    'User Confirmation Request Reply' 
    'User Confirmation Request Negative Reply' 
    'User Passkey Request Reply' 'User Passkey Request Negative Reply' 
    'Remote OOB Data Request Reply' 'Write Simple Pairing Debug Mode' 
    'Enhanced Flush' 'Remote OOB Data Request Negative Reply' 
    'Send Keypress Notification' 'IO Capability Request Negative Reply' 
    'Read Encryption Key Size' 'Set Event Mask Page 2' 
    'Read Enhanced Transmit Power Level' 'Read LE Host Support' 
    'Write LE Host Support' 'LE Set Event Mask' 'LE Read Buffer Size' 
    'LE Read Local Supported Features' 'LE Set Random Address' 
    'LE Set Advertising Parameters' 'LE Read Advertising Channel TX Power' 
    'LE Set Advertising Data' 'LE Set Scan Response Data' 
    'LE Set Advertise Enable' 'LE Set Scan Parameters' 
    'LE Set Scan Enable' 'LE Create Connection' 
    'LE Create Connection Cancel' 'LE Read White List Size' 
    'LE Clear White List' 'LE Add Device To White List' 
    'LE Remove Device From White List' 'LE Connection Update' 
    'LE Set Host Channel Classification' 'LE Read Channel Map' 
    'LE Read Remote Used Features' 'LE Encrypt' 'LE Rand' 
    'LE Start Encryption' 'LE Long Term Key Request Reply' 
    'LE Long Term Key Request Negative Reply' 'LE Read Supported States' 
    'LE Receiver Test' 'LE Transmitter Test' 'LE Test End' 

       
features
hciconfig hci0 features
hci0:   Type: Primary  Bus: UART
    BD Address: B8:27:EB:08:E2:A5  ACL MTU: 1021:8  SCO MTU: 64:1
    Features page 0: 0xbf 0xfe 0xcf 0xfe 0xdb 0xff 0x7b 0x87
        <3-slot packets> <5-slot packets> <encryption> <slot offset> 
        <timing accuracy> <role switch> <sniff mode> <RSSI> 
        <channel quality> <SCO link> <HV2 packets> <HV3 packets> 
        <u-law log> <A-law log> <CVSD> <paging scheme> <power control> 
        <transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps> 
        <EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan> 
        <interlaced pscan> <inquiry with RSSI> <extended SCO> 
        <EV4 packets> <EV5 packets> <AFH cap. slave> 
        <AFH class. slave> <LE support> <3-slot EDR ACL> 
        <5-slot EDR ACL> <sniff subrating> <pause encryption> 
        <AFH cap. master> <AFH class. master> <EDR eSCO 2 Mbps> 
        <EDR eSCO 3 Mbps> <3-slot EDR eSCO> <extended inquiry> 
        <LE and BR/EDR> <simple pairing> <encapsulated PDU> 
        <err. data report> <non-flush flag> <LSTO> <inquiry TX power> 
        <EPC> <extended features> 
    Features page 1: 0x0b 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    Features page 2: 0x7f 0x0b 0x00 0x00 0x00 0x00 0x00 0x00 
       
version
  HCI Version: 4.2 (0x8)  Revision: 0x118
    LMP Version: 4.2 (0x8)  Subversion: 0x6119
    Manufacturer: Broadcom Corporation (15)
revision
Firmware 24.97 / 25
lm [mode] link mode.
MASTER or SLAVE mean, ask to become master or to remain slave when a connection request comes in.
NONE or a comma-separated list MASTER and ACCEPT . NONE sets link policy to the default behaviour of remaining slave and not accepting baseband connections when there are no listening AF_BLUETOOTH sockets.
ACCEPT accept baseband connections even when there are no listening AF_BLUETOOTH sockets.
MASTER ask to become master if a connection request comes in.
Link mode: SLAVE ACCEPT 
dmesg|grep -i blue|more
[    9.521389] Bluetooth: Core ver 2.22
[    9.521475] Bluetooth: HCI device and connection manager initialized
[    9.521494] Bluetooth: HCI socket layer initialized
[    9.521506] Bluetooth: L2CAP socket layer initialized
[    9.521540] Bluetooth: SCO socket layer initialized
[    9.550942] Bluetooth: HCI UART driver ver 2.3
[    9.550954] Bluetooth: HCI UART protocol H4 registered
[    9.550959] Bluetooth: HCI UART protocol Three-wire (H5) registered
[    9.551122] Bluetooth: HCI UART protocol Broadcom registered
[    9.831008] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[    9.831014] Bluetooth: BNEP filters: protocol multicast
[    9.831025] Bluetooth: BNEP socket layer initialized

Errors

In some cases
hcitool lescan    # no  required
Set scan parameters failed: Input/output error
A following sequence has been known to help
 hciconfig hci0 down
 hciconfig hci0 up 
 service bluetooth restart
 service dbus restart
 hciconfig hci0 reset
hcidump
Continuous Bluetooth Device Discovery "Inquisition"

github

gatttool

bluetoothctl


hciattach

attach serial devices via UART HCI to BlueZ stack

hciattach [-b] [-n] [-p] [-t timeout] [-s speed] [-l] [-r] tty [type|id ] [no]]sleep] [[no]flow]] [bdaddr

Attach a serial UART to the Bluetooth stack as HCI transport interface.

-l |sort List all available configurations.
any          0x0000,0x0000
3com         0x0101,0x0041
3wire        0x0000,0x0000
amp          0x0000,0x0000
ath3k        0x0000,0x0000
bboxes       0x0160,0x0002
bcm2035      0x0a5c,0x2035
bcm43xx      0x0000,0x0000
bcm43xx-3wire0x0000,0x0000
bcsp      0x0000,0x0000
bgb2xx    0x0000,0x0000
billionton0x0279,0x950b
bt2000c   0x022d,0x2000
comone    0xffff,0x0101
csr       0x0000,0x0000
digi      0x0000,0x0000
ericsson  0x0000,0x0000
intel     0x0000,0x0000
inventel  0x0000,0x0000
qualcomm  0x0000,0x0000
philips   0x0000,0x0000
picocard  0x025e,0x1000
sitecom   0x0279,0x950b
socket    0x0104,0x0096
st        0x0000,0x0000
stlc2500  0x0000,0x0000
swave     0x0000,0x0000
tdk       0x0105,0x4254
texas     0x0000,0x0000
texasalt  0x0000,0x0000
xircom    0x0105,0x080a
zoom      0x0279,0x950b
-b Send break.
-n Don't detach from controlling terminal.
-p output the PID when detaching.
-t timeout initialization timeout. (Default is 5 seconds.)
-s speed initial speed instead of the hardware default.
9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600
N.B. 921600 may cause problems espically on raspberry pi.
Note also that /usr/bin/btuart sets speed to 3000000 .
-r Set to raw mode (the kernel and bluetoothd will ignore it).
tty the serial device to attach. leading /dev can be omitted. Examples: /dev/ttyS1 ttyS2
type|id Type:
any Unspecified HCI_UART interface, no vendor specific options
ericsson
digi Digianswer based cards
xircom PCMCIA cards: Credit Card Adapter and Real Port Adapter
csr CSR Casira serial adapter or BrainBoxes serial dongle (BL642)
bboxes BrainBoxes PCMCIA card (BL620)
swave Silicon Wave kits
bcsp Serial adapters using CSR chips with BCSP Serial Protocol
ath3k Atheros AR300x based
intel
IDs (manufacturer id, product id)
0x0105, 0x080a Xircom PCMCIA cards: Credit Card Adapter and Real Port Adapter
0x0160, 0x0002 BrainBoxes PCMCIA card (BL620)
[no]sleep Enables hardware specific power management feature.
[no]flow hardware flow control is forced on the serial link ( CRTSCTS).
bdaddr example: b8:27:eb:e3:a4:6c
Some devices (like the STLC2500) do not store the Bluetooth address in hardware memory, it must be uploaded during initialization .

Example

From raspberry pi:
/usr/bin/btuart
#!/bin/sh
# speed of 921600 has been known to cause errors use 460800 instead (https://blog.ruuvi.com/rpi-gateway-6e4a5b676510)     
HCIATTACH=/usr/bin/hciattach
SERIAL=`cat /proc/device-tree/serial-number | cut -c9-`        # example : 98490ec6  use only last 6 digits
B1=`echo $SERIAL | cut -c3-4`  #  49  actually    BYTE4, 5 and 6 since first 3 bytes are raspberry pi defined as    B8:27:EB
B2=`echo $SERIAL | cut -c5-6`  #  0e     xor AA => A4
B3=`echo $SERIAL | cut -c7-8`  #  c6     xor AA => 6C
BDADDR=`printf b8:27:eb:%02x:%02x:%02x $((0x$B1 ^ 0xaa)) $((0x$B2 ^ 0xaa)) $((0x$B3 ^ 0xaa))`   # example: b8:27:eb:e3:a4:6c

uart0="`cat /proc/device-tree/aliases/uart0`"      #  /soc/serial@7e201000
serial1="`cat /proc/device-tree/aliases/serial1`"  #  /soc/serial@7e201000

if [ "$uart0" = "$serial1" ] ; then
    uart0_pins="`wc -c /proc/device-tree/soc/gpio@7e200000/uart0_pins/brcm\,pins | cut -f 1 -d ' '`" 
                                                        # 00 00 00 1e 00 00 00 1f  00 00 00 20 00 00 00 21 i.e. 16
    if [ "$uart0_pins" = "16" ] ; then          # pi zero w
        $HCIATTACH /dev/serial1 bcm43xx 3000000 flow - $BDADDR     # looks like flow is important
    else
        $HCIATTACH /dev/serial1 bcm43xx 921600 noflow - $BDADDR
    fi
else
    $HCIATTACH /dev/serial1 bcm43xx 460800 noflow - $BDADDR
fi

rfkill

enable and disable wireless devices

rfkill [options] [command] [id|type]
-J
--json
Use JSON output format.
-n
--noheadings
Do not print a header line.
-o
--output
Specify which output columns to print. Use --help to get a list of available columns.
--output-all Output all available columns.
-r
--raw
Use the raw output format.
--help
--version
help
event Listen for rfkill events and display them on stdout.
list [id|type …] List the current state of all available devices.
Check with list command id or type scope as appropriate before setting block or unblock.
Special all type string will match everything.
Multiple id or type arguments is supported.
block id|type [] Disable the device.
unblock id|type [] Enable the device.
If the device is hard-blocked, for example via a hardware switch, it will remain unavailable though it is now soft-unblocked.

EXAMPLES

rfkill -r      
ID TYPE DEVICE SOFT HARD
0 wlan phy0 unblocked unblocked
1 bluetooth hci0 unblocked unblocked

rfkill --output ID,TYPE
rfkill block all
rfkill unblock wlan
rfkill block bluetooth uwb wimax wwan gps fm nfc

see bluetoothctl