How do iBeacons work?

iBeacons are certainly a trending topic recently. They allow indoor positioning, letting your phone know that you are in range of a beacon. This can have many applications: from helping you to find your car in a parking garage, through coupons and location-aware special offers in retail, to a whole lot of apps that we can’t imagine right now.

Will iBeacons become the lighthouses of our times?

There are many posts about what iBeacons are and what can be done with them, but from a technical perspective, how do they work? The underlying technology is Bluetooth LE, so …

What is Bluetooth LE?

Bluetooth Low Energy (BLE, official page, wikipedia) is a part of the Bluetooth 4.0 specification, which was released back in 2010. It originated in 2006 in Nokia as Wibree, but has since been merged into Bluetooth. It is a different set of protocols than “classic” Bluetooth, and devices are not backwards-compatible. Hence you can now encounter three types of devices:

  • Bluetooth: supporting only the “classic” mode
  • Bluetooth Smart Ready: supporting both “classic” and LE modes
  • Bluetooth Smart: supporting only the LE mode


Newer smartphones (iPhone 4S+, SG3+), laptops, tablets, are all equipped with full Bluetooth 4.0 and hence “Smart Ready”. Beacons, on the other hand, only support the low energy protocols (which allows them to work on a single battery for a really long time) and hence they implement “Bluetooth Smart”. Older devices, like peripherals, car systems, older phones usually support only the classic Bluetooth protocol.

The main focus in BLE is of course low energy consumption. For example, some beacons can transmit a signal for 2 years on a single cell battery (the batteries are usually not replaceable, you’ll probably just replace the beacon when they stop working). Both “classic” and LE Bluetooth use the same spectrum range (2.4 GHz – 2.4835 GHz). The BLE protocol has lower transfer rates, however it’s not meant to stream a lot of data, but rather for discovery and simple communication. In terms of range, both LE and “classic” Bluetooth signals can reach up to 100 meters.

How does BLE communication work?

BLE communication consists of two main parts: advertising and connecting.

Advertising is a one-way discovery mechanism. Devices which want to be discovered can transmit packets of data in intervals from 20 ms to 10 seconds. The shorter the interval, the shorter the battery life, but the faster the device can be discovered. The packets can be up to 47 bytes in length and consist of:

  • 1 byte preamble
  • 4 byte access address
  • 2-39 bytes advertising channel PDU
  • 3 bytes CRC


For advertisement communication channels, the access address is always 0x8E89BED6. For data channels, it is different for each connection.

The PDU in turn has its own header (2 bytes: size of the payload and its type – whether the device supports connections, etc.) and the actual payload (up to 37 bytes).

Finally, the first 6 bytes of the payload are the MAC address of the device, and the actual information can have up to 31 bytes.

BLE devices can operate in a non-connectable advertisement-only mode (where all the information is contained in the advertisement), but they can also allow connections (and usually do).

After a device is discovered, a connection can be established. It is then possible to read the services that a BLE device offers, and for each service its characteristics (this is also known as an implementation of a GATT profile). Each characteristic provides some value, which can be read, written, or both. For example a smart thermostat can expose one service for getting the current temperature/humidity readings (as characteristics of that service) and another service and characteristic to set the desired temperature. However, as beacons don’t use connections, I’ll skip the details. If you want to read more about connecting to BLE devices, Apple’s Core Bluetooth guide provides a good overview, even if you are not an iOS developer. For articles which are even more technical, take a look at EE times (Introduction to BLE, Making the most out of BLE advertising mode).

How do beacons use BLE?

Beacons use only the advertisement channel. As the “beacon” name suggests, they transmit packets of data in regular intervals, and this data can be then picked up by devices like smartphones. Hence iBeacons are simply a specific usage of BLE advertisements, with some additional support on the iOS side.

If you try to intercept an iBeacon advertisement packet, for example coming from an Estimote beacon, you’ll see the following data:

02 01 06 1A FF 4C 00 02 15 B9 40 7F 30 F5 F8 46 6E AF F9 25 55 6B 57 FE 6D 00 49 00 0A C5

(to capture such data, if you have OSX, an additional XCode download contains a Bluetooth scanner and a packet logger. For Windows, see for example here)

The data above already has the preamble, fixed access address, advertisement PDU header and MAC address removed; it is only the advertisement data – 30 bytes, so it fits nicely in the 31 byte limit.

What makes a BLE advertisement an iBeacon one? The format is fixed by Apple. To break it down (see also SO):

02 01 06 1A FF 4C 00 02 15: iBeacon prefix (fixed)
B9 40 7F 30 F5 F8 46 6E AF F9 25 55 6B 57 FE 6D: proximity UUID (here: Estimote’s fixed UUID)
00 49: major
00 0A: minor
C5: 2’s complement of measured TX power


What follows is that if you want to experiment with beacons, you don’t really need any special devices. If you have a newer phone (e.g. iPhone 4S+, SG3+) or a Bluetooth 4 laptop (e.g. Retina MacBook), you can turn any of these devices into an iBeacon transmitter and receiver. For iPhones, see for example the “Locate iB” app in AppStore. For MacOS, see here. And of course, you can use Raspberry Pi as a beacon as well.

Breaking down the iBeacon format

Apart from the fixed iBeacon prefix (02 01 ... 15), what is the meaning of the other components?

The proximity UUID (B9 ... 6D in our example) is an identifier which should be used to distinguish your beacons from others. If, for example, beacons were used to present special offers to customers in a chain of stores, all beacons belonging to the chain would have the same proximity UUID. The dedicated iPhone application for that chain would scan in the background for beacons with the given UUID.

The major number (2 bytes, here: 0x0049, so 73) is used to group a related set of beacons. For example, all beacons in a store will have the same major number. That way the application will know in which specific store the customer is.

The minor number (again 2 bytes, here: 0x000A, so 10) is used to identify individual beacons. Each beacon in a store will have a different minor number, so that you know where the customer is exactly.

Measuring distance

The final field, TX power, is used to determine how close you are to a beacon. This can be presented either as rough information (immediate/far/out of range) or as a more precise measurement in meters (you can convert to feet of course ;) ). How is it done?

The TX power (here: 0xC5 = 197 as an unsigned byte; read as a 2’s complement signed byte, 197 - 256 = -59 dBm) is the strength of the signal measured at 1 meter from the device (RSSI – Received Signal Strength Indication). As the strength of the signal decreases predictably as we get further away, knowing the RSSI at 1 meter and the current RSSI (we get that information together with the received signal), it is possible to calculate the difference. iOS has this built-in; for other platforms, it needs to be hand-coded, see this SO answer for a specific algorithm.

Obstacles such as furniture, people or communication congestion can weaken the signal. Hence the distance is only an estimate.
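
The field breakdown and the TX power calculation above, as an added Python example (not code from the original post; all function and constant names are illustrative). It walks the length/type/data structures of an advertisement, rejects lengths that overrun the buffer, and decodes the two packets quoted on this page. The distance function is a log-distance path-loss model with an assumed exponent n = 2.0, not the algorithm used by iOS or by the linked SO answer.

```python
import struct
import uuid
from typing import Iterator, NamedTuple, Optional, Tuple

AD_TYPE_FLAGS = 0x01            # "Flags" AD type
AD_TYPE_MANUFACTURER = 0xFF     # "Manufacturer Specific Data" AD type
APPLE_COMPANY_ID = 0x004C       # sent little-endian on air: 4C 00
IBEACON_ID = b"\x02\x15"        # iBeacon identifier; 0x15 = 21 = bytes that follow


class IBeacon(NamedTuple):
    flags: Optional[int]
    proximity_uuid: uuid.UUID
    major: int
    minor: int
    tx_power: int               # dBm, calibrated RSSI at 1 m


def iter_ad_structures(adv: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, data) for each length-prefixed AD structure.

    The length byte counts the type byte plus the data. Advertisement bytes
    are untrusted radio input, so a length that overruns the buffer raises.
    """
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:         # zero length: early termination / padding
            break
        if i + 1 + length > len(adv):
            raise ValueError(f"AD structure at offset {i} overruns the packet")
        yield adv[i + 1], adv[i + 2 : i + 1 + length]
        i += 1 + length


def parse_ibeacon(adv: bytes) -> Optional[IBeacon]:
    """Return the decoded iBeacon fields, or None if this is not an iBeacon."""
    flags = None
    for ad_type, data in iter_ad_structures(adv):
        if ad_type == AD_TYPE_FLAGS and len(data) == 1:
            flags = data[0]
        elif ad_type == AD_TYPE_MANUFACTURER and len(data) == 25:
            (company,) = struct.unpack_from("<H", data, 0)
            if company != APPLE_COMPANY_ID or data[2:4] != IBEACON_ID:
                continue
            # 16-byte UUID, big-endian major and minor, signed 8-bit TX power
            raw_uuid, major, minor, tx = struct.unpack_from(">16sHHb", data, 4)
            return IBeacon(flags, uuid.UUID(bytes=raw_uuid), major, minor, tx)
    return None


def estimate_distance_m(tx_power: int, rssi: int, n: float = 2.0) -> float:
    """Assumed model: rssi = tx_power - 10 * n * log10(distance in meters)."""
    return 10 ** ((tx_power - rssi) / (10 * n))


# Estimote advertisement from the article
ESTIMOTE_ADV = bytes.fromhex("0201061AFF4C000215B9407F30F5F8466EAFF925556B57FE6D0049000AC5")
# Gimbal advertisement quoted in the comments: valid AD structures, not an iBeacon
GIMBAL_ADV = bytes.fromhex("1107AD7700C6A00099B2E2114C248A4A0C960CFF8C0067EEE2C1E2F7CE4A33")

if __name__ == "__main__":
    print(parse_ibeacon(ESTIMOTE_ADV))
    print(parse_ibeacon(GIMBAL_ADV), round(estimate_distance_m(-59, -79), 1))
```
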

iOS integration

iOS comes with some additional integration with iBeacons. Your app can receive notifications when a beacon comes into range – but not only when the app is in the foreground, also when it is in the background! An app can subscribe to region enter/exit events, so that it is partially woken up even if it isn’t running. In response to such events, the app can send e.g. a local push notification, prompting the user to open the app and see the in-store promotion (which can be for example fetched from the internet), or other relevant content.

More precisely, when the phone isn’t active, iOS goes into a low-power monitoring mode: only iBeacon region enter/exit events are detected. When the phone and app are active, you can enter ranging mode, which enables you to detect the signal strength and estimate the distance more precisely.

Note that it can take some time for your phone to detect a beacon. Firstly, the beacons transmit the advertisements from time to time. Secondly, if your phone isn’t active, it monitors for bluetooth signals only sometimes as well. For a beacon to be detected, these two intervals must overlap. In practice, it can take up to 15 minutes to detect a beacon.

For a step-by-step guide to writing an iOS iBeacon application, see here. Beacon manufacturers also often provide dedicated SDKs which help in writing beacon-enabled applications. See for example Estimote’s iOS SDK and Android one.

How can I get some beacons?

Beacons are currently a scarce resource; you often have to wait a couple of weeks to get some; but certainly availability will become better and better.

Hence the fastest option is to build a “softbeacon”: turn your iPhone/Android/MacBook/other laptop/RaspberryPi into one (as described above).

Your second option is to try and order some beacons:

  • pre-order Estimote beacons; 3 for $99
  • Kontakt beacons come in a couple of packages; 4 for $99, 10 for $279
  • RaspberryPi kits from RadiusNetworks: 1 for $99
  • RedBearLab offers BLE shields for Arduino for $30
  • Bleu sells USB-iBeacon dongles. 1 for $40, 5 for $150

Alternatives

iBeacons isn’t the only proximity BLE-based technology. Qualcomm is developing its own beacons, Gimbal, together with iOS and Android SDKs. They will offer a similar feature set, however the format of the BLE advertisement may be different. My developer kit is on its way, so I haven’t tested them yet, but the beacons certainly look interesting – especially because of the pricing – $5/basic beacon.

What’s next?

Now the only thing left to do is to develop some beacon-enabled applications! For this purpose, keep SoftwareMill in mind: we are always on the lookout for interesting projects just waiting to be developed :).


  • Vim Ninja

    I can be wrong, but I heard that Qualcomm beacons are for really short range tracking (in centimeters) so imho it makes them less practical for most of the purposes mentioned at the beginning of the article.

  • http://www.warski.org/ Adam Warski

    I don’t think so, e.g. here: https://developer.qualcomm.com/mobile-development/add-advanced-features/context-aware-gimbal/context-aware-gimbal-proximity-beacons the standard BLE range of 50 meters is mentioned, so I think these will be quite regular beacons.

  • jmzc

    Does it make any sense to define a different packet format? Couldn’t it be standardized? I’ve got a store and I want to use ‘beacons’; must I broadcast every vendor packet format?

  • http://www.warski.org/ Adam Warski

    Well, it probably would make sense to standardise, and maybe the packet format won’t be different (I don’t know), but since big companies are at play here …

    Anyway, you won’t have to broadcast every vendor packet format, only the one that your dedicated application uses.

  • Steve Brokaw

    Great writeup. You can also get beacons from bleu.io

  • http://www.warski.org/ Adam Warski

    Thanks for the info – added to the list.

  • http://www.warski.org/ Adam Warski

    Just tried the Qualcomm beacons – their range is at least 5 meters + one concrete wall ;)

    Though the format of the advertisement is different, e.g.:
    11 07 AD 77 00 C6 A0 00 99 B2 E2 11 4C 24 8A 4A 0C 96 0C FF 8C 00 67 EE E2 C1 E2 F7 CE 4A 33

    For a start it’s 31 bytes (not 30), and has a different prefix.

  • Andy

    Nice Post!

    If you wish to know even more about iBeacons, feel free to download my white-paper titled “iBeacon Bible” from http://www.gaia-matrix.com

    Andy Cavallini

  • Dominik Pich

    what’s your experience with accuracy of proximity detection with beacons?

    we found the values to be quite inaccurate + HIGHLY volatile.

    the only thing we could say with a level of certainty was if the beacon was REALLY close or REALLY far

  • http://www.warski.org/ Adam Warski

    I wouldn’t say it’s that bad, you can say with a high degree of certainty if the object is very far away/far away/close/immediate, but for sure it’s not an “indoor GPS”.

    One of the solutions that I’ve seen is averaging a couple of measurements, but then of course you get slower position updates. However I haven’t tried this yet, so I’ll be able to tell you more in a week or two :)

  • Neil Young

    Nice blog.

    You wrote:

    “This happens if the app goes in to the background if you don’t tell iOS to keep the BT service running.”

    From my experiences it is not possible to keep the iBeacon advertisement alive, if the app goes into the background. Do I miss something?

  • http://www.warski.org/ Adam Warski

    Which fragment do you mean exactly?

    If it’s the one I think it is, then I meant the other way round – when the phone is the receiver, not the transmitter. iPhone listens to BT advertisements all the time (when BT is on), and even if the app is in the background, it is woken up for a short period of time if an advertisement is received.

  • Oren Zomer

    The third byte of the iBeacon prefix is: 1A, i.e. 02 01 1A 1A FF 4C 00 02 15 instead of 02 01 06 1A FF 4C 00 02 15. This is what I saw in my experience with an app that simulates an iBeacon, and from other blogs.

    See: http://developer.radiusnetworks.com/2013/10/01/reverse-engineering-the-ibeacon-profile.html

  • http://www.warski.org/ Adam Warski

    Hmm at least the iBeacons I have transmit with a prefix 02 01 06 1A (…). Weird :)

  • saipavan rapolu

    hi, I am new to the ibeacon concept, can you please give any sample code for working with roximity ibeacon for android…pls

  • Scott James Remnant

    Keep parsing …

    AD has a format of where is the byte length of the following type and data combined, is the type of that field and is annoyingly variable length, and then is the actual data.

    So:

    02 01 1A = a field of 2 bytes long, type 01, data 1A

    Type 0x01 – That’s “flags” according to https://www.bluetooth.org/en-us/specification/assigned-numbers/generic-access-profile

    Grab the core spec supplement to parse:

    1A would be:
    LE General Discoverable Mode
    Simultaneous LE & BR/EDR to Same Device capable (controller)
    Simultaneous LE & BR/EDR to Same Device capable (host)

    while 06 would be:

    LE General Discoverable Mode

    BR/EDR Not Supported

    This is exactly the difference you’d expect between a fully capable controller like an iPhone in the first case, and a dumb single-mode chip in the second

    1A FF 4C 00 02 15 … = a field of 26 bytes long, type FF 4C 00 02 15

    FF is “Manufacturer specific data” – first two bytes are manufacturer code

    guess who 0x004C is … ;-)

    https://www.bluetooth.org/en-us/specification/assigned-numbers/company-identifiers

    So that just leaves 02 15 as the identifier for an iBeacon itself

    (1 + 2 + 1 + 26 = 30, which is the packet length you’re seeing)

  • Scott James Remnant

    11 = packet of 17 bytes length, type 07 = 128-bit service UUID, followed by 16 bytes of a UUID

    0C FF 8C 00 = packet of 12 bytes length, vendor specific, allocated by “Gimbal Inc. (formerly Qualcomm Labs, Inc. and Qualcomm Retail Solutions, Inc.)”

    the interesting bit is therefore the 67 EE E2 C1 E2 F7 CE 4A 33 part, that’s the beacon data itself

  • http://www.warski.org/ Adam Warski

    Nice clarification, thanks a lot!

  • Olivier

    Hi, great article, what I do not understand is the item related to Tx Power. All examples I have seen, including yours, have the TX power on 1 byte, and not 2 as advertised.

    The advertisement I get from my iBeacon is:

    iBEACON PREFIX:9 UUID:16 MAJ:2 MIN:2 TX POW:1 8 Bytes
    0201061AFF4C000215 EBEFD08370A247C89837E7B5634DF524 0001 0001 C5 13 096A61616C6565

    In this example, should the Tx Power be C5 or C5 13?

  • http://www.warski.org/ Adam Warski

    It’s one byte. Where did you see the two byte variant?

  • Olivier

    In the blue diagram above, it shows: TX Power: 2 bytes

  • http://www.warski.org/ Adam Warski

    Ah, that’s a typo in the diagram :) Thanks for spotting!

  • captaink99

    I would assume that once the app assumes initial connection with the Beacon — then the beacon can talk to the device even if the app goes into background mode.

  • http://www.warski.org/ Adam Warski

    There’s no “connection” really, beacons simply transmit (like a lighthouse). Although iOS can treat beacon signals seen previously differently from new ones.

  • Edna Sanchez

    if this is a typo, where is the 31st byte? where would it go?
    9 + 16 + 2 + 2 + 1 = 30
    the only other diagram I spotted online showed the tx power having 2 bytes, but i’m not sure which one is correct.

  • http://www.warski.org/ Adam Warski

    It’s “up to” 31 bytes. iBeacon advertisements use 30. Others, for example Gimbal beacons, transmit 31 bytes.

  • Neil Rader

    Hi there, we have an iBeacon app for a special project we are doing, but running into trouble with the slow “connect” time between the beacon and smartphone (10-15 seconds). Is this normal? Can anything be done about it? Otherwise, the only useful applications are ones that can ensure the user is near a beacon for 15 seconds. Thanks!

  • http://www.warski.org/ Adam Warski

    If the app isn’t active, iPhone scans for beacons only from time to time (to conserve energy), and you can’t impact that. The newer the iOS version, the better the responsiveness (at least there was a difference in recent iOS 7 updates).

  • Neil Rader

    Thanks, Adam – much appreciated. We also found a coding problem that seems to have helped on some models…

  • Mohamed

    Nice blog ..thanks!
    I have some trouble in locating iBeacon in the BLE protocol stack. is it an independent profile that interacts with the link layer to set the AdvData section of its packet? is it an app built on the GATT profile? i hope to find a technical documentation that can explains this.

  • http://www.warski.org/ Adam Warski

    iBeacons use a small portion of the BLE spec, specifically the advertisements. There are some links in the article which explain this. Also the BLE specification can be of help. It is not an app built on the GATT profile.

  • Keith Kelsch

    I am curious about how to program or code beacons for use. Say you are using a platform to integrate multiple beacons in different and unrelated venues. How do you program each beacon for specific venues? Trying to find the best info on this.

  • http://www.warski.org/ Adam Warski

    The only thing you can program in a beacon are the major and minor ids. Apart from that, it’s up to your application to use e.g. the major to differentiate between venues.

  • Keith Kelsch

    Adam,
    Thanks. Do most beacons come with a pre-programed minor ID? I am trying to understand the reading and programing mechanics of beacons and the security of them, what they actually have built in and what is programed as far as ID’s are concerned. Also, any idea on the best source to purchase beacons? This blog is very helpful.

  • http://www.warski.org/ Adam Warski

    Yes, all beacons come with some major/minor IDs, the exact values depend on the vendor. Usually the major is fixed, minor is random.

    There’s really no security to beacons. It’s very easy to create a copy of a beacon, transmitting the same data. There are some non-iBeacon, but BLE based solutions, with built-in security, such as Gimbals.

    As for purchasing, I recommend Estimote and Kontakt.io.

  • Akshay

    Hi,

    Can I know that How can I communicate between BLE to BLE ?
    If one BLE has temperature sensor built, then How could I request from another BLE to read the temperature ?

  • http://www.warski.org/ Adam Warski

    That’s not really the scope of this post, but it depends what your other BLE supports. There are e.g. C APIs which allow you to establish BLE connections. I suppose each platform will have their own set.