Freq Hopping - Avoid Bluetooth interference

Bluetooth Frequency Hopping: How Classic Bluetooth Avoids Interference

The 2.4GHz band is a battleground. WiFi, Bluetooth, Zigbee, microwave ovens, baby monitors, and wireless keyboards all compete for the same slice of spectrum. That Bluetooth headset you're wearing manages to stay connected through all of that noise - and the reason is frequency hopping spread spectrum (FHSS).

Classic Bluetooth hops to a new frequency 1,600 times per second. By the time interference has corrupted one packet, the radio has already moved somewhere else. It's a clever solution to a crowded spectrum problem, and understanding it helps explain why BLE - Bluetooth Low Energy - works so differently from its older sibling.

graph TD
    subgraph BAND["2.4GHz ISM Band (2400-2483.5 MHz)"]
        subgraph WIFI["WiFi Channels (20/40 MHz wide)"]
            W1["Ch 1<br/>2412 MHz"]
            W6["Ch 6<br/>2437 MHz"]
            W11["Ch 11<br/>2462 MHz"]
        end
        subgraph BT_CLASSIC["Classic Bluetooth (79 x 1MHz channels)"]
            BT1["Ch 0<br/>2402 MHz"]
            BT_MID["Ch 39<br/>2441 MHz"]
            BT79["Ch 78<br/>2480 MHz"]
            BT1 -.->|"1600 hops/sec"| BT_MID
            BT_MID -.->|"pseudo-random<br/>sequence"| BT79
        end
        subgraph BLE_ADV["BLE Advertising (3 fixed channels)"]
            A37["Ch 37<br/>2402 MHz"]
            A38["Ch 38<br/>2426 MHz"]
            A39["Ch 39<br/>2480 MHz"]
        end
        subgraph OTHER["Other 2.4GHz Devices"]
            ZIGBEE["Zigbee<br/>(2 MHz channels)"]
            MW["Microwave Ovens<br/>(broadband noise)"]
            BABY["Baby Monitors"]
        end
    end
    WIFI ---|"Overlap causes<br/>interference"| BT_CLASSIC
    OTHER ---|"Broadband<br/>interference"| BT_CLASSIC

The crowded 2.4GHz ISM band - Bluetooth's 79 narrow 1MHz channels share spectrum with WiFi's wide 20MHz channels, Zigbee, microwave ovens, and other devices.

The 2.4GHz Band and Why It's So Crowded

The 2.4GHz ISM band runs from 2.400GHz to 2.4835GHz - that's 83.5MHz of usable spectrum. It's unlicensed, meaning any device can use it without a radio license as long as it stays within power limits. That's why it's so popular and so contested.

WiFi 802.11b/g/n/ax all operate here. Bluetooth classic and BLE operate here. Zigbee and Z-Wave home automation devices operate here. Thread, used by Matter smart home devices, operates here. When your neighbor runs a WiFi speed test while you're on a Bluetooth call, you're both fighting for the same airspace.

The fundamental problem with interference is that two transmitters on the same frequency at the same time cause collisions - the receiving radio sees a garbled signal and has to request a retransmission. The more devices in the band, the more collisions, the worse performance gets.

Frequency hopping is one answer to this problem. Instead of camping on one frequency and fighting interference there, a hopping radio moves around so fast that any given interference source only damages a small fraction of its packets.

stateDiagram-v2
    [*] --> BasicFHSS: Connection established

    state BasicFHSS {
        [*] --> Ch23: Slot 1
        Ch23 --> Ch67: Slot 2 (625us later)
        Ch67 --> Ch02: Slot 3
        Ch02 --> Ch45: Slot 4
        Ch45 --> Ch71: Slot 5
        note right of Ch23: Pseudo-random sequence<br/>from clock + device address
        note right of Ch71: All 79 channels used<br/>1600 hops/second
    }

    BasicFHSS --> AFHDetection: WiFi interference detected<br/>on channels 20-40

    state AFHDetection {
        [*] --> Classify: Monitor packet loss per channel
        Classify --> MarkBad: Channels with high error rate
        MarkBad --> UpdateMap: Remove bad channels from map
        UpdateMap --> ShareMap: Exchange channel map with peer
    }

    AFHDetection --> AdaptiveFHSS: Channel map updated

    state AdaptiveFHSS {
        [*] --> Ch02a: Slot 1
        Ch02a --> Ch45a: Slot 2
        Ch45a --> Ch67a: Slot 3
        Ch67a --> Ch71a: Slot 4
        note right of Ch02a: Only good channels used<br/>Min 20 channels required
        note right of Ch71a: Avoids WiFi-occupied<br/>frequency range
    }

From basic FHSS to Adaptive Frequency Hopping - Bluetooth detects interference, classifies channels as good or bad, and restricts hopping to clean frequencies while maintaining at least 20 channels.

Classic Bluetooth FHSS: 79 Channels, 1,600 Hops per Second

Classic Bluetooth (also called BR/EDR - Basic Rate/Enhanced Data Rate) divides the 2.4GHz band into 79 channels, each 1MHz wide, starting at 2.402GHz. The radio hops through these channels in a pseudo-random sequence that both the master and slave device know in advance - they synchronize on the sequence during connection setup.

The hop rate is 1,600 hops per second in normal mode, meaning the radio spends 625 microseconds on each channel. Data packets can span multiple slots (up to 5 slots or 3.125ms for longer packets), but the frequency changes after each packet exchange.

The sequence is derived from the master device's Bluetooth address (BD_ADDR) and the clock. Because both devices derive the same sequence from the same inputs, they always land on the same channel at the same time. An outside observer who doesn't know the sequence sees what appears to be random frequency jumping.

This is a significant security and anti-eavesdropping property. Without knowing the hopping sequence, a passive attacker can't reconstruct a Classic Bluetooth conversation by listening on one channel - the data is spread across all 79 frequencies. Specialized equipment like an Ubertooth One can reconstruct the sequence by brute-forcing it from observed packets, but it's not trivial. Because the sequence can be recovered this way, hopping raises the cost of interception rather than guaranteeing that a conversation stays private.

The 79 channels give Classic Bluetooth a huge amount of spectrum diversity. Even if several channels are being heavily used by WiFi, the radio spends only a fraction of its time there. The impact of any single interference source is proportional to how many of those 79 channels it occupies.

graph LR
    subgraph ADV["BLE Advertising Channels (Fixed)"]
        direction TB
        CH37["Ch 37 - 2402 MHz<br/>Below WiFi Ch 1"]
        CH38["Ch 38 - 2426 MHz<br/>Between WiFi Ch 1 and 6"]
        CH39["Ch 39 - 2480 MHz<br/>Above WiFi Ch 11"]
    end
    subgraph DATA["BLE Data Channels (37 channels, hopping)"]
        direction TB
        D0["Ch 0-10<br/>2404-2424 MHz"]
        D1["Ch 11-26<br/>2428-2458 MHz"]
        D2["Ch 27-36<br/>2460-2478 MHz"]
    end
    subgraph HOP["BLE Channel Selection"]
        CSA["Channel Selection<br/>Algorithm #2"]
        MAP["Channel Map<br/>(peer-exchanged)"]
        UNMAPPED["Skip bad channels<br/>remap to good ones"]
        CSA --> MAP
        MAP --> UNMAPPED
    end
    ADV -->|"Device discovery<br/>+ connection setup"| DATA
    DATA -->|"Connected mode<br/>data transfer"| HOP
    subgraph STRATEGY["Why 37, 38, 39?"]
        S1["Placed in gaps between<br/>WiFi channels 1, 6, 11"]
        S2["Maximizes advertising<br/>survival during WiFi use"]
        S3["Three channels = redundancy<br/>if one is blocked"]
    end
    ADV -.-> STRATEGY

BLE channel architecture - three advertising channels are strategically placed in gaps between common WiFi channels, while 37 data channels use adaptive hopping for connected communication.

Adaptive Frequency Hopping: Getting Smarter About WiFi

Bluetooth 1.2 introduced Adaptive Frequency Hopping (AFH), and it addresses a specific problem: WiFi channels are wide and stationary. A WiFi network on channel 6 occupies roughly 22MHz of spectrum - that's about 22 of the 79 Bluetooth channels in one go. Hopping into those frequencies 1,600 times per second guarantees heavy collision with the WiFi traffic.

AFH solves this by classifying channels as good or bad. The master device monitors channel quality and maintains a channel map - a 79-bit bitmap indicating which channels are currently usable. Channels that consistently show high error rates get removed from the hopping sequence. The Bluetooth spec requires that at least 20 channels remain active at all times to maintain adequate frequency diversity.

When a channel is marked bad, the hopping algorithm remaps onto the remaining good channels. The result is that Classic Bluetooth and WiFi can coexist much more gracefully. The Bluetooth radio learns to navigate around active WiFi traffic in real time.
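As an added example (not code from the original article or from any Bluetooth stack), the Python sketch below builds the 79-bit AFH channel map described above from per-channel error counts and enforces the 20-channel floor. The 25% error threshold, the worst-first removal policy, the way WiFi overlap is counted, and all function names are assumptions made for illustration; the sample statistics are constructed.

```python
N_CHANNELS = 79   # Classic Bluetooth: channel k is centred at 2402 + k MHz
MIN_USED = 20     # floor stated in the text: at least 20 channels stay active

def wifi_overlap(center_mhz, width_mhz=22):
    """Bluetooth channels whose centre lies in [center - w/2, center + w/2)."""
    lo, hi = center_mhz - width_mhz / 2, center_mhz + width_mhz / 2
    return [k for k in range(N_CHANNELS) if lo <= 2402 + k < hi]

def build_channel_map(stats, max_per=0.25):
    """stats: {channel: (packets_sent, packets_failed)}.
    Returns a 79-bit int; bit k set means channel k stays in the hop set.
    max_per is an assumed packet-error-rate threshold, not a spec value."""
    per = {k: (failed / sent if sent else 0.0)
           for k, (sent, failed) in stats.items()}
    # Worst channels first, so that if the floor limits how many we may
    # drop, the least-bad "bad" channels are the ones kept.
    bad = sorted((k for k in per if per[k] > max_per),
                 key=lambda k: per[k], reverse=True)
    bad = bad[:N_CHANNELS - MIN_USED]
    chan_map = (1 << N_CHANNELS) - 1      # start with every channel usable
    for k in bad:
        chan_map &= ~(1 << k)
    return chan_map

def used_channels(chan_map):
    return [k for k in range(N_CHANNELS) if chan_map >> k & 1]

# Constructed sample: a WiFi network on channel 6 (2437 MHz) causes a 40%
# error rate on the Bluetooth channels it covers, 2% everywhere else.
WIFI6 = set(wifi_overlap(2437))
SAMPLE = {k: (100, 40 if k in WIFI6 else 2) for k in range(N_CHANNELS)}

if __name__ == "__main__":
    cmap = build_channel_map(SAMPLE)
    print(f"channel map: {cmap:#022x}")
    print(f"{len(used_channels(cmap))} of {N_CHANNELS} channels remain in use")
```

Channels missing from `stats` are treated as unmeasured and left in the map.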

AFH is why a Bluetooth headset and a WiFi connection can share the same device without constantly destroying each other. The ESP32 uses exactly this mechanism - its coexistence controller manages the radio sharing between WiFi and Bluetooth using AFH alongside time-division scheduling at the firmware level.

How BLE Does It Differently: 40 Channels and 3 Fixed Advertising Slots

Bluetooth Low Energy takes a different approach entirely. Instead of 79 narrow channels, BLE uses 40 channels, each 2MHz wide, covering the same 80MHz span of spectrum from 2.402GHz to 2.480GHz. The wider channels allow for the 1Mbit/s and 2Mbit/s PHY modes.

BLE doesn't do the same high-speed continuous hopping as Classic Bluetooth. There are two separate channel groups with completely different behaviors: advertising channels and data channels.

Advertising channels are how BLE devices announce themselves. Devices broadcast advertisements, scanners listen. These channels are fixed - they don't hop. There are only three of them. This is a deliberate design choice: scanners need to know where to look, so the advertising channels are fixed and well-known.

Data channels are used after a connection is established. Once two BLE devices are connected, they do use frequency hopping - but it's much slower than Classic Bluetooth. Connection events happen every few milliseconds to several seconds depending on the connection interval, and the channel advances according to a hopping algorithm each time.

Channels 37, 38, and 39: The Gaps in the WiFi Spectrum

The three BLE advertising channels are numbered 37, 38, and 39. Their placement in the spectrum is not arbitrary - they were chosen specifically to avoid the center frequencies of WiFi channels 1, 6, and 11: the three non-overlapping 2.4GHz WiFi channels used in most deployments.

In frequency terms:

  • BLE channel 37 sits at 2.402GHz - just below WiFi channel 1 (2.412GHz center)
  • BLE channel 38 sits at 2.426GHz - between WiFi channels 1 and 6
  • BLE channel 39 sits at 2.480GHz - above WiFi channel 11 (2.462GHz center)

This placement means that even without AFH, BLE advertisements are landing in the quietest parts of the 2.4GHz band. A device scanning for BLE advertisements doesn't compete heavily with the typical WiFi deployment on 1, 6, and 11.

Devices broadcast advertisements on all three advertising channels in sequence, typically with a short randomized delay between each to reduce collision probability with other advertising devices doing the same thing. This is why BLE scanners find devices reliably even in a crowded environment - they're listening on channels placed to avoid the worst WiFi interference, and each advertisement is sent three times per interval.

The 37 Data Channels and Connection Hopping

When two BLE devices connect, they negotiate a channel hopping sequence using the remaining 37 channels (numbered 0 through 36, which map to 2.404GHz through 2.478GHz). The hop increment and the starting channel are part of the connection parameters negotiated during setup.

BLE connection hopping uses the following algorithm: next channel = (current channel + hop increment) modulo 37, where the hop increment is a value between 5 and 16 chosen at connection time. This gives a simple and predictable sequence, but one that still distributes the connection across the available channels.

Unlike Classic Bluetooth's 1,600 hops per second, BLE data channels only hop once per connection event. Connection intervals are configurable from 7.5ms to 4 seconds. At the minimum interval, you'd see about 133 channel changes per second - far slower than Classic Bluetooth, but appropriate for the low-power, low-duty-cycle nature of BLE.

BLE also supports AFH at the data channel level. If channels are causing consistent errors, the master can update the channel map through an LL_CHANNEL_MAP_IND control PDU to remove bad channels from the hopping sequence. In practice, this is more important in industrial environments with heavy 2.4GHz interference than in typical office or home settings.
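The hop formula above, worked through as an added example (not from the original article or any vendor stack), including what a channel map update does to the sequence. The remapping step follows Channel Selection Algorithm #1 from the Bluetooth Core Specification, which is the algorithm the modulo formula belongs to; the function names, the counter starting at 0, and the sample channel map are assumptions for illustration.

```python
ADV_FREQ_MHZ = {37: 2402, 38: 2426, 39: 2480}   # fixed advertising channels
FULL_MAP = (1 << 37) - 1                        # bit k set = data channel k usable

def freq_mhz(channel):
    """Centre frequency of a BLE channel index (0-36 data, 37-39 advertising)."""
    if channel in ADV_FREQ_MHZ:
        return ADV_FREQ_MHZ[channel]
    if not 0 <= channel <= 36:
        raise ValueError("BLE channel index must be 0-39")
    # Data channels skip 2426 MHz, which belongs to advertising channel 38.
    return 2404 + 2 * channel if channel <= 10 else 2406 + 2 * channel

def used_channels(channel_map):
    """Ascending list of data channels enabled in a 37-bit channel map."""
    return [k for k in range(37) if channel_map >> k & 1]

def hop_sequence(hop_increment, events, channel_map=FULL_MAP):
    """Data channel used at each of `events` consecutive connection events."""
    if not 5 <= hop_increment <= 16:
        raise ValueError("hop increment must be between 5 and 16")
    used = used_channels(channel_map)
    if not used:
        raise ValueError("channel map has no usable channels")
    unmapped, out = 0, []      # assumed starting point for the counter
    for _ in range(events):
        unmapped = (unmapped + hop_increment) % 37   # formula from the text
        # A channel removed from the map is remapped onto the used list,
        # indexed by (unmapped channel mod number of used channels).
        out.append(unmapped if unmapped in used
                   else used[unmapped % len(used)])
    return out

# Constructed scenario: data channels 11-22 (2428-2450 MHz) marked bad.
BAD_11_22 = FULL_MAP & ~(((1 << 12) - 1) << 11)

if __name__ == "__main__":
    print("all channels good :", hop_sequence(7, 6))
    print("11-22 removed     :", hop_sequence(7, 6, BAD_11_22))
    print("frequencies (MHz) :", [freq_mhz(c) for c in hop_sequence(7, 6, BAD_11_22)])
```

Because 37 is prime, any increment from 5 to 16 visits all 37 data channels before repeating when the map is full.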

What This Means for the BLEShark Nano

The BLEShark Nano runs on an ESP32-C3, which has a single 2.4GHz radio. That radio handles both WiFi and BLE, and it can't do both at exactly the same time - the coexistence controller time-divides between them. This is a direct consequence of the shared 2.4GHz spectrum and the frequency hopping architecture of both protocols.

When you use BLE features on the BLEShark - BLE scanning, BLESpam, Bad-BT - the radio is operating primarily as a BLE device. WiFi features like network scanning and deauth operate when the radio is in WiFi mode. The firmware manages transitions between these modes.

BLESpam is specifically relevant here. When the BLEShark broadcasts spoofed BLE advertisements, it's transmitting on those three fixed advertising channels: 37, 38, and 39. It doesn't need to hop because advertisements are always broadcast on fixed channels. Every iOS device, Android device, and Windows laptop scanning for nearby Bluetooth devices is listening on exactly those three channels - which is why the spoofed packets land reliably.

When the BLEShark is connected to a Shiver mesh, the mesh operates over ESP-NOW, which runs on the WiFi radio at the firmware level. This means when the device is in mesh mode, the BLE radio is available - but Bad-BT requires a persistent BLE connection, so Bad-BT mode fully disconnects from the mesh. BLESpam can hop back to the mesh radio windows, but sustained BLE connections are incompatible with full mesh participation on a single radio.

Understanding frequency hopping also explains why the BLEShark's BLE scanner can pick up devices across a room. The scanner listens on all three advertising channels - the same channels every compliant BLE device is required to advertise on. There's no scanning across all 79MHz of spectrum required; three fixed channels cover all advertising traffic. What you see in the scanner output is every BLE device within range that has advertising enabled, regardless of manufacturer or protocol version.

The Shiver mesh itself uses ESP-NOW in Long Range mode at 250 kbps. ESP-NOW operates on WiFi channels - not BLE advertising channels - so it doesn't interfere with BLE scanning or advertising. A Shiver pack of up to 16 nodes can cover 20-50m each, creating a distributed sensor network where each node independently captures BLE advertisement data and forwards it back to the mesh.

This article is for educational purposes. Understanding radio protocols and spectrum sharing is foundational knowledge for network security research and wireless engineering.
