nRF52840 Bluetooth Sensor Hub

Headless IoT Platform with NFC-Assisted Secure Pairing

Michael Neumüller · linkedin.com/in/michael-neumueller1 · March 2026

A professional prototype sensor platform built on the Nordic nRF52840 (ARM Cortex-M4F) running Zephyr RTOS, demonstrating a fully headless multi-sensor BLE beacon architecture. The implementation addresses a key IoT UX challenge: secure device onboarding without physical user interface: by combining NFC Type 2 Tag emulation with hardware-derived cryptographic pairing, enabling seamless tap-to-connect operation from any NFC-enabled smartphone.

Technology Stack

Layer	Technology
MCU / SoC	Nordic nRF52840: ARM Cortex-M4F, 1 MB Flash, 256 KB RAM
RTOS	Zephyr RTOS (preemptive multithreading, workqueue scheduling)
Connectivity	Bluetooth 5.0 LE (1M / 2M PHY), NFC Type 2 Tag (NDEF)
Security	BLE Security Level 4: AES-128 CCM, ECDH key exchange
Sensors	LSM6DS3TR-C 6-axis IMU (I²C), PDM MEMS Microphone
Power	LiPo 3.3–4.15 V, BQ25100 charge IC, adaptive TX power
Interface	Web Bluetooth API dashboard: zero native app required
Hardware	Seeed Studio XIAO nRF52840 Sense

System Architecture

End-to-End System Overview

IMU 6-AxisAccel + Gyro @ 52 Hz

PDM MicrophoneAudio @ 16 kHz

Battery ADCSMA Filter (12 samples)

RGB LEDAudio-Reactive Feedback

▼

Zephyr RTOS Kernel
Sensor Thread (P3) · Audio Thread (P2) · Main Thread + Workqueues

▼

Custom BLE GATT Service: 6 Characteristics
Accelerometer · Gyroscope · Audio Level · TX Power · Battery · System Reset
ALL require authenticated pairing (BT_GATT_PERM_*_AUTHEN)

▼

BLE 5.0 Radio1M / 2M PHY · Adaptive TX Power

NFC T2T TagNDEF URI with embedded PIN

▼ WIRELESS ▼

Smartphone / Browser
Web Bluetooth Dashboard: Real-Time Charts · Spectrogram · Power Mgmt · CSV Export

Security Architecture & NFC Workflow

The Challenge: Secure Pairing Without a Screen

Traditional BLE devices display a pairing PIN on a screen or use insecure "Just Works" pairing. A headless sensor node has neither a display nor input: yet must enforce strong authentication to protect sensor data from unauthorized access.

The Solution: Hardware-Derived PIN via NFC Handoff

A three-layer security architecture turns NFC into a physical-proximity authentication channel:

NFC-Assisted Secure Pairing Flow

① Read Hardware ID (FICR) Factory-burned, immutable, unique per chip

② Derive 6-Digit Passkey PIN = (DeviceAddress % 900000) + 100000 Deterministic: same PIN every boot, no storage

③a Register with BLE SMP Passkey Display mode (Level 4) Enables AES-128 CCM encryption

③b Encode PIN in NFC Tag NDEF URI → https://…/?pin=XXXXXX Physical proximity = trust anchor

④ User Taps Phone on Device Browser opens Web UI → PIN auto-displayed (20 s expiry) → User enters PIN in OS pairing dialog

⑤ Encrypted Bond Established AES-128 CCM active · Bond stored in NVS Flash · Persists across reboots

GATT-Level Security Enforcement

Every characteristic enforces READ_AUTHEN / WRITE_AUTHEN permissions:

Protection	Effect
No data leaks	Unauthenticated observers cannot read any sensor values
No unauthorized control	Remote bootloader reset requires a bonded, encrypted connection
Mandatory encryption	All traffic is AES-128 CCM encrypted after successful pairing
Persistent bonding	Credentials survive reboots via Zephyr NVS/Settings subsystem

Comparison: Traditional vs. This Approach

Traditional Approach	This Solution
PIN printed on label: static, easily shared	PIN derived from silicon: unique per device
"Just Works" pairing: zero authentication	Passkey Display (Level 4): MITM-resistant
Requires companion app for onboarding	NFC tap opens standard browser: zero app install
PIN visible only during setup wizard	PIN in URL, auto-expires in Web UI (20 seconds)

Real-Time System Architecture

Preemptive Multi-Threading Model

Three concurrent threads on Zephyr's preemptive scheduler plus two asynchronous workqueue tasks for non-blocking power management:

Zephyr RTOS Threading & Data Pipeline

P 2

Audio Thread
PDM Microphone → 512-sample blocks @ 16 kHz → RMS (loudness) + ZCR (zero-crossing rate) → BLE GATT Notify → RGB LED audio-reactive color mapping (silence → blue → green → yellow → red)

P 3

Sensor Thread
LSM6DS3TR-C IMU → Accel (X/Y/Z) + Gyro (X/Y/Z) @ 52 Hz → Little-endian int32 serialization → BLE GATT Notify to all connected clients

MAIN

Main Thread + Delayed Workqueues
Battery Work: ADC burst → SMA(12) filter → SoC% estimation · Interval: 1 s (boot) → 10 s (steady)
Status Work: BQ25100 charge IC monitoring · USB VBUS detection · Charge current control (1 s poll)
TX Power Logic: SoC > 20% or USB → +8 dBm (max range) · SoC < 20% battery → −4 dBm (power save)

Custom BLE GATT Service

One primary service, six characteristics covering the full sensor pipeline and system control:

Characteristic	UUID Suffix	Type	Payload
Accelerometer	`…def1`	Notify	3× int32 LE: X, Y, Z in milli-m/s²
Gyroscope	`…def2`	Notify	3× int32 LE: X, Y, Z in milli-°/s
Audio Level	`…def3`	Notify	uint32 RMS + uint32 ZCR per block
TX Power	`…def4`	Read / Notify	int8: current power in dBm
Battery	`…def5`	Read / Notify	uint16 mV + uint8 SoC% + uint8 status
System Reset	`…def6`	Write	Write 0x01 → reboot to UF2 bootloader

Intelligent Power Management

Battery-Aware Adaptive TX Power Pipeline

ADC ReadPin P0.14

▶

Burst ×2+ Average

▶

SMA Filter12 samples

▶

SoC Estimate3.3 to 4.15 V

▶

SoC > 20% or USBTX = +8 dBm (max range)

SoC < 20% batteryTX = −4 dBm (power save)

Web Bluetooth Dashboard

A fully responsive browser-native monitoring interface via the Web Bluetooth API: zero native app installation required. Works on Chrome and Edge across all platforms.

Feature	Technical Detail
Real-Time Telemetry	Acceleration & gyroscope rolling charts (Chart.js, 150-point buffer, pinch-to-zoom)
Audio Analysis	1024-point FFT, A-weighted Power Spectral Density, live Canvas 2D waterfall spectrogram
Power Management	Battery voltage, SoC %, charge status indicator, TX power with dBm → mW conversion
NFC PIN Integration	URL parameter `?pin=XXXXXX` auto-displays passkey with 20 s animated expiry timer
Remote System Control	One-click reboot to UF2 bootloader for wireless firmware updates
Performance	Visibility API throttling, 30 FPS render cap, EMA-smoothed audio, tab-suspend protection
Export	CSV telemetry session export for offline analysis

Key Engineering Highlights

1

        Zero-UI Onboarding
        NFC tag + Web Bluetooth = no display, no companion app, no manual PIN entry. Tap the device and go.
      

2

        Hardware-Rooted Trust
        Passkey derived from immutable FICR silicon ID. Deterministic: no RNG, no provisioning step, no key storage.
      

3

        Defense in Depth
        NFC (physical proximity) → BLE SMP (cryptographic gate) → GATT AUTHEN (per-characteristic access control).
      

4

        Battery-Aware Radio
        Dynamic TX power preserves energy at low SoC without sacrificing range when power is available.
      

5

        Non-Blocking Architecture
        All I/O is threaded or workqueue-driven. Main loop sleeps at 1 Hz. Zero busy-wait patterns anywhere.
      

6

        Bluetooth 5.0 Optimized
        2M PHY, extended data length (69 B), optimized intervals (15–30 ms), up to 3 simultaneous connections.
      

7

        Production Patterns
        NVS-backed bonding, SMA-filtered ADC, graceful BLE reconnect, RGB startup self-test sequence.
      

8

        Remote Firmware Update
        Wireless bootloader reset via authenticated BLE write: no physical access to the device required.
      

Zephyr RTOS Nordic nRF52840 BLE 5.0 NFC T2T Web Bluetooth AES-128 CCM Cortex-M4F NDEF