I am trying to debug this bug https://github.com/espressif/esp-idf/issues/10660 where on some ESP32 versions, the device doesn't respond with a SCAN_RSP for incoming scan requests.
The BLE stack in use is ESP32 Bluedroid with BLE 5.0 disabled (only 4.x, I believe that 5.x is not supported on ESP32), but I am having a hard time figuring out where in the source code incoming SCAN_REQs are handled: https://github.com/espressif/esp-idf/tree/master/components/bt/host/bluedroid
My question is: what is the path of incoming SCAN_REQ requests in the ESP32 Bluedroid stack, and where are the requests handled by sending back a SCAN_RSP? My plan is to set breakpoints and add log messages to compare a working chip version with a non-working one.
You won't find it in the host part of a Bluetooth stack (for example Bluedroid). It's handled by the controller (one layer below HCI).
The controller code can be found in ROM code, with some patches here https://github.com/espressif/esp-idf/tree/master/components/bt/controller (everything is closed source). The rest of the implementation is done fully in hardware, likely including the part that responds to scan requests, since there is such a strict time requirement (150 microseconds) when the response must be sent.
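Since the response is generated below HCI, host breakpoints and logs cannot observe it; an over-the-air capture can. The following is an added example, not part of the original posts or of ESP-IDF: it scans a list of advertising-channel PDUs for SCAN_REQs to one advertiser that get no SCAN_RSP at the 150 microsecond inter-frame space. The `(start_us, pdu_bytes)` record format, the tolerance, the addresses and the capture itself are assumptions constructed for illustration, and LE 1M PHY timing is assumed.

```python
# Added example. The capture records below are constructed, not sniffer output.
SCAN_REQ, SCAN_RSP = 0x3, 0x4   # advertising-channel PDU types
T_IFS_US = 150                  # inter-frame space quoted in the answer
US_PER_BYTE = 8                 # LE 1M PHY

def pdu(pdu_type, payload):
    """Advertising-channel PDU: 2-byte header (type, length) + payload."""
    return bytes([pdu_type, len(payload)]) + payload

def airtime_us(p):
    """On-air duration: preamble (1) + access address (4) + PDU + CRC (3)."""
    return (1 + 4 + len(p) + 3) * US_PER_BYTE

def unanswered_scan_reqs(capture, adv_addr, tol_us=10):
    """Return start timestamps of SCAN_REQs to adv_addr with no timely SCAN_RSP.

    capture: time-sorted (start_us, pdu_bytes) records from one channel
    (assumed record format). tol_us is an assumed sniffer timestamp tolerance.
    """
    missed = []
    for i, (ts, p) in enumerate(capture):
        # SCAN_REQ payload is ScanA (6 bytes) then AdvA (6 bytes).
        if len(p) < 14 or p[0] & 0x0F != SCAN_REQ or p[8:14] != adv_addr:
            continue
        expected = ts + airtime_us(p) + T_IFS_US
        answered = any(
            len(q) >= 8 and q[0] & 0x0F == SCAN_RSP and q[2:8] == adv_addr
            and abs(t - expected) <= tol_us
            for t, q in capture[i + 1:i + 3])
        if not answered:
            missed.append(ts)
    return missed

ADV = bytes.fromhex("665544332211")       # constructed advertiser address
SCANNER = bytes.fromhex("aabbccddeeff")   # constructed scanner address
ADV_IND = pdu(0x0, ADV + b"\x02\x01\x06")
REQ = pdu(SCAN_REQ, SCANNER + ADV)
RSP = pdu(SCAN_RSP, ADV + b"\x04\x09ESP")
CAPTURE = [
    (0, ADV_IND), (1000, REQ), (1326, RSP),   # answered after T_IFS
    (50000, ADV_IND), (51000, REQ),           # no SCAN_RSP follows
    (100000, ADV_IND),
]

if __name__ == "__main__":
    print(unanswered_scan_reqs(CAPTURE, ADV))
```

Running the same check over captures from a working and a non-working chip revision gives a direct comparison of how many scan requests each one leaves unanswered.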