Bluetooth

From The iPhone Wiki
Revision as of 13:55, 26 May 2020 by IAdam1n (talk | contribs)
Jump to: navigation, search

Bluetooth is a short-range wireless technology. Bluetooth hardware is provided on all iPhone, iPod touch (2nd generation) or higher, all iPad, and all Apple TV. Apple has severely restricted the functions of Bluetooth to the end-user, for seemingly no reason, as the hardware supplied is capable of most if not all current bluetooth 2.0/2.1 functions.

With iPhoneOS 3.0, support for 3G internet bridging (PAN) or 'tethering' and A2DP over Bluetooth has been added, however the file sharing OBEX protocol is notably still missing.

Hardware

Apple TV

Apple Watch

iPad

iPad mini

iPhone

iPod touch

Software

Access

Developers have been able to successfully access and interface the Bluetooth hardware to achieve basic L2CAP, RCOMM and OBEX. Besides individual closed-apps that contain a patched version of the lwBT Bluetooth Stack (e.g. roqyGPS for SPP plus iBluetooth and iBlueNova for OBEX), the open-source BTstack project at http://btstack.googlecode.com provides general Bluetooth support for multiple applications. Examples available in Cydia: BTstack Keyboard, BTstack Mouse, WiiMote OpenGL Demo and some of ZodTTD's emulators.

The device nodes of relevance here, are

Officially Supported Profiles

  • HFP - Hands-Free Profile
  • HSP - Headset Profile
  • ??? - Peer-to-peer connectivity (iPhone OS 3.0 and above; iPhone 3G and newer)
  • AD2P - Stereo audio streaming (iPhone OS 3.0 and above; iPhone 3G and newer)
  • PAN - Tethering (iPhone OS 3.0 and above; iPhone 3G and newer)
  • AVRCP - Media controls (Partial support since iPhone OS 3.0, improved in iOS 4.1; iPhone 3G and newer)
  • SPP - Serial Port Profile for Braille terminals (iOS 4.? and above)

More info: Bluetooth Profiles

Profiles available with unofficial software

Bluetooth Stack

Bluetoothstack.gif The chip implements up to the HCI in the Bluetooth Stack. The profiles seem to be implemented in software.


BTServer

The iPhone has a Bluetooth daemon called BTServer that serves the little the iPhone currently does. It is launched by the /sbin/launchd process. On killing the BTServer process, launchd restart it almost instantly. It is possible to catch BTServer itself launches the BlueTool utility by rapidly displaying processes right after killing BTServer. If bluetooth was set inactive in the control panel, BTServer call /usr/sbin/BlueTool -f /etc/bluetool/iPhone1,1.deepsleep.script. On the other hand, If bluetooth was set active in the control panel, BTServer calls the /etc/bluetool/iPhone1,1.init.script.

Disabling BTServer

In order to fool around with bluetooth it seems necessary to prevent the BTServer from being loaded. The System/Library/LaunchDaemons/com.apple.BTServer.plist file can be edited. There is a 'disabled' key set to false by default. Setting it true will prevent BTServer from being started. With BTServer completely deactivated, the control panel bluetooth item should say 'inactive' and the toggle switch grayed out.

Update: It is not necessary to disable the BTserver. It's enough to keep Bluetooth turned off in the control panel.

Enabling Bluetooth Logs[1]

mkdir -p /var/logs/BTServer
touch /var/logs/BTServer/stderr
touch /var/logs/BTServer/stdout

(As of firmware 2.0, the above mentioned snippet does not seem to work anymore)

Update For firmware 2.0, you also need to change the ownership of the log directory:

chown -R mobile /var/logs/BTServer

BlueTool

This is a low level utility, used by the BTServer daemon to configure the iPhone Bluetooth module through the /etc/bluetool/iPhone1,1.init.script file.

This effectively 'turns on' bluetooth (sets it to discoverable) but it should be noted that the kernel doesnt know it (there is no bt icon in the status bar).

to do this your self:

#bluetool

Welcome to bluetool... (etc)

bluetool> device -d /dev/cu.bluetooth # select the device
  • this makes bluetool call a function from CoreTelephony which has been reverse engineered already called _CTServerConnectionCreate(CFAllocatorRef, void *, int *)

bluetool will then tell you (if successful) that it has opened /dev/cu.bluetooth @ 115200 baud

bluetool> power on
  • again, a CT function is called, however no-one (to the extent of my knowledge) has reversed it. _CTServerConnectionSetBluetoothPower(???) however you can bet that the first argument is going to be a connection reference made from calling ConnectionCreate -> ie connRef = _CTServerConnectionCreate();
bluetool> autobaud
  • from here on bluetool only deals with posix functions (yay!!) and it basically sends ioctl() requests to the bluetooth driver in the coveted HCI.

knowing the ioctl() numbers for each HCI command can only be found out by reverse engineering or porting/using strace, dtrace, ktrace, sc_usage or truss.

Note with bluetool

it may not be that easy becuase on reverse engineer of a pre 2.0 bluetool, calls functions from IOKit, which is obviously not posix. The 2.0 bluetool still links against IOKit.

to 'unlock' the iPhones bluetooth capabilities, which I believe are there (in the driver, the chip can DEFINITELY do it) one would need to be able to send the driver raw HCI, which this program demonstrates it can do.

Output of the BlueTool console on an iPhone:

bluetool-> hci info

Radio Manufacturer: CSR Bluetooth HCI Specification: Version 2.0

Bluetooth Address: 00:02:5b:00:a5:a5

bluetool-> csr -V

CSR BlueCore Version 0x0003, Revision 0x0030, Build: A06

From CSR' BlueCore BCCMD Commands Document (bcore-sp-005Pe)

ChipVer = 0x03, BlueCore3-Multimedia, BlueCore3-ROM, BlueCore3-FLASH, BlueCore4-External, BlueCore4-ROM

ChipRev = 0x30, BlueCore4-ROM

ChipAnaVer = A06 (???)