The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Latest revision as of 15:20, 20 September 2020
Bluetooth is a short-range wireless technology. Bluetooth hardware is provided on all iPhones, the iPod touch (2nd generation) or higher, all iPads, and all Apple TVs. Apple has severely restricted the functions of Bluetooth to the end-user, for seemingly no reason, as the hardware supplied is capable of most if not all current Bluetooth 2.0/2.1 functions.
With iPhone OS 3.0, support for 3G internet bridging (PAN) or 'tethering' and A2DP over Bluetooth has been added; however, the file sharing OBEX protocol is notably still missing.
Hardware
Apple TV
- Apple TV (2nd generation) - BCM4329 - Bluetooth® 2.1 + EDR
- Apple TV (3rd generation) (AppleTV3,1) - BCM4330
- Apple TV (3rd generation) (AppleTV3,2) - BCM4334
- Apple TV HD - ?
Apple Watch
- Apple Watch (1st generation) - BCM4334
- Apple Watch Series 1 - ?
- Apple Watch Series 2 - ?
iPad
- iPad - BCM4329 - Bluetooth® 2.1 + EDR
- iPad 2 - BCM4329 - Bluetooth® 2.1 + EDR
- iPad (3rd generation) - BCM4330
- iPad (4th generation) - BCM4334
- iPad Air - BCM43342
- iPad Air 2 - BCM4345
- iPad Pro (12.9-inch) - ?
- iPad Pro (9.7-inch) - ?
- iPad (5th generation) - ?
iPad mini
- iPad mini - BCM4334
- iPad mini 2 - BCM43342
- iPad mini 3 - ?
- iPad mini 4 - ?
iPhone
- iPhone - BlueCore 4 - Bluetooth® 2.0 + EDR
- iPhone 3G - BlueCore 6 - Bluetooth® 2.0 + EDR
- iPhone 3GS - BCM4325 - Bluetooth® 2.1 + EDR
- iPhone 4 - BCM4329 - Bluetooth® 2.1 + EDR
- iPhone 4S - BCM4330
- iPhone 5 - BCM4334
- iPhone 5c - BCM4334
- iPhone 5s - BCM43342
- iPhone 6 - BCM4345
- iPhone 6s - BCM4350
- iPhone SE (1st generation) - ?
- iPhone 7 - ?
- iPhone 8 - ?
- iPhone X - ?
iPod touch
- iPod touch - No Bluetooth Hardware
- iPod touch (2nd generation) - BCM4325 - Bluetooth® 2.1 + EDR
- iPod touch (3rd generation) - BCM4329 - Bluetooth® 2.1 + EDR
- iPod touch (4th generation) - BCM4329 - Bluetooth® 2.1 + EDR
- iPod touch (5th generation) - BCM4334
- iPod touch (6th generation) - BCM4335
Software
Access
Developers have been able to successfully access and interface with the Bluetooth hardware to achieve basic L2CAP, RFCOMM and OBEX. Besides individual closed-source apps that contain a patched version of the lwBT Bluetooth stack (e.g. roqyGPS for SPP, plus iBluetooth and iBlueNova for OBEX), the open-source BTstack project at http://btstack.googlecode.com provides general Bluetooth support for multiple applications. Examples available in Cydia: BTstack Keyboard, BTstack Mouse, WiiMote OpenGL Demo and some of ZodTTD's emulators.
The device nodes of relevance here are:
- /dev/uart.bluetooth
- /dev/cu.bluetooth
- /dev/tty.bluetooth
- /dev/btreset
- /dev/btwake
Officially Supported Profiles
- HFP - Hands-Free Profile
- HSP - Headset Profile
- ??? - Peer-to-peer connectivity (iPhone OS 3.0 and above; iPhone 3G and newer)
- A2DP - Stereo audio streaming (iPhone OS 3.0 and above; iPhone 3G and newer)
- PAN - Tethering (iPhone OS 3.0 and above; iPhone 3G and newer)
- AVRCP - Media controls (Partial support since iPhone OS 3.0, improved in iOS 4.1; iPhone 3G and newer)
- SPP - Serial Port Profile for Braille terminals (iOS 4.? and above)
More info: Bluetooth Profiles (http://en.wikipedia.org/wiki/Bluetooth_profile)
Profiles available with unofficial software
- OBEX - OBject EXchange (iBluetooth on iPhone OS 2.x; iBlueNova on 3.x; Celeste on iOS 4.x; No equivalent on iOS 5.x)
- DUN - Dial-up Networking Profile
- SPP - Serial Port Profile for GPS receivers (roqyBT)
- ADP - Mono audio streaming (Bluetooth Mono SBSettings on iPhone OS 3.x)
Bluetooth Stack
The chip implements up to the HCI in the Bluetooth Stack. The profiles seem to be implemented in software.
BTServer
The iPhone has a Bluetooth daemon called BTServer that serves the little Bluetooth functionality the iPhone currently offers. It is launched by the /sbin/launchd process. On killing the BTServer process, launchd restarts it almost instantly. It is possible to observe BTServer launching the BlueTool utility by listing processes rapidly right after killing BTServer. If Bluetooth was set inactive in the control panel, BTServer calls /usr/sbin/BlueTool -f /etc/bluetool/iPhone1,1.deepsleep.script. On the other hand, if Bluetooth was set active in the control panel, BTServer calls BlueTool with /etc/bluetool/iPhone1,1.init.script.
Disabling BTServer
In order to fool around with Bluetooth it seems necessary to prevent BTServer from being loaded. The /System/Library/LaunchDaemons/com.apple.BTServer.plist file can be edited: there is a 'disabled' key set to false by default, and setting it to true will prevent BTServer from being started. With BTServer completely deactivated, the control panel Bluetooth item should say 'inactive' and the toggle switch should be grayed out.
Update: It is not necessary to disable BTServer. It's enough to keep Bluetooth turned off in the control panel.
Enabling Bluetooth Logs (see http://code.google.com/p/iphone-elite/wiki/BTServerLogs)
mkdir -p /var/logs/BTServer
touch /var/logs/BTServer/stderr
touch /var/logs/BTServer/stdout
(As of firmware 2.0, the above mentioned snippet does not seem to work anymore)
Update: For firmware 2.0, you also need to change the ownership of the log directory:
chown -R mobile /var/logs/BTServer
BlueTool
This is a low level utility, used by the BTServer daemon to configure the iPhone Bluetooth module through the /etc/bluetool/iPhone1,1.init.script file.
This effectively 'turns on' Bluetooth (sets it to discoverable), but it should be noted that the kernel doesn't know it (there is no Bluetooth icon in the status bar).
To do this yourself:
# bluetool
Welcome to bluetool... (etc)
bluetool> device -d /dev/cu.bluetooth # select the device
- this makes bluetool call a function from CoreTelephony which has already been reverse engineered, called _CTServerConnectionCreate(CFAllocatorRef, void *, int *)
bluetool will then tell you (if successful) that it has opened /dev/cu.bluetooth at 115200 baud
bluetool> power on
- again, a CoreTelephony function is called; however, no-one (to the extent of my knowledge) has reversed it: _CTServerConnectionSetBluetoothPower(???). You can bet that the first argument is going to be a connection reference made from calling ConnectionCreate, i.e. connRef = _CTServerConnectionCreate();
bluetool> autobaud
- from here on bluetool only deals with POSIX functions (yay!!), and it basically sends ioctl() requests to the Bluetooth driver, in the coveted HCI.
The ioctl() numbers for each HCI command can only be found out by reverse engineering or by porting/using strace, dtrace, ktrace, sc_usage or truss.
Note with bluetool
It may not be that easy, because a reverse-engineered pre-2.0 bluetool calls functions from IOKit, which is obviously not POSIX. The 2.0 bluetool still links against IOKit.
To 'unlock' the iPhone's Bluetooth capabilities, which I believe are there (in the driver; the chip can DEFINITELY do it), one would need to be able to send the driver raw HCI, which this program demonstrates it can do.
Output of the BlueTool console on an iPhone:
bluetool-> hci info
Radio Manufacturer: CSR
Bluetooth HCI Specification: Version 2.0
Bluetooth Address: 00:02:5b:00:a5:a5
bluetool-> csr -V
CSR BlueCore Version 0x0003, Revision 0x0030, Build: A06
From CSR's BlueCore BCCMD Commands Document (bcore-sp-005Pe)
ChipVer = 0x03, BlueCore3-Multimedia, BlueCore3-ROM, BlueCore3-FLASH, BlueCore4-External, BlueCore4-ROM
ChipRev = 0x30, BlueCore4-ROM
ChipAnaVer = A06 (???)
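The "raw HCI" that the Bluetooth Stack and BlueTool sections talk about is just a byte framing over the UART behind /dev/cu.bluetooth. The following C program is an added example, not code from the wiki page, from BlueTool or from BTstack: it builds the H4 command frames for Read_Local_Version_Information and Read_BD_ADDR and decodes the controller's Command Complete replies into the same fields that "bluetool-> hci info" prints above (manufacturer, HCI version, Bluetooth address). The reply bytes are constructed to match that output, not captured from a device; the function and constant names are this example's own; the opcodes, event code, HCI version numbers and company identifiers are from the Bluetooth Core specification and Assigned Numbers. It does not open the device node, so it runs anywhere.

```c
/* Added example: H4 (UART) framing of HCI commands and decoding of Command
 * Complete events. Not code from the iPhone Wiki page, BlueTool or BTstack. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* H4 packet type indicators on the UART transport. */
#define H4_COMMAND 0x01
#define H4_EVENT   0x04

/* HCI opcode = OGF << 10 | OCF (Bluetooth Core spec, Vol 2 Part E). */
#define HCI_OPCODE(ogf, ocf)  ((uint16_t)(((ogf) << 10) | (ocf)))
#define OP_RESET              HCI_OPCODE(0x03, 0x0003) /* 0x0C03 */
#define OP_READ_LOCAL_VERSION HCI_OPCODE(0x04, 0x0001) /* 0x1001 */
#define OP_READ_BD_ADDR       HCI_OPCODE(0x04, 0x0009) /* 0x1009 */
#define EVT_COMMAND_COMPLETE  0x0E

/* Build [0x01][opcode LE][param len][params]; returns frame length, 0 if it won't fit. */
size_t hci_build_command(uint8_t *out, size_t cap, uint16_t opcode,
                         const uint8_t *params, uint8_t plen)
{
    if (cap < (size_t)4 + plen) return 0;
    out[0] = H4_COMMAND;
    out[1] = opcode & 0xFF;
    out[2] = opcode >> 8;
    out[3] = plen;
    if (plen) memcpy(out + 4, params, plen);
    return 4 + plen;
}

struct local_version {
    uint8_t status, hci_version, lmp_version;
    uint16_t hci_revision, manufacturer, lmp_subversion;
};

/* Decode Command Complete for Read_Local_Version_Information:
 * [0x04][0x0E][len=12][num_pkts][opcode LE][status][hci_ver][hci_rev LE][lmp_ver][manuf LE][lmp_sub LE]
 * Length fields are checked before any byte is read, so a short or lying frame is rejected. */
int hci_parse_local_version(const uint8_t *f, size_t n, struct local_version *v)
{
    if (n != 15 || f[0] != H4_EVENT || f[1] != EVT_COMMAND_COMPLETE || f[2] != 12) return -1;
    uint16_t op = f[4] | (f[5] << 8);
    if (op != OP_READ_LOCAL_VERSION) return -1;
    v->status = f[6];
    v->hci_version = f[7];
    v->hci_revision = f[8] | (f[9] << 8);
    v->lmp_version = f[10];
    v->manufacturer = f[11] | (f[12] << 8);
    v->lmp_subversion = f[13] | (f[14] << 8);
    return 0;
}

/* Decode Command Complete for Read_BD_ADDR. The address is sent little-endian,
 * so the six bytes are reversed to get the usual "xx:xx:xx:xx:xx:xx" display. */
int hci_parse_bd_addr(const uint8_t *f, size_t n, char out[18])
{
    if (n != 13 || f[0] != H4_EVENT || f[1] != EVT_COMMAND_COMPLETE || f[2] != 10) return -1;
    uint16_t op = f[4] | (f[5] << 8);
    if (op != OP_READ_BD_ADDR || f[6] != 0x00) return -1;   /* status 0x00 = success */
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x", f[12], f[11], f[10], f[9], f[8], f[7]);
    return 0;
}

/* HCI_Version assigned numbers: 0=1.0b 1=1.1 2=1.2 3=2.0+EDR 4=2.1+EDR 5=3.0+HS 6=4.0 */
const char *hci_version_name(uint8_t v)
{
    static const char *names[] = { "1.0b", "1.1", "1.2", "2.0 + EDR", "2.1 + EDR", "3.0 + HS", "4.0" };
    return v < sizeof names / sizeof names[0] ? names[v] : "unknown";
}

/* Company identifiers: 0x000A Cambridge Silicon Radio, 0x000F Broadcom. */
const char *manufacturer_name(uint16_t id)
{
    return id == 0x000A ? "CSR" : id == 0x000F ? "Broadcom" : "unknown";
}

/* Constructed sample replies (not captured from a device), chosen to match the page's output. */
static const uint8_t sample_version_evt[15] = {
    0x04, 0x0E, 0x0C, 0x01, 0x01, 0x10, 0x00,          /* event, len 12, 1 pkt, opcode 0x1001, OK */
    0x03, 0x00, 0x00, 0x03, 0x0A, 0x00, 0x00, 0x00     /* HCI 2.0+EDR, rev 0, LMP 2.0+EDR, CSR, sub 0 */
};
static const uint8_t sample_bdaddr_evt[13] = {
    0x04, 0x0E, 0x0A, 0x01, 0x09, 0x10, 0x00,          /* opcode 0x1009, status OK */
    0xA5, 0xA5, 0x00, 0x5B, 0x02, 0x00                 /* 00:02:5b:00:a5:a5, little-endian */
};

int main(void)
{
    uint8_t frame[8];
    size_t n = hci_build_command(frame, sizeof frame, OP_READ_LOCAL_VERSION, NULL, 0);
    printf("Read_Local_Version_Information frame:");
    for (size_t i = 0; i < n; i++) printf(" %02x", frame[i]);
    printf("\n");
    struct local_version v;
    if (hci_parse_local_version(sample_version_evt, sizeof sample_version_evt, &v) == 0)
        printf("Radio Manufacturer: %s\nBluetooth HCI Specification: Version %s\n",
               manufacturer_name(v.manufacturer), hci_version_name(v.hci_version));
    char addr[18];
    if (hci_parse_bd_addr(sample_bdaddr_evt, sizeof sample_bdaddr_evt, addr) == 0)
        printf("Bluetooth Address: %s\n", addr);
    return 0;
}
```

The strict length checks in the two parsers are the part worth copying: bytes coming back from a radio over a serial line are untrusted input to the host, and a decoder that trusts the controller's own length byte is the usual place where a host-side Bluetooth stack goes wrong.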