2g bluetooth: fun with ssh

Discussion in 'iPod touch' started by mac2612, Feb 5, 2009.

  1. mac2612 (New Member)

    Hi,

    I don't know if anyone else has also gotten this far, but I've done a little mucking around in the shell with the 2G Bluetooth.

    The first big thing I noticed was the presence of all of the Bluetooth devices:
    iPod-touch:/ root# ls /dev
    aes_0 bcm43250 bpf0 bpf1 bpf2 bpf3 btreset btwake console cu.bluetooth cu.iap
    disk0 disk0s1 disk0s2 klog null ptmx ptyp0 ptyp1 ptyp2 ptyp3 ptyp4 ptyp5 ptyp6 ptyp7
    random rdisk0 rdisk0s1 rdisk0s2 sha1_0 tty tty.bluetooth tty.iap ttyp0 ttyp1 ttyp2 ttyp3
    ttyp4 ttyp5 ttyp6 ttyp7 ttys000 ttys001 ttys002 ttys003 ttys004 uart.bluetooth uart.iap
    urandom vn0 vn1 zero

    I also noticed that the BTServer process is running by default:
    iPod-touch:/ root# ps ax | grep BTServer
    31 ?? Ss 0:00.31 /usr/sbin/BTServer

    All of these things are in line with the way that the iPhone does Bluetooth.

    I enabled logging for BTServer by following the procedure at: http://theiphonewiki.com/wiki/index.php?title=Bluetooth

    The logs contain some interesting things. These lines confirm that the device does indeed have a valid Bluetooth address, and that the iPod is giving itself a hostname for Bluetooth:

    Using env variable: BT_DEVICE_ADDRESS = 00:22:41:b2:fd:10
    Sending Write_BD_ADDR
    Using host name: iPod-touch
    Sending Write_Local_Name: iPod-touch

    Now, BTServer uses a low-level utility called BlueTool to configure the Bluetooth adapter. The BlueTool commands that the iPod is sending to the chipset can be found in /etc/bluetool. I found it interesting that the iphone1,1 scripts were in there as well. Anyways, you can look at the scripts to see what BTServer is "saying" to the chipset when it starts up. You can mimic these commands in BlueTool.

    The next step is trying to get all of this to actually DO something useful. I've made an attempt at this by following /etc/bluetool/pcm.example in BlueTool.

    However, I end up getting a weird error.

    Here's what I've been able to do in BlueTool:
    iPod-touch:/etc/bluetool root# BlueTool

    Welcome to BlueTool... Rev 0.1

    Cannot read termcap database;
    using dumb terminal settings.
    bluetool-> device -d /dev/cu.bluetooth -s 115200
    Opening /dev/cu.bluetooth @ 115200 baud.
    bluetool-> autobaud
    bluetool_command_autobaud
    bluetool_command_autobaud : reset ON
    bluetool_command_autobaud : reset OFF
    bluetool_command_autobaud : flush
    bluetool_command_autobaud : sleep again
    bluetool_command_autobaud : HCI reset !
    autobaud complete!
    bluetool-> hci reset
    Issued HCI Reset
    bluetool-> hci info
    Radio Manufacturer: Broadcom
    Bluetooth HCI Specification: 2.1
    Bluetooth HCI Revision: 0x0000
    Bluetooth LMP Version: 0x04
    Bluetooth LMP Subversion: 0x8107
    Bluetooth Address: 00:22:41:b2:fd:10
    bluetool-> csr -l 0
    Chip now in PCM Loopback Mode 0

    This is the point where I'm stuck:
    bluetool-> csr -V
    read() returned 22
    read() returned 22
    read() returned 22
    read() returned 22
    read() returned 22

    It keeps giving that error until you kill the app. I'm wondering if perhaps Apple may have left out part of the Bluetooth firmware, causing it to try and read something nonexistent.

    I know that this post is a little UNIX intensive for IPTF, but does anybody have any thoughts?
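
    The "hci info" output in the post above is BlueTool reading two standard HCI responses (Read_Local_Version_Information and Read_BD_ADDR) from the controller over the H4 UART transport on /dev/cu.bluetooth. The Python below is an added example, not code from this thread or from Apple's BlueTool: it frames those HCI commands for H4 and decodes the matching Command Complete events. The H4 packet indicators, opcodes, field layouts and the manufacturer/version tables are from the Bluetooth Core specification and Assigned Numbers; the response bytes are constructed here to match the values shown in the post (Broadcom, HCI 2.1, LMP 0x04, subversion 0x8107, BD_ADDR 00:22:41:b2:fd:10) and were not captured from a device, and all function names are this example's own. The manufacturer field is what distinguishes a CSR part (company ID 10) from a Broadcom part (company ID 15), which is the point the thread reaches below about csr versus bcm commands.

```python
"""Frame and decode the HCI exchange behind BlueTool's "hci info" (added example).

Sample response bytes are constructed to match the thread's output; they are
not a capture from an iPod touch.
"""
import struct

# H4 (UART transport) packet indicator bytes
H4_COMMAND = 0x01
H4_EVENT = 0x04
EVT_COMMAND_COMPLETE = 0x0E


def opcode(ogf, ocf):
    """HCI opcode packing: 6-bit OGF in the high bits, 10-bit OCF below it."""
    return ((ogf & 0x3F) << 10) | (ocf & 0x3FF)


OP_RESET = opcode(0x03, 0x0003)               # HCI_Reset, 0x0C03
OP_READ_LOCAL_VERSION = opcode(0x04, 0x0001)  # Read_Local_Version_Information, 0x1001
OP_READ_BD_ADDR = opcode(0x04, 0x0009)        # Read_BD_ADDR, 0x1009

# Bluetooth SIG company identifiers relevant to the thread (subset)
MANUFACTURERS = {10: "CSR", 15: "Broadcom"}
# HCI/LMP version numbers -> specification version (subset of Assigned Numbers)
SPEC_VERSIONS = {0: "1.0b", 1: "1.1", 2: "1.2", 3: "2.0", 4: "2.1", 5: "3.0", 6: "4.0"}


def build_command(op, params=b""):
    """H4 command packet: indicator, opcode (LE16), parameter length, parameters."""
    return bytes([H4_COMMAND]) + struct.pack("<HB", op, len(params)) + params


def parse_command_complete(pkt):
    """Return (opcode, status, return_params) from an H4 Command Complete event.

    Any framing mismatch raises ValueError; a transport loop should treat that
    as a resync condition rather than keep reading as if the stream were sane.
    """
    if len(pkt) < 3 or pkt[0] != H4_EVENT:
        raise ValueError("not an H4 event packet")
    evt, plen, body = pkt[1], pkt[2], pkt[3:]
    if evt != EVT_COMMAND_COMPLETE:
        raise ValueError("event 0x%02x is not Command Complete" % evt)
    if len(body) != plen or plen < 4:
        raise ValueError("length field %d does not match %d bytes of body" % (plen, len(body)))
    _num_pkts, op, status = struct.unpack_from("<BHB", body)
    return op, status, body[4:]


def decode_local_version(ret):
    """Read_Local_Version_Information return parameters after the status byte."""
    hci_ver, hci_rev, lmp_ver, manuf, lmp_sub = struct.unpack("<BHBHH", ret)
    return {
        "manufacturer": MANUFACTURERS.get(manuf, "unknown (0x%04x)" % manuf),
        "hci_spec": SPEC_VERSIONS.get(hci_ver, "0x%02x" % hci_ver),
        "hci_revision": hci_rev,
        "lmp_version": lmp_ver,
        "lmp_subversion": lmp_sub,
    }


def decode_bd_addr(ret):
    """BD_ADDR travels least-significant byte first; print it MSB first."""
    if len(ret) != 6:
        raise ValueError("BD_ADDR must be 6 bytes")
    return ":".join("%02x" % b for b in reversed(ret))


def hci_info(responses):
    """Decode the Command Complete events for the two queries "hci info" makes."""
    info = {}
    for pkt in responses:
        op, status, ret = parse_command_complete(pkt)
        if status != 0:
            raise RuntimeError("opcode 0x%04x failed with status 0x%02x" % (op, status))
        if op == OP_READ_LOCAL_VERSION:
            info.update(decode_local_version(ret))
        elif op == OP_READ_BD_ADDR:
            info["bd_addr"] = decode_bd_addr(ret)
    return info


# Constructed responses matching the thread's "hci info" output (not a real capture).
SAMPLE_RESPONSES = [
    # Command Complete for 0x1001: status 0, HCI ver 4 (2.1), rev 0, LMP 4, manuf 15, sub 0x8107
    bytes.fromhex("04 0e 0c 01 01 10 00 04 00 00 04 0f 00 07 81"),
    # Command Complete for 0x1009: status 0, BD_ADDR 00:22:41:b2:fd:10 (LSB first on the wire)
    bytes.fromhex("04 0e 0a 01 09 10 00 10 fd b2 41 22 00"),
]

if __name__ == "__main__":
    for op in (OP_RESET, OP_READ_LOCAL_VERSION, OP_READ_BD_ADDR):
        print("->", build_command(op).hex(" "))
    for key, value in hci_info(SAMPLE_RESPONSES).items():
        print("%s: %s" % (key, value))
```

    Feeding the controller's real bytes into parse_command_complete instead of SAMPLE_RESPONSES would need a serial reader on /dev/cu.bluetooth at the baud rate BlueTool negotiated; the point of the example is the framing and the decode, which is the same on any H4 transport.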
  2. MANOWAR© (Member, iPhone 4 (Black))

    can you change the baud rate from auto to a fixed 115200?

    I have a device from work that has BT built in but neutered like this is, and changing it from an auto data transfer rate to a fixed one lets me use my BT headset on it. Maybe this works the same way. Totally different kind of device though.
  3. ZombieKiller (Banned, iPhone 3G (White))

    Maybe you can change the shemewame to 15484 and then edit the doocaca to 45754, and after that... you can cause a black hole.
  4. markxdye (New Member, 2G iPod touch)

    ahahah win
  5. nikj14 (Active Member, iPhone 3GS (Black))

    Have you figured out if there are enough similarities so Sweet tooth will work? (or something like it)
  6. mac2612 (New Member)

    Yeah, you can skip autobaud and just say something like
    bcm -b 1520000

    but I'm not sure how much good it'll do. I still can't get anything other than read() returned 22 out of the csr command, but there may be a different way to pair a headset. The problem is that no documents/references on this stuff exist outside of Apple, to my knowledge, so it's hard to know which commands are actually available.
    ------------------double post merged------------------
    hahaha, reminds me of Lake Titicaca
    ------------------double post merged------------------
    Well..... That's just the thing. It looks like big parts of the way that Apple talks to the device are the same, but since the csr part of the chip isn't working (which I don't know if it's physically missing or just disabled), I can't figure out how exactly to DO anything yet. I think that if we can get the csr portion of the Bluetooth to work, we may be able to unlock "real" Bluetooth.

    Edit:
    OK, I figured something else out. CSR is the brand of the chip that the iPhone uses, meaning the csr command is probably useless with a Broadcom chip like the ipt2g. Therefore, I'd think we should be investigating the syntax of the bcm command within BlueTool.
  7. MANOWAR© (Member, iPhone 4 (Black))

    maybe he will divide by 0 and do just that!!

  8. DS-Magic (Member)

    I can't say I understood that, but does that mean there is a slight chance an app can use the Bluetooth to actually send things to other BT devices?
  9. rtgiant (New Member)

  10. VECTORD (New Member, iPhone 4 (Black))

    The bluetool-> csr -V command can only be used by iPhones, I think... because the iPod touch has BCM and the iPhone has the CSR.
