MRMCD 2018

»InternalBlue - A Deep Dive into Bluetooth Controller Firmware«
2018-09-08, 14:00–14:50, Multiplex

The firmware of the BCM4339 Bluetooth controller (Nexus 5) and its firmware update mechanism have been reverse engineered. Based on that, we developed a Bluetooth experimentation framework that can patch the firmware and thereby implement monitoring and injection tools for the lower layers of the Bluetooth protocol stack.

Where no one has gone before - into the Bluetooth controller internals, a component used by many but understood by only a few. On our journey we explore the lower layers of the Bluetooth protocol stack, which are hidden from the common eye - encapsulated inside the firmware of the controller. In the depths of the disassembly we encounter semaphores, blocking queues and task schedulers, and when we finally discover the firmware update mechanism, a whole new world of possibilities opens up.

Armed with this knowledge, we build a bridge into this world by implementing the Bluetooth experimentation framework InternalBlue. For the hidden Link Manager Protocol is dark and full of terrors, we use InternalBlue to cast light into the shadows of the night. If the old demo gods and the new are merciful, we will be able to witness a Bluetooth pairing sequence in Wireshark and follow the key exchange in real time.