InternalBlue - A Deep Dive into Bluetooth Controller Firmware

Dennis Mantz

The firmware of the BCM4339 Bluetooth controller (Nexus 5) and its firmware
update mechanism have been reverse engineered. Based on that, we developed a
Bluetooth experimentation framework that can patch the firmware and can
therefore be used to implement monitoring and injection tools for the lower
layers of the Bluetooth protocol stack.
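A host-side framework like the one described talks to the controller over HCI, so the building block any such tool needs is correct HCI framing. The following is an added example, not InternalBlue's own code: it packs and parses HCI command and event packets as defined in the Bluetooth Core specification (H4 packet indicator, 16-bit opcode made of a 6-bit OGF and a 10-bit OCF, one-byte parameter length, and the Command Complete event). The vendor-specific OGF 0x3F is spec-defined; the "write RAM" OCF and its address-plus-data parameter layout are assumptions made for illustration, since the page does not document the BCM4339 command set.

```python
import struct
from dataclasses import dataclass

# H4 (UART transport) packet type indicators from the Core spec.
H4_COMMAND = 0x01  # HCI command, host -> controller
H4_EVENT = 0x04    # HCI event, controller -> host

OGF_VENDOR_SPECIFIC = 0x3F      # OGF reserved for vendor-specific commands
EVT_COMMAND_COMPLETE = 0x0E     # event code of Command Complete

# ASSUMPTION for illustration only: a vendor OCF that writes controller RAM.
# The page does not state the real BCM4339 command numbers or layouts.
OCF_WRITE_RAM_ASSUMED = 0x04C


def hci_opcode(ogf: int, ocf: int) -> int:
    """Opcode = OGF in the top 6 bits, OCF in the low 10 bits."""
    if not 0 <= ogf <= 0x3F:
        raise ValueError("OGF is a 6-bit field")
    if not 0 <= ocf <= 0x3FF:
        raise ValueError("OCF is a 10-bit field")
    return (ogf << 10) | ocf


def split_opcode(opcode: int) -> tuple[int, int]:
    return (opcode >> 10) & 0x3F, opcode & 0x3FF


def build_hci_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """H4 indicator + little-endian opcode + one-byte length + parameters."""
    if len(params) > 0xFF:
        raise ValueError("HCI command parameter length is a single byte")
    header = struct.pack("<BHB", H4_COMMAND, hci_opcode(ogf, ocf), len(params))
    return header + params


@dataclass
class HciCommand:
    ogf: int
    ocf: int
    params: bytes


@dataclass
class HciEvent:
    event_code: int
    params: bytes


def parse_h4(pkt: bytes):
    """Parse an H4-framed command or event, checking the declared length."""
    if not pkt:
        raise ValueError("empty packet")
    indicator = pkt[0]
    if indicator == H4_COMMAND:
        if len(pkt) < 4:
            raise ValueError("truncated HCI command header")
        opcode, plen = struct.unpack_from("<HB", pkt, 1)
        params = pkt[4:]
        if len(params) != plen:
            raise ValueError("parameter length does not match header")
        ogf, ocf = split_opcode(opcode)
        return HciCommand(ogf, ocf, params)
    if indicator == H4_EVENT:
        if len(pkt) < 3:
            raise ValueError("truncated HCI event header")
        code, plen = struct.unpack_from("<BB", pkt, 1)
        params = pkt[3:]
        if len(params) != plen:
            raise ValueError("parameter length does not match header")
        return HciEvent(code, params)
    raise ValueError(f"unsupported H4 packet type 0x{indicator:02x}")


def write_ram_command(address: int, data: bytes) -> bytes:
    """Hypothetical vendor command: 32-bit LE address followed by the bytes
    to write. Layout is an assumption, not taken from the page."""
    return build_hci_command(OGF_VENDOR_SPECIFIC, OCF_WRITE_RAM_ASSUMED,
                             struct.pack("<I", address) + data)


def parse_command_complete(evt: HciEvent):
    """Command Complete: Num_HCI_Command_Packets(1), Command_Opcode(2),
    then the command's return parameters (status byte first for most)."""
    if evt.event_code != EVT_COMMAND_COMPLETE or len(evt.params) < 3:
        raise ValueError("not a Command Complete event")
    ncmd, opcode = struct.unpack_from("<BH", evt.params, 0)
    return ncmd, split_opcode(opcode), evt.params[3:]


if __name__ == "__main__":
    # Constructed sample: write two bytes at a made-up address, then parse a
    # constructed Command Complete reply with status 0x00 (success).
    cmd = write_ram_command(0x00201000, b"\xaa\xbb")
    print(cmd.hex())
    print(parse_h4(cmd))
    reply = parse_h4(bytes.fromhex("040e04014cfc00"))
    print(parse_command_complete(reply))
```

The length check in parse_h4 is the detail worth keeping when a tool also sniffs traffic: a controller or a patched firmware that reports a parameter length different from the bytes actually present would otherwise be silently mis-parsed.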

Where no one has gone before - into the Bluetooth controller internals, a
component used by many but understood by few. On our journey we explore the
lower layers of the Bluetooth protocol stack, which are hidden from the common
eye, encapsulated inside the firmware of the controller. In the depths of the
disassembly we encounter semaphores, blocking queues and task schedulers, and
when we finally discover the firmware update mechanism, a whole new world of
possibilities opens up.

Armed with this knowledge, we build a bridge into this world by implementing
the Bluetooth experimentation framework InternalBlue. The hidden Link Manager
Protocol is dark and full of terrors, so we use InternalBlue to cast light into
the shadows of the night. If the old demo gods and the new are merciful, we
will be able to witness a Bluetooth pairing sequence in Wireshark and follow
the key exchange in real time.