Detailed explanation of how to capture the iPhone Bluetooth HCI log (a method that reveals the interaction between an iPhone and other Bluetooth products)

1. Statement

This column is published as a series and will keep being updated. The planned installments are as follows:

Part 1: Comprehensive introduction to Bluetooth: basic concepts, background, development history, Bluetooth products on the market, and the Bluetooth development board.

Part 2: Introduction to the transport layer: the Bluetooth protocol stack and the hardware transport protocols between the host and the Bluetooth chip, such as UART-based H4, H5 and BCSP, and USB-based H2.

Part 3: Introduction to the classic Bluetooth controller: classic (BR/EDR) Bluetooth chips, including the radio frequency layer (RF), the baseband layer and the link management layer (LMP).

Part 4: Introduction to the classic Bluetooth host: the classic Bluetooth protocol stack, including the HCI, L2CAP, SDP, RFCOMM, HFP, SPP, HID, AVDTP, AVCTP, A2DP, AVRCP, OBEX, PBAP and MAP protocols.

Part 5: Introduction to the Bluetooth Low Energy controller: Bluetooth Low Energy chips, including the physical layer (PHY) and the link layer (LL).

Part 6: Introduction to the Bluetooth Low Energy host: the Bluetooth Low Energy protocol stack, including HCI, L2CAP, ATT, GATT and SM.

Part 7: Introduction to Bluetooth chips: the initialization process of several Bluetooth chips, built on the vendor-specific extensions of HCI commands.

Part 8: Appendix: an explanation of the common terms used above and of some special procedures.

In addition, the development board and the accompanying course are listed below; together they are the best set for anyone who wants to learn the Bluetooth protocol stack. Believe me, after studying this set of videos you will be able to modify any protocol stack (such as BlueZ on Linux or Bluedroid on Android).

------------------------------------------------------------------------------------------------------------------------------------------

CSDN Academy link (enter to select the course you want to study): https://edu.csdn.net/lecturer/5352?spm=1002.2001.3001.4144

Bluetooth discussion QQ group: 970324688

Github code: https://github.com/sj15712795029/bluetooth_stack

Development board for getting started: https://item.taobao.com/item.htm?spm=a1z10.1-cs.w4004-22329603896.18.5aeb41f973iStr&id=622836061708

------------------------------------------------------------------------------------------------------------------------------------------

In addition, you are welcome to follow the official account, where I regularly post useful material.

2. How to capture HCI packets on the iPhone

During actual development we may want to see the result of the Bluetooth interaction between an iPhone and a third-party product, but unfortunately we cannot capture the iPhone's HCI log, and an air (sniffer) log alone does not contain the link key, so the interaction cannot be decoded. Based on this pain point I found a way to do it. The only catch is that the bar is a bit high: you need a Mac computer and an MFi account! Let me tell you now: if you cannot get a Mac and someone with an MFi account, take a detour, farewell!!

The main goal of this part is to capture the HCI data of the iPhone. It serves the following purposes:

  • Understand the Bluetooth procedures of the iPhone.
  • If a compatibility problem appears during development, use the HCI log to determine whether the problem is on the iPhone side or in our own local protocol stack.
  • Find the link key in the HCI log captured from the iPhone and use it to decrypt the air log. The scenario is this: suppose a product (made by another company) talks to the iPhone and you want to see the interaction between them, but the captured air log cannot be decrypted. This method can be used in that case.

2.1 Preparation and installation of software tools

Required equipment: an iPhone and a Mac computer; the setup is shown in the following diagram:

The Mac is connected to the iPhone through a USB cable, and then the software is installed (you must obtain the software and the MFi account yourself; they are NDA material, so it is not appropriate to share them here).

  • The Mac needs the ATS software installed and an MFi account.
  • The iPhone needs iOS 13 or later, the ATS Utility installed, and also an MFi account.

2.1.1 iPhone steps:

① After installing ATS Utility,

② open ATS Utility and select ATS tool.

③ Open ATS Tool and select INSTALL under Tethered Bluetooth. This step asks for the MFi account and downloads a configuration profile; download it.

④ Then open the iPhone Settings. A newly downloaded profile will be listed there; tap it and tap Install!

At this point the iPhone side is installed and configured; now let's look at the setup on the Mac side.

2.1.2 Mac steps:

① After installing ATS,

② open ATS and click the small + sign.

③ In the window that opens, select the Wireless tab as shown in the figure, and select Protocol and IAP2 if a device is present.

④ Click Start Capture; after selection this symbol appears on the iPhone.

⑤ Then, as the Bluetooth interface operates normally, data appears in the capture. ATS only decodes a few protocols (HCI, L2CAP, SDP, IAP), so for me it has just two main uses: IAP2 development and capturing the link key. The captured data looks like this:

At this point you can watch the HCI interaction in ATS, but there is a drawback: ATS is mainly meant for developing IAP2, so its HCI decoding is not as complete as the protocol views of Ellisys, Frontline or Wireshark. The most effective approach is therefore to read the link key, decrypt the air log, and view the interaction directly from the air log!

2.2 Where to find the link key

Open the capture file directly, open the HCI section, and find the HCI Link Key Notification event; the link key is inside it, as shown in the figure.
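As an added example (not code from the original post or from ATS), here is a small Python parser for an H4-framed HCI byte stream that locates Link Key Notification events the way you would scan the ATS capture; the sample bytes are constructed, not a real capture. The BR/EDR link key is generated inside the controller and handed to the host only in this event and never sent over the air, which is exactly why the air log alone cannot be decrypted and why an HCI log that contains this event must be stored and shared as a secret.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple

H4_COMMAND, H4_ACL, H4_SCO, H4_EVENT = 0x01, 0x02, 0x03, 0x04
EVT_LINK_KEY_NOTIFICATION = 0x18  # HCI event code from the Core specification
KEY_TYPES = {0x00: "Combination", 0x04: "Unauthenticated P-192",
             0x05: "Authenticated P-192", 0x07: "Unauthenticated P-256",
             0x08: "Authenticated P-256"}

@dataclass
class LinkKeyEvent:
    bd_addr: str   # "01:02:03:04:05:06" (most significant byte first)
    link_key: str  # 32 hex characters
    key_type: str

def h4_packets(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (packet_type, payload) for each H4 packet; a truncated tail is dropped.
    Header layouts: command/SCO = 2-byte id + 1-byte len, ACL = handle + 2-byte len,
    event = code + 1-byte len."""
    i = 0
    while i < len(stream):
        ptype = stream[i]
        if ptype == H4_EVENT:
            hdr, plen = 2, stream[i + 2:i + 3]
        elif ptype in (H4_COMMAND, H4_SCO):
            hdr, plen = 3, stream[i + 3:i + 4]
        elif ptype == H4_ACL:
            hdr, plen = 4, stream[i + 3:i + 5]
        else:
            raise ValueError(f"unknown H4 packet type 0x{ptype:02x} at offset {i}")
        if len(plen) < (2 if ptype == H4_ACL else 1):
            break  # header cut off at end of stream
        length = int.from_bytes(plen, "little")
        payload = stream[i + 1:i + 1 + hdr + length]
        if len(payload) < hdr + length:
            break  # payload cut off at end of stream
        yield ptype, payload
        i += 1 + hdr + length

def find_link_keys(stream: bytes) -> List[LinkKeyEvent]:
    """Return every well-formed Link Key Notification found in the stream."""
    found = []
    for ptype, payload in h4_packets(stream):
        if ptype != H4_EVENT or payload[0] != EVT_LINK_KEY_NOTIFICATION:
            continue
        params = payload[2:]
        if len(params) != 23:  # BD_ADDR(6) + Link_Key(16) + Key_Type(1)
            continue
        bd_addr = ":".join(f"{b:02X}" for b in reversed(params[:6]))  # wire order is little-endian
        key_type = KEY_TYPES.get(params[22], f"0x{params[22]:02x}")
        found.append(LinkKeyEvent(bd_addr, params[6:22].hex(), key_type))
    return found

# Constructed sample stream (not a real capture): HCI_Reset command, its Command Complete
# event, a short ACL packet, one Link Key Notification, and a truncated trailing event.
SAMPLE = bytes([
    0x01, 0x03, 0x0C, 0x00,                    # HCI_Reset command, no parameters
    0x04, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00,  # Command Complete for HCI_Reset, status 0
    0x02, 0x0B, 0x20, 0x02, 0x00, 0xAA, 0xBB,  # ACL data on handle 0x000B, 2 bytes
    0x04, 0x18, 0x17,                          # Link Key Notification, 23 parameter bytes
    0x06, 0x05, 0x04, 0x03, 0x02, 0x01,        # BD_ADDR little-endian -> 01:02:03:04:05:06
    *range(0x10, 0x20),                        # constructed 16-byte link key
    0x08,                                      # key type: Authenticated P-256
    0x04, 0x18,                                # truncated event at the end, ignored
])
```

Against a real export, feed the raw H4 bytes to `find_link_keys`; each result pairs the peer's BD_ADDR with the key to use when decrypting that link in the air log.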

Alright, it's done! Now start demystifying the iPhone!!

 


Source: blog.csdn.net/XiaoXiaoPengBo/article/details/114914919