# Inside Job: Diagnosing Bluetooth Lower Layers Using Off-the-Shelf Devices

**Authors:** Jiska Classen, Matthias Hollick

arXiv: 1905.00634 · 2019-05-03

## TL;DR

This paper demonstrates how standard smartphones can be used to diagnose and analyze Bluetooth chip behavior internally, revealing lower-layer operations and diagnostic features without expensive external tools.

## Contribution

It introduces a method to reverse engineer a diagnostic protocol inside Broadcom Bluetooth chips using off-the-shelf smartphones.

## Key findings

- Enabled internal Bluetooth analysis on consumer devices
- Revealed diagnostic features like LL sniffing and memory access
- Demonstrated practical on-device Bluetooth diagnostics

## Abstract

Bluetooth is among the dominant standards for wireless short-range communication, with billions of Bluetooth devices shipped each year. Basic Bluetooth analysis inside consumer hardware such as smartphones can be accomplished by observing the Host Controller Interface (HCI) between the operating system's driver and the Bluetooth chip. However, the HCI does not provide insight into tasks running inside a Bluetooth chip or into Link Layer (LL) packets exchanged over the air. As of today, the internal behavior of consumer hardware can only be observed with external, and often expensive, tools that need to be present during initial device pairing. In this paper, we leverage standard smartphones for on-device Bluetooth analysis and reverse engineer a diagnostic protocol that resides inside Broadcom chips. Diagnostic features include sniffing lower layers such as the LL for Classic Bluetooth and Bluetooth Low Energy (BLE), transmission and reception statistics, test mode, and memory peek and poke.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.00634/full.md

## Figures

5 figures with captions in the complete paper: https://tomesphere.com/paper/1905.00634/full.md

## References

18 references — full list in the complete paper: https://tomesphere.com/paper/1905.00634/full.md

---
Source: https://tomesphere.com/paper/1905.00634