{"guid":"0c371809-6e2f-5094-a0ac-6190e939363a","title":"InternalBlue - A Deep Dive into Bluetooth Controller Firmware","subtitle":null,"slug":"2018-154-internalblue-a-deep-dive-into-bluetooth-controller-firmware","link":"https://talks.mrmcd.net/2018/talk/NBA9RW","description":"The firmware of the BCM4339 Bluetooth controller (Nexus 5) and its firmware\nupdate mechanism have been reverse engineered. Based on that we developed a\nBluetooth experimentation framework which is able to patch the firmware and\ntherefore implement monitoring and injection tools for the lower layers of the\nBluetooth protocol stack.\n\nWhere no one has gone before - into the Bluetooth controller internals, a\ncomponent used by many but understood by only a few. On our journey we explore\nthe lower layers of the Bluetooth protocol stack which are hidden from the\ncommon eye - encapsulated inside the firmware of the controller. In the depths\nof the disassembly we encounter semaphores, blocking queues and task schedulers\nand when we finally discover the firmware update mechanism a whole new world of\npossibilities opens up.\n\nArmed with this knowledge, we build a bridge into this world by implementing\nthe Bluetooth experimentation framework InternalBlue. For the hidden Link\nManager Protocol is dark and full of terrors, we use InternalBlue to cast light\ninto the shadows of the night. 
If the old demo gods and the new are merciful we\nwill be able to witness a Bluetooth pairing sequence in Wireshark and follow\nthe key exchange in real time.","original_language":"eng","persons":["Dennis Mantz"],"tags":["mrmcd18","154"],"view_count":1195,"promoted":false,"date":"2018-09-08T00:00:00.000+02:00","release_date":"2018-09-08T02:00:00.000+02:00","updated_at":"2026-04-01T19:30:06.519+02:00","length":2021,"duration":2021,"thumb_url":"https://static.media.ccc.de/media/conferences/mrmcd/mrmcd18/154-hd.jpg","poster_url":"https://static.media.ccc.de/media/conferences/mrmcd/mrmcd18/154-hd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/conferences/mrmcd/mrmcd18/0c371809-6e2f-5094-a0ac-6190e939363a-timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/conferences/mrmcd/mrmcd18/0c371809-6e2f-5094-a0ac-6190e939363a-thumbnails.vtt","frontend_link":"https://media.ccc.de/v/2018-154-internalblue-a-deep-dive-into-bluetooth-controller-firmware","url":"https://api.media.ccc.de/public/events/0c371809-6e2f-5094-a0ac-6190e939363a","conference_title":"MRMCD 2018 - Ganz grosses 
Kino","conference_url":"https://api.media.ccc.de/public/conferences/mrmcd18","related":[{"event_id":5949,"event_guid":"641b63f4-4499-57e7-ab51-997b002babf0","weight":13},{"event_id":5951,"event_guid":"416b46f8-7d6c-5bbb-82da-b7481007b94f","weight":12},{"event_id":5952,"event_guid":"17e98e8e-9c37-54b0-9738-f1004ca6d311","weight":10},{"event_id":5953,"event_guid":"3c3707ab-6d54-53b8-93d9-7c414cac425e","weight":19},{"event_id":5956,"event_guid":"9085a612-073b-5fe3-97e8-02f308ade923","weight":21},{"event_id":5958,"event_guid":"736d18c5-2d2d-5815-b488-aad7429dfdea","weight":11},{"event_id":5960,"event_guid":"541dc917-721a-59c3-b4eb-371a7e8acc3e","weight":14},{"event_id":5963,"event_guid":"a82b651c-90ab-5427-96f5-41907efaab08","weight":10},{"event_id":5964,"event_guid":"f5c4898d-68fb-5758-9ea1-717a099803dd","weight":14},{"event_id":5965,"event_guid":"c9dcd2a5-288f-55d0-8577-dc00c2e185ce","weight":19},{"event_id":5966,"event_guid":"b6554fda-0520-5ae9-ad5a-73dab200bf36","weight":6},{"event_id":5967,"event_guid":"1ce53ae2-b5c6-59a3-ad28-68078de8e634","weight":12},{"event_id":5969,"event_guid":"121459c7-aa60-5448-af88-2cf9a53f0a6c","weight":10},{"event_id":5971,"event_guid":"1b238da1-4d57-5951-8dea-abf09df92f3e","weight":10},{"event_id":6598,"event_guid":"8bd222ad-34a7-468a-9e83-11767dcfa809","weight":76}],"recordings":[{"size":138,"length":2021,"mime_type":"video/mp4","language":"eng","filename":"mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2018-09-08T18:37:46.148+02:00","recording_url":"https://cdn.media.ccc.de/events/mrmcd/mrmcd18/h264-hd/mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_hd.mp4","url":"https://api.media.ccc.de/public/recordings/28381","event_url":"https://api.media.ccc.de/public/events/0c371809-6e2f-5094-a0ac-6190e939363a","conference_url":"https://api.media.ccc.de/public/conferences/mrmcd18"},{"
size":30,"length":2011,"mime_type":"audio/mpeg","language":"eng","filename":"mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2018-09-08T18:37:58.518+02:00","recording_url":"https://cdn.media.ccc.de/events/mrmcd/mrmcd18/mp3/mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/28382","event_url":"https://api.media.ccc.de/public/events/0c371809-6e2f-5094-a0ac-6190e939363a","conference_url":"https://api.media.ccc.de/public/conferences/mrmcd18"},{"size":26,"length":2011,"mime_type":"audio/opus","language":"eng","filename":"mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2018-09-08T18:53:01.341+02:00","recording_url":"https://cdn.media.ccc.de/events/mrmcd/mrmcd18/opus/mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_opus.opus","url":"https://api.media.ccc.de/public/recordings/28386","event_url":"https://api.media.ccc.de/public/events/0c371809-6e2f-5094-a0ac-6190e939363a","conference_url":"https://api.media.ccc.de/public/conferences/mrmcd18"},{"size":234,"length":2021,"mime_type":"video/webm","language":"eng","filename":"mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2018-09-08T19:58:06.740+02:00","recording_url":"https://cdn.media.ccc.de/events/mrmcd/mrmcd18/webm-hd/mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/28387","event_url":"https://api.media.ccc.de/public/events/0c371809-6e2f-5094-a0ac-6190e939363a","conference_url":"https://api.media.ccc.de/public/conferences/mrmcd18"},{"size"
:85,"length":2021,"mime_type":"video/webm","language":"eng","filename":"mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2018-09-08T19:59:04.228+02:00","recording_url":"https://cdn.media.ccc.de/events/mrmcd/mrmcd18/webm-sd/mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/28390","event_url":"https://api.media.ccc.de/public/events/0c371809-6e2f-5094-a0ac-6190e939363a","conference_url":"https://api.media.ccc.de/public/conferences/mrmcd18"},{"size":58,"length":2021,"mime_type":"video/mp4","language":"eng","filename":"mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2018-09-08T19:59:37.667+02:00","recording_url":"https://cdn.media.ccc.de/events/mrmcd/mrmcd18/h264-sd/mrmcd18-154-eng-InternalBlue_-_A_Deep_Dive_into_Bluetooth_Controller_Firmware_sd.mp4","url":"https://api.media.ccc.de/public/recordings/28391","event_url":"https://api.media.ccc.de/public/events/0c371809-6e2f-5094-a0ac-6190e939363a","conference_url":"https://api.media.ccc.de/public/conferences/mrmcd18"}]}