I'm interested in connecting to iOS-based devices over Bluetooth. I can see that the "Local Network" service is exposed, but I cannot find any extra information about it. Property stored under key 0x0204 looks like a Bonjour key.
Which protocol is used? How can one talk to the iOS device using Linux, Mac or one's own embedded device equipped with a Bluetooth chip?
Here's SDP data extracted using Bluetooth Explorer under OS X while the iOS device runs Gameloft's Star Battalion.
{
0x0000 = uint32(1330188565),
0x0200 = uint32(2),
0x0202 = string(004wD7l1A..0|0|0|ivucic-À'),
0x030a = uint32(0),
0x0009 = { { uuid16(11 15), uint16(256) } },
0x0201 = string(_657o30a6rmst07À),
0x0005 = { uuid16(10 02) },
0x0100 = string(Local Network),
0x0001 = { uuid16(11 15) },
0x0203 = string(004wd7l1a..0|0|0|ivucic-_657o30a6rmst07À
0xf000 = uint8(2),
0x0204 = string( txtvers=1state=A),
0x0008 = uint8(255),
0x0006 = { uint16(25966), uint16(106), uint16(256), uint16(26226), uint16(106), uint16(272), uint16(25701), uint16(106), uint16(288), uint16(27233), uint16(106), uint16(304) },
0x0004 = { { uuid16(01 00), uint16(15) }, { uuid16(00 0f), uint16(256), { uint16(2048), uint16(2054) } } },
0x0002 = uint32(0)
},
Other partially relevant questions:
- PAN with Linux, iOS, Bluetooth, Bonjour, GameKit — Possible? - Person can solve problem using Wi-Fi. Not solution here because embedded device will not have the way more expensive Wi-Fi chip.
- Bonjour over bluetooth WITHOUT Gamekit? - Best answer does not end up providing technical details
- iOS bluetooth without GameKit - Provides a solution for a jailbroken device, which is not applicable here.
Researching further with Apple's Bluetooth Explorer in OS X and sdptool
in GNU/Linux, I have discovered that key 0x0001
(standing for "protocol class"), containing value of 0x1115
, stands for the "PANU" variant of "PAN" - a peer2peer variant. It is notable that OS X does not provide service-side ('hosting') support for this protocol, despite supporting creation of a 0x1116
network, which is the "NAP" variant of "PAN" - a client/server variant.
This might be good news, but only if GameKit's session protocol does not have to be used. Hijacking the media-layer connection established by GameKit in order to send other UDP traffic would be ideal.
I'll still have to research whether or not this GameKit connection really is 0x1115
; that is, if it really is "PANU". Does anyone have any further information?
Note while Bonjour automatically announced this Bluetooth service after iOS 3, this has changed with iOS 5. See the answer I posted on how to establish Bluetooth connection without GameKit, where I handily documented information from Apple's Technical Q&A QA1753.
A small amount of research with GNU/Linux did not result in a successful connection. It may be due to lack of knowledge on how to properly use pand
. It may also be due to Bluetooth MAC based blocking. I'd love info anyone may have to offer. If I research this further and stumble upon something interesting, I'll update this answer.
Results under Ubuntu. The service appears only when Bluetooth Bonjour is active.
ivucica@ivucica-MacBook:~$ sdptool browse $ADDR #relevant data only
Browsing ADDRESS_HERE ...
Service Name: Local Network
Service RecHandle: 0x4f491115
Service Class ID List:
"PAN User" (0x1115)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 15
"BNEP" (0x000f)
Version: 0x0100
SEQ8: 0 6
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
code_ISO639: 0x6672
encoding: 0x6a
base_offset: 0x110
code_ISO639: 0x6465
encoding: 0x6a
base_offset: 0x120
code_ISO639: 0x6a61
encoding: 0x6a
base_offset: 0x130
Profile Descriptor List:
"PAN User" (0x1115)
Version: 0x0100
... and so on ...
Here's the attempt to connect:
ivucica@ivucica-MacBook:~$ pand --connect $ADDR -n
pand[3237]: Bluetooth PAN daemon version 4.98
pand[3237]: Connecting to ADDRESS_HERE
pand[3237]: Connect to ADDRESS_HERE failed. Connection refused(111)
Is some sort of authorization required? Enabling encryption, authentication, secure connection and forcing becoming a master doesn't seem to make any difference (-AESM
options in various combinations).
Anyone has any ideas?
Huh!
ivucica@ivucica-MacBook:~$ sudo hcidump HCI sniffer - Bluetooth packet analyzer ver 2.2 device: hci0 snap_len: 1028 filter: 0xffffffff HCI Event: Command Status (0x0f) plen 4 Create Connection (0x01|0x0005) status 0x00 ncmd 1 > HCI Event: Role Change (0x12) plen 8 status 0x00 bdaddr ADDRESS_HERE role 0x01 Role: Slave > HCI Event: Connect Complete (0x03) plen 11 status 0x00 handle 12 bdaddr ADDRESS_HERE type ACL encrypt 0x00 HCI Event: Command Status (0x0f) plen 4 Read Remote Supported Features (0x01|0x001b) status 0x00 ncmd 1 > HCI Event: Read Remote Supported Features (0x0b) plen 11 status 0x00 handle 12 Features: 0xbf 0xfe 0x8f 0xfe 0x9b 0xff 0x79 0x83 HCI Event: Command Status (0x0f) plen 4 Read Remote Extended Features (0x01|0x001c) status 0x00 ncmd 1 > HCI Event: Max Slots Change (0x1b) plen 3 handle 12 slots 5 > HCI Event: Read Remote Extended Features (0x23) plen 13 status 0x00 handle 12 page 1 max 1 Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 HCI Event: Command Status (0x0f) plen 4 Remote Name Request (0x01|0x0019) status 0x00 ncmd 1 > HCI Event: Remote Name Req Complete (0x07) plen 255 status 0x00 bdaddr ADDRESS_HERE name 'Evil iPad' HCI Event: Command Status (0x0f) plen 4 Authentication Requested (0x01|0x0011) status 0x00 ncmd 1 > HCI Event: Link Key Request (0x17) plen 6 bdaddr ADDRESS_HERE HCI Event: Command Complete (0x0e) plen 10 Link Key Request Reply (0x01|0x000b) ncmd 1 status 0x00 bdaddr ADDRESS_HERE > HCI Event: Auth Complete (0x06) plen 3 status 0x00 handle 12 HCI Event: Command Status (0x0f) plen 4 Set Connection Encryption (0x01|0x0013) status 0x00 ncmd 1 > HCI Event: Encrypt Change (0x08) plen 4 status 0x00 handle 12 encrypt 0x01 HCI Event: Number of Completed Packets (0x13) plen 5 handle 12 packets 1 > ACL data: handle 12 flags 0x02 dlen 16 L2CAP(s): Info rsp: type 2 result 0 Extended feature mask 0x02a8 Enhanced Retransmission mode FCS Option Fixed Channels Unicast Connectless Data Reception HCI Event: Number of Completed Packets (0x13) plen 5 handle 12 packets 1 > ACL data: handle 12 flags 0x02 dlen 20 L2CAP(s): Info rsp: type 3 result 0 Fixed channel list 0x00000006 L2CAP Signalling Channel L2CAP Connless HCI Event: Number of Completed Packets (0x13) plen 5 handle 12 packets 1 > ACL data: handle 12 flags 0x02 dlen 16 L2CAP(s): Connect rsp: dcid 0x0000 scid 0x0040 result 2 status 0 Connection refused - PSM not supported > HCI Event: Disconn Complete (0x05) plen 4 status 0x00 handle 12 reason 0x13 Reason: Remote User Terminated Connection
This?
> ACL data: handle 12 flags 0x02 dlen 16 L2CAP(s): Connect rsp: dcid 0x0000 scid 0x0040 result 2 status 0 Connection refused - PSM not supported