Bluetooth

Bluetooth is a short-range wireless technology. Bluetooth hardware is provided on all iPhone, iPod touch (2nd generation) or higher, all iPad, and all Apple TV. Apple has severely restricted the functions of Bluetooth to the end-user, for seemingly no reason, as the hardware supplied is capable of most if not all current bluetooth 2.0/2.1 functions.

With iPhoneOS 3.0, support for 3G internet bridging (PAN) or 'tethering' and A2DP over Bluetooth has been added, however the file sharing OBEX protocol is notably still missing.

Apple TV

 * Apple TV (2nd generation) - BCM4329 - Bluetooth&reg; 2.1 + EDR
 * Apple TV (3rd generation) (AppleTV3,1) - BCM4330
 * Apple TV (3rd generation) (AppleTV3,2) - BCM4334
 * Apple TV (4th generation) - ?

Apple Watch

 * Apple Watch (1st generation) - BCM4334
 * Apple Watch Series 1 - ?
 * Apple Watch Series 2 - ?

iPad

 * iPad - BCM4329 - Bluetooth&reg; 2.1 + EDR
 * iPad (2nd generation) - BCM4329 - Bluetooth&reg; 2.1 + EDR
 * iPad (3rd generation) - BCM4330
 * iPad (4th generation) - BCM4334
 * iPad Air - BCM43342
 * iPad Air 2 - ?
 * iPad Pro (12.9-inch) - ?
 * iPad Pro (9.7-inch) - ?
 * iPad (5th generation) - ?

iPad mini

 * iPad mini - BCM4334
 * iPad mini 2 - BCM43342
 * iPad mini 3 - ?
 * iPad mini 4 - ?

iPhone

 * iPhone - BlueCore 4 - Bluetooth&reg; 2.0 + EDR
 * iPhone 3G - BlueCore 6 - Bluetooth&reg; 2.0 + EDR
 * iPhone 3GS - BCM4325 - Bluetooth&reg; 2.1 + EDR
 * iPhone 4 - BCM4329 - Bluetooth&reg; 2.1 + EDR
 * iPhone 4S - BCM4330
 * iPhone 5 - BCM4334
 * iPhone 5c - BCM4334
 * iPhone 5s - BCM43342
 * iPhone 6 - ?
 * iPhone 6 Plus - ?
 * iPhone 6s - ?
 * iPhone 6s Plus - ?
 * iPhone SE - ?
 * iPhone 7 - ?
 * iPhone 7 Plus - ?

iPod touch

 * iPod touch - No Bluetooth Hardware
 * iPod touch (2nd generation) - BCM4325 - Bluetooth&reg; 2.1 + EDR
 * iPod touch (3rd generation) - BCM4329 - Bluetooth&reg; 2.1 + EDR
 * iPod touch (4th generation) - BCM4329 - Bluetooth&reg; 2.1 + EDR
 * iPod touch (5th generation) - BCM4334
 * iPod touch (6th generation) - BCM4335

Access
Developers have been able to successfully access and interface the Bluetooth hardware to achieve basic L2CAP, RCOMM and OBEX. Besides individual closed-apps that contain a patched version of the lwBT Bluetooth Stack (e.g. roqyGPS for SPP plus iBluetooth and iBlueNova for OBEX), the open-source BTstack project at http://btstack.googlecode.com provides general Bluetooth support for multiple applications. Examples available in Cydia: BTstack Keyboard, BTstack Mouse, WiiMote OpenGL Demo and some of ZodTTD's emulators.

The device nodes of relevance here, are
 * uart.bluetooth
 * cu.bluetooth
 * tty.bluetooth
 * btreset
 * btwake

Officially Supported Profiles

 * HFP - Hands-Free Profile
 * HSP - Headset Profile
 * ??? - Peer-to-peer connectivity (iPhone OS 3.0 and above; iPhone 3G and newer)
 * AD2P - Stereo audio streaming (iPhone OS 3.0 and above; iPhone 3G and newer)
 * PAN - Tethering (iPhone OS 3.0 and above; iPhone 3G and newer)
 * AVRCP - Media controls (Partial support since iPhone OS 3.0, improved in iOS 4.1; iPhone 3G and newer)
 * SPP - Serial Port Profile for Braille terminals (iOS 4.? and above)

More info: Bluetooth Profiles

Profiles available with unofficial software

 * OBEX - OBject EXchange (iBluetooth on iPhone OS 2.x; iBlueNova on 3.x; Celeste on iOS 4.x; No equivalent on iOS 5.x)
 * DUN - Dial-up Networking Profile
 * SPP - Serial Port Profile for GPS receivers (roqyBT)
 * ADP - Mono audio streaming (Bluetooth Mono SBSettings on iPhone OS 3.x)

Bluetooth Stack
The chip implements up to the HCI in the Bluetooth Stack. The profiles seem to be implemented in software.

BTServer
The iPhone has a Bluetooth daemon called BTServer that serves the little the iPhone currently does. It is launched by the /sbin/launchd process. On killing the BTServer process, launchd restart it almost instantly. It is possible to catch BTServer itself launches the BlueTool utility by rapidly displaying processes right after killing BTServer. If bluetooth was set inactive in the control panel, BTServer call /usr/sbin/BlueTool -f /etc/bluetool/iPhone1,1.deepsleep.script. On the other hand, If bluetooth was set active in the control panel, BTServer calls the /etc/bluetool/iPhone1,1.init.script.

Disabling BTServer
In order to fool around with bluetooth it seems necessary to prevent the BTServer from being loaded. The System/Library/LaunchDaemons/com.apple.BTServer.plist file can be edited. There is a 'disabled' key set to false by default. Setting it true will prevent BTServer from being started. With BTServer completely deactivated, the control panel bluetooth item should say 'inactive' and the toggle switch grayed out.

Update: It is not necessary to disable the BTserver. It's enough to keep Bluetooth turned off in the control panel.

Enabling Bluetooth Logs
mkdir -p /var/logs/BTServer touch /var/logs/BTServer/stderr touch /var/logs/BTServer/stdout

(As of firmware 2.0, the above mentioned snippet does not seem to work anymore)

Update For firmware 2.0, you also need to change the ownership of the log directory: chown -R mobile /var/logs/BTServer

BlueTool
This is a low level utility, used by the BTServer daemon to configure the iPhone Bluetooth module through the /etc/bluetool/iPhone1,1.init.script file.

This effectively 'turns on' bluetooth (sets it to discoverable) but it should be noted that the kernel doesnt know it (there is no bt icon in the status bar).

to do this your self:

Welcome to bluetool... (etc)
 * 1) bluetool

bluetool> device -d /dev/cu.bluetooth # select the device


 * this makes bluetool call a function from CoreTelephony which has been reverse engineered already called _CTServerConnectionCreate(CFAllocatorRef, void *, int *)

bluetool will then tell you (if successful) that it has opened /dev/cu.bluetooth @ 115200 baud

bluetool> power on


 * again, a CT function is called, however no-one (to the extent of my knowledge) has reversed it. _CTServerConnectionSetBluetoothPower(???) however you can bet that the first argument is going to be a connection reference made from calling ConnectionCreate -> ie connRef = _CTServerConnectionCreate;

bluetool> autobaud


 * from here on bluetool only deals with posix functions (yay!!) and it basically sends ioctl requests to the bluetooth driver in the coveted HCI.

knowing the ioctl numbers for each HCI command can only be found out by reverse engineering or porting/using strace, dtrace, ktrace, sc_usage or truss.

Note with bluetool
it may not be that easy becuase on reverse engineer of a pre 2.0 bluetool, calls functions from IOKit, which is obviously not posix. The 2.0 bluetool still links against IOKit.

to 'unlock' the iPhones bluetooth capabilities, which I believe are there (in the driver, the chip can DEFINITELY do it) one would need to be able to send the driver raw HCI, which this program demonstrates it can do.

Output of the BlueTool console on an iPhone:

bluetool-> hci info

Radio Manufacturer:           CSR Bluetooth HCI Specification:  Version 2.0

Bluetooth Address:            00:02:5b:00:a5:a5

bluetool-> csr -V

CSR BlueCore Version 0x0003, Revision 0x0030, Build: A06

From CSR' BlueCore BCCMD Commands Document (bcore-sp-005Pe)

ChipVer       = 0x03, BlueCore3-Multimedia, BlueCore3-ROM, BlueCore3-FLASH, BlueCore4-External, BlueCore4-ROM

ChipRev      = 0x30, BlueCore4-ROM

ChipAnaVer = A06 (???)