I recently did a little research project to see if I could control the Bluetooth controller on my Mac via HCI (Host Controller Interface) commands, in order to replicate the functionality of PureSwift/BluetoothLinux on macOS.

Since I have my PureSwift/Bluetooth library with some HCI commands implemented, I assumed the endeavor was only a matter of opening a socket to the Bluetooth adapter and sending bytes, which is how it's done on Linux.

It turns out that Apple's Darwin kernel is more secure and doesn't allow userland code to open a socket and talk directly to the hardware. Instead, CoreBluetooth acts as a proxy for bluetoothd, which uses the IOBluetooth framework, which in turn opens a Mach port to a kernel extension (device driver) that is loaded with the kernel. In theory, this should be much more secure than Linux, because it would be impossible to talk to the Bluetooth hardware directly even with elevated permissions like sudo.

Here is a breakdown of how the CoreBluetooth API works, from the kernel up to the application:

kext (C++ IOKit.IOBluetoothHostController)
> (via XPC) daemon with root permissions (Objective-C IOBluetooth.IOBluetoothHostController)
> (via ObjC) CoreBluetooth (CBCentralManager is a proxy for CBXpcConnection)

Here is a backtrace of bluetoothd illustrating this:

*1 IOWorkLoop::sleepGate(void*, unsigned long long, unsigned int) + 126 (kernel + 7057470)
*1 IOEventSource::sleepGate(void*, unsigned long long, unsigned int) + 83 (kernel + 7062579)
*1 IOBluetoothHCIRequest::Start() + 515 (IOBluetoothFamily + 114737)
*1 IOBluetoothHostController::SendRawHCICommand(unsigned int, char*, unsigned int, unsigned char*, unsigned int) + 2423 (IOBluetoothFamily + 327391)
*1 IOBluetoothHCIUserClient::SimpleDispatchWL(IOBluetoothHCIDispatchParams*) + 918 (IOBluetoothFamily + 83308)
*1 IOBluetoothHCIUserClient::externalMethod(unsigned int, IOExternalMethodArguments*, IOExternalMethodDispatch*, OSObject*, void*) + 257 (IOBluetoothFamily + 82363)

Thankfully, the Objective-C IOBluetoothHostController API is a public API that has been around since macOS 10.2, despite being the same code that runs inside the bluetoothd service. This Objective-C class allows some basic operations with your Bluetooth controller according to the official APIs.

I used Hopper to decompile bluetoothd and discovered that it was using IOBluetoothHostController, which led me to believe it was using private APIs I could exploit. Using class-dump, I discovered that Apple implemented all the HCI commands in the Bluetooth 4.2 specification as private methods on IOBluetoothHostController. Changing the local name of a Mac's Bluetooth adapter via these private APIs is pretty easy and requires no root access or special entitlements.

IOBluetoothHostController *hciController = [IOBluetoothHostController defaultController]; // public API
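To check the class-dump finding on your own machine without hard-coding any private selector, here is an added Objective-C example (my code, not the author's or Apple's): it obtains the controller through the public defaultController API, prints the public name and address, and asks the runtime for every instance selector declared on IOBluetoothHostController whose name contains a substring. The substring "HCI" is my assumption about how the per-command wrappers are named; build with clang -framework Foundation -framework IOBluetooth.

```objc
// Added example (not from the original post): reproduce the class-dump
// observation at runtime. Only public IOBluetooth API is called; private
// selectors are listed, never invoked.
#import <Foundation/Foundation.h>
#import <IOBluetooth/IOBluetooth.h>
#import <objc/runtime.h>
#include <stdlib.h>

// Instance selectors declared directly on `cls` (superclasses excluded)
// whose name contains `needle`, sorted so that runs are comparable.
static NSArray<NSString *> *SelectorsContaining(Class cls, NSString *needle) {
    NSMutableArray<NSString *> *found = [NSMutableArray array];
    unsigned int count = 0;
    Method *methods = class_copyMethodList(cls, &count);
    for (unsigned int i = 0; i < count; i++) {
        NSString *name = NSStringFromSelector(method_getName(methods[i]));
        if ([name rangeOfString:needle].location != NSNotFound) {
            [found addObject:name];
        }
    }
    free(methods);  // class_copyMethodList hands ownership to the caller
    return [found sortedArrayUsingSelector:@selector(compare:)];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Public API, available since macOS 10.2: no root, no entitlement.
        IOBluetoothHostController *hci = [IOBluetoothHostController defaultController];
        if (hci == nil) {
            NSLog(@"No Bluetooth host controller available");
            return 1;
        }
        NSLog(@"Local adapter: %@ (%@)", [hci nameAsString], [hci addressAsString]);

        // Private surface: "HCI" is an assumption about how the per-command
        // wrappers are named; adjust it if your class-dump output differs.
        NSArray<NSString *> *hciSelectors =
            SelectorsContaining([IOBluetoothHostController class], @"HCI");
        NSLog(@"%lu instance selectors on IOBluetoothHostController mention HCI",
              (unsigned long)hciSelectors.count);
        for (NSString *selector in hciSelectors) {
            NSLog(@"  %@", selector);
        }
        // Anything listed here that is absent from IOBluetoothHostController.h
        // is unversioned private API: worth auditing, not worth depending on.
    }
    return 0;
}
```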