BTstack on a non-jailbroken iPhone/iPad?


Jeremy Gale

Nov 2, 2011, 2:52:17 PM
to btstack-dev
Hi everyone,

First of all, great work on BTstack. I'm amazed at what you've been
able to accomplish, and your excellent documentation, wikis, support
forum, etc. It's a really impressive project.

I am investigating whether it would be feasible to modify BTstack to
run in an iPhone app without it being jailbroken. This would mean
changing it to not run as a daemon, but instead to be a fully
integrated part of a single app. It obviously couldn't be submitted to
the App Store, but I was wondering if it could be distributed via
Enterprise so that it can use private APIs, etc.

My gut feeling is that this wouldn't be possible, but I wanted to
confirm with you guys. Here are the reasons I don't think it could be
done:

- It looks like most of the communication is done by opening the /dev/tty.bluetooth device. This device can't be opened from a non-jailbroken app. You get error 13, permission denied.

- BTstack needs to stop Apple's BTServer from running; this is done via a call like: system("launchctl unload /System/Library/LaunchDaemons/com.apple.BTServer.plist"). This isn't allowed in the app sandbox. Generally speaking, there will be no way to stop an Apple service from a legit app.

- BTstack needs to run BlueTool to configure the chipset. I don't
think there would be any way to do this from the app sandbox, as
above. Furthermore, the BlueTool app has a binary patch applied to it
before it's run. There would be no way to include and run the patched
binary in a legit app.

Does my reasoning make sense? Would you guys agree it's impossible to
modify BTstack to run in an app on a non-jailbroken phone?

Thanks very much,
Jeremy

Chris Hughes

Nov 2, 2011, 3:39:27 PM
to btsta...@googlegroups.com
Yes, your assumptions about why it cannot be anything but a jailbroken
app are correct.

While you cannot just modify the application to do what you are
looking for, you can look at privilege escalation bugs like the one
used in the PDF exploit that allows for a userland jailbreak to
bootstrap what you are looking to do.

Comex, the guy responsible for the jailbreakme site, has posted the code on GitHub:
https://github.com/comex/star_


--
sig ver 2.4
twitter: @chews (drunk tweet me)
blog: http://spazout.com
iPhone: 310.933.4533

Matthias Ringwald

Nov 8, 2011, 2:40:58 PM
to btsta...@googlegroups.com
Hi Jeremy,

Your analysis is pretty accurate. BTstack wouldn't necessarily need to stop BTServer; it didn't do that in the beginning, but BTServer was crashing afterwards and causing repeated crashes during device sleep, so I figured why not just unload it for the time being.

Best
matthias
