Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
129 lines (103 sloc) 9.03 KB

Firmware Versions

This package adds support for different Broadcom and Cypress firmware versions. A list of known versions can be found below, however we only have firmware information on a subset of these. Results are based on real world testing, this list is very incomplete. If you know more versions, input is appreciated.

Vendor Version SubVersion Firmware Devices Firmware Build Date
0x000f 0x04 0x4217 BCM4329B1 iPhone 4, Nexus One, iPod touch (A1367)
0x000f 0x04 0x21d0 BCM2046 iMac 27" late 2009
0x000f 0x04 0x422a BCM4331 MacBook Pro early 2011
0x000f 0x04 0x4203 HP ProBook 6550b and 6450b
0x000f 0x05 0x4203 BCM2034B Thinkpad T420
0x000f 0x05 0x610d iPad A1395
0x000f 0x05 0x240c BCM20733 Magic Keyboard
0x000f 0x06 0x220e BCM20702A1 Asus USB Bluetooth dongle, HP Elitebook 820 G2
0x000f 0x06 0x229b BCM20702A3 MacBook Pro 13" mid 2012 (A1278)
0x000f 0x06 0x4103 BCM4330B1 iPhone 4s
0x000f 0x06 0x410d BlackBerry Q5
0x000f 0x06 0x4196 BCM20702B0 MacBook Pro mid 2014, iMac (Retina 5k, 27", ultimo 2014), MacBook Air 2017 13"
0x000f 0x06 0x6109 Samsung Galaxy Note 10.1 2014 WiFi (SM-P600)
0x000f 0x07 0x220f BCM20736S Equiva Radiator Thermostat CC-RT-BLE-EQ
0x000f 0x07 0x2203 BCM43342 iPhone 5s
0x000f 0x07 0x2209 BCM43430A1 Raspberry Pi 3 Jun 2 2014
0x000f 0x07 0x230f BCM4356A2 Xperia Z5
0x000f 0x07 0x410d BCM4334 iPhone 5 (A1429)
0x000f 0x07 0x4606 BCM4324 iPad Air (A1474)
0x000f 0x07 0x6109 BCM4335C0 (BCM4339) Nexus 5, Xperia Z3 Compact, Samsung Galaxy Note 3, LG G4 (LG-h815) Dec 11 2012
0x0131 0x08 0x1200 Philips Sonicare (Cypress SoC CY8C4247LQI-BL483, not sure if compatible)
0x000f 0x08 0x21a1 MacBook Pro Retina 13" early 2015
0x000f 0x08 0x21a6 BCM20703A1 MacBook Pro early 2015
0x000f 0x08 0x21a7 BCM20703A1 MacBook Pro early 2015 (with security fix)
0x000f 0x08 0x21a8 BCM20703A1 MacBook Pro early 2015 (with security fix, 10.14.6)
0x000f 0x08 0x220b CYW20706 CYW920706 Evaluation Kit, same ROM as MacBook Pro 2016 Oct 22 2015
0x000f 0x08 0x220b BCM20707 Fitbit Ionic
0x000f 0x08 0x2230 BCM20703A2 MacBook Pro 2016 (A1707) Oct 22 2015
0x000f 0x08 0x2246 BCM20703A2 MacBook Pro 2016 Oct 22 2015
0x000f 0x08 0x2247 BCM20703A2 MacBook Pro 2016 (with security fix) Oct 22 2015
0x000f 0x08 0x224b BCM20703A2 MacBook Pro 2016, 2017, iMac 2017 Retina 5k Oct 22 2015
0x000f 0x08 0x224c BCM20703A2 MacBook Pro 15" 2017 (A1707) Oct 22 2015
0x000f 0x08 0x240f BCM4358A3 Nexus 6P, Samsung Galaxy S6, Samsung Galaxy S6 edge Oct 23 2014
0x000f 0x08 0x4109 BCM4345B0 iPhone 6 (Tempranillo) Jul 15 2013
0x000f 0x08 0x430a iPad Pro 2016 (MLMW2FD/A)
0x000f 0x08 0x6103 BCM4355C0 iPhone 7 A1778 (Elsa) Sep 14 2015
0x000f 0x08 0x6106 Samsung Galaxy S7, Huawei P20
0x000f 0x08 0x617e BCM4350 MacBook Pro 2017 (Retina 12", 13"), MacBook Pro (13", 2016) May 28 2013
0x000f 0x08 0x6119 BCM4345C0 Raspberry Pi 3+, Honor 8, Xperia X Aug 19 2014
0x000f 0x08 0x6206 BCM4345C1 iPhone SE (Hans), iPod Touch 7th Generation (MVJ72FD/A) Jan 27 2015
0x000f 0x09 0x102f BCM4355 MacBook Air 2019 13" Retina Mar 7 2017
0x000f 0x09 0x112e BCM4364B0 iMac Retina 4K 21.5"/27" 2019 macOS Mojave 10.14.6 Aug 21 2015
0x000f 0x09 0x112f BCM4364B0 MacBook Pro 2019 13" 4x Thunderbold Aug 21 2015
0x000f 0x09 0x103f BCM4364 iMac Pro 2017
0x000f 0x09 0x2023 BCM4377B3 MacBook Pro 2019 13" 2x Thunderbold (Formosa) Feb 28 2018
0x000f 0x09 0x203f BCM4364 MacBook Pro (13", 2018)
0x000f 0x09 0x2040 Apple Watch Series 3
0x000f 0x09 0x2043 BCM4346B0 MacBook Pro 2019 15"
0x0131 0x09 0x220c CYW20819A1 ULP BLE/BR/EDR Bluetooth 5 Wireless MCU Evaluation Kit CYW920819EVB-02 May 22 2018
0x000f 0x09 0x411a BCM4347B0 (BCM4361B0) Samsung Galaxy S8 Jun 3 2016
0x0131 0x09 0x4208 CYW20735B1 BLE/BR Bluetooth 5.0 Evaluation Kit CYW920735Q60EVB-01 Jan 18 2018
0x000f 0x09 0x4208 BCM4375B1 Samsung Galaxy S10e, Samsung Galaxy S10, Samsung Galaxy S10+, Samsung Galaxy Note 10/10+ (local version is 0x1111) April 13 2018
0x000f 0x09 0x420e BCM4347B1 iPhone 8, XR, X Oct 11 2016
0x0131 0x09 0x420e CYW20739B1 Bluetooth 5.0 BLE Evaluation Kit CYW920719Q40EVB-01 Jan 17 2017
0x000f 0x09 0x4307 BCM4377B2 iPhone XS (Aladdin), iPhone Xs Max (Genie), iPad Pro 11" 3E149FD/A, iPad Pro 11" 3E148FD/A, iPad Pro 12.9" 3rd gen 3D941FD/A, iPad mini 5th gen 3F559FD/A, iPad Air 3rd gen 3F561FD/A
0x000f 0x09 0x4309 Samsung Galaxy Note 9, Samsung Galaxy S9, S9+
0x0131 0x09 0x6119 BCM4345C0 Raspberry Pi 3+/4 --- with Bluetooth 5 patches, same ROM as 3+ Aug 19 2014
0x000f 0x09 0x6214 BCM4355C1 iPad 6th gen 3D575FD/A, iPad 6th gen MRJN2FD/A, iPad 6th gen MR7J2FD/A A1893 (FigaroA)
0x000f 0x0a 0x4228 BCM4378B1 iPhone 11 (Hei), iPhone 11 Pro (Moana), iPhone 11 Pro Max (Tala) --- announce BT 5.1 over the air despite being specified as BT 5 online

Matching of vendor and version number see list of Bluetooth versions and company identifiers.

There are more popular devices with Broadcom chips, i.e. many Lenovos, Acers, Sonys, Toshibas, HPs, Azurewares, ... see this list, but we did not see these in the wild yet and do not know their LMP subversion.

Known Issues

There is a couple of issues causing trouble running InternalBlue, which are related to certain firmware versions.

  • BCM4335C0
    • Diagnostic messages lack behind by one. If you send diag c1 you will not get a response. Followed by diag c2 you will get a response for c1, and so on. This issue is independent from the Android driver patch, i.e. a Nexus 6P works perfectly with the same LineageOS 14.1 patch that causes this issue on a Nexus 5.
  • BCM4358A3
    • Launch_RAM crashes the firmware if it received another HCI command within the next ~6 seconds. When patching and launching scripts, close the Bluetooth overview from the operating system to prevent scanning and hope that nothing else interacts with this.
  • CYW20735B1
    • Launch_RAM works in principle, but threading seems to be broken if the executed code generates other HCI events. A hook at 0xB0316 is a nice spot to implement a function that generates HCI events and can be called via the HCI command 0xfc19. The general solution seems to be self.internalblue.patchRom(0x3d32e, "\x70\x47\x70\x47") respectively patch -a 0x3d32e --asm bx lr, which fixes that the baud rate is set to a wrong value during Launch_RAM.

Firmware Version and Build Date

Broadcom internally uses different firmware versions than chip names. For example, the BCM4339 chip in the Nexus 5 is internally called BCM4335C0. It is known to be a revision of the older BCM4335 chip.

On newer chips, the build information is located in the beginning of the stack. To see it, simply enter

hd 0x200400

License

Copyright 2019 Jiska Classen

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

You can’t perform that action at this time.