Introducing the new version of the ios-proxy: internalblued

README.md

@@ -135,9 +135,10 @@ Linux:
 * For most commands: Privileged access
 
 iOS:
-* A jailbroken iOS device (tested on iOS 12.1.2/12.4 with iPhone 6, SE, 7, 8, X)
-* The included `ios-proxy` (instructions in [here](ios-proxy/README.md))
-* Optional: a Mac with `xcode` to compile the proxy yourself
+* A jailbroken iOS device (tested on iOS 12 and 13 with iPhone 6, SE, 7, 8, X , does not work on iPhones newer than XR, these devices have a Bluetooth chip connected via PCIe)
+* `usbmuxd`, which is pre installed on macOS but is available on most Linux distributions as well. Alternatively it can be obtained from [here](https://github.com/libimobiledevice/usbmuxd).
+* The [``internalblued`` daemon](ios-internalblued/README.md) installed on the iOS device
+
 * Optional, no jailbreak required: install [iOS Bluetooth Debug Profile](https://developer.apple.com/bug-reporting/profiles-and-logs/) to obtain
   HCI and diagnostic messages, either via diagnostic report feature (all iOS versions) or live with PacketLogger (since iOS 13)
 

ios-internalblued/.gitignore

@@ -0,0 +1,2 @@
+.theos
+.DS_STORE

ios-internalblued/Makefile

@@ -0,0 +1,14 @@
+include $(THEOS)/makefiles/common.mk
+
+TOOL_NAME = internalblued
+
+internalblued_FILES = main.m ios-proxy.m
+internalblued_CFLAGS = -fobjc-arc
+
+include $(THEOS_MAKE_PATH)/tool.mk
+
+SUBPROJECTS += internalbluedprefs
+include $(THEOS_MAKE_PATH)/aggregate.mk
+
+after-internalblued-stage::
+	$(ECHO_NOTHING)$(FAKEROOT) chown root:wheel $(THEOS_STAGING_DIR)/Library/LaunchDaemons/com.ttdennis.internalblued.plist$(ECHO_END)

ios-internalblued/README.md

@@ -0,0 +1,25 @@
+# internalblued 
+This project is a proxy that redirects the *iOS* Bluetooth socket and exposes it as a
+TCP socket which can be used to send HCI commands to the Bluetooth controller of the device.
+A jailbroken device is required.
+
+A compiled version of `internalblued` can be found in [`packages/com.ttdennis.internalblued_0.0.1_iphoneos-arm.deb`](packages/com.ttdennis.internalblued_0.0.1_iphoneos-arm.deb).
+
+## Installing
+1. Transfer the `.deb` file to your iOS device
+2. Run `dpkg -i your-deb-file.deb` to install `internalblued` on your device
+
+## Running internalblued
+Once installed, `internalblued` runs as a `LaunchDaemon` and is ready to be used. By default it will listen to port 1234 (TCP) on localhost. If `usbmux` is installed, `internalblue` will be able to connect to the phone as the port is passed through `usbmuxd`.
+
+During usage with `internalblue` Bluetooth has to be disabled in the phones Settings App.
+
+In case the Bluetooth chip stops responding, Bluetooth has to be turned on and off again in the Settings App.
+
+There is a Settings App pane for `internalblued` to turn off the daemon and adapt the listening port. However, this is usually not required. As long as `internalblue` is not connected to `internalblued`'s socket, Bluetooth can be used without any restrictions.
+
+## Building internalblued
+1. Install [theos](https://github.com/theos/theos)
+2. Run `make`
+3. A `.deb` file should be in the `packages` folder now
+

ios-internalblued/internalbluedprefs/IBDRootListController.h

@@ -0,0 +1,5 @@
+#import <Preferences/PSListController.h>
+
+@interface IBDRootListController : PSListController
+
+@end

ios-internalblued/internalbluedprefs/IBDRootListController.m

@@ -0,0 +1,80 @@
+#include <xpc/xpc.h>
+
+#include "IBDRootListController.h"
+#import <Preferences/PSListController.h>
+#import <Preferences/PSViewController.h>
+#import <Preferences/PSSpecifier.h>
+#include "../xpc_protocol.h"
+
+#define PREF_FILE @"/var/mobile/Library/Preferences/com.ttdennis.internalblue-prefs.plist"
+
+@implementation IBDRootListController
+
+xpc_connection_t get_connection() {
+    xpc_connection_t connection = xpc_connection_create_mach_service(
+            "com.ttdennis.internalblued", NULL, 0);
+    // we don't expect any responses anyway
+	xpc_connection_set_event_handler(connection, ^(xpc_object_t some_object) { });
+	xpc_connection_resume(connection);
+
+    NSLog(@"connection %@", connection);
+    return connection;
+}
+
+-(bool) should_stop {
+    for (PSSpecifier *spec in [self specifiers]) {
+        if ([[spec identifier] isEqualToString:@"enabled"]) {
+            bool isEnabled = [[self readPreferenceValue:spec] boolValue];
+            NSLog(@"Toggle is: %d", isEnabled);
+            return !isEnabled;
+        }
+    }
+    return false;
+}
+
+- (void)toggle:(NSNotification *)notification {
+    // close the number keyboard
+    [self.view endEditing:YES];
+    // force write the preference file so that the daemon will pick up the correct value
+    CFPreferencesSynchronize(CFSTR("com.ttdennis.internalblue-prefs"), kCFPreferencesCurrentUser, kCFPreferencesCurrentHost);
+
+    sleep(1);
+
+    xpc_connection_t connection = get_connection();
+    xpc_object_t object = xpc_dictionary_create(NULL, NULL, 0);
+
+    if ([self should_stop]){
+        xpc_dictionary_set_uint64(object, "message", CMD_STOP_PROXY);
+    } else {
+        xpc_dictionary_set_uint64(object, "message", CMD_START_PROXY);
+    }
+
+    xpc_connection_send_message(connection, object);
+}
+
+void notify_ns() {
+    [[NSNotificationCenter defaultCenter] postNotificationName:@"com.ttdennis.internalblue/toggle" object:nil];
+}
+
+
+- (id) init {
+    self = [super init];
+
+    [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(toggle:) 
+                                            name:@"com.ttdennis.internalblue/toggle"
+                                            object:nil];
+    CFNotificationCenterAddObserver(CFNotificationCenterGetDarwinNotifyCenter(), (__bridge const void *)(self), (CFNotificationCallback)notify_ns, 
+            CFSTR("com.ttdennis.internalblue/toggle"), NULL, 0);
+
+    return self;
+}
+
+- (NSArray *)specifiers {
+	if (!_specifiers) {
+		_specifiers = [self loadSpecifiersFromPlistName:@"Root" target:self];
+	}
+
+	return _specifiers;
+}
+
+@end

ios-internalblued/internalbluedprefs/Makefile

@@ -0,0 +1,15 @@
+include $(THEOS)/makefiles/common.mk
+
+BUNDLE_NAME = internalbluedprefs
+
+internalbluedprefs_FILES = IBDRootListController.m
+internalbluedprefs_INSTALL_PATH = /Library/PreferenceBundles
+internalbluedprefs_FRAMEWORKS = UIKit
+internalbluedprefs_PRIVATE_FRAMEWORKS = Preferences
+internalbluedprefs_CFLAGS = -fobjc-arc
+
+include $(THEOS_MAKE_PATH)/bundle.mk
+
+internal-stage::
+	$(ECHO_NOTHING)mkdir -p $(THEOS_STAGING_DIR)/Library/PreferenceLoader/Preferences$(ECHO_END)
+	$(ECHO_NOTHING)cp entry.plist $(THEOS_STAGING_DIR)/Library/PreferenceLoader/Preferences/internalbluedprefs.plist$(ECHO_END)

ios-internalblued/internalbluedprefs/Resources/Info.plist

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>English</string>
+	<key>CFBundleExecutable</key>
+	<string>internalbluedprefs</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.ttdennis.internalblue-prefs</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundlePackageType</key>
+	<string>BNDL</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0.0</string>
+	<key>CFBundleSignature</key>
+	<string>????</string>
+	<key>CFBundleVersion</key>
+	<string>1.0</string>
+	<key>NSPrincipalClass</key>
+	<string>IBDRootListController</string>
+</dict>
+</plist>

ios-internalblued/internalbluedprefs/Resources/Root.plist

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>items</key>
+	<array>
+		<dict>
+			<key>cell</key>
+			<string>PSGroupCell</string>
+            <key>footerText</key>
+			<string>Enable the InternalBlue proxy. For a reliable performance Bluetooth must be disabled in the settings.</string>    
+        </dict>
+		<dict>
+			<key>cell</key>
+			<string>PSSwitchCell</string>
+			<key>default</key>
+			<false/>
+			<key>defaults</key>
+			<string>com.ttdennis.internalblue-prefs</string>
+			<key>key</key>
+			<string>isEnabled</string>
+			<key>label</key>
+            <string>Enable InternalBlue Proxy</string>
+            <key>PostNotification</key>
+            <string>com.ttdennis.internalblue/toggle</string>
+            <key>id</key>
+            <string>enabled</string>
+		</dict>
+		<dict>
+			<key>cell</key>
+			<string>PSGroupCell</string>
+            <key>footerText</key>
+			<string>This sets the port the proxy is listening on. InternalBlue assumes 1234. Changing this port requires adapting InternalBlue and restarting the proxy.</string>    
+        </dict>
+        <dict>
+            <key>cell</key>
+            <string>PSEditTextCell</string>
+            <key>default</key>
+            <string>1234</string>
+            <key>defaults</key>
+            <string>com.ttdennis.internalblue-prefs</string>
+            <key>key</key>
+            <string>port</string>
+            <key>label</key>
+            <string>Proxy Port</string>
+            <key>isNumeric</key>
+            <true/>
+            <key>id</key>
+            <string>port</string>
+        </dict>
+	</array>
+	<key>title</key>
+	<string>InternalBlue Proxy Settings</string>
+</dict>
+</plist>

ios-internalblued/internalbluedprefs/entry.plist

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>entry</key>
+	<dict>
+		<key>bundle</key>
+		<string>internalbluedprefs</string>
+		<key>cell</key>
+		<string>PSLinkCell</string>
+		<key>detail</key>
+		<string>IBDRootListController</string>
+		<key>icon</key>
+		<string>icon.png</string>
+		<key>isController</key>
+		<true/>
+		<key>label</key>
+		<string>InternalBlue Proxy</string>
+	</dict>
+</dict>
+</plist>

ios-internalblued/ios-proxy.h

@@ -0,0 +1,29 @@
+//
+//  ios-proxy.h
+//  ios-proxy
+//
+//  Copyright © 2019 ttdennis. All rights reserved.
+//
+
+#ifndef ios_proxy_h
+#define ios_proxy_h
+
+#include <stdio.h>
+
+
+#define IOAOSSKYSETCHANNELSPEC 0x800C5414
+#define IOAOSSKYGETCHANNELUUID 0x40105412
+
+#define CTLIOCGINFO 0xC0644E03
+
+typedef struct ctl_info {
+    uint32_t ctl_id;
+    char ctl_name[96];
+} ctl_info_t;
+
+int connect_bt_device();
+int create_server(int port);
+int wait_for_connection(int server_fd);
+void proxy_bt_socket(int client, int bt);
+
+#endif /* ios_proxy_h */