Description
Hi,
I'm trying to use internalblue with a rooted Google Nexus 5 (hammerhead) device running Android 6.0.1. This device uses the Broadcom BCM4335C0 (0x6109) Bluetooth chip.
Device: Rooted Google Nexus 5 (hammerhead)
Android Version: 6.0.1
Chip: Broadcom BCM4335C0 (0x6109)
Problem Description:
When launching internalblue using the ADB backend with the device serial number, the tool successfully connects to the phone via ADB, identifies the Bluetooth chip (0x6109), loads the corresponding firmware definition (fw_0x6109.py), and enters the interactive shell prompt (>).
However, almost immediately after the shell prompt appears, the ADB-proxied communication channel used for HCI interaction with the Bluetooth chip is closed by the remote device (the phone's Android system). This leads to a non-operational state and the following message is printed:
[*] recvThreadFunc: bt_snoop socket was closed by remote site. stopping recv thread...
After this, the internalblue instance is effectively non-functional ([!] Not running.) for commands interacting with the chip (like info device, dumpmem, etc.), which fail with errors such as [!] Not running. call connect() first!. The shell command also appears to execute commands locally on the host machine in this state, rather than remotely on the Android device.
Steps Taken to Troubleshoot:
Confirmed the device is rooted and adb shell su grants root access.
Identified the Bluetooth HCI device node on the phone as /dev/ttyHS99.
Checked initial file permissions for /dev/ttyHS99 using adb shell su ls -l /dev/ttyHS99, which were crw-rw---- bluetooth net_bt_stack. This indicated that "others" did not have R/W access.
Modified permissions to allow read/write for all (crw-rw-rw-) using adb shell su chmod 666 /dev/ttyHS99. Verified the change with ls -l.
root@hammerhead:/ # ls -l /dev/ttyHS99
crw-rw---- bluetooth net_bt_stack 247, 99 2025-05-10 22:22 ttyHS99
root@hammerhead:/ # chmod 666 /dev/ttyHS99
root@hammerhead:/ # ls -l /dev/ttyHS99
crw-rw-rw- bluetooth net_bt_stack 247, 99 2025-05-10 22:22 ttyHS99
Running internalblue with Bluetooth enabled after this change did not resolve the connection dropping issue.
Attempted launching internalblue with Bluetooth completely disabled via the Android settings GUI. This prevented the initial connection from being established at all, resulting in critical errors ([CRITICAL] No connection to target device.).
The issue persists with Bluetooth enabled via GUI and /dev/ttyHS99 permissions set to 666. The connection still drops almost instantly after entering the internalblue shell.
Expected Behavior:
The ADB-proxied communication channel to the Bluetooth chip should remain open and stable, allowing internalblue commands to interact with the chip.
Relevant Output (example showing the drop):
sergey@sergey-ferrari3200:~$ internalblue --adb --serial 087b887d0182a9a7
[*] No connected HCI device found
[*] Found multiple adb devices
[*] Android btsnoop logfile /storage/emulated/0/btsnoop_hci.log...
[*] Android Bluetooth interface /dev/ttyHS99...
[*] Connected to 087b887d0182a9a7
[*] Chip identifier: 0x6109 (003.001.009)
[*] Using fw_0x6109.py
[*] Loaded firmware information for BCM4335C0.
[*] Try to enable debugging on H4 (warning if not supported)...
[!] Diagnostic protocol requires modified Android driver!
[*] Starting commandLoop for self.internalblue <internalblue.adbcore.ADBCore object at ...>
type <help -v> for usage information!
--adb is not a recognized command, alias, or macro.
087b887d0182a9a7 is not a recognized command, alias, or macro.
[*] recvThreadFunc: bt_snoop socket was closed by remote site. stopping recv thread...