iOS Unified Logs - Bluetooth pairing and connection
Being able to show whether the investigated iPhone was connected via Bluetooth to another device can be important in some investigations.
Lionel Notari
Week nº 3
The iOS Unified Logs related to Bluetooth are abundant! For this first article, I will focus on the scanning, pairing process (when two devices connect for the first time) and the connection process.
iOS Unified Logs - Scanning
Devices paired with an iPhone appear in the ‘My Devices’ section, while those that are not paired are under ‘Other Devices.’ This distinction is important because, when the iPhone scans its surroundings, paired devices provide far more information than the unpaired ones!
# | Event |
---|---|
1 | bluetoothd: Discovered device 30:D8:75:B9:19:D0 |
1.1 | bluetoothd: “Device found: CBDevice D03ECD37-2683-57D7-4D16-58092CB18598, BDA F0:CD:31:38:EC:99, Nm ‘S22+ de Lionel’ [ ... ]" |
A few important points
When a device that isn’t paired with the iPhone is detected, only its Bluetooth address appears in the Unified Logs (Log 1).
When a device paired with the iPhone is detected, we also retrieve its name and CBDevice UUID (Log 1.1).
iOS Unified Logs - Pairing
Before the iPhone and the other device are paired, only limited information, such as the Bluetooth address, will appear in the Unified Logs. During the pairing process, in this case using a confirmation code, the following Unified Logs are recorded:
# | Event |
---|---|
1 | bluetoothd: Running SDP on device F0:CD:31:38:EC:99 |
1.1 | bluetoothd: We have a stalled incoming SDP request from device F0:CD:31:38:EC:99 with cid: 2312. |
2 | bluetoothd: Received a new numeric comparison request for device F0:CD:31:38:EC:99 |
3 | bluetoothd Tracking numeric comparison request for device F0:CD:31:38:EC:99 |
4 | bluetoothd Notifying 'pairing started' for self-initiated pairing to F0:CD:31:38:EC:99 for Auth type 2 |
5 | bluetoothd Sending 'numeric comparison request' pairing event for device F0:CD:31:38:EC:99 |
6 | Preferences: received user confirmation request (numeric comparison to 622428) for device <private> |
7 | bluetoothd Sending 'pairing complete' event for device F0:CD:31:38:EC:99 with result 0 |
8 | Sharingd: Sharing-CA: Device connected: CUBluetoothDevice F0:CD:31:38:EC:99, ID 'd03ecd37-2683-57d7-4d16-58092cb18598', 'S22+ de Lionel', PID 0x100, VrI 0x201, DT 12, CnS 0x100, PriP Disabled, 2ndP Disabled, Color 0 (White) |
Bonus | accessoryd: Adding accessory info: name VAPPEBY 20 gen 3, model E2036, manufacturer IKEA of SWEDEN AB, serial E2036N233000744, firmware revision (active) FW-3.1.1.7, firmware revision (pending) (null), hardware revision KT-V20-S0001-V00, ppid 73921389bae24500, regionCode (null), hideFromUI: NO |
A few important points
The SDP connection is “running” when the iPhone initiates a pairing request (Unified Log 1). When the request comes from the other device, it’s Log 1.1 that is recorded with an "Incoming" request.
Log 6 (Preferences process) records the pairing code displayed on both the iPhone and the other device in parentheses!
The “with result 0” mention in Log 7, which confirms pairing, is crucial! In the case of a connection failure, the result will differ (e.g., “with result 158” when the pairing process is canceled).
The final Unified Log (Sharingd process) is also a reliable way to confirm pairing, as this log is not recorded if one of the devices declines the Bluetooth pairing.
In the case of pairing without a connection confirmation code, such as with an external speaker, the Unified Logs in the table above will still be recorded (except for the log from the “Preferences” process).
BONUS: By connecting my iPhone to my “Vappeby 20 gen 3” speaker, I found this very interesting log, as it records extensive information about the other device!
iOS Unified Logs - Connection
Once the devices are paired, future Bluetooth connections can occur automatically. For example, when entering our car, there’s no need to manually connect our iPhone to it. While this is very convenient from a user perspective, the Unified Logs recorded are rather limited. However, the two following logs are sufficient to indicate a connection:
# | Event |
---|---|
1 | bluetoothd: Sending 'device connected' notification for device 6C:5C:3D:3B:50:20 with result 0 |
2 | Sharingd: Sharing-CA: Device connected: CUBluetoothDevice 6C:5C:3D:3B:50:20, ID '20cd13ba-5eaf-aa5b-a58d-6beffcaf3a69', 'VAPPEBY 20 gen 3', PID 0xB009, VrI 0x100, DT 16, CnS 0x18, PriP Disabled, 2ndP Disabled, Color 0 (White) |
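
To triage an exported set of Unified Logs for the pairing and connection messages listed in the tables above, the following added example (not the author's code) extracts the Bluetooth address, pairing code, result value, CBDevice UUID and device name. The function name `parse_events`, the pattern names and the sample lines are assumptions; the sample is constructed from the messages shown in this article, including a cancelled pairing with result 158, and other iOS versions may word these messages differently.

```python
import re

MAC = r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
# Message formats taken from the tables in this article (assumed stable).
PATTERNS = {
    "discovered": re.compile(r"Discovered device " + MAC),
    "pairing_code": re.compile(r"numeric comparison to (\d+)\)"),
    "pairing_complete": re.compile(r"'pairing complete' event for device " + MAC + r" with result (\d+)"),
    "connected": re.compile(r"'device connected' notification for device " + MAC + r" with result (\d+)"),
    "sharing_connected": re.compile(r"Device connected: CUBluetoothDevice " + MAC + r", ID '([^']+)', '(.*?)', PID"),
}

# Constructed sample: messages from the article plus one cancelled pairing (result 158).
SAMPLE = [
    "bluetoothd: Discovered device 30:D8:75:B9:19:D0",
    "Preferences: received user confirmation request (numeric comparison to 622428) for device <private>",
    "bluetoothd Sending 'pairing complete' event for device F0:CD:31:38:EC:99 with result 0",
    "Sharingd: Sharing-CA: Device connected: CUBluetoothDevice F0:CD:31:38:EC:99, ID 'd03ecd37-2683-57d7-4d16-58092cb18598', 'S22+ de Lionel', PID 0x100, VrI 0x201, DT 12",
    "bluetoothd Sending 'pairing complete' event for device F0:CD:31:38:EC:99 with result 158",
    "bluetoothd: Sending 'device connected' notification for device 6C:5C:3D:3B:50:20 with result 0",
]

def parse_events(lines):
    """Return one dict per recognised Bluetooth message, in input order."""
    events = []
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            ev = {"kind": kind}
            if kind == "pairing_code":
                ev["code"] = m.group(1)  # the device is <private> in this message
            else:
                ev["address"] = m.group(1).upper()
            if kind in ("pairing_complete", "connected"):
                ev["result"] = int(m.group(2))
            if kind == "pairing_complete":
                ev["paired"] = ev["result"] == 0  # "with result 0" confirms pairing
            if kind == "sharing_connected":
                ev["uuid"], ev["name"] = m.group(2), m.group(3)
            events.append(ev)
            break
    return events

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev)
```

Because the patterns use `search`, the same function works on full `log show` lines that carry timestamps and process metadata before the message.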