
[Q&A] Lollipop BMW E46 Carkit Bluetooth Problem (patching bluetooth.default.so)

By shimodax, Junior Member on 3rd March 2015, 10:42 PM
Hello Bimmers/BMWers and others who are suffering from old cars vs. new Android!

IMPORTANT EDIT: Since this solution no longer applies to current Android versions, consider Replacing the ULF/Bluetooth Module or see this thread which has pre-built Google-Pixel binaries.


Background: With Android 4.2 Google introduced a new Bluetooth stack which broke bluetooth connections with some older car kits (see the comment in https://code.google.com/p/android/is...etail?id=41625 ... it is for the BMW E46, but this also affects other BMW series with the same old Bluetooth ULF, like E39, older X3, X5 (E83) and Z4 and probably also some Audi and VW). The problem this addresses is a bluetooth disconnect within 5 seconds after pairing.

I'm the original submitter of that patch to Google AOSP which was ignored by Google but subsequently included into CyanogenMod (https://android-review.googlesource.com/#/c/48164/ ) and with purchasing a new phone (a Moto X 2 2014 with Lollipop) I had to revisit the issue (my car is still the same BMW E46).

This binary patch applies to the Moto X 2 (2014) Lollipop 5.0 bluetooth library, but probably the same will work for Android 4.2.2, 4.3, 4.4 and other phones too (the bluetooth C source code in that location is still unchanged since android v4.2, see the posts linked in step 4 below)

Essentially I found that it is possible to patch the bluetooth lib on the phone directly without a complete android build environment (I had tried a full rebuild too, but was unable to get my self-compiled bluetooth library in the Moto X ... if you have a Nexus phone or if you can compile Android yourself, using the source patch is probably easier)

Here are the steps (I'm keeping them somewhat vague to deter noobs from trying to tinker with the files):

To make Android work with those older BMW car kits, it is necessary to modify a behavior of bluetooth in some minor way. This obviously requires a rooted device.

The file in question is /system/lib/hw/bluetooth.default.so

Step 1 (make a backup):
run adb shell and copy /system/lib/hw/bluetooth.default.so to /sdcard/bluetooth.default.so.orig
A backup of the whole system (TWRP or similar) will be a good idea too.

Step 2 (disable bluetooth and download the file to patch to your computer):
On the phone go to settings and turn bluetooth off
Issue: adb pull /system/lib/hw/bluetooth.default.so bluetooth.default.so

Step 3 (generate a hex version of the file, linux):
xxd bluetooth.default.so >bds.txt

Step 4 (edit the hex version):
Find the byte sequence b8ed a8b1 b4f8 6032 93b9 b0f8 08e0 0de0 (it should be around offset 00a1000)
Change it to b8ed a8b1 b4f8 6032 93b9 4ff0 000e 0de0

(edit: in a post below, a user reports a slightly different byte series for a Samsung S4, so if you can't find the above sequence, try ignoring the initial b8ed and start your searching with a8b1 ... or follow suit with another post about earlier Android versions or a post about a LG G3).

Step 5 (create a binary version of the patched file):
xxd -reverse bds.txt > bluetooth.default.so.patched

Step 6 (upload patched binary to phone):
Issue adb push bluetooth.default.so.patched /sdcard/
Remount the /system partition as rw
Use adb shell, then su and cp /sdcard/bluetooth.default.so.patched /system/lib/hw/bluetooth.default.so
Then (still in the shell as su): chmod 644 /system/lib/hw/bluetooth.default.so
Verify that only those four bytes changed: cmp -l /sdcard/bluetooth.default.so.orig /system/lib/hw/bluetooth.default.so
Verify permissions (ls -l /system/lib/hw and check if the new file has same flags as the rest (rw--r---r---)).

Step 7 (enable bluetooth again):
on the phone set Settings > Bluetooth : on
Make sure it stays on (and doesn't give an error, otherwise make sure the file has correct permissions and/or copy the original file back from bluetooth.default.so.orig)

Step 8 (check with car):
Take phone to the car, pair the device to the car-kit.
It should stay paired and making calls and access to the phone address register should work.

Done.


EDIT: In a later post a user says there is also a file named /etc/bluetooth/auto_pair_devlist.conf which has a number of devices blacklisted and to make it work, some entries need to cleaned (commented out or deleted).
10th March 2015, 09:47 AM |#2  
Junior Member
That's a fantastic bit of work in tracking that one down
Do you know if the patch you submitted for CM11 could be integrated into the CM12 branch?

Andy.
12th March 2015, 09:35 AM |#3  
dontpannic
Senior Member
You are an absolute legend.

I was looking for ways on how to decompile the bluetooth.default.so from an 'off the shelf' ROM (I'm not too hot on compiling from source yet!) and this post was enough. My phone now connects to my BMW E46's bluetooth ULF and works absolutely perfectly. Thank you!

EDIT 1: Just for further info - I'm using a Galaxy S4 LTE (I9505) and the byte sequence was slightly different.
Find the byte sequence 9aeb a8b1 b4f8 6032 93b9 b0f8 08e0 0de0 (starting around offset 00a2490)
Change it to 9aeb a8b1 b4f8 6032 93b9 4ff0 000e 0de0

EDIT 2: In fact, it seems like you can probably start from a8b1 b4f8...
15th March 2015, 03:27 PM |#4  
OP Junior Member
Quote:
Originally Posted by Cavechild

That's a fantastic bit of work in tracking that one down
do you know if the patch you submitted for CM11 could be integrated into the CM12 branch?

Technically there should be no problem using the same source patch for CM12 because the original source in Android is still the same. But I don't know if they will carry it forward or how long.
15th March 2015, 03:36 PM |#5  
OP Junior Member
Quote:
Originally Posted by dontpannic

You are an absolute legend.

I was looking for ways on how to decompile the bluetooth.default.so from an 'off the shelf' ROM (I'm not too hot on compiling from source yet!) and this post was enough. My phone now connects to my BMW E46's bluetooth ULF and works absolutely perfectly. Thank you!

EDIT 1: Just for further info - I'm using a Galaxy S4 LTE (I9505) and the byte sequence was slightly different.
Find the byte sequence 9aeb a8b1 b4f8 6032 93b9 b0f8 08e0 0de0 (starting around offset 00a2490)
Change it to 9aeb a8b1 b4f8 6032 93b9 4ff0 000e 0de0

EDIT 2: In fact, it seems like you can probably start from a8b1 b4f8...

Cool ... I didn't expect anyone else (besides me) to tinker with the issue in that depth.

You're right, you can probably ignore the first two bytes (I made an edit to my original post). Starting there was a rather arbitrary decision on my side, it's just important that sequence around the modified bytes exists in the library only once.

Enjoy!
15th March 2015, 07:43 PM |#6  
OP Junior Member
I had a bit of free time and tinkered a bit with builds of the library in earlier versions of Android (4.4. and 4.3. Nexus builds).

Note: this is experimental, I don't have an Android 4.x device anymore, so this may or may not work.

This is a diff of a bluetooth.default.so file (hex dump via linux xxd command as described above) for an Android 4.4. Nexus 5 build:

007b8b0: 5a22 27f0 e4ff 2846 57b1 40f2 1131 27f0
007b8c0: 1bfe 00b9 14e0 b4f8 5812 89b9 0389 0de0 (original)
007b8c0: 1bfe 00b9 14e0 b4f8 5812 89b9 0023 0de0 (modified)
007b8d0: 40f2 0231 27f0 10fe 50b1 007a b4f8 58e2


So, the following would lead with reasonable certainty to the location that needs to be changed (I had a look at an old Nexus i9250 build with Android 4.3 from my previous phone and it matched):

Find: 00b9 14e0 b4f8 5812 89b9 0389 0de0 40f2 0231
Change: 00b9 14e0 b4f8 5812 89b9 0023 0de0 40f2 0231

Probably even the following will do (assuming the find-sequence appears only once in the file)

Find: 5812 89b9 0389 0de0
Change: 5812 89b9 0023 0de0

Again this is speculative, but if someone does try it, let us know the results.

EDIT: one user reports here that the short sequence worked.
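The find/change pairs in this thread, and the first post's Step 4 to Step 6, depend on the find sequence occurring exactly once in the library. The following is an added example, not part of any post: Python that applies a pair only when the match is unique and returns the changed offsets, the same check `cmp -l` gives. The function names and the `IMAGE` bytes are constructed for illustration; only the find/change strings come from the thread.

```python
# Added example: IMAGE is constructed, not taken from a real bluetooth.default.so.

def xxd_to_bytes(groups: str) -> bytes:
    """Convert xxd-style groups ('5812 89b9') to raw bytes in file order."""
    return bytes.fromhex(groups.replace(" ", ""))

def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs (overlaps included)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def patch_unique(data: bytes, find: str, change: str):
    """Apply a find/change pair only if `find` matches exactly once.
    Returns (patched image, offsets of differing bytes), like `cmp -l`."""
    old, new = xxd_to_bytes(find), xxd_to_bytes(change)
    if len(old) != len(new):
        raise ValueError("find and change must be the same length")
    hits = find_all(data, old)
    if len(hits) != 1:
        raise ValueError(f"need exactly 1 match, got {[hex(h) for h in hits]}")
    at = hits[0]
    patched = data[:at] + new + data[at + len(old):]
    changed = [i for i, (a, b) in enumerate(zip(data, patched)) if a != b]
    return patched, changed

# Find/change pairs quoted from the Android 4.4 post in this thread.
SHORT_FIND, SHORT_CHANGE = "5812 89b9 0389 0de0", "5812 89b9 0023 0de0"
LONG_FIND = "00b9 14e0 b4f8 5812 89b9 0389 0de0 40f2 0231"
LONG_CHANGE = "00b9 14e0 b4f8 5812 89b9 0023 0de0 40f2 0231"
# Constructed image: a decoy containing the short sequence, then the real site.
DECOY = xxd_to_bytes("ffff ffff b4f8 " + SHORT_FIND + " 0000")
IMAGE = bytes(64) + DECOY + bytes(32) + xxd_to_bytes(LONG_FIND) + bytes(16)

def demo():
    """Short pair is ambiguous in IMAGE and is refused; long pair is applied."""
    try:
        patch_unique(IMAGE, SHORT_FIND, SHORT_CHANGE)
        short_unique = True
    except ValueError:
        short_unique = False
    patched, changed = patch_unique(IMAGE, LONG_FIND, LONG_CHANGE)
    return short_unique, patched, changed

if __name__ == "__main__":
    unique, _, changed = demo()
    print("short sequence unique:", unique, "| changed:", [hex(o) for o in changed])
```

On a pulled library, read the file as bytes, pass it to `patch_unique`, and write the returned image out; a refusal means the find sequence needs more surrounding bytes before it is safe to apply.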
16th March 2015, 01:53 PM |#7  
Junior Member
Hi,
I had a go at patching the bluetooth.default.so on my LG G3.
Here's the closest match I could find to your original byte sequence along with what I patched it to:
Code:
A8B1 B4F8 6432 93B9 B0F8 08E0 0DE0
A8B1 B4F8 6432 93B9 4FF0 000E 0DE0
The numbers in green are the matching sequence from your original patch, there was however a difference with your byte sequence that I highlighted in red (6032 > 6432).
I don't know how important that is, but the patch as I made it didn't seem to make any difference to the phone/car behaviour.
They still connect ok and the address book transfers fine, everything is hunky dory until I make a call at which point the bluetooth disconnects and the audio reverts to the phone.

The file is in the original place with the original file permissions too.

Any ideas?

Andy.
16th March 2015, 02:59 PM |#8  
OP Junior Member
Quote:
Originally Posted by Cavechild

I don't know how important that is, but the patch as I made it didn't seem to make any difference to the phone/car behaviour.
They still connect ok and the address book transfers fine, everything is hunky dory until I make a call at which point the bluetooth disconnects and the audio reverts to the phone.

This is probably simply a different problem. The problem the original patch addresses happens only at Bluetooth pairing (... a disconnect within 3-5 seconds). Your patch probably fixed that behavior, but I guess your car/phone combo suffers from a different one.
16th March 2015, 03:33 PM |#9  
Junior Member
Quote:
Originally Posted by shimodax

This is probably simply a different problem. The problem the original patch addresses happens only at Bluetooth pairing (... a disconnect within 3-5 seconds). Your patch probably fixed that behavior, but I guess your car/phone combo suffers from a different one.

Bugger, I have a 2005 E46 With Business Radio (the one that plays MP3s) and a ULF that I don't know the model number of. Worked perfectly with my Galaxy S3 running JellyBean.

How did you go about debugging the issue as I'm tempted to have a pop at recompiling the .so.
16th March 2015, 03:55 PM |#10  
OP Junior Member
Quote:
Originally Posted by Cavechild

Bugger, I have a 2005 E46 With Business Radio (the one that plays MP3s) and a ULF that I don't know the model number of. Worked perfectly with my Galaxy S3 running JellyBean. How did you go about debugging the issue as I'm tempted to have a pop at recompiling the .so.

Almost 99.9% a different problem, because this problem was introduced to Android with 4.2 (i.e. stock 4.3 Jelly Bean would not have worked either).

Initially (when researching the problem the very first time in 2012 with Navi-Professional), I started looking at the system log (adb logcat or via catlog app) and was looking for bluetooth related output.
16th March 2015, 04:08 PM |#11  
Junior Member
Quote:
Originally Posted by shimodax

Almost 99.9% a different problem, because this problem was introduced to Android with 4.2 (i.e. stock 4.3 Jelly Bean would not have worked either).

Initially (when researching the problem the very first time in 2012 with Navi-Professional), I started looking at the system log (adb logcat or via catlog app) and was looking for bluetooth related output.

Thanks, I'll give the catlog app a try and see what pops out