This repo contains Wireshark dissectors for various proprietary Bluetooth protocols used by Apple.
They serve as a (very crude) reference for me to help in understanding them and come with absolutely no guarantee of version compatibility, correctness or reliability.
Bluetooth captures for related protocols would be much appreciated!
The protocol is used on various audio accessories (e.g. AirPods) and is responsible for handling configuration (ANC, buttons, hearing aid), device/health metrics (battery, heart rate, motion, crash logs), managing magic keys, possibly updates by encapsulating UARP, and checking device authenticity via certificates.
Negotiates L2CAP channels and is also capable of sending some initial protocol commands directly during the connection phase. Protocols utilizing FastConnect will strip the PSM from SDP, rendering Wireshark unable to assign the dissector to the L2CAP channels without the plugin. Primarily used by Apple audio accessories.
Exchanges shared secrets which may get synced to iCloud so that other devices can also seamlessly connect to the paired accessory. AACP makes use of the key message structure from this protocol and adds additional key types.
Service exchange and connection protocol. Devices advertise available services by name to each other and can initiate a connection on demand. Mostly used by devices like Apple Watch and AirTags but also AirPods to some extent.
Handles firmware (and other asset) updates for accessories.
- Move the Lua plugin into:
~/.local/lib/wireshark/plugins/ (Linux/macOS)
%APPDATA%/Wireshark/plugins/ (Windows)
and reload with Ctrl + Shift + L
Should just work™ after installing.
Make sure that the initial connection is part of the capture.
If not, manually assign the dissector to the L2CAP channel: Right click -> Decode As...