This repository contains information about Bluetooth HCI Vendor-Specific Commands (VSCs) which are known to be security-relevant, as found across different vendors. The currently tracked VSC types of security interest are given below, along with a description of why they are security-relevant. It also documents the Vendor-Specific Events (VSEs) and their formats (when known), which are returned by a controller after a VSC is received.
- Read Controller Registers
- Write Controller Registers
- Read Controller RAM
- Write Controller RAM
- Read Controller ROM
- Write Controller ROM Patches
- Read Controller Non-volatile Memory (e.g. SPI NOR Flash)
- Write Controller Non-volatile Memory (e.g. SPI NOR Flash)
- Set Bluetooth Classic / BLE Public BD_ADDR
- Set TX power level
- Send arbitrary LMP packets
- Send arbitrary LLCP packets

This list does not cover every security-relevant VSC, but these types are among the most commonly found across chip makers.

- Broadcom
- Cambridge Silicon Radio (CSR)
- Cypress (purchased by Infineon)
- Espressif
- Realtek
- Silicon Labs
- Texas Instruments