Coming from our last post, we left off with the conclusion that the only real way to figure out Bluetooth would probably be to leak the firmware as it is actually executed at runtime. From there I initially set out to fish out some data by using SPI writes to modify the firmware patches; however, I was disappointed to discover some things: when writing over SPI, the firmware itself limits writes to the range 0x6000 to 0x10000, and writes anywhere else are unfortunately ignored entirely. My attempts to ...