20 May

It's no secret that Bluetooth has been a problem child for Android, plagued with poor audio quality and connectivity issues. I've already covered a handful of common problems in a previous post, but another issue has been emerging in the last few months that threatens to virtually kill all Bluetooth operation on a device in the right conditions. The culprit is a nasty little oversight in the Bluetooth Low-Energy code added with Android 4.3 Jelly Bean. Once a device has been within range of enough BLE devices, the entire Bluetooth service will begin crashing.


Symptoms

There is only one truly obvious symptom, but it's incredibly unhelpful for diagnosing the issue. When the bug exposes itself, it's in the form of a single dialog box with the message, "Unfortunately, Bluetooth share has stopped." After tapping the 'OK' button, the service will automatically restart in the background, and the cycle often repeats shortly afterward. Turning off Bluetooth will prevent the dialog from appearing, but once Bluetooth is re-enabled, the cycle is likely to begin again.

The Problem

The problem is located in a piece of the Bluetooth Low-Energy code. When a new MAC address (a unique number for identifying a piece of hardware on a network) is detected, it is first stored in memory and later written to a file called bt_config.xml when the Bluetooth service shuts down naturally. This logging operation is going on anytime the radio is scanning for devices. That may not sound like a common occurrence, but scans occur frequently as long as Bluetooth is enabled.

Once the log reaches 1,990 entries, any new MAC address will cause an overflow and immediately crash the Bluetooth service. Since the log is reloaded into memory each time the service restarts, the problem doesn't really go away on its own. Keep in mind, devices that have already been detected and exist within the log will not cause a crash; rather, it's only when a previously unknown address appears. In other words, the Bluetooth service might start crashing as you're walking around a mall or even driving by a jogger with a fitness band, but it's unlikely to act up when you're at home, even if you've got a handful of BLE gadgets lying around.


Nearly 2,000 addresses should sound like a lot, and aside from frequent travelers, many people wouldn't even come close enough to that many active BLE devices in the lifetime of a phone or tablet. However, a new type of gadget will virtually guarantee this number is hit within hours of going into a public setting: Proximity Beacons. The most notable of these are based on a technology developed by Apple, called iBeacon. These small, fairly low-cost transmitters can be placed around stores and events to push data and location information to devices. Proximity beacons are already appearing in some sporting and concert venues, and they are likely to become commonplace in popular retail outlets like Macy's and Walmart.

Where the problem becomes markedly worse is a "security feature" employed by some beacons. To prevent spoofing, products like the Gimbal by Qualcomm are designed to rapidly roll through auto-generated MAC addresses. The Gimbal broadcasts a new MAC every 0.8 seconds and can roll through the necessary 1,990 addresses in less than 30 minutes. This video taken at Dodger Stadium demonstrates a deployed Gimbal setting off the bug.

Affected Versions And Devices

The bug was introduced when Android 4.3 Jelly Bean added support for BLE to the Bluedroid Bluetooth stack. Since this issue has gone largely unnoticed until recently, it managed to survive well into the life of Android 4.4. Virtually every device running stock firmware on Android 4.3 - 4.4.2 should be affected by this issue, assuming the manufacturer hasn't substantially modified the Bluetooth stack on their own. It's possible that some recent firmware updates may have silently patched this issue already, but it has been identified in the latest updates to the HTC One (m7 and m8), Samsung Galaxy S 5, and a few others.

The Bluedroid stack was first introduced with Android 4.2, but custom implementations of BLE built by HTC, Samsung, and Sony for that version should not be affected.

Workarounds and Fixes

If the Bluetooth service on your device has started crashing, there are a few methods for solving the problem, and even one that may prevent it from returning. Unfortunately, there's one catch that prevents this from being easily and permanently fixed on most devices: the log file bt_config.xml is restricted to system-level access. That means it can only be directly read or modified by the Bluetooth service, the OS, or apps with root access.

  • I'll start with the best option in the group, an app called Bluetooth Crash Resolver. It was developed by Radius Networks, one of the companies that manufactures proximity beacons. bt_config.xml can't be modified directly without root, but the Bluetooth service can be tricked into clearing out entries by forcing a "discovery" to run. The app can watch for and fix the log after a crash occurs and it will attempt to prevent further issues through regular paring down of the list. The developers acknowledge that it's not a perfect solution and it may cost some battery life, but it's the easiest and as close to a permanent fix that exists without rooting. Unfortunately, there are reports that it doesn't work with every device firmware, so some users will have to resort to alternative solutions. This app is also open source. Note to developers using BLE: there are instructions for ways your own apps can help to reduce the problem.
  • The other non-root solution, if you can call it that, is a factory reset. I only mention this because there aren't any other alternatives. This will fix the issue until the log refills, and then you're right back to square one. Consider this a last resort.
  • If your device is rooted, you can manually edit bt_config.xml to remove excess entries. It's located at /data/misc/bluedroid. Doing this may require re-pairing with your existing BLE devices, unless those are kept in the list. This method is also a very temporary fix since the log will eventually refill on its own. I've yet to see an app that automates this process, but such a thing will probably turn up fairly soon.
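As an added illustration of the log described above and of the root-only cleanup in the last bullet (this is example code, not the article's, Radius Networks' or Bluedroid's own), the script below counts the remote-device entries in a bt_config.xml, reports how much headroom is left before the 1,990-entry threshold, and prunes unpaired entries oldest-first while keeping every paired device so no re-pairing is needed. The element layout it parses is an assumption, since the article does not show the file's contents; the sample input is constructed.

```python
"""Count and prune remote-device entries in a Bluedroid bt_config.xml.
Assumed layout (the article does not show the file): each remote device is a
child of <Remote>, address in its Tag attribute, with optional <N1 Tag="Timestamp">
and <N1 Tag="LinkKey"> children (a LinkKey means the device is paired)."""
import xml.etree.ElementTree as ET

MAX_ENTRIES = 1990  # entries after which one more new address crashes the service

def is_paired(dev):
    return any(c.get("Tag") == "LinkKey" for c in dev)
def timestamp(dev):
    ts = next((c.text for c in dev if c.get("Tag") == "Timestamp"), None)
    return int(ts) if ts else 0
def remotes_of(xml_text):
    r = ET.fromstring(xml_text).find("Remote")
    return r if r is not None else ET.Element("Remote")

def count_entries(xml_text):
    return len(remotes_of(xml_text))

def headroom(xml_text):
    """New addresses the phone can still see before hitting the crash threshold."""
    return MAX_ENTRIES - count_entries(xml_text)

def paired_addresses(xml_text):
    return {d.get("Tag") for d in remotes_of(xml_text) if is_paired(d)}

def prune(xml_text, keep=100):
    """Drop unpaired entries, oldest first, until at most `keep` remain; paired
    devices are never dropped, so no re-pairing is needed. Returns (xml, removed)."""
    root = ET.fromstring(xml_text)
    remotes = root.find("Remote")
    if remotes is None:
        return xml_text, 0
    excess, removed = len(remotes) - keep, 0
    for dev in sorted((d for d in remotes if not is_paired(d)), key=timestamp):
        if removed >= excess:
            break
        remotes.remove(dev)
        removed += 1
    return ET.tostring(root, encoding="unicode"), removed

def build_sample(paired_addrs, n_unpaired):
    """Constructed sample: a few paired devices plus many rotating beacon addresses."""
    root = ET.Element("Bluedroid")
    remotes = ET.SubElement(root, "Remote")
    for i, addr in enumerate(paired_addrs):
        dev = ET.SubElement(remotes, "N1", Tag=addr)
        ET.SubElement(dev, "N1", Tag="Timestamp", Type="int").text = str(i)
        ET.SubElement(dev, "N1", Tag="LinkKey", Type="binary").text = "00" * 16
    for i in range(n_unpaired):  # made-up addresses standing in for a rotating beacon
        dev = ET.SubElement(remotes, "N1", Tag="C0:FF:EE:%02X:%02X:%02X" % (i >> 16, i >> 8 & 255, i & 255))
        ET.SubElement(dev, "N1", Tag="Timestamp", Type="int").text = str(100 + i)
    return ET.tostring(root, encoding="unicode")
```

On a rooted device the pruned text would be written back over /data/misc/bluedroid/bt_config.xml with Bluetooth turned off, so the service does not overwrite it on its next natural shutdown.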

While I don't consider 3rd-party ROMs to inherently be a "fix," it's worth noting that this bug was patched in CyanogenMod 10.2 all the way back on September 27th - four days before the launch of KitKat. Umm, did anybody remember to submit this patch upstream to Google? Nonetheless, any custom ROM based on CM source from after that date should be free of this issue.

Current Status

A bug report has already been posted to the AOSP Issue Tracker with details for reproduction. Google hasn't directly responded to that bug post, but we've reached out to Qualcomm, and received a comment that confirms Google is aware of the issue and fixing it with a future release.

Please know that while the overall Gimbal context aware platform supports iOS and Android, Gimbal proximity beacons today only support iOS. We are aware of an issue within Android and have been working with Google to address in their next software release. We look forward to Gimbal proximity beacons being supported by Android in the near future. -- Qualcomm

After a bit of digging around in the accidentally leaked 4.4.3 changelog, it appears that a fix is on the way (see line 316 of our mirror). At least we know the bug is squashed for future releases.

Wrap-Up

With the rise of Bluetooth Low-Energy devices, we're bound to see a few bugs bubbling up from the depths. This particular issue will likely pose problems for the next year or two on devices that have been abandoned with Android 4.3 - 4.4.2. As for devices that will continue to receive updates, we can probably expect many OEMs to simply skip 4.4.3 (if it is released) in favor of the next major release due to come out at Google I/O 2014.

Sources: AOSP Issue Tracker #67272, StackOverflow, Radius Networks (+ Github thread)

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • Grahaman27

    That's unbelievable.

  • blahmoomoo

    Classic buffer overflow... it's always sad to see this sort of bug in a place that can't be readily fixed. At least said buffer overflow doesn't seem to lead to a security breach, but it's still a serious problem due to how it makes Bluetooth almost completely crippled.

    I'll have to remember to turn off my Bluetooth when I'm not going to use it just in case... until the next OS update comes out.

  • Steve

    I've had a problem in my car that seems to be related (Xperia Z1S but also happened with my Razr Maxx HD) -

    After a month or so of having no bluetooth issues, the bluetooth connection with my car goes in and out, often. I've actually noticed that it seems to only happen when I'm in traffic or on local roads, which makes sense with this article (that may be when it is hitting other bluetooth signals). I now believe the info in this article describes exactly my problem and the reason why.

  • mikewatson021

    I believe the info in this article describes exactly my problem and the reason why.
    http://bit.ly/1i0LgHG

  • yodatom10

    Hopefully a fix is rolled into 4.4.3

    • Stevebry56

      :)

    • blahmoomoo

      The paragraph after the quote in "Current Status" suggests it probably will be.

  • Adair Vargas

    I have a problem in my S4 that maybe and maybe not is this. With my pebble, sometimes the bluetooth restarts itself (without any dialog), and my pebble is stuck trying to get the notification that was displaying.

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      The reports of exactly how the issue presents itself are fairly sparse, so it wouldn't surprise me if this is related. The few people who were specific mention the dialog, but I've seen first-hand that the dialog doesn't always show up if a service crashes or goes down for other reasons.

  • Mike Reid

    >It's located at /datamedia/misc/bluedroid.

    You mean /data/misc/bluedroid/ ?

    That's where bt_config.xml is on my phones, mostly running CM11.

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      Good catch. I must have tapped the trackpad while I was typing 'media' and didn't notice it at the time. The keyboard I'm using makes that a little too easy :(

  • DirkBelig

    I am totally unable to send text messages while my Nexus 5 is paired with my car's Sync system because as soon as I do, the Bluetooth share error occurs and I can't play anything until I reboot the phone, which is a hazard while driving. (I text at the lights or while parked, not while moving!) So annoying. Not sure how this is happening because the only BT device I pair with.

    • Psycho

      I have the same issue with Honda link. My phone automatically pairs with my car but as soon as I send a text message (using handcent) I have the same problem. I'm also listening to music via bluetooth in the car when this happens.

      • DirkBelig

        I'm using Handcent as well, but it crashes with Hangouts, too.

        • OCSportsGeek

          Also seeing it with sync and handcent timing. Interesting...

  • Manbearpig

    I have 3 phones on 4.4. Moto X, G2, and a Note 2 and I work at a Best Buy surrounded by Bluetooth all day and I can't ever recall a problem like this. Maybe I'm lucky

    • billykent1972

      probably lucky as I'm running 4.4.2 on a Moto X and can say I've seen this, only twice so no big deal really. But can confirm it does happen on Moto X.

  • Roh_Mish

    I have not counted but looks like I am near the limit or crossed it. I use PA and if I have crossed it then PA is not affected by this bug.

  • AAlchemy
  • Udit Kumar

    Well.. I went to watch a match at a cricket stadium... and then my smart watch started disconnecting 3-4 times every minute .. Which is weird.. though I did not have any crash errors..

  • http://www.LOVEanon.org/ Michael Oghia (Ogie)

    Thanks for covering this @CodyToombs:disqus !

  • MadmaxxHD

    I have a RazrMaxxHD and before the KitKat update, streaming to the Ford Sync in my car worked perfectly for years. Now it can't stream a song without skipping. It was my favorite feature of a smartphone and now it's useless. Thanks for nothing Google software geeks. Thanks for freakin nothing.

  • Mika Stone

    My Moto G first gen is doing this. I smashed it, fuck KK and Android, you put your OS out way too fast then bugs appear. I never had such problems and unreliability from any Android till KK. Going to Windows Phone cuz fuck Apple too.