But something else had changed.
She checked the driver version: 2.2.3.481. A known bug in the community forums: "HCI command timeout after idle." Broadcom had supposedly fixed it three months ago. Version 2.2.3.593. bluetooth firmware -broadcom- update version 2.2.3.593
Elena noticed it at 3:17 AM, alone in the lab, when she ran btmon in verbose mode. The controller was now sending vendor events for a command she’d never seen: Opcode 0xFC2F — Read ROM Checksum . That wasn’t in the public HCI spec. But something else had changed
Here’s a short technical narrative based on your request: The Patch That Spoke in Packets Version 2
She checked the hex dump of the new .bin file. Hidden in the last 512 bytes: a string "BMAT_2.2.3.593" and a timestamp "2024-10-12T14:23:11Z" — three weeks ahead of the official release date.
Elena froze. Either Broadcom was telemetrying every Bluetooth chip in the field without disclosure… or someone had slipped a test build into production. She reported it through internal security channels, attaching the packet capture.