Frontend · Flutter · Android

Reverse-Engineering AirPods: An Open-Source Project Brings Full AACP Protocol to Android

By 恋猫de小郭 · Jun 24, 2026

Read original on juejin.cn ↗ Google Translate ↗ Alt translation

For Android developers and power users, this project proves that Apple's hardware lock-in is breakable at the protocol level. It also exposes a real, widespread L2CAP bug in Android's Bluetooth stack that affects more devices than most realize — a signal that Google's Bluetooth implementation still has rough edges.

Summary

A new open-source project called LibrePods brings the full suite of AirPods features to Android by reverse-engineering Apple's private AACP (Apple Accessory Communication Protocol). The project works on three Bluetooth layers: passive BLE scanning for battery and in-ear status, a custom L2CAP channel (PSM 0x1001) for bidirectional control commands like noise cancellation and conversational awareness, and an ATT layer (PSM 31) for fine-grained transparency and hearing aid parameters.

The biggest hurdle is a widespread bug in Android's Bluetooth stack (Fluoride/Gabeldorsche) that blocks L2CAP connections to the required PSM. LibrePods works around this with an Xposed module that hooks the low-level `l2c_fcr_chk_chan_modes` function, plus reflection to create L2CAP sockets directly. Some devices — including recent ColorOS, OxygenOS, and Android 16 QPR3 builds — have already fixed the bug and don't need the hook.

To unlock features like multi-device switching and ATT access, the project also spoofs the Bluetooth DID VendorID to Apple's `0x004C`, tricking AirPods into treating the Android device as an Apple product. Over 60 control commands have been reverse-engineered so far, though spatial audio and heart rate monitoring remain unimplemented.

Takeaways

— LibrePods reverse-engineers Apple's AACP protocol and reimplements it on Android using standard Bluetooth APIs.

— The protocol operates on three layers: BLE broadcast (passive status), L2CAP PSM 0x1001 (bidirectional control), and ATT PSM 31 (fine-grained parameters).

— Over 60 control commands have been reverse-engineered, covering noise cancellation, conversational awareness, button config, and hearing aid features.

— A bug in Android's Bluetooth stack (Fluoride/Gabeldorsche) blocks L2CAP connections to PSM 0x1001 on most devices.

— The project works around the bug with an Xposed module that hooks the `l2c_fcr_chk_chan_modes` function and uses reflection to create L2CAP sockets.

— Some OEM builds (ColorOS 16, OxygenOS 16, Realme UI 7.0, Android 16 QPR3) have fixed the L2CAP bug and don't require the hook.

— Spoofing the Bluetooth DID VendorID to Apple's 0x004C unlocks multi-device switching and ATT access.

— Spatial audio (head tracking) and heart rate monitoring are not yet implemented.

— The protocol was reverse-engineered by capturing Bluetooth traffic with macOS PacketLogger.

Conclusions

The fact that a single developer could reverse-engineer Apple's private protocol and reimplement it on a competing platform shows how much of Apple's 'ecosystem lock-in' is just protocol obscurity, not technical impossibility.

The L2CAP bug in Android's Bluetooth stack is a surprisingly fundamental flaw — it blocks a standard protocol feature that AirPods happen to rely on, and it's present across most devices.

The VendorID spoofing trick is a neat reminder that Apple's hardware checks are often just a few bytes in a profile — once you know the magic number, the gates open.

The project's reliance on Xposed and reflection highlights how Android's public Bluetooth APIs are still too restrictive for low-level protocol work.

Concepts & terms

AACP (Apple Accessory Communication Protocol)

Apple's proprietary Bluetooth protocol used by AirPods for control commands, status updates, and feature configuration. It runs over a custom L2CAP channel and is not part of the standard Bluetooth specification.

L2CAP PSM

Protocol Service Multiplexer — a number that identifies a specific protocol or service on top of an L2CAP connection. AirPods use PSM 0x1001 for AACP control and PSM 31 for raw ATT.

FCR (Flow Control and Retransmission)

A Bluetooth L2CAP mode that manages data flow and retransmission of lost packets. Android's Bluetooth stack has a bug in negotiating this mode, which blocks connections to certain PSMs.

DID Profile (Device ID Profile)

A Bluetooth profile that exposes a device's vendor ID, product ID, and version. AirPods check the VendorID of the connected device — only Apple's ID (0x004C) unlocks certain features.

Source: juejin.cn ↗ Google Translate ↗ Backup ↗