Bug Report: Bluetooth HAL crash (SIGABRT) on Pixel 8 Pro (husky)

[dexty99]

Device: Pixel 8 Pro (husky)
OS Version: GrapheneOS 2026030701 (stable channel)

Build Fingerprint: google/husky/husky:16/BP4A.260205.001/2026030701:user/release-keys

Summary:
Severe system instability and repeated com.android.bluetooth crashes occurring on the latest stable build. The Bluetooth HAL is dying due to GLINK IPC handshake timeouts, which in turn causes dependent services (Location/GNSS) and navigation apps (HERE/Organic Mapto crash or become non-responsive.
Symptoms:
Bluetooth and Wi-Fi are effectively unusable.
System services crashing: com.android.bluetooth logs frequent SIGABRT signals.
Location services hanging/timing out, leading to force-closes in navigation applications.
High kernel-level coex error spam in dmesg.

Reproduction:
Occurs consistently on boot/runtime when the Bluetooth stack attempts to initialize via the current vendor firmware blob (coex_fw_5.15.0). The issue appears linked to the March 2026 vendor image regression regarding Wi-Fi/Bluetooth coexistence.

Log

type: crash
osVersion: google/husky/husky:16/BP4A.260205.001/2026030701:user/release-keys
flags: dev options enabled
package: com.android.bluetooth:36, targetSdk 36
sharedUid: android.uid.bluetooth
process: com.android.bluetooth

signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
Abort message: 'system/gd/hal/hci_backend_aidl.cc:83 operator(): The Bluetooth HAL died.'

backtrace:
      #00 pc 000000000007d9c0  /apex/com.android.runtime/lib64/bionic/libc.so (abort+160) (BuildId: 8a370b0bf94749d5fe50368f2a729ddb)
      #01 pc 0000000000933488  /apex/com.android.art/lib64/libart.so (art::Runtime::Abort(char const*)+1016) (BuildId: beb7fbd1d32b8638db451308cec29e5b)
      #02 pc 0000000000016f04  /apex/com.android.art/lib64/libbase.so (android::base::SetAborter(std::__1::function<void (char const*)>&&)::$_0::__invoke(char const*)+84) (BuildId: eba44ef0784e7c9bd49d2eb775454587)
      #03 pc 0000000000d7b22c  /apex/com.android.bt/lib64/libbluetooth_jni.so (bluetooth::log_internal::vlog(bluetooth::log_internal::Level, char const*, bluetooth::log_internal::source_location, std::__1::basic_string_view<char, std::__1::char_traits<char>>, std::__1::basic_format_args<std::__1::basic_format_context<std::__1::back_insert_iterator<std::__1::__format::__output_buffer<char>>, char>>)+844) (BuildId: 00d118981e5ee1c35b6355d7dfe7550c)
      #04 pc 0000000000be268c  /apex/com.android.bt/lib64/libbluetooth_jni.so (bluetooth::log::fatal(std::__1::basic_format_string<char>, bluetooth::log_internal::source_location)+76) (BuildId: 00d118981e5ee1c35b6355d7dfe7550c)
      #05 pc 0000000000be2514  /apex/com.android.bt/lib64/libbluetooth_jni.so (bluetooth::hal::AidlHci::AidlHci(char const*)::'lambda'(void*)::__invoke(void*)+116) (BuildId: 00d118981e5ee1c35b6355d7dfe7550c)
      #06 pc 000000000001b6f4  /system/lib64/libbinder_ndk.so (AIBinder_DeathRecipient::TransferDeathRecipient::binderDied(android::wp<android::IBinder> const&)+68) (BuildId: a21d540cece8ffe428b756346ed6b28a)
      #07 pc 000000000005ec00  /system/lib64/libbinder.so (android::BpBinder::sendObituary()+384) (BuildId: d73d6f7577213372ee63464ecca8a7ab)
      #08 pc 0000000000052008  /system/lib64/libbinder.so (android::IPCThreadState::executeCommand(int)+4280) (BuildId: d73d6f7577213372ee63464ecca8a7ab)
      #09 pc 0000000000094a4c  /system/lib64/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+300) (BuildId: d73d6f7577213372ee63464ecca8a7ab)
      #10 pc 000000000009490c  /system/lib64/libbinder.so (android::PoolThread::threadLoop()+28) (BuildId: d73d6f7577213372ee63464ecca8a7ab)
      #11 pc 0000000000018250  /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+208) (BuildId: d190dad3e30afcd1d9179d6819d8d20c)
      #12 pc 0000000000139ee0  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+144) (BuildId: 56386880e756b863b49c79c74bc139d0)
      #13 pc 000000000001a5b8  /system/lib64/libutils.so (libutil_thread_trampoline(void*) (.__uniq.226528677032898775202282855395389835431)+24) (BuildId: d190dad3e30afcd1d9179d6819d8d20c)
      #14 pc 0000000000091584  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*) (.__uniq.67847048707805468364044055584648682506)+180) (BuildId: 8a370b0bf94749d5fe50368f2a729ddb)
      #15 pc 00000000000813d4  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68) (BuildId: 8a370b0bf94749d5fe50368f2a729ddb)

[dexty99]

Just installed 20260320 beta build and I'm getting this:

type: crash
flags: dev options enabled
osVersion: google/husky/husky:16/BP4A.260205.001/2026032001:user/release-keys
uid: 1002 (u:r:bluetooth:s0)
cmdline: com.android.bluetooth
processUptime: 0s

abortMessage: system/gd/hal/hci_backend_aidl.cc:83 operator(): The Bluetooth HAL died.

signal: 6 (SIGABRT), code -1 (SI_QUEUE)
threadName: binder:8324_3
MTE: enabled

backtrace:
    /apex/com.android.runtime/lib64/bionic/libc.so (abort+160, pc 7d700)
    /apex/com.android.art/lib64/libart.so (art::Runtime::Abort(char const*)+1016, pc 933488)
    /apex/com.android.art/lib64/libbase.so (android::base::SetAborter(std::__1::function<void (char const*)>&&)::$_0::__invoke(char const*)+84, pc 16f04)
    /apex/com.android.bt/lib64/libbluetooth_jni.so (bluetooth::log_internal::vlog(bluetooth::log_internal::Level, char const*, bluetooth::log_internal::source_location, std::__1::basic_string_view<char, std::__1::char_traits<char>>, std::__1::basic_format_args<std::__1::basic_format_context<std::__1::back_insert_iterator<std::__1::__format::__output_buffer<char>>, char>>)+844, pc d7b22c)
    /apex/com.android.bt/lib64/libbluetooth_jni.so (bluetooth::log::fatal(std::__1::basic_format_string<char>, bluetooth::log_internal::source_location)+76, pc be268c)
    /apex/com.android.bt/lib64/libbluetooth_jni.so (bluetooth::hal::AidlHci::AidlHci(char const*)::'lambda'(void*)::__invoke(void*)+116, pc be2514)
    /system/lib64/libbinder_ndk.so (AIBinder_DeathRecipient::TransferDeathRecipient::binderDied(android::wp<android::IBinder> const&)+68, pc 1b6f4)
    /system/lib64/libbinder.so (android::BpBinder::sendObituary()+384, pc 5ec00)
    /system/lib64/libbinder.so (android::IPCThreadState::executeCommand(int)+4280, pc 52008)
    /system/lib64/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+300, pc 94a4c)
    /system/lib64/libbinder.so (android::PoolThread::threadLoop()+28, pc 9490c)
    /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+208, pc 18250)
    /system/lib64/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+144, pc 139ee0)
    /system/lib64/libutils.so (libutil_thread_trampoline(void*) (.__uniq.226528677032898775202282855395389835431)+24, pc 1a5b8)
    /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*) (.__uniq.67847048707805468364044055584648682506)+180, pc 912c4)
    /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+68, pc 81114)

[thestinger]

This looks like it's probably a hardware issue. Please try fully turning off the device for 10 seconds to see if that helps. If it doesn't then there's a high chance the Bluetooth radio has died.

[dexty99]

Update on this issue: I have performed a clean cold boot and captured logs from the current build (2026030701).
Diagnostic Summary:
Physical State: adb shell ls /sys/bus/pci/devices/ confirms the Bluetooth hardware is physically present and powered on the PCIe bus (0000:01:00.0). The hardware is not ‘dead’—it is failing to initialize.
Software State: adb shell dumpsys bluetooth_manager returns Bluetooth Service not connected and logs a loop of CRASH reasons for the BluetoothSystemServer trying to initialize.
Firmware Crash: The system logs confirm the Bluetooth HAL is dying during the hci_backend_aidl handshake. Further investigation confirms this is a systemic regression across multiple ZUMA-based devices, including husky (Pixel 8 Pro), akita (Pixel 8a), mustang (Pixel 9 Pro), and raven (Pixel 8 Pro Fold), all failing on the March 2026 vendor firmware blobs.

[thestinger]

Why does it only happen for you if it's a firmware or software issue?

[dexty99]

I understand why the limited number of reports suggests a hardware failure, but the persistent SIGABRT in hci_backend_aidl occurring precisely at the firmware handshake indicates a software/driver incompatibility rather than a dead radio. The device successfully enumerates on the PCIe bus, confirming the hardware is powered. Could this be related to a specific revision of the ZUMA Bluetooth controller interacting poorly with the coex_fw_5.15.0 blob included in the March update? I am happy to perform further testing if we can verify the behavior against the previous vendor firmware.

[dexty99]

I have captured a logcat confirming the systemic failure of the Bluetooth and Telephony Radio-HAL in the March 2026 build (2026030701).
Technical Evidence:
Root Cause: The com.android.bluetooth service is entering a SIGABRT loop due to a Bluetooth HAL died exception.
Stack Trace: The crash is triggered by bluetooth::hal::AidlHci::AidlHci via libbinder_ndk.so, confirming that the system is receiving a “death notification” from the underlying vendor-level interface.
SIM/Radio Interaction: Concurrent logs show the telephony stack receiving GENERIC_FAILURE (File not found, 0x6a 0x82) during SIM_IO requests. This confirms that the radio firmware is failing to respond to standard AIDL interface requests, causing a cascade failure across Bluetooth and Telephony.
Hardware State: Bluetooth hardware is physically detected on the PCIe bus, confirming this is an initialization/handshake failure at the firmware blob level, not a physical hardware defect.

bluetooth_crash_log.txt

[GavinBRichards]

I am also receiving this error since updating to the latest version of Graphene recently.

Device: Pixel 6 Pro (Raven)
Build: 2026030701

type: crash
osVersion: google/raven/raven:16/BP4A.251205.006/2026030701:user/release-keys
flags: dev options enabled
package: com.android.bluetooth:36, targetSdk 36
sharedUid: android.uid.bluetooth
process: com.android.bluetooth

signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
Abort message: 'system/gd/hal/hci_backend_aidl.cc:83 operator(): The Bluetooth HAL died.'

backtrace:
      #00 pc 000000000007c26c  /apex/com.android.runtime/lib64/bionic/libc.so (abort+156) (BuildId: 9e7d74e1e5118dee168638298ed46346)
      #01 pc 0000000000920d14  /apex/com.android.art/lib64/libart.so (art::Runtime::Abort(char const*)+1012) (BuildId: 18171138f568afd8f62ab03b00113051)
      #02 pc 0000000000014df0  /apex/com.android.art/lib64/libbase.so (android::base::SetAborter(std::__1::function<void (char const*)>&&)::$_0::__invoke(char const*)+80) (BuildId: 16a65a739667269682cf6911c12bfbbc)
      #03 pc 0000000000d38a5c  /apex/com.android.bt/lib64/libbluetooth_jni.so (bluetooth::log_internal::vlog(bluetooth::log_internal::Level, char const*, bluetooth::log_internal::source_location, std::__1::basic_string_view<char, std::__1::char_traits<char>>, std::__1::basic_format_args<std::__1::basic_format_context<std::__1::back_insert_iterator<std::__1::__format::__output_buffer<char>>, char>>)+844) (BuildId: 9fd5067a27f587605f5f58b3cfc04070)
      #04 pc 0000000000bac534  /apex/com.android.bt/lib64/libbluetooth_jni.so (bluetooth::log::fatal(std::__1::basic_format_string<char>, bluetooth::log_internal::source_location)+68) (BuildId: 9fd5067a27f587605f5f58b3cfc04070)
      #05 pc 0000000000bac3dc  /apex/com.android.bt/lib64/libbluetooth_jni.so (bluetooth::hal::AidlHci::AidlHci(char const*)::'lambda'(void*)::__invoke(void*)+108) (BuildId: 9fd5067a27f587605f5f58b3cfc04070)
      #06 pc 00000000000183c0  /system/lib64/libbinder_ndk.so (AIBinder_DeathRecipient::TransferDeathRecipient::binderDied(android::wp<android::IBinder> const&)+64) (BuildId: 0e10c99f4e584c6c80b9679741c7c52d)
      #07 pc 000000000005aa98  /system/lib64/libbinder.so (android::BpBinder::sendObituary()+376) (BuildId: e54d7e13834472fce7f36a2d8f0ad89d)
      #08 pc 000000000004dfe4  /system/lib64/libbinder.so (android::IPCThreadState::executeCommand(int)+4276) (BuildId: e54d7e13834472fce7f36a2d8f0ad89d)
      #09 pc 000000000008f9cc  /system/lib64/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+300) (BuildId: e54d7e13834472fce7f36a2d8f0ad89d)
      #10 pc 000000000008f888  /system/lib64/libbinder.so (android::PoolThread::threadLoop()+24) (BuildId: e54d7e13834472fce7f36a2d8f0ad89d)
      #11 pc 0000000000015fcc  /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+204) (BuildId: d6e22e213b0725025f19f1ae095d168f)
      #12 pc 000000000013664c  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+140) (BuildId: ed1ee612304d0f2bf5e2a84d1ded6c1b)
      #13 pc 00000000000181f4  /system/lib64/libutils.so (libutil_thread_trampoline(void*) (.__uniq.226528677032898775202282855395389835431)+20) (BuildId: d6e22e213b0725025f19f1ae095d168f)
      #14 pc 000000000008e8bc  /apex/com.android.runtime/lib64/bionic/libc.so (__pthread_start(void*) (.__uniq.67847048707805468364044055584648682506)+236) (BuildId: 9e7d74e1e5118dee168638298ed46346)
      #15 pc 000000000007f460  /apex/com.android.runtime/lib64/bionic/libc.so (__start_thread+64) (BuildId: 9e7d74e1e5118dee168638298ed46346)