A multi-platform educational toolkit for understanding Bluetooth Classic (RFCOMM) and BLE (GATT) protocol behavior in controlled, authorized lab environments.
⚠️ Authorized Use Only This toolkit is intended strictly for use on devices you personally own or have explicit written permission to test. Unauthorized use against third-party devices may violate local and international law. The authors assume no liability for misuse.
⚠️ Potentially Harmful Capabilities & Risk DisclosureThis tool contains features that can cause operational disruption to target hardware if used improperly:
RFCOMM Hardware Flooding: The "Flood" module intentionally injects dense byte streams into targeted Bluetooth channels. On vulnerable, legacy, or unpatched Bluetooth stacks, this can cause buffer overflows, resulting in the target device freezing, kernel panics, or complete Denial of Service (DoS).
Payload Injection & State Manipulation: The ability to inject raw AT commands (e.g., HFP handshake manipulation) and OBEX payloads can alter the operational state of target devices, potentially causing unauthorized call manipulation or disrupting audio gateways.
GATT Interaction: Unauthenticated reading/writing of BLE characteristics may expose sensitive plaintext data or alter IoT device configurations.
Use exclusively on hardware you own or have explicit consent to audit.
DissPair is a Bluetooth security learning toolkit designed for students, hardware developers, and security researchers to explore low-level behavior of:
- Bluetooth Classic (RFCOMM)
- Bluetooth Low Energy (BLE GATT)
Unlike many tools that rely purely on Service Discovery Protocol (SDP), DissPair actively probes and interacts with devices to reveal real behavior vs advertised behavior.
It is designed for use in personal lab environments — testing your own devices, understanding protocol fundamentals, and learning how Bluetooth service discovery and channel communication works under the hood.
| CVE Number | Vulnerability Description | Link |
|---|---|---|
| CVE-2026-31280 | An issue in the Bluetooth RFCOMM service of Parani M10 Motorcycle Intercom v2.1.3 allows unauthorized attackers to cause a Denial of Service (DoS) via supplying crafted RFCOMM frames. | View Details |
| CVE-2025-67133 | An issue in Hero Motocorp Vida V1 Pro 2.0.7 allows a local attacker to cause a denial of service via the BLE component | View Details |
| Platform | Description | |
|---|---|---|
| 📱 | Android | Native Kotlin app with Jetpack Compose UI for on-device Bluetooth analysis. Field learning — explore Bluetooth environments from a mobile device. |
| 🐧 | Linux CLI | Python-based tool using BlueZ and raw Bluetooth sockets. Desktop study — terminal-based protocol analysis with minimal dependencies. |
Scan → Discover nearby Bluetooth devices (Classic BR/EDR and BLE)
↓
Sweep → Probe RFCOMM channels (1–30) on your own device
↓
Map → Identify active vs advertised services
↓
Analyze → Interact with protocols (RFCOMM / GATT) to study behavior
- Students learning Bluetooth protocol internals on their own hardware
- Hardware hobbyists auditing and validating their own devices
- Security researchers studying RFCOMM/GATT behavior in lab setups
- Developers building Bluetooth-enabled hardware who want to validate their own implementations
DissPair APK is a native Android application written in Kotlin with a Jetpack Compose UI. It uses Android's native Bluetooth APIs directly — including BluetoothAdapter, BluetoothGatt, and reflection-based createRfcommSocket / createInsecureRfcommSocket calls — to interact with the device's Bluetooth stack without relying on higher-level abstractions.
Disspair/
├── app/
│ └── src/
│ └── main/
│ ├── java/org/disspair/disspair/
│ │ └── MainActivity.kt # Core app logic, UI, Bluetooth analysis
│ └── res/
│ └── drawable/
│ └── disspair_logo.png # App icon
├── build.gradle
└── README.md
- Android 6.0 (API 23) or higher
- Android 12+ (API 31) requires
BLUETOOTH_SCANandBLUETOOTH_CONNECTpermissions - Location services must be enabled for Bluetooth scanning
- For Classic device analysis: Location + Nearby Devices permissions
- Download
disspair.apkfrom the Releases tab - On your Android device, allow your browser or file manager to Install unknown apps
- Open the app and grant the requested Location and Nearby Devices permissions
These permissions are required for Bluetooth scanning on Android 12+
git clone https://github.com/threadpoolx/DissPair.git
cd DissPair
git checkout APK- Open Android Studio (Hedgehog or newer recommended)
- Select Open and navigate to the cloned directory
- Let Gradle sync complete
# Via Android Studio: Build > Build Bundle(s) / APK(s) > Build APK(s)
# Or via command line:
./gradlew assembleDebugThe compiled APK will appear in app/build/outputs/apk/debug/.
Ensure you have Android SDK, Android NDK, and JDK 17 installed and configured in Android Studio.
sequenceDiagram
autonumber
participant D as DissPair v2 (Android)
participant B as Android BT Stack
participant T as Target Device
Note over D, T: 1. Setup & Device Discovery
D->>B: checkPermissions() and startDiscovery()
B-->>D: onDeviceFound(Name, MAC, Type)
D->>D: UI Update - Categorize Classic vs BLE
Note over D, T: 2. Classic RFCOMM & Payload Mapping
D->>T: createRfcommSocket(ch 1-30)
T-->>D: Socket Verified Open
Note over D, T: Classic Attack Engine
alt Method - Flood
D->>T: write payload in High-Speed Loop
T-->>D: IOException (Buffer Overflow / DoS)
else Method - Payload Injection
Note right of D: Feature - TTY (AT Cmds), PBAP, or Custom
D->>T: Send specific Protocol Payload
T-->>D: Stream Response / Data Leak
end
Note over D, T: 3. BLE GATT & Profile Interaction
D->>T: connectGatt() and discoverServices()
T-->>D: onServicesDiscovered(List of GattService)
Note over D, T: BLE Attack Engine
alt General Profile Access
D->>T: readCharacteristic(Generic_UUID)
T-->>D: onCharacteristicRead (DeviceInfo/Battery)
else Customized Profile Manipulation
Note right of D: Targeted Write/Fuzzing
D->>T: writeCharacteristic(Custom_UUID, malformed_data)
T-->>D: onCharacteristicWrite status
end
Note over D: closeAll() - Release Hardware Resources
| Button | Description |
|---|---|
| SCAN CLASSIC | Discovers nearby BR/EDR devices using Android's startDiscovery API. Loops up to 5 scan cycles to maximize coverage. |
| SCAN BLE | Passively listens for BLE advertisement packets via BluetoothLeScanner. |
Paired devices are loaded automatically from the local Bluetooth bond cache on startup and shown via the Paired toggle.
Tap ANALYSE on any Classic or Paired device to open the RFCOMM Channel Analysis.
Probes channels 1–15 by default (expandable to 16–30 via the PROBE 16-30 button) using direct RFCOMM connection attempts. Reports which channels are live and whether they accept unpaired (insecure) or paired (secure) connections.
| Action | Description |
|---|---|
| PAYLOADS | Opens the payload dialog to send a predefined or custom payload to the channel |
| FLOOD | Transmits a continuous 2048-byte burst stream to stress-test the target's RFCOMM buffer handling |
- AT Command: Connect — Sends
ATZ\r\n(Hayes modem reset/ping) - PBAP/MAP: OBEX Connect — Sends a raw OBEX
0x80Connect PDU - Custom Payload — Enter any AT command;
\r\nis auto-appended - Includes automatic HFP handshake detection and bypass — if the target opens with an
AT+BRSFprompt, the tool auto-negotiates withAT+BRSF=0before injecting the chosen payload
Tap ANALYSE on any BLE device to open the GATT Analysis.
- Establishes a GATT connection and enumerates all services and characteristics
- Displays service type (General for standard 16-bit Bluetooth UUIDs, Customized for vendor UUIDs)
- Per-characteristic actions:
| Action | Description |
|---|---|
| READ | Reads the current value of the characteristic |
| WRITE | Opens a write dialog supporting ASCII or raw Hex input |
- Toggle HEX / ASCII display for all captured values
A live scrolling terminal log at the top of the main screen and within each overlay shows all events, discovered targets, errors, and decoded responses in color-coded monospace output.
A Python-based command-line tool using:
- Native Linux Bluetooth sockets (
AF_BLUETOOTH) - BlueZ stack
Allows low-level protocol interaction without abstractions.
- Kali Linux (recommended)
- Ubuntu / Debian
VM users must use a USB Bluetooth adapter
flowchart TB
Start["START: Init & Dep Check"] --> ScanClassic["Scan Classic\nhcitool/bluez"] & ScanBLE["Scan BLE\nBleak Scanner"] & PairedDevices["Paired Devices\nLocal BlueZ"] & ManualMAC["Manual MAC"]
ScanClassic --> TargetLocked["Target Locked"]
ScanBLE --> TargetLocked
PairedDevices --> TargetLocked
ManualMAC --> TargetLocked
TargetLocked --> ClassicEnum["Classic Enumeration\nBrute-force RFCOMM 1-30"] & BLEEnum["BLE GATT Enumeration\nPull Services & Chars"]
ClassicEnum --> ClassicAttacks["RFCOMM Attacks\n- Silent Connection\n- Kali TTY Modem Noise\n- Resource Flood DoS\n- Customized Payload"]
BLEEnum --> BLEAttacks["GATT Interaction\n- Read Hex/ASCII\n- Write Text String\n- Write Raw Hex"]
sudo apt update
sudo apt install -y bluez rfkillpython3 -m venv disspair_env
source disspair_env/bin/activate
pip install bleaksource disspair_env/bin/activate
sudo $(which python3) disspair_kali.py- Scan Classic devices
- Scan BLE devices
- Load paired devices
- Manual MAC input
- RFCOMM channel probing (1–30)
- BLE GATT enumeration
- Connect to channel
- Send AT commands
- Flood testing
- Read characteristics
- Write characteristics
sudo rfkill unblock bluetooth
sudo systemctl restart bluetooth
sudo hciconfig hci0 up
hciconfig -aIf you need to report a security vulnerability, malicious activity, or third-party abuse related to this tool, please see the Security Policy for contact details and responsible disclosure guidelines.
Only use DissPair against:
- Devices you personally own
- Devices where you have explicit written authorization from the owner
Never use this tool against:
- Public devices
- Vehicles or infrastructure
- Third-party hardware without consent
