A powerful Android Bluetooth penetration testing framework for security researchers and penetration testers. Test Bluetooth device resilience against various attack vectors including connection flooding, pairing spam, and protocol-level attacks.
FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY
This tool is designed for:
- Security researchers
- Penetration testers with proper authorization
- Bluetooth security auditing
- Testing device resilience in controlled environments
Unauthorized jamming of Bluetooth devices may be illegal in your jurisdiction. Use responsibly and only on devices you own or have explicit permission to test.
- Block NEW connection attempts — Prevents devices from connecting initially
- Interfere with pairing process — Disrupts device pairing
- Connection spam attacks — Makes discovery difficult
- DoS during connection establishment — Overwhelms connection logic
- Jamming active music playback — Android OS prevents this
- Disconnecting already-connected headphones — Requires HCI access
- Disrupting established audio streams — OS-level protection
- Forcing disconnection of paired devices — Need root privileges
BOTTOM LINE: Non-root modes only work on devices trying to connect, NOT devices already playing audio.
- Force disconnect active connections — Via HCI deauth commands
- Disrupt audio streams in real-time — Bluetooth stack manipulation
- Inject malformed packets — Protocol-level attacks
- Bypass Android security restrictions — Direct hardware access
- Android Version: 10 (API 29) or higher
- Permissions:
  - Bluetooth
  - Bluetooth Admin
  - Location (for BLE scanning)
- Limitations: Only affects NEW connections
- All non-root requirements
- Root access (Magisk recommended)
- `hcitool` binary (usually included in ROM)
- SELinux permissive (may be required on some devices)
- Download the latest APK from releases.
- Enable "Install from Unknown Sources" on your device.
- Install the APK.
- Grant required permissions.
- (Optional) Root your device with Magisk for active connection attacks.
```bash
# Clone the repository
git clone https://github.com/yourusername/bluetooth2jam.git
cd bluetooth2jam
# Build with Gradle
./gradlew assembleDebug
# APK location:
# app/build/outputs/apk/debug/app-debug.apk
```
- Scan for Devices: Tap SEARCH DEVICES to discover nearby Bluetooth devices.
- Select Target: Choose a device from the list.
- Choose Attack Mode:
  - Non-Root Modes (6 modes): Work on NEW connections only.
  - Root Modes (2 modes): Can disrupt ACTIVE connections.
- Configure Threads: Set number of concurrent attack threads (default: 8).
- Start Attack: Tap START ATTACK button.
- Monitor Logs: View real-time attack progress in the log window.
- Stop Attack: Tap STOP ATTACK when finished.
Combines multiple attack strategies:
- SDP service discovery spam (every 5th attempt)
- Pairing requests (every 10th attempt)
- Rapid RFCOMM connections on channels 1–30
- L2CAP channel flooding
- 990-byte junk data transmission
Works for: Blocking NEW connection attempts
Won't affect: Already-connected devices playing audio
- Creates rapid connect/disconnect cycles
- Uses reflection to access hidden RFCOMM sockets
- Floods with 990-byte packets
- Attempts 30 channels per cycle
Works for: Overwhelming connection logic
Won't affect: Established connections
- Scans RFCOMM channels 1–30
- Maintains persistent connections
- Continuous data flooding (10 ms intervals)
- Keeps sockets alive until stopped
Works for: Channel exhaustion on NEW connections
Won't affect: Active audio streams
- Targets L2CAP protocol layer
- Tests PSM (Protocol/Service Multiplexer) 1–50
- Rapid channel creation and destruction
Works for: Protocol-level resilience testing
Won't affect: Established audio connections
- Continuous pairing requests
- SDP UUID fetching
- Bond state manipulation
Works for: Disrupting pairing process
Won't affect: Already-paired devices
- Service Discovery Protocol spam
- UUID fetching at 50 ms intervals
- Overwhelming service discovery
Works for: SDP stack testing during discovery
Won't affect: Connected devices
THIS IS WHAT YOU NEED FOR ACTIVE AUDIO JAMMING
- Force disconnect via `hcitool dc`
- HCI reset commands
- Bluetooth stack toggling
- ACL connection reset
WILL disrupt: Active music playback
WILL disconnect: Already-connected headphones
WILL drop: Established audio streams
Requirements:
- Rooted device (Magisk)
- `hcitool` binary
- Root permission granted to app
- Injects malformed L2CAP packets
- Invalid channel IDs
- Oversized packet injection
- HCI command manipulation
WILL crash: Bluetooth stack (requires reboot)
WILL disrupt: All active connections
WARNING: May cause device instability
- Unlock Bootloader:
```bash
# Enable OEM Unlocking in Developer Options
# Boot to fastboot: Power + Volume Down
adb reboot bootloader
fastboot oem unlock # or: fastboot flashing unlock
```
- Install Magisk:
  - Download stock `boot.img` for your device.
  - Install Magisk Manager APK.
  - Patch `boot.img` in Magisk app.
  - Flash patched boot:
```bash
fastboot flash boot magisk_patched.img
```
- Verify Root:
  - Open Bluetooth Jammer app.
  - Check logs: should show `Root Status: AVAILABLE`.
  - Root attack modes should be enabled (not grayed out).
Rooting Warnings:
- Voids warranty.
- May brick device if done incorrectly.
- Banking apps may not work (Magisk Hide can help).
- Samsung devices may trip Knox permanently.
Android OS protects established Bluetooth connections through:
- ACL (Active Connection Link) — OS-managed, app-inaccessible
- A2DP Audio Stream — Kernel-level audio routing
- Security restrictions — Apps can't access HCI layer
- Socket isolation — Each connection has protected socket
The attacks target:
- RFCOMM connection establishment (pre-connection phase)
- L2CAP channel setup (before audio starts)
- SDP service discovery (before pairing)
The attacks DON'T reach:
- Established ACL links
- Active A2DP streams
- Kernel-level audio routing
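Because the non-root modes live entirely in connection setup, the device under test can recognise them by rate and by breadth of channels or PSMs touched. The following detector is an added example, not code from this project; the event tuple format, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed tuning values; calibrate against the device's normal pairing traffic.
WINDOW_S = 2.0       # sliding window length in seconds
MAX_ATTEMPTS = 20    # setup attempts per peer per window
MAX_DISTINCT = 10    # distinct RFCOMM channels or L2CAP PSMs per peer per window

def detect_setup_floods(events):
    """Flag peers whose connection-setup traffic looks like a flood or sweep.

    events: time-sorted (timestamp_s, peer_addr, layer, target) tuples, a
    hypothetical normalized format. layer is 'rfcomm', 'l2cap', 'sdp' or
    'pair'; target is the RFCOMM channel or L2CAP PSM, else None.
    Returns {peer_addr: set of reasons}.
    """
    recent = defaultdict(deque)   # peer -> events still inside the window
    findings = defaultdict(set)
    for ts, peer, layer, target in events:
        window = recent[peer]
        window.append((ts, layer, target))
        while ts - window[0][0] > WINDOW_S:
            window.popleft()
        if len(window) > MAX_ATTEMPTS:
            findings[peer].add("rate")
        for swept in ("rfcomm", "l2cap"):
            distinct = {t for _, lay, t in window if lay == swept}
            if len(distinct) > MAX_DISTINCT:
                findings[peer].add(swept + "-sweep")
    return dict(findings)

def constructed_events():
    """Constructed sample: one peer cycling RFCOMM channels 1-30 every 10 ms,
    and one peer doing a single SDP query followed by one RFCOMM connect."""
    noisy = [(i * 0.01, "AA:AA:AA:AA:AA:01", "rfcomm", 1 + i % 30) for i in range(60)]
    quiet = [(0.50, "BB:BB:BB:BB:BB:02", "sdp", None),
             (0.90, "BB:BB:BB:BB:BB:02", "rfcomm", 3)]
    return sorted(noisy + quiet, key=lambda e: e[0])

if __name__ == "__main__":
    for peer, reasons in detect_setup_floods(constructed_events()).items():
        print(peer, sorted(reasons))
```

A peer flagged this way is a candidate for temporary rate limiting or for rejecting further setup requests until the window clears.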
Root access allows:
- HCI command injection — Direct Bluetooth hardware control
- Bluetooth stack manipulation — Service enable/disable
- Packet injection — Malformed HCI commands
- Connection termination — Force disconnect via `hcitool dc`
Cause: You're using non-root modes on an already-connected device
Solution:
- Root your device.
- Select "Root Deauth Attack" mode.
- Grant root permission when prompted.
- Start attack — music should disconnect.
Cause: Device is not rooted or root not detected
Solution:
- Verify root: install Root Checker app.
- Ensure Magisk is properly installed.
- Grant root to Bluetooth Jammer when prompted.
- Check logs for `Root Status: AVAILABLE`.
Cause: hcitool binary not found on device
Solution:
- Check if `hcitool` exists:
```bash
adb shell which hcitool
```
- Some custom ROMs don't include it.
- Install manually or use a ROM that includes it.
Cause: Malformed packets crash Bluetooth stack
Solution:
- Reboot device to recover.
- Use "Root Deauth Attack" instead (safer).
- Stack Poison is intentionally destructive.
- ChatGPT-4o: AI assistance and code optimization
- Material Design 3: Google's design system
- Android Bluetooth API: Core functionality
- Magisk: Root solution for testing root modes
MIT License — See LICENSE file for details
Remember: Non-root modes only block NEW connections. For active audio jamming, you MUST root your device and use Root Deauth Attack mode.