BTClass - Bluetooth Device Class Cloaking

Feb 2005

2 mins read

Each Bluetooth device has a device class (type of device and services it provides) which is part of the responds to an inquiry. The device class has a total length of 24 bits and is separated in three parts. First there is the Service Class which is a bit field (first 11 bits) and second and third are the Major (5 bits) and Minor (6 bits) device class. The last two bits indicate the format. Not all possible values will be described here, you can find the complete specification here.

A phone will show up as something like 0x500204 which indicates that the Service Class is: ‘Object Transfer and Telephony’ with a MajorClass of: ‘Phone’ and a MinorClass of: ‘Cellular’.

A printer would show up like: 0x140680 which indicates ‘Rendering and Object Transfer’ with a MajorClass of ‘Imaging’ and a MinorClass of ‘Printer’.

The Deal

So what is the deal with the device class? The deal is that when you want to find a certain type of device you will filter out all devices with uninteresting device classes. So for example if you are looking for cellphones to spam, you might look for devices which advertise Object Transfer. Devices that have switched of this service cannot be attacked. The second example is the other way around, some devices may lower their security settings for certain device types as they are more trustworthy. So through changing the device class you can gain more access to target devices.


Basically the idea to change the device class is old, I came up with it at the time I wrote BlueSpam (a BlueJacking PoC for PalmOS). Because I didn’t want to be hit by my own program - it was only attacking devices which hat the Object Transfer service class set (also I filtered out certain BD_ADDRes). To Protect my Palm I then wrote BTClass ;-P

The current version attacks everything in sight.


BTClass currently lets you change the Bluetooth device class of your PalmOS device. It also makes a nice class generator/lookup tool on non Bluetooth Palm devices (so you can easily set your Linux-BlueZ device class to Network access point and wait until somebody trys to connect to you).

Future Work

Currently, a PocketPC (WinCE) version is work in progress. But there is still no Symbian version, yet.

Also we want to do some more extensive device testing while running with different device classes. So we will finally see all the nice little icons your OS of choice shows you to represent the different device types.


BTClass for PalmOS

BTClass website

BlueSpam website

Bluetooth Baseband Assigned Numbers


In case of any questions/suggestion ask Collin Mulliner

Sharing is caring!