v2.6.2 Bug Fixes

[2.6.2] - 2026-04-17

Summary

Blue-Tap 2.6.2 is a small follow-up to 2.6.1 that fixes post-USB-reset verification on RTL8761B adapters and wires up automated GitHub Pages deployment for the docs site.

Fixed — Hardware

• DarkFirmwareManager.usb_reset_and_wait() — new method that resets the RTL8761B, waits for teardown, then polls find_rtl8761b_hci() until the adapter re-enumerates and returns the new hciX name. The kernel can re-enumerate the adapter under a different index after reset (e.g. hci8 → hci0); callers that verified post-reset state (is_darkfirmware_loaded, get_current_bdaddr) were probing the pre-reset name and reporting "verification inconclusive" even when install/patch succeeded
• firmware-install (install + restore), patch_bdaddr, and the startup auto-install prompt now use the re-enumerated hci for verification and user-facing messages

Build

• Version bumped to 2.6.2
• .github/workflows/docs.yml — new workflow auto-builds MkDocs site with --strict and deploys to GitHub Pages on every push to main
• pyproject.toml — license metadata format fixed to satisfy PEP 639 (SPDX expression only, no classifier duplication)

---

[2.6.1] - 2026-04-17

Summary

Blue-Tap 2.6.1 is a stability, ergonomics, and correctness release on top of 2.6.0. The CLI now supports interactive target selection across every target-taking command (omit the address to get a device picker); the hardware layer picks up a second RTL8761B dongle variant and hardens the DarkFirmware watchdog against concurrent HCI access; several modules that silently "succeeded" while producing wrong results now return honest envelopes; and the module loader can actually unregister + re-import plugin classes instead of leaking descriptors on reload.

Added — CLI Ergonomics

• Interactive target picker — vulnscan, recon, exploit, extract, dos, fleet, adapter info now accept TARGET as optional. When omitted (or when the argument doesn't match a MAC), a device scan runs and presents a numbered picker
• invoke_or_exit() (interfaces/cli/_module_runner.py) — new helper used by all facade commands; failed module runs now exit with status 1 instead of 0, so blue-tap works correctly in shell pipelines and CI
• Command-name-aware proxy usage hints — dos-<check>, vuln-cve-*, vuln-<check>, recon-hci-capture, recon-sniffer proxy commands now print the exact real-command invocation (e.g. blue-tap dos TARGET --checks bluefrag or blue-tap vulnscan TARGET --cve CVE-2020-0022) instead of a generic "<group> <subcommand>" template
• fuzz cve — registered proxy command for replaying a known CVE fuzz pattern
• run-playbook added to no-session command allow-list so blue-tap run-playbook --list works without an active session
• auto — docstring rewritten to state explicitly that this is a 4-module shortcut (SDP recon → vuln_scanner → KNOB exploit → PBAP extract → report), not a "full pentest"; report generation now uses the active session's data correctly and writes report.html into the session directory

Added — Framework

• ReportAdapter.priority — adapters now carry an integer priority (lower = runs first). Plugin adapters default to 50; the built-in vulnscan fallback adapter is pinned to 200 so third-party adapters are always tried first
• get_report_adapters() — returns adapters sorted by priority, unifying built-in + plugin-registered adapters; interfaces/reporting/generator.py now iterates through this function instead of the static REPORT_ADAPTERS tuple (plugin adapters were previously ignored during report generation)
• ModuleRegistry.unregister(module_id) — returns True if the descriptor was present; used by the loader to clean up on reload=True
• ModuleLoader.load_plugins(reload=True) — now unregisters previously-loaded descriptors and evicts cached modules from sys.modules before re-importing, so plugin upgrades no longer leak stale classes
• function_module() decorator — the generated _FunctionModule class is now injected into the calling module's namespace so its entry_point string resolves at import time; this previously failed silently for any module defined via @function_module
• Recon outcome taxonomy — VALID_OUTCOMES_BY_FAMILY["reconnaissance"] extended with undetermined, partial_observation, auth_required, not_found, not_connectable, timeout, no_results to cover the actual envelopes recon modules were already emitting
• build_recon_execution(module_id=...) — new optional argument so recon executions can record their fully-qualified module ID (e.g. reconnaissance.campaign) instead of just reconnaissance
• Session timestamps in UTC — framework/sessions/store.py now uses datetime.now(timezone.utc).isoformat() via a single _now_iso_utc() helper; prevents naïve-local timestamps from drifting across hosts
• OptPath.validate() — returns None for optional paths with no default instead of raising OptionError, letting modules distinguish "path was given" from "path was not set"
• Plugin discovery diagnostics — ModuleRegistry.load_entry_points() now logs a warning with traceback when discovery fails instead of swallowing the exception silently

Added — Hardware

• Second RTL8761B dongle variant — firmware.py now detects both 2357:0604 (TP-Link UB500) and 0bda:8771 (generic Realtek) via a new RTL8761B_VID_PIDS tuple; is_darkfirmware_loaded() and USB presence checks iterate both VID:PIDs
• DarkFirmware watchdog thread safety — DarkFirmwareWatchdog now uses a threading.Lock around _reinit_count, _last_reinit, and a new _reinit_in_progress flag; prevents double-reinit races when a USB event fires during an in-flight reinit
• HCIVSCSocket.recv_event() concurrency guard — raises RuntimeError if called from an external thread while the LMP monitor loop is running on the same socket; two concurrent readers were causing event-frame corruption
• adapter_up, adapter_down, adapter_reset — now auto-resolve hci=None via resolve_active_hci() and return a structured error dict if no adapter can be discovered, instead of NPE-ing downstream
• L2CAP DoS socket binding — _l2cap_raw_socket() now binds to the requested HCI's local address before connecting, so DoS traffic goes out the intended adapter in multi-dongle setups

Fixed — Hardware

• MAC spoofer fallback — spoof_rtl8761b() now falls through from RAM patch to firmware-file patch when RAM patch reports success but the adapter still reports the wrong BDADDR (previously returned verified=False with success=True, confusing the caller)
• MAC spoofer file-write permission — save_original_mac() now catches PermissionError and emits a user-facing warning pointing at the root-owned state file, instead of raising into the caller
• Firmware RAM-patch length check — patch_bdaddr_ram() now requires exactly 4 bytes back from vsc.read_memory() before attempting the file-patch fallback, instead of accepting any byte count ≥4
• Firmware file-read leak — is_darkfirmware_loaded() now uses with open(...) for modalias probes (previously leaked file descriptors in the multi-adapter loop)

Fixed — Modules

• assessment.fleet — UUID matching now canonicalizes short form, 0x prefix, and full 128-bit Base UUID; previously only matched exact "0x111f" literal, so IVIs advertising "111f", "0000111f-0000-1000-8000-00805f9b34fb", or uppercase variants were misclassified as generic headsets
• assessment.vuln_scanner._check_blueborne — removed the bluetoothd --version probe (it reports the local stack version, not the target's); now relies on SDP-extracted BlueZ X.Y strings only. Removes a class of false-positive BlueBorne findings on assessments run from a Kali attacker
• exploitation.encryption_downgrade — results["success"] now reflects whether at least one downgrade method actually worked; previously hardcoded True even when the target rejected every method
• exploitation.hijack — bails out of the attack chain when recon fails; was previously entering SSP/pairing with no target data
• reconnaissance.sdp.search_services_batch — UUID matching normalizes 0x-prefixed hex and checks the full class_id_uuids list against candidate service records; previously missed services whose class IDs used a different textual form than the filter UUID
• reconnaissance.fingerprint — vendor derivation now uses manufacturer (the actual output field) instead of a non-existent chipset.vendor nested key, so has_signal correctly flips on vendor-only fingerprints
• reconnaissance.hci_capture — capture loop uses a clamped remaining time slice and exits cleanly when remaining <= 0, preventing a hang at the boundary of duration
• reconnaissance.campaign — _cleanup_tmp_artifact() unlinks the tempfile on all four capture-step failure paths (was leaking empty PCAPs into the session dir)
• reconnaissance.prerequisites — prerequisite missing list now filters by a new applicable flag per check, so a BLE-only target no longer reports DarkFirmware/LMP prerequisites as "missing"
• post_exploitation.pbap — extract_all now deduplicates PBAP_PATH_ALIASES to 9 unique canonical paths instead of pulling the same phonebook 28 times (one for every alias key)
• post_exploitation.map_client — all self.sock.send() calls go through a _send() helper that raises if not connected; adds None guards on _setpath_root, _setpath_down, _recv_response; message body LENGTH: header now reflects byte length of the UTF-8 encoded body, not character count
• post_exploitation.bluesnarfer — auto-discovers the AT RFCOMM channel via SDP (tries `Dial...

Modular Framework Architecture

[2.6.0] - 2026-04-16

Summary

Blue-Tap 2.6.0 is the Modular Framework release — every module now implements the Module protocol, produces typed RunEnvelope output, and is auto-registered in a global ModuleRegistry. The CLI was redesigned around the assessment workflow (discover → recon → vulnscan → exploit → extract → fuzz → report). The hardware layer gained a unified resolve_active_hci() resolver. The report pipeline is fully adapter-driven with per-family outcome validation enforced at call time.

Added — Module Protocol (framework/module)

• Module abstract base class — defines run(ctx: RunContext) → RunEnvelope; __init_subclass__ hook auto-registers every subclass in the global ModuleRegistry without a manual ModuleDescriptor block
• RunContext dataclass — single typed argument to Module.run(): target, adapter, options, session_id, dry_run; replaces ad-hoc kwargs scattered across entry points
• Typed option descriptors — OptAddress, OptPort, OptBool, OptInt, OptStr, OptChoice, OptFlag; each validates its value at resolution time and raises ValueError on invalid input
• OptionsContainer — ordered dict of Option instances; resolves CLI args + env-var overrides at invocation time before Module.run() is called
• ModuleInvoker — resolves module_id from the registry, builds RunContext from CLI params, calls Module.run(), and streams CliEvents to the operator console
• ModuleLoader — imports Module classes from entry_point strings (package.module:Class); caches loaded classes to avoid repeated imports
• autoload.py — imports all family __init__.py files so subclass auto-registration fires before the registry is queried for the first time

Added — Phase-Verb CLI Architecture (interfaces/cli)

• discover — classic / ble / all sub-verbs wrapping DiscoveryScanner via ModuleInvoker; replaces the flat scan command with an explicit workflow step
• recon — sdp / rfcomm / gatt / hci-capture / sniffer / lmp-sniff sub-verbs consolidating the former recon + capture families into one phase command
• exploit — sub-commands: bias, bluffs, knob, ctkd, enc-downgrade, ssp-downgrade, hijack, pin-brute; grouped under Crypto/Key Attacks and Full Chain
• extract — sub-commands: contacts, messages, audio, media, push, snarf, at; covers all post-exploitation data paths in one place
• dos — BLE / Classic / Raw-ACL sub-commands forwarded to the DoS runner with protocol grouping
• fuzz — campaign + 9 protocol sub-commands (sdp-deep, l2cap-sig, rfcomm-raw, ble-att, ble-smp, bnep, obex, at-deep, lmp) plus crashes / minimize / replay / corpus analysis commands
• doctor — hardware diagnostics: adapter list, DarkFirmware probe, USB dongle detection by VID:PID, HCI sanity check
• auto — orchestrated discover → recon → vulnscan → exploit chain with --dry-run support and per-phase skip/abort handling
• fleet — multi-target orchestration; per-target error isolation so one failure no longer aborts the full run
• runner / plugins — generic blue-tap run <module_id> entry point; plugins lists registered modules and shows descriptor info
• _module_runner.py — single shared helper for all family CLIs: resolves module, builds RunContext, streams events, writes session envelope

Added — Outcome Validation Taxonomy

• VALID_OUTCOMES_BY_FAMILY (framework/contracts/result_schema.py) — per-family frozenset of allowed module_outcome values; make_execution() raises ValueError on any unlisted value so bugs surface in tests not in production envelopes
• Family outcome sets — discovery (observed / merged / correlated / partial / not_applicable); assessment (confirmed / inconclusive / pairing_required / not_applicable / not_detected); exploitation (success / unresponsive / recovered / aborted / not_applicable); post_exploitation (extracted / connected / streamed / transferred / partial); fuzzing (crash_found / timeout / corpus_grown / no_findings / crash_detected / reproduced)
• _infer_family_from_module_id() — extracts the family prefix from <family>.<name> module IDs; unknown families skip validation for backward compatibility with pre-2.6 modules

Added — Registry Extensions

• ModuleDescriptor.category — optional sub-family grouping field (e.g. "pairing", "l2cap", "ble") for DoS and CVE check sub-classification within a family
• ModuleDescriptor.references — tuple[str, ...] of external references (CVEs, RFCs, specs) associated with the module; surfaced in blue-tap plugins info <module> output
• ModuleRegistry.try_get(module_id) — returns ModuleDescriptor | None; avoids KeyError when probing for optional or plugin-provided modules

Added — Hardware Adapter Resolution

• resolve_active_hci(explicit=None) (hardware/adapter.py) — priority-ordered HCI resolution: explicit arg → BT_TAP_DARKFIRMWARE_HCI env var → RTL8761B USB VID:PID probe → first UP adapter from hciconfig → "hci0" as last resort
• Process-lifetime cache — result stored in _ACTIVE_HCI_CACHE after first hardware probe; reset_active_hci_cache() clears it on hot-plug or adapter-list refresh
• RTL8761B identified by VID:PID (0bda:8771) not HCI slot position — fixes false "DarkFirmware unavailable" in multi-adapter setups where the scan adapter ≠ firmware dongle

Added — Native Module Classes

• CveCheckModule (modules/assessment/base.py) — wraps legacy check functions into the Module protocol; subclasses declare check_fn and module_id without duplicating envelope construction
• VulnScanModule (modules/assessment/vulnscan_module.py) — thin Module subclass delegating to vuln_scanner.run() and wrapping the result in a canonical RunEnvelope
• DiscoveryScanner (modules/discovery/scanner.py) — Module class for Classic/BLE/combined scans; registered as "discovery.scanner" via auto-registration
• _e0.py (modules/exploitation/) — E0 encryption-mode downgrade probe helper shared by knob.py and bias.py
• DoSCheckModule (modules/exploitation/dos/base.py) — shared base for BLE / Classic / Raw-ACL DoS checks; handles timing evidence, recovery probe wiring, and envelope construction
• FuzzCampaign (modules/fuzzing/campaign.py) — Module wrapping the full engine lifecycle: seed corpus, run, collect crashes, finalize RunEnvelope; supports campaign resume and crash export
• ReconCampaign (modules/reconnaissance/campaign.py) — Module wrapping the multi-collector recon pipeline into a single RunEnvelope; registered as "reconnaissance.campaign"

Added — Documentation Site (MkDocs)

• mkdocs.yml — Material theme configuration with structured nav tree, light/dark mode, code block highlights
• docs/getting-started/ — installation, hardware setup (single/dual adapter), quick start, IVI simulator
• docs/guide/ — per-phase operator guides: discovery, recon, vulnerability assessment, exploitation, DoS, fuzzing, post-exploitation, sessions and reporting, automation
• docs/workflows/ — end-to-end scenario walkthroughs: full pentest, quick assessment, fuzzing campaign, encryption downgrade, audio eavesdropping, custom playbooks
• docs/developer/ — architecture overview, module system, writing a module, report adapters, plugin entry-points
• docs/reference/ — hardware compatibility matrix, platform notes, troubleshooting reference
• docs/cve/ — CVE detection matrix, DoS CVE matrix, expansion roadmap; CVE specs moved from flat cve-detection-specs/ → cve/specs/

Added — Testing

• conftest.py — shared fixtures: mock adapter, target MAC, tmp session directory, registry reset between tests
• 13 test_userflow_*.py — end-to-end operator workflow coverage: discover→recon→report, vulnscan fleet, BIAS, KNOB, DoS runner, fuzzing campaign, PBAP/OPP, A2DP/AVRCP, report generation, session resume, console output, playbook execution
• test_cli_facades.py — Click command registration smoke tests for every phase-verb subcommand; catches missing imports and mis-wired groups
• test_outcome_validator.py — VALID_OUTCOMES_BY_FAMILY enforcement: valid outcomes pass, invalid ones raise ValueError
• test_module_runtime_e2e.py — Module.run() → RunEnvelope round-trip for one module per family; validates schema, run_id, and outcome fields
• test_hci_vsc_concurrency.py — HciVscClient concurrent command safety under multi-thread access
• test_dos_migration.py — DoS adapter post-migration regression: accepts() family-prefix matching, ingest(), section output shape

Changed

• Report adapter accepts() — all adapters match both legacy module name strings and modern "family.name" prefixes; DiscoveryReportAdapter additionally accepts any "discovery.*" prefix
• Envelope module label — renamed "attack" → "exploitation" across all envelope builders to align with module family taxonomy
• Session store — atomic JSON writes via write-to-temp + os.replace(), correlation IDs on every operation, session-resume by name lookup, path configurable via BT_TAP_SESSIONS_DIR
• Module __init__.py files — all family __init__.py dropped manual ModuleDescriptor blocks; __init_subclass__ auto-registration handles all modules
• _check_darkfirmware_available() — identifies RTL8761B by USB VID:PID and reads BT_TAP_DARKFIRMWARE_HCI env var; scan adapter no longer assumed to be the firmware dongle
• All recon collectors — call resolve_active_hci() instead of hardcoding "hci0"; structured WARNING-level logging on socket errors
• All post-exploitation modules — `resolve...

v2.5.0

[2.5.0] - 2026-04-11

Summary

Blue-Tap 2.5.0 is the Standardized Framework release. Every module now produces structured RunEnvelope output with typed ExecutionRecord entries, evidence blocks, and artifact references. The report pipeline has been rewritten around module-owned ReportAdapter classes. The CLI emits structured lifecycle events throughout all operations. Session logging validates envelope shape. This release lays the groundwork for the upcoming modular framework architecture (Metasploit-style module families, registry, and plugin system).

Added — Standardized Result Schema

Core Framework Contracts

• RunEnvelope schema (core/result_schema.py) — canonical output container for every module invocation with required fields: schema, schema_version, module, run_id, target, adapter, started_at/completed_at, operator_context, summary, executions, artifacts, module_data
• ExecutionRecord model — normalized unit of work within a run with two-layer status taxonomy: execution_status (lifecycle: completed/failed/error/skipped/timeout) and module_outcome (semantic: confirmed/inconclusive/recovered/observed/etc.)
• EvidenceRecord model — structured observation container with summary, confidence, observations, packets, state_changes, module_evidence, and capability_limitations
• ArtifactRef model — typed pointer to saved files (pcap, log, HTML, JSON) with artifact_id, kind, label, path, execution_id
• validate_run_envelope() — schema shape validator for envelope integrity
• looks_like_run_envelope() — fast heuristic check for session logging
• Envelope helper functions — build_run_envelope(), make_execution(), make_evidence(), make_artifact(), envelope_executions(), envelope_module_data()

Structured CLI Event System

• emit_cli_event() (core/cli_events.py) — structured event emitter with required fields: event_type, module, run_id, target, adapter, timestamp, message, details
• 13 defined event types — run_started, phase_started, execution_started, execution_result, execution_skipped, pairing_required, recovery_wait_started, recovery_wait_progress, recovery_wait_finished, artifact_saved, run_completed, run_aborted, run_error
• Every CLI command now emits lifecycle events — operators always know what started, what's running, and when it's done

Report Adapter Architecture

• ReportAdapter ABC (core/report_contract.py) — module-owned report interface with accepts(), ingest(), build_sections(), build_json_section()
• SectionModel/SectionBlock data models — typed report section containers replacing raw HTML string generation
• 12 report adapters — one per module type:
  • DiscoveryReportAdapter — scan result tables with device properties, risk indicators
  • VulnscanReportAdapter — CVE/non-CVE finding cards with evidence, execution logs
  • AttackReportAdapter — attack outcome cards with phase tracking, evidence
  • AutoReportAdapter — 9-phase pentest summary with per-phase execution records
  • DataReportAdapter — PBAP/MAP/OPP/AT extraction summaries with artifact links
  • AudioReportAdapter — HFP/A2DP/AVRCP session summaries with capture artifacts
  • DosReportAdapter — DoS check results with recovery probe outcomes
  • FirmwareReportAdapter — DarkFirmware operations with KNOB detection cards
  • FuzzReportAdapter — per-protocol campaign runs with crash details and corpus stats
  • LmpCaptureReportAdapter — LMP sniff session summaries
  • ReconReportAdapter — reconnaissance campaign results with correlation analysis
  • SpoofReportAdapter — spoof operations with before/after MAC evidence
• Block renderer system (report/renderers/) — BlockRendererRegistry with typed block renderers for tables, paragraphs, text, and custom block types
• render_sections() — converts SectionModel lists into HTML via block renderers

Report Generator Refactor

• Adapter-driven report generation — generator.py now orchestrates via REPORT_ADAPTERS registry: dispatches envelopes to matching adapters, collects SectionModel output, renders HTML/JSON through shared renderers
• Generator no longer contains module-specific logic — all CVE interpretation, evidence formatting, and finding classification moved to adapters
• Unified ingestion pipeline — both HTML and JSON reports consume the same adapter output, preventing report format divergence

Added — Module Envelope Builders

Each module family has a dedicated envelope builder in core/:

• attack_framework.py — build_attack_result() for exploitation modules (BIAS, KNOB, BLUFFS, hijack, SSP/encryption downgrade, CTKD)
• audio_framework.py — build_audio_result() for HFP/A2DP/AVRCP sessions
• auto_framework.py — build_auto_result() with build_auto_phase_execution() for 9-phase auto pentest
• data_framework.py — build_data_result() for PBAP/MAP/OPP/AT data extraction
• firmware_framework.py — build_firmware_status_result(), build_firmware_dump_result(), build_connection_inspect_result(), build_firmware_operation_result() for DarkFirmware operations
• fuzz_framework.py — build_fuzz_result() for fuzzing campaign runs
• recon_framework.py — build_recon_result() for reconnaissance operations
• scan_framework.py — build_scan_result() for discovery scans
• spoof_framework.py — build_spoof_result() with MAC before/after evidence, method verification

Added — Module Standardization

Discovery & Scan

• Scan commands produce RunEnvelope — scan classic, scan ble, scan combined, scan all, scan inquiry, scan watch all log full envelopes to session
• Campaign correlation output wrapped in scan envelopes with correlation evidence
• Fleet scan logs actual scan envelope instead of raw device list

Reconnaissance

• All 13 recon commands produce envelopes via build_recon_result() — auto, sdp, gatt, fingerprint, ssp, rfcomm, l2cap, capture, capture-analyze, pairing-mode, ble-sniff, lmp-capture, lmp-intercept, combined-sniff, crackle, extract-keys, wireshark-keys
• Recon CLI helpers — _recon_cli_context(), _recon_emit(), _recon_start(), _recon_result(), _recon_skip() for consistent event emission
• Capture analysis wrapped in recon correlation envelopes
• HCI capture — improved parser, stale PID detection, capture analysis integration

Vulnerability Assessment

• Vulnscan produces structured envelope (blue_tap.vulnscan.result) with scanner metadata, per-check execution logs, finding summaries, and evidence
• CVE check execution tracking — each check records execution_status + module_outcome + evidence
• Fleet assessment builds reports from standardized scan and vuln envelopes

Exploitation

• BIAS — per-phase ExecutionRecord entries (spoof, connect, inject, verify) with structured evidence
• KNOB — probe and brute-force phases produce typed execution records with key-size evidence
• BLUFFS — per-variant (A1 LSC downgrade, A3 SC→LSC) execution records with DarkFirmware capability reporting
• SSP downgrade — execution tracking across SSP probe, legacy force, PIN brute phases with lockout evidence
• Hijack — 4-phase tracking (spoof, connect, monitor, exploit) with per-phase success/failure evidence
• CTKD — probe result standardization with MAC normalization and cross-transport key evidence
• Encryption downgrade — 3 method variants (disable, toggle, SC-reject) produce execution records with LMP evidence
• DoS — all checks wrapped in RunEnvelope with recovery probe outcomes, timing evidence, and severity

Post-Exploitation

• PBAP/MAP — structured data envelopes with extraction counts, artifact refs, parsed entry metadata
• HFP — all 8 subcommands (call, answer, hangup, volume, dtmf, sco, codec, diagnostics) log audio envelopes
• A2DP — capture/record/eavesdrop/play/stream/loopback produce audio envelopes with duration, codec, sample rate evidence
• AVRCP — all 10 subcommands (play, pause, next, prev, volume, info, shuffle, repeat, monitor, flood) log structured envelopes
• AT commands — extraction responses parsed into structured device artifacts with field-level evidence
• OPP — transfer diagnostics across dbus and raw fallback paths with artifact tracking
• Bluesnarfer — extraction operations produce data envelopes

Fuzzing

• Per-protocol RunEnvelope — each protocol fuzz run produces its own envelope with crash/corpus/timing evidence
• Run IDs — every fuzz campaign gets a stable run_id carried through all events and artifacts
• Crash lifecycle events — execution_result emitted for each crash with severity and reproduction steps
• Utility commands (list-crashes, replay, import-pcap) emit structured events
• Legacy fuzz commands removed — all fuzzing routes through the standardized engine

Adapter & Firmware

• Adapter commands (up, down, reset, set-name, set-class) log general envelopes to session
• Firmware status/install/init/dump emit lifecycle events and log envelopes
• Connection inspect builds envelope with per-slot KNOB detection findings
• Spoof commands produce spoof envelopes with before/after MAC proof and method verification

Auto Pentest

• 9-phase RunEnvelope with per-phase ExecutionRecord entries (discover, fingerprint, recon, vulnscan, pair, exploit, fuzz, dos, report)
• Phase skip tracking — skipped phases produce execution records with skip reason evidence
• Summary counters — per-phase success/fail/skip counts in envelope summary

Playbook / Run Mode

• **Pl...

Structured Vulnerability Scanner Framework with 40 odd CVEs added

[2.3.2] - 2026-04-09

Added — Structured Vulnerability Scanner Framework

This release turns vulnscan into the single end-to-end vulnerability assessment entry point, adds modular OTA CVE detection coverage, and extends the report pipeline to preserve per-check execution evidence for both CVE and non-CVE checks.

CVE Detection Framework

• Shared CVE result framework (attack/cve_framework.py) — centralized finding builder, status constants, per-check summary helpers, structured CveCheck / CveSection metadata, and vulnscan result envelope generation
• Structured vulnscan envelope — blue_tap.vulnscan.result now carries scanner metadata, finding summaries, CVE execution logs, and non-CVE execution logs for report generation and downstream parsing
• Per-check execution logging — scanner records primary status, finding count, status counts, and evidence samples for each check instead of only emitting a flat findings list

Modular OTA CVE Probe Coverage

• Airoha RACE checks (attack/cve_checks_airoha.py) — OTA detection for:
  • CVE-2025-20700 unauthenticated RACE over GATT
  • CVE-2025-20701 unauthenticated RACE over BR/EDR
  • CVE-2025-20702 link-key disclosure over confirmed RACE transport
• AVRCP checks (attack/cve_checks_avrcp.py) — OTA behavioral probes for:
  • CVE-2021-0507
  • CVE-2022-39176
• BNEP checks (attack/cve_checks_bnep.py) — OTA probes for:
  • CVE-2017-0783
  • CVE-2017-13258
  • CVE-2017-13260
  • CVE-2017-13261
  • CVE-2017-13262
• BLE SMP checks (attack/cve_checks_ble_smp.py) — pairing-aware OTA checks for:
  • CVE-2024-34722
  • CVE-2018-9365
• GATT / ATT checks (attack/cve_checks_gatt.py) — OTA differential checks for:
  • CVE-2022-0204
  • CVE-2023-35681
• HID / HOGP checks (attack/cve_checks_hid.py) — OTA checks for:
  • CVE-2020-0556
  • CVE-2023-45866
• L2CAP checks (attack/cve_checks_l2cap.py) — OTA differential checks for:
  • CVE-2019-3459
  • CVE-2018-9359
  • CVE-2018-9360
  • CVE-2018-9361
  • CVE-2020-12352
  • CVE-2022-42896
  • CVE-2022-20345
  • CVE-2022-42895
  • CVE-2026-23395
• BR/EDR pairing checks (attack/cve_checks_pairing.py) — pairing-driven probes for:
  • CVE-2020-26558
  • CVE-2022-25837
  • CVE-2019-2225
• Raw ACL check (attack/cve_checks_raw_acl.py) — DarkFirmware-backed BlueFrag boundary probe for CVE-2020-0022
• SDP continuation check (attack/cve_checks_sdp.py) — OTA continuation-state replay probe for CVE-2017-0785

Non-CVE Modular Scanner Coverage

• RFCOMM / OBEX non-CVE module (attack/non_cve_checks_rfcomm.py) with structured checks for:
  • sensitive RFCOMM profile reachability
  • hidden RFCOMM channels
  • low-security RFCOMM acceptance
  • OBEX authorization posture
  • automotive diagnostics and serial responder detection
• BLE non-CVE module (attack/non_cve_checks_ble.py) with structured checks for:
  • writable GATT surface classification
  • sensitive writable BLE control/DFU/debug surfaces
  • EATT capability posture
  • pairing-method posture with IO-capability context
• Security-posture module (attack/non_cve_checks_posture.py) with structured checks for:
  • legacy PIN lockout / throttling behavior
  • device-class posture and corroboration
  • LMP feature posture and prerequisites

Reporting and Documentation

• Dedicated vulnscan matrix (docs/vulnscan-cve-matrix.md) listing the CVEs actually checked by blue-tap vulnscan plus the modular non-CVE checks that are part of the same scan path
• HTML report enhancement — report generator now renders:
  • Non-CVE Check Execution table
  • CVE Check Execution table
  • richer finding metadata from the structured vulnscan envelope
• JSON report enhancement — exported vulnerability report data now preserves structured vulnscan runs instead of flattening everything into findings only

Changed

• vulnscan command model — blue-tap vulnscan now runs the full scanner in one invocation; --active is no longer required to enable the main vulnerability-scan path
• BIAS input handling — --phone remains available as optional paired-phone context for the BIAS auto-reconnect probe instead of serving as a gate for the entire scanner
• Non-CVE finding semantics — exposure and posture checks now distinguish:
  • reachable transport vs actual unauthenticated data access
  • protocol capability vs security weakness
  • naming hints vs confirmed diagnostic / control responders
• Writable GATT analysis — scanner now separates generic writable characteristics from sensitive writable surfaces such as control, DFU, debug, pairing, or HID report paths
• EATT reporting — EATT is now treated as protocol capability / posture instead of being implicitly framed as a weakness
• PIN lockout analysis — lockout logic now uses stronger retry sampling and timing interpretation instead of a minimal fast/slow split
• Device class and LMP feature reporting — these checks now serve as scanner posture/context signals rather than overstating every capability bit as a vulnerability finding
• Public docs — README, features guide, usage guide, and playbooks now describe vulnscan as the primary assessment path and document the current structured report model

Fixed

• Airoha false positives — GATT RACE detection no longer treats a writable characteristic alone as CVE-2025-20700 confirmation; detection now requires a valid unauthenticated RACE response
• Airoha RFCOMM overclaim — BR/EDR RACE detection no longer guesses RFCOMM channel 1 or treats generic HFP openness as confirmed CVE-2025-20701
• Airoha link-key confirmation — CVE-2025-20702 now chains from confirmed RACE transport and structured response parsing instead of standalone assumptions
• L2CAP patched-response handling — CVE-2022-20345 now accepts documented patched reject outcomes instead of flagging them as vulnerable
• L2CAP duplicate-identifier logic — CVE-2026-23395 now evaluates the second duplicate response instead of treating any two responses as a hit
• LE credit-based response parsing — corrected response-field parsing in both CVE-2022-42896 and CVE-2023-35681 checks
• Off-by-one L2CAP response guard — corrected the length guard in cve_checks_l2cap.py so result-code parsing requires a full 12-byte buffer
• Pairing CVE overclaims — CVE-2019-2225 and CVE-2022-25837 no longer overclaim confirmation from weak evidence paths
• BlueFrag confirmation heuristic — raw ACL BlueFrag probe no longer confirms from arbitrary response bytes; it now stays conservative unless the boundary probe produces defensible evidence
• Android GATT CVE overclaims — removed incomplete scanner coverage for:
  • CVE-2023-40129
  • CVE-2024-0039
  • CVE-2024-49748
    because the required target-specific trigger construction was not robust enough for scanner-grade confirmation
• Parallel active-probe nondeterminism — L2CAP/CVE active probes are no longer treated as loosely parallelized behavior; the scanner executes transport-mutating checks in a more deterministic sequence
• Report/rendering mismatch — report generation now understands the structured vulnscan envelope and newer finding statuses instead of assuming a legacy flat findings list

Removed

• Top-level assess command — removed the redundant “assessment without exploitation” wrapper; vulnscan is now the single CLI entry point for vulnerability scanning
• vulnscan --active public workflow — documentation and CLI help no longer advertise a split scanner mode
• Stale assess-based playbooks and docs — playbooks, README, and feature docs no longer route users through a separate assess workflow for vulnerability scanning

DarkFirmware Research Integration

[2.3.1] - 2026-04-08

Added — DarkFirmware Integration

This release completes the DarkFirmware integration with full bidirectional LMP traffic parsing, connection table inspection, in-flight packet modification, and new attack modules.

DarkFirmware HCI Infrastructure

• Bidirectional traffic parsing — TXXX (outgoing LMP), ACLX (outgoing ACL), RXLC (incoming LC) marker parsers added to HCI VSC socket alongside existing AAAA (incoming LMP)
• Complete LMP opcode tables — 61 standard + 22 extended opcodes per BT Core Spec v5.4 with human-readable decode helper
• In-flight LMP modification — set_mod_mode()/clear_mod_mode() for Hook 2 modes: passthrough, modify, drop, opcode-drop, persistent-modify, auto-respond
• Raw ACL injection — send_raw_acl() bypasses BlueZ L2CAP stack for below-stack packet injection
• Oversize LMP PDUs — TX max raised from 17 to 28 bytes for BrakTooth-style oversize packet testing
• read_memory quirk fix — RTL8761B returns 4 bytes only with size=0x20 (not size=4)

Hook Management & Connection Inspection

• Hook initialization — init_hooks() writes Hook 3/4 backup pointers to RAM and verifies all 4 hooks active
• ConnectionInspector — Read/write controller RAM for encryption state, key material, auth flags, Secure Connections flag across all 12 connection slots
• DarkFirmwareWatchdog — Dual detection (udevadm monitor + periodic health check) with 5s debounce and 3s settle for multi-day fuzzing
• Firmware-level detection — Replaced MAC-based DarkFirmware detection with hook backup probe + LMP TX echo verification
• CONNECTION_SLOT_SIZE fix — Corrected from 500 to 0x2B8 (696 bytes) per reverse engineering findings

Below-HCI Attack Modules

• CTKD attack (attack/ctkd.py) — CVE-2020-15802 cross-transport key derivation probe: snapshots key material before/after Classic attack, detects shared keys across slots
• KNOB RAM verification — ConnectionInspector confirms actual key_size in controller memory after KNOB negotiation injection
• 20 LMP state confusion tests — BrakTooth-style test cases (enc_before_auth, switch_during_enc, knob_min_key, etc.) as vulnerability scanner seeds
• Raw L2CAP builders (fuzz/protocols/l2cap_raw.py) — Frame builders + 15 malformed fuzz tests for below-stack injection

Fuzzing Transports

• LMPTransport.send_and_collect() — Send packet, wait for responses from rx_queue and lmp_log_buffer
• LMPTransport.check_alive() — HCI Read BD Addr probe to detect dongle crash during fuzzing
• RawACLTransport — Full transport class routing send() through send_raw_acl(), ACL handle resolution, ACLX/RXLC event monitoring

CLI Integration

• Root privilege check on startup (allows --help/--version/demo without root)
• Startup hardware detection — Probe dongle, check DarkFirmware, init hooks, start watchdog (non-blocking)
• adapter firmware-init — Manual hook initialization command
• adapter connection-inspect — Dump connection table from controller RAM
• ctkd command — Cross-transport key derivation attack with probe and monitor modes

Fixed

• OBEX PUT opcode — OBEX_PUT was 0x82 (PUT-Final) instead of 0x02 (PUT), breaking multi-part OPP file transfers
• _read_bytes() alignment bug — Unaligned addresses truncated reads; rewrote to track actual bytes extracted per iteration

Changed

• README restructured — Split 1876-line README into focused docs: features, usage guide, troubleshooting, IVI simulator. README retains purpose, architecture, quick start with hyperlinks to detailed docs.
• Memory read/write logging — Changed from info() to logger.debug() to reduce noise during fuzzing

---

RTL8761B DarkFirmware Support @darkmentor.com

[2.3.0] - 2026-04-05

Added — DarkFirmware Below-HCI Attack Platform

This release extends Blue-Tap below the HCI boundary with a custom firmware platform for RTL8761B (TP-Link UB500). The DarkFirmware integration enables direct LMP packet injection and monitoring — capabilities that no standard BlueZ tool provides.

Key breakthrough: Live RAM patching of the RTL8761B controller — BDADDR spoofing and 17-byte LMP PDU injection/capture work without adapter reset, by writing directly to the running firmware's SRAM via HCI VSC 0xFC61/0xFC62. The original DarkFirmware research supported basic injection; Blue-Tap extends this with live RAM patching, full 17-byte LMP PDU support (not just 10-byte), and structured LMP log parsing.

DarkFirmware Core (4 new modules, 1,772 lines)

• core/hci_vsc.py (584 lines) — Raw HCI socket interface for vendor-specific commands: LMP injection (VSC 0xFE22), controller memory read (0xFC61), memory write (0xFC62), background LMP monitor thread with structured 56-byte log parsing
• core/firmware.py (788 lines) — DarkFirmware lifecycle management: RTL8761B detection, firmware install/restore with automatic backup, live RAM BDADDR patching (no reset), firmware status verification via memory read, controller memory dump, USB reset
• Runtime detection — CLI auto-detects RTL8761B and DarkFirmware at startup, shows green "active" status or warning with install command
• Firmware CLI commands — adapter firmware-status, firmware-install, firmware-spoof, firmware-set, firmware-dump, connections

Below-HCI Attacks (2 new modules, 771 lines)

• BLUFFS attack (attack/bluffs.py, 408 lines) — CVE-2023-24023 session key derivation downgrade with probe/A1 (LSC key-downgrade)/A3 (SC→LSC downgrade) variants via DarkFirmware LMP injection
• Encryption downgrade (attack/encryption_downgrade.py, 363 lines) — 3 attack methods beyond KNOB: LMP_ENCRYPTION_MODE_REQ(mode=0) to disable encryption, stop/start toggle for weaker renegotiation, SC PDU rejection to force Legacy SC

LMP Protocol Support

• LMP protocol builder (fuzz/protocols/lmp.py, 2,020 lines) — Full LMP PDU construction for 30+ opcodes: key negotiation, encryption setup, feature exchange, role switch, version exchange, pairing, power control
• LMP fuzzing — 12th protocol added to campaign engine via HCI VSC injection
• LMP sniffing — recon lmp-sniff, lmp-monitor (with live dashboard), combined-sniff (HCI + LMP)
• LMP DoS — dos lmp with configurable method, count, and delay

Other New Features

• Assess command — Non-destructive 5-phase security assessment (fingerprint → services → vulnscan → DarkFirmware probe → summary with next-step commands)
• TargetedStrategy wired into engine — --strategy targeted now works in fuzz campaigns via adapter wrapper that bridges the CVE-pattern generator API to the engine's generate/feedback interface
• Session adapter tracking — set_adapter() auto-records which HCI adapter is used; populated automatically from --hci parameter
• Protocol DoS expansion — LMP-level DoS attacks via DarkFirmware
• BIAS LMP injection mode — BIAS attack can now use DarkFirmware for LMP-level role-switch manipulation
• KNOB LMP negotiation — KNOB attack uses DarkFirmware for direct LMP key-size manipulation
• Sniffer rewrite — Replaced USRP B210 SDR integration with DarkFirmware LMP capture; nRF52840 BLE sniffing retained
• Playbooks module — blue_tap/playbooks/ for reusable assessment sequences
• UI dashboard — blue_tap/ui/dashboard.py for live attack monitoring
• Fuzzing strategy base class — fuzz/strategies/base.py formal strategy interface

Improved

• README overhauled — Added BLUFFS, encryption downgrade, assess, DarkFirmware sections; RTL8761B as primary recommended adapter; DarkFirmware setup in Quick Start; Credits & References section with research paper citations; 9 workflows; removed CSR8510 from hardware table (BT 4.x)
• Hardware recommendations — RTL8761B (TP-Link UB500) promoted to primary adapter; dual-adapter setup no longer needed; USRP B210 kept only as research-grade option
• Fuzz engine — Baseline learning uses explicit recv_timeout=5.0; field weight tracker logs exceptions instead of silently swallowing; _StubCorpus now implements get_all_seeds() for proper baseline learning
• Report generator — Crash DB load errors use warning() instead of silent info()
• SDP parser — PSM channel fallback returns 0 (int) instead of raw string for type consistency
• CLI command grouping — Added bluffs, encryption-downgrade, assess to Rich-Click command groups; _infer_category covers all attack types
• Vuln scanner — Extended with DarkFirmware-aware checks
• Transport layer — LMP transport added alongside L2CAP/RFCOMM/BLE
• Coverage-guided strategy — Enhanced with protocol-aware seed selection
• State machine strategy — Extended with LMP state transitions

Fixed

• fleet_assess NameError (HIGH) — risk_color undefined when results is empty, causing crash
• _StubCorpus missing get_all_seeds() — Baseline learning silently skipped when Corpus import failed
• Dead _SESSION_SKIP_COMMANDS — Removed unused module-level variable
• Unnecessary hasattr() guard — Removed defensive check on add_session_metadata() that always exists
• Silent field tracker exceptions — except: pass in field weight tracker now logs warnings
• Baseline recv timeout — Baseline learning now passes explicit timeout instead of relying on transport default

Removed

• USRP B210 SDR integration — Replaced by DarkFirmware LMP capture (simpler, cheaper, more reliable)
• CSR8510 from recommended hardware — BT 4.x adapter superseded by RTL8761B (BT 5.0 + DarkFirmware)
• All mock-based test files (26 files, 21K lines) — Replaced with real hardware validation workflows

12 new capabilities

[2.2.0] - 2026-04-04

Added

• Active BIAS vulnerability probe in vulnscan with --active --phone flags — spoofs as paired phone to test auto-reconnect
• Parallel vulnerability analysis — version/feature checks run in ThreadPoolExecutor (cuts scan time ~60%)
• KNOB real brute-force — XOR decryption against captured ACL data with L2CAP header validation (replaces fake enumeration)
• ACL traffic capture for KNOB — 60-second capture windows via hcidump with user-prompted extensions (up to 5 min)
• IVI confidence scoring in fingerprint — normalized profile matching with 0.0-1.0 confidence float
• Codec auto-detection in HFP — detects CVSD (8kHz) vs mSBC (16kHz) from SLC negotiation
• Sample rate auto-detection in A2DP — queries PulseAudio source info instead of hardcoded 44100
• PulseAudio loopback tracking — module ID stored for reliable cleanup via stop_loopback
• Session logging added to RFCOMM scan, L2CAP scan, GATT enum, all HFP/A2DP/AVRCP/spoof/hijack/BIAS CLI commands
• Adapter management in README — adapter list/info/up/down/reset/set-name/set-class documented
• OPP in README — opp push and opp vcard documented under Data Extraction
• 2,109 unit tests across 13 new test files (66% line coverage)

Improved

• Scanner: complete device class tables (Computer, Peripheral, Wearable), BLE manufacturer DB expanded to 32 vendors, name resolution retry
• SDP: retry on transient failures, batch UUID search, robust parser for sdptool format variants
• GATT: connection retry with backoff, security inference (likely_paired/read_only/notify_only), expanded value decoders
• RFCOMM/L2CAP: retry logic, consecutive-unreachable threshold, parallel dynamic scan (--workers), progress via verbose logging
• HCI Capture: stale PID detection, atomic PID writes, status() method
• Fingerprint: profile density signal, structured attack surface via profile ID dict, BrakTooth/SweynTooth/SPP/PBAP vuln hints
• Vuln Scanner: timeout constants consolidated, hcitool retry wrapper, BlueZ version via bluetoothd, OBEX response codes expanded, BrakTooth word-boundary matching with all CVEs reported
• Hijack: phase gate (MAC verification before connect), abort on impersonate failure, connect retry, per-step cleanup isolation
• SSP Downgrade: lockout_detected flag, PIN range validation, process cleanup in finally blocks
• BIAS: try/finally for adapter reset, TimeoutExpired handling in subprocess calls
• HFP: SLC BRSF/indicator parsing crash guards, silent_call timing fix, SCO socket leak fix, empty WAV detection
• A2DP: pactl parsing guards, capture validation on timeout, profile switch retry, mic restore safety
• AVRCP: D-Bus disconnect in all CLI finally blocks, volume ramp works both directions, skip flood 10ms minimum, connection retry, get_player_settings warns on error
• MAC Spoofing: CLI checks return values, btmgmt power commands return-code checked, sleep between adapter reset/down/up, atomic MAC save with corruption recovery
• Auto Pentest: skipped phases tracked with reason, proper DoS module imports, timestamped reports, duration validation
• Fleet: --all-devices on fleet report, narrowed exception handling, CoD parse warning
• CLI: migrated to rich-click — full descriptions without truncation, commands grouped by pentest phase, max_width=120
• README: features reordered by pentest flow (14 sections), workflows rewritten (8 workflows), command reference in collapsible block

Fixed

• scan_classic double error message on adapter failure
• clone_device_identity returned True on partial failure — now returns False
• run_full_attack continued after impersonate failure — now aborts
• connect_ivi subprocess TimeoutExpired unhandled — now caught with pairing cleanup
• brute_force_key returned fabricated "found" key — now performs real decryption
• probe_vulnerability (BIAS) left adapter spoofed on crash — now try/finally
• setup_audio SCO socket leaked on final retry failure — now closed
• Encryption enforcement socket leaked on setsockopt failure — now closed
• BrakTooth break after first chipset match — now reports all matching families
• negotiate_codec parsing crash on truncated +BCS response — now guarded
• RFCOMM connect() socket leaked on retry — now closed before retry
• Fleet report missing log_command — now logged

Removed

• Link Key Harvest feature (key_harvest.py, keys CLI group, report narrative)

v2.1.1 with DoS test suite and improved reporting

[2.1.1] - 2026-03-31

Added

• 10 protocol-level DoS attacks targeting L2CAP, SDP, RFCOMM, OBEX, and HFP
• Link key harvest and persistent access (keys command group)
• SSP downgrade attack (ssp-downgrade command group)
• KNOB attack execution (knob command group, CVE-2019-9506)
• Fleet-wide assessment (fleet command group)
• Full 9-phase automated pentest (auto command): discovery, fingerprinting, recon, vuln assessment, pairing attacks, exploitation, coverage-guided fuzzing (1hr default), DoS testing, report generation
• Comprehensive CLI logging across all 100+ commands: every operation now logs start, progress, result, and errors with context
• Changelog file (docs/CHANGELOG.md)

Changed

• Report overhaul: modern UI with Inter/JetBrains Mono fonts, Tailwind-inspired color palette, rounded cards, soft severity badges, pentest narrative text in every section, support for v2.1.1 findings (key harvest, SSP downgrade, KNOB, fleet, protocol DoS)
• Auto command rewritten from 4-phase (discover, vulnscan, hijack, report) to 9-phase pentest methodology with coverage-guided fuzzing and DoS testing. New options: --fuzz-duration, --skip-fuzz, --skip-dos, --skip-exploit

Fixed

• L2CAP DoS attacks use valid socket operations (not raw signaling)
• DoS result dict key mismatch with CLI
• KNOB probe missing internalblue_available field
• Fleet assess crash on invalid MAC address
• Report collector namespaces new attack types (key_harvest, ssp_downgrade, knob_attack)
• DoS grouping keywords cover all protocol-level attacks

2.1.0

Changelog

All notable changes to Blue-Tap are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

2.1.0 - 2026-03-31

Added

• Response-guided intelligent fuzzing engine with 6 layers of analysis:
  • Phase 1: Protocol state inference adapted from AFLNet — state extractors for all 8 BT protocols (SDP, ATT, L2CAP, RFCOMM, SMP, OBEX, BNEP, AT), directed state graph with AFLNet scoring formula, state-aware seed selection
  • Phase 2: Anomaly-guided field mutation weights inspired by BrakTooth — per-field anomaly/crash tracking, adaptive mutation probabilities, field-aware mutator using protocol field maps for all 13 protocol variants
  • Phase 3: Structural response validation for all 13 protocols — PDU self-consistency checks (length fields, error codes, FCS), cross-protocol confusion detection, response code regression tracking, size oscillation detection
  • Phase 4: Timing-based coverage proxy — per-opcode latency profiling (p50/p90/p99), online timing cluster detection as code path signal, latency spike/drop detection with consecutive spike escalation
  • Phase 5: Entropy-based information leak detection — Shannon and Renyi entropy analysis, sliding window entropy for localized leak detection, heap pattern scanning (DEADBEEF, BAADF00D, etc.), request echo detection, per-protocol expected entropy baselines, composite leak scoring with confidence levels
  • Phase 6: Watchdog reboot detection adapted from Defensics — target health monitoring, exponential backoff reconnection probing, reboot cycle detection, zombie state detection, latency degradation analysis, crash candidate ranking with confidence scores, adaptive cooldown
• Full engine integration of all 6 phases into the campaign main loop with persistence and feedback
• Live dashboard intelligence panel showing target health status, states discovered per protocol, timing clusters, anomaly counts by type, and hot mutation fields ranked by weight
• Fuzzing intelligence section in reports — state coverage graph, field weight analysis with bar charts, target response baselines, health event timeline (HTML and JSON)
• Link key harvest and persistent access (keys command group) — capture pairing exchanges, extract link keys via tshark, persistent key database (JSON), reconnect using stored keys without re-pairing, key verification
• SSP downgrade attack (ssp-downgrade command group) — probe SSP capabilities, force legacy PIN mode via IO capability manipulation and SSP disable, automated PIN brute force (0000-9999) with lockout detection
• KNOB attack execution (knob command group) — CVE-2019-9506 vulnerability probe, minimum encryption key negotiation (InternalBlue LMP injection or btmgmt fallback), demonstrative key brute force
• Fleet-wide assessment (fleet command group) — discover and classify all nearby devices (IVI/phone/headset/computer/wearable), per-device vulnerability assessment, consolidated fleet report with overall risk rating
• GPL v3 license
• SVG banner for README
• requirements.txt for fresh Kali/Ubuntu installs
• 129 unit tests covering all new fuzzing modules (state inference, field weights, response analyzer, health monitor)

Changed

• Fuzzing engine (engine.py): strategy dispatch now instantiates real strategy classes (RandomWalk, CoverageGuided, StateMachine) instead of ignoring the --strategy flag; coverage-guided feedback loop wired (calls strategy.feedback() after every send/recv); crash payloads automatically added back to corpus as seeds; adaptive protocol scheduling weights toward high-crash-rate protocols; multi-packet sequence support for state-machine strategy
• Response fingerprinting improved from sha256(response[:32]) to sha256(len_bucket:opcode:err_byte:prefix) — catches different error codes that share leading bytes
• AVRCP module (avrcp.py): rewritten from dbus-python/PyGObject to dbus-fast (pure Python, pre-built wheels) — pip install now works without system C headers
• Dependencies: replaced dbus-python and PyGObject (C extensions, no wheels on PyPI) with dbus-fast (pure Python); moved scapy and pulsectl from optional to hard dependencies; all deps now install via pip without apt
• Report generator (generator.py): complete rewrite with professional dark-theme HTML, table of contents, executive summary with SVG donut/bar charts, overall risk rating badge, metric dashboard, assessment timeline, structured recon tables, finding cards with evidence blocks, crash reproduction steps, print-friendly CSS
• CLI version display: now reads from single source __version__ instead of hardcoded strings (CLI --version, banner, report footer)
• README: comprehensive rewrite of Protocol Fuzzing section with architecture diagram, intelligence layer documentation, research citations; added sections for link key harvest, SSP downgrade, KNOB, fleet assessment; updated "What Blue-Tap Does" to reflect all current capabilities; streamlined installation instructions

Fixed

• Campaign duration reset on resume — prior_elapsed field added to CampaignStats so resumed campaigns continue timing from where they left off instead of restarting the clock
• Stub API mismatches — _StubMutator.mutate() return type aligned with CorpusMutator (returns bytes not tuple); _StubTransport changed from .is_connected() method to .connected property; _StubCrashDB.log_crash() returns int; _StubCorpus.add_seed() returns None
• response_analyzer.py monitor bug — props.on_properties_changed() replaced with correct dbus-fast API (bus.add_message_handler() + AddMatch rule)
• Banner SVG spacing — tightened gap between "BLUE" and "TAP" text
• Missing system dependency documentation for libcairo2-dev, libgirepository1.0-dev, gir1.2-glib-2.0

2.0.1 - 2026-03-30

Fixed

• Duration limit reset on campaign resume
• Stub API mismatches (mutator, transport, crash_db, corpus return types)
• Version display hardcoded in CLI and banner (now reads from __version__)

Changed

• Moved dbus-python and PyGObject to optional dependencies (later reverted to hard deps, then replaced with dbus-fast)

[2.0.0] - 2026-03-29

Added

• Initial public release
• Bluetooth Classic and BLE device discovery
• SDP, GATT, RFCOMM, L2CAP service enumeration
• Device fingerprinting (BT version, chipset, manufacturer)
• Vulnerability scanner with 20+ CVE checks
• PBAP phonebook extraction
• MAP message extraction
• AT command interface and data extraction
• OBEX Object Push
• Connection hijacking via MAC spoofing and identity cloning
• BIAS attack (CVE-2020-10135)
• HFP call control and audio interception
• A2DP media stream capture
• AVRCP media control and DoS
• DoS attacks (pairing flood, name flood, L2ping flood, PIN brute force)
• Multi-protocol fuzzing engine (SDP, L2CAP, ATT, RFCOMM, SMP, OBEX, AT, BNEP)
• 4 fuzzing strategies (random walk, coverage-guided, state-machine, targeted)
• Crash database with deduplication and reproduction
• Crash minimization (binary search, delta debugging, field reducer)
• btsnoop pcap replay with mutation
• CVE reproduction patterns (CVE-2017-0785, CVE-2017-0781, SweynTooth, CVE-2018-5383, CVE-2024-24746)
• Session management with auto-logging
• HTML and JSON report generation
• Automated attack chain (auto command)
• Command sequencing (run command with playbook support)
• Rich terminal UI with styled output, tables, panels
• Live fuzzing dashboard with keyboard controls

Full Changelog: https://github.com/Indspl0it/blue-tap/commits/v2.1.0