Yulu BLE Protocol - Security Analysis Tool

Research & Educational Purposes Only - Offline Mode Vulnerability Demonstration

⚠️ SECURITY RESEARCH NOTICE: This tool demonstrates vulnerabilities in the Yulu BLE authorization protocol. Use only on devices you own or have explicit permission to test. Unauthorized access to shared mobility devices is illegal.

📋 Vulnerability Analysis Summary

  • Static BLE Session Keys: Fleet-wide hardcoded AES keys in native libraries
  • Replicable Command Payloads: UNLOCK commands use static byte arrays without server-side HMAC
  • Insecure Offline Fallback: App trusts client-side SharedPreferences for rental status
  • No Server Validation: Bike hardware accepts commands without verifying server authorization
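
A mitigation sketch for the last three findings above, as an added example that is not part of this tool or of Yulu's protocol: the lock issues a fresh challenge, the backend signs an UNLOCK only when its own records show an active rental, and the lock verifies the HMAC with a per-bike key. All names, the 36-byte token layout, the key derivation and the 30-second lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

def derive_bike_key(master_secret: bytes, bike_id: bytes) -> bytes:
    """Per-bike key (assumed scheme): one extracted key does not expose the fleet."""
    return hmac.new(master_secret, b"bike-key|" + bike_id, hashlib.sha256).digest()

def _mac(key: bytes, bike_id: bytes, nonce: bytes, expiry: int) -> bytes:
    # Binds the command to one bike, one challenge and one expiry time.
    msg = b"UNLOCK|" + bike_id + b"|" + nonce + struct.pack(">I", expiry)
    return hmac.new(key, msg, hashlib.sha256).digest()

def server_authorize(master_secret, bike_id, nonce, rental_active, now, ttl=30):
    """Backend side: rental status comes from server records, never from the app."""
    if not rental_active:
        return None
    expiry = now + ttl
    key = derive_bike_key(master_secret, bike_id)
    return struct.pack(">I", expiry) + _mac(key, bike_id, nonce, expiry)

class BikeLock:
    """Lock firmware side (hypothetical): holds only its own key."""

    def __init__(self, bike_id: bytes, bike_key: bytes):
        self.bike_id, self.key, self.nonce = bike_id, bike_key, None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)  # fresh per connection, so old tokens cannot be replayed
        return self.nonce

    def handle_unlock(self, token, now: int) -> bool:
        nonce, self.nonce = self.nonce, None  # a challenge is consumed on first use
        if nonce is None or token is None or len(token) != 36:
            return False
        (expiry,) = struct.unpack(">I", token[:4])
        expected = _mac(self.key, self.bike_id, nonce, expiry)
        return hmac.compare_digest(token[4:], expected) and now <= expiry

if __name__ == "__main__":
    master = b"constructed-master-secret"  # constructed sample value
    lock = BikeLock(b"BIKE-0001", derive_bike_key(master, b"BIKE-0001"))
    token = server_authorize(master, b"BIKE-0001", lock.challenge(), True, now=1000)
    print("first use:", lock.handle_unlock(token, now=1010))
    print("replay:   ", lock.handle_unlock(token, now=1011))
```

This design requires the app to reach the backend for every unlock, so an offline fallback would need separately issued, short-lived tokens rather than client-side state.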
