A simple non stealth scan method is implemented that simply connects to all RFCOMM channels to see if they are open. A timeout of 7 seconds is used.

$ ./blucat scan 00000000CAFE
#Scanning RFCOMM Channels 1-30
btspp://00000000CAFE:2 -> Open Channel!!! BluetoothRFCommClientConnection
btspp://00000000CAFE:3 -> Open Channel!!! BluetoothRFCommClientConnection
btspp://00000000CAFE:12 -> Open Channel!!! BluetoothRFCommClientConnection
btspp://00000000CAFE:16 -> Open Channel!!! BluetoothRFCommClientConnection
btspp://00000000CAFE:17 -> Open Channel!!! BluetoothRFCommClientConnection
btspp://00000000CAFE:19 -> Open Channel!!! BluetoothRFCommClientConnection
#Scanning L2CAP Channels 0-65000
btl2cap://00000000CAFE:1 -> Open Channel!!! BluetoothL2CAPClientConnection
btl2cap://00000000CAFE:3 -> Open Channel!!! BluetoothL2CAPClientConnection
btl2cap://00000000CAFE:17 -> Open Channel!!! BluetoothL2CAPClientConnection
btl2cap://00000000CAFE:19 -> Open Channel!!! BluetoothL2CAPClientConnection

A simple fun example is connecting to a Serial Port Profile (SPP) address that allows shell access. There is an app running on the device 123456789000 on channel 20. The devices must be paired in order to connect. Once connected, the stdin and stdout are passed to and received from the other side of the connection. In this example the target has passed these pipes connected to the process /system/bin/sh.

laptop$blucat -url btspp://123456789000:20
#Waiting for connection...
#Got connection!
phone$cd /system/app

Currently this uses the SDP (Service Discovery Protocol) to locate services on devices. Each device is queried for the RFCOMM UUID (0x0003) and the Service Name attribute (0x0100). In the future this should include more UUIDs but the API fails with more then one.

$blucat services
#Listing all services
+,00000000CAFE, "The Engineer", Trusted:true, Encrypted:false, NA
-,"OBEX Message Access E-Mail Server", "", btgoep://00000000CAFE:17
-,"AV Remote Control Target", "", btl2cap://00000000CAFE:0017
-,"OBEX Phonebook Access Server", "", btgoep://00000000CAFE:19
-,"Advanced Audio", "", btl2cap://00000000CAFE:0019
-,"OBEX Object Push", "", btgoep://00000000CAFE:12
-,"Android Network Access Point", "", btl2cap://00000000CAFE:000f
-,"Headset Gateway", "", btspp://00000000CAFE:2
-,"OBEX Message Access SMS/MMS Server", "", btgoep://00000000CAFE:16
-,"Android Network User", "", btl2cap://00000000CAFE:000f
-,"Handsfree Gateway", "", btspp://00000000CAFE:3

This method performs a General/Unlimited Inquiry Access Code (GIAC) discovery and returns the devices found.

The devices option shows MAC, display name, paired/trusted, encrypted connection, and the RSSI. For RSSI you need to specify -rssi on the command line.

$blucat devices
#Searching for devices
+,00000000CAFE, "The Engineer", Trusted:true, Encrypted:false, 8
+,123456789000, "Nexus 7", Trusted:true, Encrypted:false, -2
+,012345678900, "GT-P1010", Trusted:false, Encrypted:false, NA
+,001234567890, "Android Dev Phone 1", Trusted:true, Encrypted:false, -22
#Found 3 device(s)