
BAT BMS App Tirri Control: How It Works & How to Protect Your E-Rickshaw

The BAT BMS app is going viral for remotely disabling e-rickshaws via Bluetooth. Learn how the Tirri Control prank works, why cheap BMS units are vulnerable, and how to protect your EV.

By DigiHaryana Team

Quick answer: The BAT BMS app is a legitimate Chinese battery management tool that has gone viral in India for a dangerous reason — pranksters are using it to remotely disable e-rickshaws (“tirris”) by connecting to unsecured Bluetooth battery systems and cutting off power. The app communicates with the battery’s Battery Management System (BMS) over Bluetooth. If the BMS lacks password authentication — as many low-cost units do — anyone within 10-15 metres can connect and flip the discharge switch, instantly stopping the vehicle. Protection is straightforward: disable Bluetooth on the BMS, set a password if supported, or upgrade to a secure BMS.

Social media in India is flooded with “Tirri Control” videos showing people stopping moving e-rickshaws with a tap on their phone. The trend has sparked outrage, safety concerns, and a nationwide conversation about EV cybersecurity. This guide explains exactly how the exploit works, why it only affects certain vehicles, and what you can do to protect yourself.

What Is the BAT BMS App?

BAT BMS is developed by Shenzhen Grenergy Technology Co., Ltd., a Chinese company specialising in battery management solutions. The app is freely available on both Google Play Store and Apple App Store under the package name com.bms.grenergy. It has over 100,000 downloads on Android alone.

The app is designed for a legitimate purpose — monitoring and managing Bluetooth-enabled lithium batteries. It provides real-time data on:

| Parameter | What It Tracks |
| --- | --- |
| State of Charge (SOC) | Current battery percentage |
| Voltage | Total pack voltage and individual cell voltages |
| Current | Charge and discharge current flow |
| Temperature | Battery pack temperature |
| Cycle Life | Number of charge/discharge cycles completed |
| Cell Balance | Voltage difference across individual cells |

This data is essential for battery owners — solar installers, boat owners, RV enthusiasts, and businesses using lithium battery banks. The app was never designed as a hacking tool. But a core feature — the ability to enable or disable battery discharge — is now being exploited.

How the “Tirri Control” Prank Works

The exploit follows a simple sequence that takes under 10 seconds to execute:

| Step | Action | Result |
| --- | --- | --- |
| 1 | Phone scans for nearby Bluetooth devices | Detects broadcasting BMS units within 10-15 metres |
| 2 | BAT BMS app connects to the battery’s BMS | No password or authentication required on cheap units |
| 3 | User navigates to the discharge control setting | Interface shows a toggle switch for battery output |
| 4 | User flips the discharge switch to OFF | BMS opens the MOSFET circuit, cutting power |
| 5 | Vehicle loses motor power immediately | E-rickshaw stops moving, driver stranded |

The reason this works is straightforward: many low-cost Chinese Battery Management Systems ship with Bluetooth enabled, no password set, and the discharge control exposed through the BAT BMS app’s standard interface. No hacking, no exploit — the app simply uses the BMS as intended.

Technical Deep Dive: Why the Vulnerability Exists

What Is a BMS?

A Battery Management System is the “brain” of any lithium-ion battery pack. It monitors every cell, prevents overcharging and over-discharging, balances cells, and protects against short circuits. Without a BMS, lithium batteries are dangerous and short-lived.

The MOSFET Discharge Switch

Inside every BMS, there are MOSFETs (Metal-Oxide-Semiconductor Field-Effect Transistors) that act as electronic switches controlling whether power flows out of the battery. These MOSFETs are the physical component that the BAT BMS app toggles when you flip the discharge switch.

The BMS firmware exposes this switch over Bluetooth for legitimate reasons — a battery owner might need to cut power remotely for safety during maintenance or transport. The problem arises when this control is accessible without any authentication.

Why Chinese BMS Units Lack Security

Most budget e-rickshaws in India use Chinese-manufactured lithium battery packs with built-in BMS. These BMS units are designed for cost efficiency, not security:

  • No password requirement — Bluetooth is open by default, and no PIN is set during manufacturing
  • No encryption — Communication between app and BMS is plaintext
  • No access control — Once connected, all features (including discharge control) are available
  • Default pairing mode — The BMS continuously broadcasts its presence, making it discoverable

This combination creates a perfect vulnerability: discoverable, connectable, and controllable with zero authentication.

Range Limitation

The exploit has a physical limitation — Bluetooth range is approximately 10-15 metres. The prankster must be physically near the target vehicle. This means the attack cannot be performed remotely over the internet, only by someone within visual range.

Does This Affect Every Electric Vehicle?

No. The BAT BMS app only works with specific hardware. Here is a breakdown of which vehicles are affected:

| Vehicle Type | Vulnerable? | Reason |
| --- | --- | --- |
| Lead-acid battery e-rickshaw | No | No BMS or Bluetooth |
| Premium lithium EV (Ola, Ather, Bajaj) | No | Proprietary BMS with authentication |
| Budget lithium e-rickshaw with Chinese BMS | Yes | Unsecured Bluetooth BMS |
| DIY-converted e-rickshaw with generic lithium pack | Yes | Often uses cheap Chinese BMS |
| Electric scooter with no-name battery | Yes | Same vulnerability applies |

Only vehicles with Bluetooth-enabled lithium battery BMS units that lack password protection are at risk. Most branded EVs from established manufacturers use secure, proprietary systems.

How to Protect Your E-Rickshaw

If you own or operate a lithium-battery e-rickshaw, here are practical steps to secure it.

1. Check if Your BMS Is Vulnerable

Download the BAT BMS app on your phone and walk near your parked vehicle. If the app discovers your battery and connects without a password prompt, your BMS is unsecured.

2. Disable Bluetooth on the BMS

Many BMS units allow you to turn off Bluetooth through a configuration tool or dedicated desktop software. Check with your battery supplier for instructions. Once Bluetooth is off, no app can connect.

3. Set a BMS Password

Some BMS firmware supports password protection even if it is not enabled by default. The BAT BMS app itself may allow you to set a password under device settings. If your BMS supports this, set a strong password immediately.

4. Upgrade to a Secure BMS

If your current BMS has no security features at all, replace it with one that supports password authentication and encrypted Bluetooth communication. The upgrade typically costs between ₹500 and ₹2,000.

5. Physically Secure the Battery Enclosure

If an attacker cannot physically access the BMS module inside the battery pack, they cannot reset or bypass it. Ensure your battery box is locked and tamper-proof.

6. Switch to Lead-Acid Batteries (Temporary Fix)

If you are unable to secure your lithium BMS immediately, consider temporarily switching to lead-acid batteries. They are heavier and less efficient but do not use Bluetooth BMS at all, making them immune to this exploit.

7. Report Suspicious Activity

If you experience sudden power loss and suspect someone is using the BAT BMS app nearby, look around for someone holding a phone near your vehicle. File a complaint with local police and report the incident to the cybercrime department.

Using the BAT BMS app to disable someone else’s vehicle is not a harmless prank — it is a crime.

  • Indian IT Act 2000, Section 43 — Unauthorised access to a computer resource (the BMS is a computer system) is punishable with fines and compensation
  • Indian IT Act 2000, Section 66 — Computer-related offences carry imprisonment up to 3 years and fines up to ₹5 lakhs
  • IPC Section 336 — Any act endangering the life or personal safety of others is punishable with imprisonment up to 3 months or fine
  • Motor Vehicles Act 1988 — Tampering with a vehicle’s systems could lead to prosecution

Several petitions are circulating to ban the BAT BMS app in India. However, the app itself is a legitimate tool — the real issue is insecure BMS hardware. A ban would be hard to enforce, and it would not fix the underlying security gap.

What India’s EV Industry Must Learn

This incident highlights a critical gap in India’s EV ecosystem. As the country pushes for rapid electrification, security standards for battery systems have not kept pace.

| Issue | Current State | What Is Needed |
| --- | --- | --- |
| BMS authentication | None on budget units | Mandatory password/BLE encryption |
| Bluetooth security | Open by default | Pairing required, encryption enforced |
| Discharge control access | Exposed without authorisation | PIN or biometric confirmation required |
| Firmware updates | Rarely available | OTA update mechanism with security patches |
| Regulatory oversight | No standards for BMS cybersecurity | BIS or ARAI certification for BMS security |
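
The first three rows of the table above, and the open access described under "Why Chinese BMS Units Lack Security", sketched as firmware-side logic in an added C example; this is not code from the BAT BMS app or any BMS vendor. All names (link_state, write_discharge_hardened, the sample PIN, the three-attempt lockout) are hypothetical, and 0x00 meaning "discharge off" follows this article's description.

```c
/* Added illustration: hypothetical BMS firmware logic, not vendor code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define PIN_LEN 6
#define MAX_PIN_FAILS 3   /* assumed lockout threshold */

typedef enum { WR_OK, WR_NEED_ENCRYPTION, WR_NEED_AUTH, WR_LOCKED } wr_status;
typedef struct {
    bool encrypted;      /* link-layer encryption is active */
    bool bonded;         /* peer was paired by the owner beforehand */
    bool pin_ok;         /* owner PIN confirmed in this session */
    uint8_t pin_fails;   /* wrong PINs so far (persist this in real firmware) */
} link_state;

static bool discharge_fet_on = true;   /* simulated discharge MOSFET */
static const uint8_t owner_pin[PIN_LEN] = {'4','8','1','5','1','6'}; /* constructed */
bool discharge_enabled(void) { return discharge_fet_on; }

/* Behaviour the article describes: any connected peer may toggle discharge. */
wr_status write_discharge_open(const link_state *l, uint8_t value) {
    (void)l;                              /* link state is never consulted */
    discharge_fet_on = (value != 0x00);   /* 0x00 = discharge off */
    return WR_OK;
}

/* Constant-time comparison so response timing does not leak PIN digits. */
static bool pin_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

wr_status submit_pin(link_state *l, const uint8_t *pin, size_t len) {
    if (!l->encrypted) return WR_NEED_ENCRYPTION;   /* no PIN over plaintext */
    if (l->pin_fails >= MAX_PIN_FAILS) return WR_LOCKED;
    if (len == PIN_LEN && pin_equal(pin, owner_pin)) {
        l->pin_ok = true; l->pin_fails = 0;
        return WR_OK;
    }
    l->pin_fails++;
    return WR_NEED_AUTH;
}

/* Hardened handler: encryption, bonding and PIN are all required to switch. */
wr_status write_discharge_hardened(const link_state *l, uint8_t value) {
    if (!l->encrypted) return WR_NEED_ENCRYPTION;
    if (!l->bonded || !l->pin_ok) return WR_NEED_AUTH;
    discharge_fet_on = (value != 0x00);
    return WR_OK;
}
```

With the hardened handler, a write from an unpaired phone leaves the MOSFET state unchanged and returns an error, while the owner's bonded phone can still cut power for maintenance after confirming the PIN.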

The BAT BMS controversy is a wake-up call. As more Indians adopt electric vehicles — e-rickshaws alone number over 15 lakhs in the country — the security of their battery systems can no longer be an afterthought.

Conclusion

The BAT BMS “Tirri Control” trend is a dangerous viral phenomenon that exposes a real vulnerability in India’s budget EV ecosystem. The fix is not to ban the app — it is to demand better security from battery manufacturers. If you own an e-rickshaw, check your BMS today. Set a password. Disable Bluetooth if possible. And report any misuse you witness.

India’s EV transition must be built on safety, not just speed. This incident should push regulators, manufacturers, and owners to take battery cybersecurity seriously.


Frequently Asked Questions

Q1: What is the BAT BMS app?
A1: BAT BMS is a legitimate battery management app developed by Shenzhen Grenergy Technology. It monitors Bluetooth-enabled lithium batteries — tracking voltage, temperature, charge levels, and cycle life. It also allows users to enable or disable battery discharge.

Q2: Can the BAT BMS app really stop an e-rickshaw?
A2: Yes, but only if the e-rickshaw uses a compatible Bluetooth-enabled lithium battery BMS with no password protection. The app connects to the BMS and flips the discharge switch off, cutting power to the motor and stopping the vehicle.

Q3: How do I protect my e-rickshaw from the BAT BMS app?
A3: Turn off Bluetooth on the BMS if possible, set a strong password on the BMS, upgrade to a BMS with authentication, physically secure the battery enclosure, or switch to a lead-acid battery which does not use Bluetooth BMS.

Q4: Is every e-rickshaw vulnerable to this attack?
A4: No. Only e-rickshaws with cheap Chinese Bluetooth-enabled lithium battery BMS units that lack password authentication are vulnerable. Lead-acid battery rickshaws and premium EVs with secure BMS are not affected.

Q5: Is the BAT BMS app illegal to use?
A5: Using the app to disable someone else’s vehicle is illegal under Indian IT Act 2000 (unauthorised access to a computer resource) and IPC Section 336 (act endangering life or personal safety of others).

Q6: Should the BAT BMS app be banned?
A6: The app itself is a legitimate tool. The real issue is weak security in low-cost BMS units. The fix is better BMS security standards, not banning the app.

Q7: Which vehicles use Bluetooth BMS that could be vulnerable?
A7: Many budget e-rickshaws and electric two-wheelers using Chinese lithium battery packs with Bluetooth-enabled BMS are potentially vulnerable, especially those without password authentication on the BMS.

How the BAT BMS App Actually Works: Attack Flow

The exploit relies on Bluetooth Low Energy (BLE) communication between the app and the battery’s BMS. Here is the exact technical sequence:

  1. Discovery — The BMS continuously broadcasts BLE advertising packets with a known UUID (0000ffe0-0000-1000-8000-00805f9b34fb). The BAT BMS app scans for these signals within 10-15 metres.

  2. Connection — The app sends a BLE connection request to the discovered BMS. On cheap units, this is accepted without any PIN, password, or authentication.

  3. Service Discovery — Once connected, the app queries the BMS for its available services and characteristics. It finds read/write handles for battery data (voltage, temperature, SOC) and control functions (discharge on/off).

  4. Parameter Read — The app reads the current battery status: voltage, current, temperature, individual cell voltages, and the current state of the discharge MOSFET (on/off).

  5. Command Execution — The app writes to the discharge control characteristic (typically writing 0x00 to a specific handle). This signals the BMS firmware to open the MOSFET circuit.

  6. Power Cut — The MOSFETs open, breaking the circuit between the battery cells and the output terminals. The motor instantly loses power and the vehicle stops.

  7. Re-Pairing Prevention — Some BMS units remain in a locked state after a remote shutdown, requiring the owner to physically reset the battery or use the app themselves to re-enable discharge.

Prevention Checklist

  • Set a BMS password via manufacturer software (look for “PIN” or “Password” setting)
  • Disable Bluetooth broadcast if you do not need continuous monitoring
  • Verify your BMS firmware supports encrypted pairing
  • Use tamper-evident seals on the battery enclosure
  • Register your battery with the manufacturer for firmware update alerts
  • Report suspicious power loss incidents to your local cybercrime cell
