Reverse Engineering a Bluetooth Lightbulb

“Any sufficiently advanced technology is indistinguishable from magic.” — Arthur C. Clarke

Why take the time to reverse engineer the protocol?

First of all, this way is a lot more fun. It also gives you the ability to integrate it with anything, such as a weather service (bulb changes color according to weather), your startup’s automated build (bulb is red when the code is broken), or flashing random colors rapidly just for the sake of it (my audiences really seem to enjoy this last use for it).

Bluetooth Low Energy 101 (or maybe 100)

In Bluetooth Low Energy, devices can perform one of two roles. A device can be either a “Central” (in this example, your phone) or a “Peripheral” (and respectively, the bulb).

Figure: Bluetooth Low Energy: Peripherals, Services and Characteristics

Reverse Engineering the Bulbs: Bulb 1

Reverse engineering the first bulb, a Smart Led Lamp E27 RGBW 5W Bulb, was easy. In a nutshell: I opened nRF Connect, scanned, found the bulb, tried some values, and got what I wanted.

Figure (nRF Connect): After connecting to the device, look for Characteristic ffb2 and click on the up arrow to write data.

Reverse Engineering the Bulbs: Bulb 2

The second bulb, a Magic Blue UU E27 Bulb, was much more interesting. Using the same technique with nRF Connect, I immediately spotted the only writable Characteristic (Characteristic ffe9 in Service ffe5), but sending values to it didn’t have any effect. I decided to try another approach: use the official Android app that comes with the bulb, record all of its Bluetooth communication, work out the commands from the recording, and then send those commands to the bulb myself to control it.

Figure: Magic Blue Smart Bulb

  • First, you need to enable Developer Mode in Android if you haven’t done so already.
  • Next, go to Settings, open “Developer Options” and turn on “Enable Bluetooth HCI snoop log.” This will start recording all the Bluetooth traffic that goes through your device.
  • Control the bulb from the official app, then pull the recorded log from the phone:

    adb pull /sdcard/btsnoop_hci.log

Figure: Wireshark in Action

Open the log in Wireshark and narrow it down to ATT Write Requests (opcode 0x12) addressed to the bulb:

btatt.opcode.method==0x12
bluetooth.addr==f7:34:5b:f8:cc:ef

Enter the values, send to the device, and…
…it changes color!

The command formats recovered from the capture (hex bytes; RR GG BB are the red, green and blue values, WW the white value):

56 RR GG BB 00 f0 aa
56 00 00 00 WW 0f aa
bb II SS 44

A concrete instance of the last format, as seen in the capture:

bb 25 05 44
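To make the recovered frame formats concrete, here is a small encoder/decoder for them, added as an example (not code from the original post). It assumes RR GG BB and WW are 0–255 byte values, and it treats II and SS in the “bb II SS 44” frame as an effect index and speed, which is an assumption the post does not state; the decoder is the kind of triage helper you would run over the btatt.value column of a capture.

```python
# Added example, not from the original post: build and decode the Magic Blue
# command frames recovered from the HCI snoop capture.
# Assumptions: RR GG BB are 0-255 colour bytes, WW is the white level;
# II and SS in "bb II SS 44" are taken to be an effect index and its speed
# (assumption, the post does not name these fields).

def rgb_command(r: int, g: int, b: int) -> bytes:
    """56 RR GG BB 00 f0 aa: set an RGB colour."""
    for v in (r, g, b):
        if not 0 <= v <= 255:
            raise ValueError("colour bytes must be 0..255")
    return bytes([0x56, r, g, b, 0x00, 0xF0, 0xAA])

def white_command(w: int) -> bytes:
    """56 00 00 00 WW 0f aa: set the white channel."""
    if not 0 <= w <= 255:
        raise ValueError("white level must be 0..255")
    return bytes([0x56, 0, 0, 0, w, 0x0F, 0xAA])

def effect_command(index: int, speed: int) -> bytes:
    """bb II SS 44: select a built-in effect and speed (assumed meaning)."""
    for v in (index, speed):
        if not 0 <= v <= 255:
            raise ValueError("index and speed must be 0..255")
    return bytes([0xBB, index, speed, 0x44])

def decode_command(frame: bytes) -> dict:
    """Classify one ATT write value the way you would when triaging a capture.
    Returns {"type": ...} plus the decoded fields, or {"type": "unknown"}."""
    if len(frame) == 7 and frame[0] == 0x56 and frame[6] == 0xAA:
        if frame[4:6] == b"\x00\xf0":
            return {"type": "rgb", "r": frame[1], "g": frame[2], "b": frame[3]}
        if frame[1:4] == b"\x00\x00\x00" and frame[5] == 0x0F:
            return {"type": "white", "level": frame[4]}
    if len(frame) == 4 and frame[0] == 0xBB and frame[3] == 0x44:
        return {"type": "effect", "index": frame[1], "speed": frame[2]}
    return {"type": "unknown", "hex": frame.hex()}

# Constructed sample of write values as they would appear in the capture
# (hex strings copied from the btatt.value column), including bb 25 05 44
# from the post and one frame that matches none of the known formats.
SAMPLE_WRITES = ["56ff000000f0aa", "56000000800faa", "bb250544", "cc2333"]

def triage(values=SAMPLE_WRITES) -> list:
    """Decode every captured write value in order."""
    return [decode_command(bytes.fromhex(v)) for v in values]
```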

A Word About Security

As you have seen above, neither smart bulb has any security mechanism: there is no pairing, authentication or encryption, so anyone within radio range can connect to them and control them. While the second bulb at least required some effort to reverse engineer the protocol, the first one required hardly any. I hope that some of the higher-end smart bulbs are designed with security in mind, though from a quick Google for “Bluetooth smart bulb security,” it seems like nobody really addresses these concerns at the moment (for example, I could only find one reference to a security review of a smart bulb).

Conclusions: we’ve hacked the bulbs… now for (more) fun!

So now we’ve hacked the bulbs by reverse engineering the protocols and we can confidently change the colors of our neighbors’ smart bulbs (I’m kidding: I don’t condone or recommend this at all… I’m just saying we could).

Uri Shaked

Google Developer Expert for Web Technologies, Maker and Public Speaker