Reverse Engineering a Bluetooth Lightbulb

“Any sufficiently advanced technology is indistinguishable from magic.” — Arthur C. Clarke

Why take the time to reverse engineer the protocol?

Bluetooth Low Energy 101 (or maybe 100)

Bluetooth Low Energy: Peripherals, Services and Characteristics

Reverse Engineering the Bulbs: Bulb 1

nRF Connect
After connecting to the device, look for Characteristic ffb2 and click on the up arrow to write data.

Reverse Engineering the Bulbs: Bulb 2

Magic Blue Smart Bulb
  • First, you need to enable Developer Mode in Android if you haven’t done so already.
  • Next, go to Settings, then open “Developer Options” and turn on the “Enable Bluetooth HCI snoop log.” This will start recording all the Bluetooth traffic that goes through your device.
adb pull /sdcard/btsnoop_hci.log
Wireshark in Action
btatt.opcode.method==0x12
bluetooth.addr==f7:34:5b:f8:cc:ef
Enter the values, send to the device, and…
…it changes color!
56 RR GG BB 00 f0 aa
56 00 00 00 WW 0f aa
bb II SS 44
bb 25 05 44
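The four payload formats above are all that the bulb needs, so the capture workflow on this page (HCI snoop log, Wireshark filter on ATT opcode 0x12, write the bytes back) can be reproduced offline. The following Python is an added example, not code from the article or from any bulb vendor: it encodes the three command formats, walks a btsnoop_hci.log (the file format Android writes: 16-byte header, then one 24-byte record header per packet, all big-endian; datalink 1002 is HCI H4), keeps only ATT Write Request (0x12) and Write Command (0x52) PDUs, and classifies their values against the page's formats. The embedded log is constructed for the example, as are the connection handle 0x0040 and the ATT handle 0x0021. The page's second Wireshark filter (bluetooth.addr) cannot be reproduced from ACL frames alone, since they carry only the connection handle, so the extractor filters by that handle instead.

```python
import struct

# Magic Blue payload formats as documented on the page (hex bytes):
#   56 RR GG BB 00 f0 aa   set an RGB colour
#   56 00 00 00 WW 0f aa   set warm-white level
#   bb II SS 44            select built-in mode II at speed SS

def encode_rgb(r, g, b):
    return bytes([0x56, r, g, b, 0x00, 0xF0, 0xAA])

def encode_white(level):
    return bytes([0x56, 0x00, 0x00, 0x00, level, 0x0F, 0xAA])

def encode_mode(mode, speed):
    return bytes([0xBB, mode, speed, 0x44])

def decode_bulb_command(value):
    """Classify a value written to the bulb; None if it matches no known format."""
    if len(value) == 7 and value[0] == 0x56 and value[6] == 0xAA:
        if value[5] == 0xF0 and value[4] == 0x00:
            return {"kind": "rgb", "r": value[1], "g": value[2], "b": value[3]}
        if value[5] == 0x0F and value[1:4] == b"\x00\x00\x00":
            return {"kind": "white", "level": value[4]}
    if len(value) == 4 and value[0] == 0xBB and value[3] == 0x44:
        return {"kind": "mode", "mode": value[1], "speed": value[2]}
    return None

# btsnoop / HCI constants (from the btsnoop and Bluetooth Core specifications)
BTSNOOP_MAGIC = b"btsnoop\x00"
H4_ACL = 0x02                # H4 packet type byte for ACL data
L2CAP_CID_ATT = 0x0004       # fixed L2CAP channel carrying ATT
ATT_WRITE_REQ = 0x12         # the opcode the page's Wireshark filter selects
ATT_WRITE_CMD = 0x52         # write without response, also worth catching

def iter_btsnoop_records(data):
    """Yield (flags, timestamp, packet_bytes) for every record in a btsnoop file."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, _datalink = struct.unpack(">II", data[8:16])
    if version != 1:
        raise ValueError(f"unsupported btsnoop version {version}")
    off = 16
    while off + 24 <= len(data):
        _orig_len, incl_len, flags, _drops, ts = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        yield flags, ts, data[off:off + incl_len]
        off += incl_len

def extract_att_writes(data, conn_handle=None):
    """Return every ATT write in the log (optionally only on one connection handle)."""
    writes = []
    for _flags, _ts, pkt in iter_btsnoop_records(data):
        # need H4 type (1) + ACL header (4) + L2CAP header (4) at minimum
        if len(pkt) < 9 or pkt[0] != H4_ACL:
            continue
        handle_flags, _acl_len = struct.unpack("<HH", pkt[1:5])
        handle = handle_flags & 0x0FFF          # low 12 bits are the connection handle
        if conn_handle is not None and handle != conn_handle:
            continue
        l2cap_len, cid = struct.unpack("<HH", pkt[5:9])
        if cid != L2CAP_CID_ATT:
            continue
        att = pkt[9:9 + l2cap_len]
        if len(att) < 3 or att[0] not in (ATT_WRITE_REQ, ATT_WRITE_CMD):
            continue
        att_handle = struct.unpack("<H", att[1:3])[0]
        writes.append({"conn_handle": handle, "opcode": att[0],
                       "att_handle": att_handle, "value": att[3:],
                       "decoded": decode_bulb_command(att[3:])})
    return writes

def _record(flags, pkt):
    return struct.pack(">IIIIq", len(pkt), len(pkt), flags, 0, 0) + pkt

def _acl_att_packet(conn_handle, att_pdu):
    l2cap = struct.pack("<HH", len(att_pdu), L2CAP_CID_ATT) + att_pdu
    return bytes([H4_ACL]) + struct.pack("<HH", conn_handle, len(l2cap)) + l2cap

def build_sample_log():
    """Constructed btsnoop log (not a real capture): one HCI event, two ATT writes."""
    header = BTSNOOP_MAGIC + struct.pack(">II", 1, 1002)
    event = bytes([0x04, 0x0E, 0x04, 0x01, 0x06, 0x04, 0x00])      # Command Complete
    write_req = bytes([ATT_WRITE_REQ]) + struct.pack("<H", 0x0021) + encode_rgb(0xFF, 0x00, 0x00)
    write_cmd = bytes([ATT_WRITE_CMD]) + struct.pack("<H", 0x0021) + encode_mode(0x25, 0x05)
    return (header + _record(3, event)
            + _record(0, _acl_att_packet(0x0040, write_req))
            + _record(0, _acl_att_packet(0x0040, write_cmd)))

if __name__ == "__main__":
    for w in extract_att_writes(build_sample_log(), conn_handle=0x0040):
        print(f"opcode=0x{w['opcode']:02x} handle=0x{w['att_handle']:04x} "
              f"value={w['value'].hex(' ')} -> {w['decoded']}")
```

Point `extract_att_writes` at the bytes of a pulled btsnoop_hci.log to get the same list the page's Wireshark filter shows; anything that decodes to None is a write the bulb's known formats do not explain and is worth a closer look.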

A Word About Security

Conclusions: we’ve hacked the bulbs… now for (more) fun!

Uri Shaked

Google Developer Expert for Web Technologies, Maker and Public Speaker