Reverse Engineering A BLE Service To Control A Light Bulb

So, you buy an Internet of Things light bulb, it’s a fun toy that allows you to bathe your environment in pretty colours at the touch of an app, but eventually you want more. You start to wonder how you might do more with it, and begin to investigate its inner workings. Then to your horror you discover that far from having bought a device with a convenient API for you to use, it has an impenetrable closed protocol that defies easy access.

This was the problem facing [Ayan Pahwa] when he bought a Syska Smartlight Rainbow LED bulb, and discovered that its Bluetooth Low Energy  interface used a closed protocol. But instead of giving up, he proceeded to reverse engineer the communication between bulb and app, and his write-up makes for an interesting read that provides a basic primer on some of BLE’s workings for the uninitiated.

BLE allows a device manufacturer to define their own device service specific to their functionality alongside standard ones for common device types. Using a handy Android app from Nordic Semiconductor he was able to identify the services defined for the light bulb, but sadly they lacked any human-readable information to help him as to their purpose. He thus had to sniff BLE packets directly, and lacking dedicated hardware for this task he relied on a developer feature built into Android versions since KitKat, allowing packets to be captured and logged. By analysing the resulting packet files he was able to identify the Texas Instruments chip inside the bulb, and to deduce the sequences required to control its colours. Then he was able to use the Bluez utilities to talk directly to it, and as if by magic, his colours appeared! Take a look at the video we’ve placed below the break.

Many of us may never need to reverse engineer a BLE device. But if we are BLE novices, after reading [Ayan]’s piece we will at least have some idea of its inner workings. And that can only be a positive thing.

Want to know more about BLE? Read our Hackaday Dictionary piece on it. And if you’d like to use it, look at this tiny BLE UART, or even use an NRF24L01 module.

18 thoughts on “Reverse Engineering A BLE Service To Control A Light Bulb

  1. People get upset when IoT is riddled with security holes and people also get upset when IoT is riddled with closed source, obfuscated, proprietary inner workings. *shakes head*

        1. Though the real problem is that open source solutions tend to be bad solutions since they’re inevitably some combination of linux and a web server stuffed in a SoC, and the system becomes millions of times too complicated for the task – which includes the millions of obscure bugs and security holes that pop up years and years later.

        2. No reason why they can’t – there are plenty of companies trying to do it with ‘large-scale’ (ie linux) IoT devices using docker et al, and all of the big BLE vendors support (secure) OtA updates as far as I know

Leave a Reply to DaxCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.