Reverse Engineering a Bluetooth Lightbulb

Uri Shaked
Aug 3, 2016 · 9 min read
“Any sufficiently advanced technology is indistinguishable from magic.” — Arthur C. Clarke

Why take the time to reverse engineer the protocol?

Bluetooth Low Energy 101 (or maybe 100)

Bluetooth Low Energy: Peripherals, Services and Characteristics

Reverse Engineering the Bulbs: Bulb 1

nRF Connect
After connecting to the device, look for Characteristic ffb2 and click on the up arrow to write data

Reverse Engineering the Bulbs: Bulb 2

Magic Blue Smart Bulb
adb pull /sdcard/btsnoop_hci.log
Wireshark in Action
btatt.opcode.method==0x12
bluetooth.addr==f7:34:5b:f8:cc:ef
Enter the values, send to the device, and…
…it changes color!
56 RR GG BB 00 f0 aa
56 00 00 00 WW 0f aa
bb II SS 44
bb 25 05 44
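The four byte layouts above are the whole protocol as captured in Wireshark. As an added example (not code from the original article), here is a small Python encoder/decoder for those payloads: it builds the RGB, white and built-in-mode writes, and parses raw write values such as the ones you would pull out of btsnoop_hci.log with the btatt.opcode.method==0x12 filter. The article labels the mode packet's bytes II and SS; treating them as a mode index and a speed value is an assumption, as are the field names used here.

```python
"""Encoder/decoder for the three write payloads the article lists:

    56 RR GG BB 00 f0 aa   -> set an RGB colour
    56 00 00 00 WW 0f aa   -> set warm-white level WW
    bb II SS 44            -> select built-in mode II at speed SS (assumed meaning)

Added example; the packet formats come from the captured traffic, the
field names and the II/SS interpretation are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass(frozen=True)
class RgbCommand:
    r: int
    g: int
    b: int


@dataclass(frozen=True)
class WhiteCommand:
    level: int          # WW byte, 0x00..0xff


@dataclass(frozen=True)
class ModeCommand:
    mode: int           # II byte (assumed: built-in mode index)
    speed: int          # SS byte (assumed: animation speed)


Command = Union[RgbCommand, WhiteCommand, ModeCommand]


def _check_byte(value: int, name: str) -> int:
    if not 0 <= value <= 0xFF:
        raise ValueError(f"{name} must fit in one byte, got {value}")
    return value


def encode_rgb(r: int, g: int, b: int) -> bytes:
    """56 RR GG BB 00 f0 aa"""
    return bytes([0x56, _check_byte(r, "r"), _check_byte(g, "g"),
                  _check_byte(b, "b"), 0x00, 0xF0, 0xAA])


def encode_white(level: int) -> bytes:
    """56 00 00 00 WW 0f aa"""
    return bytes([0x56, 0x00, 0x00, 0x00, _check_byte(level, "level"), 0x0F, 0xAA])


def encode_mode(mode: int, speed: int) -> bytes:
    """bb II SS 44"""
    return bytes([0xBB, _check_byte(mode, "mode"), _check_byte(speed, "speed"), 0x44])


def decode(payload: bytes) -> Optional[Command]:
    """Parse one GATT write value; returns None for anything not in the three layouts."""
    if len(payload) == 7 and payload[0] == 0x56 and payload[6] == 0xAA:
        if payload[4:6] == b"\x00\xf0":
            return RgbCommand(payload[1], payload[2], payload[3])
        if payload[1:4] == b"\x00\x00\x00" and payload[5] == 0x0F:
            return WhiteCommand(payload[4])
    if len(payload) == 4 and payload[0] == 0xBB and payload[3] == 0x44:
        return ModeCommand(payload[1], payload[2])
    return None


def decode_capture(hex_values: List[str]) -> List[Optional[Command]]:
    """Decode a list of hex write values as Wireshark shows them for ffb2 writes."""
    return [decode(bytes.fromhex(h.replace(" ", ""))) for h in hex_values]


# Constructed sample values in the article's notation (not real capture data).
SAMPLE_WRITES = ["56 ff 00 00 00 f0 aa", "56 00 00 00 80 0f aa", "bb 25 05 44", "01 02"]

if __name__ == "__main__":
    for raw, cmd in zip(SAMPLE_WRITES, decode_capture(SAMPLE_WRITES)):
        print(f"{raw:24} -> {cmd}")
```

Running the module decodes the three constructed writes as red, half-brightness white and mode 0x25 at speed 5, and flags the two-byte value as unrecognised, which is the check you want before assuming every write to ffb2 follows the documented layouts.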

A Word About Security

Conclusions: we’ve hacked the bulbs… now for (more) fun!

Uri Shaked

Written by

Google Developer Expert for Web Technologies, Maker and Public Speaker
