Reverse Engineering Smart Bluetooth Low Energy Devices

As an IoT enthusiast and night-time security researcher, it always intrigues me how easy our lives have become with the IoT applications we use intuitively on a daily basis. That scratches the part of my brain that always wanted to see what's going on deep down inside: from using a mobile application to monitoring and controlling devices, what is making it all possible?

I recently bought a smart LED RGB light bulb for my work desk from Amazon, a 7 watt Syska Smartlight Rainbow LED bulb which can be controlled using a mobile application compatible with Android and Bluetooth. It was fun playing with it: a perfect mood lamp for my study room, it blinks to notify me of any new WhatsApp message on my phone, it can wake me up in the morning, and I can interact with it in so many ways, BUT only through its native application.

Unlike other famous smart light bulbs available in the market like Philips Hue, LIFX etc., this one works on Bluetooth Low Energy rather than WiFi and, unlike them, it has no API for interacting with it from your own custom-made application. I still bought it knowing all this, just for its cheap ₹1300/- price tag and the fact that it's made by an Indian company.

After playing with it for a couple of weeks, I decided to look at what's under the hood. I've been playing around with Bluetooth and the Bluetooth Low Energy protocol for quite some time now and know the nitty-gritty of how it works (all thanks to Cypress Semiconductor for sending me a PSoC4 BLE evaluation kit last year). Basically BLE (short for Bluetooth Low Energy) provides a method to define user-defined services on the communication layer, giving a vendor using BLE in their product the utmost freedom to define the protocol profile specific to the device they are making. Though the BLE protocol has some already defined profiles such as basic old UART, BLE Heart Rate Monitor, Beacons etc., the vendor is free to use what's called GATT, or Generic Attribute Profile, and create their own custom profile for how they want communication to happen between master and slave.

Step 1: But a Catch....

The fact that this bulb is not using a TCP/IP based protocol for communication makes it a little hard to reverse engineer. I mean, c'mon, if it were on my home network things would be a bit easier, wouldn't they? I could just use its MAC or IP to sniff and dump packets into a PCAP file to be analysed later with Wireshark; the traffic might be cryptic but it would be easy to sniff, basically a Man-in-the-Middle sort of thing, and even a simple CLI tcpdump would work. But instead it uses Bluetooth (*sigh*), which is meant for peer-to-peer networking, meaning that at any one time the device can only talk to one master.
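To make the two previous points concrete (a vendor's custom GATT profile is just reads and writes to attribute handles, and those travel in ATT PDUs inside L2CAP inside HCI ACL frames rather than in IP packets), here is an added decoder that is not part of the original Instructable and not the bulb's own protocol. It assumes the HCI ACL framing you find in an Android btsnoop_hci.log or a Wireshark Bluetooth capture; the connection handle, attribute handles and the 4-byte values below are constructed placeholders, not values captured from the Syska bulb.

```python
"""Decode ATT PDUs (the layer GATT reads/writes travel on) from raw HCI ACL
packets. Added example: the capture below is constructed, not recorded from
the Syska bulb, and every handle and value in it is a placeholder."""
import struct
from typing import Optional

ATT_CID = 0x0004  # L2CAP channel ID reserved for ATT on LE links

ATT_OPCODES = {
    0x02: "Exchange MTU Request",
    0x03: "Exchange MTU Response",
    0x0A: "Read Request",
    0x0B: "Read Response",
    0x12: "Write Request",
    0x13: "Write Response",
    0x1B: "Handle Value Notification",
    0x52: "Write Command",
}


def decode_att(pdu: bytes) -> dict:
    """Parse one ATT PDU: 1-byte opcode, then opcode-specific fields (little endian)."""
    opcode = pdu[0]
    body = pdu[1:]
    out = {"opcode": opcode, "name": ATT_OPCODES.get(opcode, "Unknown")}
    if opcode in (0x02, 0x03):                      # MTU exchange: 2-byte MTU
        out["mtu"] = struct.unpack_from("<H", body)[0]
    elif opcode == 0x0A:                            # Read Request: handle only
        out["handle"] = struct.unpack_from("<H", body)[0]
    elif opcode == 0x0B:                            # Read Response: value only
        out["value"] = body.hex()
    elif opcode in (0x12, 0x52, 0x1B):              # Write / Notify: handle + value
        out["handle"] = struct.unpack_from("<H", body)[0]
        out["value"] = body[2:].hex()
    return out


def decode_hci_acl(packet: bytes) -> Optional[dict]:
    """HCI ACL data: handle+flags (2 LE), total length (2 LE), then the L2CAP
    header: length (2 LE), CID (2 LE), payload. Returns None for anything that
    is not a first fragment carrying ATT."""
    if len(packet) < 8:
        return None
    hf, total_len = struct.unpack_from("<HH", packet, 0)
    conn_handle = hf & 0x0FFF
    pb_flag = (hf >> 12) & 0x3
    if pb_flag == 0x01:        # continuation fragment: no L2CAP header here
        return None
    l2len, cid = struct.unpack_from("<HH", packet, 4)
    if cid != ATT_CID or total_len != l2len + 4:
        return None
    att = decode_att(packet[8:8 + l2len])
    att["conn_handle"] = conn_handle
    return att


def build_acl(conn_handle: int, att_pdu: bytes, pb_flag: int = 0x02) -> bytes:
    """Wrap an ATT PDU in L2CAP and HCI ACL headers (used to build the sample)."""
    l2cap = struct.pack("<HH", len(att_pdu), ATT_CID) + att_pdu
    hf = (pb_flag << 12) | (conn_handle & 0x0FFF)
    return struct.pack("<HH", hf, len(l2cap)) + l2cap


# Constructed capture: one connection (handle 0x0040), an MTU exchange, two
# writes to a made-up characteristic handle 0x0021, and one notification.
SAMPLE_CAPTURE = [
    build_acl(0x0040, bytes.fromhex("02" "1700")),              # MTU request, 23
    build_acl(0x0040, bytes.fromhex("12" "2100" "56ff0000")),   # Write Request
    build_acl(0x0040, bytes.fromhex("13")),                     # Write Response
    build_acl(0x0040, bytes.fromhex("52" "2100" "5600ff00")),   # Write Command
    build_acl(0x0040, bytes.fromhex("1b" "2500" "01")),         # Notification
]


def writes_by_handle(packets) -> dict:
    """Group every write value by the handle it was sent to. When reversing a
    custom profile this is the first thing to look at: which handle changes
    when the app does X, and what bytes it carries."""
    seen = {}
    for pkt in packets:
        att = decode_hci_acl(pkt)
        if att and att["opcode"] in (0x12, 0x52):
            seen.setdefault(att["handle"], []).append(att["value"])
    return seen


if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURE:
        print(decode_hci_acl(pkt))
    print(writes_by_handle(SAMPLE_CAPTURE))
```

The same decoder applies to a real capture once you strip the btsnoop or pcap record headers and feed it only the ACL data packets; the point to take away is that a "custom profile" still has a fixed, parseable shape on the wire, so the unknown part is only the meaning of the handles and value bytes.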

MartinP1451 year ago

Hello, thanks for your post. I am also a macOS die-hard, but did not get the buggy Kali working (not on my iMac, not on my Dell laptop), so I finally ended up testing the values using a Win10 app called "Bluetooth Lab LE". Did the trick without any dongle - I used the built-in BTLE chip of the Dell. Probably there is an app for macOS, too.