The first step to figuring out how the light bulb works is to investigate the GATT services exposed by the bulb. GATT, or Generic Attribute Profile, is the protocol layer used to read and write data on a BLE device. A device exposes a list of services, and each service exposes a list of characteristics that a BLE client application can read, write, and in some cases subscribe to for notifications. Check out this great short introduction guide for more information on Bluetooth Low Energy and GATT.
An easy way to explore the GATT of a BLE device is using a smartphone or tablet and a BLE GATT exploration app. In this case I'll use Nordic Semiconductor's Master Control Panel app for Android (Nordic has since renamed it nRF Connect for Mobile; it works the same way). This is a free app that works well at letting you explore the GATT services of a BLE device.
With a light bulb turned on, I started the master control panel app and quickly saw the light bulb advertising itself as a BLE device:
You can see master control panel lists all of the BLE devices that are advertising themselves, including this 'RGBLightOne' device that must be my light bulb. The most important thing to note here is the address of the device, 5C:31:3E:F2:16:13. The address is what identifies the device on the air, and it's what you'll use to pick the bulb out from every other advertiser. One caveat: a BLE address isn't always permanent. Devices can advertise with a fixed public address or with a random address, and a random private address can change over time, so don't assume every device you see will keep the same address forever.
Next I touched the connect button to connect and discover the GATT services exposed by the bulb:
Now things are getting a little interesting! You can see the bulb exposes a handful of services. Notice each service has a UUID (universally unique identifier), and some of the services have been recognized by master control panel as standard services defined by the Bluetooth SIG. Those standard services are identified by short 16-bit UUIDs (four hex characters) like 0x180A (Device Information) and 0x1803 (Link Loss). A 16-bit UUID is really shorthand for a 128-bit UUID built on the Bluetooth base UUID: 0xXXXX expands to 0000XXXX-0000-1000-8000-00805F9B34FB.
When a service is clicked on it drills down into the characteristics exposed by the service. For example this is what I see when I look at the device information service and read its characteristics:
Unfortunately there isn't much useful information in the device information service of the bulb. In fact the strings like model number, serial number, etc. appear to be set to default values like "Model Number" and "Serial Number".
Looking further at the services list I see two unknown services at the bottom, with UUIDs 0000ffe0-0000-1000-8000-00805f9b34fb and 0000ffa0-0000-1000-8000-00805f9b34fb. Note that these are not really custom 128-bit UUIDs: both sit on the Bluetooth base UUID, so they are just the 16-bit values 0xFFE0 and 0xFFA0, which the app doesn't recognize because the Bluetooth SIG hasn't assigned them to any standard service. A manufacturer defining its own service is supposed to pick its own 128-bit UUID; reusing unassigned 16-bit values on the base UUID is a shortcut that shows up a lot in vendor sample code. If I'm lucky the manufacturer will have documented these services so I can learn how to use the characteristics they expose.
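To make the UUID point above concrete, here is an added example (my own code, not code from the original post or from the bulb's vendor) that decodes the ATT Read By Group Type Response a client receives during primary service discovery, which is what the explorer app is doing behind the scenes, and then labels each service the way I reasoned about them above: SIG-assigned 16-bit UUID, a 16-bit value on the base UUID that the SIG has not assigned, or a true vendor 128-bit UUID. The packet bytes and handle ranges are constructed for illustration, the SIG table is only a partial list, and the 128-bit vendor UUID is a made-up placeholder, not something from this bulb.

```python
"""Decode a constructed ATT Read By Group Type Response and label each service UUID.

Added example; the sample bytes are constructed, not captured from the bulb.
"""
import struct
import uuid
from typing import List, Optional, Tuple

# Bluetooth base UUID: 16-bit SIG UUID 0xXXXX expands to 0000XXXX-0000-1000-8000-00805F9B34FB
BT_BASE_UUID = uuid.UUID("00000000-0000-1000-8000-00805F9B34FB")

# Partial table of SIG-assigned 16-bit service UUIDs (only entries relevant to this page).
SIG_SERVICES = {
    0x1800: "Generic Access",
    0x1801: "Generic Attribute",
    0x1802: "Immediate Alert",
    0x1803: "Link Loss",
    0x1804: "Tx Power",
    0x180A: "Device Information",
    0x180F: "Battery Service",
}

ATT_READ_BY_GROUP_TYPE_RSP = 0x11  # ATT opcode for the service discovery response


def expand_uuid16(short: int) -> uuid.UUID:
    """Expand a 16-bit UUID into its 128-bit form on the Bluetooth base UUID."""
    return uuid.UUID(int=BT_BASE_UUID.int | ((short & 0xFFFF) << 96))


def compress_uuid(full: uuid.UUID) -> Optional[int]:
    """Return the 16-bit alias if `full` lies on the base UUID, else None."""
    alias_mask = 0xFFFF << 96
    if full.int & ~alias_mask == BT_BASE_UUID.int:
        return (full.int & alias_mask) >> 96
    return None


def describe(full: uuid.UUID) -> str:
    """Classify a service UUID like an explorer app does, but say why."""
    short = compress_uuid(full)
    if short is None:
        return "vendor-specific 128-bit UUID"
    name = SIG_SERVICES.get(short)
    if name is not None:
        return f"0x{short:04X} SIG-assigned ({name})"
    return f"0x{short:04X} on the SIG base UUID but not SIG-assigned (vendor reuse of a 16-bit slot)"


def parse_read_by_group_type_rsp(pdu: bytes) -> List[Tuple[int, int, uuid.UUID]]:
    """Parse an ATT Read By Group Type Response into (start_handle, end_handle, uuid).

    Layout: opcode (1) | entry length (1) | entries..., each entry being
    start handle (2, LE) | end group handle (2, LE) | UUID (2 or 16 bytes, LE).
    """
    if len(pdu) < 2 or pdu[0] != ATT_READ_BY_GROUP_TYPE_RSP:
        raise ValueError("not an ATT Read By Group Type Response")
    entry_len = pdu[1]
    if entry_len not in (6, 20):
        raise ValueError(f"unexpected entry length {entry_len}")
    body = pdu[2:]
    if not body or len(body) % entry_len:
        raise ValueError("truncated or empty PDU")
    services = []
    for off in range(0, len(body), entry_len):
        start, end = struct.unpack_from("<HH", body, off)
        raw = body[off + 4 : off + entry_len]
        if entry_len == 6:
            svc = expand_uuid16(struct.unpack("<H", raw)[0])
        else:
            svc = uuid.UUID(bytes=raw[::-1])  # ATT sends 128-bit UUIDs little-endian
        services.append((start, end, svc))
    return services


def _entries16(*triples: Tuple[int, int, int]) -> bytes:
    """Build 6-byte entries (start, end, 16-bit UUID) for a constructed response."""
    return b"".join(struct.pack("<HHH", s, e, u) for s, e, u in triples)


# Constructed response: the services seen on the bulb, with made-up handle ranges.
# (GAP 0x1800 and GATT 0x1801 are present on every GATT server.)
SAMPLE_RSP_16BIT = bytes([ATT_READ_BY_GROUP_TYPE_RSP, 6]) + _entries16(
    (0x0001, 0x0007, 0x1800),
    (0x0008, 0x000B, 0x1801),
    (0x000C, 0x0016, 0x180A),
    (0x0017, 0x0019, 0x1803),
    (0x001A, 0x0020, 0xFFE0),
    (0x0021, 0x002A, 0xFFA0),
)

# Constructed, hypothetical vendor service with its own 128-bit UUID (not from the bulb).
VENDOR_UUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_RSP_128BIT = (
    bytes([ATT_READ_BY_GROUP_TYPE_RSP, 20])
    + struct.pack("<HH", 0x002B, 0x0030)
    + VENDOR_UUID.bytes[::-1]
)


def service_table(pdu: bytes) -> List[str]:
    """One human-readable line per service, like the explorer app's service list."""
    return [f"0x{s:04X}-0x{e:04X} {u} : {describe(u)}"
            for s, e, u in parse_read_by_group_type_rsp(pdu)]


if __name__ == "__main__":
    for line in service_table(SAMPLE_RSP_16BIT) + service_table(SAMPLE_RSP_128BIT):
        print(line)
```

A single response only ever carries entries of one UUID length, which is why a real discovery of a device mixing 16-bit and 128-bit services arrives as several responses; the parser handles each response on its own, and rejects a truncated one rather than silently dropping the last entry.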
In this case I did some searching online and found the two unknown services are actually defined by Texas Instruments' CC2540 development kit sample code: 0xFFA0 is its Accelerometer service and 0xFFE0 is its Simple Keys service. This is a very interesting insight as it helps identify what hardware is powering this bulb; it's very likely built around a TI CC2540 BLE system-on-chip.
Looking at all the device services for the bulb it's a bit puzzling why none of them appear to be related to LEDs or a light bulb. What likely happened is that the manufacturer adapted an existing BLE reference design (such as TI's CC2540 development kit) and its sample application to their needs instead of defining custom light bulb control services. This makes understanding how the bulb works a little more challenging, since the service names tell me nothing: I'll need to capture the GATT writes the bulb's control application sends and see which characteristics, and which values, actually control the bulb.
Continue on to learn how to sniff Bluetooth Low Energy traffic and take a deeper look at how the bulb works.