So one of my recent new
toys professional purchases was a lightsaber photography light wand. More specifically, the Yongnuo YN360.
This is a icelight clone, that in my opinion is significantly more flexible, offering white light with variable temperature control, as well as providing arbitary RGB lighting as well. Frankly, the light was a great help at adding some fill light for my photography – but this is not meant to be a product review.
nerdy cool part of this device is that it offers a bluetooth app to enable remote control of the light from a smartphone. While cool, I tried this feature, and while it requires no pairing (thanks bluetooth 4.0), it is quite awkward to use, and is significantly more difficult to use than the physical controls on the light itself.
But this had me wondering – I had never played with bluetooth 4.0 till now, but my understanding was that it is a very very simple form of communication. So I grabbed out LightBlue on my iphone, and found I could read some data! Whoo hoo! However, I couldnt figure out what I needed to send to the light to control it. My first attempt was opening the .ipa file, hoping to find some secret strings or magic numbers, but I had no luck with this avenue. Googling “iphone app disassembly” was a fairly fruitless venture also. But – there was an android app as well! Searching for “apk disassembly” yielded several useful results, and within minutes, I was able to use an online tool to decompile the app and start perusing the source code!
Now, I only know C++, not java, but from what I could see, the difference seemed to be no greater than the difference between Spanish and Portuguese – you’re not going to be having a conversation, but you quickly get the gist of what the other person is trying to say. Unfortunately, due to either a lack of patience or a lack of skill, I didn’t find the information I wanted readily, and I interrupted the search as I had another idea.
Perhaps there was some way of sniffing the comunication between my iPhone and the light? I have a mac with Bluetooth Low Energy (BTLE) and another Android with the same. Surely one of these would be able to do some man-in-the-middle capturing of data? In fact it was even easier than that.
Android 4.4+ provides the ability to log BTLE data built into the system, and I simply installed the APK on my Huawei Y550, and turned the logger on before operating the app. Extracting the log files, and opening them up in wireshark soon showed me exactly what I was looking for.
YN360 BTLE Commands:
- 0xAEAA01XXYY56 — XX is hexadecimal code for cold white LED’s YY is hexadecimal code for warm white LED’s
- 0xAEA1RRGGBB56 — RR red hexadecimal, GG green hexadecimal, BB blue hexadecimal
- 0xAEEE00000056 — Off/Standby mode
- 0xAE3300000056 — Unknown
You can open up lightblue on mac or iphone, connect to the “Yongnuo LED” device, and then send command 0xAEAA01FFFF56 and turn on the LED’s easily, from the comfort of a keyboard.