Personally, I “reverse engineered” a BT controlled lamp by decompiling the APK of the Android APP.
Luckily, the code was not obfuscated and was thus readable.
That being said, I suspect BT is only used to configure the Wifi on the Skylight, then all commands go through a private cloud of theirs, which is how it usually works.
If so, the communication is surely encrypted, thus sniffing will lead to nothing.
Thank you for the input! I don’t own an android device so I don’t know how to download the .apk file. Unfortunately, it is not available on other repositories of .apk files such as apkmirror.com.
Do you think you could download the .apk file and send it to me? The app is called pesetech.
Hi, Im wondering if anyone has had anymore luck with this? I love the skylight but controlling it with google integration is sketchy at best. There must be some way to get a local key for it. I have the bluetooth touch dimmer by the way. I was thinking maybe there would be a way to connect it using an ESP bluetooth scanner but I’m new to this
Hi there,
I have some updates. tl;dr no success yet.
I tried the following:
Impersonate their MQTT server: basically I have sniffed the MQTT traffic between the skylight and their MQTT server. I then took note of the login and the MQTT topic and message. I created a MQTT server that accepts any password given a specific username (I coded a MQTT plugin using C). Outcome: negative. Unfortunately they have implemented a unique md5 hash inside the MQTT message that is used by the client to make sure the MQTT message was really sent by the server. Further details here: networking - Reverse engineering MQTT payload in a (apparently) sophisticated smart lamp - Reverse Engineering Stack Exchange
Sniff BLE traffic: this is extremely complicated and it required specific hardware (nrf Bluetooth sniffer). It is very complicated because the only way to “hack” into the communication protocol is to impersonate a skylight, join the BLE mesh network created by your smartphone and sniff the BLE mesh network keys. This goes a bit beyond my capabilities, so I’m kind of stuck.
Upgrade the firmware of the smart pad (yes I bought one) and sniff the binary image. I did succeed into doing this, but I have no idea how to reverse engineer the binary image of the firmware of the smartpad. I did try some basic tools but I did not obtain anything. I am happy to share the two files o have sniffed through the firmware upgrade.
Decompile the android app. I did that, but honestly I have no clue how to proceed. There are thousands of files and I don’t know what to look for.
I doubt there are any other approaches, I believe the most viable one is number 2, but honestly I could not find much documentation on BLE mesh networks hacking. The software implementation of the skylight, despite the appearances, is really well done and very safe.
Hmm Good to know. Thanks so much. I sent them an email as well. I’ve found their customer service to be very useful so maybe they will have some information on how an integration might work or what their stance on matter might be.
I also contacted their support to ask if they could implement the possibility to set your own mqtt server, the development effort is 0 for them. I didn’t get any response however, which is not very nice as I helped them identify 3 bugs on the skylight itself and on the smartpad.
Let me know if you get any feedback from them.
This was the response I got from them:
Generally, when skylight in the app is online, it will only use wifi to send commands, and when offline, it will use Bluetooth. Dimmer directly uses Bluetooth to send commands to skylight.
Our engineers said that ESP32 is another module and we are not using this one. And we don’t support Home Assistant at the moment.
Thanks for trying that out. As of now, the only viable path I can see is to control it through BLE:
I don’t really have the time to try that now, I would have to learn everything from scratch.
Shall anybody have experience in BLE Mesh networks and wants to give me some direction on how to start, let me know 
The workaround I have come up with is to install a shelly m1 mini gen 3 behind the switch and to put it in decoupled mode. the smart pad seems to still be able to control it in this situation and then i use the schedule within the pesetech app to tell the light what color/brightness to be on at different times of day. I also have a backup (every now and then the switch will turn on but the light stays off) set up using the google SDK integration (which is very slow, hence the backup) where i tell it to tell google to tell pesetech to turn on the skylight and to tell it what brightness and warmth setting to set it to. Definitely hacked together and no perfect, but at least runs better with the automations than running it only through google or their native app
Thanks for sharing!
Not an option for me unfortunately, it’s cloud based 
Tried to find a DM feature here, but couldn’t.
@tamengual What version of the panel do you have, as i understand yours is different from @giovanni?
@giovanni Did you consider other manufacturers like RYOPT? i see there’s a post here, that has exactly the same data as you? Is the light from the same manufacturer, just sold under different names?
Could we talk more on discord? my handle is ateusq. Would love to ask you more about the product, and maybe we could try to convince the manufacturer to make a home assistant integration.
Hello @giovanni!
I also struggle with the same issue - I want to create homebridge integration for Pesetech Skylight lamps, but without any documentation it is difficult to make the connection and set some colours or brightness.
I contacted manufacturer asking for API documentation or at least their BLE protocol description, but they replied me they cannot share any of it. They are not even into fixing their own app (it noticed it doesn’t handle summer time transition properly!), so I don’t think they are up to add any home integration (cc: @Ateus). So fck them. I did some investigation on my own and I’ll share you my findings.
I connected the lamps to their official iOS app using guest 2.4 GHz wi-fi network. I was able to control the lamps and ProxyMan working in the background showed me HTTP requests very nicely
Basically the lights are controlled through API hosted on http://service.lepuiot[.]com. Just note that Pesetech’s official name is “Shenzhen Lepu Lighting Technology Co.,Ltd”, so Lepu API is their own service.
Here you can see example data of with single lamp unit, especially take a look on extendJson value:
But I’m really not into opening my local network traffic for any of the Chinese companies, and I still need to implement a good integration, so I decided to go harder way and try with Bluetooth.
First, I turned off my guest wi-fi network. I observed that despite of this fact, I could still control lamps in the app! Connection error messages were displayed as soon as I change emission colour, but lamps still got updated in realtime, which suggested me that there is paired and working Bluetooth connection.
So, following great NovelBits tutorial, I installed Bluetooth Profile and using Xcode PacketLogger I got a tons of pretty readable bluetooth packets! But they are still very unclear and guessing the meaning of specific bytes with try-and-compare method would take ages.
So using koying suggestion, I downloaded Pesetech apk from apkcombo[.]com and de-obfuscated it using brilliant jadx tool and it was it!
jadx decompiled classes, and because they were not very obfuscated, I got pretty readable Java code with meaningful names. Remember mentioning Lepu services? Their main lib is called lepu.smart and it is the place where magic happens. Short search and I found function responsible for sending colour to the lamp. You can even see original Chinese log informing developer about changing rgb parameter.
private void sendRgb(int[] iArr) {
String str = "A06904" + SendCommand.toHex(iArr[0], 2) + SendCommand.toHex(iArr[1], 2) + SendCommand.toHex(iArr[2], 2) + SendCommand.toHex(100, 2);
Log.i(getClass().getName(), "发送rgb参数" + str);
this.bleConnect.sendData(Utils.hexToByteArray(str), 0);
}
So now it is a great starting point! If you are still up to decoding the communication and getting working BLE commands, we can join the forces and try to take a look on it together
@mariusz2, thank you very much for the contribution.
As I was discussing with @Ateus over Discord, the theory of hacking the BLE Mesh network is quite simple, but in practical terms it’s quite complicated.
The theory is the following (I also have used novelbits giude):
I really have no idea where to start to do this, if you have any ideas I’m very happy to join forces!
Given the high security (keys exchange) of BLE Mesh, a replay attack would be not only impossible but also impactical.
Concerning the quality of the skylight: that’s bad luck, my skylight is very good quality, the build is amazing and I never had any issue!
Hello @giovanni
As I had some time this evening, I was able to dig in and… I connected to the lamp and controlled it through Bluetooth, without using original app.
In general, I was analysing source code of the decompiled Pesetech application. Really, it is great that they didn’t obfuscate the app, as I was able to not only read hardcoded Bluetooth characteristics and services UUID, but also get the general idea how connecting mechanism works. So I got first entry point:
Service: 0000FFE0-0000-1000-8000-00805F9B34FB
Characteristics: 0000FFE1-0000-1000-8000-00805F9B34FB
I was able to perform basic connection and discover things published by the device:
Analysing source code, I also saw how badly are some classes written, one of it - called BleConnect - has log messages in… Chinese, English and even French. This lack of consistency is pretty characteristic, I googled those log messages and I found that this is the same snippet commonly used by many Chinese developers. One of the earliest mentions is this Wynsbin’s article - https://wynsbin.github[.]io/2018/12/19/ble-1/. He explains what GATT specification is and how to connect to it.
To read the information, I need to subscribe the 2ADC Out Characteristic of 7FDD service, while 2ADB is used as Input. However, any command I was replicating from app and sending to the GATT didn’t bring any effect. Which is pretty expected - there is some provisioning method and I have no access
So I know that lamp BLE is basically GATT, network is called SigMesh and engineered by Telink Semiconductor Co. This led me to the nice piece of Telink documentation, where they explain the provisioning and - which is even more important for now - provide some testing tools. Fun fact: looks like that Zigbee is using very similar network. Maybe with a bit care, it would be possible to connect Pesetech lamps into Zigbee?
Ok, but we need keys and network configuration, right? Fortunately or not, it is stored in Lepu cloud and it can be found under POST https://service.lepuiot.com/app/homeSource/getMeshJsonByHomeId. It returns almost perfectly standard JSON for Telink Mesh. I will not post my configuration with UUIDs of my network and the devices 
but here you can find example file to get the idea of content and structure: https://github[.]com/thanhtunguet/TelinkBleMesh/blob/master/mesh_sample.json
If you would try to test mesh config from your own Lepu app, don’t forget to remove
sequenceNumberandpartialkeys from JSON - they cause problems with recommended debug tool.
Then I installed TelinkSigMesh from App Store, spent some time to figure out how JSON import works in this weird app (spoiler: you need to save the file directly to the app folder) and after successfully importing Pesetech network, I got my lamps listed and I could manage them!
Ok, so now we know a bit more about the network and can send/receive data from lamps. For already onboarded devices we can fetch mesh keys from Lepu cloud, while pairing new lamps should be relatively easy (as long as we call following SigMesh implementation easy) and it will allow us to avoid Lepu completely.
Telink shared Sig Mesh SDK - https://wiki.telink-semi[.]cn/wiki/protocols/Telink-Mesh/, and there are also some more usable libraries based on this SDK. So I would say next step is to give it a try try, write some code that will utilise this knowledge and connect to the lamp programatically.
I’m still a new user here, so I have some limits on putting links and pictures in single post. Here is the screenshot from TelinkSigMesh app:
@mariusz2, outstanding work!! Thank you very much for sharing. I will give a try as soon as I have a little time. The next step for myself is to try to have an esp device connect to the lamp and act as a bridge.
With ESPHome it seems like it is possible to have something simple to interact with the lamp: BLE Client — ESPHome
I don’t have much experience with ESP. Looks like that even if ESP32 itself supports SigMesh, ESPHome is missing this integration. It may be doable with basic BLE, but it will be pretty tricky since provisioning requires some conditional logic.
Good luck! Let me know if you were able to integrate it!
Hey @giovanni! Sorry, I haven’t get any email notification from this forum and since life happened, I was not actively working on PeseTech integration.
However, recently I got my own HomeAssistant and I’m re-visiting the topic as well as ESPHome part. I replied your PM
