Ramblings of an aging IT geek

sniffing a cheap BLE thermometer to find its temperature characteristic

Poking at a five-pound Bluetooth LE thermometer with gatttool to find which characteristic holds the reading and how it's encoded.


I bought a cheap BLE thermometer for about a fiver, the sort that only talks to a dubious phone app. I wanted the reading on my own dashboard instead, which meant finding out what it actually broadcasts. No soldering iron required for this one, just patience and gatttool.

First, find it. hcitool lescan gives you the MAC once the device is awake. Then connect interactively and dump the attribute table:

$ gatttool -b AA:BB:CC:DD:EE:FF -I
[AA:BB:CC:DD:EE:FF][LE]> connect
[AA:BB:CC:DD:EE:FF][LE]> char-desc

That lists every handle and its UUID. Most of it is the standard generic-access and device-information stuff. The interesting one was a vendor-specific characteristic with the "notify" property set, which is the usual giveaway that a value gets pushed when it changes rather than sitting still to be read.

Enabling notifications is the slightly fiddly bit: you write 0100 to the client characteristic configuration descriptor (the handle just above the one you care about), and then the device starts spitting out updates.

[..]> char-write-req 0x0011 0100
Notification handle = 0x0010 value: e8 00 ...

e8 00 little-endian is 232. Holding it against a known reference said the value was tenths of a degree, so 23.2°C. That was the whole puzzle: one notify characteristic, a two-byte little-endian integer, scaled by ten. Half an hour of poking and the thing is now readable from a fifteen-line script, no dubious app involved. Cheapest fun I've had all week.
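The decoding step described above, written out as an added example (this is not the script mentioned in the post). It parses gatttool's "Notification handle = ..." lines, keeps only handle 0x0010, and rejects short payloads instead of trusting whatever the device sends. Reading the integer as signed is an assumption, and every sample line except the one quoted from the post is constructed.

```python
import re
import struct

TEMP_HANDLE = 0x0010   # notify handle shown in the post
SCALE = 10.0           # tenths of a degree, per the post

# Matches gatttool's notification line and captures handle + hex bytes.
_NOTIFY_RE = re.compile(
    r"Notification handle = 0x([0-9a-fA-F]{4}) value:((?: [0-9a-fA-F]{2})+)"
)

def decode_temperature(payload: bytes) -> float:
    """Decode the first two bytes as a little-endian int16 in tenths of a degree C.

    Signed interpretation is an assumption: the post only shows a positive
    reading. Any bytes after the first two are ignored, since the post does
    not say what they hold.
    """
    if len(payload) < 2:
        raise ValueError("payload shorter than 2 bytes")
    (raw,) = struct.unpack_from("<h", payload, 0)
    return raw / SCALE

def parse_line(line: str, handle: int = TEMP_HANDLE):
    """Return degrees C for a notification on `handle`, or None otherwise."""
    m = _NOTIFY_RE.search(line)
    if m is None or int(m.group(1), 16) != handle:
        return None
    payload = bytes.fromhex(m.group(2).replace(" ", ""))
    try:
        return decode_temperature(payload)
    except ValueError:
        return None   # truncated notification: drop it, do not guess

def readings(lines, handle: int = TEMP_HANDLE):
    """Collect every valid temperature from an iterable of gatttool output lines."""
    return [t for t in (parse_line(l, handle) for l in lines) if t is not None]

SAMPLE_LINES = [
    "Characteristic value was written successfully",   # constructed
    "Notification handle = 0x0010 value: e8 00 ...",   # as quoted in the post
    "Notification handle = 0x0010 value: f6 ff",       # constructed: below zero
    "Notification handle = 0x0020 value: 01 02",       # constructed: other handle
    "Notification handle = 0x0010 value: e8",          # constructed: truncated
]

if __name__ == "__main__":
    for temp in readings(SAMPLE_LINES):
        print(f"{temp:.1f} C")
```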