Tab completion in bluetoothctl is a little wonky, but it lets you very quickly scan, connect, list services and characteristics, select the one(s) you're interested in, request descriptions (if available), directly send/receive bytes, and enable/disable notifications.
Once you figure out what data you want or which characteristics you need to poke to get your gadget to do its thing, you can use something like pygatt to build a more purpose-built client application for whatever it is you're trying to interface with.
If you want to start playing with it, get a BLE keychain, and see what you can do with it - like unlocking your desktop when you come home, tracking who is around your computer at given times, etc.
hcitool can do the basics. If you want some extras (like accelerometer data to figure out if the keytag is not just here, but "resting" or "moving") you need a better keytag and some time for debugging.
I used to use Smokeping for that back in 2002-3. Had a Vaio running Linux that did `hcitool ping [Sony Phone]` every 5 minutes. Was most amusing.
This is not hacking or reverse engineering, but it can be used for it. Also don't forget the Ubertooth, or multiple of them. Useful if you need to listen over multiple advertisement channels and need to know which channel receives what. Have fun!
To elaborate further, I have attempted using HackRF to sniff the OOB channels (e.g. NFC) with limited success. So, I'm wondering if anyone has had any experience with it.