How does your phone know that another phone has iMessage? Is it set up manually by the user or do phones lookup the phone number on Apple's servers? If the latter then would it be possible to reverse engineer this to test if any number was an iOS device?

Your phone number is associated with your Apple ID. So I'm guessing they just reverse lookup the number you're texting to determine if iMessage can be used. It can definitely be reserved engineered. Just text any number from an iOS device and see if it switches to iMessage. The only caveat is users can remove their phone number association with iMessage so you could never be 100% sure.

I see.

Do you know if messages are encrypted from device-to-device on BBM or if they are just encrypted to the hub like I message seems to be

BBM messages are encrypted end-to-end. However, BBM messages sent through the BlackBerry Internet Services (BIS) network (i.e. via your carrier) are encrypted using a RIM possessed by RIM. That means, that if/when required, they can be subpoenaed and asked for those messages.

The same is not true for BBM messages sent via the BlackBerry Enterprise Server (BES). Those are also encrypted, but using a key possessed only by your company's IT department. That means that if someone wants to read you messages, they have to subpoena your company. RIM can't help them, at all.

I'm not sure what happens when a BlackBerry connected via BES sends a BBM to a person using BIS, or even another BES network. Either decryption and re-encryption occur, or it reverts back to using RIM's private key. But it would be safe to assume that BBM messages sent within your own company's BES network are safe and secure.