diff --git a/Xiaomi-Bluetooth-Mi-Scale.md b/Xiaomi-Bluetooth-Mi-Scale.md index eb3e9c8..b99e284 100644 --- a/Xiaomi-Bluetooth-Mi-Scale.md +++ b/Xiaomi-Bluetooth-Mi-Scale.md @@ -37,7 +37,7 @@ But be aware that the weight date and time is only valid if the stabilized flag Unfortunately I could only receive the weight data if a user was on the scale and a connection was established. I didn't have access to the RAM of the Mi Scale were the history weight data was stored. Now the complicated part of the reverse engineering started. I had to capture and to analyse the Bluetooth transmission between the Mi Scale and the original [Mi Fit App](https://play.google.com/store/apps/details?id=com.xiaomi.hm.health). -For capturing the transmission I turned on the 'Bluetooth HCI Snoop Log' under the developer options on my smartphone and started the Mi Fit App. Make sure you turn off your Bluetooth before your turn on the log and if you want to turn it off do it in reverse order. For the analysing step I opened the saved log with [wireshark](https://www.wireshark.org/). +For capturing the transmission I turned on the `Bluetooth HCI Snoop Log` under the developer options on my smartphone and started the Mi Fit App. Make sure you turn off your Bluetooth before your turn on the log and if you want to turn it off do it in reverse order. For the analysing step I opened the saved log with [wireshark](https://www.wireshark.org/).
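Review bot: the touched line keeps the typo "before your turn on the log"; since the line is being rewritten anyway, change it to "before you turn on the log". The instruction "if you want to turn it off do it in reverse order" is also ambiguous about what is being reversed; spell it out (disable the snoop log first, then re-enable Bluetooth) so the reader does not have to infer the sequence from the preceding sentence.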

@@ -45,7 +45,7 @@ For capturing the transmission I turned on the 'Bluetooth HCI Snoop Log' under t Analysing initialization process with wireshark

-You will find a lot of unnecessary transmissions but to find the important operations I searched for the hex value 'E0 07' (year 2016 in little endian format) because I knew that every weight data contains the date and time. I found a lot of data package that was sending from the Mi Scale to the App that looks like the above weight data. The interesting part was that before the packages were send the App sends a write command to the scale with the value '0x02'. That must be the command to get the history data. +You will find a lot of unnecessary transmissions but to find the important operations I searched for the hex value `0xE0 0x07` (year 2016 in little endian format) because I knew that every weight data contains the date and time. I found a lot of data package that was sending from the Mi Scale to the App that looks like the above weight data. The interesting part was that before the packages were send the App sends a write command to the scale with the value `0x02`. That must be the command to get the history data. But I didn't know on which Bluetooth Service and Characteristic it was send. So I had to find out the available Bluetooth Services and Characteristic on the Mi Scale. For this I downloaded the [BLE Scanner App](https://play.google.com/store/apps/details?id=com.macdom.ble.blescanner) by Bluepixel Technology LLP. With the help of this App I could easily discover the services and characteristics and even sending/receiving data package to/from the Mi Scale. 
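Review bot: rewriting `E0 07` as `0xE0 0x07` turns the searched byte sequence into two separate byte literals, which no longer reads as the two-byte pattern the sentence says was searched for; either keep the pair as `E0 07` in backticks or state explicitly that the two bytes are the little-endian encoding of 0x07E0 = 2016. While the line is touched, fix the grammar around it: "a lot of data package that was sending from" → "a lot of data packets that were sent from", "before the packages were send" → "before the packets were sent", and "on which Bluetooth Service and Characteristic it was send" → "sent".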
@@ -59,7 +59,7 @@ But I didn't know on which Bluetooth Service and Characteristic it was send. So You can find further descriptions of the standard services and characteristics at the official [Bluetooth specification](https://www.bluetooth.com/specifications/gatt/services) website. -The weight scale service was of course the interesting part of it. we already know how the weight measurement characteristic works from the above information but there was also a custom characteristic (0x2a2f) available at which we can enable an indication flag and write some values. So I turned on the notification flag and wrote the value '0x02' to this characteristic. Now I received the history weight data of the Mi Scale. But I got two weight data at once so I had to split them up. +The weight scale service was of course the interesting part of it. we already know how the weight measurement characteristic works from the above information but there was also a custom characteristic (0x2a2f) available at which we can enable an indication flag and write some values. So I turned on the notification flag and wrote the value `0x02` to this characteristic. Now I received the history weight data of the Mi Scale. But I got two weight data at once so I had to split them up. I thought I was finished but if you take out the scale batteries and but them back you have to initialized the Mi Scale otherwise the date and time is wrong and the weight measurement history is not saved. To do this I had to capture and analyse the initialization process between the Mi Fit App and the Mi Fit Scale again. After some headache I found out that you can enable the history weight measurement with the following magic bytes `0x01 0x96 0x8a 0xbd 0x62` but before you have to enable the history weight measurement indication flag. To set the current date and time on the Mi Scale you have to send a write command to the Current Time Characteristics (2a2b) with the following byte order:
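Review bot: the formatting is now inconsistent within the hunk: `0x02` gains backticks but the characteristic handles `0x2a2f` and `2a2b` do not, and only one of them carries the 0x prefix; format both as `0x2a2f` and `0x2a2b`. The same line mixes "indication flag" and "notification flag" for what appears to be the same setting, so pick one term. Typos on the touched line: "we already know" should start with a capital after the period, "but them back" → "put them back", "have to initialized" → "have to initialize", and "Mi Fit Scale" → "Mi Scale". Finally, the text says that writing `0x02` to the custom characteristic returns the stored history but never says whether the scale required pairing or bonding before accepting that write; stating this would tell the reader whether the stored weight history is readable by any device in range or only by a bonded one.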