How to reverse engineer a Bluetooth 4.x scale - mist/openScale GitHub Wiki
The general procedure for reverse engineering a Bluetooth 4.x scale is as follows:
1. Acquiring some Bluetooth traffic
- First delete any old `btsnoop_hci.log` on your smartphone
- Turn on the `Bluetooth HCI Snoop Log` developer option on the smartphone
- Weigh yourself with the original app and note down the exact date/time together with all other information the app shows (e.g. weight, water percentage, bone mass and so on)
- Turn off the `Bluetooth HCI Snoop Log` developer option
- Save the `btsnoop_hci.log` with a meaningful filename
- Repeat steps 1-5 at least three more times with different weights (e.g. weigh yourself while holding a crate of beer), so that you have several captures with known, distinct values to compare
2. Find out the Bluetooth services and characteristics
- Install the BLE Scanner app by Bluepixel Technology LLP
- Scan for and connect to the scale with this app
- Note down the UUIDs of all services and characteristics other than `Device Information`, `Generic Access` and `Generic Attribute`
- Additionally note down for every characteristic UUID whether it is readable (R), writable (W) and/or has a notify or indication flag (I)
3. Analyse the Bluetooth protocol
- Open your first `btsnoop_hci.log` with Wireshark (version > 1.10)
- Search for the true values in the log file. A good starting point is the weight
- Convert your decimal weight into a hex value (drop the decimal separator; the scale usually sends the weight multiplied by 10 or 100 and the app divides it again afterwards). For example, if the weight is `75,3 kg` the scale may send 753, which is `02F1` in big-endian or `F102` in little-endian (a scale with two decimals would send 7530, i.e. `1D6A` / `6A1D`)
- Look for the weight value, most likely in little-endian format, in the packets sent from the scale to the app (source should be `remote()` and destination `localhost()`)
- If you have found a value string that contains the weight, try to find other values in the same string as well (e.g. water percentage and date/time)
- Decoding the date/time is the most difficult part because the format is unknown. It could be a Unix timestamp or something different. A good free tool to help you identify the time format is DCode by Digital Detective
- Next we have to find out which configuration steps are needed to trigger the scale to send us the values
- Search in Wireshark for the first data packet from the scale which contains your weight value
- Now analyse the previous data packets and note down which values were written to which characteristic UUID (source should be `localhost()` and destination `remote()`)
- Also note down for which UUIDs the notification or indication flag was enabled (in the capture this shows up as a write of `0100` or `0200` to the Client Characteristic Configuration descriptor of that characteristic)
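The search described in step 3 can be scripted instead of done by hand in Wireshark. The following is an added example for this page, not code from openScale: it parses an Android `btsnoop_hci.log`, picks out the ATT notifications sent by the scale, looks for the noted weight in the x10/x100, little- and big-endian encodings discussed above, lists every write the app made before that packet (flagging the `0100`/`0200` CCCD writes), and scans the same value string for a 32-bit field that decodes to a Unix time near the noted date/time. It assumes the Android btsnoop layout (big-endian record headers, H4 packet-type byte) and unfragmented ACL packets; the sample log, the handles `0x12`/`0x14`/`0x15` and the unit byte `0x02` are constructed for the demonstration and do not belong to any real scale.

```python
"""Locate a known weight in an Android btsnoop_hci.log (added example, not openScale code).

Assumes the Android btsnoop format: magic "btsnoop\\0", big-endian version and datalink
type, then records (orig_len, incl_len, flags, drops, 64-bit timestamp; big-endian) whose
payload starts with an H4 packet-type byte. Only unfragmented ACL packets carrying ATT
(L2CAP CID 0x0004) are decoded. SAMPLE_LOG at the bottom is constructed by hand.
"""
import struct
from datetime import datetime, timezone

ATT_CID = 0x0004
OPNAMES = {0x12: "WriteReq", 0x52: "WriteCmd", 0x1B: "Notify", 0x1D: "Indicate"}
CCCD_VALUES = (b"\x01\x00", b"\x02\x00")  # enable notification / enable indication

def parse_btsnoop(blob):
    """Yield (direction, att_pdu) for every ATT PDU in the log, in file order."""
    if blob[:8] != b"btsnoop\0":
        raise ValueError("not a btsnoop file")
    pos = 16  # skip magic (8) + version (4) + datalink type (4)
    while pos + 24 <= len(blob):
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[pos:pos + 24])
        pkt = blob[pos + 24:pos + 24 + incl]
        pos += 24 + incl
        direction = "remote->localhost" if flags & 1 else "localhost->remote"
        if len(pkt) < 9 or pkt[0] != 0x02:  # H4 packet type 0x02 = ACL data
            continue
        l2len, cid = struct.unpack("<HH", pkt[5:9])  # after ACL handle/flags + length
        if cid == ATT_CID:
            yield direction, pkt[9:9 + l2len]

def decode_att(att):
    """Return (opname, handle, value) for write/notify/indicate PDUs, else None."""
    if len(att) >= 3 and att[0] in OPNAMES:
        return OPNAMES[att[0]], struct.unpack("<H", att[1:3])[0], att[3:]
    return None

def weight_patterns(weight_kg):
    """Byte patterns a scale might send for weight_kg: x10 or x100, LE or BE."""
    pats = {}
    for factor in (10, 100):
        n = round(weight_kg * factor)
        pats[f"x{factor} LE16"] = n.to_bytes(2, "little")
        pats[f"x{factor} BE16"] = n.to_bytes(2, "big")
    return pats

def time_candidates(value, noted_time, window_s):
    """Offsets where a 32-bit LE/BE field decodes to a Unix time near noted_time."""
    target, hits = noted_time.timestamp(), []
    for off in range(len(value) - 3):
        for order, fmt in (("LE", "<I"), ("BE", ">I")):
            t = struct.unpack(fmt, value[off:off + 4])[0]
            if abs(t - target) <= window_s:
                hits.append((off, order, datetime.fromtimestamp(t, timezone.utc).isoformat()))
    return hits

def find_weight(blob, weight_kg, noted_time, window_s=86400):
    """First scale->app PDU containing the weight, plus every app->scale write before it."""
    pats, writes = weight_patterns(weight_kg), []
    for direction, att in parse_btsnoop(blob):
        decoded = decode_att(att)
        if decoded is None:
            continue
        op, handle, value = decoded
        if direction == "localhost->remote":
            writes.append({"op": op, "handle": handle, "value": value.hex(),
                           "cccd": value in CCCD_VALUES})
            continue
        for label, pat in pats.items():
            off = value.find(pat)
            if off >= 0:
                return {"op": op, "handle": handle, "value": value.hex(), "encoding": label,
                        "offset": off, "writes_before": writes,
                        "time_candidates": time_candidates(value, noted_time, window_s)}
    return None

# ---- constructed sample log (not a real capture) ----
def _att_packet(att):
    l2 = struct.pack("<HH", len(att), ATT_CID) + att
    return b"\x02" + struct.pack("<HH", 0x0040, len(l2)) + l2  # H4 ACL, conn handle 0x40

def _record(received, pkt):
    return struct.pack(">IIIIq", len(pkt), len(pkt), 1 if received else 0, 0, 0) + pkt

MEAS_TIME = datetime(2016, 4, 3, 18, 25, tzinfo=timezone.utc)  # time noted while weighing
# App writes a hypothetical unit byte 0x02 to handle 0x12, enables notifications on the CCCD
# at 0x15 and gets a Write Response; the scale then notifies handle 0x14 with
# [flags 0x10][weight 753 LE -> 75.3 kg][water 550 LE -> 55.0 %][Unix time LE].
SAMPLE_LOG = (
    b"btsnoop\0" + struct.pack(">II", 1, 1002)
    + _record(False, _att_packet(b"\x52" + struct.pack("<H", 0x0012) + b"\x02"))
    + _record(False, _att_packet(b"\x12" + struct.pack("<H", 0x0015) + b"\x01\x00"))
    + _record(True, _att_packet(b"\x13"))
    + _record(True, _att_packet(b"\x1b" + struct.pack("<H", 0x0014) + b"\x10"
                                + struct.pack("<HHI", 753, 550, int(MEAS_TIME.timestamp()))))
)

if __name__ == "__main__":
    print(find_weight(SAMPLE_LOG, 75.3, MEAS_TIME))
```

To use it on a real capture, read your saved `btsnoop_hci.log` into `blob` and call `find_weight(blob, <weight>, <noted time>)`; run it once per capture and compare the reported handle, offset and preceding writes across the different weights. A hit that moves with the weight while the surrounding bytes stay put is the field you want; the `time_candidates` list only covers Unix-style 32-bit stamps, so an empty list there means the scale uses another format and DCode is the next stop.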