2025-03-28 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Shulou(Shulou.com)05/31 Report--
This article explains how to take control of the Xiaomi bracelet 2 (Mi Band 2) from Linux, with a detailed analysis and a working approach, for anyone who wants a simple, feasible way to do it.
The story started with a Facebook post discussing the lack of an API for exercise and fitness trackers, and why not use one to help data scientists do something cool.
After the post, my good friend Volodymyr Shymanskyy responded and found Leo Soares's project on GitHub, with some code for my fitness tracker, the Xiaomi bracelet 2. He tried to run it, but there was a problem with the connection, so it took him several hours to fix. After that he submitted a commit and sent me the link.
That met my initial needs. It is quite OK: the code can connect to the bracelet, post notifications, and take a heart-rate measurement. But that is not enough for me, because I want real-time raw data from the sensors for my data science experiments (I want to build a fitness predictor).
Before this I had no experience with Bluetooth devices, so first I tried to understand how all of this is organized and how it works. As it turns out, it is nothing exotic.
Each Bluetooth device exposes several services, each with characteristics, and some characteristics have descriptors (used when the characteristic has several parameters or modes of operation, such as read | notify). Some characteristics are simple read/write values, such as current time, battery status or revision information. Others are more complex and work through request/notification cycles, such as real-time heart rate monitoring and authorization. Basically, you need to know all this before you can start.
You also need two applications to help debug Bluetooth devices: Wireshark and BLE debugger. You also need access to the Android phone's developer options (sorry, I don't know how to do that for iOS yet).
First of all, you need to unpair the Xiaomi bracelet 2 from the mobile app.
Now let's take a look at the services and characteristics of the bracelet. Open BLE debugger, start scanning, and you will see the bracelet in the scan results (the original article shows a screenshot here).
Save the MAC address of the device, which will be used in subsequent operations.
Now let's connect to it and see which services and characteristics it runs (the original article shows a screenshot of the service list here).
In the above two simple operations, we have obtained some useful device information.
Another way is to use the console tools hcitool and gatttool.
Scan:
sudo hcitool lescan
Connect and get services and descriptors (the lines starting with > are typed at the gatttool interactive prompt):
sudo gatttool -b YOUR_MAC -I -t random
> connect
> primary
> char-desc
In some cases the BLE stack may fail; turn Bluetooth off and on, or run:
sudo hciconfig hci0 reset
Data sniffing
To sniff the communication between the phone and the bracelet, we need to enable Bluetooth logging in the developer settings. To do this, you must first turn on the developer options on your Android phone.
The following are the detailed steps of the operation:
On Android 4.1 and earlier, the developer options screen is available by default. In Android 4.2 and later, you must enable this screen as follows:
1. Turn on the phone settings.
2. (Android 8.0 or later only) Select System.
3. Scroll to the bottom and select About phone.
4. Scroll to the bottom and tap Build number 7 times.
5. Return to the previous screen to find developer options near the bottom.
Now open the developer settings, find Enable Bluetooth HCI snoop log and turn it on. From then on, all Bluetooth communication is recorded. Then you need to find a file called btsnoop_hci.log (on my phone (Android 7.0) it is at /mtklog/btlog/btsnoop_hci.log).
Authentication
Now we need to do the following to get some information about how authentication (pairing) works.
1. Turn on Bluetooth and HCI logging.
2. Pair your device with Xiaomi's Android app.
3. Turn off Bluetooth.
4. Copy btsnoop_hci.log to your computer.
5. Open it with Wireshark.
6. Find the first ATT protocol request on handle 0x0055.
(The original article shows a Wireshark screenshot of this request here.)
This is the authentication step:
Pairing the device
Main Service UUID
0000fee1-0000-1000-8000-00805f9b34fb
Authentication characteristics (Char) UUID
00000009-0000-3512-2118-0009af100700
Notification descriptor (Des) handle
0x2902 (all processes are the same)
1. Turn on auth notifications (so we get responses) by writing the 2-byte request \x01\x00 to Des.
2. Send the 16-byte encryption key to Char with the command: 2 bytes \x01\x00 + KEY.
3. Request a random key from the device by sending the 2-byte command \x02\x00 to Char.
4. Take the random key from the device response (the last 16 bytes).
5. Encrypt this random number with our 16-byte key using AES/ECB/NoPadding (from Crypto.Cipher import AES) and send it back to Char as \x03\x00 + encrypted data.
Authentication
1. Request a random key from the device by sending the 2-byte command \x02\x00 to Char.
2. Take the random key from the device response (the last 16 bytes).
3. Encrypt this random number with our 16-byte key using AES/ECB/NoPadding (from Crypto.Cipher import AES) and send it back to Char as \x03\x00 + encrypted data.
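The pairing and re-authentication exchanges above, played out against a simulated bracelet so they run offline. This is an added example, not the article author's code or the Leo Soares project's. Assumptions: the bracelet is simulated (its 3-byte status prefix before the 16-byte random key is made up, the article only says the random key is the last 16 bytes of the response), and AES-128 is a small pure-Python implementation so no crypto package is required. Note what the first pairing step means in practice: the 16-byte key is written to Char in the clear, so anyone sniffing that one exchange, or reading the btsnoop_hci.log you captured above, has the key; treat those logs as sensitive.

```python
# Mi Band 2 auth handshake against a simulated band (constructed stand-in).
import os

AUTH_SERVICE_UUID = "0000fee1-0000-1000-8000-00805f9b34fb"
AUTH_CHAR_UUID = "00000009-0000-3512-2118-0009af100700"
NOTIFY_DESCRIPTOR = 0x2902


# ---- minimal AES-128, one block (what AES/ECB/NoPadding does per block) ----
def _xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _make_sbox():
    sbox, p, q = [0] * 256, 1, 1
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q ^= (q << 1) & 0xFF; q ^= (q << 2) & 0xFF; q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09                                           # q /= 3, so q == 1/p
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


_S = _make_sbox()


def _expand_key(key):
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [_S[b] for b in t[1:] + t[:1]]      # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]   # 11 round keys


def aes128_encrypt_block(key, block):
    """AES-128 encryption of one 16-byte block (ECB, no padding)."""
    if len(key) != 16 or len(block) != 16:
        raise ValueError("key and block must both be 16 bytes")
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [_S[b] for b in s]                                          # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                    # MixColumns
            m = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                m += [_xtime(a[0]) ^ _xtime(a[1]) ^ a[1] ^ a[2] ^ a[3],
                      a[0] ^ _xtime(a[1]) ^ _xtime(a[2]) ^ a[2] ^ a[3],
                      a[0] ^ a[1] ^ _xtime(a[2]) ^ _xtime(a[3]) ^ a[3],
                      _xtime(a[0]) ^ a[0] ^ a[1] ^ a[2] ^ _xtime(a[3])]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]                         # AddRoundKey
    return bytes(s)


# ---- the commands from the article, as bytes written to Des / Char ----------
def cmd_enable_auth_notify():
    return b"\x01\x00"                  # step 1 of pairing: written to Des (0x2902)

def cmd_send_key(key):
    return b"\x01\x00" + key            # pairing only: the key crosses the air in clear

def cmd_request_random():
    return b"\x02\x00"

def random_from_response(resp):
    if len(resp) < 16:
        raise ValueError("response too short for a 16-byte random key")
    return resp[-16:]                   # the random key is the last 16 bytes

def cmd_auth_response(key, random_key):
    return b"\x03\x00" + aes128_encrypt_block(key, random_key)


class SimulatedBand:
    """Constructed stand-in for the band's Char; its replies are made up."""
    def __init__(self):
        self.key = self.random = None
        self.authenticated = False

    def write(self, data):
        if data[:2] == b"\x01\x00" and len(data) == 18:
            self.key = bytes(data[2:])          # pairing: band stores the key
            return b"\x10\x01\x01"
        if data == b"\x02\x00":
            self.random = os.urandom(16)
            return b"\x10\x02\x01" + self.random  # constructed prefix + random
        if data[:2] == b"\x03\x00" and self.key and self.random:
            self.authenticated = data[2:] == aes128_encrypt_block(self.key, self.random)
            return b"\x10\x03" + (b"\x01" if self.authenticated else b"\x04")
        return b"\x10\x00\x04"


def run_handshake(band, key, pair):
    """Pairing (pair=True, steps 2-5) or re-authentication (pair=False)."""
    if pair:
        band.write(cmd_send_key(key))
    rnd = random_from_response(band.write(cmd_request_random()))
    band.write(cmd_auth_response(key, rnd))
    return band.authenticated
```

Against a real bracelet you would replace SimulatedBand.write with a GATT write to Char (and the descriptor write from cmd_enable_auth_notify) and read the random key from the notification instead of the return value; the command framing and the AES step stay the same.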
Real-time data
This is a bit trickier than the authentication process, because I did not see any errors in the process :) and because the heart rate monitor turns itself off after 15 seconds.
Hardware Services (HRDW) UUID
0000fee0-0000-1000-8000-00805f9b34fb
Heart monitor service (HMS) UUID
0000180d-0000-1000-8000-00805f9b34fb
Heart rate measurement characteristics (HRM) UUID
00002a37-0000-1000-8000-00805f9b34fb
Heart monitor control characteristic (HMC) UUID
00002a39-0000-1000-8000-00805f9b34fb
Sensor characteristics (SENS) UUID
00000001-0000-3512-2118-0009af100700
Notification descriptor (DES) handle
0x2902 (all processes are the same)
1. Stop the current monitor measurements.
2. Stop the one-shot measurement by sending the request \x15\x02\x00 to HMC.
3. Stop continuous measurements by sending a request to HMC.
4. Enable gyroscope and raw heart data by sending the command \x01\x03\x19 to SENS.
5. Enable notifications by writing \x01\x00 to the DES of HRM.
6. Start continuous heart measurements by sending the request \x15\x01\x01 to HMC.
7. Send the command \x02 to SENS (I don't know why this instruction is needed).
8. Then, while you are receiving notifications, send a \x16 ping to HMC every 12 seconds.
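The start sequence and the keep-alive timing from the steps above, as an added example that is not part of the original article. It assumes a caller that performs the GATT writes; the 12-second ping interval and the 15-second monitor timeout come from the article, while step 3's stop-continuous request bytes are not given on the page and are therefore left out of the sequence. The KeepAlive class handles the failure mode the article mentions: if notifications stop for 15 seconds the monitor is assumed to have switched off and the start sequence must be reissued.

```python
# Real-time heart/gyro session control for the Mi Band 2 (added example).
HMC_UUID = "00002a39-0000-1000-8000-00805f9b34fb"
HRM_UUID = "00002a37-0000-1000-8000-00805f9b34fb"
SENS_UUID = "00000001-0000-3512-2118-0009af100700"
NOTIFY_DESCRIPTOR = 0x2902
PING = b"\x16"


def start_sequence():
    """GATT writes, in order, that start continuous raw data (steps 2 and 4-7)."""
    return [
        ("HMC", HMC_UUID, b"\x15\x02\x00"),          # stop one-shot measurement
        ("SENS", SENS_UUID, b"\x01\x03\x19"),        # enable gyro + raw heart data
        ("HRM DES", HRM_UUID, b"\x01\x00"),          # notifications on via 0x2902
        ("HMC", HMC_UUID, b"\x15\x01\x01"),          # start continuous measurement
        ("SENS", SENS_UUID, b"\x02"),                # required; purpose unknown
    ]


class KeepAlive:
    """Decides when to ping HMC and when the monitor must be assumed off."""
    def __init__(self, ping_every=12.0, monitor_timeout=15.0):
        self.ping_every, self.monitor_timeout = ping_every, monitor_timeout
        self.last_ping = self.last_notification = None

    def start(self, now):
        self.last_ping = self.last_notification = now

    def on_notification(self, now):
        self.last_notification = now

    def due(self, now):
        """'restart' if the monitor went silent, 'ping' if a ping is due (and
        record it), otherwise None.  Silence wins over a pending ping."""
        if now - self.last_notification >= self.monitor_timeout:
            return "restart"
        if now - self.last_ping >= self.ping_every:
            self.last_ping = now
            return "ping"
        return None


def replay(events, ping_every=12.0, monitor_timeout=15.0):
    """Replay (time, 'notify' | 'tick') events and return the (time, action)
    list a controller would have emitted; lets the timing be checked offline."""
    ka = KeepAlive(ping_every, monitor_timeout)
    actions = []
    for t, ev in events:
        if ka.last_ping is None:
            ka.start(t)                 # start_sequence() would be written here
        if ev == "notify":
            ka.on_notification(t)
        act = ka.due(t)
        if act == "restart":
            actions.append((t, "restart"))
            ka.start(t)                 # reissue start_sequence(), reset timers
        elif act == "ping":
            actions.append((t, "ping")) # write PING to HMC
    return actions


if __name__ == "__main__":
    # Constructed timeline: notifications at 0, 6 and 13 s, then silence.
    print(replay([(0, "notify"), (6, "notify"), (12, "tick"),
                  (13, "notify"), (24, "tick"), (40, "tick")]))
```

In a live loop, call due() from the same thread that reads notifications, pass the current monotonic time, write PING to HMC on "ping", and rerun start_sequence() on "restart".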
Parsing data
This is the most tedious part, because basically you need to work out how to unpack the packed data coming from the device.
Some of it can be worked out from the log, and some can't.
This is the device's response for the current time (the original article shows a screenshot here).
It may take some time to find the right packets and encoding. In my case I had to look for similar byte patterns and repeated values in adjacent packets.
Raw heart: 02102d8c348c448c458c3d8c428c488c 16
Raw heart: 0218468c418c3d8c468c3f8c398c418c 16
Realtime heart: 93
Raw heart: 0220408c448c3f8c428c498c3c8c3d8c 16
Raw heart: 02283d8c398c488c3e8c468c488c328c 16
Realtime heart: 99
Raw heart: 0230438c408c378c3a8c318c458c388c 16
Realtime heart: 102
Raw heart: 02404f8c408c458c428c4d8c558c4d8c 16
Raw heart: 02483e8c3b8c3f8c348c398c318c428c 16
Realtime heart: 98
Raw heart: 02504c8c428c5e8c4f8c588c498c558c 16
Raw heart: 0258478c458c3c8c4e8c3f8c468c4d8c 16
Realtime heart: 100
Raw heart: 0260518c4d8c4f8c4b8c4f8c528c458c 16
Raw heart: 0268408c3f8c538c4d8c408c548c598c 16
Realtime heart: 102
Raw heart: 0278418c508c4e8c548c588c468c498c 16
Raw heart: 0280368c328c2e8c3c8c338c308c3f8c 16
Realtime heart: 101
We can see clear, repeating data: 368c 328c 2e8c 3c8c 338c 308c 3f8c, and the packet length is 16 bytes. So if we unpack the payload as 2-byte unsigned shorts, we get the raw measurements of seven heart sensors. We also see that the second byte is just a counter; I think it only tracks the time difference between responses.
Raw gyro: 01de49ffd9ff3c004cffd8ff3b004dffdcff4400
Raw gyro: 01df4cffd6ff44004dffd8ff40004cffd1ff4700
Raw gyro: 02e1103231323d3274328e329632af32c732cf32
Raw gyro: 01e34fffd7ff56004bffc7ff590049ffccff4c00
Raw gyro: 01e443ffccff43004effcdff40005bffd4ff4c00
Raw gyro: 01e558ffc9ff5f005effbfff66005fffb0ff5900
Raw gyro: 01e64cffacff60005cffa7ff410066ffc9ff4600
Raw gyro: 01e760ffdcff4b0051ffe4ff4f0034ffdeff5300
Raw gyro: 02e903365c36813663361036543688374139fe3a
Raw gyro: 01eb4bffc3ff50004fffc1ff430047ffbbff4100
Raw gyro: 01ec3effb2ff3c0050ffbfff560047ffccff7300
Raw gyro: 01ed4fffe0ff78005cffebff8e0056fff6ff8300
Raw gyro: 01ee7efffbffa1008bff0f00bc00b1ff1900b800
Raw gyro: 01ef9bff0c00d10095fff3ffd600b7ff0800df00
Raw gyro: 02f12445314600479e473348aa481c499749244a
Raw gyro: 01f3c3ff1600fe00beff1800f200a6ff0800e700
Raw gyro: 01f4a9fff8ffd300a7fff3ffd700a9fff1ffdf00
Raw gyro: 01f5b1fff8ffe800b4fff1fff700acfffcffef00
Raw gyro: 01f67ffff7ffc0006bfff4ffb00078ffe9ffb600
Raw gyro: 01f786ffecffc0006ffff0ffbc0060fff1ffc000
Raw gyro: 02f9ca4cbb4c784c964ca84c784c854c444c1b4c
Raw gyro: 01fb7cff0f00bb007eff2700ae0083ff30009800
Raw gyro: 01fc79ff1800b00076ff0f00bc0068ff0900d900
Raw gyro: 01fd78ff07000c01f6fffbff19011c000b00f600
Raw gyro: 01fe4b001100d30054000700c3004300efffeb00
Raw gyro: 01ff1f00d0ff1701fbffe8ff1b01e3ffffff1101
Raw gyro: 0201214b014bec4ad04aba4acb4abe4aba4abd4a
Raw gyro: 0103efffecfffc00e3fff3fff300defff3fffc00
Raw gyro: 0104e3fff0fff400e6ffefff0301dbffe9ff0c01
Raw gyro: 0105e3fff0ff0301e6ffe6fffc00dcffecfffc00
Raw gyro: 0106dffff0fff700dbffeefff600d6fff0fff400
Raw gyro: 0107dfffecffff00e1fff0ff0301defff3fffc00
The gyroscope data is a bit harder. My idea was that it should be packed similarly to the heart data, but here each packet holds three samples of the x, y, z axes, each value signed, and the packet length is 20 bytes. Three signed x/y/z triplets take 18 bytes, which leaves the first 2 bytes as the header (the same as in the heart packets). I tried it that way and it worked.
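A parser for the two dumps above (the raw heart packets and the gyroscope packets), as an added example that is not the article author's code. It assumes, consistently with the dumps but not stated on the page, that the first byte is a packet type (0x02 for the 16-byte raw heart packet, 0x01 for the 20-byte gyro packet), that the second byte is the running counter, and that the values are little-endian. Packets that match neither layout, such as the 20-byte type-0x02 packets that appear in the gyro stream, are kept as unknown rather than decoded into nonsense. The sample log is constructed from a few of the lines above.

```python
# Decoder for Mi Band 2 SENS notifications as dumped above (added example).
import re
import struct

# Constructed test input: a handful of the dump lines from the article.
SAMPLE_LOG = """\
Raw heart: 0278418c508c4e8c548c588c468c498c 16
Raw heart: 0280368c328c2e8c3c8c338c308c3f8c 16
Realtime heart: 101
Raw gyro: 01de49ffd9ff3c004cffd8ff3b004dffdcff4400
Raw gyro: 02e1103231323d3274328e329632af32c732cf32
"""

LINE_RE = re.compile(r"^(Raw heart|Raw gyro|Realtime heart): ([0-9a-fA-F]+)(?: (\d+))?$")


def parse_sensor_packet(data: bytes) -> dict:
    """Decode one SENS notification: type byte, counter byte, then samples."""
    if len(data) < 2:
        raise ValueError("packet too short: %r" % (data,))
    kind, counter, body = data[0], data[1], data[2:]
    if kind == 0x02 and len(data) == 16:
        # 7 unsigned 16-bit readings, one per heart sensor (assumed little-endian).
        return {"kind": "heart_raw", "counter": counter,
                "samples": list(struct.unpack("<7H", body))}
    if kind == 0x01 and len(data) == 20:
        # 2-byte header + 3 samples of signed (x, y, z) = 18 bytes.
        v = struct.unpack("<9h", body)
        return {"kind": "gyro", "counter": counter,
                "samples": [v[i:i + 3] for i in range(0, 9, 3)]}
    # Unknown layout: keep the bytes so nothing is silently mis-decoded.
    return {"kind": "unknown", "counter": counter, "raw": body.hex()}


def parse_log(text: str) -> list:
    """Turn dump lines into decoded records; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label, value, length = m.groups()
        if label == "Realtime heart":
            records.append({"kind": "heart_bpm", "bpm": int(value)})
            continue
        data = bytes.fromhex(value)
        if length is not None and int(length) != len(data):
            raise ValueError("length field %s does not match %d bytes" % (length, len(data)))
        records.append(parse_sensor_packet(data))
    return records


def mean_heart_sensors(records: list) -> list:
    """Per-sensor mean of the raw heart readings, a first look at the signal."""
    rows = [r["samples"] for r in records if r["kind"] == "heart_raw"]
    if not rows:
        return []
    return [sum(col) / len(rows) for col in zip(*rows)]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
    print(mean_heart_sensors(parse_log(SAMPLE_LOG)))
```

The length field on the "Raw heart" lines is checked against the decoded byte count, which catches a truncated copy-paste of a dump before it turns into a misleading reading.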
That is how to take control of the Xiaomi bracelet 2 from Linux. I hope the above is of some help to you; if you still have questions, follow the industry information channel for more related material.