Xiao Mi band protocol analysis

2015-12-28

I have used the Mi band for 2 months, and during these 2 months I analyzed how the Bluetooth Low Energy protocol works and how the Mi Fit App communicates with the Mi band. There are 2 parts in this report. The first part is about analyzing the data recorded by the Mi Fit App, and the second is about BLE communication.

Data analysis

The Mi Fit App saves all of its data under /data/data/com.xiaomi.hm.health/, which only Mi Fit itself and apps running as root can reach. So I think it’s not possible for other Apps on Android to steal the data, which was mentioned in the initial “Draft Scope”. Mi Fit saves most of its data in /databases and /shared_prefs.

In P2, user-db stores user information such as the name, and sports.db stores your running data. All of this data has also been pushed to the vendor’s server: when you change the phone or the Mi band, the App downloads the data from the server again. In P3, there is also other data such as configuration files.

Xmxm and his friends have done a lot of work to extract, clean and analyze Mi band data. Here, I use their tools to extract and analyze the data. P4 shows a statistical chart of sleep and activity, and P5 shows the daily step data.

BLE communication

Bluetooth Low Energy Protocol

Bluetooth low energy is a wireless personal area network technology designed and marketed by the Bluetooth Special Interest Group aimed at novel applications in the healthcare, fitness, beacons, security, and home entertainment industries.

Bluetooth Smart (low energy) wireless technology features:

  1. Ultra-low peak, average and idle mode power consumption
  2. Ability to run for years on standard coin-cell batteries
  3. Low cost
  4. Multi-vendor interoperability
  5. Enhanced range

As shown in P6, the BLE stack looks like the TCP/IP protocol stack, and the two are very similar. The bottom 3 layers deal with the radio hardware, pairing and encryption. The top 4 layers (the Host and Application layers) are the ones exposed to applications and operating systems. So, in analyzing how the Mi band communicates with the Mi Fit App, I focus on the top layers, more precisely on the GATT server.

The attributes in a GATT server are grouped into services, each of which can contain zero or more characteristics. These characteristics, in turn, can include zero or more descriptors.

P8 illustrates an instance of the HRS on a fictitious server. This would not be the only service contained in the server, so you can see this as a partial slice of the complete set of attributes that a client could access. Everything in the BLE protocol, whether service, characteristic or descriptor, is identified by a UUID (16-bit or 128-bit).

So, communication between the Mi band and the Mi Fit App uses many UUIDs, and sniffing the BLE data alone does not yield much useful information. What I did was combine sniffing with reverse engineering to analyze the communication process.

Analysis of the Mi band communication protocol

First of all, let’s see how many services and characteristics the Mi Fit App has.

From P9, we can see there are 6 services: 0x1800, 0x1801, 0xfee0, 0xfee1, 0xfee7 and 0x1802. 3 of them, 0x1800, 0x1801 and 0x1802, have been adopted by the Bluetooth SIG (Special Interest Group), which means they have defined meanings that we can look up in the list of BLE Services. Services 0xfee0, 0xfee1 and 0xfee7 are custom services of the vendor, and only the vendor knows the meaning of each UUID.

As for characteristics, there are over 20 of them and most belong to the 0xfee0 service. The remaining 2 services, 0xfee1 and 0xfee7, are not implemented in the Mi Fit App. Maybe the vendor will complete them in a following version.

Table 2 shows the meaning of every characteristic in 0xfee0 service.

If I read 0xff02 and its value is 60-09-4d-49, how do I interpret it? In fact, every value has its own specific definition.

0xff01, DEVICE_INFO

The length of the value is 16 bytes.

  • Byte[0-3] --> device ID
  • Byte[4-7] --> profile version
  • Byte[8-9] --> feature
  • Byte[10-11] --> appearance
  • Byte[12-13] --> hardware version
  • Byte[14-15] --> firmware version

0xff02, DEVICE_NAME

Hex to String

0xff03, NOTIFICATION

The Mi Fit App gets descriptor 0x2902, but I can’t figure out what it does next. Maybe it’s used to notify the App when the band has new data to upload.

0xff04, USER_INFO

(get data from Mi cloud)

  • Byte[0-3] --> user ID
  • Byte[4] --> gender (0:female, 1:male)
  • Byte[5] --> age
  • Byte[6] --> height
  • Byte[7] --> weight
  • Byte[8-11] --> alias

0xff05, CONTROL_POINT

  • Factory reset --> write 9 to control point
  • Reboot --> write 12
  • Send notification --> write 8 and xxx
  • Stop motor vibrate --> write 19
  • Sync --> write 11
  • Stop sync data --> write 17
  • Get sensor data --> write 18 and 1 to enable, write 18 and 0 to disable
  • Get activities --> write 6
  • Send firmware info --> write 7 and info
  • Set color theme --> write 14, R, G, B, D to Characteristic 0xFF05 (CONTROL_POINT), where R, G and B are single bytes representing the red, green and blue values and D is 0 (don't flash) or 1 (quickly flash the color).
  • Set goal --> write 5 and goal
  • Set real time steps --> write 16 and steps (2 bytes)
  • Set time --> write 4 and times (12 bytes)
  • Set wear location --> write 15 and 1 parameter (left, right or neck)

0xff06, REALTIME_STEPS

Hex --> Int

0xff07, ACTIVITY_DATA

  • Byte[0] --> category (126 --> run)
  • Byte[1] --> intensity
  • Byte[2] --> steps

0xff08, FIRMWARE_DATA

I can’t figure out the format.

0xff09, LE_PARAMS

Each field is a little-endian 16-bit value:

  • connIntMin: 0xffff & ((0xff & byte[0]) | ((0xff & byte[1]) << 8))
  • connIntMax: 0xffff & ((0xff & byte[2]) | ((0xff & byte[3]) << 8))
  • latency: 0xffff & ((0xff & byte[4]) | ((0xff & byte[5]) << 8))
  • timeout: 0xffff & ((0xff & byte[6]) | ((0xff & byte[7]) << 8))
  • connInt: 0xffff & ((0xff & byte[8]) | ((0xff & byte[9]) << 8))
  • advInt: 0xffff & ((0xff & byte[10]) | ((0xff & byte[11]) << 8))

0xff0a, DATE_TIME

12 bytes: year-month-day-hour-minute-second, year-month-day-hour-minute-second. The first date is Gregorian and the second one is lunar.

0xff0b, STATISTICS

  • Byte[0] --> wake (ms)
  • Byte[1] --> vibrate (ms)
  • Byte[2] --> light (ms)
  • Byte[3] --> conn (s)
  • Byte[4] --> adv (s)

0xff0c, BATTERY

  • Byte[0] --> level in %
  • Byte[1-6] --> year (add 2000)-month-day-hour-minute-second
  • Byte[7-8] --> charge times
  • Byte[9] --> status (1 = Battery low, 2 = Battery charging, 3 = Battery full (charging), 4 = Not charging)

0xff0d, TEST

  • Write 2 to Characteristic 0xFF0D (TEST). Your Mi Band will do crazy things (LED flashing, vibrating)
  • Write 1 to Characteristic 0xFF0D (TEST) --> disconnect

0xff0e, SENSOR_DATA

I can’t figure out the meaning.

Now that I know the meaning of every UUID, I can analyze the sniffed BLE data.

We can see the Master (the Android phone) wants to read the data in handle 0x002c. According to P9, it’s between 0x0010 and 0x0039, so the service the Master wants is 0xfee0. Finally, we can locate the exact characteristic by looking up 0x002c in the appendix: it’s 0xff0c, which means the Master wants information about the battery.

From the bottom part, we know the value is 5b-0f-0a-1a-06-04-3b-11-00-04, and we can refer to the meaning of the battery characteristic I described before:

  • Byte[0] --> level in %
  • Byte[1-6] --> year (add 2000)-month-day-hour-minute-second
  • Byte[7-8] --> charge times
  • Byte[9] --> status (1 = Battery low, 2 = Battery charging, 3 = Battery full (charging), 4 = Not charging)

Finally, this value shows that there is 91% power remaining, the last charge time was 2015-10-26 06:04:59, it has been charged 11 times and the status is not charging.
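As an added check (my own Python, not the post's or the app's code), here is a decoder for the BATTERY layout run on the sniffed value. Note that byte[7-8] is the little-endian pair 11 00, i.e. 0x0011, which is 17 in decimal; the charge count above is the hex digits read as decimal.

```python
"""Decode the Mi band BATTERY characteristic (0xff0c) as laid out in the post."""
from datetime import datetime

# Status codes the post lists for byte[9].
BATTERY_STATUS = {
    1: "Battery low",
    2: "Battery charging",
    3: "Battery full (charging)",
    4: "Not charging",
}


def u16le(data: bytes, offset: int) -> int:
    """Little-endian 16-bit field, the same formula the post gives for LE_PARAMS."""
    return 0xFFFF & ((0xFF & data[offset]) | ((0xFF & data[offset + 1]) << 8))


def decode_battery(value: bytes) -> dict:
    """Parse the 10-byte BATTERY value into named fields.

    Layout from the post: byte[0] level, byte[1-6] last-charge time
    (year offset by 2000), byte[7-8] charge count, byte[9] status.
    """
    if len(value) != 10:
        raise ValueError(f"BATTERY value must be 10 bytes, got {len(value)}")
    year, month, day, hour, minute, second = value[1:7]
    return {
        "level": value[0],
        "last_charge": datetime(2000 + year, month, day, hour, minute, second),
        "charge_count": u16le(value, 7),
        "status": BATTERY_STATUS.get(value[9], f"unknown ({value[9]})"),
    }


def parse_hex_dump(text: str) -> bytes:
    """Turn the dash-separated hex notation used in the post into bytes."""
    return bytes.fromhex(text.replace("-", ""))


# The value read from handle 0x002c in the sniffed capture above.
SNIFFED_BATTERY = parse_hex_dump("5b-0f-0a-1a-06-04-3b-11-00-04")

if __name__ == "__main__":
    for field, val in decode_battery(SNIFFED_BATTERY).items():
        print(f"{field:>13}: {val}")
```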

Appendix

[CON][88:0F:10:DA:5A:39][LE]>

handle: 0x0002, char properties: 0x02, char value handle: 0x0003, uuid: 00002a00-0000-1000-8000-00805f9b34fb

handle: 0x0004, char properties: 0x02, char value handle: 0x0005, uuid: 00002a01-0000-1000-8000-00805f9b34fb

handle: 0x0006, char properties: 0x0a, char value handle: 0x0007, uuid: 00002a02-0000-1000-8000-00805f9b34fb

handle: 0x0008, char properties: 0x02, char value handle: 0x0009, uuid: 00002a04-0000-1000-8000-00805f9b34fb

handle: 0x000d, char properties: 0x22, char value handle: 0x000e, uuid: 00002a05-0000-1000-8000-00805f9b34fb

handle: 0x0011, char properties: 0x02, char value handle: 0x0012, uuid: 0000ff01-0000-1000-8000-00805f9b34fb

handle: 0x0013, char properties: 0x0a, char value handle: 0x0014, uuid: 0000ff02-0000-1000-8000-00805f9b34fb

handle: 0x0015, char properties: 0x12, char value handle: 0x0016, uuid: 0000ff03-0000-1000-8000-00805f9b34fb

handle: 0x0018, char properties: 0x0a, char value handle: 0x0019, uuid: 0000ff04-0000-1000-8000-00805f9b34fb

handle: 0x001a, char properties: 0x08, char value handle: 0x001b, uuid: 0000ff05-0000-1000-8000-00805f9b34fb

handle: 0x001c, char properties: 0x12, char value handle: 0x001d, uuid: 0000ff06-0000-1000-8000-00805f9b34fb

handle: 0x001f, char properties: 0x12, char value handle: 0x0020, uuid: 0000ff07-0000-1000-8000-00805f9b34fb

handle: 0x0022, char properties: 0x04, char value handle: 0x0023, uuid: 0000ff08-0000-1000-8000-00805f9b34fb

handle: 0x0024, char properties: 0x1a, char value handle: 0x0025, uuid: 0000ff09-0000-1000-8000-00805f9b34fb

handle: 0x0027, char properties: 0x0a, char value handle: 0x0028, uuid: 0000ff0a-0000-1000-8000-00805f9b34fb

handle: 0x0029, char properties: 0x0a, char value handle: 0x002a, uuid: 0000ff0b-0000-1000-8000-00805f9b34fb

handle: 0x002b, char properties: 0x12, char value handle: 0x002c, uuid: 0000ff0c-0000-1000-8000-00805f9b34fb

handle: 0x002e, char properties: 0x0a, char value handle: 0x002f, uuid: 0000ff0d-0000-1000-8000-00805f9b34fb

handle: 0x0030, char properties: 0x1a, char value handle: 0x0031, uuid: 0000ff0e-0000-1000-8000-00805f9b34fb

handle: 0x0033, char properties: 0x0a, char value handle: 0x0034, uuid: 0000ff0f-0000-1000-8000-00805f9b34fb

handle: 0x0035, char properties: 0x10, char value handle: 0x0036, uuid: 0000ff10-0000-1000-8000-00805f9b34fb

handle: 0x0038, char properties: 0x02, char value handle: 0x0039, uuid: 0000fec9-0000-1000-8000-00805f9b34fb

handle: 0x003b, char properties: 0x08, char value handle: 0x003c, uuid: 0000fedd-0000-1000-8000-00805f9b34fb

handle: 0x003d, char properties: 0x02, char value handle: 0x003e, uuid: 0000fede-0000-1000-8000-00805f9b34fb

handle: 0x003f, char properties: 0x02, char value handle: 0x0040, uuid: 0000fedf-0000-1000-8000-00805f9b34fb

handle: 0x0041, char properties: 0x08, char value handle: 0x0042, uuid: 0000fed0-0000-1000-8000-00805f9b34fb

handle: 0x0043, char properties: 0x08, char value handle: 0x0044, uuid: 0000fed1-0000-1000-8000-00805f9b34fb

handle: 0x0045, char properties: 0x02, char value handle: 0x0046, uuid: 0000fed2-0000-1000-8000-00805f9b34fb

handle: 0x0047, char properties: 0x08, char value handle: 0x0048, uuid: 0000fed3-0000-1000-8000-00805f9b34fb

handle: 0x004a, char properties: 0x08, char value handle: 0x004b, uuid: 0000fec7-0000-1000-8000-00805f9b34fb

handle: 0x004c, char properties: 0x22, char value handle: 0x004d, uuid: 0000fec8-0000-1000-8000-00805f9b34fb

handle: 0x004f, char properties: 0x02, char value handle: 0x0050, uuid: 0000fec9-0000-1000-8000-00805f9b34fb

handle: 0x0052, char properties: 0x04, char value handle: 0x0053, uuid: 00002a06-0000-1000-8000-00805f9b34fb
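To make the listing above usable without hand lookups, here is an added parser (my own Python, not gatttool's or the post's code) that maps each value handle to its 16-bit UUID and the post's characteristic name, and expands the "char properties" bitmask using the GATT property bits (0x02 read, 0x04 write without response, 0x08 write, 0x10 notify, 0x20 indicate). The sample consists of three lines copied from the appendix.

```python
"""Parse the gatttool 'characteristics' listing from the appendix (added example)."""
import re

# GATT characteristic property bits from the characteristic declaration.
PROPERTY_BITS = {0x01: "broadcast", 0x02: "read", 0x04: "write-without-response",
                 0x08: "write", 0x10: "notify", 0x20: "indicate",
                 0x40: "authenticated-signed-write", 0x80: "extended-properties"}
# Names the post assigns to the 0xfee0 characteristics.
NAMES = {0xFF01: "DEVICE_INFO", 0xFF02: "DEVICE_NAME", 0xFF03: "NOTIFICATION",
         0xFF04: "USER_INFO", 0xFF05: "CONTROL_POINT", 0xFF06: "REALTIME_STEPS",
         0xFF07: "ACTIVITY_DATA", 0xFF08: "FIRMWARE_DATA", 0xFF09: "LE_PARAMS",
         0xFF0A: "DATE_TIME", 0xFF0B: "STATISTICS", 0xFF0C: "BATTERY",
         0xFF0D: "TEST", 0xFF0E: "SENSOR_DATA"}
LINE_RE = re.compile(r"handle: (0x[0-9a-f]{4}), char properties: (0x[0-9a-f]{2}), "
                     r"char value handle: (0x[0-9a-f]{4}), uuid: ([0-9a-f-]{36})")


def short_uuid(uuid128: str) -> int:
    """16-bit alias of a Bluetooth base UUID: 0000ff0c-0000-1000-... -> 0xff0c."""
    return int(uuid128[4:8], 16)


def property_flags(props: int) -> list:
    """Expand the 'char properties' bitmask (0x12 -> read + notify)."""
    return [name for bit, name in PROPERTY_BITS.items() if props & bit]


def parse_characteristics(listing: str) -> dict:
    """Map each value handle to its 16-bit UUID, the post's name and its properties."""
    table = {}
    for m in LINE_RE.finditer(listing):
        uuid = short_uuid(m.group(4))
        table[int(m.group(3), 16)] = {"uuid": uuid, "name": NAMES.get(uuid, "unknown"),
                                      "properties": property_flags(int(m.group(2), 16))}
    return table


def writable_handles(table: dict) -> list:
    """Value handles any connected client may write to; worth listing when auditing the band."""
    return sorted(h for h, c in table.items()
                  if {"write", "write-without-response"} & set(c["properties"]))


# Three lines copied from the gatttool listing in the appendix.
SAMPLE = """\
handle: 0x001a, char properties: 0x08, char value handle: 0x001b, uuid: 0000ff05-0000-1000-8000-00805f9b34fb
handle: 0x002b, char properties: 0x12, char value handle: 0x002c, uuid: 0000ff0c-0000-1000-8000-00805f9b34fb
handle: 0x0030, char properties: 0x1a, char value handle: 0x0031, uuid: 0000ff0e-0000-1000-8000-00805f9b34fb
"""
```

Feeding the whole appendix to parse_characteristics gives the same lookup the post does by hand: value handle 0x002c resolves to 0xff0c, BATTERY, readable and notifying.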

Category: Project Tagged: Mi Band
