Skip to content

Xiaomi Bluetooth Mi Scale

OliE edited this page Dec 21, 2016 · 12 revisions

Xiaomi Bluetooth 4.x Mi Scale

missing
Xiaomi Mi Scale (front)

Xiaomi Mi Scale Reverse Engineering

Some of my relative bought a Xiaomi Mi Scale. After a while I had the idea to buy one for myself and give it a try to reverse engineer the Bluetooth 4.x protocol (also known as Smart Bluetooth). First of all I searched on the internet for information. Luckily I found some information about the Bluetooth protocol by perillamint and there was already an Android implementation OpenXiaomiScale by Mnkai. A short summarized by the above information was:

  • The connection was not encrypted at all
  • The Mi Scale broadcasts the weight in the Bluetooth advertisement frame and
  • You can enable a notification flag if you want to receive the weight data on every weight change
  • The first byte was a config control byte (which include a stabilized flag, a weight removed flag, and the scale unit)
  • If the scale was set to lbs or jin you have to divide the received weight with 100 otherwise with 200
  • The scale weight was received in little endian format

I could use these great information pieces to start my implementation and test the first connection to the Mi Scale. I enable the notification flag on the Mi Scale and now I received the weight data on every weight change.

The raw hex weight data looks like 0x62 0xAC 0x49 0xE0 0x07 0x0C 0x14 0x0D 0x1C 0x04 on every change. I quickly discovered that the weight date and time was also transmitted with the data, so in the end the byte decoding was:

byte function
0 status byte:
- Bit 0: lbs unit
- Bit 1-3: unknown
- Bit 4: jin unit
- Bit 5: stabilized
- Bit 6: unknown
- Bit 7: weight removed
1-2 weight (little endian)
3-4 year (little endian)
5 month
6 day
7 hour
8 minute
9 second

But be aware that the weight date and time is only valid if the stabilized flag is true and the weight removed flag is false!

Unfortunately I could only receive the weight data if a user was on the scale and a connection was established. I didn't have access to the RAM of the Mi Scale were the history weight data was stored. Now the complicated part of the reverse engineering started. I had to capture and to analyse the Bluetooth transmission between the Mi Scale and the original Mi Fit App.

For capturing the transmission I turned on the 'Bluetooth HCI Snoop Log' under the developer options on my smartphone and started the Mi Fit App. Make sure you turn off your Bluetooth before your turn on the log and if you want to turn it off do it in reverse order. For the analysing step I opened the saved log with wireshark.

missing
Analysing initialization process with wireshark

You will find a lot of unnecessary transmissions but to find the important operations I searched for the hex value 'E0 07' (year 2016 in little endian format) because I knew that every weight data contains the date and time. I found a lot of data package that was sending from the Mi Scale to the App that looks like the above weight data. The interesting part was that before the packages were send the App sends a write command to the scale with the value '0x02'. That must be the command to get the history data.

But I didn't know on which Bluetooth Service and Characteristic it was send. So I had to find out the available Bluetooth Services and Characteristic on the Mi Scale. For this I downloaded the BLE Scanner App by Bluepixel Technology LLP. With the help of this App I could easily discover the services and characteristics and even sending/receiving data package to/from the Mi Scale.

Service Characteristics
Device Information
0000180a-0000-1000-8000-00805f9b34fb
Serial Number String
00002a25-0000-1000-8000-00805f9b34fb
Software Revision String
00002a28-0000-1000-8000-00805f9b34fb
System ID
00002a23-0000-1000-8000-00805f9b34fb
PNP ID
00002a50-0000-1000-8000-00805f9b34fb
Generic Access
00001800-0000-1000-8000-00805f9b34fb
Device Name
00002a00-0000-1000-8000-00805f9b34fb
Appearance
00002a01-0000-1000-8000-00805f9b34fb
Peripheral Privacy Flag
00002a02-0000-1000-8000-00805f9b34fb
Reconnection Address
00002a03-0000-1000-8000-00805f9b34fb
Generic Attribute
00001801-0000-1000-8000-00805f9b34fb
Service Changed
00002a05-0000-1000-8000-00805f9b34fb
Weight Scale
0000181d-0000-1000-8000-00805f9b34fb
Current Time
00002a2b-0000-1000-8000-00805f9b34fb
Weight Scale Feature
00002a9e-0000-1000-8000-00805f9b34fb
Weight Measurement
00002a9d-0000-1000-8000-00805f9b34fb
History Weight Measurement [Custom Characteristics]
00002a2f-0000-3512-2118-0009af100700
Custom Service
00001530-0000-3512-2118-0009af100700
Custom Characteristics
00001531-0000-3512-2118-0009af100700
Custom Characteristic
00001532-0000-3512-2118-0009af100700
Peripheral Preferred Connection Parameters
00002a04-0000-1000-8000-00805f9b34fb
Custom Characteristic
00001542-0000-3512-2118-0009af100700
Custom Characteristic
00001543-0000-3512-2118-0009af100700

You can find further descriptions of the standard services and characteristics at the official Bluetooth specification website.

The weight scale service was of course the interesting part of it. we already know how the weight measurement characteristic works from the above information but there was also a custom characteristic (0x2a2f) available at which we can enable an indication flag and write some values. So I turned on the notification flag and wrote the value '0x02' to this characteristic. Now I received the history weight data of the Mi Scale. But I got two weight data at once so I had to split them up.

I thought I was finished but if you take out the scale batteries and but them back you have to initialized the Mi Scale otherwise the date and time is wrong and the weight measurement history is not saved. To do this I had to capture and analyse the initialization process between the Mi Fit App and the Mi Fit Scale again. After some headache I found out that you can enable the history weight measurement with the following magic bytes 0x01 0x96 0x8a 0xbd 0x62 but before you have to enable the history weight measurement indication flag. To set the current date and time on the Mi Scale you have to send a write command to the Current Time Characteristics (2a2b) with the following byte order:

byte value
0-1 year (little endian)
2 month
3 day
4 hour
5 minute
6 second
7 0x03
8 0x00
9 0x00

Somehow you have to restart the connection to write the current date and time. I don't know why. The last think that makes me wonder is that you can't delete the history weight measurement on the Mi Scale at all or I didn't find it out yet. If you know how you can delete them, please let me know.