Skip to content

How to reverse engineer a Bluetooth 4.x scale

Jump to bottom
OliE edited this page May 8, 2022 · 5 revisions

The general procedure of reverse engineering a Bluetooth 4.x scale is as follow:

1. Acquiring some Bluetooth traffic

  1. Enable developer options if not already done so
  2. Delete first on your smartphone any old btsnoop_hci.log
  3. Activate the Bluetooth HCI Snoop Log developer option on the smartphone
  4. Disable and enable bluetooth to start logging
  5. Weight yourself with the original app and note down the corresponding exact true date/time with all other information (e.g. weight, water percentage, bone mass and so on). Also note your user information like sex (male/female), body height, activity level, and age.
  6. Do step 1-5 at least three times again but with different weights (e.g. weight yourself while holding a crate of beer)
  7. Deactivate the Bluetooth HCI Snoop Log developer option
  8. Save the btsnoop_hci.log with a meaningful filename
    1. Enable USB debugging developer option on the smartphone
    2. Issue adb.exe bugreport .\debugdata on the PC for Windows or adb bugreport .\debugdata for Linux
    3. From debugdata.zip file created at previous step, get the btsnoop_hci.log; the file can be found in archive inside directory FS\data\misc\bluetooth\logs\

2. Find out the Bluetooth services and characteristic

  1. Install the openScale development version.
  2. Go to settings, about and enable debug log.
  3. Then go to settings, Bluetooth and search for your scale.
  4. Once found, click on it and openScale will then fetch information about all services and characteristics.
  5. Return to settings, about and disable logging. Attach the log together with the btsnoop logs in a GitHub issue.
  6. If this for some reason doesn't work you can also try the BLE Scanner App by Bluepixel Technology LLP.

3. Analyse the Bluetooth protocol

  1. Open your first btsnoop_hci.log with wireshark version > 1.10
  2. Search for the true values in the log files. A good starting point is to search for the weight
    • Convert your decimal weight into a hex value (ignore any comma. The value is divided by 100 or 10 afterwards) for example if the weight is 75,3 kg then the hex value is 02F1 in big-endian or F102 in little endian
    • Look for the weight value in little endian format which is send from the scale to the app (source should be remote() and destination localhost())
  3. If you have found a value string that contains the weight try to find in this string other values as well (e.g. water percentage and date/time)
    • Decoding the date/time is the most difficult part because the format is unknown. It could be a unix time stamp or something different. A good free tool to help you to identify the used time format is DCode by digital detective
  4. Next we have to find out which steps are needed for the scale configuration to trigger the scale to send us the values
    • Search in wireshark for the first data package from the scale which contains your weight value
    • Now analyse previous data packages and see and note down what values was written to which characteristic UUID (source should be localhost() and destination remote())
    • Note also down which UUID notification flag or indication flag was set enabled

4. Links

Verifying and Debugging Bluetooth

openScale

openScale sync

Clone this wiki locally