Reverse engineering Transtek / AdeVital BA1401 Body Scale BLE communication

The AdeVital app / scale seems to be a rebranding of Transtek. However I suppose they share the same comm. For testing I have used the AdeVital BA1401.

Service

00007802-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE"

00007882-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_A3" (maybe a different version?)
00007892-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_A3_TAYLOR" (maybe a different version?)

Characteristics


a) 00008a21-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE" (Indicate)
b) 00008a22-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_TAYLOR_APPEND" (Indicate)
00008a20-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_TAYLOR_FEATURE" (Read)
00008a81-0000-1000-8000-00805f9b34fb "COMMON_WRITE" (Write)

c) 00008a82-0000-1000-8000-00805f9b34fb "PWD_OR_RANDOM_NUMBER" (Indicate)

Descriptors (for char a b c)
00002902-0000-1000-8000-00805f9b34fb "DESC_CCC"

Values
We can read 4 values:
  • Unit
    • KG = 0x00
    • LB = 0x01
    • ST = 0x02
  • Weight
  • Impendance1
  • Impendance2

This system uses a custom pairing method. Let's look at it as a state-machine:
SERIAL_NUMBER_READ => PWD_READ  => ADDR_WRITTEN  => RANDOM_NUMBER_READ => PWD_RN_WRITTEN => UTC_WRITTEN

Write MAC Address // State ADDR_WRITTEN:
The Scale needs to know your phones BT MAC for auth.
Write 33 and the first 4 bytes of your MAC to CHARACTER_COMMON_WRITE.

Calculating a password // State PWD_RN_WRITTEN :
Listen for Notifications and enable indication on c)
When you get a callback where value[] represents the characteristic byte array data.

There are two options:
 a) you received a password (value[0] ^ 0xffffffa0 == 0)
 b) you received a random number (value[0] ^ 0xffffffa1 == 0)
a) should happen before b)

Save both values as let's say pasw[] and rand[]
Generate a new array, lets call it auth[]
Set auth[0] to 32

Now for all bytes (start with i=1):
auth[i] = pasw[i-1] ^ rand[i-1];

Write auth[] to COMMON_WRITE

Kommentare

  1. Thank you for another great article. Where else could anyone get that kind of information in such a perfect way of writing? I have a presentation next week, and I am on the look for such information Please follow my Site link Slot. Thank you very much.

    AntwortenLöschen
  2. Thank you for another great article. Where else could anyone get that kind of information in such a perfect way of writing? I have a presentation next week, and I am on the look for such information Please follow my Site link Slotxo. Thank you very much.

    AntwortenLöschen

Kommentar veröffentlichen