The AdeVital app / scale seems to be a rebranding of Transtek. However I suppose they share the same comm. For testing I have used the AdeVital BA1401.
Service
00007802-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE"
Characteristics
a) 00008a21-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE" (Indicate)
Values
We can read 4 values:
This system uses a custom pairing method. Let's look at it as a state-machine:
SERIAL_NUMBER_READ => PWD_READ => ADDR_WRITTEN => RANDOM_NUMBER_READ => PWD_RN_WRITTEN => UTC_WRITTEN
Write MAC Address // State ADDR_WRITTEN:
The Scale needs to know your phones BT MAC for auth.
Write 33 and the first 4 bytes of your MAC to CHARACTER_COMMON_WRITE.
Calculating a password // State PWD_RN_WRITTEN :
Listen for Notifications and enable indication on c)
When you get a callback where value[] represents the characteristic byte array data.
There are two options:
a) you received a password (value[0] ^ 0xffffffa0 == 0)
b) you received a random number (value[0] ^ 0xffffffa1 == 0)
a) should happen before b)
Save both values as let's say pasw[] and rand[]
Generate a new array, lets call it auth[]
Set auth[0] to 32
Now for all bytes (start with i=1):
auth[i] = pasw[i-1] ^ rand[i-1];
Write auth[] to COMMON_WRITE
Service
00007802-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE"
00007882-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_A3" (maybe a different version?)
00007892-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_A3_TAYLOR" (maybe a different version?)
a) 00008a21-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE" (Indicate)
b) 00008a22-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_TAYLOR_APPEND" (Indicate)
00008a20-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_TAYLOR_FEATURE" (Read)
00008a81-0000-1000-8000-00805f9b34fb "COMMON_WRITE" (Write)
c) 00008a82-0000-1000-8000-00805f9b34fb "PWD_OR_RANDOM_NUMBER" (Indicate)
Descriptors (for char a b c)
00002902-0000-1000-8000-00805f9b34fb "DESC_CCC"
Values
We can read 4 values:
- Unit
- KG = 0x00
- LB = 0x01
- ST = 0x02
- Weight
- Impendance1
- Impendance2
SERIAL_NUMBER_READ => PWD_READ => ADDR_WRITTEN => RANDOM_NUMBER_READ => PWD_RN_WRITTEN => UTC_WRITTEN
Write MAC Address // State ADDR_WRITTEN:
The Scale needs to know your phones BT MAC for auth.
Write 33 and the first 4 bytes of your MAC to CHARACTER_COMMON_WRITE.
Calculating a password // State PWD_RN_WRITTEN :
Listen for Notifications and enable indication on c)
When you get a callback where value[] represents the characteristic byte array data.
There are two options:
a) you received a password (value[0] ^ 0xffffffa0 == 0)
b) you received a random number (value[0] ^ 0xffffffa1 == 0)
a) should happen before b)
Save both values as let's say pasw[] and rand[]
Generate a new array, lets call it auth[]
Set auth[0] to 32
Now for all bytes (start with i=1):
auth[i] = pasw[i-1] ^ rand[i-1];
Write auth[] to COMMON_WRITE
Thank you for another great article. Where else could anyone get that kind of information in such a perfect way of writing? I have a presentation next week, and I am on the look for such information Please follow my Site link Slot. Thank you very much.
AntwortenLöschen