Could you redo the serial extract running the Pill on Bluetooth isteed?

kbaggen commented 2 years ago

Hi there, wanna se what is do when in bluetooth mode.......if it send by uuid just as TILT......hence, we might be able to puck the telemettric data up just as we can from TIL! /Klaus

Maclav1 commented 2 years ago

While I would love to see the console output when the PILL sends out a BT Packet and don't want to solder on a header I can assure you this thing is much harder to sniff the BT Data off.

This is as far as I got, best I can determine... its doing weird things with the data encoding.


52415054 01 78e36d3cebb4           9483 421e 18b0     4103 0070 0063 6400                            
R A P T  v1   MAC_ADDR___?         Temp/GU/Angle??    xxx_  yyy_  zzz_  bb__
string   hex (last hex wrong)      ?   ?     ?        int12? int12? int12? uint8?```

Zagitta commented 1 year ago

Great news everyone, I've spent the holidays reverse-engineering the BLE format and it's as follows in byte indices:

0-3: RAPT
4: Always 1 (the fw doesn't allude to this being a version number or anything as far as I can tell but it would make sense)
5-10: MAC address, the last hex isn't wrong, it's the actual BLE mac address
11-12: Temperature encoded as a big endian int16_t. ~Must be divided by -1000.0 to get the correct value.~ As noted below it's Kelvin and must be divided by 128.0
13-16: Gravity encoded as a big endian float.
17-18: X angle encoded as a big endian int16_t. Must be divided by 16.0 to get the correct value.
19-20: Y angle encoded as a big endian int16_t. Must be divided by 16.0 to get the correct value.
21-22: Z angle encoded as a big endian int16_t. Must be divided by 16.0 to get the correct value.
23-24: Charge in percent encoded as a big endian int16_t. Must be divided by 256.0 to get the correct value.

I plan to build an MQTT bridge using this info soonish. If this ends up being useful to anyone else please acknowledge my effort as I've spent at least 30 hours decompiling and reverse engineering the dumped FW 😊

Maclav1 commented 1 year ago

Amazing. They really didn't make that easy, having tried and failed this!

On Tue, Dec 27, 2022, 1:33 p.m. Simon Rasmussen @.***> wrote:

Great news everyone, I've spent the holidays reverse-engineering the BLE format and it's as follows in byte indices:

0-3: RAPT

4: Always 1 (the fw doesn't allude to this being a version number or anything as far as I can tell but it would make sense)

5-10: MAC address, the last hex isn't wrong, it's the actual BLE mac address

11-12: Temperature encoded as a big endian int16_t. Must be divided by -1000.0 to get the correct value.

13-16: Gravity encoded as a big endian float.

17-18: X angle encoded as a big endian int16_t. Must be divided by 16.0 to get the correct value.

19-20: Y angle encoded as a big endian int16_t. Must be divided by 16.0 to get the correct value.

21-22: Z angle encoded as a big endian int16_t. Must be divided by 16.0 to get the correct value.

23-24: Charge in percent encoded as a big endian int16_t. Must be divided by 256.0 to get the correct value.

I plan to build an MQTT bridge using this info soonish. If this ends up being useful to anyone else please acknowledge my effort as I've spent at least 30 hours decompiling and reverse engineering the dumped FW 😊

— Reply to this email directly, view it on GitHub https://github.com/BestEnemies/pill/issues/1#issuecomment-1366096196, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4YZZUPUKNPKLYV2BV5PVTWPMY6HANCNFSM6AAAAAARCC65BE . You are receiving this because you commented.Message ID: @.***>

BestEnemies commented 1 year ago

Incredible work @Zagitta ! Do you mind if I update with your findings? With appropriate credit to you of course. I'm currently on holidays so it will be a little while

Zagitta commented 1 year ago

@BestEnemies please do, happy to have the info shared 😊

@Maclav1 In Keglands defence, I didn't see them do anything specifically to make it harder. They kindly left in a lot of debug strings providing function names and such. A lot the difficulty is just that a the decompilation tools for ESP32 are pretty 💩 That said their general system architecture seems preeeeeetty wonky...

kbaggen commented 1 year ago

Zagitta thanks.

kbaggen commented 1 year ago

So the temperature of above exsample of Maclav1 in hex: 9483 -> INT 16 big endian is = -27517 divided by -1000 = 27.517 in C (assumingly).

The gravity is then? hex: 421e 18b0 --> big endian float --> 39.52411 (tilt/angle???), or big endian int32 = 1109268656 ????

I am Using https://www.scadacore.com/tools/programming-calculators/online-hex-converter/

I was thinking including the bluetooth signal into my iBLOPPER`ESP32 samewise as it detect tilt hydrometer :-)

https://iblopper.bubble-logger.com/ ex.1 https://bubble-logger.com/line-chart/share.php?Brew_no_id=271 ex.2 https://bubble-logger.com/line-chart/share.php?Brew_no_id=274

Maclav1 commented 1 year ago

Yeah, something is wrong with the temp. It should be like 18c iirc (-2048 gets me closer). Gravity is correct, that sample was standing up in a cup IIRC. I'll grab a known good sample soon ish in some water.

On Wed, Dec 28, 2022, 10:42 a.m. kbaggen @.***> wrote:

So the temperature of above exsample of Maclav1 in hex: 9483 -> INT 16 big endian is = -27517 divided by -1000 = 27.517 in C (assumingly).

The gravity is then? hex: 421e 18b0 --> big endian float --> 39.52411 (tilt/angle???), or big endian int32 = 1109268656 ????

I am Using https://www.scadacore.com/tools/programming-calculators/online-hex-converter/

I was thinking including the bluetooth signal into my iBLOPPER`ESP32 samewise as it detect tilt hydrometer :-)

https://iblopper.bubble-logger.com/

— Reply to this email directly, view it on GitHub https://github.com/BestEnemies/pill/issues/1#issuecomment-1366743559, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4YZZUWI2HVFLCPVJE6SJDWPRNWHANCNFSM6AAAAAARCC65BE . You are receiving this because you were mentioned.Message ID: @.***>

kbaggen commented 1 year ago

Yeah, something is wrong with the temp. It should be like 18c iirc (-2048 gets me closer). Gravity is correct, that sample was standing up in a cup IIRC. I'll grab a known good sample soon ish in some water.

so what was the SG in above?

Maclav1 commented 1 year ago

Payload: 524150540178e36d3cebb492db447fbcda2e9e0142d47a6400 Should be (about) 746x 20y -695z 43.12 angle 1.023gu 100% bat, 20.4c Formula: Bat: 100% GU: 1.023 Temp: 27.9c 746x 20y -696z

So everything is perfect, except temp. I'll fiddle with it, The rest are bit shifts so I'll start with that assumption. The - operator is very odd and I am assuming it reports in C

Here is some python code to do the things and stuff --- from bitstring import BitArray import math

class Parser: __start = 0

def __init__(self):
    self.__start = 0

def get_next(self, data: str, len: int) -> BitArray:
    print(f"-> {data[self.__start:self.__start+len]}")
    bits = BitArray(hex=data[self.__start:self.__start+len])
    self.__start += len
    return bits

data = "524150540178e36d3cebb492db447fbcda2e9e0142d47a6400" print(f"{data}")

p = Parser() rapt = str(p.get_next(data, 8)) version = p.get_next(data, 2).int ble_mac = p.get_next(data, 12).hex temp = p.get_next(data, 4).intbe / -1000 gu = p.get_next(data, 8).float x = p.get_next(data, 4).intbe / 16.0 y = p.get_next(data, 4).intbe / 16.0 z = p.get_next(data, 4).intbe / 16.0 batt = p.get_next(data, 4).intbe / 256.0 print(f"Bat: {int(batt)}% GU: {int(round(gu, 1))/1000} Temp: {round(temp, 1) }c {x} {y} {z}")

On Wed, Dec 28, 2022 at 11:38 AM kbaggen @.***> wrote:

Yeah, something is wrong with the temp. It should be like 18c iirc (-2048 gets me closer). Gravity is correct, that sample was standing up in a cup IIRC. I'll grab a known good sample soon ish in some water. … <#m-9073609952756130397> On Wed, Dec 28, 2022, 10:42 a.m. kbaggen @.> wrote: So the temperature of above exsample of Maclav1 in hex: 9483 -> INT 16 big endian is = -27517 divided by -1000 = 27.517 in C (assumingly). The gravity is then? hex: 421e 18b0 --> big endian float --> 39.52411 (tilt/angle???), or big endian int32 = 1109268656 ???? I am Using https://www.scadacore.com/tools/programming-calculators/online-hex-converter/ https://www.scadacore.com/tools/programming-calculators/online-hex-converter/ I was thinking including the bluetooth signal into my iBLOPPER`ESP32 samewise as it detect tilt hydrometer :-) https://iblopper.bubble-logger.com/ https://iblopper.bubble-logger.com/ — Reply to this email directly, view it on GitHub <#1 (comment) https://github.com/BestEnemies/pill/issues/1#issuecomment-1366743559>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4YZZUWI2HVFLCPVJE6SJDWPRNWHANCNFSM6AAAAAARCC65BE https://github.com/notifications/unsubscribe-auth/AB4YZZUWI2HVFLCPVJE6SJDWPRNWHANCNFSM6AAAAAARCC65BE . You are receiving this because you were mentioned.Message ID: @.>

so what was the SG in above?

— Reply to this email directly, view it on GitHub https://github.com/BestEnemies/pill/issues/1#issuecomment-1366780141, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4YZZUGFZS5YGBOYMTPCV3WPRUH3ANCNFSM6AAAAAARCC65BE . You are receiving this because you were mentioned.Message ID: @.***>

Maclav1 commented 1 year ago

It's a uint_16 / 128.0 and it reports in Kelvin.

On Wed, Dec 28, 2022 at 4:25 PM Jim Clark @.***> wrote:

Payload: 524150540178e36d3cebb492db447fbcda2e9e0142d47a6400 Should be (about) 746x 20y -695z 43.12 angle 1.023gu 100% bat, 20.4c Formula: Bat: 100% GU: 1.023 Temp: 27.9c 746x 20y -696z

So everything is perfect, except temp. I'll fiddle with it, The rest are bit shifts so I'll start with that assumption. The - operator is very odd and I am assuming it reports in C

Here is some python code to do the things and stuff --- from bitstring import BitArray import math

class Parser: __start = 0
def __init__(self):
    self.__start = 0

def get_next(self, data: str, len: int) -> BitArray:
    print(f"-> {data[self.__start:self.__start+len]}")
    bits = BitArray(hex=data[self.__start:self.__start+len])
    self.__start += len
    return bits
data = "524150540178e36d3cebb492db447fbcda2e9e0142d47a6400" print(f"{data}")

p = Parser() rapt = str(p.get_next(data, 8)) version = p.get_next(data, 2).int ble_mac = p.get_next(data, 12).hex temp = p.get_next(data, 4).intbe / -1000 gu = p.get_next(data, 8).float x = p.get_next(data, 4).intbe / 16.0 y = p.get_next(data, 4).intbe / 16.0 z = p.get_next(data, 4).intbe / 16.0 batt = p.get_next(data, 4).intbe / 256.0 print(f"Bat: {int(batt)}% GU: {int(round(gu, 1))/1000} Temp: {round(temp, 1)}c {x} {y} {z}")

On Wed, Dec 28, 2022 at 11:38 AM kbaggen @.***> wrote:

Yeah, something is wrong with the temp. It should be like 18c iirc (-2048 gets me closer). Gravity is correct, that sample was standing up in a cup IIRC. I'll grab a known good sample soon ish in some water. … <#m_-8930475025985011589m-9073609952756130397_> On Wed, Dec 28, 2022, 10:42 a.m. kbaggen @.> wrote: So the temperature of above exsample of Maclav1 in hex: 9483 -> INT 16 big endian is = -27517 divided by -1000 = 27.517 in C (assumingly). The gravity is then? hex: 421e 18b0 --> big endian float --> 39.52411 (tilt/angle???), or big endian int32 = 1109268656 ???? I am Using https://www.scadacore.com/tools/programming-calculators/online-hex-converter/ https://www.scadacore.com/tools/programming-calculators/online-hex-converter/ I was thinking including the bluetooth signal into my iBLOPPER`ESP32 samewise as it detect tilt hydrometer :-) https://iblopper.bubble-logger.com/ https://iblopper.bubble-logger.com/ — Reply to this email directly, view it on GitHub <#1 (comment) https://github.com/BestEnemies/pill/issues/1#issuecomment-1366743559>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4YZZUWI2HVFLCPVJE6SJDWPRNWHANCNFSM6AAAAAARCC65BE https://github.com/notifications/unsubscribe-auth/AB4YZZUWI2HVFLCPVJE6SJDWPRNWHANCNFSM6AAAAAARCC65BE . You are receiving this because you were mentioned.Message ID: @.>

so what was the SG in above?

— Reply to this email directly, view it on GitHub https://github.com/BestEnemies/pill/issues/1#issuecomment-1366780141, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4YZZUGFZS5YGBOYMTPCV3WPRUH3ANCNFSM6AAAAAARCC65BE . You are receiving this because you were mentioned.Message ID: @.***>

Zagitta commented 1 year ago

Have you guys confirmed the BLE data while it's connected to wifi and watching the values reported in the UI? That's how I got to the final interpretation of the data:

I'm pretty confident the value isn't reported in kelvin, see this decompiled code:

What firmware version are you on @Maclav1 ?

Maclav1 commented 1 year ago

273.15 is c to k coefficient and *128 is the bit shift I found. So yeah, it's sending Kelvin (uint_16 / 128) - 273.15 for temp in C.

Latest firmware. Ran some more temp tests and its bang on the diag screen with all the temp tests I can run with it open. Python line I am using (in above code):

temp = (p.get_next(data, 4).uintbe / 128.0) - 273.15

On Wed, Dec 28, 2022 at 5:21 PM Simon Rasmussen @.***> wrote:

Have you guys confirmed the BLE data while it's connected to wifi and watching the values reported in the UI? That's how I got to the final interpretation of the data: [image: billede] https://user-images.githubusercontent.com/865977/209878766-e9313cf5-bf2a-41e5-9049-e533c920cbf3.png

I'm pretty confident the value isn't reported in kelvin, see this decompiled code: [image: billede] https://user-images.githubusercontent.com/865977/209879657-4398edaa-0ce0-425e-99a1-106e24c5bfe6.png

What firmware version are you on @Maclav1 https://github.com/Maclav1 ?

— Reply to this email directly, view it on GitHub https://github.com/BestEnemies/pill/issues/1#issuecomment-1366957970, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4YZZU74SXAWCXVZWQMXJ3WPS4OVANCNFSM6AAAAAARCC65BE . You are receiving this because you were mentioned.Message ID: @.***>

kbaggen commented 1 year ago

H ithere, havent got a RAPT yet.......sp just fooling around a bit :-)

kbaggen commented 1 year ago

Btw.......I am working on adding this till my project and got code working now for a ESP32, so if you guys could send a few more data string a la + the corresponding SG and temperature:

data = "524150540178e36d3cebb492db447fbcda2e9e0142d47a6400"

Then I can check if ithe code works......! Secondly, if one of you got a ESP32 let me know and you can ofcouse try it off.

BestEnemies commented 1 year ago

Here is one raw packet I have on my phone: 1b415200505401c45bbeb2bcc895a3449ce9780432e52a38c66226

Edit: looking at the above, it looks corrupted some how. I'll see if I can find more

I have a sheet of 100 data packets + the recorded values, unfortunately that's 12000km away.

kbaggen commented 1 year ago

1b415200505401c45bbeb2bcc895a3449ce9780432e52a38c66226

Sure is corrupted, must 50 cipher long and start by "52415054" eg. "RAPT". But thanks anyway........

kbaggen commented 1 year ago

........after I now got my Pill it do send a uint_16 in kelvin and to get it in C one must divede with 128 and then minus 273.15.

kbaggen commented 1 year ago

Btw.....I randomly get "RAPTdPillG1" from a to short uiid: 524150546450696c6c4731

ASCII then gives "RAPTdPillG1", and if anyone can explain this......let me know!

Maclav1 commented 1 year ago

The Pill puts out two different payloads. I assume this is for syncing with their fridges and whatnot. You can just drop these ones if your only interested in the telemetry.

On Thu, Jan 5, 2023, 4:31 p.m. kbaggen @.***> wrote:

Btw.....I randomly get "RAPTdPillG1" from a to short uiid: 524150546450696c6c4731

ASCII then gives "RAPTdPillG1", and if anyone can explain this......let me know!

— Reply to this email directly, view it on GitHub https://github.com/BestEnemies/pill/issues/1#issuecomment-1372801527, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4YZZUMSBQU6MI7GU74IK3WQ44RXANCNFSM6AAAAAARCC65BE . You are receiving this because you were mentioned.Message ID: @.***>

kbaggen commented 1 year ago

The Pill puts out two different payloads. I assume this is for syncing with their fridges and whatnot. You can just drop these ones if your only interested in the telemetry. … On Thu, Jan 5, 2023, 4:31 p.m. kbaggen @.> wrote: Btw.....I randomly get "RAPTdPillG1" from a to short uiid: 524150546450696c6c4731 ASCII then gives "RAPTdPillG1", and if anyone can explain this......let me know! — Reply to this email directly, view it on GitHub <#1 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4YZZUMSBQU6MI7GU74IK3WQ44RXANCNFSM6AAAAAARCC65BE . You are receiving this because you were mentioned.Message ID: @.>

Sure, also what I am doing :-)

kbaggen commented 1 year ago

iBLOPPER ESP32 can now find RAPT Pill, see more at: https://iblopper.bubble-logger.com/

kbaggen commented 1 year ago

For info, I have posted the following project based on infor from here, thanks guys :-) https://github.com/kbaggen/TILTPILLMATE

kbaggen commented 1 year ago

Hi all, seem to me Kegland changed the telemetric data ?

Seems to get now: 524150540200000000000092cb44a0cdb6028100513f666400

Before: 524150540178e36d3cebb49483421e18b04103007000636400

So the macid of bluetooth chip taken out, and also version number canged till 2.

Zagitta commented 1 year ago

Did you get a firmware update? I just force checked mine and it's still on 20220612_05156

kbaggen commented 1 year ago

Mine says now: 20230317_094939_9285ef0 Did not myself update, or not what I knew off........my SPINDELMATE just stop finding it.

kbaggen commented 1 year ago

Or more checking this is what I seem to get:

524150540200000000000092cb44a0cdb6028100513f666400 524150540200014354e76e920b4498149d05bc3e2c10486400 524150540200014354e76e921b449ef42f0320401001e36400 52415054020001435680cf9223449f15f90315400002ef6400

Maclav1 commented 1 year ago

Looks like they bumped to v2. If you have a the aprox values for gravity, temp, x, y, x and a payload I can give them a whirl decoding. My pill is floating around in some beer.

On Mon, Mar 27, 2023, 1:51 a.m. kbaggen @.***> wrote:

Or more checking this is what I seem to get:

524150540200000000000092cb44a0cdb6028100513f666400 524150540200014354e76e920b4498149d05bc3e2c10486400 524150540200014354e76e921b449ef42f0320401001e36400 52415054020001435680cf9223449f15f90315400002ef6400

— Reply to this email directly, view it on GitHub https://github.com/BestEnemies/pill/issues/1#issuecomment-1484534469, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4YZZU43WGFP43UNUDO23TW6ETHDANCNFSM6AAAAAARCC65BE . You are receiving this because you were mentioned.Message ID: @.***>

Maclav1 commented 1 year ago

K, the actual data in the payload hasn't changed, JUST the version number.

524150540200014354e76e920b4498149d05bc3e2c10486400
-> RAPT v2 Bat: 100% GU: 1.216 Temp: 18.9c  91.75x 994.75y 260.5z

kbaggen commented 1 year ago

The area formerly contaning the MacID (e.g of you above = 00014354e76e) has now been changed till a new number.

OLD: 524150540178e36d3cebb492db447fbcda2e9e0142d47a6400 NEW: 524150540200000000000092cb44a0cdb6028100513f666400 524150540200014354e76e920b4498149d05bc3e2c10486400

At least my testing shows the MacID reproted by Nimble BLE is not the same as in Papt portal, and, hence removing the macid from the uuid give my headach how to seperate between 2 rapt future-wise in the SPINDELMATE code.

Kegland has written abit in my post of SPindelmate on homebrewtalk: https://www.homebrewtalk.com/threads/spindelmate-yet-another-ispindeel-tilt-hydrometer-and-rapt-pill-datalogger-and-temperature-controller.725163/

Maclav1 commented 1 year ago

If you need the real Mac you can get it from the BLE header. Not sure if that helps though.

On Tue, Mar 28, 2023, 9:46 a.m. kbaggen @.***> wrote:

The area formerly contaning the MacID (e.g of you above = 00014354e76e) has now been changed till a new number.

OLD: 524150540178e36d3cebb492db447fbcda2e9e0142d47a6400 NEW: 524150540200000000000092cb44a0cdb6028100513f666400 524150540200014354e76e920b4498149d05bc3e2c10486400

At least my testing shows the MacID reproted by Nimble BLE is not the same as in Papt portal, and, hence removing the macid from the uuid give my headach how to seperate between 2 rapt future-wise in the SPINDELMATE code.

— Reply to this email directly, view it on GitHub https://github.com/BestEnemies/pill/issues/1#issuecomment-1486921070, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4YZZQCVFGSGDQUZBE5FHTW6LTVHANCNFSM6AAAAAARCC65BE . You are receiving this because you were mentioned.Message ID: @.***>

kbaggen commented 1 year ago

If you need the real Mac you can get it from the BLE header. Not sure if that helps though. …

I get that, but the issue is my MAcID in Rapt Portal is "78:e3:6d:3c:eb:7c", but the BLE scan give "78:e3:6d:3c:eb:7e", hence, they differ on last ciffer?

Maclav1, in your first post you wrote: Last hex differ, under macID line. SO I assume you noticed the same.

So question is if you found a way to scan and get the same macid as in rapt portal?

kbaggen commented 1 year ago

This is how it looks here:

And Rapt portal:

Zagitta commented 1 year ago

I believe they're using the wifi mac address for RAPT rather than the BLE mac address

On Wed, Mar 29, 2023, 15:18 kbaggen @.***> wrote:

This is how it looks here: [image: image] https://user-images.githubusercontent.com/16992918/228549099-edc9b389-57c0-4b53-8238-1479c35cf7f3.png

And Rapt portal: [image: image] https://user-images.githubusercontent.com/16992918/228550448-baf4e3b7-3bd8-4f08-93ef-fbd3f3be8bb7.png

— Reply to this email directly, view it on GitHub https://github.com/BestEnemies/pill/issues/1#issuecomment-1488595881, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAGTNOMF2HACZEG54CZPZF3W6QZBBANCNFSM6AAAAAARCC65BE . You are receiving this because you were mentioned.Message ID: @.***>

BestEnemies / pill

Could you redo the serial extract running the Pill on Bluetooth isteed? #1