Open JsBergbau opened 2 years ago
mvdklip
commented
2 years ago After a bit of searching I found the Bluetooth protocol documentation for Sertag which is one of the manufacturers of bluetooth ESLs. Cannot post the doc on this public github page though...
Example from the doc:
1.Request write block size command
CMD DATA
0x01 NULL
Response for write block size command
CMD DATA (short)
0x01 Block size
Note: Short is low before highI also have the Chinese and English 'Bluetag' apps which can be run on an Android phone to program various bluetooth ESLs from Aliexpress.
mvdklip
commented
2 years ago One thing to keep in mind with ESLs is that the update frequency of the display cannot be high. It is only useful to display fairly static data. Updating more than once every 10 minutes is not recommended.
JsBergbau
commented
2 years ago You can post the link to the document here or try dragging the file into this field.
Updating more than once every 10 minutes is not recommended.
Should be sufficient to display water temperature or some other kind of information. For me this is still very useful.
mvdklip
commented
2 years ago I meant I should not post 'secret' information on a 'public' Github. ;-)
But I found a public source for the document so I can link it now. You will find it on this page under 'Communication Protocol of Bluetooth Electronic Shelf Labels':
JsBergbau
commented
2 years ago I understand. Thought it was some technical thing.
Here is the direct link https://www.eslmfg.com/download-file.htm?guid=488&type=pdf I neede Chrome to download. Firefox produced an error all the time...
Here https://sertag.en.alibaba.com/productgrouplist-816403506/RF_electronic_shelf_labels.html you find Sertag ESLs. The big ones are quite expensive with around 40 $, but the 2.9" for about 6 $ is a reasonable price.
According to Video on https://www.alibaba.com/product-detail/Sertag-Dot-Matrix-lcd-Tag-Electronic_62543088175.html tag can blink by itself. Would be ideal to sense an alarm like temperature too low.
Do you have some spare time to try to program these? Would be great if you could write some python script to access these displays.
mvdklip
commented
2 years ago Well, I think it's great these Sertag's are available for wholesale but I'm not sure it really helps in the end. If we make this an opensource project I think these guys will just stop selling single displays through Alibaba. I think we need to find a similar (or identical) device on AliExpress so that there is a seller in between and we can (sort of) source these devices anonymously. It will take a bit more research to find out what the Sertag devices actually is (Telink?) and who is selling the same devices under a different brand.
mvdklip
commented
2 years ago The YalaTech devices (available on AliExpress) seem to be very similar but are not identical. Also these are still being sold by the manufacturer itself so it's not said that it is possible to actually order these as a consumer. I would really like to find a source where we know for sure that these devices stay available for a longer period of time.
JsBergbau
commented
2 years ago If we make this an opensource project I think these guys will just stop selling single displays through Alibaba.
That's an interesting point, I didn't think of. Sadly you're probably right. I can image that these manufacturers will stop selling the devices to customers. I can't really understand that, because making the documentation public and supporting OpenSource community would allow them to sell millions of additional tags to people like us that wan't to use it as information display in Smarthome.
mvdklip
commented
2 years ago I ordered two ESLs from AliExpress to experiment with. I'll keep you updated.
On Wed, 5 Jan 2022, 23:23 JsBergbau, @.***> wrote:
If we make this an opensource project I think these guys will just stop selling single displays through Alibaba.
That's an interesting point, I didn't think of. Sadly you're probably right. I can image that these manufacturers will stop selling the devices to customers. I can't really understand that, because making the documentation public and supporting OpenSource community would allow them to sell millions of additional tags to people like us that wan't to use it as information display in Smarthome.
— Reply to this email directly, view it on GitHub https://github.com/JsBergbau/Verschiedenes/issues/3#issuecomment-1006125619, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABQ47TVNIFJVRIM5FXXPBTUUTAGXANCNFSM5LD3CCSQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
You are receiving this because you commented.Message ID: @.***>
mvdklip
commented
2 years ago One of them has been shipped. The other I got enquiries about. I said that I want to use it for a demo in BLE mode and I don't need their base station for that.
JsBergbau
commented
2 years ago Thanks for the update. Very interesting that even on Aliexpress they tried to sell their basestation before shipping.
mvdklip
commented
2 years ago I have cancelled the Yalatech order. They don't want to ship and they say their ble product cannot function standalone. They recommend me to use nfc version but that's useless in a smarthome setup.
With Gicisky I got a bit further. The device is shipped and I am in contact with a sales rep about SDK access. They normally charge $1280 for this but I said I only need some tech documents. I used the sertag protocol document as evidence that other companies are sharing such info so who knows. Also I found that apparantly the "real" manufacturer for these devices is picksmart.cn which also supplies the standalone BlueTag Android app:
http://a.picksmart.cn:8088/picksmart/app/ble-app-new.apk http://a.picksmart.cn:8089/login http://a.picksmart.cn:8081
It's a bit vague who the real manufacturer is. I have found Gicisky, Hi-Link, Pick Smart and Pique Smart as company names until now.
mvdklip
commented
2 years ago I have also been looking at the Lilygo products on AliExpress. These are ESP32 based and can be fully programmed. This is a big screen:
https://a.aliexpress.com/_u7X1hV
But smaller (ESL size) is also available:
https://a.aliexpress.com/_vLhFAJ
On Fri, 7 Jan 2022, 14:42 JsBergbau, @.***> wrote:
Thanks for the update. Very interesting that even on Aliexpress they tried to sell their basestation before shipping.
— Reply to this email directly, view it on GitHub https://github.com/JsBergbau/Verschiedenes/issues/3#issuecomment-1007417068, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABQ47RM6UHH7XZKUGJTZE3UU3US5ANCNFSM5LD3CCSQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.
You are receiving this because you commented.Message ID: @.***>
JsBergbau
commented
2 years ago I've already seen similiar devices. However for me the ESLs look much nicer, because they're flat and can just be put on the wall without any measures.
mvdklip
commented
2 years ago I understand. Just mentioning because the ESLs are:
The only thing I have right now is documentation by sertag, a Chinese (cloud) app by picksmart and (hopefully soon) a device to dissect. I'll keep you updated.
mvdklip
commented
2 years ago Gicisky said I needed a base station as well if I wanted to use their ESL for anything else than using their app.
mvdklip
commented
2 years ago Was looking at KKM now because they seem fairly open:
https://www.kkmcn.com/2-9-e-ink-display-tag https://www.kkmcn.com/esl_sdk
They mention that the ESLs can also be programmed over BLE from a raspberry pi. They promise full access to all technical details but I haven't been able to find it yet.
Interestingly enough I found a document by e-paper-display.com (GooDisplay or good-display.com) which has the exact same devices and claims in it, but again wasn't able to find bluetooth protocol docs anywhere yet. Maybe somewhere in here:
https://www.good-display.com/blank15.html#c_portalResCompanyFile_list-15878877704403956-1
@JsBergbau I'm too tired to continue now, but if you find anything let me know.
mvdklip
commented
2 years ago I have received the Gicisky ESL. It works fine and I am able to program it using the Bluetag Android app. I did notice that this device has a TFT instead of e-ink screen which is less pretty. It's also not marked in any way with a manufacterer identification. Not even on the mainboard inside the device. The fact that it comes with the Bluetag app implies that it is compatible with Picksmart which owns that app. Now I "only" have to find out / reverse engineer what protocol this app / Picksmart uses.
Edit: the Picksmart product page lists the 2.1" TFT bluetooth ESL: http://www.picksmart.cn/index.php/list-16.html
mvdklip
commented
2 years ago Haha just used a hacked version of your script to detect the advertisements of this ESL:
BLE packet - Unknown: FF:FF:61:61:66:51 00 100201060302f0fe08ff5350a01f010100 -70
0x5053 (or 0x5350 reversed) is the manufacturer id as documented in the sertag doc. 0x1f is the battery voltage times 10 = 3.1V.
Power ON bluetooth device 0 Bluetooth device 0 is already enabled Enable LE scan scan params: interval=1280.000ms window=1280.000ms own_bdaddr=public whitelist=no socket filter set to ptype=HCI_EVENT_PKT event=LE_META_EVENT Listening ... BLE packet - ESL: FF:FF:61:61:66:51 00 100201060302f0fe08ff5350a01f010100 -70 Battery voltage: 3.1 V
BLE packet - ESL: FF:FF:61:61:66:51 00 100201060302f0fe08ff5350a01f010100 -70 Battery voltage: 3.1 V
BLE packet - ESL: FF:FF:61:61:66:51 00 100201060302f0fe08ff5350a01f010100 -73 Battery voltage: 3.1 V
BLE packet - ESL: FF:FF:61:61:66:51 00 100201060302f0fe08ff5350a01f010100 -66 Battery voltage: 3.1 V
mvdklip
commented
2 years ago So it is a confirmed picksmart device:
[CHG] Device FF:FF:61:61:66:51 UUIDs: 00001800-0000-1000-8000-00805f9b34fb
[CHG] Device FF:FF:61:61:66:51 UUIDs: 00001801-0000-1000-8000-00805f9b34fb
[CHG] Device FF:FF:61:61:66:51 UUIDs: 0000fef0-0000-1000-8000-00805f9b34fb
[CHG] Device FF:FF:61:61:66:51 UUIDs: f000ffc0-0451-4000-b000-000000000000
[CHG] Device FF:FF:61:61:66:51 ServicesResolved: yes
[CHG] Device FF:FF:61:61:66:51 Name: PICKSMART
[CHG] Device FF:FF:61:61:66:51 Alias: PICKSMART
Both Sertag and Gicisky (and others) seem to resell this device under their own name. The Sertag docs are not great but they should be enough to let us write to this display at some point. It will take a few hours or days of tinkering though.
JsBergbau
commented
2 years ago To make developing easier for you: Do you know nrF Connect https://play.google.com/store/apps/details?id=no.nordicsemi.android.mcp ? This App shows you a lot of information on your Android device. There is also a version for Desktop computers available https://www.nordicsemi.com/Products/Development-tools/nRF-Connect-for-desktop However I have some trouble to get this running on Windows. I have a integrated bluetooth/wifi card. I think this is due to some security settings on Windows.
Also Wireshark is very helpful just to have a look into the broadcasted packages. You can either open it live selecting bluetooth interface and running hcidump in parallel or you can use hcidump to write a file which can then be opened by wireshark hcidump -w filename.pcap.
For more details see https://blog.wirelessmoves.com/2014/01/tracing-bluetooth-with-wireshark-and-hcidump.html
mvdklip
commented
2 years ago There is only an Android app so installing something on a desktop PC is not going to help unfortunately. Well, unless I get a development bluetooth dongle which can be flashed into a sniffing device. Normal bluetooth dongles cannot do this.
But... I have already captured a log on my Android phone by enabling bluetooth logging in the Android developer settings. This file is Wireshark compatible. Just didn't have time yet to analyse it.
mvdklip
commented
2 years ago I have deciphered the following from the dump:
handle value
write req 0x000f, 0x01 0x00 # Enable notifications
write cmd 0x000e, 0x01 # Request write block size command
rcvd notf 0x000e, 0x01 0xf4 0x00 # Response for write block size command - Block size = 0x00f4 = 244
write cmd 0x000e, 0x02 0x98 0x0d 0x00 0x00 0x00 # Request write screen command
rcvd notf 0x000e, 0x02 0x00 # Response for write screen command - Status = 0x00 = Success
write cmd 0x000e, 0x03 # Request start transfer command
rcvd notf 0x000e, 0x05 0x00 0x00 0x00 0x00 0x00 # Response for start transfer command - Status = 0x00 = Success
write cmd 0x0012, 0x00 0x00 0x00 0x00 ... # Transfer data packet - 240 bytes of data
rcvd notf 0x000e, 0x05 0x00 0x01 0x00 0x00 0x00 # Response for start transfer command - Status = 0x00 = Success, Next block index = 0x0001
write cmd 0x0012, 0x01 0x00 0x00 0x00 ... # Transfer data packet - 240 bytes of data
rcvd notf 0x000e, 0x05 0x00 0x02 0x00 0x00 0x00 # Response for start transfer command - Status = 0x00 = Success, Next block index = 0x0002
...
write cmd 0x0012, 0x0e 0x00 0x00 0x00 ... # Transfer data packet - 120 bytes of data
rcvd notf 0x000e, 0x05 0x08 0x00 0x00 0x00 0x00 # Response for start transfer command - Status = 0x08 = Done
So this is how to transfer an image to the screen. It matches the Sertag documentation. I don't know the format of the image yet.
mvdklip
commented
2 years ago The screen in this device is of type 101 which is not documented. Sertag documentation only has types 000 and 001. If I dump the transferred bytes into a file and assume that it is a raw black and white image (1 bytes = 8 pixels) then the data is for 30.720 pixels. 250x122 seems a likely display resolution in that case.
However... I can already see that this is not correct because the template / image I uploaded has all black on the first couple of lines which would mean that the image should start with a lot of 0xff values which it doesn't so it must be a different format. Even if a 0 pixel would be black instead of white this can't be the case because the file doesn't start with a lot of 0x00 values as well.
I do see 'aaaaaaaaaa' a few times in the hex stream. This kind of attracts attention but I'm not sure what to make of it yet. A hex A is a bin 1010. The predominant repeating patterns are 0's, a's and f's.
I just remembered that I updated the ESL multiple times during dumping and that I did a one-letter change in the template in between. This should lead to a small number of pixels difference when comparing two binary dumps but unfortunately I see that the first packets are identical but then change radically. This probably means that the data is compressed or encrypted in some way. The change happens in the end of the third packet: 56aa80753f4000000880 becomes 56aa80744340fd5aaaa9 and from there on it never recovers; the data is completely different. Also the last packet has 75 (instead of 120) bytes of data.
jbraceg
commented
2 years ago @mvdklip did you get any further with this? I've just acquired a very similar device and gone down much the same path as you. I'd love to compare notes on code to update the screen.
mvdklip
commented
2 years ago @jbraceg did not get any further unfortunately because I don't know what the binary data format is. Would be great to decipher it though so feel free to post your experiences in this thread.
Originalpost by mvdklip