cnrd / yeelock

Information about reversing the protocol of yeelock BT lock.

My research on the YeeLock #3

Open jawadaq82 opened 3 years ago

jawadaq82 commented 3 years ago

I have performed 3 unlock actions using the YeeLock application. https://play.google.com/store/apps/details?id=com.yeeloc.yisuobao

The application requires Bluetooth and Location Services to be enabled before unlocking. Once it unlocks the BLE_Lock, after a few seconds (around 5 sec) it automatically locks it again.

[Service UUID: 58af3dca6fc04fa3946474662f043a39] The Service UUID is constant across all locks. I have reverse engineered the YeeLock.apk and have noticed these Service UUIDs in the source code, as below:

        UUID fromString = UUID.fromString("58AF3DCA-6FC0-4FA3-9464-74662F043A39");
        Intrinsics.checkNotNull(fromString);
        SERVICE_B0_DATA = fromString;
        UUID fromString2 = UUID.fromString("58AF3DCA-6FC0-4FA3-9464-74662F043A3B");
        Intrinsics.checkNotNull(fromString2);
        B0_DATA_RX = fromString2;
        UUID fromString3 = UUID.fromString("58AF3DCA-6FC0-4FA3-9464-74662F043A3A");
        Intrinsics.checkNotNull(fromString3);
        B0_DATA_TX = fromString3;

I can see 0150 command is used to unlock while 0640 is used to lock it again.

Lock Value: 01506083d6150027540152495682507919197895 Unlock Value: 06406083d617ad6ce0ebbc204fbba28d6e7bf857

Lock Value: 01506083d62000a6800439f63568812e3a09cdcd Unlock Value: 06406083d6204cac98cfceeca2b6534769bfdf6b

Lock Value: 01506083d6290010ad6a43e996b8cb7c63646e92 Unlock Value: 06406083d629eabe086de8c51114f46eb677a4b0

| User | Action | Raw Value | Command | Time | Hex String | Length | Dec String | Dec Length |
|---|---|---|---|---|---|---|---|---|
| Jawad | Unlock | 01506083d6150027540152495682507919197895 | 0150 | 6083d615 | 0027540152495682507919197895 | 28 | 3115896676394019312557251721365 | 31 |
| Jawad | Lock | 06406083d617ad6ce0ebbc204fbba28d6e7bf857 | 0640 | 6083d617 | ad6ce0ebbc204fbba28d6e7bf857 | 28 | 3517483112611448062490557600757847 | 34 |
| Jawad | Unlock | 01506083d62000a6800439f63568812e3a09cdcd | 0150 | 6083d620 | 00a6800439f63568812e3a09cdcd | 28 | 13191494168044927701461223722445 | 32 |
| Jawad | Lock | 06406083d6204cac98cfceeca2b6534769bfdf6b | 0640 | 6083d620 | 4cac98cfceeca2b6534769bfdf6b | 28 | 1555137666776290574687554443927403 | 34 |
| Jawad | Unlock | 01506083d6290010ad6a43e996b8cb7c63646e92 | 0150 | 6083d629 | 0010ad6a43e996b8cb7c63646e92 | 28 | 1321319973771707624755671887506 | 31 |
| Jawad | Lock | 06406083d629eabe086de8c51114f46eb677a4b0 | 0640 | 6083d629 | eabe086de8c51114f46eb677a4b0 | 28 | 4761139806884418275587192987821232 | 34 |
| CNRD | Unlock | 01505c84ff2f0099cf13d74d5b246c38eb6cf702 | 0150 | 5c84ff2f | 0099cf13d74d5b246c38eb6cf702 | 28 | 12185996248041795362790266697474 | 32 |
| CNRD | Unlock | 01505c85028d0085c9d5a63ea4da470ce50688c6 | 0150 | 5c85028d | 0085c9d5a63ea4da470ce50688c6 | 28 | 10599810387639238348788187171014 | 32 |
| CNRD | Unlock | 01505c85029800f74dae629a1da681d98164a5c8 | 0150 | 5c850298 | 00f74dae629a1da681d98164a5c8 | 28 | 19593397305506998347794477262280 | 32 |
| CNRD | Unlock | 01505c8502a0009011e29d3b60c7cad22d5f3119 | 0150 | 5c8502a0 | 009011e29d3b60c7cad22d5f3119 | 28 | 11414390606963129862267355476249 | 32 |

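The field split used in the table above (2-byte command, 4-byte time, 14-byte remainder), as an added example that is not part of the original comment or of the yeelock project. Reading the 4-byte field as big-endian Unix seconds is an assumption (the table only labels it "Time"), and the names `Frame`, `parse_frame` and `summarize` are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Values copied from the capture table in the comment above.
CAPTURES = [
    "01506083d6150027540152495682507919197895",
    "06406083d617ad6ce0ebbc204fbba28d6e7bf857",
    "01506083d62000a6800439f63568812e3a09cdcd",
    "06406083d6204cac98cfceeca2b6534769bfdf6b",
    "01505c84ff2f0099cf13d74d5b246c38eb6cf702",
]

# Command labels as given in the comment's table.
COMMANDS = {"0150": "unlock", "0640": "lock"}


@dataclass(frozen=True)
class Frame:
    command: str    # first 2 bytes, as hex
    action: str     # label from COMMANDS, or "unknown"
    timestamp: int  # next 4 bytes, read as a big-endian integer
    tail: bytes     # remaining 14 bytes; meaning not established on the page

    @property
    def utc(self) -> str:
        # Assumption: the "Time" column holds Unix seconds.
        return datetime.fromtimestamp(self.timestamp, timezone.utc).isoformat()


def parse_frame(hex_value: str) -> Frame:
    raw = bytes.fromhex(hex_value)  # raises ValueError on non-hex input
    if len(raw) != 20:
        raise ValueError(f"expected 20 bytes, got {len(raw)}")
    command = raw[:2].hex()
    return Frame(command, COMMANDS.get(command, "unknown"),
                 int.from_bytes(raw[2:6], "big"), raw[6:])


def summarize(values):
    """Return (action, UTC time, tail hex) for each captured value."""
    return [(f.action, f.utc, f.tail.hex()) for f in map(parse_frame, values)]


if __name__ == "__main__":
    for action, utc, tail in summarize(CAPTURES):
        print(f"{action:7} {utc}  {tail}")
```

Under that assumption the time fields decode to dates in April 2021 for the first four captures and March 2019 for the last one.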

jawadaq82 commented 3 years ago

We are able to control the Yeelock Bluetooth lock and we have created our own android app for this.

Please get back to me by email if interested in our services.

jawadaq82 commented 3 years ago

Our app is live on Google Play https://play.google.com/store/apps/details?id=com.basecampit.smartbox