custom-components / ble_monitor

BLE monitor for passive BLE sensors
https://community.home-assistant.io/t/passive-ble-monitor-integration/
MIT License

Yeelight Bluetooth Rotary Dimmer Switch YLKG07YL/YLKG08YL #289

Closed Ernst79 closed 3 years ago

Ernst79 commented 3 years ago

Request from @latel for support for Yeelight Bluetooth Rotary Dimmer Switch (model YLKG08L) https://www.aliexpress.com/item/32973439343.html?spm=2114.search0104.3.17.6edd4cb7NgQMcK&ws_ab_test=searchweb0_0,searchweb201602_2_10065_10068_319_10059_10884_317_10887_10696_321_322_453_10084_454_10083_10103_10618_10307_10820_10301_10821_10303_537_536_10902,searchweb201603_51,ppcSwitch_0&algo_expid=18475432-ec47-461e-b642-4cf806469bf6-5&algo_pvid=18475432-ec47-461e-b642-4cf806469bf6&transAbTest=ae803_5

I think what we need is here: [nccchirag/yeelight-ble-rotary-dimmer#1](https://github.com/nccchirag/yeelight-ble-rotary-dimmer/issues/1)

Ernst79 commented 3 years ago

@latel I checked the link you gave, and I noticed that they say the device isn't able to connect to MiHome, but it connects to a ceiling light directly, so it's not possible to get the encryption key easily. Can you confirm these findings?

The problem is that the messages are encrypted. I copied one of the messages from the link you gave, added the first part myself (before 95 FE) to get (almost) the full message. The dimmer switch is the last line in the table. It seems to be missing the MAC TAG, as you can see.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HCI  Evt Len Sub Num Evt  Peer -------MAC-------   Len Len Type Val Len  AD  Xiaomi Frame Product Frame     MAC (LE)        ----------------------PAYLOAD------------  RSSI
type code    evt rep type addr                             flag         type  UUID   ctrl  type    cnt                          cypher            ext.cnt     MAC tag
 A    B  C    D  E    F    G          H            I   J    K   L   M    N     O      P     Q      R           S            
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 04   3E 2B  02  01   00   00  6D C4 CC 50 EC 50   1F  02   01  06  1B   16  95 FE  58 59  F6 07   8E   6D C4 CC 50 EC 50   C1 97 EA 28 FD 7B     3A 01 00  73 CC DF B1  BC
 04   3e 2b  02  01   00   00  6d c4 cc 50 ec 50   1f  02   01  06  1b   16  95 fe  58 59  f6 07   2b   6d c4 cc 50 ec 50   8b 88 e3 50 1d 95     1c 01 00  21 7c a4 39  cd
 04   3e 2b  02  01   00   00  6d c4 cc 50 ec 50   1f  02   01  06  1b   16  95 fe  58 59  f6 07   2f   6d c4 cc 50 ec 50   0c 2e a3 7e e7 10     1c 01 00  0a 79 18 d8  cb
 04   3e 2b  02  01   00   00  bf a7 39 27 d1 28   1f  02   01  06  1b   16  95 fe  58 59  bf 07   55   bf a7 39 27 d1 28   0d 67 14 2a ab 1c     02 00 00  25 f9 50 1a  bf
 04   3e 27  02  01   00   00  38 1F C3 41 24 F8   1b  02   01  06  17   16  95 FE  58 30  B6 03   7B   38 1F C3 41 24 F8   83 7E 33 ED 9C B5     08 00 00               5C

Could you do a check by collecting some messages with sudo hcidump --raw hci > dump.txt. These might have the full message with the missing MAC tag.

The encryption key can normally be found with method 1, 3 and 4 from our FAQ. In case it can't connect to MiHome, you will probably have to use method 4 and sniff the encryption key while connecting it to the ceiling light.

keniji commented 3 years ago

> @latel I checked the link you gave, and I noticed that they say the device isn't able to connect to MiHome, but it connects to a ceiling light directly, so it's not possible to get the encryption key easily. Can you confirm these findings?
>
>   • Are you able/not able to connect it to MiHome?
>   • Could you do a check (just for sure) that the encryption key isn't stored in the Xiaomi cloud. You can use xiaomi cloud token extractor to check this.
>
> The problem is that the messages are encrypted. I copied one of the messages from the link you gave, added the first part myself (before 95 FE) to get (almost) the full message. The dimmer switch is the last line in the table. It seems to be missing the MAC TAG, as you can see.
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> HCI  Evt Len Sub Num Evt  Peer -------MAC-------   Len Len Type Val Len  AD  Xiaomi Frame Product Frame     MAC (LE)        ----------------------PAYLOAD------------  RSSI
> type code    evt rep type addr                             flag         type  UUID   ctrl  type    cnt                          cypher            ext.cnt     MAC tag
>  A    B  C    D  E    F    G          H            I   J    K   L   M    N     O      P     Q      R           S            
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>  04   3E 2B  02  01   00   00  6D C4 CC 50 EC 50   1F  02   01  06  1B   16  95 FE  58 59  F6 07   8E   6D C4 CC 50 EC 50   C1 97 EA 28 FD 7B     3A 01 00  73 CC DF B1  BC
>  04   3e 2b  02  01   00   00  6d c4 cc 50 ec 50   1f  02   01  06  1b   16  95 fe  58 59  f6 07   2b   6d c4 cc 50 ec 50   8b 88 e3 50 1d 95     1c 01 00  21 7c a4 39  cd
>  04   3e 2b  02  01   00   00  6d c4 cc 50 ec 50   1f  02   01  06  1b   16  95 fe  58 59  f6 07   2f   6d c4 cc 50 ec 50   0c 2e a3 7e e7 10     1c 01 00  0a 79 18 d8  cb
>  04   3e 2b  02  01   00   00  bf a7 39 27 d1 28   1f  02   01  06  1b   16  95 fe  58 59  bf 07   55   bf a7 39 27 d1 28   0d 67 14 2a ab 1c     02 00 00  25 f9 50 1a  bf
>  04   3e 27  02  01   00   00  38 1F C3 41 24 F8   1b  02   01  06  17   16  95 FE  58 30  B6 03   7B   38 1F C3 41 24 F8   83 7E 33 ED 9C B5     08 00 00               5C
>
> Could you do a check by collecting some messages with sudo hcidump --raw hci > dump.txt. These might have the full message with the missing MAC tag.
>
> The encryption key can normally be found with method 1, 3 and 4 from our FAQ. In case it can't connect to MiHome, you will probably have to use method 4 and sniff the encryption key while connecting it to the ceiling light.

I have this switch too and I've also been monitoring that issue for a long time, and it seems it's not easy to step forward...

The way we pair it with the ceiling light is just to press a button on the top of it for 3 seconds, and MiHome is not needed at all during the process, so I guess we won't be able to get its encryption key with any method from the FAQ?

For now the only way I know so far to "see" this switch is to open the MiHome app, open the light combined with this switch, click the three dots, click Remote control and switch, then I will see this switch and its MAC. And, the reason why we're trying to decrypt is because we would like to use it to control another device (light), but what if this switch won't send any command data until it's combined with a light?

Ernst79 commented 3 years ago

> The way we pair it with the ceiling light is just to press a button on the top of it for 3 seconds, and MiHome is not needed at all during the process, so I guess we won't be able to get its encryption key with any method from the FAQ?

You might be able to use a sniffer to catch the encryption key. When you press the reset button, it will probably exchange a new key in a Bluetooth message that is sent from the switch to the ceiling light. But this is quite complicated (at least for me), as you have to figure out which message contains the key and how to extract it from the message. I know @magalex2x14 has done something like this to catch the key from a message between a sensor and MiHome. I assume it works the same way for the key exchange between the switch and light. But it will only be sent once (when pressing the reset button). Some sniffing tools are given in the FAQ, method 4.

Example of using a sniffing tool: https://community.home-assistant.io/t/passive-ble-monitor-integration-xiaomi-mijia-ble-mibeacon-monitor/177352/117

Unfortunately, I can't help you with this, I don't have this switch/light.

> And, the reason why we're trying to decrypt is because we would like to use it to control another device (light), but what if this switch won't send any command data until it's combined with a light?

That is the next problem to solve, but that seems to be easier to solve, e.g. with dummy devices. But it might not send anything, if not coupled to a ceiling light.

rezmus commented 3 years ago

afaik they use some proprietary yeelight encryption protocol, not mible. it can only be reversed from yeelight firmware.

latel commented 3 years ago

I've got in contact with the CEO of Yeelight; he told me this device uses the Mi BLE encryption protocol.

rezmus commented 3 years ago

you can get encryption key for yeelight bt devices (remote/dimmer) paired with ceiling light by sending miio cmd to device.

> {"id":1234,"method":"ble_dbg_tbl_dump","params":{"table":"evtRuleTbl"}}
> {"code":0,"id":1234,"result":[{"beaconkey":"00112233445566778899aabb","evtid":4097,"mac":"aabbccddeeff","pid":950},{"beaconkey":"bbaa998877665544332211","evtid":4097,"mac":"ffeeddccbbaa","pid":339}]}

pid 339 is yeelink.bleremote.v1 (remote), pid 950 is dimmer. mible decryption should work after.

Ernst79 commented 3 years ago

If someone can send a log with the option report_unknown: "xiaomi" and the encryption key, I will have a look.

rezmus commented 3 years ago

    // product ids (pid) of the Yeelight BLE remotes known to the plugin
    var RemoteControllerType = {
        BLERC: 339,    // yeelink.bleremote.v1 remote
        SEESAW: 950,   // rotary dimmer
        BHFRC: 959,    // bhf light remote
        VENFAN: 1254   // fan light remote
    };

there are also remotes for bhf/fan light.

virtual remote via miio cmd.

  // Key codes the plugin sends to the ceiling light as a "pseudo beacon":
  // event 4097 (0x1001) followed by the key value. _callMiSDKMethod is
  // provided by the Mi plugin SDK and is not part of this excerpt.
  var RemoteBeaconKeyEvent = {
    On: "RemoteBeaconKeyOn",
    Off: "RemoteBeaconKeyOff",
    ColorTemperature: "RemoteBeaconKeyColorTemperature",
    Plus: "RemoteBeaconKeyPlus",
    Mode: "RemoteBeaconKeyMode",
    Minus: "RemoteBeaconKeyMinus"
  };
  var KeyPressEvent = {
    Normal: "KeyPressEventNormal",
    Long: "KeyPressEventLong"
  };

  function _callRemoteBeaconKey(key, actionEvent, callback) {
    var keyValue = -1;  // stays -1 when the key/press combination is unknown

    if (actionEvent == KeyPressEvent.Normal) {
      // short press: key index 0..5 (on, off, colour temperature, +, mode, -)
      if (key == RemoteBeaconKeyEvent.On) {
        keyValue = "0";
      } else if (key == RemoteBeaconKeyEvent.Off) {
        keyValue = "1";
      } else if (key == RemoteBeaconKeyEvent.ColorTemperature) {
        keyValue = "2";
      } else if (key == RemoteBeaconKeyEvent.Plus) {
        keyValue = "3";
      } else if (key == RemoteBeaconKeyEvent.Mode) {
        keyValue = "4";
      } else if (key == RemoteBeaconKeyEvent.Minus) {
        keyValue = "5";
      }
    } else if (actionEvent == KeyPressEvent.Long) {
      // long press: 131072 (0x20000) + key index
      if (key == RemoteBeaconKeyEvent.On) {
        keyValue = "131072";
      } else if (key == RemoteBeaconKeyEvent.Off) {
        keyValue = "131073";
      } else if (key == RemoteBeaconKeyEvent.ColorTemperature) {
        keyValue = "131074";
      } else if (key == RemoteBeaconKeyEvent.Plus) {
        keyValue = "131075";
      } else if (key == RemoteBeaconKeyEvent.Mode) {
        keyValue = "131076";
      } else if (key == RemoteBeaconKeyEvent.Minus) {
        keyValue = "131077";
      }
    }

    return _callMiSDKMethod("set_ps", ["pseudo_beacon", "4097|" + keyValue], callback);
  }

rezmus commented 3 years ago

if you only have remote, but no ceiling, you can pair it with mijia app and check if ble adv can be decrypted.

rezmus commented 3 years ago

@Ernst79 i tested yeelight remote with mgl03 hub and looks like payload is decrypted without issues. you should be able to use it with ble_monitor even without ceiling. dimmer might be more tricky without ceiling, but should be also doable. i don't have any, can't test. from what i know it also sends 4097 (0x1001) events probably with dimmer position.

this is list of all events yeelight remote sends for keys in order on, off, sun, +, m, - and 2nd pass with long press.

{"did":"blt.X","eid":4097,"edata":"000000","pdid":339,"seq":113}
{"did":"blt.X","eid":4097,"edata":"010000","pdid":339,"seq":114}
{"did":"blt.X","eid":4097,"edata":"020000","pdid":339,"seq":115}
{"did":"blt.X","eid":4097,"edata":"030000","pdid":339,"seq":116}
{"did":"blt.X","eid":4097,"edata":"040000","pdid":339,"seq":117}
{"did":"blt.X","eid":4097,"edata":"050000","pdid":339,"seq":118}
{"did":"blt.X","eid":4097,"edata":"000002","pdid":339,"seq":119}
{"did":"blt.X","eid":4097,"edata":"010002","pdid":339,"seq":120}
{"did":"blt.X","eid":4097,"edata":"020002","pdid":339,"seq":121}
{"did":"blt.X","eid":4097,"edata":"030002","pdid":339,"seq":122}
{"did":"blt.X","eid":4097,"edata":"040002","pdid":339,"seq":123}
{"did":"blt.X","eid":4097,"edata":"050002","pdid":339,"seq":124}

Ernst79 commented 3 years ago

Thanks for the info. I need a full ble message to fully understand the format. Could you make a hcidump for me with the key (and mac)? Will make it much easier for me

rezmus commented 3 years ago

sorry, i don't have any bt dongle. it should be the same as yeelink.remote.remote switch which also sends 4097 events.

Ernst79 commented 3 years ago

Ok. I don't have the device myself, but could you give us the miio command we have to use? I've never used miio, but I assume it's this repo. But what command do you use to get the key? Is it as simple as:

npm install -g miio
miio discover
rezmus commented 3 years ago

you can use this npm miio, python-miio, php-miio, etc. send this cmd

{"id":1234,"method":"ble_dbg_tbl_dump","params":{"table":"evtRuleTbl"}}

your dimmer/remote must be paired with ceiling light. if you don't have ceiling light like me you can pair remote (maybe also dimmer) with special version of mijia app and get key same way you get it for other mijia ble devices.

Ernst79 commented 3 years ago

Thanks, but it's still a bit unclear how to send that command (sorry).

I don't have the ceiling light, nor the remote. I'm only the developer of ble_monitor, so I need some user to provide me with the data and key. @latel or @keniji, can one of you try to get the encryption key with the method of @rezmus? Please post it together with some logs generated with report_unknown: "Xiaomi".

rexbut commented 3 years ago

I have the ceiling light, the dimmer and the remote control, but how do I send the command?

Can you send the command?

rezmus commented 3 years ago

you need IP/TOKEN of your ceiling light. you can get it with token extractor (check ble monitor faqs for details).

install python-miio and send

miiocli device --ip IP --token TOKEN raw_command ble_dbg_tbl_dump '{"table":"evtRuleTbl"}'

or php-miio and send

php miio-cli.php --ip IP --token TOKEN --sendcmd '{"id":1234,"method":"ble_dbg_tbl_dump","params":{"table":"evtRuleTbl"}}'

rexbut commented 3 years ago

~# miiocli device --ip <IP> --token <TOKEN> raw_command ble_dbg_tbl_dump '{"table":"evtRuleTbl"}'
Running command raw_command
[{'mac': '8b98c54124f8', 'evtid': 4097, 'pid': 950, 'beaconkey': 'b853075158487ca39a5b5ea9'}, {'mac': '7450e94124f8', 'evtid': 4097, 'pid': 339, 'beaconkey': '471342543805f83c2caa9deb'}]

Remote: F8:24:41:E9:50:74

2021-05-11 21:42:48 INFO (Thread-4) [custom_components.ble_monitor.ble_parser.xiaomi] BLE ADV from UNKNOWN Xiaomi sensor: RSSI: -42, MAC: F82441E95074, ADV: 043e2b020100007450e94124f81f02010607097965652d7263131695fe51325301017450e94124f80200020110d6

Dimmer: F8:24:41:C5:98:8B

2021-05-11 21:55:58 INFO (Thread-3) [custom_components.ble_monitor.ble_parser.xiaomi] BLE ADV from UNKNOWN Xiaomi sensor: RSSI: -27, MAC: F82441C5988B, ADV: 043e2b020100008b98c54124f81f02010607097965652d7263131695fe5132b603018b98c54124f80200020110e5

Ernst79 commented 3 years ago

Thanks. Ill look into it the coming days.

Ernst79 commented 3 years ago

@rexbut The messages you posted are not encrypted, and do not contain much useful data. Both the dimmer (1st line) and the remote (2nd line) have the same data. The third line is for comparison, a regular LYWSDCGQ sensor.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HCI  Evt Len Sub Num Evt  Peer -------MAC-------   Len Len Type Val Len  AD  -----NAME-----     Len  AD  Xiaomi Frame Product Frame ------MAC--------   -----PAYLOAD------------- RSSI
type code    evt rep type addr                             flag         Type                        type  UUID   ctrl   ID    cnt                       type  Len   value
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 04   3e 2b  02  01   00   00  8b 98 c5 41 24 f8   1f  02   01  06  07   09  79 65 65 2d 72 63   13   16  95 fe  51 32  b6 03   01   8b 98 c5 41 24 f8   02 00  02   01 10          e5 yeelight dimmer
 04   3e 2b  02  01   00   00  74 50 e9 41 24 f8   1f  02   01  06  07   09  79 65 65 2d 72 63   13   16  95 fe  51 32  53 01   01   74 50 e9 41 24 f8   02 00  02   01 10          d6 yeelight remote
 04   3e 25  02  01   00   00  9b b8 dd a8 65 4c   19  02   01  06                               15   16  95 fe  50 20  aa 01   fe   9b b8 dd a8 65 4c   0d 10  04   b2 00  75 02   cb LYWSDCGQ

The dimmer and remote have two messages in one advertisement, a NAME and a PAYLOAD (besides MAC and RSSI).

NAME data: 07 09 79 65 65 2d 72 63 Length 07 bytes Type 09 (Complete Local Name) Name: 79 65 65 2d 72 63 which is in ASCII characters yee-rc

PAYLOAD data: 02 00 02 01 10 Type: 02 00 --> 0002 --> Easy pairing (see MIJIA website (use google translate, look for 0x0002)) Length 02 bytes data: 01 10 (normally to be read as 1001)

I'm not sure what the "easy pairing" parameter exactly means, probably that it is connected to a light or an app.

Other useful info Dimmer device code: b6 03 --> 03b6 --> 950 in dec (corresponds to pid from @rezmus) Remote device code: 53 01 --> 0153 --> 339 in dec (corresponds to pid from @rezmus)

I think we need other messages, @rexbut can you make another log, and try to press the remote / dimmer during that time. Post all messages you get, I will try to filter it.

rezmus commented 3 years ago

yeah device sends also some adv with edata 2, you need to push buttons to get 4097. it's possible that adv won't be encrypted at all due to short beacon key (such devices in mijia are usually plain).

{"did":"blt.X","eid":2,"edata":"0110","pdid":339,"seq":1}
{"did":"blt.X","eid":4097,"edata":"000000","pdid":339,"seq":5}

Ernst79 commented 3 years ago

Yes, the beacon key seems to be too short, normally it is 32 characters. But let’s wait for additional data from @rexbut first.

Strange thing is that @keniji has posted encrypted messages with device type f6 07 —> 07f6 —> pid = 2038

rezmus commented 3 years ago

there are a few yeelight remotes. in their plugins they have support for remote/dimmer and 2 remotes designed for bhf light and fan light, but i saw some more. for example remote from this light may also talk mible.

https://mi-home.pl/akcesoria/akcesoria-komputerowe/mi-computer-monitor-light-bar

    var RemoteControllerType = {
        BLERC: 339,
        SEESAW: 950,
        BHFRC: 959,
        VENFAN: 1254
    };

pid 2038 is yeelink.light.nl1 - Mi Motion-Activated Night Light 2. from your parser 0x07F6 = 2038.

b'\xF6\x07': ("MJYD02YL", True),

Ernst79 commented 3 years ago

Ah, sorry, you're right. I was looking at the wrong line in the table.

rexbut commented 3 years ago

~# hcidump -R -x 

Remote: F8:24:41:E9:50:74

04 3E 21 02 01 03 00 74 50 E9 41 24 F8 15 14 16 95 FE 50 30 53 01 3E 74 50 E9 41 24 F8 01 10 03 00 00 00 DD
04 3E 2B 02 01 00 00 74 50 E9 41 24 F8 1F 02 01 06 07 09 79 65 65 2D 72 63 13 16 95 FE 51 32 53 01 01 74 50 E9 41 24 F8 
04 3E 21 02 01 03 00 74 50 E9 41 24 F8 15 14 16 95 FE 50 30 53 01 3F 74 50 E9 41 24 F8 01 10 03 00 00 00 E0
04 3E 2B 02 01 00 00 74 50 E9 41 24 F8 1F 02 01 06 07 09 79 65 65 2D 72 63 13 16 95 FE 51 32 53 01 01 74 50 E9 41 24 F8 02 00 02 01 10 D3
04 3E 21 02 01 03 00 74 50 E9 41 24 F8 15 14 16 95 FE 50 30 53 01 32 74 50 E9 41 24 F8 01 10 03 02 00 00 DD 
04 3E 2B 02 01 00 00 74 50 E9 41 24 F8 1F 02 01 06 07 09 79 65 65 2D 72 63 13 16 95 FE 51 32 53 01 01 74 50 E9 41 24 F8 02 00 02 01 10 DE 
04 3E 21 02 01 03 00 74 50 E9 41 24 F8 15 14 16 95 FE 50 30 53 01 34 74 50 E9 41 24 F8 01 10 03 04 00 00 D8 
04 3E 2B 02 01 00 00 74 50 E9 41 24 F8 1F 02 01 06 07 09 79 65 65 2D 72 63 13 16 95 FE 51 32 53 01 01 74 50 E9 41 24 F8 02 00 02 01 10 D5 
04 3E 2B 02 01 00 00 74 50 E9 41 24 F8 1F 02 01 06 07 09 79 65 65 2D 72 63 13 16 95 FE 51 32 53 01 01 74 50 E9 41 24 F8 02 00 02 01 10 DF 
04 3E 21 02 01 03 00 74 50 E9 41 24 F8 15 14 16 95 FE 50 30 53 01 3B 74 50 E9 41 24 F8 01 10 03 00 00 00 DF

Dimmer: F8:24:41:C5:98:8B

04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 D0 8B 98 C5 41 24 F8 48 C7 ED 8C 12 AD 00 00 00 34 D9
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 D1 8B 98 C5 41 24 F8 8C 31 9A 1F 97 95 00 00 00 60 E5
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 D2 8B 98 C5 41 24 F8 C3 49 14 76 75 7E 00 00 00 99 DE
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 D3 8B 98 C5 41 24 F8 E7 AC 43 D1 2C 2F 00 00 00 7F E4
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 D4 8B 98 C5 41 24 F8 62 4F BF 3D CA D0 00 00 00 48 E6
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 D5 8B 98 C5 41 24 F8 70 92 E4 08 B7 84 00 00 00 03 E8
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 D7 8B 98 C5 41 24 F8 C9 69 55 28 32 01 00 00 00 92 E4
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 D8 8B 98 C5 41 24 F8 BA D1 51 D3 2F 24 00 00 00 D8 E4 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 B9 8B 98 C5 41 24 F8 07 FF 19 07 C6 00 00 00 00 2A D0 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 B9 8B 98 C5 41 24 F8 07 FF 19 07 C6 00 00 00 00 2A CC 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 B9 8B 98 C5 41 24 F8 07 FF 19 07 C6 00 00 00 00 2A D5 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 BA 8B 98 C5 41 24 F8 CD 4A 5C 36 DE 95 00 00 00 AD CE 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 BC 8B 98 C5 41 24 F8 CB B0 65 F4 64 C4 00 00 00 BF D3 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 BE 8B 98 C5 41 24 F8 A7 CD FB 28 25 FF 00 00 00 6C D1 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 C0 8B 98 C5 41 24 F8 EB E9 4F 27 97 9C 00 00 00 E4 D6 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 C1 8B 98 C5 41 24 F8 85 15 8A EF 27 9B 00 00 00 F6 D6 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 C2 8B 98 C5 41 24 F8 96 9E DB 25 FA FF 00 00 00 98 CD 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 C6 8B 98 C5 41 24 F8 C3 2D B2 42 D2 B4 00 00 00 5C CE 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 CC 8B 98 C5 41 24 F8 F9 49 88 3D DC 9D 00 00 00 6C D0 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 CE 8B 98 C5 41 24 F8 AF A6 D5 49 B5 95 00 00 00 E6 D2  
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 CF 8B 98 C5 41 24 F8 CC F9 53 02 50 00 00 00 00 BD E7

rezmus commented 3 years ago

it looks like remote payload is plain

01 10 03 00 00 00
01 10 03 00 00 00
01 10 03 02 00 00
01 10 03 04 00 00
01 10 03 00 00 00

and dimmer is encrypted.

Ernst79 commented 3 years ago

I've released 2.0.0-beta with initial support for the remote control (YLYK01YL). Dimmer will follow later.

The button being pressed is presented in the state of the remote sensor, the type of press (short press, long press or double press) is now added as an attribute. There is also a binary sensor (True/False), which is True when pressing on, + or - and False when pressing off (regardless of the type of press). While writing this, I realize that we should actually have three binary sensors, one for each type of press.

Please let me know if the sensors are working and are what you need. Some questions to think about.

rezmus commented 3 years ago

@Ernst79 can you check if sample dimmer payloads can be decrypted?

rexbut commented 3 years ago

2021-05-13 13:31:00 DEBUG (MainThread) [custom_components.ble_monitor.sensor] Data measuring sensor received: {'rssi': -37, 'mac': 'F82441E95074', 'type': 'YLYK01YL', 'packet': 171, 'firmware': 'Xiaomi (MiBeacon)', 'data': True, 'press': 'single press', 'remote': 'on', 'binary': 1}
2021-05-13 13:31:01 DEBUG (MainThread) [custom_components.ble_monitor.sensor] Data measuring sensor received: {'rssi': -36, 'mac': 'F82441E95074', 'type': 'YLYK01YL', 'packet': 172, 'firmware': 'Xiaomi (MiBeacon)', 'data': True, 'press': 'single press', 'remote': 'off', 'binary': 0}
2021-05-13 13:31:01 DEBUG (MainThread) [custom_components.ble_monitor.binary_sensor] Data binary sensor received: {'rssi': -32, 'mac': 'F82441E95074', 'type': 'YLYK01YL', 'packet': 173, 'firmware': 'Xiaomi (MiBeacon)', 'data': True, 'press': 'single press', 'remote': 'sun'}
2021-05-13 13:31:02 DEBUG (MainThread) [custom_components.ble_monitor.sensor] Data measuring sensor received: {'rssi': -34, 'mac': 'F82441E95074', 'type': 'YLYK01YL', 'packet': 174, 'firmware': 'Xiaomi (MiBeacon)', 'data': True, 'press': 'single press', 'remote': '+', 'binary': 1}
2021-05-13 13:31:03 DEBUG (MainThread) [custom_components.ble_monitor.sensor] Data measuring sensor received: {'rssi': -34, 'mac': 'F82441E95074', 'type': 'YLYK01YL', 'packet': 175, 'firmware': 'Xiaomi (MiBeacon)', 'data': True, 'press': 'single press', 'remote': '-', 'binary': 1}
2021-05-13 13:31:03 DEBUG (MainThread) [custom_components.ble_monitor.binary_sensor] Data binary sensor received: {'rssi': -33, 'mac': 'F82441E95074', 'type': 'YLYK01YL', 'packet': 176, 'firmware': 'Xiaomi (MiBeacon)', 'data': True, 'press': 'single press', 'remote': 'm'}

2021-05-13 13:31:05 DEBUG (MainThread) [custom_components.ble_monitor.sensor] Data measuring sensor received: {'rssi': -33, 'mac': 'F82441E95074', 'type': 'YLYK01YL', 'packet': 178, 'firmware': 'Xiaomi (MiBeacon)', 'data': True, 'press': 'long press', 'remote': 'off', 'binary': 0}

Ernst79 commented 3 years ago

@rezmus No, unfortunately not. The key is too short (should be 16 bytes, not 12). The payload seems to be too short as well to be able to contain a MAC TAG (normally 4 bytes).

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HCI  Evt Len Sub Num Evt  Peer -------MAC-------   Len Len Type Val Len  AD  Xiaomi Frame Product Frame     MAC (LE)        ----------------------PAYLOAD------------  RSSI
type code    evt rep type addr                             flag         type  UUID   ctrl  type    cnt                          cypher            ext.cnt     MAC tag
 A    B  C    D  E    F    G          H            I   J    K   L   M    N     O      P     Q      R           S            
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 04   3E 2A  02  01   00   00  C7 A8 D9 38 C1 A4   1E  02   01  06  1A   16  95 FE  58 58  5B 05   90   C7 A8 D9 38 C1 A4   2D E3 2D 7B 49        00 00 00  EF 49 D6 2E  CE   LYWSD03MMC (default firmware)
 04   3e 2b  02  01   00   00  6d c4 cc 50 ec 50   1f  02   01  06  1b   16  95 fe  58 59  f6 07   2f   6d c4 cc 50 ec 50   0c 2e a3 7e e7 10     1c 01 00  0a 79 18 d8  cb   illuminance + motion
 04   3E 25  02  01   03   00  8B 98 C5 41 24 F8   19  18                16  95 FE  58 30  B6 03   B9   8B 98 C5 41 24 F8   07 FF 19 07 C6 00     00 00 00  2A           D0   Yeelight dimmer

See also the discussion here, where they didn't manage to do the decryption after 1.5 years https://github.com/nccchirag/yeelight-ble-rotary-dimmer/issues/1

@rexbut, thanks for the fix. I also see that the measurements do have a packet number that increases; I was under the impression that it was always 1. My mistake, I'll remove the workaround (there is a check that the packet number has increased, otherwise the message is ignored).

rezmus commented 3 years ago

@Ernst79 what is mac tag? from api if key is short they fill it with 4xFF, but in this case payloads are always plain. anyway i think you picked wrong adv for test because these 3 next to each other look dummy (same payload bytes after mac), while all others have 6 random bytes.

04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 B9 8B 98 C5 41 24 F8 07 FF 19 07 C6 00 00 00 00 2A D0 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 B9 8B 98 C5 41 24 F8 07 FF 19 07 C6 00 00 00 00 2A CC 
04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 B9 8B 98 C5 41 24 F8 07 FF 19 07 C6 00 00 00 00 2A D5
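
As an added example (not code from ble_monitor or from anyone in this thread), the following Python walks the hcidump lines rexbut posted: it finds the 0xFE95 service data, reads the frame control bits that make the remote (0x3050) plain and the dimmer (0x3058) encrypted, decodes the remote's 0x1001 button object, and for the dimmer reports the 12-byte key and 1-byte tag discussed above instead of attempting AES-CCM. The 6-byte ciphertext length is an assumption taken from the plain button object; the two hcidump lines and the beaconkey are copied from the posts above.

```python
"""Decode the raw hcidump lines posted in this thread (added example for the
discussion, not code from ble_monitor or from any poster)."""

MI_SERVICE_UUID = b"\x95\xfe"  # 0xFE95 as it appears on air (little-endian)
# Button order from the 4097 events rezmus listed (on, off, sun, +, m, -) and
# the press-type byte seen in the thread: 0 = single press, 2 = long press.
BUTTONS = {0: "on", 1: "off", 2: "sun", 3: "+", 4: "m", 5: "-"}
PRESS = {0: "single press", 2: "long press"}
# Sample input: two lines copied from rexbut's hcidump and the dimmer's 12-byte
# beaconkey from the evtRuleTbl dump, all as posted in the thread.
REMOTE_ON = ("04 3E 21 02 01 03 00 74 50 E9 41 24 F8 15 14 16 95 FE 50 30 53 01 3E"
             " 74 50 E9 41 24 F8 01 10 03 00 00 00 DD")
DIMMER = ("04 3E 25 02 01 03 00 8B 98 C5 41 24 F8 19 18 16 95 FE 58 30 B6 03 D0"
          " 8B 98 C5 41 24 F8 48 C7 ED 8C 12 AD 00 00 00 34 D9")
DIMMER_KEY = "b853075158487ca39a5b5ea9"

def parse_hci_adv(hexline):
    """Split one hcidump line into (mac, advertising data, rssi)."""
    raw = bytes.fromhex(hexline.replace(" ", ""))
    # 04 3E len | 02 num evt_type addr_type | MAC (6, reversed) | data_len | data | rssi
    if raw[0:2] != b"\x04\x3e" or raw[3] != 0x02:
        raise ValueError("not an HCI LE Advertising Report")
    mac = raw[7:13][::-1].hex().upper()
    end = 14 + raw[13]
    rssi = raw[end] - 256 if len(raw) > end else None  # signed byte; None if cut short
    return mac, raw[14:end], rssi

def find_mibeacon(adv):
    """Walk the AD structures (len, type, body); return the FE95 service data."""
    i = 0
    while i + 1 < len(adv) and adv[i] != 0:
        length, ad_type = adv[i], adv[i + 1]
        body = adv[i + 2:i + 1 + length]
        if ad_type == 0x16 and body[:2] == MI_SERVICE_UUID:
            return body[2:]
        i += 1 + length
    return None

def decode_mibeacon(svc):
    """Decode frame control bits, product id, frame counter and MAC."""
    frame_ctrl = int.from_bytes(svc[0:2], "little")
    info = {"frame_ctrl": frame_ctrl, "version": frame_ctrl >> 12,
            "product_id": int.from_bytes(svc[2:4], "little"), "frame_cnt": svc[4]}
    for name, bit in (("encrypted", 0x08), ("mac_included", 0x10),
                      ("capability_included", 0x20), ("object_included", 0x40)):
        info[name] = bool(frame_ctrl & bit)
    pos = 5
    if info["mac_included"]:
        info["mac"] = svc[pos:pos + 6][::-1].hex().upper()
        pos += 6
    if info["capability_included"]:
        pos += 1  # capability byte, not needed here
    info["payload"] = svc[pos:]
    return info

def decode_button(payload):
    """Decode a plain object: type(2, LE) len(1) value; 0x1001 is the button."""
    obj_type, length = int.from_bytes(payload[0:2], "little"), payload[2]
    value = payload[3:3 + length]
    if obj_type != 0x1001 or length != 3:
        return {"object": hex(obj_type), "value": value.hex()}
    return {"object": "button", "button": BUTTONS.get(value[0], "unknown"),
            "press": PRESS.get(value[2], "unknown")}

def encrypted_layout(payload, key_hex=None, clear_len=6):
    """Split an encrypted payload as cipher | counter(3) | tag and list what
    stops the usual AES-CCM decryption (16-byte key, 4-byte tag). clear_len
    is an assumption: the plain button object is 6 bytes, so is its cipher."""
    problems = []
    key_len = len(bytes.fromhex(key_hex)) if key_hex else None
    if key_len is not None and key_len != 16:
        problems.append(f"key is {key_len} bytes, AES-CCM needs 16")
    counter, tag = payload[clear_len:clear_len + 3], payload[clear_len + 3:]
    if len(tag) != 4:
        problems.append(f"MAC tag is {len(tag)} byte(s), expected 4")
    return {"cipher": payload[:clear_len].hex(), "counter": counter.hex(),
            "tag": tag.hex(), "problems": problems}

def decode_line(hexline, key_hex=None):
    """Run the full pipeline on one hcidump line and return a dict of fields."""
    mac, adv, rssi = parse_hci_adv(hexline)
    svc = find_mibeacon(adv)
    if svc is None:
        return {"mac": mac, "rssi": rssi, "mibeacon": None}
    info = decode_mibeacon(svc)
    info["rssi"] = rssi
    info.setdefault("mac", mac)
    if info["encrypted"]:
        info["layout"] = encrypted_layout(info["payload"], key_hex)
    elif info["object_included"] and len(info["payload"]) >= 3:
        info["object"] = decode_button(info["payload"])
    return info

if __name__ == "__main__":
    print(decode_line(REMOTE_ON)["object"])          # button 'on', single press
    print(decode_line(DIMMER, DIMMER_KEY)["layout"])  # 12-byte key, 1-byte tag
```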

rexbut commented 3 years ago

@Ernst79 Plain remote payload starts with "04 3E 21" and contains "14 16 95"

04 3E 21 02 01 03 00 74 50 E9 41 24 F8 15 14 16 95 FE 50 30 53 01 3E 74 50 E9 41 24 F8 01 10 03 00 00 00 DD
04 3E 21 02 01 03 00 74 50 E9 41 24 F8 15 14 16 95 FE 50 30 53 01 3F 74 50 E9 41 24 F8 01 10 03 00 00 00 E0
04 3E 21 02 01 03 00 74 50 E9 41 24 F8 15 14 16 95 FE 50 30 53 01 32 74 50 E9 41 24 F8 01 10 03 02 00 00 DD 
04 3E 21 02 01 03 00 74 50 E9 41 24 F8 15 14 16 95 FE 50 30 53 01 34 74 50 E9 41 24 F8 01 10 03 04 00 00 D8 
04 3E 21 02 01 03 00 74 50 E9 41 24 F8 15 14 16 95 FE 50 30 53 01 3B 74 50 E9 41 24 F8 01 10 03 00 00 00 DF

Other:

04 3E 2B 02 01 00 00 74 50 E9 41 24 F8 1F 02 01 06 07 09 79 65 65 2D 72 63 13 16 95 FE 51 32 53 01 01 74 50 E9 41 24 F8 
04 3E 2B 02 01 00 00 74 50 E9 41 24 F8 1F 02 01 06 07 09 79 65 65 2D 72 63 13 16 95 FE 51 32 53 01 01 74 50 E9 41 24 F8 02 00 02 01 10 D3
04 3E 2B 02 01 00 00 74 50 E9 41 24 F8 1F 02 01 06 07 09 79 65 65 2D 72 63 13 16 95 FE 51 32 53 01 01 74 50 E9 41 24 F8 02 00 02 01 10 DE 
04 3E 2B 02 01 00 00 74 50 E9 41 24 F8 1F 02 01 06 07 09 79 65 65 2D 72 63 13 16 95 FE 51 32 53 01 01 74 50 E9 41 24 F8 02 00 02 01 10 D5 
04 3E 2B 02 01 00 00 74 50 E9 41 24 F8 1F 02 01 06 07 09 79 65 65 2D 72 63 13 16 95 FE 51 32 53 01 01 74 50 E9 41 24 F8 02 00 02 01 10 DF 

Ernst79 commented 3 years ago

@rexbut Let me know what you think of the generated sensors and attributes. If something needs to change, let me know.

rezmus commented 3 years ago

@rexbut can you log a few more adv for dimmer when you do same action several times? for example single click it (without rotate or anything).

rexbut commented 3 years ago

@Ernst79 The remote is working fine but I don't know yet if the remote is sending data to the battery image

Ernst79 commented 3 years ago

@rezmus. This is how Xiaomi MiBeacon encrypted messages are normally decrypted. The mac tag is called token in the encryption process below.

from Cryptodome.Cipher import AES

data_string = "043e2b020103000fc4e044ef541f0201061b1695fe58598d0a170fc4e044ef547cc27a5c03a1000000790df258bb"
aeskey = "FDD8CE9C08AE7533A79BDAF0BB755E96"

data = bytes(bytearray.fromhex(data_string))
key = bytes.fromhex(aeskey)

xiaomi_index = data.find(b'\x16\x95\xFE')
xiaomi_mac_reversed = data[xiaomi_index + 8:xiaomi_index + 14]
# xiaomi_mac_reversed: 0fc4e044ef54

device_type = data[xiaomi_index + 5:xiaomi_index + 7]
# device_type: 8d0a

nonce = b"".join([xiaomi_mac_reversed, device_type, data[xiaomi_index + 7:xiaomi_index + 8]])
# nonce: 0fc4e044ef548d0a17

encrypted_payload = data[xiaomi_index + 14:-1]
# encrypted_payload: 7cc27a5c03a1000000790df258

aad = b"\x11"

token = encrypted_payload[-4:]
# token: 790df258

payload_counter = encrypted_payload[-7:-4]
# payload_counter: 000000

nonce = b"".join([nonce, payload_counter])
# nonce: 0fc4e044ef548d0a17000000

cipherpayload = encrypted_payload[:-7]
# cipherpayload: 7cc27a5c03a1

cipher = AES.new(key, AES.MODE_CCM, nonce=nonce, mac_len=4)
cipher.update(aad)

decrypted_payload = cipher.decrypt_and_verify(cipherpayload, token)
# decrypted_payload: 0f0003000000

Ernst79 commented 3 years ago

@rexbut I enabled the battery sensor to test, as most sensors send battery info. This can take up to 24 hours. Please let me know tomorrow if it is still unknown, otherwise I will remove it.

Ernst79 commented 3 years ago

@rexbut, but what do you think about the binary sensor? It is now one binary sensor, which goes to True when pressing "on" with a single press, but also with a double press or long press.

Shouldn't this be split up into three different binary sensors? It will make automations easier, I guess (e.g. If long_press_binary_sensor to True do something, if short_press_binary_sensor to True do something else). But the same can already be achieved with the remote sensor, so we could also leave it out.

rezmus commented 3 years ago

afaik it does not support double click, only single and long.

rexbut commented 3 years ago

@rezmus Here is the click data:

 miiocli device --ip 192.168.5.54 --token edbdb50025c38535ca8d926247fe36f7 raw_command ble_dbg_tbl_dump '{"table":"evtRuleTbl"}'
Running command raw_command
[{'mac': '8b98c54124f8', 'evtid': 4097, 'pid': 950, 'beaconkey': 'b853075158487ca39a5b5ea9'}, {'mac': '7450e94124f8', 'evtid': 4097, 'pid': 339, 'beaconkey': '471342543805f83c2caa9deb'}]

I don't understand why but I reconnected the dimmer several times but I still have the same token.

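To make the layout from Ernst79's decryption snippet reusable on the frames logged in this thread, here is an added parser (example code, not part of ble_monitor and not posted by anyone in the thread) that reads the frame control word, product id, frame counter and MAC out of a raw HCI advertising report before the AES-CCM step, and runs on the v5 frame from the snippet and on one of the dimmer reports from rexbut's log. The bit positions follow the MiBeacon frame-control layout (bit 3 encrypted, bit 4 MAC included, bits 12-15 version), the product id it extracts is the same pid that the evtRuleTbl output lists for each MAC, and decrypt_v5 needs pycryptodomex like the snippet.

```python
from dataclasses import dataclass

XIAOMI_SERVICE_DATA = b"\x16\x95\xFE"   # AD type 0x16 + Xiaomi UUID 0xFE95 (LE)
# Two HCI reports from this thread: the v5 frame of the snippet, one dimmer frame.
SENSOR_V5 = bytes.fromhex("043e2b020103000fc4e044ef541f0201061b1695fe58598d0a170fc4e044ef547cc27a5c03a1000000790df258bb")
DIMMER_V3 = bytes.fromhex("043e25020103008b98c54124f819181695fe5830b603368b98c54124f88bb8f2661351000000d6ef")

@dataclass
class MiBeacon:
    version: int            # frame control bits 12-15
    is_encrypted: bool      # frame control bit 3
    device_type: bytes      # product id, little-endian as sent on air
    frame_counter: int
    mac_reversed: bytes     # MAC as sent on air (reversed byte order)
    payload: bytes          # everything after the MAC, RSSI byte stripped

    @property
    def mac(self) -> str:
        return ":".join(f"{b:02X}" for b in self.mac_reversed[::-1])

def parse_mibeacon(hci: bytes) -> MiBeacon:
    i = hci.find(XIAOMI_SERVICE_DATA)
    if i < 0:
        raise ValueError("no Xiaomi service data in this report")
    frctrl = int.from_bytes(hci[i + 3:i + 5], "little")
    if not (frctrl >> 4) & 1:   # MAC-include flag; the offsets below assume it
        raise ValueError("frame without MAC is not handled here")
    return MiBeacon(
        version=frctrl >> 12,
        is_encrypted=bool((frctrl >> 3) & 1),
        device_type=hci[i + 5:i + 7],
        frame_counter=hci[i + 7],
        mac_reversed=hci[i + 8:i + 14],
        payload=hci[i + 14:-1],   # last byte of the HCI event is RSSI
    )

def split_encrypted(payload: bytes):
    if len(payload) < 7:
        raise ValueError("payload too short for counter + token")
    return payload[:-7], payload[-7:-4], payload[-4:]   # ciphertext, counter, token

def decrypt_v5(hci: bytes, key: bytes) -> bytes:
    """AES-CCM step exactly as in the snippet above (needs pycryptodomex)."""
    from Cryptodome.Cipher import AES
    b = parse_mibeacon(hci)
    cipherpayload, counter, token = split_encrypted(b.payload)
    nonce = b.mac_reversed + b.device_type + bytes([b.frame_counter]) + counter
    cipher = AES.new(key, AES.MODE_CCM, nonce=nonce, mac_len=4)
    cipher.update(b"\x11")    # the fixed AAD byte from the snippet
    return cipher.decrypt_and_verify(cipherpayload, token)
```

On the dimmer frame the parser reports version 3 and a 10-byte trailer, so the v5 split leaves only 3 bytes of ciphertext and puts the visible 000000 into the token position, which is the length mismatch the thread is chasing.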
rezmus commented 3 years ago

tx! i've noticed this before with my remote paired with mijia app. ble key did not change.

Ernst79 commented 3 years ago

This token, isn't that from a hub? It has an IP address?

I see that you mention the mijia app. Did you ever try https://github.com/PiotrMachowski/Xiaomi-cloud-tokens-extractor to get a key?

rexbut commented 3 years ago

@Ernst79 Yes, I use a "Yeelight YLXD76YL" to get the "beaconkey"

rezmus commented 3 years ago

token/ip is from ceiling light. he meant ble/beacon key which usually changes each time you pair device, but not for yeelight dimmer/remote. btw: notice longer data adv for dimmer, there is same event 2 at the end which was present for remote. i'm pretty sure we can decrypt payload with ble key, we just need to find a way how ;)

@Ernst79 to use cloud api 1st you need to bind remote to mijia app and you can't do it with stock one. not sure if you remember, but i was the one who posted api call for ble key used by token extractor ;)

Ernst79 commented 3 years ago

Yes, I remember (now).

Are you sure beacon_key is the encryption key? I know that in Xiaomi cloud tokens extractor you get a 12-byte (24 char) token for each device and a 16-byte (32 char) beaconkey.

The length of the beacon_key seems to be the same as the length of the so called token.

About the event 2 messages, both remote and dimmer seem to send these unencrypted messages. But I didn't do anything with this for now.

rezmus commented 3 years ago

token is used for wifi devices to encrypt local miio, while beaconkey is used by ble devices for ble adv encryption. encrypted devices usually use 16 bytes ble key during bind process, while unencrypted send 12 bytes. it is filled with FF when ble gateway pulls the key from the cloud (it's not used anyway due to plain payload).

{"id":555,"result":{"operation":"query_dev","did":"blt.X","mac":"C4:7C:8D:XX:XX:XX","pdid":152,"ttl":1800,"token":"ca4c96ee2c095457xxxxxxxx","beaconkey":"000102030405060708090a0bFFFFFFFF"}}

000102030405060708090a0b - was sent by device as ble/beaconkey to cloud during pair process. you can ignore token part because it's not used in ble adv decryption.

btw: i think they don't change ble key so you can pair remote/dimmer with many lights (all adv encrypted with same key).

Ernst79 commented 3 years ago

Ok. So to summarize, this dimmer device is using another type of encryption than all other Xiaomi MiBeacon sensors. We need to figure out what kind of encryption is used. I have to google and learn the basics of encryption first, I'm afraid.

rezmus commented 3 years ago

i think it might be some variation of mible decryption used before current one. do you know who (or which project) made mible decryption opensource? maybe we can find some answers there.

i try to connect dimmer to mijia, but there are some issues atm. when i'm done i can check if silabs binary on mgl03 can decode dimmer payload (if it's part of mible sdk).

Ernst79 commented 3 years ago

@Magalex2x14 made the decryption in the past. He wrote this page explaining the decryption, but so far, all sensors have followed this decryption method (AES, MODE_CCM).

https://github.com/Magalex2x14/LYWSD03MMC-info

This is the official documentation, I'm looking for encryption info right now (with the help of google translate) https://iot.mi.com/new/doc/embedded-development/ble/overview

Some quotes for reference: https://iot.mi.com/new/doc/embedded-development/ble/ble-standard/function-dev

2. Data transmission: Users can use the stdio_tx() interface in the Demo program to send data. When the stdio_tx() interface sends data, mi_session_encrypt() encrypts the data first, and the encrypted data carries 6 bytes of additional information compared to the plaintext data; then the mible_gatts_notify_or_indicate() interface is used to send the data. For details, please refer to the content in the Demo program.

3. Data reception: After receiving the encrypted data, the BLE device calls the get_mi_authorization() interface to determine the current state, then uses the mi_session_decrypt() interface to decrypt the data, and reports the decrypted data to the application layer for rx_handler processing. For details, please refer to the content in the Demo program.

The code for mi_session_decrypt() can be found in this topic

mi_session_decrypt() does not seem to exist anymore and is now being replaced with ccm.h. According to this, the key must be 16 bytes long: https://github.com/MiEcosystem/mijia_ble_common/blob/master/ccm.h

Ernst79 commented 3 years ago

This page is interesting. It does not look encrypted, at least you can recognize the type of press. Perhaps the rest is the angle?

https://github.com/archaron/docs/blob/master/BLE/ylkg08y.md