Connection to YunChen Smart Scale

[pkscwc]

Dear Olie,

I have recently purchased this Yunchen Brand smart scale. Can you add it as one of supported scales in your program.

I have tried using some hcitool and GATTtool commands to get relevant handles and UUIDs for this scale.

It is based on Texas Instrument chip.

Output of GATTTool commands like Primary & char-desc-hnd are given below:

Result of GATTtool log : command "primary"

attrhandle:0x0001,endgrp handle:0x0007 uuid:00001800-0000-1000-8000-00805f9b34fb attrhandle:0x0008,endgrp handle:0x000a uuid:0000180a-0000-1000-8000-00805f9b34fb attrhandle:0x000b,endgrp handle:0x000e uuid:00010203-0405-0607-0809-0a0b0c0d1912 attrhandle:0x000f,endgrp handle:0x0013 uuid:0000ffaa-0000-1000-8000-00805f9b34fb attrhandle:0x0014,endgrp handle:0x001c uuid:0000fff0-0000-1000-8000-00805f9b34fb

Result of GATTtool log : command "char-desc"

handle:0x0001,uuid:00002800-0000-1000-8000-00805f9b34fb handle:0x0002,uuid:00002803-0000-1000-8000-00805f9b34fb handle:0x0003,uuid:00002a00-0000-1000-8000-00805f9b34fb handle:0x0004,uuid:00002803-0000-1000-8000-00805f9b34fb handle:0x0005,uuid:00002a01-0000-1000-8000-00805f9b34fb handle:0x0006,uuid:00002803-0000-1000-8000-00805f9b34fb handle:0x0007,uuid:00002a04-0000-1000-8000-00805f9b34fb handle:0x0008,uuid:00002800-0000-1000-8000-00805f9b34fb handle:0x0009,uuid:00002803-0000-1000-8000-00805f9b34fb handle:0x000a,uuid:00002a50-0000-1000-8000-00805f9b34fb handle:0x000b,uuid:00002800-0000-1000-8000-00805f9b34fb handle:0x000c,uuid:00002803-0000-1000-8000-00805f9b34fb handle:0x000d,uuid:00010203-0405-0607-0809-0a0b0c0d2b12 handle:0x000e,uuid:00002901-0000-1000-8000-00805f9b34fb handle:0x000f,uuid:00002800-0000-1000-8000-00805f9b34fb handle:0x0010,uuid:00002803-0000-1000-8000-00805f9b34fb handle:0x0011,uuid:0000ffab-0000-1000-8000-00805f9b34fb handle:0x0012,uuid:00002902-0000-1000-8000-00805f9b34fb handle:0x0013,uuid:00002901-0000-1000-8000-00805f9b34fb handle:0x0014,uuid:00002800-0000-1000-8000-00805f9b34fb handle:0x0015,uuid:00002803-0000-1000-8000-00805f9b34fb handle:0x0016,uuid:0000fff4-0000-1000-8000-00805f9b34fb handle:0x0017,uuid:00002902-0000-1000-8000-00805f9b34fb handle:0x0018,uuid:00002901-0000-1000-8000-00805f9b34fb handle:0x0019,uuid:00002803-0000-1000-8000-00805f9b34fb handle:0x001a,uuid:0000fff1-0000-1000-8000-00805f9b34fb handle:0x001b,uuid:00002902-0000-1000-8000-00805f9b34fb handle:0x001c,uuid:00002901-0000-1000-8000-00805f9b34fb

The values received from each handle above through command "char-read-hnd" in above order are given under:

0018 12 59756e4368656e0000000000000000000000 02 0000 02 140028000000e803 0a18 02 028a2466820100 12190d0c0b0a09080706050403020100 16 00 4f5441 aaff 14 0000000000000000000000000000000000000000 0000 436d64205257 f0ff 10 0000000000000000000000000000000000000000 0000 53707020524f 04 0000000000000000000000000000000000000000 0000 53707020574f

I have browsed through files hosted at openScale/android_app/app/src/main/java/com/health/openscale/core/bluetooth/

and found that four of the java files use these UUIDs.

Like: BluetoothBeurerBF700_800 and BluetoothSanitasSbf70 use

UUIDs of 00002A00, 01, 04 and 50.

BluetoothDigooDGSO38H and BluetoothExcelvanCF369BLE use UUIDs of 0000FFF0, 1 and 4.

I hope it helps.

[oliexdev]

Hi @pkscwc

I can't find this scale on the internet. :thinking: Do you have a link to the vendors website?

Did you read the wiki about how to reverse engineer a Bluetooth scale? Maybe this helps a bit too how you do it on a real device.

You have to analyse the incoming and outcoming values so we know which byte is used for what.

Some UUIDs are standard UUIDs but that doesn't mean that the data format are the same (but sure it could be possible).

I don't own this scale so its difficult to help in this stage. You have to do analyse the byte structure and the commands which are send from the your scale.

Btw. please use the Markdown code tags for posting source code or formatted output messages.

Best regards oli

[pkscwc]

I have some hci snoop logs.

On 14 Jan 2018 3:51 p.m., "OliE" notifications@github.com wrote:

Hi @pkscwc https://github.com/pkscwc

I can't find this scale on the internet. 🤔 Do you have a link to the vendors website?

Did you read the wiki https://github.com/oliexdev/openScale/wiki/How-to-reverse-engineer-a-Bluetooth-4.x-scale about how to reverse engineer a Bluetooth scale? Maybe this https://github.com/oliexdev/openScale/wiki/Xiaomi-Bluetooth-Mi-Scale helps a bit too how you do it on a real device.

You have to analyse the incoming and outcoming values so we know which byte is used for what.

Some UUIDs are standard UUIDs but that doesn't mean that the data format are the same (but sure it could be possible).

I don't own this scale so its difficult to help in this stage. You have to do analyse the byte structure and the commands which are send from the your scale.

Btw. please use the Markdown code tags for posting source code or formatted output messages.

Best regards oli

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-357501812, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GNx6pfYSUEImLy0IxINtBsXhyWuvhks5tKdUsgaJpZM4Rdh3c .

[oliexdev]

then try to analyse it with wireshark as described in the wiki.

[pkscwc]

OK. What data exactly may help us.

On 14 Jan 2018 5:28 p.m., "OliE" notifications@github.com wrote:

then try to analyse it with wireshark as described in the wiki.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-357506700, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GN7cCJ-0Ee3WSUgZ8-rMCo4t8DhLfks5tKevNgaJpZM4Rdh3c .

[pkscwc]

I have uploaded the blue pixel ble scan log having UUID s in it.

On 14 Jan 2018 3:51 p.m., "OliE" notifications@github.com wrote:

Hi @pkscwc https://github.com/pkscwc

I can't find this scale on the internet. 🤔 Do you have a link to the vendors website?

Did you read the wiki https://github.com/oliexdev/openScale/wiki/How-to-reverse-engineer-a-Bluetooth-4.x-scale about how to reverse engineer a Bluetooth scale? Maybe this https://github.com/oliexdev/openScale/wiki/Xiaomi-Bluetooth-Mi-Scale helps a bit too how you do it on a real device.

You have to analyse the incoming and outcoming values so we know which byte is used for what.

Some UUIDs are standard UUIDs but that doesn't mean that the data format are the same (but sure it could be possible).

I don't own this scale so its difficult to help in this stage. You have to do analyse the byte structure and the commands which are send from the your scale.

Btw. please use the Markdown code tags for posting source code or formatted output messages.

Best regards oli

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-357501812, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GNx6pfYSUEImLy0IxINtBsXhyWuvhks5tKdUsgaJpZM4Rdh3c .

[Dododappere]

@pkscwc if your scale uses the FFF1 characteristic I would try to make a copy of the Digoo scale handler code and configure OpenScale to accept your scale. With a bit of luck it will work....if it doesn't you need to do reverse engineering of the hci snoop logs to see what is going on.

[pkscwc]

Ok. Thanks. I will put in required efforts from my side also.

On 14 Jan 2018 10:05 p.m., "Dododappere" notifications@github.com wrote:

@pkscwc https://github.com/pkscwc if your scale uses the FFF1 characteristic I would try to make a copy of the Digoo scale handler code and configure OpenScale to accept your scale. With a bit of luck it will work....if it doesn't you need to do reverse engineering of the hci snoop logs to see what is going on.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-357523924, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GN7MUO5wrqj_QHuQuE4TetKtWhKWMks5tKizVgaJpZM4Rdh3c .

[pkscwc]

Hi Olie,

I have done some work today on wireshark and ble snoop.

Perhaps, got the values required.

Hope, it helps.

On Sun, Jan 14, 2018 at 10:05 PM, Dododappere notifications@github.com wrote:

@pkscwc https://github.com/pkscwc if your scale uses the FFF1 characteristic I would try to make a copy of the Digoo scale handler code and configure OpenScale to accept your scale. With a bit of luck it will work....if it doesn't you need to do reverse engineering of the hci snoop logs to see what is going on.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-357523924, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GN7MUO5wrqj_QHuQuE4TetKtWhKWMks5tKizVgaJpZM4Rdh3c .

[pkscwc]

Hi Olie,

I have attached the ble log file also.

On Wed, Jan 17, 2018 at 5:05 PM, Pankaj Kr Sharma pkscwc@gmail.com wrote:

Hi Olie,

I have done some work today on wireshark and ble snoop.

Perhaps, got the values required.

Hope, it helps.

On Sun, Jan 14, 2018 at 10:05 PM, Dododappere notifications@github.com wrote:

@pkscwc https://github.com/pkscwc if your scale uses the FFF1 characteristic I would try to make a copy of the Digoo scale handler code and configure OpenScale to accept your scale. With a bit of luck it will work....if it doesn't you need to do reverse engineering of the hci snoop logs to see what is going on.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-357523924, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GN7MUO5wrqj_QHuQuE4TetKtWhKWMks5tKizVgaJpZM4Rdh3c .

[oliexdev]

@pkscwc you didn't attach anything. Also you have to analyse the protocol format to find the weight and other data in the Bluetooth data packages.

[pkscwc]

Please check. I can see attachments sent in the email with desired details...

On 17 Jan 2018 11:55 p.m., "OliE" notifications@github.com wrote:

@pkscwc https://github.com/pkscwc you didn't attached anything. Also you have to analyse the protocol to find weight and other data in the Bluetooth data packages.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-358396861, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GN9ym55UiF1JgjN2V9ozjCjkHUCV3ks5tLjspgaJpZM4Rdh3c .

[erijo]

I didn't get the attachment either. Please see https://help.github.com/articles/file-attachments-on-issues-and-pull-requests/ for how to attach files.

[pkscwc]

OK thanks.

On 18 Jan 2018 2:18 p.m., "Erik Johansson" notifications@github.com wrote:

I didn't get the attachment either. Please see https://help.github.com/ articles/file-attachments-on-issues-and-pull-requests/ for how to attach files.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-358578004, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GN5UoXPxy_aqzZz5b1RzNMlYWF-Fmks5tLwVdgaJpZM4Rdh3c .

[pkscwc]

I have submitted it as a new issue with relevant files. Thanks.

On Thu, Jan 18, 2018 at 7:23 PM, Pankaj Kr Sharma pkscwc@gmail.com wrote:

OK thanks.

On 18 Jan 2018 2:18 p.m., "Erik Johansson" notifications@github.com wrote:

I didn't get the attachment either. Please see https://help.github.com/articles/file-attachments-on-issues- and-pull-requests/ for how to attach files.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-358578004, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GN5UoXPxy_aqzZz5b1RzNMlYWF-Fmks5tLwVdgaJpZM4Rdh3c .

[pkscwc]

YunchenLog.docx YunChen_only_filter.log

[oliexdev]

@pkscwc thanks for the files but I need more information.

1. Please provide a link to the vendors app
2. Please provide a link to the product page of your YunChen scale.
3. I need a photo of your scale for the gallery (same angle like the others)
4. I need the complete Bluetooth log file. Your YunChen_only_filter.log file filtered to much out. The commands from the vendors App are missing.

[pkscwc]

In a minute.

On Sun, Jan 21, 2018 at 1:59 PM, OliE notifications@github.com wrote:

@pkscwc https://github.com/pkscwc thanks for the files but I need more information.

1. Please provide a link to the vendors app
2. Please provide a link to the product page of your YunChen scale.
3. I need a photo of your scale for the gallery (same angle like the others)
4. I need the complete Bluetooth log file. Your YunChen_only_filter.log file filtered to much out. The commands from the vendors App are missing.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-359232257, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GN9BeQtR3zh692POFBpzDzcSoI7qJks5tMvV8gaJpZM4Rdh3c .

[pkscwc]

link to the product page of YunChen scale. Brand name is different. But, in bluetooth, it comes as Yunchen only.

https://www.amazon.in/gp/product/B071J756ZB/ref=oh_aui_detailpage_o06_s00?ie=UTF8&psc=1

We can copy the photo from amazon itself.

[pkscwc]

Vendors other products https://www.amazon.in/Health-Personal-Care-Hesley-Inc/s?ie=UTF8&field-brandtextbin=Hesley%20Inc&page=1&rh=n%3A1350384031

[pkscwc]

Vendor's app known as KeepFit https://play.google.com/store/apps/details?id=com.beikang&hl=en

[pkscwc]

The complete log. I just realized that I have filtered the commands from localhost to remote. This is the complete log containing all the bluetooth devices nearby to my mobile. Lot of garbage.

BtSnoop_17Jan2018.log

[pkscwc]

hope it helps.

[pkscwc]

In this file, I have tried to include both. scale to mobile and mobile to scale. scale_to_mobile_all.log

[pkscwc]

Another, filtered but having both way traffic log

scale_to_PERX_all.log

[oliexdev]

@pkscwc I implemented a first try for Hesley scale. Please try the latest dev version of openScale.

Some thinks that are not clear yet:

1. The scale is sending around 149 (:open_mouth: !) times the same command bytes a5:01:2c:ab:50:5a:29 to the scale. After every command the scale send sometimes mostly nothing or the weight with the body metrics.
2. Currently I don't know what the magic bytes a5:01:2c:ab:50:5a:29 are. Maybe the date and time are in these byte!?
3. Which date and exact time did you weight in the above log files?
4. What did you enter in the app for your body height and your age?

Do you receive any data from the scale with openScale? A toast message should popup with some hex bytes. Please post that here.

[oliexdev]

We can copy the photo from amazon itself.

I can't use the Amazon photo due to copyright reasons. Please take a photo of your scale by yourself and post it here. Thanks.

[pkscwc]

Dear Olie,

I have noticed the magic bytes a5:01:2c:ab:50:5a:29 and tried my level best to connect with them date and time formats. So far, there is nothing to link with them date and time. The exact date and time of each packet is logged and can be seen in Wireshark.

[pkscwc]

another one from today.

[pkscwc]

This cannot be a data or time string as it is same for both days i.e. 17th and 21st January. Date & time should be somewhere else.

[oliexdev]

@pkscwc It was just an idea but please give clear feedback what is working and what not otherwise we don't get any further in the reverse engineering process.

[pkscwc]

An image of the scale:

[pkscwc]

Dear Olie,

I am sorry. But, I don't know how to install developer version of openscale on my mobile. Is there any apk to download? I cannot find anything helpful.

with regards,

[pkscwc]

Ok. Got it, I have to install Android-Studio. Please give me some time.

[oliexdev]

Or use this APK file https://github.com/oliexdev/openScale/releases/tag/travis-dev-build

[pkscwc]

Install openScale-dev-build.apk . Yes found this. Thanks.

[pkscwc]

In Bluetooth logs, it is recognised as Yunchen only.

[pkscwc]

App installed without any error. It found my scale as Yunchen. After that, "trying to connect to Yunchen". And then " no bluetooth devices found".

I noticed that app bluetooth search timeout is rather short. Scale remains active for twice more time.

[pkscwc]

So, no readings for now.

[pkscwc]

[pkscwc]

I used the apk file. It connects but no data comes back from scale to app.

Can we change the magic number and try.

On Sun, Jan 21, 2018 at 9:40 PM, OliE notifications@github.com wrote:

Or use this APK file https://github.com/oliexdev/ openScale/releases/tag/travis-dev-build

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-359259476, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GNwm0Jn0qDmssdAVzeUAO0zW0mgPgks5tM2GDgaJpZM4Rdh3c .

[pkscwc]

nRF Connect, 2018-01-22 YunChen (78:9C:E7:0C:1F:F3) I 14:49:22.839 [Server] Server started V 14:49:22.858 Device Information (0x180A)

• PnP ID [R] (0x2A50) Unknown Service (00010203-0405-0607-0809-0a0b0c0d1912)
• Unknown Characteristic [N R WNR] (00010203-0405-0607-0809-0a0b0c0d2b12)    Characteristic User Description (0x2901)    Client Characteristic Configuration (0x2902) Unknown Service (0000ffaa-0000-1000-8000-00805f9b34fb)
• Unknown Characteristic [N WNR] (0000ffab-0000-1000-8000-00805f9b34fb)    Characteristic User Description (0x2901)    Client Characteristic Configuration (0x2902) Unknown Service (0000fff0-0000-1000-8000-00805f9b34fb)
• Unknown Characteristic [N] (0000fff4-0000-1000-8000-00805f9b34fb)    Characteristic User Description (0x2901)    Client Characteristic Configuration (0x2902)
• Unknown Characteristic [WNR] (0000fff1-0000-1000-8000-00805f9b34fb)    Characteristic User Description (0x2901) V 14:49:23.169 Connecting to 78:9C:E7:0C:1F:F3... D 14:49:23.169 gatt = device.connectGatt(autoConnect = false, TRANSPORT_LE) D 14:49:23.515 [Server callback] Connection state changed with status: 0 and new state: CONNECTED (2) I 14:49:23.515 [Server] Device with address 78:9C:E7:0C:1F:F3 connected V 14:49:23.515 [Server] Creating server connection... D 14:49:23.515 server.connect(device, autoConnect = false) D 14:49:23.521 [Callback] Connection state changed with status: 0 and new state: CONNECTED (2) I 14:49:23.521 Connected to 78:9C:E7:0C:1F:F3 D 14:49:23.524 wait(1600ms) D 14:49:23.545 [Broadcast] Action received: android.bluetooth.device.action.ACL_CONNECTED V 14:49:25.131 Discovering services... D 14:49:25.131 gatt.discoverServices() D 14:49:25.158 [Callback] Services discovered with status: 0 I 14:49:25.159 Services discovered V 14:49:25.186 Generic Access (0x1800)
• Device Name [N R] (0x2A00)
• Appearance [R] (0x2A01)
• Peripheral Preferred Connection Parameters [R] (0x2A04) Device Information (0x180A)
• PnP ID [R] (0x2A50) Unknown Service (00010203-0405-0607-0809-0a0b0c0d1912)
• Unknown Characteristic [N R WNR] (00010203-0405-0607-0809-0a0b0c0d2b12)    Characteristic User Description (0x2901) Unknown Service (0000ffaa-0000-1000-8000-00805f9b34fb)
• Unknown Characteristic [N WNR] (0000ffab-0000-1000-8000-00805f9b34fb)    Client Characteristic Configuration (0x2902)    Characteristic User Description (0x2901) Unknown Service (0000fff0-0000-1000-8000-00805f9b34fb)
• Unknown Characteristic [N] (0000fff4-0000-1000-8000-00805f9b34fb)    Client Characteristic Configuration (0x2902)    Characteristic User Description (0x2901)
• Unknown Characteristic [WNR] (0000fff1-0000-1000-8000-00805f9b34fb)    Client Characteristic Configuration (0x2902)    Characteristic User Description (0x2901) D 14:49:29.620 [Server callback] Connection state changed with status: 0 and new state: DISCONNECTED (0) I 14:49:29.620 [Server] Device disconnected D 14:49:29.667 [Callback] Connection state changed with status: 8 and new state: DISCONNECTED (0) E 14:49:29.667 Error 8 (0x8): GATT CONN TIMEOUT I 14:49:29.667 Disconnected D 14:49:29.814 [Broadcast] Action received: android.bluetooth.device.action.ACL_DISCONNECTED

[pkscwc]

Log by nRF logger

[oliexdev]

please fork the project and edit the BluetoothHesley.java file in Android Studio. In that file you can see the magic bytes which you can change. I can't help you much anymore because you have to do some kind of try and error analyses with your scale.

[pkscwc]

Hi Olie,

App now gets connected with scale. But it is not showing any measurement yet. Can we increase the bluetooth time-out of the app. It time-outs before the scale.

Any suggestion.

On Mon, Jan 22, 2018 at 8:55 PM, OliE notifications@github.com wrote:

please fork the project and edit the BluetoothHesley.java file in Android Studio. In that file you can see the magic bytes which you can change. I can't help you much anymore because you have to do some kind of try and error analyses with your scale.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/oliexdev/openScale/issues/140#issuecomment-359456905, or mute the thread https://github.com/notifications/unsubscribe-auth/AB4GNymGEaBoDIMZR8ktoimQDzlFSoKQks5tNKhzgaJpZM4Rdh3c .

[oliexdev]

@pkscwc It has nothing to do with the Bluetooth time-out. Please create some image with the BLE Scanner. Then I can check again of the right services and characteristic. But as I said you have to experiment with your scale.

[pkscwc]

Dear Olie,

I would like to express my sincere thanks for all the encouragements and actually writing the BluetoothHesley.java file for users of Hesley scale.

Yes, it worked.

I studied the logs in wireshark as suggested by you and tweaked the java file. The scale starts broadcasting the data as soon as it is activated. So, the use of magic bytes are still a mystery.

Relevant files are attached with screenshot. BluetoothHesley_worked_java.txt

[pkscwc]

Remaining data like fat etc is not present, because scale did not broadcast it.

[oliexdev]

I implemented your changes into the master repository. Use the latest development version of openScale.

I guess to get the remaining data we have to figure out what the magic bytes are. Until then I will close this issue. If you find a solution create a new issue or PR or reply to this issue.

[pkscwc]

Dear Olie,

It looks like that I made a mistake. It is not getting connected. I only read my manually entered data. I have updated some information in the java file. Particularly the data test part, data [1] = 0x01 should be 0xc1. I have altogether removed it. But, still it is not working. Although, in the log file, it clearly shows that scale is returning full data (including fat etc ) after receiving the magic bytes.

Your expert opinion is required. BluetoothHesley.java.txt os30jan8640.log

[pkscwc]

Further, the toast commands are not creating any message window. What to do?