glacambre
commented
2 years ago I'm aware that you probably can't do anything without having access to captures of the data synchronization step between the official app and the scale. This is why I attempted to add support by myself, but my lack of android development and bluetooth knowledge is hindering me. So far, I managed to hack openScale to accept my scale:
diff --git a/android_app/app/src/main/java/com/health/openscale/core/bluetooth/BluetoothFactory.java b/android_app/app/src/main/java/com/health/openscale/core/bluetooth/BluetoothFactory.java
index 8985d008..62f0f07b 100644
--- a/android_app/app/src/main/java/com/health/openscale/core/bluetooth/BluetoothFactory.java
+++ b/android_app/app/src/main/java/com/health/openscale/core/bluetooth/BluetoothFactory.java
@@ -136,6 +136,9 @@ public class BluetoothFactory {
if (deviceName.equals("CH100")){
return new BluetoothHuaweiAH100(context);
}
+ if (deviceName.equals("Body+ 3C")){
+ return new BluetoothBodyPlus3C(context);
+ }
return null;
}
}With BluetoothBodyPlus3C.java looking like this:
package com.health.openscale.core.bluetooth;
import android.content.Context;
import android.os.Handler;
import com.health.openscale.core.OpenScale;
import com.health.openscale.core.datatypes.ScaleUser;
import java.util.UUID;
import timber.log.Timber;
public class BluetoothBodyPlus3C extends BluetoothCommunication {
private static final UUID SERVICE_BODYPLUS3C_CUSTOM_SERVICE = BluetoothGattUuid.fromShortCode(0xfaa0);
private static final UUID SERVICE_BODYPLUS3C_CUSTOM_RECEIVE = BluetoothGattUuid.fromShortCode(0xfaa2);
private enum STEPS {
INIT,
}
private Context context;
private Handler beatHandler;
public BluetoothBodyPlus3C(Context context) {
super(context);
this.context = context;
this.beatHandler = new Handler();
}
@Override
public String driverName() {
return "Withings Body+ 3C";
}
@Override
protected boolean onNextStep(int stepNr) {
STEPS step;
try {
step = STEPS.values()[stepNr];
} catch (Exception e) {
// stepNr is bigger then we have in STEPS
return false;
}
switch (step) {
case INIT:
// wait scale wake up
Timber.d("BODYPLUS3C::onNextStep step 0 = set notification");
final ScaleUser selectedUser = OpenScale.getInstance().getSelectedScaleUser();
// Setup notification
setNotificationOn(SERVICE_BODYPLUS3C_CUSTOM_SERVICE, SERVICE_BODYPLUS3C_CUSTOM_RECEIVE);
stopMachineState();
break;
}
return true;
}
@Override
public void onBluetoothNotify(UUID characteristic, byte[] value) {
Timber.d("BODYPLUS3C::onBluetoothNotify uuid: %s", characteristic.toString());
}
}But I'm quite lost about what the next steps are - in particular, I have a hard time deciphering the bluetooth logs. I've found that asking wireshark to filter out everything except RFCOMM packets seem to only keep what's truly important, but I'm at a loss as to what to do exactly. My first guess would be to perform a diff between my various logs, see what parts are different between the various files and then hone in on them, trying to figure out how to tie them to known values.
Do you have any tool/recommended reading to proceed with this? How do you usually proceed?
Scale name Withings Body+ 3C. The model I have is Nokia-branded (withings was temporarily aquired by Nokia), but I don't think this has an impact on the scale's internals. The official application is withings healthmate.
Step 1: Read the general reverse engineer process
Step 2: Acquiring some Bluetooth traffic
Unfortunately, this scale is shared with other persons and it looks like the logs seem to contain personal information about these other persons, so I can't share the files (I can see their names in some of the bluetooth packets).
Step 3: Discover Bluetooth services and characteristic The scale has two steps: setup and synchronization. Here are the logs taken through openScale when the scale is in "setup" mode: btsnoop_hci_openscale_init1.log And here are the logs taken through openScale when the scale has been setup with the official app: btsnoop_hci_openscale1.log