Fitbit Aria Air support (unlikely?) #1105

Open
drinkcat opened this issue Jan 12, 2025 · 0 comments

Device: Fitbit Aria Air

That scale is a bit flaky with the official app, so I was hoping to make it work with openScale.

Sadly, it seems like the data is encrypted in some way, so support seems unlikely (no idea where the key is; I also captured the pairing process and couldn't see anything obvious).

I'm dropping this here to leave a trace behind of my experiments yesterday (so that others don't waste time, or at least know what they are getting into...), but if there's any simple experiment I can try, I'd be happy to.

A sample Handle Value Indication packet looks like this after decoding in Wireshark (removed some non-relevant data for privacy):

Frame 4277: 31 bytes on wire (248 bits), 31 bytes captured (248 bits)
    Encapsulation type: Bluetooth H4 with linux header (99)
    ...
    Frame Number: 4277
    Frame Length: 31 bytes (248 bits)
    Capture Length: 31 bytes (248 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    Point-to-Point Direction: Received (1)
    [Protocols in frame: bluetooth:hci_h4:bthci_acl:btl2cap:btatt]
Bluetooth
    [Source: TelinkSemico_XXX (a4:c1:38:XXX)]
    [Destination: XXX]
Bluetooth HCI H4
    [Direction: Rcvd (0x01)]
    HCI Packet Type: ACL Data (0x02)
Bluetooth HCI ACL Packet
    .... 0000 0100 0010 = Connection Handle: 0x042
    ..10 .... .... .... = PB Flag: First Automatically Flushable Packet (2)
    00.. .... .... .... = BC Flag: Point-To-Point (0)
    Data Total Length: 26
    Data
    [Connect in frame: 4054]
    [Disconnect in frame: 4343]
    [Source BD_ADDR: TelinkSemico_XXX (a4:c1:38:XXX)]
    [Source Device Name: Aria Air]
    [Source Role: Unknown (0)]
    [Destination BD_ADDR: XXX]
    [Destination Role: Unknown (0)]
    [Current Mode: Unknown (-1)]
Bluetooth L2CAP Protocol
    Length: 22
    CID: Attribute Protocol (0x0004)
Bluetooth Attribute Protocol
    Opcode: Handle Value Indication (0x1d)
        0... .... = Authentication Signature: False
        .0.. .... = Command: False
        ..01 1101 = Method: Handle Value Indication (0x1d)
    Handle: 0x0019 (Weight Scale: Unknown)
        [Service UUID: Weight Scale (0x181d)]
        [UUID: 67b0ab2c8323427ab1c970324bb5e228]
    Value: 9fbaa50ba5ba75ea3822d2f02305a1db3858f5

I was trying to make sense of the value, and... it looks totally scrambled.

These are all different weights:

0242201a00160004001d1900a8e870ec70e8d1a2c790bac096bd6fd2268fc8
0242201a00160004001d1900a12352015223478e9aa7d6f265c6957fdcc63a
0242201a00160004001d19009fbaa50ba5ba75ea3822d2f02305a1db3858f5
0242201a00160004001d1900d0a6081708a64d9b545a5502e8347ea173b81f

These are all the same weight (same as the first one above actually):

0241201a00160004001d190040f26ab96af2e4c91c2e426e9586d890df8edb
0241201a00160004001d1900eb1603b303162d5bbb386eda842a6089af6b9e
0241201a00160004001d19008c4becaaec4b972e157350756bd077864c49b9
0241201a00160004001d19005ec8b29bb2c890219832d283c908ff906d18cb
0241201a00160004001d19003c05019701050a14763693768510177e53fd6a
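
The framing of the raw lines above, decoded as an added example (not part of the original issue or of openScale's code): each line is an H4 type byte, a 4-byte HCI ACL header, a 4-byte L2CAP header and a 3-byte ATT header, followed by the 19-byte indication value. The function names are illustrative; the hex strings are the ones posted above, and the script also reports byte offsets that stay constant or repeat within every value.

```python
import struct

# Captures copied from the issue above: H4 type byte + HCI ACL + L2CAP + ATT.
DIFFERENT_WEIGHTS = [
    "0242201a00160004001d1900a8e870ec70e8d1a2c790bac096bd6fd2268fc8",
    "0242201a00160004001d1900a12352015223478e9aa7d6f265c6957fdcc63a",
    "0242201a00160004001d19009fbaa50ba5ba75ea3822d2f02305a1db3858f5",
    "0242201a00160004001d1900d0a6081708a64d9b545a5502e8347ea173b81f",
]
SAME_WEIGHT = [
    "0241201a00160004001d190040f26ab96af2e4c91c2e426e9586d890df8edb",
    "0241201a00160004001d1900eb1603b303162d5bbb386eda842a6089af6b9e",
    "0241201a00160004001d19008c4becaaec4b972e157350756bd077864c49b9",
    "0241201a00160004001d19005ec8b29bb2c890219832d283c908ff906d18cb",
    "0241201a00160004001d19003c05019701050a14763693768510177e53fd6a",
]

def parse_indication(hex_line):
    """Split one captured packet into its H4, ACL, L2CAP and ATT fields."""
    raw = bytes.fromhex(hex_line)
    if len(raw) < 12:
        raise ValueError("packet shorter than the 12 header bytes")
    h4, acl, acl_len, l2_len, cid, opcode, handle = struct.unpack_from("<BHHHHBH", raw)
    # Both length fields must agree with the number of bytes actually captured.
    if acl_len != len(raw) - 5 or l2_len != len(raw) - 9:
        raise ValueError("length fields do not match packet size")
    return {"h4_type": h4, "conn_handle": acl & 0x0FFF, "pb_flag": (acl >> 12) & 0x3,
            "cid": cid, "opcode": opcode, "att_handle": handle, "value": raw[12:]}

def values_of(lines):
    """Indication values (ATT payload only) for a list of captured packets."""
    return [parse_indication(line)["value"] for line in lines]

def constant_offsets(values):
    """Byte offsets that hold the same byte in every sample."""
    return [i for i in range(len(values[0])) if len({v[i] for v in values}) == 1]

def repeated_offsets(values):
    """Offset pairs (i, j) where byte i equals byte j inside every sample."""
    n = len(values[0])
    return [(i, j) for i in range(n) for j in range(i + 1, n)
            if all(v[i] == v[j] for v in values)]

if __name__ == "__main__":
    pkt = parse_indication(DIFFERENT_WEIGHTS[2])
    print({k: (v.hex() if isinstance(v, bytes) else hex(v)) for k, v in pkt.items()})
    print("constant across same-weight samples:", constant_offsets(values_of(SAME_WEIGHT)))
    print("repeated inside every sample:", repeated_offsets(values_of(DIFFERENT_WEIGHTS + SAME_WEIGHT)))
```

On these nine samples no byte offset is constant across the five same-weight readings, while offsets 1 and 5 and offsets 2 and 4 hold the same byte in every value.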