Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Amazfit NEO pairing #375

Open
jmlich opened this issue May 12, 2024 · 3 comments
Open

Amazfit NEO pairing #375

jmlich opened this issue May 12, 2024 · 3 comments

Comments

@jmlich
Copy link
Contributor

jmlich commented May 12, 2024

There are many differences from my previous try:

  • compiled natively on Fedora 40 as Kirigami flavor
  • it is different bluetooth device

I am trying to pair with Amazfit NEO. The device is connected to zepp application and I am getting token with

$ python3 -m huami_token -m amazfit -e [email protected] -p 'Password' -b
...CUT...
╓───Device 0
║  MAC: E1:87:29:30:E4:E7, active: Yes
║  Key: 0xcaa04207ff084f260d8513a5d75d8dcf
╙────────────

The 0xcaa04207ff084f260d8513a5d75d8dcf (including 0x) was entered into dialog.

I can see authfailed message in daemon's log:

2024-05-12 17:34:36.615 : void MiBand2Service::characteristicChanged(const QString&, const QByteArray&) Changed: "00000009-0000-3512-2118-0009af100700" "\x10\x83\b"
2024-05-12 17:34:36.615 : Unexpected data
2024-05-12 17:34:36.615 : void HuamiDevice::authenticated(bool) false
2024-05-12 17:34:36.615 : void AbstractDevice::setConnectionState(const QString&) Connection state: "authfailed"

Whole log follows:

2024-05-12 17:34:36.526 : 9 nodes
2024-05-12 17:34:36.527 : Creating service for:  "00001801-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.527 : Creating service for:  "0000180a-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.527 : Creating service for:  "00001530-0000-3512-2118-0009af100700"
2024-05-12 17:34:36.528 : Creating service for:  "00001811-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.528 : Creating service for:  "00001802-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.528 : Creating service for:  "0000fee0-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.528 : Creating service for:  "0000fee1-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.529 : Creating service for:  "0000180d-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.529 : Got MiBand2 service
2024-05-12 17:34:36.529 : Starting notify for  "00000009-0000-3512-2118-0009af100700"
2024-05-12 17:34:36.529 : void MiBand2Service::initialise(bool) Writing request for auth number
2024-05-12 17:34:36.529 : QByteArray MiBand2Service::requestAuthNumber() Crypt Byte: 128
2024-05-12 17:34:36.529 : Writing to  "00000009-0000-3512-2118-0009af100700" : "8200020100"
2024-05-12 17:34:36.529 : virtual void NeoDevice::initialise() Neo Firmware:  "V1.1.2.58"
2024-05-12 17:34:36.529 : virtual void HuamiDevice::onPropertiesChanged(QString, QVariantMap, QStringList) "org.bluez.Device1" QMap(("Modalias", QVariant(QString, "bluetooth:v0157p0043d0100"))) ()
2024-05-12 17:34:36.530 : virtual void NeoDevice::initialise()
2024-05-12 17:34:36.530 : void AbstractDevice::setConnectionState(const QString&) Connection state: "connected"
2024-05-12 17:34:36.530 : void NeoDevice::parseServices()
2024-05-12 17:34:36.530 : Resolved services...
2024-05-12 17:34:36.530 : <!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
<node><interface name="org.freedesktop.DBus.Introspectable"><method name="Introspect"><arg name="xml" type="s" direction="out"/>
</method></interface><interface name="org.bluez.Device1"><method name="Disconnect"></method><method name="Connect"></method><method name="ConnectProfile"><arg name="UUID" type="s" direction="in"/>
</method><method name="DisconnectProfile"><arg name="UUID" type="s" direction="in"/>
</method><method name="Pair"></method><method name="CancelPairing"></method><property name="Address" type="s" access="read"></property><property name="AddressType" type="s" access="read"></property><property name="Name" type="s" access="read"></property><property name="Alias" type="s" access="readwrite"></property><property name="Class" type="u" access="read"></property><property name="Appearance" type="q" access="read"></property><property name="Icon" type="s" access="read"></property><property name="Paired" type="b" access="read"></property><property name="Bonded" type="b" access="read"></property><property name="Trusted" type="b" access="readwrite"></property><property name="Blocked" type="b" access="readwrite"></property><property name="LegacyPairing" type="b" access="read"></property><property name="RSSI" type="n" access="read"></property><property name="Connected" type="b" access="read"></property><property name="UUIDs" type="as" access="read"></property><property name="Modalias" type="s" access="read"></property><property name="Adapter" type="o" access="read"></property><property name="ManufacturerData" type="a{qv}" access="read"></property><property name="ServiceData" type="a{sv}" access="read"></property><property name="TxPower" type="n" access="read"></property><property name="ServicesResolved" type="b" access="read"></property><property name="WakeAllowed" type="b" access="readwrite"></property><property name="Sets" type="a{oa{sv}}" access="read"></property></interface><interface name="org.freedesktop.DBus.Properties"><method name="Get"><arg name="interface" type="s" direction="in"/>
<arg name="name" type="s" direction="in"/>
<arg name="value" type="v" direction="out"/>
</method><method name="Set"><arg name="interface" type="s" direction="in"/>
<arg name="name" type="s" direction="in"/>
<arg name="value" type="v" direction="in"/>
</method><method name="GetAll"><arg name="interface" type="s" direction="in"/>
<arg name="properties" type="a{sv}" direction="out"/>
</method><signal name="PropertiesChanged"><arg name="interface" type="s"/>
<arg name="changed_properties" type="a{sv}"/>
<arg name="invalidated_properties" type="as"/>
</signal>
</interface><node name="service0008"/><node name="service000c"/><node name="service001a"/><node name="service0020"/><node name="service0027"/><node name="service002a"/><node name="service005b"/><node name="service0070"/></node>
2024-05-12 17:34:36.530 : 9 nodes
2024-05-12 17:34:36.530 : Creating service for:  "00001801-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.531 : Creating service for:  "0000180a-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.531 : Creating service for:  "00001530-0000-3512-2118-0009af100700"
2024-05-12 17:34:36.531 : Creating service for:  "00001811-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.532 : Creating service for:  "00001802-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.532 : Creating service for:  "0000fee0-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.532 : Creating service for:  "0000fee1-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.533 : Creating service for:  "0000180d-0000-1000-8000-00805f9b34fb"
2024-05-12 17:34:36.533 : Got MiBand2 service
2024-05-12 17:34:36.533 : Starting notify for  "00000009-0000-3512-2118-0009af100700"
2024-05-12 17:34:36.533 : void MiBand2Service::initialise(bool) Writing request for auth number
2024-05-12 17:34:36.533 : QByteArray MiBand2Service::requestAuthNumber() Crypt Byte: 128
2024-05-12 17:34:36.533 : Writing to  "00000009-0000-3512-2118-0009af100700" : "8200020100"
2024-05-12 17:34:36.533 : virtual void NeoDevice::initialise() Neo Firmware:  "V1.1.2.58"
2024-05-12 17:34:36.533 : void MiBand2Service::characteristicChanged(const QString&, const QByteArray&) Changed: "00000009-0000-3512-2118-0009af100700" "\x10\x82\x01\x97\x9F""d\x10\xA9\x99&\xFA\x9B\xF3\xC8""Dm\xADJ\xEE"
2024-05-12 17:34:36.533 : Received random auth number, sending encrypted auth number
2024-05-12 17:34:36.534 : Writing to  "00000009-0000-3512-2118-0009af100700" : "8300057e4d35b66f3db36d080e90368991d1"
2024-05-12 17:34:36.555 : void MiBand2Service::characteristicChanged(const QString&, const QByteArray&) Changed: "00000009-0000-3512-2118-0009af100700" "\x10\x82\x01\xC9\xB2\xB2\x0Fsd\xCCq}\xF6""F\xB3\xE7h \xD5"
2024-05-12 17:34:36.555 : Received random auth number, sending encrypted auth number
2024-05-12 17:34:36.555 : Writing to  "00000009-0000-3512-2118-0009af100700" : "8300768f534da6d08cfbf243eacf9acf064a"
2024-05-12 17:34:36.556 : void MiBand2Service::characteristicChanged(const QString&, const QByteArray&) Changed: "00000009-0000-3512-2118-0009af100700" "\x10\x82\x01\xFF\xE7\f\x98\x91""aN\x02\x03;p\xCCUur\xF6"
2024-05-12 17:34:36.556 : Received random auth number, sending encrypted auth number
2024-05-12 17:34:36.556 : Writing to  "00000009-0000-3512-2118-0009af100700" : "8300bace6f93a6e61073960d631c74248c4b"
2024-05-12 17:34:36.571 : void MiBand2Service::characteristicChanged(const QString&, const QByteArray&) Changed: "00000009-0000-3512-2118-0009af100700" "\x10\x83\b"
2024-05-12 17:34:36.571 : Unexpected data
2024-05-12 17:34:36.571 : void HuamiDevice::authenticated(bool) false
2024-05-12 17:34:36.571 : void AbstractDevice::setConnectionState(const QString&) Connection state: "authfailed"
2024-05-12 17:34:36.571 : void DeviceInterface::onConnectionStateChanged() "authfailed"
2024-05-12 17:34:36.585 : void MiBand2Service::characteristicChanged(const QString&, const QByteArray&) Changed: "00000009-0000-3512-2118-0009af100700" "\x10\x83\b"
2024-05-12 17:34:36.585 : Unexpected data
2024-05-12 17:34:36.585 : void HuamiDevice::authenticated(bool) false
2024-05-12 17:34:36.585 : void AbstractDevice::setConnectionState(const QString&) Connection state: "authfailed"
2024-05-12 17:34:36.615 : void MiBand2Service::characteristicChanged(const QString&, const QByteArray&) Changed: "00000009-0000-3512-2118-0009af100700" "\x10\x83\b"
2024-05-12 17:34:36.615 : Unexpected data
2024-05-12 17:34:36.615 : void HuamiDevice::authenticated(bool) false
2024-05-12 17:34:36.615 : void AbstractDevice::setConnectionState(const QString&) Connection state: "authfailed"
2024-05-12 17:34:42.327 : Close notification 1 1
2024-05-12 17:34:42.327 :  but it is not found
2024-05-12 17:35:35.649 : virtual void HuamiDevice::onPropertiesChanged(QString, QVariantMap, QStringList) "org.bluez.Device1" QMap(("Connected", QVariant(bool, false))("ServicesResolved", QVariant(bool, false))) ()
2024-05-12 17:35:35.649 : void AbstractDevice::setConnectionState(const QString&) Connection state: "disconnected"
2024-05-12 17:35:35.649 : void DeviceInterface::onConnectionStateChanged() "disconnected"

It looks like the "\x10\x83\b" is the unexpected data. Maybe also @kirbylife can take a look.
@jmlich
Copy link
Contributor Author

jmlich commented Jun 2, 2024

The Gadgetbridge is able to connect to Amazfit NEO without troubles. I tried to compare the pairing mechanism in gadgetbridge and amazfish.
So far I can see the only difference, gadget bridge is using bytes 3-19 and amazfish bytes 3-17:

https://codeberg.org/Freeyourgadget/Gadgetbridge/src/branch/master/app/src/main/java/nodomain/freeyourgadget/gadgetbridge/service/devices/huami/operations/init/InitOperation.java#L163

harbour-amazfish/daemon/src/services/miband2service.cpp

Line 44 in 8efe634

writeValue(UUID_CHARACTERISITIC_MIBAND2_AUTH, UCHAR_TO_BYTEARRAY(a) + UCHAR_TO_BYTEARRAY(m_authByte) + handleAesAuth(value.mid(3, 17), getSecretKey()));

The value "\x10\x83\b" for characteristics corresponds to this condition

value[0] == RESPONSE && 
(value[1] & 0x0f) == AUTH_SEND_ENCRYPTED_AUTH_NUMBER && 
value[2] == 0x08

doesn't seems to be handled in gadgetbridge either.

@kirbylife
Copy link

Are you able to pair other Amazfit watches on that version of Amazfish?
or only the NEO is the one with the problem?
Because it seems that the erroneously fetched data issue may also correspond to a problem of using the miband2 service for the Neo.

@jmlich
Copy link
Contributor Author

jmlich commented Jun 4, 2024

I don't have any other Amazfit device to test.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kirbylife @jmlich