yeelight-ble-rotary-dimmer's Introduction

Yeelight Bluetooth Rotary Dimmer Switch

Yeelight Smart Dimmer

Intent
To be able to use the dimmer switch with other smart home devices and applications, e.g. Home Assistant.

Setup Required

Hardware

Protocol Reverse Engineering Open Issue

Software Tools

References

Other Solution

  • ESP32 based new pcb which can fit in the same plastic housing
    • Deep Sleep
    • LiPo battery
    • HTTP programmable actions

yeelight-ble-rotary-dimmer's People

Contributors

nccchirag

yeelight-ble-rotary-dimmer's Issues

BLE Protocol Reverse Engineering

Inputs from @matthias-schulz

yee-rc detected as F8:24:41:C1:D1:1F (Yeelink) -67 dBm.
 

│   Handles    │ Service > Characteristics │  Properties   │         Data         │
├──────────────┼───────────────────────────┼───────────────┼──────────────────────┤
│ 0001 -> 001a │ fe95                      │               │                      │
│ 0003         │     0001                  │ WRITE, NOTIFY │                      │
│ 0007         │     0002                  │ READ          │ 0000                 │
│ 000a         │     0004                  │ READ          │ O993yDåo8f04X        │
│ 000d         │     0005                  │ WRITE, NOTIFY │                      │
│ 0010         │     0007                  │ WRITE         │                      │
│ 0013         │     0010                  │ WRITE         │                      │
│ 0016         │     0013                  │ READ, WRITE   │ ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ │
│ 0019         │     0014                  │ READ, WRITE   │ L8e"ëad<01cúýéû 

LL Data: 05 22 ea 7f 8e f9 d1 c2 e0 ab df 41 24 f8 bb 3d e9 b1 d9 16 42 08 06 00 43 00 00 00 d0 07 ff ff ff ff 1f 10
[i] Got CONNECT_REQ packet from c2:d1:f9:8e:7f:ea to f8:24:41:df:ab:e0
 |-- Access Address: 0xb1e93dbb
 |-- CRC Init value: 0x4216d9
 |-- Hop interval: 67
 |-- Hop increment: 16
 |-- Channel Map: 1fffffffff
 |-- Timeout: 20000 ms

LL Data: 05 22 08 e4 ad a2 ac c8 1f d1 c1 41 24 f8 60 58 ac 0b 72 86 a0 08 06 00 43 00 00 00 d0 07 ff ff ff ff 1f 10
[i] Got CONNECT_REQ packet from c8:ac:a2:ad:e4:08 to f8:24:41:c1:d1:1f
 |-- Access Address: 0x0bac5860
 |-- CRC Init value: 0xa08672
 |-- Hop interval: 67
 |-- Hop increment: 16
 |-- Channel Map: 1fffffffff
 |-- Timeout: 20000 ms

LL Data: 05 22 40 9f ce 64 21 c3 a3 d5 c1 41 24 f8 12 8c e2 7b eb 6e 0f 08 06 00 43 00 00 00 d0 07 ff ff ff ff 1f 05
[i] Got CONNECT_REQ packet from c3:21:64:ce:9f:40 to f8:24:41:c1:d5:a3
 |-- Access Address: 0x7be28c12
 |-- CRC Init value: 0x0f6eeb
 |-- Hop interval: 67
 |-- Hop increment: 5
 |-- Channel Map: 1fffffffff
 |-- Timeout: 20000 ms

Here is a little python script that shows the decryption.

Your message starts at frame ctrl and stops before rssi.

```python
from Cryptodome.Cipher import AES

data_string = "043e25020103008b98c54124f819181695fe5830b603368b98c54124f88bb8f2661351000000d6ef"
aeskey = "b853075158487ca39a5b5ea9"

#                                       frame dev ct ---mac------ ----encrypted payload- rssi
#                                       ctrl  id                  cipherpayld- -cnt-- tk 
#  043e25020103008b98c54124f819181695fe 5830 b603 36 8b98c54124f8 8bb8f2661351 000000 d6   ef


data = bytes(bytearray.fromhex(data_string))
key = bytes.fromhex(aeskey)

key_1 = key[0:6]
key_2 = bytes.fromhex("8d3d3c97")
key_3 = key[6:]
key = b"".join([key_1, key_2, key_3])
print("key: ", key.hex())

xiaomi_index = data.find(b'\x16\x95\xFE')
xiaomi_mac_reversed = data[xiaomi_index + 8:xiaomi_index + 14]
print("reversed mac: ", xiaomi_mac_reversed.hex())
# reversed mac: 8b98c54124f8

framectrl_data = data[xiaomi_index + 3:xiaomi_index + 5]
print("frame ctrl: ", framectrl_data.hex())
# frame ctrl: 5830

device_type = data[xiaomi_index + 5:xiaomi_index + 7]
print("device type (product id): ", device_type.hex())
# device type (product id): b603

encrypted_payload = data[xiaomi_index + 14:-1]
print("encrypted payload: ", encrypted_payload.hex())
# encrypted payload: 8bb8f2661351000000d6

packet_id = data[xiaomi_index + 7:xiaomi_index + 8]
payload_counter = b"".join([packet_id,  encrypted_payload[-4:-1]])
print("payload counter: ", payload_counter.hex())
# payload_counter: 36000000

nonce = b"".join([framectrl_data, device_type, payload_counter, xiaomi_mac_reversed[:-1]])
print("nonce: ", nonce.hex())
# nonce: 5830b603360000008b98c54124

aad = b"\x11"

token = encrypted_payload[-1:]
print("token: ", token.hex())
# token: d6

cipherpayload = encrypted_payload[:-4]
print("cipher payload: ", cipherpayload.hex())
# cipher payload: 8bb8f2661351

cipher = AES.new(key, AES.MODE_CCM, nonce=nonce, mac_len=4)
cipher.update(aad)

decrypted_payload = cipher.decrypt(cipherpayload)
print("decrypted payload: ", decrypted_payload.hex())
# decrypted payload:  01100300ff04
```

The decrypted payload can be read as follows.
0110 = Button (= type of message according to the MiBeacon protocol)
03 = length of data
00 = button
ff = value
04 = press

button, value and press are the names I use in BLE monitor; depending on the device type, they are translated to a message. See the def obj0110(xobj): function in https://github.com/custom-components/ble_monitor/blob/master/custom_components/ble_monitor/ble_parser/xiaomi.py. In this example, press 04 + button = 0 means "rotate left" with 256 - 255 (= ff) = 1 step.

I also tried your BLE advertisement + beaconkey, but it doesn't seem to be right; I get this as the result.

decrypted payload: ab330e5cbc82

Originally posted by @Ernst79 in #1 (comment)
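
An added example (not part of the original post and not ble_monitor's code): a standard-library parser for the decrypted payload layout described above (type, length, then button/value/press). The script calls decrypt() without checking a CCM tag, so a wrong key still returns bytes; the parser therefore rejects plaintext that does not fit the layout. Reading value as a signed byte, with positive values meaning "rotate right", is an assumption; the post only gives the rotate-left case.

```python
import struct

BUTTON_OBJECT = 0x1001  # sent little-endian, so it appears as "01 10" in the payload

class MalformedPayload(ValueError):
    """Plaintext does not fit the type / length / data layout."""

def parse_objects(payload: bytes):
    """Split a decrypted payload into (type, data) records, bounds-checking each one."""
    objects, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 3:
            raise MalformedPayload(f"truncated header at offset {pos}")
        obj_type, length = struct.unpack_from("<HB", payload, pos)
        pos += 3
        if pos + length > len(payload):
            raise MalformedPayload(f"object 0x{obj_type:04x} claims {length} bytes, {len(payload) - pos} left")
        objects.append((obj_type, payload[pos:pos + length]))
        pos += length
    if not objects:
        raise MalformedPayload("empty payload")
    return objects

def decode_button(data: bytes) -> dict:
    """Decode the 3-byte button object: button, value, press."""
    if len(data) != 3:
        raise MalformedPayload(f"button object must be 3 bytes, got {len(data)}")
    button, value, press = data
    event = {"button": button, "value": value, "press": press}
    if press == 0x04 and button == 0:
        # Assumption: value is a signed byte. The post only confirms the
        # negative case (0xff -> 256 - 255 = 1 step to the left).
        steps = value - 256 if value >= 0x80 else value
        event["action"] = "rotate left" if steps < 0 else "rotate right"
        event["steps"] = abs(steps)
    return event

def interpret(payload_hex: str) -> dict:
    """Return decoded button events, or the reason the plaintext was rejected."""
    try:
        objects = parse_objects(bytes.fromhex(payload_hex))
        events = [decode_button(d) for t, d in objects if t == BUTTON_OBJECT]
    except MalformedPayload as exc:
        return {"valid": False, "reason": str(exc)}
    return {"valid": True, "events": events}

if __name__ == "__main__":
    print(interpret("01100300ff04"))  # plaintext from the working key in the post
    print(interpret("ab330e5cbc82"))  # plaintext the post got with the other beaconkey
```

A structural check like this is a sanity test, not authentication: a wrong key can occasionally produce bytes that happen to parse.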
