Hacking Ready For Sky (R4S) home appliances
This repository holds some data for controlling Redmond SkyKettle RK-M171S from GNU/Linux
I welcome suggestions and ideas for simplification and making code more reliable. Using script wrapper around gatttool is so far the simplest approach. But it is terribly ugly.
Prerequisits: You need bluez installed. Version 4.01 is fine
- ./connect.sh [KETTLE MAC] auth
- ./connect.sh [KETTLE MAC] query
- ./connect.sh [KETTLE MAC] queryone
- ./connect.sh [KETTLE MAC] keeptemp
- ./connect.sh [KETTLE MAC] on
- ./connect.sh [KETTLE MAC] off
You can get your [KETTLE MAC] by entering "bt-device -l"
You don't need to dump anything, you can just reverse the application itself. Later data had been acquired with decompile method
- dump/auth.on.off.bin Initiate an auth from application. Hold "+" on kettle. Switch kettle "ON". Press "OFF" just a second before 100C
Initiate an auth from application. do nothing on kettle
- Bluetooth dongle (CSR4.0) - http://ru.aliexpress.com/item/Bluetooth-4-0-Dongles-Mini-USB-2-0-3-0-Bluetooth-Dongle-Adapters-Dual-Mode-adapter/32292553074.html
[ 8058.302793] usb 3-13: USB disconnect, device number 5 [ 8059.355045] usb 3-14: USB disconnect, device number 6 [ 8062.905322] usb 3-13: new full-speed USB device number 12 using xhci_hcd [ 8062.922927] usb 3-13: New USB device found, idVendor=e0ff, idProduct=0002 [ 8062.922928] usb 3-13: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 8062.922930] usb 3-13: Product: G3 [ 8062.922930] usb 3-13: Manufacturer: A..... [ 8062.924416] input: A..... G3 as /devices/pci0000:00/0000:00:14.0/usb3/3-13/3-13:1.0/input/input22 [ 8062.924479] hid-generic 0003:E0FF:0002.0006: input,hidraw0: USB HID v1.00 Mouse [A..... G3] on usb-0000:00:14.0-13/input0 [ 8062.925984] input: A..... G3 as /devices/pci0000:00/0000:00:14.0/usb3/3-13/3-13:1.1/input/input23 [ 8062.926091] hid-generic 0003:E0FF:0002.0007: input,hiddev0,hidraw1: USB HID v1.00 Keyboard [A..... G3] on usb-0000:00:14.0-13/input1 [ 8071.616958] usb 3-10.3: new full-speed USB device number 13 using xhci_hcd [ 8071.640199] usb 3-10.3: New USB device found, idVendor=0a12, idProduct=0001 [ 8071.640217] usb 3-10.3: New USB device strings: Mfr=0, Product=2, SerialNumber=0 [ 8071.640223] usb 3-10.3: Product: CSR8510 A10
Protocol had been reversed with the following techique. Dumps were made with "Enable Bluetoog HCI snoop log" Android feature. Analised then with wireshark
[E7:5A:53:79:82:A4] Name: RK-M171S Alias: RK-M171S [rw] Address: E7:5A:53:79:82:A4 Icon: undefined Class: 0x0 Paired: 0 Trusted: 0 [rw] Blocked: 0 [rw] Connected: 0 UUIDs: [00001800-0000-1000-8000-00805f9b34fb, 00001801-0000-1000-8000-00805f9b34fb, 6e400001-b5a3-f393-e0a9-e50e24dcca9e]
attr handle = 0x0001, end grp handle = 0x0007 uuid: 00001800-0000-1000-8000-00805f9b34fb attr handle = 0x0008, end grp handle = 0x0008 uuid: 00001801-0000-1000-8000-00805f9b34fb attr handle = 0x0009, end grp handle = 0xffff uuid: 6e400001-b5a3-f393-e0a9-e50e24dcca9e 00001800-0000-1000-8000-00805f9b34fb Generic Access 00001800-0000-1000-8000-00805f9b34fb Generic Attribute 6e400001-b5a3-f393-e0a9-e50e24dcca9e UART Service
handle = 0x0002, char properties = 0x0a, char value handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb read write handle = 0x0004, char properties = 0x02, char value handle = 0x0005, uuid = 00002a01-0000-1000-8000-00805f9b34fb read handle = 0x0006, char properties = 0x02, char value handle = 0x0007, uuid = 00002a04-0000-1000-8000-00805f9b34fb read handle = 0x000a, char properties = 0x10, char value handle = 0x000b, uuid = 6e400003-b5a3-f393-e0a9-e50e24dcca9e notify read handle = 0x000d, char properties = 0x0c, char value handle = 0x000e, uuid = 6e400002-b5a3-f393-e0a9-e50e24dcca9e write
To start talking to device, you need to connect and write 0x0100 to handle 0x000c (is not listed by the device?). This needs to be done after every reconnect. Gatttool doesn't allow you to know when reconnect happend. So I send it every time.
Now you can send commands to handle 0x000e You will get back the answers from handle 0x000b
Commands start with 0x55 byte, and end with 0xaa Second byte is a counter, you should increment it with any new request. I don't know yet what happens when you overflow Third byte is a command itself
- 0x01 - happens sometimes, unknown
- 0x05 - switch the kettle on to keepwarm (on with 0 temperature)
- 0x04 - switch the kettle off
- 0x06 - request status
- 0xFF - authorize
Next go the parameters.
0x55 0x76 0x06 0xaa | | | | start | | end counter | command id
As a reply you will recive a sequence that start with 0x55 byte, and end with 0xAA Second byte is a counter which is the same as in the request it replies to. Third byte is the command - same as in the request. It depends on the command. Next goes the data.
I can guess you should do the following. Generate a 8byte random ID. This will be your key. I don't know yet if any key is ok. These are - 55:3a:57:47:f8:c2:62:4a, b5:4c:75:b1:b4:0c:88:ef
Send auth command, starting with counter 0
-> 55:<counter>:ff:<8 bytes. Seem random. ID? MAC?>:aa
If you are not yet authorized (you need to hold "+" on the kettle for this) the kettle will reply
Send the request again with incrementing counter. Meanwhile hold "+" key. At some point the auth will be passed. And you will get:
Next time with the same key you should be able to connect from the first attempt. In the auth state you can issue next commands.
Unknown command usually at start
-> 55:<counter>:01:aa reply example <- 55:<counter>:01:02:06:aa
BOLING AND HEATING command
request examples -> 55:<counter>:05:00:00:28:00:aa -> 55:<counter>:05:00:00:00:00:aa - just switch on. -> 55:<counter>:05:01:00:5f:00:aa - keepwarm at 95 55:<counter>:05:00:00:<keep warm temp>:00:aa reply example <- 55:<counter>:05:01:aa // 01 status meens OK
-> 55:<counter>:04:aa reply example <- 55:<counter>:04:01:aa // 01 status meens OK
-> 55:<counter>:06:aa reply examples: <- 55:<counter>:06:00:00:00:00:00:0c:00:00:00:00:51:00:00:00:00:00:aa - kettle is on in boiling <- 55:<counter>:06:00:00:28:00:00:0c:00:01:02:00:33:00:00:00:00:00:aa - kettle is on <- 55:<counter>:06:00:00:00:00:00:0c:00:00:00:00:3e:00:00:00:00:00:aa - kettle is off <- 55:<counter>:06 00 00 28 00 00 0c 00 01 00 00 64 00 00 00 00 00 aa <- 55:<counter>:06 01 00 28 00 00 0c 00 01 02 00 64 00 00 00 00 00 aa - kettle finished boiling () <- 55:<counter>:06 01 00 28 00 00 0c 00 01 02 00 63 00 00 00 00 00 aa - a while after finished boiling external num 1 2 3 4 5 6 7 8 9 10 11 12 13 14 internal num 0 1 2 3 4 5 6 7 8 9 10 11 55:<counter>:06:<keep warm?>:00:<keepwarm temp?>:00:00:0c:00:01:<heater?>:00:<temp>:00:00:00:00:00:aa
|Byte ext||Byte int||Action|