Matthias Blaicher edited this page Jan 5, 2015 · 9 revisions

Analysis

To analyse the USB protocol and the data exchanged by the scale, a Beurer BF 480 USB scale was used.

The data were sniffed on a Linux box with usbmon, with an Oracle VM VirtualBox running a copy of Windows® XP and the Beurer HealthManager software.

The following is an extract from the usbmon capture:

ffff88006198ee40 2180364789 S Co:1:003:0 s 21 09 0300 0000 0008 8 = 10000000 00000000
ffff88006198ee40 2180376856 C Co:1:003:0 0 8 >
ffff880082f0c740 2180416884 C Ii:1:003:1 0:8 8 = 03720370 036e0367
ffff880082f0c740 2180417205 S Ii:1:003:1 -115:8 8 <
ffff880082f0c740 2180424931 C Ii:1:003:1 0:8 8 = 0369036d 036c036d
...

USB protocol

When connected to the PC, the scale has Vendor ID 0x04d9 and Product ID 0x8010.

The host requests the data download by sending this USB control transfer: Co:1:003:0 s 21 09 0300 0000 0008 8 = 10000000 00000000.

The fields of the request are:

  • Co: Control (from Host to Device)
  • 1: USB Bus
  • 003: USB Device
  • 0: USB Endpoint
  • s: setup flag
  • 21: bmRequestType - Output endpoint (host-to-device), Class request type and Interface recipient
  • 09: bRequest - HID set report
  • 0300: wValue
  • 0000: wIndex
  • 0008 and 8: wLength
  • 10000000 00000000: data packet

After this control transfer, the scale starts sending all the data over interrupt transfers in chunks of 8 bytes, for a total of 8192 bytes.

Exchanged data

The data consist of 10 blocks of 768 bytes and a final block of 512 bytes.

Each of the 10 blocks holds the measurement data of one user. The final, extra block contains user information (birth date, height, sex and degree of activity), the counter of measurements, the date and time of the scale, and some other bytes not yet decoded.

Each user block consists of 6 blocks of 128 bytes that represent the 6 values of each measurement:

  • weight
  • % body fat
  • % water
  • % muscle
  • date
  • time

After each list of measurements for a variable, there is a separator of 8 bytes with value 0.

The values are encoded as unsigned words (2 bytes) and represent the values multiplied by 10:

  • A value of 0x0368 for the weight represents a value of 87.2 kg (0x0368 is 872 in decimal)
  • A value of 0x0240 for the percentage of water represents a value of 57.6 % (0x0240 is 576 in decimal)

The date is encoded using 7 bits for the year (starting in 1920), 4 bits for the month and 5 bits for the day.

  • A value of 0xbcc7 represents the date 2014-06-07
  • A value of 0xbcba represents the date 2014-05-26

The time is encoded using the upper byte for the hour and the lower byte for the minutes.

  • A value of 0x1436 represents the time 20:54
  • A value of 0x0805 represents the time 8:05

So the 768 bytes of each user block are divided into 6 variable blocks of 128 bytes. Each of these blocks is composed of 60 values (represented with 2 bytes each) and the 8-byte separator.

The extra block starts with a first part of 256 bytes with value 0xff. Just after that part, there are 10 blocks of 8 bytes with user information:
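
The user-block layout described above, as an added Python example (not code from the original page or project). It assumes the six variable blocks follow the order of the list above, that words are big-endian as the bytes appear in the usbmon extract, and that the number of valid measurements (`count`) is taken from the user information block; the function names and the sample block are constructed for illustration.

```python
import struct
from datetime import date, time

SLOTS = 60              # measurements per variable block
VAR_LEN = 128           # 60 two-byte values + 8-byte zero separator
USER_LEN = 6 * VAR_LEN  # 768 bytes per user
FIELDS = ("weight", "body_fat", "water", "muscle", "date", "time")

def decode_date(word):
    """7 bits year (offset 1920), 4 bits month, 5 bits day."""
    return date(1920 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F)

def decode_time(word):
    """Upper byte is the hour, lower byte the minutes."""
    return time(word >> 8, word & 0xFF)

def decode_user_block(block, count):
    """Return the first `count` measurements of one 768-byte user block."""
    if len(block) != USER_LEN:
        raise ValueError("user block must be 768 bytes")
    if not 0 <= count <= SLOTS:
        raise ValueError("count must be between 0 and 60")
    cols = {}
    for i, name in enumerate(FIELDS):
        chunk = block[i * VAR_LEN:(i + 1) * VAR_LEN]
        if any(chunk[2 * SLOTS:]):
            raise ValueError(f"non-zero separator after {name} block")
        # Assumption: big-endian words, as the bytes appear in usbmon.
        cols[name] = struct.unpack(f">{SLOTS}H", chunk[:2 * SLOTS])[:count]
    rows = []
    for k in range(count):
        # Values are stored multiplied by 10; date()/time() raise
        # ValueError on out-of-range fields (e.g. month 0 in an empty slot).
        row = {n: cols[n][k] / 10 for n in FIELDS[:4]}
        row["date"] = decode_date(cols["date"][k])
        row["time"] = decode_time(cols["time"][k])
        rows.append(row)
    return rows

def build_sample_block():
    """Constructed sample: one measurement, all other slots zero."""
    words = (0x0368, 0x00C8, 0x0240, 0x0190, 0xBCC7, 0x1436)
    return b"".join(struct.pack(">H", w) + bytes(VAR_LEN - 2) for w in words)

if __name__ == "__main__":
    print(decode_user_block(build_sample_block(), 1))
```

Passing a `count` larger than the number of stored measurements makes the decoder fail on the first slot whose date or time is out of range instead of returning invented readings.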

  • ID (from the position on the scale) - 1 byte
  • Height - 1 byte
  • Birth date - 2 bytes (encoded as the date of the measurements)
  • Gender - MSB of the 5th byte (0 for male, 1 for female)
  • Degree of activity - lower part of the 5th byte (value from 0 to 4)
  • Counter of measurements - 1 byte

Each disabled profile has the ID set to 0. After the 10 blocks, there is a byte set to 0 and 15 bytes set to 0xff.

Next comes another list of measurement pointers of 10 bytes: each value indicates the next value to be written. When there are fewer than 60 measurements, the value is the same as the counter in the user information block (previous block of 10 bytes for each user). When there are at least 60 measurements, this value indicates the position of the oldest value.

Another block of 112 bytes set to 0xff follows.

The last 32 bytes close the extra block: the 1st and 2nd bytes are the scale date and the 4th and 5th bytes are the scale time at the moment of the data download. Both are encoded like the date and time in measurements.

Overwriting

When all 60 positions in the memory are occupied, the scale starts to overwrite from the first position, always overwriting the oldest measurement.

Undecoded data

Some data in the last block of 512 bytes are not yet decoded:

  • The last two bytes of each user information block
  • The last 32 bytes, except the scale date and time

These data always had the same values for each download made.