Skip to content

Fitbit Aria Air support (unlikely?) #1105

New issue
New issue
Closed
Closed
Fitbit Aria Air support (unlikely?)#1105
Labels
help wantedIndicates that a maintainer wants help on an issue or pull requestno-progressIndicates that this issue has seen no progress for a long time.scale supportIndicates that this issue is a request for support for a specific scale.
@drinkcat

Description

@drinkcat
drinkcat
opened on Jan 12, 2025

Device: Fitbit Aria Air

That scale a bit flaky with the official app, so I was hoping to make it work with Openscale.

Sadly, it seems like the data is encrypted in some way, so, support seems unlikely (no idea where the key is, I also captured pairing process and couldn't see anything obvious).

I'm dropping this here to leave a trace behind of my experiments yesterday (so that others don't waste time, or at least know what they are getting into...), but if there's any simple experiment I can try, I'd be happy to.

A sample Handle Value Indication packet looks like this after decoding in wireshark (removed some not relevant data for privacy):

Frame 4277: 31 bytes on wire (248 bits), 31 bytes captured (248 bits)
    Encapsulation type: Bluetooth H4 with linux header (99)
    ...
    Frame Number: 4277
    Frame Length: 31 bytes (248 bits)
    Capture Length: 31 bytes (248 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    Point-to-Point Direction: Received (1)
    [Protocols in frame: bluetooth:hci_h4:bthci_acl:btl2cap:btatt]
Bluetooth
    [Source: TelinkSemico_XXX (a4:c1:38:XXX)]
    [Destination: XXX]
Bluetooth HCI H4
    [Direction: Rcvd (0x01)]
    HCI Packet Type: ACL Data (0x02)
Bluetooth HCI ACL Packet
    .... 0000 0100 0010 = Connection Handle: 0x042
    ..10 .... .... .... = PB Flag: First Automatically Flushable Packet (2)
    00.. .... .... .... = BC Flag: Point-To-Point (0)
    Data Total Length: 26
    Data
    [Connect in frame: 4054]
    [Disconnect in frame: 4343]
    [Source BD_ADDR: TelinkSemico_XXX (a4:c1:38:XXX)]
    [Source Device Name: Aria Air]
    [Source Role: Unknown (0)]
    [Destination BD_ADDR: XXX]
    [Destination Role: Unknown (0)]
    [Current Mode: Unknown (-1)]
Bluetooth L2CAP Protocol
    Length: 22
    CID: Attribute Protocol (0x0004)
Bluetooth Attribute Protocol
    Opcode: Handle Value Indication (0x1d)
        0... .... = Authentication Signature: False
        .0.. .... = Command: False
        ..01 1101 = Method: Handle Value Indication (0x1d)
    Handle: 0x0019 (Weight Scale: Unknown)
        [Service UUID: Weight Scale (0x181d)]
        [UUID: 67b0ab2c8323427ab1c970324bb5e228]
    Value: 9fbaa50ba5ba75ea3822d2f02305a1db3858f5

I was trying to make sense of the value, and... it looks totally scrambled.

These are all different weights:

0242201a00160004001d1900a8e870ec70e8d1a2c790bac096bd6fd2268fc8
0242201a00160004001d1900a12352015223478e9aa7d6f265c6957fdcc63a
0242201a00160004001d19009fbaa50ba5ba75ea3822d2f02305a1db3858f5
0242201a00160004001d1900d0a6081708a64d9b545a5502e8347ea173b81f

These are all the same weight (same as the first one above actually):

0241201a00160004001d190040f26ab96af2e4c91c2e426e9586d890df8edb
0241201a00160004001d1900eb1603b303162d5bbb386eda842a6089af6b9e
0241201a00160004001d19008c4becaaec4b972e157350756bd077864c49b9
0241201a00160004001d19005ec8b29bb2c890219832d283c908ff906d18cb
0241201a00160004001d19003c05019701050a14763693768510177e53fd6a

Metadata

Metadata

Assignees

No one assigned

    Labels

    help wantedIndicates that a maintainer wants help on an issue or pull requestno-progressIndicates that this issue has seen no progress for a long time.scale supportIndicates that this issue is a request for support for a specific scale.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions