What I know about the Xiaomi Mi Band:
- It's BTLE - it uses the Bluetooth 4.0 LE GATT stack.
- The BT characteristics are... poorly documented.
There has been some work documenting the protocol, but it hasn't been complete. There's a packet sniffer from Adafruit that I've looked into. Unfortunately for me, though, it's all Windows.
I'm going to start by attacking the application that Xiaomi put out (cutely enough, called Mi Fit). I've run it through tools (Luyten, Procyon, smali, etc.) and found some... interesting snippets hidden away:
```java
// Decompiled from Mi Fit; d(...) is the app's own logging helper.
private static void g() {
d("MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM");
d("MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM");
d("MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM");
d("MM.: .:' `::: .:`MMMMMMMMMMM|`MMM'|MMMMMMMMMMM': .:' `::: .:'.MM");
d("MMMM. : `MMMMMMMMMM :*' MMMMMMMMMM' : .MMMM");
d("MMMMM. :: . `MMMMMMMM' :: `MMMMMMMM' . :: . .MMMMM");
d("MMMMMM. : :: ::' : :: ::' : :: ::' :: ::' : :: ::.MMMMMM");
d("MMMMMMM ;:: ;:: ;:: ;:: ;:: MMMMMMM");
d("MMMMMMM .:' `::: .:' `::: .:' `::: .:' `::: .:' `::MMMMMMM");
d("MMMMMM' : : : : : `MMMMMM");
d("MMMMM'______::____ :: . :: . :: ___._::____`MMMMM");
d("MMMMMMMMMMMMMMMMMMM`---._ :: ::' : :: ::' _.--::MMMMMMMMMMMMMMMMMMMM");
d("MMMMMMMMMMMMMMMMMMMMMMMMMM::. :: .--MMMMMMMMMMMMMMMMMMMMMMMMMMM");
d("MMMMMMMMMMMMMMMMMMMMMMMMMMMMMM-. ;::-MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM");
d("MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM. .:' .MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM");
d("MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM. .MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM");
d("MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM\\ /MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM");
d("MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMVMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM");
d("MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM .:ZylvanaS:. MM");
d("MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM");
}
```
(For those who can't read wrapped Java, that's the Batman logo.)
First, I need to attack the anti-debugging features. This includes their "vaguely" custom "logging" framework. There are a couple of settings that look useful in the long run. The next step is going to be using that logging framework (that they've so *handily* provided me!) to dump every BTLE GATT statement.
(in reality, the first step is getting the app to install under the modified package name and not get conflicts)
Discussions
Cool! Any news about it?