Developed starting from Bluez hcitool, this tool is able to read the data sent as BLE advertisements by the Xiaomi Mijia Bluetooth temperature and humidity sensor.
You should have already installed the Bluetooh Bluez stack.
Issue 'make' to build the tool. Then issue scanMijia -h to show detailed help.
Like the original hcitool command, also this tool should be run from root.
Below is a brief description of the sensor protocol.
<style> </style>
As soon as the battery is inserted, the sensor starts sending
adverisement data every two seconds and the advertisement data contiains all
the useful information (Temperature, Humidity and Battery Level).
You can test it with the two Bluez commands hcitool and hcidump (or any other
tool able to read advertisemnt data sent by BLE devices).
In order to show the raw data sent by the sensor, you should first start in
background a BT le scan in 'passive mode' and then print the raw data.
'Passive mode' means that you are not sending any request to the sensor but you
are just reciving the advertisements sent by the BLE devices.
If you scan in normal mode (without --passive option), you will send a scan
request and the the device will send some other additional data (Sensor Name,
available UUIDs) but it is not necessary and you will only waste the sensor
battery.
sudo hcitool lescan --passive &
hcidump --raw
Looking at the hcidump output you can identify four type of messages.
|
Header |
04 3E 25 02 01 00 00 XX XX XX XX XX XX 19 |
|
Flags AD |
02 01 06 |
|
Service Data AD |
15 16 95 FE 50 20 AA 01 17 XX XX XX XX XX XX 0D 10 04 B9 00 5C 02 |
|
RSSI |
A4 |
|
Header |
04 3E 22 02 01 00 00 XX XX XX XX XX XX 16 |
|
Flags AD |
02 01 06 |
|
Service Data AD |
12 16 95 FE 50 20 AA 01 12 XX XX XX XX XX XX 0A 10 01 64 |
|
RSSI |
A6 |
|
Header |
04 3E 23 02 01 00 00 XX XX XX XX XX XX 17 |
|
Flags AD |
02 01 06 |
|
Service Data AD |
13 16 95 FE 50 20 AA 01 14 XX XX XX XX XX XX 06 10 02 5C 02 |
|
RSSI |
A6 |
|
Header |
04 3E 23 02 01 00 00 XX XX XX XX XX XX 17 |
|
Flags AD |
02 01 06 |
|
Service Data AD |
13 16 95 FE 50 20 AA 01 19 XX XX XX XX XX XX 04 10 02 B9 00 |
|
RSSI |
A7 |
The "Service Data AD" is the part of the message that carries the useful information.
XX .. XX are the BT addres of the device, red values is the data type and green values are the data values.
But first we will give a look to the whole message.
As example we will use the Temperature & Humidity message.
04 3E 25 02 01 00 00 XX XX XX XX XX XX 19 02 01 06 15 16 95 FE 50 20 AA 01 17 XX XX XX XX XX XX 0D 10 04 B9 00 5C 02 A6
|
|
Pos. |
Value (hex) |
Description |
|
Header |
0 |
04 |
HCI Packet Type HCI Event |
|
1 |
3E |
LE Meta event |
|
|
2 |
25 |
Nr of following bytes (37 bytes) |
|
|
3 |
02 |
LE Advertising report sub-event |
|
|
4 |
01 |
Number of reports |
|
|
5 |
00 |
Event type (connectable and scannable undirected advertising) |
|
|
6 |
00 |
Public address type |
|
|
7..12 |
XX..XX |
BT Address (6 bytes) |
|
|
13 |
19 |
length of data field (25 bytes) |
|
|
Data |
14 |
02 |
length of first advertising data (AD)structure |
|
15 |
01 |
type of first AD structure (0x01 = Flags) |
|
|
16 |
06 |
first AD data (0x06=LE General Discoverable Mode && BR/EDR Not Supported) |
|
|
17 |
15 |
length of second advertising data (AD) structure |
|
|
18 |
16 |
type of second AD structure (0x16=Service Data) |
|
|
19..38 |
95..02 |
Second AD data (see next table for details) |
|
|
RSSI |
39 |
A6 |
RSSI value (signed byte, 0xA6=-90) |
The most important information is contained into the second AD structure (type 0x16).
The Bluetooth specification defines the AD Type 0x16 as �Service Data�. This AD �must contain at least two bytes representing the 16 bit UUID of this Service Data. The data following the UUID� is custom data and the meaning is not defined in the Bluetooth specification.
The table below shows the meaning of ��Service Data� AD for our sensor. As example we will use the Service Data AD of the same Temperature & Humidity message as above.
95 FE 50 20 AA 01 17 XX XX XX XX XX XX 0D 10 04 B9 00 5C 02
|
|
Pos. |
Value (Hex) |
Description |
|
16 bit UUID |
0..1 |
95 FE |
UUID 16 bit (0xFE95) |
|
Custom Data |
2..5 |
50 20 AA 01 |
TBD (always 50 20 AA 01) |
|
6 |
17 |
Message counter (increments by 1 every message and then restart from 0 when reaches FF) |
|
|
7..12 |
XX XX XX XX XX XX |
Device BT address (6 bytes) |
|
|
13 |
0D |
Data
type: |
|
|
14 |
10 |
TBD (always 0x10) |
|
|
15 |
04 |
Nr of following bytes (depends on Data Type) |
|
|
16..N |
B9 00 5C 02 |
Data
values: |