Reverse engineering Transtek / AdeVital BA1401 Body Scale BLE communication

The AdeVital app and scale appear to be a rebranding of Transtek products, so I assume they share the same communication protocol. For testing I used the AdeVital BA1401.

Service

00007802-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE"

00007882-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_A3" (maybe a different version?)
00007892-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_A3_TAYLOR" (maybe a different version?)

Characteristics


a) 00008a21-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE" (Indicate)
b) 00008a22-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_TAYLOR_APPEND" (Indicate)
00008a20-0000-1000-8000-00805f9b34fb "WEIGHT_SCALE_TAYLOR_FEATURE" (Read)
00008a81-0000-1000-8000-00805f9b34fb "COMMON_WRITE" (Write)

c) 00008a82-0000-1000-8000-00805f9b34fb "PWD_OR_RANDOM_NUMBER" (Indicate)

Descriptors (for characteristics a, b and c)
00002902-0000-1000-8000-00805f9b34fb "DESC_CCC"

Values
We can read 4 values:
  • Unit
    • KG = 0x00
    • LB = 0x01
    • ST = 0x02
  • Weight
  • Impedance1
  • Impedance2

This system uses a custom pairing method. Let's look at it as a state machine:
SERIAL_NUMBER_READ => PWD_READ  => ADDR_WRITTEN  => RANDOM_NUMBER_READ => PWD_RN_WRITTEN => UTC_WRITTEN

Write MAC Address // State ADDR_WRITTEN:
The scale needs to know your phone's Bluetooth MAC address for authentication.
Write the byte 33 followed by the first 4 bytes of your MAC to the COMMON_WRITE characteristic.

Calculating a password // State PWD_RN_WRITTEN:
Enable indications on c) and listen for the resulting callbacks.
In each callback, value[] is the characteristic's byte array.

There are two possibilities:
 a) you received a password (value[0] ^ 0xffffffa0 == 0, i.e. the first byte is 0xA0 when read as a sign-extended Java byte)
 b) you received a random number (value[0] ^ 0xffffffa1 == 0, i.e. the first byte is 0xA1)
a) should arrive before b).

Save both values, let's say as pasw[] and rand[].
Generate a new array, let's call it auth[].
Set auth[0] to 32.

Now for every remaining byte (starting with i=1):
auth[i] = pasw[i-1] ^ rand[i-1];

Write auth[] to COMMON_WRITE