Thread about the Bluetooth channel in Xiaomi Yi

Hi @defendermannen, does the following info help you in any way?

I copied the bt*.xml files via telnet; only /tmp/fuse_a/pref/bt_devices.xml has differences:

The first pairing:
Code:
<penc_ltk>BB:F2:26:81:09:28:24:A7:37:BE:02:2D:45:B4:C0:13</penc_ltk>
<penc_rand>BF:A6:CA:55:4D:1C:08:BB</penc_rand>
<penc_ediv>27187</penc_ediv>

The second pairing (after I cleared the Yi Cam's Bluetooth pairing and tried again):
Code:
<penc_ltk>4B:42:36:51:99:78:34:77:C7:0E:12:FD:D5:04:D0:E3</penc_ltk>
<penc_rand>4F:F6:DA:25:DD:6C:18:8B</penc_rand>
<penc_ediv>44227</penc_ediv>

Does the Bluetooth generate some passkey every time it pairs to the Yi Cam?
 
I'm pretty sure those values are related to the encryption scheme used in BLE.
The LTK value is the Long Term Key, which is a key saved between the master (YI) and the slave (remote) and is agreed upon during pairing.
The Rand value is a random 64-bit value generated on both the slave and the master. The master generates one 64-bit value and the slave generates one 64-bit value. These are used to produce a short-term key that is different for each connection but based on the Long Term Key.

I'm not sure about the Ediv value. I think it is a value stored in the master which allows the slave to forget the Long Term Key and only remember a shorter key. The master sends the Ediv to the slave and the slave can generate the LTK, and with the LTK and the random numbers (different for each connection event) produce the STK (used for encryption).

Basically, those are keys used for encryption. So the communication between the remote and the camera is most likely encrypted. Do you have a remote to pair with?
 
Yes, these values are from the same Bluetooth remote, paired to the same Yi Cam, two times.
Then I tried to put the old bt_devices.xml back on the Yi Cam and reboot.
No luck: the Bluetooth remote can't control the Yi Cam anymore. I need to redo the pairing steps.
 
Cool.
So these are definitely encryption keys.

Can you try to download a BLE scanner app to your phone and scan your Bluetooth remote?
For example https://play.google.com/store/apps/details?id=com.tony.ble_tool

Can you post what you find here?
 
I still would prefer a wifi remote, which could control much more than the Bluetooth "trigger only"...
 
Why not both?
Yes, a wifi remote would have much more use than a Bluetooth remote. But there are some advantages with Bluetooth + I want to know more about BLE.
 
Sure, but since there is a complete wifi module for ~$3 (google for esp8266), I would opt for that :)
 
Well, learning is a much higher priority for me than the price of modules. BLE is quite a new technology that has not yet been exploited to its full potential, and I think it is useful to get some hands-on experience with programming BLE modules. The HM-10 modules are not that pricey.
Wifi was not intended to be used with small electronics like the Xiaomi Yi; BLE does a lot of the same things, deals better with interference and draws a fraction of the power. It is designed to send commands and small sensor data.
 
True, but (in this case) it limits what you will be capable of doing (basically nothing else than what the original RC can do).
A wifi controller can do the same as the full app.
 
Yep, this camera does not seem to use the BLE channel for that much.

It should be possible to build an app for a smartphone with BLE peripheral capabilities so you could use your smartphone as a remote shutter. This can already be done via wifi, but the wifi channel is so slow to boot and does impact the camera sound. And you have to enable the wifi on the camera all the time.
I think the BLE channel is up all the time, so if I can build this app, the app would only need to connect once.

Anyway, many speculations from my side. I know this might not sound that useful but I would like to try. Would be nice to not have to boot wifi all the time.

Can anyone with a controller tell me what happens if you:
Pair the camera with the controller.
Turn off the camera.
Turn on the camera without wifi.
Try to use the remote.
Does the remote still function?
 
What kind of info do you need?

Hello Luckylz, could you please "click" on every bar and show me the number values they contain?
So, try to click "Device name", "Appearance", "Peripheral privacy flag" and so on...
Can you post the values they hold?

Also, if you boot the camera with wifi off, does the Bluetooth remote still work?
 
Yes, even when the wifi is off, the Bluetooth can still work!
After BT links with the YiCam, every time the YiCam starts up, the first press of the BT button is a little slow. I think it takes some time to reconnect to the YiCam.
 
Guys, I shared my Bluetooth config files copied from /tmp/fuse_a/pref; can they help you get to a 3rd-party Bluetooth remote controller?
 

Attachment: XiaoYi BlueTooth Config Files.zip
Hi @defendermannen, I dumped the log file for you; does it help?
Code:
->  Device Name  2A00 reading...
->  Device Name  2A00 read response -> 088 105 097 111 089 105 095 082 067
->  Appearance  2A01 reading...
->  Appearance  2A01 read response -> 193 003
->  Peripheral Privacy Flag  2A02 reading...
->  Peripheral Privacy Flag  2A02 read response -> 000
->  Peripheral Preferred Connection Parameters  2A04 reading...
->  Peripheral Preferred Connection Parameters  2A04 read response -> 006 000 016 000 031 000 200 000
->  Service Changed  2A05 reading...
->  Service Changed  2A05 read response -> 001 000 255 255
->  Manufacturer Name String  2A29 reading...
->  Manufacturer Name String  2A29 read response -> 068 105 097 108 111 103 032 083 101 109 105
->  Model Number String  2A24 reading...
->  Model Number String  2A24 read response -> 068 065 049 052 053 056 048
->  Firmware Revision String  2A26 reading...
->  Firmware Revision String  2A26 read response -> 118 050 048 095 048 046 049 046 056 095 115 057 049 053
->  Software Revision String  2A28 reading...
->  Software Revision String  2A28 read response -> 118 050 048 095 048 046 049 046 056 095 115 057 049 053
->  System ID  2A23 reading...
->  System ID  2A23 read response -> 018 052 086 255 254 154 188 222
->  PnP ID  2A50 reading...
->  PnP ID  2A50 read response -> 001 210 000 128 005 000 001
->  HID Information  2A4A reading...
->  HID Information  2A4A read response -> 000 001 000 000
->  Report Map  2A4B reading...
->  Report Map  2A4B read response -> 005 012 009 001 161 001 133 003 021 000 037 001 117 001 149 008 009 181 009 182 009 183 009 184 009 205 009 226 009 233 009 234 129 002 010 131 001 010 138 001 010 146 001 010 148 001 010 033 002 026 035 002 042 037 002 129 002 010 038 002 010 039 002 010 042 002 149 003 129 002 149 005 129 001 192 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
->  Protocol Mode  2A4E reading...
->  Protocol Mode  2A4E read response -> 001
->  Boot Keyboard Input Report  2A22 reading...
->  Boot Keyboard Output Report  2A32 reading...
->  Report  2A4D reading...
->  Report  2A4D read response -> 000 000 000
->  Unknow  CAA8 reading...
->  Unknow  49F0 reading...
->  Unknow  DB25 reading...
->  Unknow  B9A3 reading...
->  Unknow  71E8 reading...
->  Unknow  DF94 reading...
->  Unknow  DF94 read response -> 000
 

Attachment: ble log.txt
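Added example, not code from the thread: a small Python decoder for the scanner log format posted above, which turns the decimal byte lists into readable values (the Device Name, Manufacturer and Model strings, the Appearance, the Peripheral Preferred Connection Parameters and the PnP ID). The sample log embedded in it is constructed from a few of the lines in the post; the UUID meanings are the standard Bluetooth GATT characteristic definitions, not something stated in the thread.

```python
import re

# Constructed sample: a handful of lines in the shape of the BLE scanner log above.
SAMPLE_LOG = """\
->  Device Name  2A00 reading...
->  Device Name  2A00 read response -> 088 105 097 111 089 105 095 082 067
->  Appearance  2A01 read response -> 193 003
->  Peripheral Preferred Connection Parameters  2A04 read response -> 006 000 016 000 031 000 200 000
->  Manufacturer Name String  2A29 read response -> 068 105 097 108 111 103 032 083 101 109 105
->  Model Number String  2A24 read response -> 068 065 049 052 053 056 048
->  PnP ID  2A50 read response -> 001 210 000 128 005 000 001
->  Unknow  DF94 read response -> 000
"""

# "->  <name>  <uuid> read response -> <space-separated decimal bytes>"
LINE_RE = re.compile(
    r"^->\s+(?P<name>.+?)\s+(?P<uuid>[0-9A-Fa-f]{4}) read response -> (?P<bytes>[\d ]+)$")

# Standard 16-bit GATT characteristics whose value is a UTF-8 string.
STRING_UUIDS = {"2A00", "2A29", "2A24", "2A26", "2A28"}

def u16le(b, i):
    """Little-endian uint16 at offset i (BLE multi-byte fields are little-endian)."""
    return b[i] | (b[i + 1] << 8)

def decode(uuid, b):
    if uuid in STRING_UUIDS:
        return bytes(b).decode("utf-8", errors="replace")
    if uuid == "2A01":  # Appearance: uint16; 0x03C1 is the HID keyboard appearance
        return u16le(b, 0)
    if uuid == "2A04":  # PPCP: intervals in 1.25 ms units, latency, timeout in 10 ms units
        return {"min_interval_ms": u16le(b, 0) * 1.25, "max_interval_ms": u16le(b, 2) * 1.25,
                "slave_latency": u16le(b, 4), "supervision_timeout_ms": u16le(b, 6) * 10}
    if uuid == "2A50":  # PnP ID: vendor ID source (1 = Bluetooth SIG), VID, PID, product version
        return {"vid_source": b[0], "vid": u16le(b, 1), "pid": u16le(b, 3), "version": u16le(b, 5)}
    return bytes(b)  # unknown characteristic: keep the raw bytes

def parse_log(text):
    """Return {uuid: decoded value} for every 'read response' line in the log."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "reading..." lines carry no payload
        raw = [int(x) for x in m.group("bytes").split()]
        uuid = m.group("uuid").upper()
        out[uuid] = decode(uuid, raw)
    return out

if __name__ == "__main__":
    for uuid, value in parse_log(SAMPLE_LOG).items():
        print(uuid, value)
```

Run against the full attached log, the same decoder shows the remote advertising as a HID keyboard built on a Dialog Semiconductor DA14580, which is why the camera side treats the two buttons as key reports.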
Cool! What's the "BT button"? Is it on the controller or the Yi camera?

Yes, that should help a lot! There is another user trying to make an app so a smartwatch is able to control the Yi cam over BLE.
 
There are 2 buttons on the remote:
"Mode" button: switch between photo and video.
"Shutter" button: take a photo or start/stop video.
 
OK, so when you say "After BT links with the YiCam, everytime when YiCam start-up, first time press BT button, is a little slow.", what do you mean? Do you have to press the wifi/Bluetooth button on the camera?
 