
BLE token appears to increment with each broadcast

Open jack-webb opened this issue 1 year ago • 2 comments

I re-scanned my remote for its BLE advertising token today, and the token it advertised is different from the one it advertised when I first did this a few months ago. I ran a few more tests and it appears the BLE advertising token of my remote is incrementing roughly with each broadcast.

I wrote a script for scanning tokens using Python; I was originally looking for ways to sniff the token directly on a Bluetooth-capable host. I ran the script whilst pressing the power button (projector unplugged, of course). Script is here: https://github.com/jack-webb/XBleet

[master][~/xbleet]$ pipenv run python XBleet/main.py
Discovered BLE device(s):
Device name: BLuetooth 4.0 RC, Address: 1C:F3:01:F9:9B:8F
Manufacturer 0x46
Data 0xEDD731E3B22440FFFFFF3043524B544D

[master][~/xbleet]$ pipenv run python XBleet/main.py
Discovered BLE device(s):
Device name: BLuetooth 4.0 RC, Address: 1C:F3:01:F9:9B:8F
Manufacturer 0x46
Data 0xEDD731E3B22440FFFFFF3043524B544D

[master][~/xbleet]$ pipenv run python XBleet/main.py
Discovered BLE device(s):
Device name: BLuetooth 4.0 RC, Address: 1C:F3:01:F9:9B:8F
Manufacturer 0x46
Data 0xEFD731E3B22440FFFFFF3043524B544D

...

[master][~/xbleet]$ pipenv run python XBleet/main.py
Discovered BLE device(s):
Device name: BLuetooth 4.0 RC, Address: 1C:F3:01:F9:9B:8F
Manufacturer 0x46
Data 0xF2D731E3B22440FFFFFF3043524B544D

[master][~/xbleet]$ pipenv run python XBleet/main.py
Discovered BLE device(s):
Device name: BLuetooth 4.0 RC, Address: 1C:F3:01:F9:9B:8F
Manufacturer 0x46
Data 0xF3D731E3B22440FFFFFF3043524B544D

[master][~/xbleet]$ pipenv run python XBleet/main.py
Discovered BLE device(s):
Device name: BLuetooth 4.0 RC, Address: 1C:F3:01:F9:9B:8F
Manufacturer 0x46
Data 0xF4D731E3B22440FFFFFF3043524B544D

[master][~/xbleet]$ pipenv run python XBleet/main.py
Discovered BLE device(s):
Device name: BLuetooth 4.0 RC, Address: 1C:F3:01:F9:9B:8F
Manufacturer 0x46
Data 0xF6D731E3B22440FFFFFF3043524B544D


It looks like this is happening to others too - see this comment from a few days ago. The first token bytes are somewhat sequential, which I could see happening over a few attempts at capturing with EFR. Interestingly, for me both the original token and an 'incremented' token spoofed with EFR Connect worked to turn on my projector, which it doesn't for the linked comment.

Also, please add a Bluetooth label for issues so we can tell which are and are not bluetooth related :)

jack-webb avatar Feb 01 '24 17:02 jack-webb
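The increment reported above can be checked mechanically rather than by eye. The following Python is an added example, not the XBleet script and not code from the Xgimi-4-Home-Assistant project. It takes the manufacturer-specific data payloads transcribed from the captures in the post, finds which byte offsets differ between captures, and classifies each changing byte as constant, counter-like (small non-negative steps, wrap-around allowed) or random-looking. The `MAX_STEP` threshold, the function names and the ASCII-tail helper are assumptions of this example, not anything the remote's protocol is documented to use.

```python
"""Check whether a BLE advertising 'token' is really a rolling counter.

Added example, not the XBleet script or Xgimi-4-Home-Assistant code. The
payloads below are the manufacturer-specific data values printed by the
scanner in the issue above, transcribed by hand in capture order; every
threshold and function name here is this example's own assumption.
"""
from __future__ import annotations

# Captured payloads from the issue, in order. The two identical first
# captures are kept on purpose: a repeated value is a valid observation.
CAPTURES = [
    "0xEDD731E3B22440FFFFFF3043524B544D",
    "0xEDD731E3B22440FFFFFF3043524B544D",
    "0xEFD731E3B22440FFFFFF3043524B544D",
    "0xF2D731E3B22440FFFFFF3043524B544D",
    "0xF3D731E3B22440FFFFFF3043524B544D",
    "0xF4D731E3B22440FFFFFF3043524B544D",
    "0xF6D731E3B22440FFFFFF3043524B544D",
]

# Assumption: a scan loop that restarts the scanner between captures misses
# at most a handful of broadcasts, so a counter step of up to this size is
# still "the same counter, a few ticks later".
MAX_STEP = 8


def parse_payload(hex_str: str) -> bytes:
    """Turn the scanner's '0x...' (or bare) hex string into raw bytes."""
    hex_str = hex_str.strip()
    if hex_str.lower().startswith("0x"):
        hex_str = hex_str[2:]
    return bytes.fromhex(hex_str)


def changing_offsets(payloads: list[bytes]) -> list[int]:
    """Byte offsets whose value differs between any two captures.

    All captures must have the same length: a length change would mean the
    remote switched to a different AD structure, not that a token rolled.
    """
    lengths = {len(p) for p in payloads}
    if len(lengths) != 1:
        raise ValueError(f"payload lengths differ: {sorted(lengths)}")
    (length,) = lengths
    return [i for i in range(length) if len({p[i] for p in payloads}) > 1]


def classify_offset(payloads: list[bytes], offset: int) -> str:
    """Return 'constant', 'counter' or 'random-ish' for one byte offset.

    A rolling code or hash output looks random from one capture to the
    next; a counter moves forward by a small amount each time. Steps are
    taken modulo 256 so a wrap from 0xFE to 0x01 still counts as +3.
    """
    values = [p[offset] for p in payloads]
    if len(set(values)) == 1:
        return "constant"
    steps = [(b - a) % 256 for a, b in zip(values, values[1:])]
    if all(step <= MAX_STEP for step in steps):
        return "counter"
    return "random-ish"


def ascii_tail(payload: bytes) -> str:
    """Longest run of printable ASCII at the end of the payload (may be '')."""
    end = len(payload)
    start = end
    while start > 0 and 0x20 <= payload[start - 1] < 0x7F:
        start -= 1
    return payload[start:end].decode("ascii")


def analyse(hex_payloads: list[str]) -> dict:
    """Summarise which bytes move, how they move, and what stays fixed."""
    payloads = [parse_payload(h) for h in hex_payloads]
    offsets = changing_offsets(payloads)
    first_static = max(offsets, default=-1) + 1
    return {
        "changing_offsets": offsets,
        "kinds": {o: classify_offset(payloads, o) for o in offsets},
        "static_suffix": payloads[0][first_static:].hex().upper(),
        "ascii_tail": ascii_tail(payloads[0]),
    }


if __name__ == "__main__":
    for key, value in analyse(CAPTURES).items():
        print(f"{key}: {value}")
```

Run against the captures above, only offset 0 changes and it is classified as a counter (steps of 0, 2, 3, 1, 1, 2), while the remaining fifteen bytes are identical in every capture; the last six of them happen to decode as printable ASCII. To use it on a live remote, feed `analyse` the hex strings your own scanner prints, ideally from a single long-running scan so missed broadcasts do not inflate the step size.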