Understood. Most of the devices (in fact, all devices) that I have dealt with so far do not need to be paired.
The UUID can be used to uniquely identify the type of the device. I can use it to match to a DTH. If there is no connect information, there may be additional broadcasting/advertising data. This is called active scanning. The GUI may not be able to see it. However, nrfconnect has a link on the device that says raw. This will display all advertising data. Something like below.
This is an example of one of my devices. My nrfConnect has that raw link. Marked red.
For Xiaomi, as an example, there is a type 0x16 for all the sensor data. Yours may be different. We are looking for something similar to this. Marked blue.
Please do make sure whether you can connect to it. If you cannot connect to it, it means it is operating as a beacon. There must be a flag that will say not connectable. Marked green. We can concentrate our effort on looking for advertising data. If it turns out to be connectable, there may be a different mechanism to get the data.
Unfortunately, I only have iOS devices (my old Android tablet doesn't support the new nRF Connect app). With nRF, I don't have the options for clone, raw or more on any device.
Are there any other suggestions or a Bluetooth sniffer you all would recommend?
I ordered the dongle, so hopefully I can try and get some better information this weekend. The second and third screenshots are what I had. The third screenshot is comparable to what you have in the ipad app. The screen had the chart, I just focused on what I thought was the relevant piece for the information. The first/second screenshots were what was on the primary screen, and the third screenshot was the second page (the same as your right column.)
I am not able to connect. I think it just broadcasts data. I'm hoping when I get the dongle I can see if I can get the raw data (fingers crossed it will be here by this weekend).
I think you may not need the dongle. I think that the manufacturer data is the one that has some of the tank level and humidity info. I pulled this from TI documentation.
It is type 0xFF (manufacturer data), company ID 0x000D. The rest is probably sensor data. We just need to decode it. One way is to see how the numbers change as the sensor reading changes. Some of these numbers are usually simple to decode. Please do play around with the LPG sensor and see if you can correlate the numbers with what you see in the app.
Will do. I had done it a bit, but it hadn't seemed to change. I'm out this week, but will play around this weekend and see what changes. Thank you again for all of your help and innovation in pushing the hubitat forward.
Just let me know when you have additional info. I am hoping that the sensor value is in the manufacturer data.
Sometimes they are easy to decode. As an example, Xiaomi has a byte that changes as the temperature changes. Once the byte that changes is identified, in the case of Xiaomi, it turns out that the byte, if converted to a decimal value, shows the temperature in Celsius. I hope the LPG sensor does the same thing.
Thanks for gathering the data. As we can add support for more Bluetooth devices, it will open up our Hub to use other interesting devices beyond Zigbee and Z-Wave devices.
Amazon has started to have some incredible sales on Bluetooth BBQ probes.
It is $42 + tax with coupon DIJ4RV93.
I wish I had not bought mine too soon. I have the 4-probe model. It seems like the 6-probe model could be the same design with an additional 2 probes added to it. For those who have my BT modules and need a BBQ probe, it would be interesting to see if this version would work as well.
$16 with coupon U3HDBCG5 for 2 sensors. This is probably the cheapest temperature/humidity sensor regardless of the wireless technology. Rumor has it that it has a Swiss sensor.
I got the Bluetooth dongle and used an iPhone and an iPad to receive the data. I was not able to connect to the device with any of the methods. I tried measuring initially with the device connected to the tank, disconnected from the tank and next to the monitoring devices, disconnected from the tank and in the refrigerator (to get a lower ambient temperature and poorer signal strength), and then reconnected to the tank. Interestingly, I would have expected the data received on all three devices to be the same, but it varied by device. I did quit out of nrfconnect on the iOS devices and restarted scanning, but it seemed to report the same data in all the scenarios. About the only piece I am sure of is that the device ID is 1e:d2:34, the last three sets of the manufacturer data, which was consistent across devices.
The result on the iPad and iPhone is puzzling to me. A device should send out exactly the same data regardless of the recipient. It looks like they are from different devices. Do you have one LPG sensor or multiple of them?
The red circle shows something that I cannot explain unless they come from different variants of the LPG sensor. Even for multiple devices of the same type and variant, the red information should be the same. In this case, each device will have a different MAC address.
If I have to assume that they are from the same device, the major value has changed. This tells me that the major value has meaning. I am not sure now how this manufacturer uses this value. I have worked on a couple of devices that use the major and minor to deliver sensor data. Perhaps it is worth trying to see whether these values reflect readings of the sensor in the app. If you take those numbers.
Do numbers like 01, 08, 05, 78 resemble some value you have seen in the sensor app? If those numbers are in hex, we are looking at numbers like 1, 8, 5 and 120 in decimal. Otherwise, this indicates readings from different devices.
The blue circle shows that it may have some service. This is a term in the Bluetooth protocol that means you may have some attribute that you can poll (read). But, in this case, the device should be connectable. Once you connect to it, you will be shown all the possible characteristics.
If you have the Bluetooth dongle, you should be able to sniff the traffic between the LPG phone app and the LPG sensor, assuming it is not encrypted. I do not know in particular how the dongle setup works. But I imagine that it will be connected to the Wireshark application. If you can do this, there could be some secret that you can reveal. It may be something worth trying.
I only have one device. Seeing that the settings stayed consistent on the iphone/ipad - I'm not necessarily convinced that the phone was actively scanning versus once it got a value it kept it. I had tried closing out of the app, but I find it interesting that it had not changed. Similarly though even with the windows app there was a change between some of the readings, but I would have expected some difference between all three scenarios (since it also reports wireless signal, quality of reading and how full - previously the app also reported ambient temperature). In my case the tank is about 80% full, but the signal strength should have changed, and when disconnected from the tank go from 80 to zero.
As an aside I found out after the fact that the nrf25840 dongle is not supported for sniffing.
Could the 218 or 223 potentially be the height of the propane in mm- the app reports ~21.2 cm which is equivalent to 81% or 8.4 inches for how full the tank is (20# tank)? I know not an exact match but close.
Reading up on tips and tricks for reverse engineering, if possible, you want to simulate changes in one of the parameters. We know that it is a level. Assuming it is a percentage, there are potentially one, two or 4 bytes that would represent a percentage. If I have to guess, one byte is the most likely.
Would you be able to trigger a level measurement change only? If you can make a 1 % gradual change, it would be ideal. But if you can see a number that flips from 0 to X, if you can trigger empty or some value, that would be useful as well.
I believe that you mentioned that there is another sensor reading. If we can catch it further by triggering changes.
The app also helps to correlate which of the green bytes represent the sensor reading.
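The decoding approach discussed in this thread (pull the type 0xFF manufacturer data for company ID 0x000D out of the raw advertising payload, then see which bytes move with the reading shown in the app) can be scripted as below. This is an added example, not code from any poster in the thread; the function names are hypothetical and the capture bytes are constructed for illustration, not taken from the LPG sensor.

```python
# Added example: all capture data below is constructed, not taken from the thread.
AD_MANUFACTURER = 0xFF  # "Manufacturer Specific Data" AD type

def parse_ad(raw: bytes):
    """Split a raw advertising payload into (ad_type, data) structures."""
    out, i = [], 0
    while i < len(raw):
        length = raw[i]
        if length == 0:                      # zero length: padding, stop
            break
        if i + 1 + length > len(raw):        # malformed or truncated capture
            raise ValueError(f"AD structure at offset {i} overruns payload")
        out.append((raw[i + 1], raw[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def manufacturer_payload(raw: bytes, company_id: int):
    """Return the bytes after the little-endian company ID, or None."""
    for ad_type, data in parse_ad(raw):
        if ad_type == AD_MANUFACTURER and len(data) >= 2:
            if int.from_bytes(data[:2], "little") == company_id:
                return data[2:]
    return None

def changing_bytes(captures, company_id):
    """captures: [(app_reading, raw_hex)]. Map each payload offset whose
    value varies to its [(app_reading, byte_value), ...] history."""
    rows = []
    for reading, raw_hex in captures:
        payload = manufacturer_payload(bytes.fromhex(raw_hex), company_id)
        if payload is not None:
            rows.append((reading, payload))
    width = min((len(p) for _, p in rows), default=0)
    return {off: [(r, p[off]) for r, p in rows]
            for off in range(width)
            if len({p[off] for _, p in rows}) > 1}

def direct_matches(captures, company_id):
    """Offsets whose byte equals the app reading in every capture."""
    return [off for off, hist in changing_bytes(captures, company_id).items()
            if all(r == b for r, b in hist)]

# Constructed captures: (level % shown in app, raw advertising payload in hex).
CAPTURES = [
    (80, "0201040aff0d0001501703aabbcc"),
    (40, "0201040aff0d0001281703aabbcc"),
    (0,  "0201040aff0d0001001603aabbcc"),
]

if __name__ == "__main__":
    for off, hist in changing_bytes(CAPTURES, 0x000D).items():
        print(f"payload[{off}] varies:", hist)
    print("tracks app reading directly:", direct_matches(CAPTURES, 0x000D))
```

Offsets that vary but do not equal the reading directly are the candidates for scaled or multi-byte values, which is where gradual 1 % changes make the mapping easier to spot.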