Implement Samsung Smart Tag #65
Comments
I remember seeing that repo yes, but besides the very impressive ROM dump there is no more info there (as you already mentioned there). The paper on the other hand has a lot of info, and I did not see that one yet. I'll have a look soon. |
@KieronQuinn does your work on the Samsung tags also include creating fake tags, or is it focused on using official tags on non-samsung androids? |
Only official tags on non-Samsung. I'm not sure a similar setup to Open Haystack is even possible with Samsung's network, the Bluetooth communication is a lot more complex and would need replicating. |
Got a moment to spare so some more detail on the above:
Like I said on the linked ticket, I plan to include extensive API documentation with my app once it's released. The app won't require root, but will come in the form of a modified SmartThings APK and a companion app (with the option of using the official SmartThings build and Xposed for rooted users) |
I'm very much looking forward to the docs! My focus is on the BLE advertisement, I'll try to get that info from the paper linked a couple comments up. |
I do have a list of characteristic IDs and what they're for, as well as the output of an endpoint which gives a list of "commands" that can be made on them if that'd be useful to you. I think it includes which are encrypted too. |
Am I understanding correctly that the FD5A uuid in the advertisement is all a lost tag needs to transmit? |
As far as I've been able to find, the only difference between tags that are connected to a device (not lost) and not (potentially lost) is a single flag in the advertisement data on that service: the tag state. Here are two decoded service data payloads: Tag connected to phone:
Tag not connected to phone:
And here's the Kotlin code for decoding these items:

```kotlin
// serviceData is the 20-byte payload of the 0xFD5A service data AD structure
// Byte 0: high nibble = version, low nibble = advertisement type (bit 3) + tag state (bits 0-2)
val version = (serviceData[0].toInt() and 0xF0) shr 4
val tagStateAndAdvertisementType = serviceData[0].toInt() and 15
val tagState = tagStateAndAdvertisementType and 7
val advertisementType = tagStateAndAdvertisementType shr 3 and 1
// Bytes 1-3: 24-bit little-endian aging counter
val agingCounter = serviceData[1].toInt() and 0xFF or
    ((serviceData[2].toInt() and 0xFF) shl 8) or
    ((serviceData[3].toInt() and 0xFF) shl 16)
// Bytes 4-11: rotating privacy ID (toHexString() is the stdlib extension, experimental before Kotlin 2.x)
val privacyId = ByteArray(8).apply {
    serviceData.copyInto(this, startIndex = 4, endIndex = 12)
}.toHexString()
// Byte 12: high nibble = region ID, low nibble = flags (encryption, UWB, battery level)
val regionId = (serviceData[12].toInt() and 0xF0) shr 4
val flags = serviceData[12].toInt() and 15
val uwbFlag = flags shr 2 and 1
val encryptionFlag = flags shr 3 and 1
val batteryLevel = flags and 3
// Byte 13: top bit = motion detection
val motionDetection = 1 and ((serviceData[13].toInt() and 0xFF) shr 7)
// Bytes 14-15: reserved, except bit 0 of byte 15 = activity tracking mode
val reserved = ByteArray(2).apply {
    serviceData.copyInto(this, startIndex = 14, endIndex = 16)
}
val activityTrackingMode = (serviceData[15].toInt() and 1) != 0
// Bytes 16-19: signature
val signature = ByteArray(4).apply {
    serviceData.copyInto(this, startIndex = 16, endIndex = 20)
}
```

I'm just checking now to see if there's an enum in the SmartThings APK for what the tag states correspond to, but obviously 5 is connected and 4 is disconnected. Edit: There doesn't seem to be one, it's always checking against just integers. Most likely it's been optimised out of the APK. |
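The byte layout described in the comment above, carried over into a stand-alone Python decoder. This is an added example, not code from the issue thread or from the SmartThings app: it walks the AD structures of a raw BLE advertisement to find the 0xFD5A service data (AD type 0x16, "Service Data - 16-bit UUID"), decodes the 20-byte payload with the same bit positions as the Kotlin snippet, and reports whether the tag is in the "not connected" state (4) that the comment identifies as the potentially-lost case. The sample advertisements are constructed for the example, and the `possibly_lost` rule simply encodes the 5 = connected / 4 = disconnected observation from the thread.

```python
from dataclasses import dataclass
from typing import Optional

SMARTTAG_SERVICE_UUID16 = 0xFD5A   # service UUID the thread refers to as FD5A / 5AFD
AD_TYPE_SERVICE_DATA_16 = 0x16     # BLE AD type: Service Data - 16-bit UUID
TAG_STATE_CONNECTED = 5            # values observed in the comment above
TAG_STATE_DISCONNECTED = 4


@dataclass(frozen=True)
class SmartTagAdvertisement:
    version: int
    tag_state: int
    advertisement_type: int
    aging_counter: int
    privacy_id: str
    region_id: int
    uwb_flag: int
    encryption_flag: int
    battery_level: int
    motion_detection: int
    activity_tracking_mode: bool
    signature: str

    @property
    def possibly_lost(self) -> bool:
        # Assumption from the thread: state 4 means not connected to a phone.
        return self.tag_state == TAG_STATE_DISCONNECTED


def extract_fd5a_service_data(advertisement: bytes) -> Optional[bytes]:
    """Walk the length/type/value AD structures and return the FD5A service data, or None."""
    i = 0
    while i < len(advertisement):
        length = advertisement[i]
        if length == 0 or i + 1 + length > len(advertisement):
            break  # padding or a truncated structure: stop rather than over-read
        ad_type = advertisement[i + 1]
        payload = advertisement[i + 2 : i + 1 + length]
        if ad_type == AD_TYPE_SERVICE_DATA_16 and len(payload) >= 2:
            uuid16 = payload[0] | (payload[1] << 8)  # UUID is little-endian on the air
            if uuid16 == SMARTTAG_SERVICE_UUID16:
                return payload[2:]
        i += 1 + length
    return None


def decode_service_data(service_data: bytes) -> SmartTagAdvertisement:
    """Decode the 20-byte FD5A payload using the same field positions as the Kotlin snippet."""
    if len(service_data) < 20:
        raise ValueError(f"expected at least 20 bytes of service data, got {len(service_data)}")
    b0 = service_data[0]
    state_and_type = b0 & 0x0F
    flags = service_data[12] & 0x0F
    return SmartTagAdvertisement(
        version=(b0 & 0xF0) >> 4,
        tag_state=state_and_type & 0x07,
        advertisement_type=(state_and_type >> 3) & 1,
        aging_counter=service_data[1] | (service_data[2] << 8) | (service_data[3] << 16),
        privacy_id=service_data[4:12].hex(),
        region_id=(service_data[12] & 0xF0) >> 4,
        uwb_flag=(flags >> 2) & 1,
        encryption_flag=(flags >> 3) & 1,
        battery_level=flags & 0x03,
        motion_detection=(service_data[13] >> 7) & 1,
        activity_tracking_mode=(service_data[15] & 1) != 0,
        signature=service_data[16:20].hex(),
    )


# Constructed sample payload: version 1, type 0, state 5 (connected); aging counter 0x123456;
# region 2; flags encryption=1, uwb=0, battery=3; motion bit set; activity tracking bit set.
CONNECTED_SERVICE_DATA = bytes.fromhex(
    "15" "563412" "0102030405060708" "2b" "80" "00" "01" "deadbeef"
)
# Same payload with the tag state changed to 4 (not connected).
DISCONNECTED_SERVICE_DATA = bytes([0x14]) + CONNECTED_SERVICE_DATA[1:]
# Constructed raw advertisement: Flags AD structure followed by the FD5A service data.
RAW_ADVERTISEMENT = (
    bytes.fromhex("020106")
    + bytes([1 + 2 + len(DISCONNECTED_SERVICE_DATA), AD_TYPE_SERVICE_DATA_16, 0x5A, 0xFD])
    + DISCONNECTED_SERVICE_DATA
)

if __name__ == "__main__":
    for label, sd in (("connected", CONNECTED_SERVICE_DATA),
                      ("raw advertisement", extract_fd5a_service_data(RAW_ADVERTISEMENT))):
        adv = decode_service_data(sd)
        print(f"{label}: state={adv.tag_state} possibly_lost={adv.possibly_lost} "
              f"privacy_id={adv.privacy_id} battery={adv.battery_level}")
```

Note that, as the later replies in this thread say, the privacy ID and signature rotate along with the MAC address, so a scanner can tell that some SmartTag is nearby and whether it is in the disconnected state, but not which tag it is from the advertisement alone.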
Here's the full list of characteristics for a SmartTag2 from the https://client.smartthings.com/miniature/configure?profileId=*removed* endpoint: characteristics.json And my own table of them that was built before I found that endpoint, based on what they were used for in the APK:

- eedd5e73-6aa8-4673-8219-398a489da87c (Encryption/Auth Service)
- 0000fd5a-0000-1000-8000-00805f9b34fb (Control Service)
- a0e78d39-75b5-4182-8fdc-c4b7365c9062 (?)
|
Hi @KieronQuinn: amazing job. Can you tell me: is this Kotlin code decoding the "5AFD" service data, or some GATT characteristic value? |
The service data. Characteristics are encrypted for the most part. |
Thank you! One more thing: in case of having 2 SmartTags, is there any way based on this advertisement data to distinguish which one my BLE scanner is seeing, or in case of seeing 5AFD service data can I just be sure there is "A" SmartTag nearby (I can't even be sure it belongs to me)? I thought either signature or privacyId is constant but it seems they keep changing just as the mac. |
I was never able to figure out that bit. SmartThings seems to know which are owned by you, so I've been using that to filter the scan results. The API does send some privacy ID generation related code, so perhaps it's possible to work out if you own it from that. |
Which API do you use for that? |
https://client.smartthings.com/devices with the right authentication, I'll post the full API documentation soon |
For me, this page returns a 401, maybe I need to log in somewhere first before opening this link? |
Yes, like I said it needs the correct authentication. The auth system is complex so I won't explain it here now, but it's covered in my API documentation which will be posted soon. |
Just thought I'd link this component in case it's interesting: https://github.com/Vedeneb/HA-SmartThings-Find Even though you have to add the Samsung Smart Tags from a Samsung phone, you can use this integration to track the tags afterwards. Once in a while (every 2 weeks perhaps) you have to reauth, but that's basically logging in again on your Samsung account from a browser. |
Yes I saw that, but the web interface is very limited compared to the app |
Hi everyone,
Have you seen this repo?
Samsung SmartTag Hack
Samsung holds a significant market share in the tracker space, and this could be interesting for anyone looking into.