Source: now
Xiaomi Mi Band BLE Protocol reverse-engineering and API
My Mi-Band is finally here and I totally love it.
Only compatible with Xiaomi Mi3 and Mi4? Lies! Except for unlocking and notifications, every other BLE phone will work with it. Just grab the (translated) app from xda-developers and enjoy. Official App now available for Android and iOS.
To allow third-party developers access to this device I will post details here.
Android: https://github.com/paulgavrikov/xiaomi-miband-android
Cocoa / Swift: https://github.com/paulgavrikov/xiaomi-miband-cocoa
Based on me:
Android by lwis: https://github.com/lwis/miband-notifier
Python by OscarAcena: https://bitbucket.org/OscarAcena/mibanda
Used BLE chip: Dialog DA14580
Default name MI
Connectable yes (approx. 30sec timeout)
Does advertise yes
What features does it have (accessible by BLE):
3 LED (color adjustable), capacitive touch sensor, Vibrator (can be stopped actively), Timer (starts to Vibrate), Battery stats, stores full user profile (gender, age, weight, ...), live step notifications, save step notifications, sleep detection
Write 2 to Characteristic 0xFF0F (PAIR). Maybe you have to confirm by putting your finger on the aluminium part of the Mi Band.
Mi Band will respond with 2 on the same characteristic if the pairing was successful.
Mi Band will respond with 0xfff on the same characteristic if the device is not paired.
Self Test
Write 2 to Characteristic 0xFF0D (TEST). Your Mi Band will do crazy things (LED flashing, vibrate)
Realtime Step Notification
Enable Notifications: Write 3, 1 to Characteristic 0xFF05 (CONTROL_POINT).
Disable Notifications: Write 3, 0 to Characteristic 0xFF05 (CONTROL_POINT).
I assume that you will be notified from 0xFF03 but I haven't verified yet.
Sensor Data Notification
Enable Notifications: Write 18, 1 to Characteristic 0xFF05 (CONTROL_POINT).
Disable Notifications: Write 18, 0 to Characteristic 0xFF05 (CONTROL_POINT).
I assume that you will be notified from 0xFF03 but I haven't verified yet.
Get Battery Info
Read or let notify from Characteristic 0xFF0C (BATTERY).
Interpret the received byte array, skip if received not exactly 10 bytes:
Battery Info:
Level in%: byte[0]
Charges: 0xffff & (0xff & byte[7] | (0xff & byte[8]) << 8)
Status: byte[9]
where 1 = Battery low
2 = Battery charging
3 = Battery full (charging)
4 = Not charging
Last charged Date Information (Gregorian Calendar):
Year: byte[1] + 2000
Month: byte[2]
Day / date: byte[3]
Hour (0-24): byte[4]
Minute: byte[5]
Second: byte[6]
Example response: 33 0E 09 1B 08 03 2E 06 00 04
Factory Reset
Write 9 to Characteristic 0xFF05 (CONTROL_POINT).
To allow third-party developers access to this device I will post details here.
Libraries & Apps
Made by me:Android: https://github.com/paulgavrikov/xiaomi-miband-android
Cocoa / Swift: https://github.com/paulgavrikov/xiaomi-miband-cocoa
Based on me:
Android by lwis: https://github.com/lwis/miband-notifier
Python by OscarAcena: https://bitbucket.org/OscarAcena/mibanda
Used BLE chip: Dialog DA14580
Default name MI
Connectable yes (approx. 30sec timeout)
Does advertise yes
What features does it have (accessible by BLE):
3 LED (color adjustable), capacitive touch sensor, Vibrator (can be stopped actively), Timer (starts to Vibrate), Battery stats, stores full user profile (gender, age, weight, ...), live step notifications, save step notifications, sleep detection
The device has 3 BLE Services:
After a firmware update Mi Band no longer has user-descriptions for their Chars & Services. Either they don't want us to reverse engineer or they simply forgot it ...
- Service 1 (0xFEE0) "Mili-Service"
- 0xFF01 read
- DEVICE_INFO
- 0xFF02 read write
- DEVICE_NAME
- 0xFF03 read notify
- NOTIFICATION
- 0xFF04 read write
- USER_INFO
- 0xFF05 write
- CONTROL_POINT
- 0xFF06 read notify
- REALTIME_STEPS
- 0xFF07 read indicate
- ACTIVITY_DATA
- 0xFF08 write without response
- FIRMWARE_DATA
- 0xFF09 read write
- LE_PARAMS
- 0xFF0A read write
- DATE_TIME
- 0xFF0B read write
- STATISTICS
- 0xFF0C read notify
- BATTERY
- 0xFF0D read write
- TEST
- 0xFF0E read notify
- SENSOR_DATA
- 0xFF0F read write
- PAIR
- 0xFF01 read
-
- Service 2 (0xFEE1)
- 0xFEDD write
- 0xFEDE write
- 0xFEDF read
- Service 3 (0xFEE7)
- 0xFEC7 write
- 0xFEC8 read indicate
- 0xFEC9 read
BLE Actions
The protocol is not up to date, I am no longer updating it.
Extracted from com.xiaomi.hm.bleservice.profile.MiLiProfile.java
Pair
Note: Once the Miband is actively paired with a device, other devices won't discover it
Note: Once the Miband is actively paired with a device, other devices won't discover it
Write 2 to Characteristic 0xFF0F (PAIR). Maybe you have to confirm by putting your finger on the aluminium part of the Mi Band.
Mi Band will respond with 2 on the same characteristic if the pairing was successful.
Mi Band will respond with 0xfff on the same characteristic if the device is not paired.
Self Test
Note: This will remove bonding information on the Mi Band, which might confused iOS (and probably Android, too). So before you connect next time remove your Mi Band via Settings > Bluetooth.
Realtime Step Notification
Enable Notifications: Write 3, 1 to Characteristic 0xFF05 (CONTROL_POINT).
Disable Notifications: Write 3, 0 to Characteristic 0xFF05 (CONTROL_POINT).
I assume that you will be notified from 0xFF03 but I haven't verified yet.
Sensor Data Notification
Enable Notifications: Write 18, 1 to Characteristic 0xFF05 (CONTROL_POINT).
Disable Notifications: Write 18, 0 to Characteristic 0xFF05 (CONTROL_POINT).
I assume that you will be notified from 0xFF03 but I haven't verified yet.
Get Battery Info
Read or let notify from Characteristic 0xFF0C (BATTERY).
Interpret the received byte array, skip if received not exactly 10 bytes:
Battery Info:
Level in%: byte[0]
Charges: 0xffff & (0xff & byte[7] | (0xff & byte[8]) << 8)
Status: byte[9]
where 1 = Battery low
2 = Battery charging
3 = Battery full (charging)
4 = Not charging
Last charged Date Information (Gregorian Calendar):
Year: byte[1] + 2000
Month: byte[2]
Day / date: byte[3]
Hour (0-24): byte[4]
Minute: byte[5]
Second: byte[6]
Example response: 33 0E 09 1B 08 03 2E 06 00 04
=> 51 % charged
=> Not charging
=> Last charged 2014\09\27 08:03:46
=> 6 Cycles (seems like someone charged it before me 5 times ...)
Get Date Time
Get Device / Bluetooth Name
Read from Characteristic 0xFF02 (DEVICE_NAME). The received bytes are to be interpreted as UTF8 String.
Get Device Info
Read from Characteristic 0xFF01 (DEVICE_INFO). Interpret the received byte array.
UUID: formate byte[0-7] as "%02X%02X%02X%02X%02X%02X%02X%02X"
You can extract features, appearance (probably the color) and hardwareRevision form UUID.
There other bytes inside the array are profileVersion and firmwareVersion. Calculation will be posted later.
Read from Characteristic 0xFF01 (DEVICE_INFO). Interpret the received byte array.
UUID: formate byte[0-7] as "%02X%02X%02X%02X%02X%02X%02X%02X"
You can extract features, appearance (probably the color) and hardwareRevision form UUID.
There other bytes inside the array are profileVersion and firmwareVersion. Calculation will be posted later.
Get LE Params
Read from Characteristic 0xFF09 (LE_PARAMS). Interpret the received byte array, skip if received not exactly 12 bytes:
connIntMin: 0xffff & (0xff & byte[0] | (0xff & byte[1]) << 8)
connIntMax: 0xffff & (0xff & byte[2] | (0xff & byte[3]) << 8)
latency: 0xffff & (0xff & byte[4] | (0xff & byte[5]) << 8)
timeout: 0xffff & (0xff & byte[6] | (0xff & byte[7]) << 8)
connInt: 0xffff & (0xff & byte[8] | (0xff & byte[9]) << 8)
advInt: 0xffff & (0xff & byte[10] | (0xff & byte[11]) << 8)
How to interpret this raw timing data:
connIntMin * 1.25 milliseconds
connIntMax * 1.25 milliseconds
latency milliseconds
timeout * 10 milliseconds
connInt * 1.25 milliseconds
advInt * 0.625 milliseconds
Read from Characteristic 0xFF09 (LE_PARAMS). Interpret the received byte array, skip if received not exactly 12 bytes:
connIntMin: 0xffff & (0xff & byte[0] | (0xff & byte[1]) << 8)
connIntMax: 0xffff & (0xff & byte[2] | (0xff & byte[3]) << 8)
latency: 0xffff & (0xff & byte[4] | (0xff & byte[5]) << 8)
timeout: 0xffff & (0xff & byte[6] | (0xff & byte[7]) << 8)
connInt: 0xffff & (0xff & byte[8] | (0xff & byte[9]) << 8)
advInt: 0xffff & (0xff & byte[10] | (0xff & byte[11]) << 8)
How to interpret this raw timing data:
connIntMin * 1.25 milliseconds
connIntMax * 1.25 milliseconds
latency milliseconds
timeout * 10 milliseconds
connInt * 1.25 milliseconds
advInt * 0.625 milliseconds
Get Usage
Get User Info
Get Realtime Steps
Read from Characteristic 0xFF06 (REALTIME_STEPS). The 2 received bytes are the steps. Interpret them as integer.
Example response: 12 16
=> 4630 steps
Read from Characteristic 0xFF06 (REALTIME_STEPS). The 2 received bytes are the steps. Interpret them as integer.
Example response: 12 16
=> 4630 steps
Factory Reset
Note: This will remove bonding information on the Mi Band, which might confused iOS (and probably Android, too). So before you connect next time remove your Mi Band via Settings > Bluetooth.
Reboot
Write 12 to Characteristic 0xFF05 (CONTROL_POINT).
Write 12 to Characteristic 0xFF05 (CONTROL_POINT).
Remind (seems to be Beta testing)
Remote Disconnect
Write 1 to Characteristic 0xFF0D (TEST).
Note: This will remove bonding information on the Mi Band, which might confused iOS (and probably Android, too). So before you connect next time remove your Mi Band via Settings > Bluetooth.
Start Vibration
Write 8, 2 to Characteristic 0xFF05 (CONTROL_POINT).
Write 8, 2 to Characteristic 0xFF05 (CONTROL_POINT).
Stop Motor Vibration
Write 19 to Characteristic 0xFF05 (CONTROL_POINT).
Write 19 to Characteristic 0xFF05 (CONTROL_POINT).
Sync
Write 11 to Characteristic 0xFF05 (CONTROL_POINT).
Write 11 to Characteristic 0xFF05 (CONTROL_POINT).
Write MD5 (???)
Send Firmware
Send Firmware Info
Set Color Theme
Write 14, R, G, B, D to Characteristic 0xFF05 (CONTROL_POINT). Where R, G, B, is a byte representing red, green blue value and D is 0 (don't flash) or 1 (quickly flash Color).
Default colors from the app:
blue: 1542 (Note: yes, this is a int)
green: 0x40500
red: 0x60102
orange: 0x60200
Write 14, R, G, B, D to Characteristic 0xFF05 (CONTROL_POINT). Where R, G, B, is a byte representing red, green blue value and D is 0 (don't flash) or 1 (quickly flash Color).
Default colors from the app:
blue: 1542 (Note: yes, this is a int)
green: 0x40500
red: 0x60102
orange: 0x60200
Set Goal (in steps)
Set Device / Bluetooth Name
Write an UTF8 String (as byte array) to Characteristic 0xFF02 (DEVICE_NAME).
Set Realtime Steps
Set Timer
Set User Info
Set Wear Location (Left Hand, Right Hand, Neck)
Authenticate
I will update more details and post the protocol soon (step by step).