#define CRC_PRESET 0x00
#include <stdio.h>
#include <stdlib.h> /* strtol */
#define CRC_POLYNOM 0x8c
#define CRC_PRESET 0x00
int main(int argc, char* argv[]) {
if(argc!=21 && argc!=2){
printf("\n\tMiband userinfo checksum by 009\n");
printf("\t Usage: %s [arrayOfByte] <lastBleAddr>\n", argv[0]);
printf("\t\t%s 0x88\n", argv[0]);
printf("\t\t%s 0xA3 0xF0 0x1D 0x28 0x01 0x20 0xAA 0x3C 0x01 0x30 0x30 0x39 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x88\n\n", argv[0]);
return 0;
}
unsigned char FRAME[] = {0xA3, 0xF0, 0x1D, 0x28, 0x01, 0x20, 0xAA, 0x3C, 0x01, 0x30, 0x30, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
unsigned char lastAddr = strtol(argv[20],NULL,0);
unsigned int crc = CRC_PRESET;
if(argc==21){
for(int i = 0; i < 19; i++)FRAME[i]=strtol(argv[i+1],NULL,0);
}
for(int i = 0; i < sizeof(FRAME); i++) {
crc ^= FRAME[i];
for(int j = 0; j < 8; j++) {
if(crc & 0x01) {
crc = (crc >> 1) ^ CRC_POLYNOM;
} else {
crc = (crc >> 1);
}
}
}
printf("CRC8=%02X\n", crc);
for(i = 0; i < 19; i++)printf("%02X-", FRAME[i]);
printf("%02X\n", crc^lastAddr); //0x3A mac地址最后一字節(jié)
return 0;
}
下面是各種UUID:
|
Characteristic
|
Handle
|
UUID
|
|
|
Des
|
|
UUID_SERVICE_MILI_SERVICE
|
|
FEE0
|
|
|
服務(wù)
|
|
UUID_CHARACTERISTIC_DEVICE_INFO
|
|
FF01
|
R
|
88-7C-XX-XX-00-00-02-B5-00-06-00-02-30-09-00-01
|
設(shè)備信息
|
|
UUID_CHARACTERISTIC_DEVICE_NAME
|
|
FF02
|
RW
|
00-60-09-4D-49
|
設(shè)備名稱
|
|
UUID_CHARACTERISTIC_NOTIFICATION
|
|
FF03
|
Notify,R
|
15
|
|
|
|
|
0x2902
|
R
|
01-00
|
notify
|
|
UUID_CHARACTERISTIC_USER_INFO
|
19
|
FF04
|
RW
|
XX-XX-1D-28-01-11-AF-4B-01-30-30-39-00-00-00-00-00-00-00-71
|
|
|
UUID_CHARACTERISTIC_CONTROL_POINT
|
1B
|
FF05
|
W
|
|
控制指令
|
|
UUID_CHARACTERISTIC_REALTIME_STEPS
|
|
FF06
|
Notify,R
|
B9-14-00-00
|
步數(shù)
|
|
|
|
0x2902
|
R
|
01-00
|
realtimedata
|
|
UUID_CHARACTERISTIC_ACTIVITY_DATA
|
|
FF07
|
Notify,R
|
01-0F-05-11-10-06-04-00-00-00-00
|
|
|
|
|
0x2902
|
R
|
01-00
|
Data
|
|
UUID_CHARACTERISTIC_FIRMWARE_DATA
|
|
FF08
|
W
|
|
升級(jí)數(shù)據(jù)
|
|
UUID_CHARACTERISTIC_LE_PARAMS
|
|
FF09
|
Notify,RW
|
CC-01-F4-01-00-00-F4-01-F4-01-08-08
|
|
|
|
|
0x2902
|
R
|
6C-65-70-61-72-61-6D
|
leparam
|
|
UUID_CHARACTERISTIC_DATE_TIME
|
28
|
FF0A
|
RW
|
0F-05-11-10-05-33-0F-05-11-10-06-05
|
|
|
UUID_CHARACTERISTIC_STATISTICS
|
|
FF0B
|
RW
|
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
|
|
|
UUID_CHARACTERISTIC_BATTERY
|
|
FF0C
|
Notify,R
|
1C-0F-04-0D-0A-32-33-05-00-00
|
電池信息
|
|
|
|
0x2902
|
R
|
01-00
|
Battery
|
|
UUID_CHARACTERISTIC_TEST
|
2E
|
FF0D
|
RW
|
B7-1D
|
|
|
|
|
FF0E
|
Notify,RW
|
|
|
|
|
|
0x2902
|
R
|
01-00
|
fulldata
|
|
PAIR,寫入02解除
|
33
|
FF0F
|
RW
|
FF-FF
|
|
|
|
|
|
|
|
|
|
補(bǔ)充
|
|
|
|
|
|
|
|
0x0014
|
FF02
|
|
01 廣播 00 不廣播
|
|
電池信息:1C-0F-04-0D-0A-32-33-05-00-00
沒啥大用,第一個(gè)字節(jié)電量百分比,之后上次充電的年月日時(shí)間等。
FF05是發(fā)送控制指令用的,常用的如下:
|
UUID
|
作用
|
值
|
|
FF05
|
updateFirmware
|
07XXXXXX ...
|
|
SetGoal
|
0500LLHH
|
|
SetColor
|
0ERRGGBB01
|
|
StartVibrate
|
0801
|
|
StopVibrate
|
0D
|
|
Vibrate
|
0802
|
|
Vibrate + LED
|
0800
|
|
FactoryReset
|
09
|
|
Reboot
|
0C
|
|
Sync
|
0B
|
|
左右手
|
0FXX
|
|
打開實(shí)時(shí)步數(shù)提示
|
0301
|
|
關(guān)閉實(shí)時(shí)步數(shù)提示
|
0300
|
例如:成功寫入了如下FF04之后,
寫入完成后,向FF05寫入0E06000001就設(shè)置了手環(huán)發(fā)紅光。。。
點(diǎn)擊讀FF06就會(huì)獲得當(dāng)前步數(shù)(好像這個(gè)值不需要寫FF04也可以,懶得試了)
另:各個(gè)固件可以隨便刷,不用考慮能不能降版本的問題。手機(jī)APP只是手機(jī)端做了限制。
如果哪位大俠分析出了固件升級(jí)時(shí)候校驗(yàn)是怎么校驗(yàn)的,望賜教,ARM逆向?qū)嵲诟悴欢ā?br />
不會(huì)寫手機(jī)端APP,否則可以搞一些比較好(wei)玩(suo)的事情。
以上分析不一定完全正確,有錯(cuò)誤的地方歡迎指正。