Gadgetbridge: Mi Band 4 Support

You have one?

What is the device (Bluetooth) Name?
Is there a firmware somewhere?

Now, is OTA update
https://geekdoing.com/threads/mi-band-4-known-features.811/page-3

I pushed inittal "support", meaning the device might work as a Mi Band 3.

If you have such a device, please test master and report

I will tag a release very soon, please test if you can!

First impressions of initial support:

• Steps count doesn't sync at all. (Device set to 8000, Gadgetbridge still display 10000 steps)
• Vibration and notification test doesn't work.

@ninfia:

So pairing and connecting works?

Do phone calls work ?

@ninfia
Regarding "step count sync" - we do not sync. Gadgetbridge sends the configured step goal, we do not get it back from the device. If your device still has a goal of 8000, even when Gadgetbridge was set to 10000, then this feature also does not work.

@ninfia
Honestly I have no idea what you tested, because connecting to the Mi Band4 probably did not work at all (that was just fixed in master) - OR - it was detected as a Mi Band 2 (if that was the case which unfortunately you cannot see), it is not fixed yet

What is the Bluetooth device name?

I can't pair my smartphone with miband 4. The application is blocked "connection in progress".

@R34V3N

Using self-compiled master?

And please finally someone....

tell me the Bluetooth device name! Is it Mi Smart Band 4?

The bluetooth device name is Mi Smart Band 4

Self-compiled, it's identifed as MIBAND4 during attempt connection. (Or Mi Smart Band 4 in the device ID).

Paring doesn't work.

(Sorry for late response, had some trouble recovering email to log back to github)

@ninfia
Can you remove the if from:

https://github.com/Freeyourgadget/Gadgetbridge/blob/78dd7ef1531a754d1e28b93c0a8d5ef07b32d1ca/app/src/main/java/nodomain/freeyourgadget/gadgetbridge/service/devices/huami/miband3/MiBand3Support.java#L50

and try again?

Still failed to authenticate. I have tried both w/ and w/o Mi Fit.

@ninfia

Thanks. Time to get a mi Band 4 i guess...
Or you could send me a Bluetooth hci dump while pairing with mi fit ;)

Here's the btsnoop_hci.log

Will it helps?

@ninfia
Thanks, will analyze the file.
AS long as it contains the pairing it should be helpful :)

@ninfia
can you try the miband4_blind_experiments branch I just created and report back?
IF it should work to pair, please also try to disconnect and reconnect afterwards...

Pairing works, but requires the device to be paired w/ Mi Fit. No auth screen for pairing.

(FW: 1.0.4.38, HW: V0.25.131.5)

Can't pair without mi fit (after unpaired from mi fit).

Reconnect works.

@ninfia
Ok for clarification:

1) did the miband4_blind_experiments change anything?
2) the log you send was pairing in mi fit after having unpaired in mi fit?

I am not sure but in the past people reported they cannot connect/pair while mi fit was installed. I cannot confirm that because I never had mi fit on my phone.

https://github.com/Freeyourgadget/Gadgetbridge/blob/master/app/src/main/java/nodomain/freeyourgadget/gadgetbridge/model/DeviceType.java#L41 has a key of 15, identical to the model above. Shouldn't it be 16 for uniqueness?

@ashimokawa
1 - The miband4_blind_experiments indeed make it connected, however without any auth from the miband device. (there should be one, probably this is why it doesn't work without Mi Fit?).

However the notifications debug feature aren't working. (Vibrations happened, but band displayed as "No Notifications")

2 - Yes, the procedure is following. Unpaired -> Restart -> Enable HCI snooping -> Use Mi Fit to Pair -> Use Mi Fit to set a theme -> Use Mi Fit to Find Phone.

@ninfia
Thanks, yes the paring sequence has changed significantly, and I missed something. Will push some more code soon (all untested of course).
What puzzles me is that the shared secret is not pushed to the band in the first step anymore. Normally it is like
1) send shared secret
2) request and receive random number
3) encrypt that with the shared secret and send to band

here it is different - seemingly a random number comes in without step 1.

The log also contains other interesting stuff I didn't see before, and which seems to be unique to the mi band 4 (more flags are sent after connect).

@ninfia
If you have any other device like the mi band 3 I would also be interested in the bluetooth log for comparison.

Unfortunately no, I didn't use a mi band for a while until the 4.

hello i can help you with that (i've got 3 and 4 mi band) just tell me wich test to do

@cynnfx
A bluetooth hci dump of the initial pairing (or pairing after unpairing) in mi fit of a mi band 3 would be interesting (to compare that to the mi band 4).
I fear a lot has changed...

@ashimokawa

Did you get or are you planning on getting mi band 4? I would like to help sponsoring one for you. I am not planning on getting it myself anytime soon as long as my band 3 is OK, but I use gb daily and would like to support you. Please let me know.

@vanous

Yes I will get one for Gadgetbridge

@ashimokawa

Would you like me to help contributing to it?

After my dog ate my previous Mi band 3, I searched for another new one, and Xiaomi just released the 4th gen of this band. I wanted only Gadgetbridge compatible devices ( what I really want it's a Pebble Classic!) but anyway I liked the new stuff and the comfortableness of the band so I'm considering this one. I would like to help too, so I could share you links for the cheapest offer I could find (It's also pretty fast delivery). I don't know if I could share comertial links here so please tell me.

Also searching for the best option I found there are different types (Chinese-that includes CH EN SPN RUSS languages, a Global version and one only Chinese but with NFC and an AI speaker), my question here it's witch one are you using for testing? And do you think it's that feature worth the price and/or fleasible to implement with Gadgetbridge and some other FOSS apps (I was thinking Mycroft or similar, I consider this unlikely but anyway)? If so I probably will be interest in contributing too

@vanous
You mean code-wise? oder money-wise? ;)
We do have some donations left (although donations do not work and we have zero income).

@TheZuaveDragonfly
Just ordered my Mi Band 4 with NFC and Mic. Takes 2-3 weeks to deliver though.

I cannot promise any progress on or ETA though. However once I have it I am motivated to get it running. ;)

@ashimokawa
i would love to contribute code but i have no android coding skills that would be beneficial, so i can only contribute money wise. But motivation (as you said as well :) ) is a big thing, this is why i thought paying for a real hardware (for example MiBand4) would be more beneficial then sending money. Have you paid for your MB4 order already? :)

Is it even possible to use the NFC version outside of china (e.g. in english) right now?

@vanous
Yes I have paid it and it should arrive tomorrow,
however it might be hard to get it working without mi fit (#1554 sounds bad...)

@ninfia
I got my MI Band 4 and can confirm that it is not working with Gadgetbridge
What really puzzles me is that in your log with mi fit 0x0100 is sent to the auth characteristing (frame 522) you get some long random number back (frame 524)
Also in the sequence that follows there is nothing interesting sent from phone to mi band (key, encrypted data) send.

When I do exaclty the same (write 0x0100 to the auth characteristic) I do not get data a large chunk of random data - just a confirmation. And no buzzing / paring screen (what I would expect)

EDIT:
It seems a lot of data are sent after receiving a random number - just to a different characteristics. Hope it is no crypto that involves mi fit servers

After days of research and investigation, I have to assume - based on all information I got - that pairing is done though XIaomi servers, which basically means we cannot support the Mi Band 4. There might be a trick to connect to an already "registered" mi bands when sniffing keys or something, but I did not get past the point since I do not have a xiaomi account.

I will leave this open, if you have different information, and you see a chance to do that offline, just chime in.

After days of research and investigation, I have to assume - based on all information I got - that pairing is done though XIaomi servers,

That would explain why I had lots of issues pairing the band on company wifi yesterday but it worked first try at home... Jesus. Why, xiaomi, why.

@ashimokawa , I am not convinced yet that there is some server-side thingy going on...

I paired my MiBand4 with the MiFit app and analyzed the authentication protocol. Here is what it looks like:

01. Read 00000020-0000-3512-2118-0009af100700
02. Receive 04 (model number?)
03. Turn on notification 00000020-0000-3512-2118-0009af100700
04. Turn on notification 00000009-0000-3512-2118-0009af100700
05. Write 01:00 to 00000009-0000-3512-2118-0009af100700
06. Receive 10:01:81:01:18:63:c2:cc:e5:d1:59:41:3b:ed:92:c4:b1:63:c2:79 from 00000009-0000-3512-2118-0009af100700  (always the same byte array)
07. Write 82:00:02 to 00000009-0000-3512-2118-0009af100700
08. Receive 10:82:01:57:3a:0e:2f:ab:36:46:4e:e2:72:f3:51:7c:4c:3c:a7 from 00000009-0000-3512-2118-0009af100700 (seems to be random number)
09. Write 00:04:00:83:00:76:89:ba:6d:ad:ce:70:30:81:c8:cf:f0:66:f9:95 to 00000020-0000-3512-2118-0009af100700 (four part reponse)
10. Write 00:44:01:12:fe:de:04:6f:27:89:1a:0b:16:17:25:65:18:9f:43:9b to 00000020-0000-3512-2118-0009af100700
11. Write 00:44:02:14:a0:16:b9:34:07:7a:f6:c9:a6:35:15:b4:b5:30:f6:c2 to 00000020-0000-3512-2118-0009af100700
12. Write 00:44:03:65:fa:c5:34:e4:06:4e:b6:74:2f:c7:e1:98:f5:c2:00:00 to 00000020-0000-3512-2118-0009af100700
13. Write 00:84:04:00:00 to 00000020-0000-3512-2118-0009af100700
14. Receive Request MTU 247
15. Receive 10:83:01 from 00000009-0000-3512-2118-0009af100700
16. Receive 10:00:84:01:01:00:00 from 00000020-0000-3512-2118-0009af100700
17. Receive 10:01:01 from 00000009-0000-3512-2118-0009af100700
18. Write 82:00:02 to 00000009-0000-3512-2118-0009af100700
19. Receive 10:82:01:a0:96:39:38:09:7d:73:4d:3f:55:6b:bf:e2:1d:3b:92 from 00000009-0000-3512-2118-0009af100700
20. Write 83:00:6e:84:ee:9d:aa:28:37:84:ef:8a:b2:98:c2:b4:63:90 to 00000009-0000-3512-2118-0009af100700
21. Receive 10:83:01 from 00000009-0000-3512-2118-0009af100700 (authentication succesful)
22. Turn off notification 00000009-0000-3512-2118-0009af100700
23. Read current time
...

I made a small test app and I was able to implement the process until step 9 because that is where the encrypted response comes in.

Some observations:

• The response in step 6 is always the same for my device. Must be some public key of the device.
• The responses are much larger than for the MiBand3 but it is still essentially a challenge-response mechanism. However, I have no idea at this point what kind of encryption is used.
• There seems to be a second challenge-response in steps 18-20 just before receiving the final 'success.

Do we need to "hack" band's firmware for un-binding from server?

@weliem
Thanks, but I have already analyzed that in more detail.

Step nine contains signature from the the server. There lies the problem
Input is mac + random number, plus the key fingerprint from step 6 (same for all current devices)
Output is a 64 bit signature from the server(!), which is send in chunks 9-13 (payload is 2 byted header, 64 bit signature and 4 zero bytes). Chunked protocol in already in Gadgetbridge.

@ashimokawa , ah ok, didn't known you already got further. Good!

Why are you so sure the 64 bit signature is coming from the server? Considering the speed in which all these BLE calls are made, it is impossible to do a call to the server after step 8 and before step 9! Perhaps it is a key that is linked to the user and hence already available before the pairing sequence begins? If so, I'd say there is still hope...

@weliem
Regarding your comparison to the Mi Band 3: WE send the encryption key first, and then the band vibrates for pairing, after the band has the key, we do challenge response. For Mi Band 4 we are no longer the one who sends a private key...

Anyway we can dicuss this in the matrix chat, send you an email just in case.

EDIT: Fixed wrong first sentence

I'm also interested by this discussion, please send me the matrix link.

How about disassembling Mi Fit and analyzing the connect function?

My Mi Band 4 will probably be delivered tomorrow, I'm also interested in participating in the discussion and helping to get the 4 to work with GB.

Hi! Here is another new Mi Band 4 owner with some coding experience. I would like to contribute, so send me pls the matrix link. cu

I have my own Mi Band 4 and have skill of C/C++ on embedded system and python.
I wanna try to extract the IMU data for my research. I may help you on this topic.
I would like to contribute this too. Please tell me the Matrix link.

Perhaps the solution here would be to MitM the app? Does anybody know if it is possible to use the android SDK on a computer to talk to a miband4? And, further to that, to add a CA that we control to the SDK's certificate store?

If those basic prerequisites can be met, it ought to be possible to dump out both network and bluetooth traffic, from the moment the app is installed and any accounts set up, through to the point where the MB4 is paired.

https://matrix.to/#/#gadgetbridge:matrix.org

is the chat

We can then create a new room for this specific topic.

How to hack mi band 2's protocol, hope this link is helpful.

If you can please test master.
Quoting myself:

Mi Band 4: Bring your own key support (blindly done, I dont have my key)

THIS STILL REQUIRES MI FIT AND YOUR EXTRACTED KEY

HOWTO:
1) press + button in Gadgerbridge
2) LONG PRESS Mi Band 4
3) Tap "Auth Key"
4) Enter your key prefixed with 0x (eg. 0x112233445566778899aabbccddeeff00)
5) Go back
6) Tap Mi Band 4

Success? You tell me.

@ashimokawa is there any prebuild apk available?

@unkraut
No, but that would not really help because many features are still missing and bugs exist.

I just wanted to chime in I tried yesterday to connect to my mi band 4 and there was some kind of connection because when i went to the gadgetbridge settings and chose to test vibration for calls, sms, etc, the mi band 4 would vibrate.

I just wanted to chime in I tried yesterday to...

check out and build the last master. we have managed to connect successful several Mi Band 4 devices with it. the only difficulty: you must bring your unique key. there are several ways, with and without rooted smartphone to obtain it. good luck!

thanks

Is it realistic to have key extraction as part of the app on a non-rooted phone in the medium term?

@RichiH as per current status: not at the moment and most likely not at all.

Perhaps the solution here would be to MitM the app? Does anybody know if it is possible to use the android SDK on a computer to talk to a miband4? And, further to that, to add a CA that we control to the SDK's certificate store?

If those basic prerequisites can be met, it ought to be possible to dump out both network and bluetooth traffic, from the moment the app is installed and any accounts set up, through to the point where the MB4 is paired.

I've clearly been overtaken by events, however, right now this is a non-starter, because either I can get bluetooth or I can install mifit in an emulated android system: I haven't been able to do both! (This is a shame, as I have absolutely no intention of installing mifit on a real device)

@weliem
Thanks, but I have already analyzed that in more detail.

Step nine contains signature from the the server. There lies the problem
Input is mac + random number, plus the key fingerprint from step 6 (same for all current devices)
Output is a 64 bit signature from the server(!), which is send in chunks 9-13 (payload is 2 byted header, 64 bit signature and 4 zero bytes). Chunked protocol in already in Gadgetbridge.

64 bit or 128 bit? Because if it's 128 bit, it might be an md5 hash. If it is an md5 hash, it might be of the concatenation of the number read from the device, its mac address and a preshared secret (stored in some read-only memory in the miband4, and on the remote server). If that is what is going on, and the secret isn't too long, and if it is possible to get a sufficiently large pool of signatures, public tokens and addresses, then it might be possible to discover the preshared secret by generating md5 collisions, and that would allow pairing with miband4 without needing mifit.

Of course, if the secret is different for each device, then this is a non-starter.

That is a lot of ifs!

Sorry, the signature is 64 bytes(!), signed with a private key that is in the hands of xiaomi. The band ought to know only a public key to verify the signature.

So this is impossible to crack unless they made stupid mistakes.

Think about it. Can you sign emails in my name with gpg without knowing my private key? No.

Can you sign emails in my name with gpg without knowing my private key? No.

Probably not if it's actual GPG, but there's always a chance the implementation is faulty in some way.
https://neopg.io/blog/gpg-signature-spoof

My point is just, that sniffing traffic is futile in my opinion. Prove me wrong and I am more than happy ;)

I just wanted to chime in I tried yesterday to...

check out and build the last master. we have managed to connect successful several Mi Band 4 devices with it. the only difficulty: you must bring your unique key. there are several ways, with and without rooted smartphone to obtain it. good luck!

Is there any documentation how to obtain the key?

I am interested in this as well. I am coding proof of concept app that utilizes WebBluetooth. I own MiBand4 and can help if you need something regarding logs/testing.

Hello, can somebody please point me in the right direction on how to capture the authentication key. I have a rooted phone, but can't seem to find a guide or something on how to do it anywhere. Please help as I bought the band 4 specifically to use it with gadgetbridge

@Zvfhll i do not have Mi Band 4 so i cannot help you any further, but i have added the description for getting the key on rooted phone to the wiki: https://github.com/Freeyourgadget/Gadgetbridge/wiki/Mi-Band-4#requirements

@tojaad mentioned there was a way to get the key without root. Do you have a link to that process as well?

@tojaad mentioned there was a way to get the key without root.

Yeah. I found some possibilities to get the key on smartphones without root, but it is not quite legal, so sorry i don't want to post it here. Hint: look at some other 3th party apps. They will help you ;)

And on rooted devices this is very easy. Check the MiFit Database (origin_db).

@tojaad sorry but that doesn't help me at all. I have no idea what 3rd party app to look for and what exactly would be illegal about it.

Hi, I used nrf connect and used the scanner. Is the key under Manufacturer data like this?

Manufacturer data (Bluetooth Core 4.1):
Company: Anhui Huami Information Technology Co., Ltd. <0x0157> 0x0090EEFCAAE2A55F5E....

Edit: I tried using this key (btw, keys change whenever I reconnect bluetooth with band) and waited for a couple of minutes for pairing. Did not connect though. Don't know why.

Xiaomi has locked down the pairing process, there is no other way then using mi fit and get the key with root (see wiki) or use a modified version of mi fit that tells you or a third party app the key.

Modification and redistribution of Mi Fit is illegal. Do not link such versions here.

If you do not have root you can install mi fit on a friends phone with your credentials and then that mi dit will sync the key from the cloud and you can get it there then uninstall.

Is the key linked to anything other than the device id?

If yes, which?
If not, why would one need to enter one's own credentials?

If not, why would one need to enter one's own credentials?

The key is stored in Xiaomi's cloud...

Xiaomi has locked down the pairing process, there is no other way then using mi fit and get the key with root (see wiki) or use a modified version of mi fit that tells you or a third party app the key.

Modification and redistribution of Mi Fit is illegal. Do not link such versions here.

If you do not have root you can install mi fit on a friends phone with your credentials and then that mi dit will sync the key from the cloud and you can get it there then uninstall.

Is this the key that we need?

NO!

If I understand correctly, the key is needed only for the pairing process. As far as I know, Mi Fit is using some kind of JSON API to talk to the servers. If we find out what the requests look like, it would be possible to let Gadgetbridge make them without needing the Mi Fit app.

Maybe people can enter their Mi Fit account credentials into Gadgetbridge, so that the app can request a pairing key for the device from the server. After pairing, Gadgetbridge would never contact the servers again, so the amount of data collected by Xiaomi would be neglible (just a throwaway email adress, a random password, the source IP the request was made from and the Mi Band's device ID).

@Holzhaus I understand the gadgetbridge app deliberately does not have internet access permissions, so this needs a second app.

This might be helpful:
https://gist.github.com/Holzhaus/4e469b57735e0faa2c66f71f110fadf6

Using a public key hash and the random bytes, the script requests a signature from Huami's servers.

Interesting. The url In the script provided some interesting search results... For example https://github.com/huamitech/rest-api/wiki

Perhaps this app can help to get the key (see The linked page)
r/miband
Untested, I have only miband3

OK. Cool, so obviously, some solutions already exist. All of them will require either root, patched MiFit or API access.

• The root method is already described in the wiki.
• Patched MiFit app and distribution/linking to it is not something that belongs here, but creative people will be able to search for, if they prefer that.
• API access requires network permission which GB is not to add, so again, creative people will be able to do with the Python gist. As Python installation might be hard, I can imagine that the simple Python code could be rewritten to completely client based JavaScript, but that and hosting is again, up to anyone.

I think the issue is solved and no further discussion is needed, in order not to pollute it here with further links to questionable content. We could rename this to 'MB4 pairing' and open a new generic MB4 issue for other unrelated things.

Of course, these are just my 2¢ 😃

Well, the python script requires the pubkey hash and the random bytes sent from the device. Both are currently not displayed by Gadgetbridge. Also, I don't know how useful the script actually is, since the pairing might time out when the user has to enter or copy&paste the values around manually,

Ideally, we'd have a separate app with internet access that is used when we're pairing a Mi Band 4 and no auth key has entered manually (Similar to "Weather notification" that is used for retrieving weather information in Gadgetbride, just for pairing).

@dj0001 got the auth key but can't get past GB's pairing stage. Just an unending loop. lol It does seem to connect to bluetooth but doesn't get through.

@Nlsalz hmm, perhaps the 0x prefix? https://codeberg.org/Freeyourgadget/Gadgetbridge/wiki/Mi-Band-4#setup

@vanous @dj0001 I've got it connected already. Yay!

The Python script is useful and all i would need to implement that in gadgetbridge.

Missing steps:

• Actually implement sending signature in Gadgetbridge (easy)
• converting the python script to a standalone android app , (medium) - volunteers?
• make Gadgetbridge communicate with the to be written app mentioned above. (I don't want to have internet access and huami web service access in Gadgetbridge) - medium.

To leave a short Feedback: Acquiring the authkey is a bit tricky. The authkey will be generated per Pairing. So Repairing on another device will lead into a wrong authkey. But after a sucsessful Connection, it works pretty good.

To leave a short Feedback: Acquiring the authkey is a bit tricky. The authkey will be generated per Pairing. So Repairing on another device will lead into a wrong authkey. But after a sucsessful Connection, it works pretty good.

Uh, I think that's the reason why I didn't managed to pair the device after getting the key with the modded Mi Fit app.

@unkraut so what's the good path?

@fam4r Just delete the Pairing on the old device in Android Settings and pair on the News device with Gadget-Bridge. Maybe also disabling Bluetooth on the old device could be a good Idea.

Hi all,
I'm trying to pair my Mi Band 4 and I'm trying to obtain the authkey through the python script,
however I don't know how to obtain the hash of the public key of the device.
Is there a way to get it?

Thanks

@n1zzo It's not that easy. The Python script does not give you the authkey. It gives you the server's signature which is needed for the auth key agreement with the Mi Band. So you'd not only need to obtain the hash and the random data from the device, but also need to transmit the output of the Python script (i.e. the signature) to the device and then continue until the key agreeement is complete.

As @ashimokawa already wrote, we need an Android app that implements the Python script's logic and exposes an API that Gadgetbridge can use. I'm not an Android developer, so it'd be nice if somebody would step up and implement that app.

I'm observing some connection issued. I took the authkey dein another device with root. On the other device, i was able to pair the band. After some time, hours or days, i loose the Connection. Reconnection often only success, after severall Times. Onyone else with sporadic Connection issues?

Well, i don't want t judge if the situation is better or worse then with the original app certainly there is no-one to report to in MiFit case... so...

Onyone else with sporadic Connection issues?

Sure:

https://github.com/Freeyourgadget/Gadgetbridge/issues?utf8=%E2%9C%93&q=unstable

https://github.com/Freeyourgadget/Gadgetbridge/issues?utf8=%E2%9C%93&q=+label%3A%22one+of+the+1000+issues+about+disconnection%22+
...

That doesen't Help. The Question focused in the Blessing Edge Implementation for Band 4. By the was: Mi Fit App hadn't any Connection issues.

Have it from time to time but not that often that im tracking it. And it is not a silent one as in one of the linked threads. Can see it when looking to the GB notification icon.

My mobile is set to airplane mode over night, so connecting is broken once a day anyway. Maybe that is different to other users. Automatic reconnecting is working without issues.

Cannot compare to Mi Fit as I never used it, only for pairing. GB was a prerequisite for using such device.

Also dont have experience with any other device connected for more than few hours.

What I realized before and remembered when reading linked threads: I don't see the Mi Band 4 in Android's paired devices and the bluetooth symbol doesn't show active connection.