Implement Samsung Smart Tag #65
Comments
I remember seeing that repo, yes, but apart from the very impressive ROM dump there is no more info there (as you already mentioned there). The paper, on the other hand, has a lot of info, and I had not seen that one yet. I'll have a look soon. |
@KieronQuinn does your work on the Samsung tags also include creating fake tags, or is it focused on using official tags on non-samsung androids? |
Only official tags on non-Samsung. I'm not sure a similar setup to OpenHaystack is even possible with Samsung's network; the Bluetooth communication is a lot more complex and would need replicating. |
Got a moment to spare so some more detail on the above:
Like I said on the linked ticket, I plan to include extensive API documentation with my app once it's released. The app won't require root, but will come in the form of a modified SmartThings APK and a companion app (with the option of using the official SmartThings build and Xposed for rooted users) |
I'm very much looking forward to the docs! My focus is on the BLE advertisement; I'll try to get that info from the paper linked a couple of comments up. |
I do have a list of characteristic IDs and what they're for, as well as the output of an endpoint which gives a list of "commands" that can be made on them if that'd be useful to you. I think it includes which are encrypted too. |
Am I understanding correctly that the FD5A uuid in the advertisement is all a lost tag needs to transmit? |
As far as I've been able to find, the only difference between tags that are connected to a device (not lost) and tags that are not (potentially lost) is a single flag in the advertisement data on that service: the tag state. Here are two decoded service data payloads:

Tag connected to phone:

Tag not connected to phone:
And here's the Kotlin code for decoding these items:

```kotlin
// Decoder for the 20-byte FD5A service data, wrapped in a function so it can be
// called on a scanned advertisement. toHexString() is the Kotlin 1.9+ stdlib
// extension (experimental, hence the opt-in); on older Kotlin use joinToString.
@OptIn(ExperimentalStdlibApi::class)
fun decodeSmartTagServiceData(serviceData: ByteArray) {
    require(serviceData.size >= 20) { "FD5A service data must be at least 20 bytes" }
    // Byte 0: high nibble = version; low nibble = tag state (3 bits) + advertisement type (1 bit)
    val version = (serviceData[0].toInt() and 0xF0) shr 4
    val tagStateAndAdvertisementType = serviceData[0].toInt() and 15
    val tagState = tagStateAndAdvertisementType and 7
    val advertisementType = (tagStateAndAdvertisementType shr 3) and 1
    // Bytes 1..3: 24-bit little-endian aging counter
    val agingCounter = (serviceData[1].toInt() and 0xFF) or
        ((serviceData[2].toInt() and 0xFF) shl 8) or
        ((serviceData[3].toInt() and 0xFF) shl 16)
    // Bytes 4..11: rotating privacy ID
    val privacyId = ByteArray(8).apply {
        serviceData.copyInto(this, startIndex = 4, endIndex = 12)
    }.toHexString()
    // Byte 12: high nibble = region ID; low nibble = flags (UWB, encryption, battery level)
    val regionId = (serviceData[12].toInt() and 0xF0) shr 4
    val flags = serviceData[12].toInt() and 15
    val uwbFlag = (flags shr 2) and 1
    val encryptionFlag = (flags shr 3) and 1
    val batteryLevel = flags and 3
    // Byte 13: top bit = motion detection
    val motionDetection = 1 and ((serviceData[13].toInt() and 0xFF) shr 7)
    // Bytes 14..15: reserved; bit 0 of byte 15 is the activity tracking mode
    val reserved = ByteArray(2).apply {
        serviceData.copyInto(this, startIndex = 14, endIndex = 16)
    }
    val activityTrackingMode = (serviceData[15].toInt() and 1) != 0
    // Bytes 16..19: signature
    val signature = ByteArray(4).apply {
        serviceData.copyInto(this, startIndex = 16, endIndex = 20)
    }
    println("version=$version tagState=$tagState advertisementType=$advertisementType " +
        "agingCounter=$agingCounter privacyId=$privacyId regionId=$regionId uwb=$uwbFlag " +
        "encryption=$encryptionFlag battery=$batteryLevel motion=$motionDetection " +
        "reserved=${reserved.toHexString()} activityTracking=$activityTrackingMode " +
        "signature=${signature.toHexString()}")
}
```

I'm just checking now to see if there's an enum in the SmartThings APK for what the tag states correspond to, but obviously 5 is connected and 4 is disconnected. Edit: There doesn't seem to be one; it's always checking against just integers. Most likely it's been optimised out of the APK. |
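The layout described in the comment above (version nibble, tag state, 24-bit little-endian aging counter, 8-byte privacy ID, region/flags byte, motion bit, reserved bytes, signature), as an added example that is not code from this thread or from the SmartThings app. It is a plain-Python port of the same field extraction, with a constructed 20-byte payload for each of the two states so that the "only the tag state differs" observation can be checked directly. The tag-state values 5 and 4 are taken from the comment, not from any official enum, and the sample bytes are invented.

```python
from dataclasses import dataclass, fields

SMARTTAG_SERVICE_UUID = 0xFD5A  # 16-bit service UUID the thread refers to

# Values observed in the thread ("5 is connected and 4 is disconnected"); not an official enum.
TAG_STATE_CONNECTED = 5
TAG_STATE_DISCONNECTED = 4


@dataclass(frozen=True)
class SmartTagAdvertisement:
    version: int
    tag_state: int
    advertisement_type: int
    aging_counter: int
    privacy_id: str
    region_id: int
    uwb_flag: int
    encryption_flag: int
    battery_level: int
    motion_detection: int
    reserved: bytes
    activity_tracking_mode: bool
    signature: bytes


def decode_service_data(service_data: bytes) -> SmartTagAdvertisement:
    """Decode the FD5A service data bytes using the field layout from the thread."""
    if len(service_data) < 20:
        raise ValueError(f"expected at least 20 bytes of FD5A service data, got {len(service_data)}")
    b0 = service_data[0]
    tag_state_and_adv_type = b0 & 0x0F
    b12 = service_data[12]
    flags = b12 & 0x0F
    return SmartTagAdvertisement(
        version=(b0 & 0xF0) >> 4,
        tag_state=tag_state_and_adv_type & 0x07,
        advertisement_type=(tag_state_and_adv_type >> 3) & 1,
        # bytes 1..3: 24-bit little-endian counter
        aging_counter=service_data[1] | (service_data[2] << 8) | (service_data[3] << 16),
        privacy_id=service_data[4:12].hex(),
        region_id=(b12 & 0xF0) >> 4,
        uwb_flag=(flags >> 2) & 1,
        encryption_flag=(flags >> 3) & 1,
        battery_level=flags & 0x03,
        motion_detection=(service_data[13] >> 7) & 1,
        reserved=bytes(service_data[14:16]),
        activity_tracking_mode=(service_data[15] & 1) != 0,
        signature=bytes(service_data[16:20]),
    )


def differing_fields(a: SmartTagAdvertisement, b: SmartTagAdvertisement) -> set[str]:
    """Names of the decoded fields whose values differ between two advertisements."""
    return {f.name for f in fields(SmartTagAdvertisement) if getattr(a, f.name) != getattr(b, f.name)}


def is_potentially_lost(adv: SmartTagAdvertisement) -> bool:
    """True when the tag reports the disconnected state seen in the thread."""
    return adv.tag_state == TAG_STATE_DISCONNECTED


# Constructed sample payloads (not captured from a real tag):
# byte 0 = 0x15 -> version 1, tag state 5, advertisement type 0
# bytes 1..3 = 02 01 00 -> aging counter 0x000102
# bytes 4..11 -> privacy ID 1122334455667788
# byte 12 = 0x0A -> region 0, flags: UWB 0, encryption 1, battery level 2
# byte 13 = 0x80 -> motion detected; byte 15 = 0x01 -> activity tracking on
# bytes 16..19 -> signature deadbeef
SAMPLE_CONNECTED = bytes.fromhex("15 02 01 00 11 22 33 44 55 66 77 88 0A 80 00 01 DE AD BE EF")
# Identical except byte 0 = 0x14 -> tag state 4 (disconnected)
SAMPLE_DISCONNECTED = bytes.fromhex("14 02 01 00 11 22 33 44 55 66 77 88 0A 80 00 01 DE AD BE EF")


if __name__ == "__main__":
    connected = decode_service_data(SAMPLE_CONNECTED)
    lost = decode_service_data(SAMPLE_DISCONNECTED)
    print(connected)
    print(lost)
    print("fields that differ:", differing_fields(connected, lost))
    print("potentially lost:", is_potentially_lost(lost))
```

The decoder deliberately rejects payloads shorter than 20 bytes before indexing; a scanner that feeds it truncated or unrelated FD5A data would otherwise raise an IndexError halfway through a record.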
Here's the full list of characteristics for a SmartTag2 from the https://client.smartthings.com/miniature/configure?profileId=*removed* endpoint: characteristics.json

And my own table of them that was built before I found that endpoint, based on what they were used for in the APK:

- eedd5e73-6aa8-4673-8219-398a489da87c (Encryption/Auth Service)
- 0000fd5a-0000-1000-8000-00805f9b34f (Control Service)
- a0e78d39-75b5-4182-8fdc-c4b7365c9062 (?)
|
Hi everyone,
Have you seen this repo?
Samsung SmartTag Hack
Samsung holds a significant market share in the tracker space, and this could be interesting for anyone looking into it.