Keychain with chip ST17H66B (iSearching) #94

Open
pvvx opened this issue Dec 9, 2024 · 43 comments
Labels
documentation Improvements or additions to documentation

Comments

@pvvx
Owner

pvvx commented Dec 9, 2024

Key fob on chip ST17H66B with firmware "KEY2"

image

There are a large number of variations of this device.

Switching to “FindMy” mode

FindMy

image


  • To find a device in the connection list, press or hold the button on the key fob.
    Select "Connect" and press the button on the key fob again.

  • Set the "FindMy" key:
    image

  • Set the “FindMy” mode and the desired beacon transmission interval:
    image

  • Disconnect...
@pvvx pvvx added the documentation Improvements or additions to documentation label Dec 9, 2024
@Hunter32R

I have such key fobs, but they have ST17H66T chip. Is support planned?

@pvvx
Owner Author

pvvx commented Dec 9, 2024

ST17H66T is a chip without the ability to reflash. It uses one-time programmable memory, which is produced at the factory.

@pvvx pvvx changed the title Keychain with chip ST17H66 (iSearching) Keychain with chip ST17H66B (iSearching) Dec 9, 2024
@Hunter32R

Thanks for the information.

@biemster

biemster commented Dec 9, 2024

This looks great, going to try this as soon as I find my Lenze programming jig. Do you mind if I link to this on biemster/FindMy?

@pvvx
Owner Author

pvvx commented Dec 9, 2024

Programming the key fob with ST17H66B

You will need a USB-COM adapter with 3.3 V outputs.

Connection table:

USB-COM    Key fob PCB
GND        GND
+3.3V      +3.3V
TX         P10
RX         P9

Example script launch line:

python rdwr_phy62x2.py -p COM5 -e -r wh BOOT_KEY2_v20.hex

The other options are described in the README.

Programming sequence.

  1. Power on the USB-COM adapter.
  2. Make the connections according to the table.
  3. Start the script and quickly connect the +3.3V power wire from the USB-COM adapter. If flashing does not start, disconnect and reconnect the power wire. Other variants are possible: when the script starts, briefly disconnect the GND wire between the adapter and the key fob.

@pvvx
Owner Author

pvvx commented Dec 10, 2024

Integration into Home Assistant.

After flashing the key fob with the "KEY2" firmware, a new device appears in Home Assistant:

image

Add it and press the button on the key fob; a new event, "Button", appears.

image

The key fob is registered.

Switching to encrypted BTHome BLE v2 advertising (encrypted).

  1. Connect to the key fob in PHY62x2BTHome.html.
  2. In the "Service" menu, assign a BindKey. You can use the random BindKey initially generated by the firmware; in that case use "Read" BindKey. Copy the BindKey to the clipboard.
  3. In the "Config" menu press "Read", tick the "Encrypted advertising" checkbox, then "Write".
  4. Disconnect: the "Disconnect" button.
  5. Press the button on the key fob; Home Assistant will offer to set the BindKey. Paste the BindKey from the clipboard.

image

That is all; the key fob now works with encrypted advertising.

@olivluca

olivluca commented Dec 10, 2024

My advertisement keys are 28 bytes (see here) but when I try your flasher it complains that it must be 22 bytes.

@olivluca

olivluca commented Dec 10, 2024

In fact nrf connect shows 28 bytes, the first six are 38 1f 8d 09 af 89 and the remaining 22 are the ones I put in your flasher (edit: the mac of the device is f8 1f 8d 09 af 89)

@pvvx
Owner Author

pvvx commented Dec 10, 2024

Firmware (v2.0 beta4) and PHY62x2BTHome.html program (v1.8) have been updated.
The key is entered in the "Base64" format. When you enter the key, the MAC will be changed automatically.

FindMy key Base64: EiM0RVZneImaq7zN3u/+7dzLuqmYh3ZlVEMyIQ==
= 12233445566778899aabbccddeeffeeddccbbaa99887766554433221

The FindMy beacon has been supplemented with battery status transmission.

Byte   Value   Description
1      0x19    Length of payload
2              Bits 0..1: Reserved.
               Bit 2: Maintained (set if owner connected within current key rotation period, 15 minutes)
               Bits 3..4: Reserved
               Bit 5: 0b1
               Bits 6..7: Battery state: 0 = Full, 1 = Medium, 2 = Low, 3 = Critically low

So far, no new information about the FindMy beacon format has been found. There are no publications or descriptions from the creators of the "reverse engineering" of FindMy on the Internet.

@olivluca

Really nice, with the latest firmware flashed I actually got a report from Apple 👍 .
How does it compare to @biemster's implementation (regarding battery life and reach of the beacon)?

@pvvx
Owner Author

pvvx commented Dec 11, 2024

Depends heavily on the beacon transmission interval.
With the same interval, there is no difference with the firmware https://github.com/biemster/FindMy/tree/main/Lenze_ST17H66.

image

Average current consumption as a function of beacon period. With a 3.0 V source.
The graph corresponds to measurements when working in the BTHome format. For FindMy it will be slightly less - up to a couple of percent at short intervals.
In FindMy mode, the key fob does not track the connection request, but the length of the transmitted data is greater. This gives a difference of 1..3% only at short intervals.

At longer intervals the chip sleep current (chip leakage) has a greater effect. Average sleep current - 2.8..3.5 uA - depends on the chip quality.

At short intervals there is a large dependence on the set transmitter power in dBm.
The graph is given for a setting of 0 dBm.

@olivluca

Cool, I set a 3s advertising interval but I see @biemster's code uses 5s, I'll change it.
Besides, I see that the device can do double duty (working both as a bthome button in ha and as a findmy tracker). Not that I'm going to use it that way but it's really cool nevertheless.

@biemster

Is there a way to protect OTA access, with a password or something? I would not like if someone else passes by and changes the key..

@pvvx
Owner Author

pvvx commented Dec 12, 2024

If the button is not pressed, it is impossible to connect. The FindMy beacon does not have a connection request reception...

@biemster

If the button is not pressed, it is impossible to connect. The FindMy beacon does not have a connection request reception...

ah sorry, I missed that! I just flashed an E2XT2319, as mentioned in the issue above, which went fine. But it does not have a button :D

@pvvx
Owner Author

pvvx commented Dec 12, 2024

Button processing (FindMy mode):

When the button is pressed, LED turns on, the FindMy beacon switches to transmitting BLE advertising with the AdvEventType = LL_ADV_CONNECTABLE_UNDIRECTED_EVT attributes. A first packet of BLE advertising events is transmitted in the quantity specified in "Number of event transmissions". The period of advertising events is 95 ms. Data in the packet is in BTHome format with "Button" = "1".

If the button is released, the LED goes out.

After the packet has been transmitted N*95ms, the speaker quietly clicks, the LED turns off regardless of the button (saving battery). If the button is still pressed, the first packet is transmitted again. If the button is released, the second packet of BLE "Number of Event Transmissions" announcements is transmitted, but with "Button" = "0".

After the second packet is transmitted, the FindMy beacon with the AdvEventType attribute = LL_ADV_NONCONNECTABLE_UNDIRECTED_EVT begins to be transmitted.

PS: I barely wrote it in English - Google translate is terrible :)

@pvvx
Owner Author

pvvx commented Dec 12, 2024

@biemster - Now, to support "Find My" in Home Assistant, you'll have to fight with the writers of "Bluetooth" integration. But there you'll be sent to "Bluez", and there you'll be sent to the kernel, and there's Linus Torvalds :P

@omarkhali

omarkhali commented Dec 12, 2024

@pvvx @biemster
https://github.com/malmeloo/hass-FindMy

@biemster

@biemster - Now, to support "Find My" in Home Assistant, you'll have to fight with the writers of "Bluetooth" integration. But there you'll be sent to "Bluez", and there you'll be sent to the kernel, and there's Linus Torvalds :P

😭

@omarkhali

@pvvx @biemster https://github.com/malmeloo/hass-FindMy

This integration works beautifully and I use it with hass. Many thanks to @biemster @pvvx @malmeloo On this hard work

@pvvx
Owner Author

pvvx commented Dec 12, 2024

This integration does not receive the Find My beacon.
There is no way to determine that the Find My carrier has appeared at home or in the yard, in a specific room ...
The "bluetooth" integration does not accept beacons without "flags" in the PDU. At the same time, in the standard, unspecified flag keys are accepted as the value 0 by default. But Bluez and kernel (Linus Torvalds) have their own standards.
This also involves "D-Bus"... And it is impossible to move this entire chain. Especially since Linus Torvalds has gone into politics and imposed sanctions on the Russians :)
In Linux, in "Bluez", in "Bleak" Bluetooth version 5.0+ is still not supported since 2016.


For the BTHome mode option, an addition is planned - a key fob search. Upon request, when connected, it will give a sound signal...

@biemster

I forgot how frustrating it is to program these chips, I'm on it for three hours now and managed a grand total of 2!

The third one I flashed only half, @pvvx your OTA bootloader does not replace the entire bootloader right?

@pvvx
Owner Author

pvvx commented Dec 12, 2024

your OTA bootloader does not replace the entire bootloader right?

The question is not clear.

Firmware installation via USB-COM adapter takes several minutes with soldering of wires.

OTA:

17:29:16: Starting programming...
17:30:04: Programming completed in 47.069 seconds
17:30:08: Device disconnected.

@biemster

I'm just installing BOOT_KEY2_v20.hex. Getting the chip to start in firmware upload mode has always been an issue for me, probably due to the hacky setup I'm using. When the flasher gets to cmd>> it actually finishes in seconds, but getting to that is very finicky.

The question was if flashing BOOT_KEY2_v20.hex only partially due to lost connection will brick the chip?

@pvvx
Owner Author

pvvx commented Dec 12, 2024

Flash writing on PHY62x2/ST17H66B chips is always available.
UART Boot is in ROM.

@biemster

Flash writing on PHY62x2/ST17H66B chips is always available. UART Boot is in ROM.

ok great!

@pvvx
Owner Author

pvvx commented Dec 12, 2024

Flash bootloader program via UART located in ROM can be blocked by encryption key in Flash.
Then the response will not be cmd>>:, but fct>>:.
With fct>>: only command to erase entire Flash works. Then will be cmd>>: again.

rdwr_phy62x2.py:
print("Use the 'Erase All Flash' (ea) command to exit FCT mode!")

@biemster

biemster commented Dec 12, 2024

That's interesting, I read the code of your flasher and found a lot more functionality than I extracted from LeKit :)

My issue however is that the flashing procedure overloads my USB uart, which is also powering the chip:

[25046.566999] cp210x ttyUSB0: usb_serial_generic_write_bulk_callback - nonzero urb status: -71

This gets spammed in dmesg k times when I apply the 3v3 of the usb-uart to the chip.

EDIT: I "fixed" my horrible setup by using the 3v3 of an RP2040-zero I just found on my bench, it flashes fine now (I really should invest in a proper power supply)

@olivluca

Firmware installation via USB-COM adapter takes several minutes with soldering of wires.

No need to solder using some pogo pins (I'm using a much more rudimentary version but it works).
@biemster I use the usb to ttl part of an esp32 board (keeping the EN pin connected to GND), apparently its 3.3V regulator is powerful enough to flash the keychain.

@biemster

Just finished flashing three of those:
image
which have an E2XT2319 (?). No need for a button, when you add the battery after flashing you can connect and set the key + interval, then all is set.

This is absolutely brilliant.

@lovelyelfpop

I bought 4 iTags, none of them is ST17H66B, so sad

@pvvx
Owner Author

pvvx commented Dec 13, 2024

I use the usb to ttl part of an esp32 board (keeping the EN pin connected to GND), apparently its 3.3V regulator is powerful enough to flash the keychain.

The reason for the high consumption of "iSearching" during programming is in the electrical circuit. The speaker key (Buzzer) is connected to the P9 pin. During programming, P9 is the input of the "RX" adapter and the speaker is on 90% of the time, which creates a high current consumption. The Buzzer even gets hot :)

To reduce the supply current when running the programming script, it is possible to briefly disconnect the GND wire from the adapter to the key fob, instead of switching +Bat.

@lovelyelfpop

Any way to make the buzzer work? The AirGuard app can find AirTags around and make them play a sound. This fork https://github.com/AeroX2/st17h66_FindMy supports the buzzer, but it's surely not the way AirTags do it.

@lovelyelfpop

And it would be great if this firmware implemented key rotation. I found that if a tag with this firmware and an iPhone meet at the same place every morning, the location of the tag will not be reported by the iPhone, even if the iPhone and the tag have been to other places the day before. I guess this is related to key rotation. The location of my other tags with nRF5x firmware (50 keys) gets updated more frequently.

@pvvx
Owner Author

pvvx commented Dec 13, 2024

There is no description of the key rotation algorithm yet.

@biemster

There is a description in the openhaystack paper, and also FindMy.py is able to deduce the current airtag key from the registered data on macOS, but what @lovelyelfpop probably meant is uploading N keys and just start broadcasting the next after let's say 15 minutes.

Since uploading a bunch of keys might be cumbersome with the web flasher, we could also use one key as base, and after every time interval either add the curve generator to it (basically private key +1), or multiply by 2 (private key *2) with the latter being easier to implement. Although since this will be done very rarely efficiency should not be an issue.

@omarkhali

omarkhali commented Dec 13, 2024

This integration does not receive the Find My beacon.
There is no way to determine that the Find My carrier has appeared at home or in the yard, in a specific room ...
The "bluetooth" integration does not accept beacons without "flags" in the PDU. At the same time, in the standard, unspecified flag keys are accepted as the value 0 by default. But Bluez and kernel (Linus Torvalds) have their own standards.
This also involves "D-Bus"... And it is impossible to move this entire chain. Especially since Linus Torvalds has gone into politics and imposed sanctions on the Russians :)
In Linux, in "Bluez", in "Bleak" Bluetooth version 5.0+ is still not supported since 2016.

Hi @pvvx, is this the one you are looking for?

https://github.com/agittins/bermuda

@pvvx
Owner Author

pvvx commented Dec 13, 2024

Added musical accompaniment :)
image
I'm too lazy to write music - I copied some pieces...

The buzzer is turned off by the button release event.

@pvvx
Owner Author

pvvx commented Dec 13, 2024

Hi @pvvx, is this the one you are looking for?

https://github.com/agittins/bermuda

The link offers an unnecessary device that consumes several watts - using ESPHome bluetooth_proxy devices

Why all this? It's easier for me to patch the Linux kernel and Bluez.

As a last resort, write another version of a BLE repeater in Zigbee.

And there is no Bluetooth "AoA" and "AoD" functionality :(


FindMy Scan works in https://github.com/pvvx/hcitooladv
(In HA, "Bluetooth" and other "FindMy" integrations are not scanned - "Bluez")

root@nanopi-r5s:~/hcitooladv# ./hcitooladv -i hci0 lescan --passive --duplicates --advanced

LE Scan ...
38:1F:8D:94:2E:F9-020106030201a2141601a20154cf0451ebc77129c7b6647dfdaa27c4c1
38:1F:8D:D8:B5:2D-020106030201a2141601a2013291499cc35a871c792b8e1772197a78b0
1C:90:FF:DC:0C:C6-020106030201a2141601a201d3496059d9146eded9e4d956127b7b6faf
F8:1F:8D:7A:4B:08-0201061216d2fc4000c201340cde093a013e47000000ae
38:1F:8D:94:1E:11-020106030201a2141601a2019d2de84dff21d8f26160e052d0d0b672b8
38:1F:8D:D9:3C:B6-020106030201a2141601a2016db2d52cd37c86fa958e84fb795ead4eb2
38:1F:8D:94:2E:F9-020106030201a2141601a20154cf0451ebc77129c7b6647dfdaa27c4ba
1C:90:FF:D8:BA:69-020106030201a2141601a201b6b51d57da6369372027fed8e7910b0cb1
38:1F:8D:D8:B5:2D-020106030201a2141601a2013291499cc35a871c792b8e1772197a78a5

D2:23:34:45:56:67-1eff4c0012190078899aabbccddeeffeeddccbbaa998877665544332210000b6

F8:1F:8D:7A:4B:08-0201061216d2fc4000c201340cde093a013e47000000b0
58:2D:34:60:5F:AA-0201061716cdfd0812aa5f60342d580201480f019f090400000000b8
38:1F:8D:D9:3C:B6-020106030201a2141601a2016db2d52cd37c86fa958e84fb795ead4eb7
A4:C1:38:B3:7A:74-12161a18747ab338c1a483fd8823c10805d705ab
....

D2:23:34:45:56:67-1eff4c0012190078899aabbccddeeffeeddccbbaa998877665544332210000b6

RSSI: 0xb6 = -74

Any BT adapter accepts "FindMy" but does not pass through Bluez to the "bluetooth" integration in HA.
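The key/MAC note and battery table from Dec 10 and the hcitooladv output above describe the same bytes from two sides. As an added example (not code from the pvvx repository or from hcitooladv), the Python below turns the posted demo key into its advertising MAC and AD structure, and parses hcitooladv lines to recover the key, status byte and RSSI; the field layout (status byte, key[6:28], top two key bits, hint) is read off the posted scan line, and the 30-byte length check is my assumption.

```python
import base64

# Constructed sample values copied from this thread: the demo FindMy key pvvx
# posted (Base64) and the hcitooladv line that the same key fob produced.
DEMO_KEY_B64 = "EiM0RVZneImaq7zN3u/+7dzLuqmYh3ZlVEMyIQ=="
DEMO_SCAN_LINE = ("D2:23:34:45:56:67-"
                  "1eff4c0012190078899aabbccddeeffeeddccbbaa998877665544332210000b6")
BATTERY_STATE = {0: "Full", 1: "Medium", 2: "Low", 3: "Critically low"}


def mac_from_key(key: bytes) -> str:
    """28-byte key -> advertising address: first six key bytes, top two bits of
    byte 0 set (BLE random static address); hence 0x12.. shows as D2:.. above."""
    assert len(key) == 28, "FindMy advertisement key must be 28 bytes"
    return ":".join(f"{b:02X}" for b in (key[0] | 0xC0, *key[1:6]))


def build_findmy_adv(key: bytes, status: int = 0, hint: int = 0) -> bytes:
    """AD structure as in the scan: 1E FF 4C00 12 19 status key[6:28] key[0]>>6 hint."""
    payload = bytes([0x12, 0x19, status]) + key[6:28] + bytes([key[0] >> 6, hint])
    ad = bytes([0xFF, 0x4C, 0x00]) + payload
    return bytes([len(ad)]) + ad


def parse_status(status: int) -> dict:
    """Status byte per the table above: bit 2 = maintained, bits 6..7 = battery."""
    return {"maintained": bool(status & 0x04), "battery": BATTERY_STATE[status >> 6]}


def parse_scan_line(line: str) -> "dict | None":
    """Parse one 'MAC-hexdata' hcitooladv line; the trailing byte is the RSSI
    (0xb6 = -74 above). Returns None unless an Apple 0x12 structure of the
    expected 30-byte length is present, so the other beacons are ignored."""
    mac, _, hexdata = line.strip().partition("-")
    raw = bytes.fromhex(hexdata)
    data = raw[:-1]
    rssi = raw[-1] - 256 if raw[-1] > 127 else raw[-1]
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    pos = 0
    while pos < len(data):                      # walk the AD structures
        length = data[pos]
        if length == 0:
            break
        ad = data[pos + 1:pos + 1 + length]
        pos += 1 + length
        if ad[:5] == b"\xff\x4c\x00\x12\x19" and len(ad) == 30:
            # Rebuild the full key: bits 0..5 of byte 0 live in the MAC, bits
            # 6..7 travel in ad[28]; bytes 1..5 are the MAC; 6..27 are ad[6:28].
            first = (mac_bytes[0] & 0x3F) | (ad[28] << 6)
            key = bytes([first]) + mac_bytes[1:6] + ad[6:28]
            return {"mac": mac, "rssi": rssi, "key_hex": key.hex(),
                    "hint": ad[29], **parse_status(ad[5])}
    return None


if __name__ == "__main__":
    key = base64.b64decode(DEMO_KEY_B64)
    print(mac_from_key(key), build_findmy_adv(key).hex())
    print(parse_scan_line(DEMO_SCAN_LINE))
```

Feeding the whole hcitooladv dump through parse_scan_line is a quick way to see which addresses in a scan are FindMy carriers and what battery state they report.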

@omarkhali

Added musical accompaniment :) image I'm too lazy to write music - I copied some pieces...

The buzzer is turned off by the button release event.

Is it possible to add the button buzzer in Home Assistant?

@pvvx
Owner Author

pvvx commented Dec 13, 2024

Is it possible to add the button buzzer in Home Assistant?

To do this, you need to write some kind of integration for "HA". The main problem with integrations for "HA" is that it requires constant support. "HA" is constantly changing and users always have thousands of questions. Support takes a lot of time and not everyone has it.

@pvvx
Owner Author

pvvx commented Dec 14, 2024

I poked around in "Passive BLE Monitor Integration" and:
image
image
:)

"Passive BLE Monitor" works via HCI interface with BT adapter... Doesn't need a BLE stack.
But for trackers, MAC and UUID are exchanged in the code "Passive BLE Monitor". The reason is that the binding is to the key number.
Too lazy to patch everything... Let the author do it right himself...

Also, the display interface in HA is not designed for long FindMy keys.

@biemster

I'm not a HA user, but this might change my mind
