Gardena bluetooth lawn mower

Yeah good thinking, the app does have a pin which you need to provide, either via the app or physically, for it to connect (the first time).

I actually have Bluetooth packets sniffed from my phone that I’ve looked at in Wireshark. It looks like the authentication dialog between my phone and the mower is all there (SMP protocol). I did a factory reset, authenticated with my phone/Gardena app again and then sent a “cut the grass for 30 minutes” command. Then I stopped the sniffing. There also seems to be services and characteristics declared.

image1361×908 336 KB

There’s a lot of information there, I’m just not sure what to do with it This is my first time working with Bluetooth and Wireshark so a lot of new information and concepts to grasp.

Ultimately I would have wanted to just replay the conversation between the phone and the mower but have not found a good tool to help with that yet.

Not sure it’s possible to get. But the trace you showed above showed just requests, ie stuff sent to the device. Not the responses. Could the responses have been filtered away?

Also… Think you can see if you can pair with the device over commandline? Pairing from Ubuntu Core | Ubuntu

The trace had the responses filtered out, I do have those as well (if necessary).

BUT…I managed to connect! I had tried to use bluetoothctl before but did it properly this time and factory reset the mower again and then tried to connect again.

I’ve not tried your gardena_bluetooth script but perhaps it’s not necessary any more?

[CHG] Device 70:B9:50:68:C8:F2 Connected: yes
Connection successful
[NEW] Primary Service (Handle 0xc461)
        /org/bluez/hci0/dev_70_B9_50_68_C8_F2/service0008
        00001801-0000-1000-8000-00805f9b34fb
        Generic Attribute Profile
[NEW] Primary Service (Handle 0xc461)
        /org/bluez/hci0/dev_70_B9_50_68_C8_F2/service0009
        98bd0001-0b0e-421a-84e5-ddbf75dc6de4
        Vendor specific
[NEW] Characteristic (Handle 0xc461)
        /org/bluez/hci0/dev_70_B9_50_68_C8_F2/service0009/char000a
        98bd0002-0b0e-421a-84e5-ddbf75dc6de4
        Vendor specific
[NEW] Descriptor (Handle 0x1e74)
        /org/bluez/hci0/dev_70_B9_50_68_C8_F2/service0009/char000a/desc000c
        00002901-0000-1000-8000-00805f9b34fb
        Characteristic User Description
[NEW] Characteristic (Handle 0xc461)
        /org/bluez/hci0/dev_70_B9_50_68_C8_F2/service0009/char000d
        98bd0003-0b0e-421a-84e5-ddbf75dc6de4
        Vendor specific
[NEW] Descriptor (Handle 0x2d04)
        /org/bluez/hci0/dev_70_B9_50_68_C8_F2/service0009/char000d/desc000f
        00002902-0000-1000-8000-00805f9b34fb
        Client Characteristic Configuration
[NEW] Descriptor (Handle 0x2ff4)
        /org/bluez/hci0/dev_70_B9_50_68_C8_F2/service0009/char000d/desc0010
        00002901-0000-1000-8000-00805f9b34fb
        Characteristic User Description
[NEW] Characteristic (Handle 0xc461)
        /org/bluez/hci0/dev_70_B9_50_68_C8_F2/service0009/char0011
        98bd0004-0b0e-421a-84e5-ddbf75dc6de4
        Vendor specific
[NEW] Descriptor (Handle 0x35d4)
        /org/bluez/hci0/dev_70_B9_50_68_C8_F2/service0009/char0011/desc0013
        00002901-0000-1000-8000-00805f9b34fb
        Characteristic User Description
[CHG] Device 70:B9:50:68:C8:F2 UUIDs: 00001800-0000-1000-8000-00805f9b34fb
[CHG] Device 70:B9:50:68:C8:F2 UUIDs: 00001801-0000-1000-8000-00805f9b34fb
[CHG] Device 70:B9:50:68:C8:F2 UUIDs: 98bd0001-0b0e-421a-84e5-ddbf75dc6de4
[CHG] Device 70:B9:50:68:C8:F2 ServicesResolved: yes
[CHG] Device 70:B9:50:68:C8:F2 ServicesResolved: no
[CHG] Device 70:B9:50:68:C8:F2 Connected: no

Now that I’m connected through the computer, should I try to write values back to the mower, e.g. through bluetoothctl and the gatt menu (write)? Perhaps using a write command from the sniffed packets?

You could, but i still would be interested in the output from my script, to see if it understand any of the characteristics after being paired.

Tried it a few times (restart mower, run script), finally got this. Ran it three times.

image1866×856 237 KB

p.s. the **TEST** comes from me modifying your script and increasing the timeout in the connect method.

I accidentally had bluetoothctl running in another terminal and got the question to Accept pairing (yes/no). Don’t think I would have gotten the output if I hadn’t been running this. It looks identical to the output received earlier.

Using bluetoothctl I did manage to stay connected to the mower (had to be right next to it physically, otherwise I would get disconnected).

And I tried to read a few values from attributes but I’m in deep waters right now

image945×514 80.7 KB

Soo… the mowers seem to work on a very different protocol than the watering units. You can find the protocol at this location in tha apk: sources/com/husqvarnagroup/dss/amc/blelib in the app.

In essence, they just use BLE services to transport raw packet data for their proprietary protocol which seemingly support events and other commands.

I will not have time to re-implement that in python. If anybody get’s to doing it i’ll review and accept pull requests for it on the library.

Following this topic as I’d love to see this working. All I would like is start, stop, and return to base control, recognising that the Bluetooth range isn’t very good so it would probably need some kind of outside aerial.

Any progress in this? i am also very interested in this. I have two mowers. One sileno city and one sileno minimo i would like to try this on​:slightly_smiling_face:. Very god work btw

Good job!
What is this: Sileno City 250 goes "smart" - App-Steuerung via Bluetooth | Roboter-Forum.com

I decompiled the Android app. But my rudimentary Java knowledge is not enough to understand it or to find the right code passages.

Is there anyone here who can explain how the protocol works?

Perhaps others can then do the implementation in Python!

I think there has been some progress here. Gardena/Macculloc mowers probably use the same protocol.