Help with Momcozy BLE Wearable Digital Thermometer

Configuration
1

Device: Generic T31 BLE Thermometer (sold under Momcozy and other brands as Momcozy Wearable Digital Thermometer for Baby). Low profile and cheap, like $50!

Goal: Create Home Assistant integration to read temperature and battery data. This device would be incredibly helpful for it’s intended retail purpose, but my goal is to help women who suffer from menopause by predicting hot flashes coming on and engaging things like smart fans automatically to hopefully reduce sleep disturbances.

What I’ve Figured Out:

:white_check_mark: Working:

  • BLE connection and protocol framing (SOP=0xA6, EOP=0x6A)
  • Battery reading (cmd=0xB1): body[1]=%, body[2]+[3]=voltage
  • Device stays connected and sends temperature data, very fast polling rates
  • Protocol structure is mostly understood

:x: Problem:
Cannot determine correct temperature parsing from cmd=0x01 response

The Issue:

When my script reads the device, it shows 95°F (35°C) using byte[3].
When Momcozy official app reads the same device (seconds later), it shows 98.13°F.

The body temperature data is in the 8-byte payload, but I cannot find which bytes correctly represent body temperature.

What I’ve Tried:

  1. Bluetooth sniffing - Captured official app traffic, but data format differs
  2. Tested all byte combinations:
    • bytes[0]+[1], bytes[1]+[2], bytes[2]+[3], etc. (little/big endian)
    • bytes[3] as single Celsius value → gives 95°F (wrong!)
    • bytes[5]+[6] seems most stable but shows ~101°F
    • bytes[6]+[7] fluctuates wildly (91-120°F range)
  3. Formula testing - With AI, I’ve tried division by 1000, 100, 256, offsets, etc.

Sample Data:

When probe reads body temperature:

cmd=0x01 body: 39 0a 79 23 d4 ef 9f a8
  • My script extracts: byte[3]=35 → 35°C = 95°F
  • Momcozy app shows: 98.13°F

Working Python Script for BLE connection with MQTT support:

I have a working connection script using bleak that successfully:

  • Discovers device by name
  • Connects and maintains connection with auto-reconnect
  • Reads battery data correctly
  • Receives temperature notifications

Dependencies: pip install bleak paho-mqtt

Request for Help:

Has anyone successfully reverse-engineered this device protocol? Or have tools/methods to determine the correct temperature byte extraction?

UUIDs: FFF1 (notify), FFF2 (write), FFFF (key in advertisement)

Any insights appreciated!

2

Welcome to the world of reverse engineering!
Have a look at OpenScale project (BLE scales) to get ideas of what is involved. Not every vendor uses the same approach.
BLE one way, two way? Advertising packet payloads. How often is data sent? Battery life. CRC checksums to validate data. Time stamps. Added data fields. Your goal is easier as you only have two measurements to track - temperature and battery level. All in a day’s work!

Look at the bundled app. Can you decompile it for clues? Packet sniff? Log data and actual readings to watch for patterns. Are they encrypted, or just bit packed? Offset from a known value? Celcius to Fahrenheit or Kelvin conversion?

Nordic, a vendor closely involved in the BlueTooth standards, has many tools that may assist.