Goal: Create Home Assistant integration to read temperature and battery data. This device would be incredibly helpful for it’s intended retail purpose, but my goal is to help women who suffer from menopause by predicting hot flashes coming on and engaging things like smart fans automatically to hopefully reduce sleep disturbances.
What I’ve Figured Out:
Working:
BLE connection and protocol framing (SOP=0xA6, EOP=0x6A)
Device stays connected and sends temperature data, very fast polling rates
Protocol structure is mostly understood
Problem:
Cannot determine correct temperature parsing from cmd=0x01 response
The Issue:
When my script reads the device, it shows 95°F (35°C) using byte[3].
When Momcozy official app reads the same device (seconds later), it shows 98.13°F.
The body temperature data is in the 8-byte payload, but I cannot find which bytes correctly represent body temperature.
What I’ve Tried:
Bluetooth sniffing - Captured official app traffic, but data format differs
Tested all byte combinations:
bytes[0]+[1], bytes[1]+[2], bytes[2]+[3], etc. (little/big endian)
bytes[3] as single Celsius value → gives 95°F (wrong!)
bytes[5]+[6] seems most stable but shows ~101°F
bytes[6]+[7] fluctuates wildly (91-120°F range)
Formula testing - With AI, I’ve tried division by 1000, 100, 256, offsets, etc.
Sample Data:
When probe reads body temperature:
cmd=0x01 body: 39 0a 79 23 d4 ef 9f a8
My script extracts: byte[3]=35 → 35°C = 95°F
Momcozy app shows: 98.13°F
Working Python Script for BLE connection with MQTT support:
I have a working connection script using bleak that successfully:
Discovers device by name
Connects and maintains connection with auto-reconnect
Reads battery data correctly
Receives temperature notifications
Dependencies:pip install bleak paho-mqtt
Request for Help:
Has anyone successfully reverse-engineered this device protocol? Or have tools/methods to determine the correct temperature byte extraction?
UUIDs: FFF1 (notify), FFF2 (write), FFFF (key in advertisement)
Welcome to the world of reverse engineering!
Have a look at OpenScale project (BLE scales) to get ideas of what is involved. Not every vendor uses the same approach.
BLE one way, two way? Advertising packet payloads. How often is data sent? Battery life. CRC checksums to validate data. Time stamps. Added data fields. Your goal is easier as you only have two measurements to track - temperature and battery level. All in a day’s work!
Look at the bundled app. Can you decompile it for clues? Packet sniff? Log data and actual readings to watch for patterns. Are they encrypted, or just bit packed? Offset from a known value? Celcius to Fahrenheit or Kelvin conversion?
Nordic, a vendor closely involved in the BlueTooth standards, has many tools that may assist.
Hi there,
Any luck with your project?
I also bought Momcozy T31 thermometer but have a problem with BT range. It is almost imposible to monitor someone if you aren’t in the same room using their buggy app.
Right now I am looking for other solutions than the momcozy app.
This may be a common limitation of BLE (Bluetooth Low Energy) technology being used for this device (and most others in this field), the underlying networking interface, specifically designed for extremely low power, and extremely low distance, rather than anything to do with the software. Another frustrating limitation often encountered is the limit of only one session, so you cannot monitor this with the original software and HomeAssistant at the same time.
The BLE tools from Nordic will prove eye opening. The vendor, seeking huge increase in sales, may divulge the API or source code if you ask nicely, to enable it to be incorporated into other monitoring software and automation products such as HomeAssistant.
Strong warning: Please do not rely on hobby grade HomeAssistant to provide medical life and health monitoring functionality for a sick child. If your child is sick or has temperature, take them to hospital or have a human closely monitor them.
Hi. Thanks for checking in. I bought a fancy BLE dongle from Nordic, but ended up giving up after flashing it incorrectly and getting frustrated.
You would have to use a bluetooth proxy over ethernet in the same room as the occupant, I use this one - GL-S10 - GL.iNet , but I wouldn’t recommend getting it for this purpose because I haven’t been able to get much further. I get some readings that might be accurate, but it takes a few minutes to get it to show up correctly (I think it is applying some smoothing over time or something like that, but can’t prove it).
Funny enough, I also found the same exact device under a different brand (Genial) for less than half the price on aliexpress by searching “bluetooth thermometer wearable”…like $20, free shipping. https://www.aliexpress.us/item/3256807772166227.html
It seems like the momcozy version is just a rebadged version with a slightly different top cover. I wondered if the firmware might be more easily read on this version, but can’t afford splurging on something right now that might just end up in the tech junk drawer.
In a Chinese world full of clones, you might expect more than one brand to copy each other to save on any software development costs, or just use the example from the vendor SDK application notes. After all, you made your purchase decision based on price, didn’t you?
Working:
Problem: