Local Bluetooth presence/device tracking for Apple Watch, iPhone and iPad with security relevant unlocked property

Hi all,

I wanted to inform you about our newly implemented feature with the recent release of Theengs Gateway to allow for fast local Bluetooth presence/device tracking for Apple Watch, iPhone and iPad, with additional unlocked property, to allow for security relevant automations, like opening gates, garage doors or even unlocking door locks etc., to only run if an authorised user is arriving back home, without the fear that these automations would also run in case the devices got lost or stolen.

The easiest and quickest installation for Home Assistant users is the Theengs Gateway Add-On

This also requires the MQTT Integration to be installed.

Once installed, follow the instructions on how to retrieve the Identity Bluetooth MAC Address and Identity Resolving Key for your Apple devices, and enter them into the Theengs Gateway Add-On Configuration, as described in its Documentation, e. g.

{"00:11:22:33:44:55:66":"0dc540f3025b474b9ef1085e051b1add","AA:BB:CC:DD:EE:FF":"6385424e1b0341109942ad2a6bb42e58"}

With DISCOVERY turned on in the Add-On Configuration and having entered the above details, your discovered devices then show up in the MQTT Integration, from which they can be added to your dashboards, looking like

with any of the device trackers also available to be assigned to individuals.

While the Apple Watch continuously sends the unlocked state as long as it's worn on the wrist of its owner and being unlocked with its Passcode, there are known restrictions for the unlocked state on iPhone and iPad:

• An unlocked lock screen does not register as unlocked - iPhone users will know what this somehow contradictory unlocked lock screen is :wink:
• Unlocked for the iPhone and iPad really signifies fully unlocked device with recent user interaction, so after a certain time, also depending on the device’s auto-lock setting, even before a fully locked device the state will already switch back to locked.
• During a phone or Facetime call the state will be reported as locked. We are already looking into implementing phone/Facetime call detection for allowing incoming call alerts in a future update.

We hope this might be interesting to some of you. Any feedback is appreciated.


I must be missing something. I followed the instructions using my MQTT host, username, password, and port. The addon successfully started. So, then I added 2 of our iOS devices (my phone and watch) to the IDENTITIES.

At first I used the instructions from the post above (substituted my known MAC address and the Name from MacOS Keychain, without the dashes): {"00:11:22:33:44:55:66":"0dc540f3025b474b9ef1085e051b1add","AA:BB:CC:DD:EE:FF":"6385424e1b0341109942ad2a6bb42e58"}

That did not work, so I tried the configuration from here:
https://gateway.theengs.io/use/use.html#getting-identity-resolving-key-irk-for-apple-watch-iphone-and-ipad
using {"11:22:33:44:55:66": "WERknmckjn51464saa=="} and substituting my MAC address (same as above), but the Remote IRK key from the data section that resembles the “WER…”.

TheengsGateway saved this data, but the devices never appeared. So I tried to toggle GENERAL_PRESENCE and PRESENCE. The phone and watch still do not show up, either in MQTT devices or in MQTT Explorer.

In MQTT Explorer, I can see the topic home/TheengsGateway/BTtoMQTT/ and other BLE devices (some Govee lights), but NOT my phone or watch.

What am I doing wrong?

Also, will I be able to track battery levels/charging, longitude/latitude for the IOS devices? I DO like that I could change the scan interval, but would like to do that more often for some devices and not others (like my husband’s).

Hi @mandolin

This looks like some wrong entries in the IDENTITIES section of your devices.

Did you make sure you got the Identity Bluetooth MAC addresses directly from Settings > General > About > Bluetooth on the actual device / in the Watch app?

And the IRK from the Keychain entry’s long text field section at the very end, with the entry like

    …
        </dict>
        <key>Remote IRK</key>
        <data>
        XXXXXXXXXXXXXXXXXXXXXX==
        </data>
    </dict>
    </plist>

XXXXXXXXXXXXXXXXXXXXXX== being the required IRK?

And do you have the latest Theengs Gateway Add-on installed with version 1.11.0?

> TheengsGateway saved this data, but the devices never appeared. So I tried to toggle GENERAL_PRESENCE and PRESENCE

The only important setting for this really is DISCOVERY, which should be ON.

This is not possible with this implementation, which relies on local Bluetooth advertising broadcasts only. Because of that it is very fast and reliable, but not able to receive or decode any battery level or GPS location.

It was the wrong MAC address, which I used from MacOS keychain with the IRK. I can see it in MQTT Explorer now. Unfortunately, I really wanted to track my Apple watch, so this is not the right HA component for me.

Thank you

Hi @mandolin

All you need is to enter the same Identity Bluetooth MAC and IRK for your Apple Watch.
Unless you want GPS tracking, for which you alternatively or additionally need some other implementation.

I got an error trying to start the add-on.

ERROR:BLEGateway:[org.freedesktop.DBus.Error.AccessDenied] An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="AddMatch" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)

any idea how to fix that?

Hi @flave

Did you have a look at your AppArmor policies, as this seems to be preventing the Theengs Gateway Add-on from running properly?

Also, have you tried completely uninstalling the Theengs Gateway Add-on and then installing it afresh?

@DigiH
Finally, it’s just what I was looking for, and it finally makes me stop fighting with the native Bluetooth device tracker.

I want your advice on making it as fast and reliable as possible regarding Home/Away detection.

Again, thank you so much. It seems to work very, very well.


Hi @emanuele.bordon

You can set the responsiveness in the Add-on Configuration with the time between scans (TIME_BETWEEN) and the scan duration (SCAN_DUR) for recognising HOME, and then TRACKER_TIMEOUT in seconds after which time a tracker should be recognised as AWAY (defaults to 120 seconds.)

The default is 5 seconds for both TIME_BETWEEN and SCAN_DUR.

Personally I have TIME_BETWEEN 12 and SCAN_DUR 3 which will issue a 3 seconds scan every 12 seconds, making sure I have an updated status every 15 seconds for HOME and 180 for AWAY after 3 minutes.

You’re welcome, glad to hear you are enjoying this implementation :slight_smile:

  1. I don't have a Mac. How to get the key?
  2. Is this feature limited to TheengsGateway or can we also use this with OMGs? (as I have several of them around placed in strategic suitable locations, while the TheengsGateway on the HA server (addon) won't help me much for detecting my iDevices)

While I do not have any personal experience with these alternative options, there is a whole guide thread here on the forum

Depending on how you get your IRK it might be in HEX format, you will have to convert it into base64 for usage with Theengs Gateway.

Currently this is limited to Theengs Gateway, but might also be added to OpenMQTTGateway in the future.

I think I might have mentioned this to you before with your BM2, you can either install the esp32dev-ble-mqtt-undecoded binary on all your ESP32s so that they all function as remote Bluetooth reception antennas only, forwarding the undecoded messages to a central Theengs Gateway which does all the decoding, including this Apple devices implementation, or you can just convert your existing OMGs by publishing
{"extDecoderEnable":true,"save":true}
to the
home/OpenMQTTGateway/commands/MQTTtoBT/config
topic.

By using one or more undecoded OpenMQTTGateway gateways like that you can make sure to have a reliable coverage over a wide area.
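
As an added example (not part of the thread and not Theengs Gateway's own code), this Python helper does the HEX-to-base64 IRK conversion mentioned above and checks an IDENTITIES entry before it is pasted into the Add-On Configuration, since a wrong MAC or a malformed IRK makes the device silently never appear. The function names are hypothetical, the sample values are placeholders, and the IRK byte order is assumed to be correct as exported.

```python
import base64
import binascii
import json
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
HEX_IRK_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def normalise_mac(mac: str) -> str:
    """Accept only a 6-octet, colon-separated Identity Bluetooth MAC."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"{mac!r} is not a 6-octet MAC address")
    return mac.upper()


def normalise_irk(irk: str) -> str:
    """Return a 16-byte IRK as base64, accepting hex or base64 input."""
    text = irk.strip()
    compact = re.sub(r"[\s:\-]", "", text)  # tolerate 0d:c5:... style hex
    if HEX_IRK_RE.match(compact):
        raw = bytes.fromhex(compact)
    else:
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("IRK is neither 32 hex digits nor base64") from exc
    if len(raw) != 16:
        raise ValueError(f"IRK must be 16 bytes, got {len(raw)}")
    return base64.b64encode(raw).decode("ascii")


def build_identities(entries: dict) -> str:
    """Validate every entry and return the JSON for the IDENTITIES field."""
    cleaned = {normalise_mac(m): normalise_irk(k) for m, k in entries.items()}
    return json.dumps(cleaned)


if __name__ == "__main__":
    # Constructed placeholder values, not real device identities.
    sample = {"aa:bb:cc:dd:ee:ff": "0dc540f3025b474b9ef1085e051b1add"}
    print(build_identities(sample))
```

The IRK is a long-term secret that lets anyone holding it recognise the device's otherwise randomised Bluetooth address, so keep the resulting JSON out of shared logs and public posts.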