Xiaomi MIjia YEELOCK integration

Hello.

Does anybody know how to integrate this lock?

https://www.aliexpress.com/item/Xiaomi-MIjia-YEELOCK-Smart-Drawer-Cabinet-Lock-Bluetooth-APP-Unlock-Anti-Theft-Child-Safety-File-Security/32958301873.html

I’m also interested in doing this, any updates?

1 Like

I haven’t seen anything but I am also interested in this and have it flagged.

Craig

I just tried decompiling the Android app; as far as I can see, the app is only a stub (it downloads the full app on launch). I don’t have an Android phone, however, which means I can’t get hold of the actual code.

Another idea I had would be to capture the actual Bluetooth packages, but I don’t have the equipment for this either.

If someone has access to both an Android phone and a lock, you could try this: http://nilhcem.com/iot/reverse-engineering-simple-bluetooth-devices to get a log of the Bluetooth packages.

I got one of the locks, and it doesn’t seem to integrate with anything at all. I have an iPhone, and it works fine with the iOS app, but I don’t really want to use that. Can we sniff the traffic with a Raspberry?

I’m interested in this too, maybe it’s possible to sniff/capture the packets with btlejack:

I think I will give that a try, but I will have to get the hardware (Bluetooth sniffer), so this will take some time. Any other suggestions?

I captured 4 unlocks. Also, I’m gathering all the info I have here: https://github.com/cnrd/yeelock

It looks like the value is changing every time you unlock, but I’m unsure what this value is.

Also, I tried unlocking while in airplane mode; you cannot use the app in airplane mode, so I’m afraid that they are actually generating an “unlock code” on their servers.

This does not mean that it is impossible to reverse.

Unfortunately, I can confirm this; it seems like it needs internet access to unlock it. I have sniffed the network traffic at my access point. The app is connecting to api.yeeloc.com; unfortunately, the traffic is encrypted. :confused:

Here is a full unlock dump: https://pastebin.com/raw/LbZA2q4B

@tom-x1 you may be able to intercept the traffic with something like: https://mitmproxy.org

Thanks for the tip… I’ve set up mitmproxy; it’s been running for a few minutes now, and I don’t really have time now to analyze everything. But this response from the server looks promising :slight_smile:

[
    {
        "add_time": "2019-03-09 03:37:08",
        "ble_sign_key": "6A66714348537769",
        "last_unlock_datetime": "2019-03-11 00:58:11",
        "lock_id": 114413,
        "lock_name": "Drawer lock",
        "lock_sn": "B0E8rC98",
        "lock_type": "CTS",
        "type": "user",
        "unlock_times": 17
    }
]

As soon as I have the hardware to sniff the Bluetooth traffic, I may be able to find some relations. I have also downloaded and decompiled the APK; I will have a close look at it in the next few days.

2 Likes

@tom-x1 from what I could gather, the APK is just a stub (downloading on launch). I did get it from a third-party site, so that may also be why.

Are you on Android? If yes, have you tried enabling Bluetooth HCI Snooping in the developer menu? If you look at my GitHub link, there is a full log of 4 different unlocks.

Combining the logs may be a great step forward in understanding the value sent, as it is currently pretty magical.

Hopefully we will be able to reverse whatever algorithm they are using.

Unfortunately, I don’t have an Android device. I’ve ordered an Adafruit BT Sniffer https://www.adafruit.com/product/2269 but it will take about 2 weeks until delivery.

Also interested…

Any updates on this?

I’ve tried to sniff the BT traffic with the Adafruit dongle and a microbit. Unfortunately, I have not found any useful information inside the sniffed traffic. But I’m also not really familiar with Bluetooth… so if anyone here has a deeper knowledge of BTLE, I could provide a pcap file…

I would love to use it in HA… :frowning: Theoretically, do you think it’s possible to add it?
And why have they not included it in the Xiaomi Home app… at least we could do some automations… damn…

As I want to move this forward, I wrote them feedback in the Android app, and I will also contact them through their website… maybe you could also do it? They are at www.yeeloc.com

I would love to see the pcap.

Indeed, it is not working in airplane mode, but without internet (Wi-Fi and data off) I am able to unlock!
So I don’t think it needs to be connected to the internet for unlock operations.

What platform are you on? On iOS, it will log me out of the app if I try to open it with no network connection.

I’m using Android.