Skip to content

mspider65/Xiaomi-Mijia-Bluetooth-Temperature-and-Humidity-Sensor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
Makefile
Makefile
 
 
README.md
README.md
 
 
SensorProtocol.html
SensorProtocol.html
 
 
bluetooth.c
bluetooth.c
 
 
bluetooth.h
bluetooth.h
 
 
hci.c
hci.c
 
 
hci.h
hci.h
 
 
hci_lib.h
hci_lib.h
 
 
oui.c
oui.c
 
 
oui.h
oui.h
 
 
scanMijia.c
scanMijia.c
 
 

Repository files navigation

Xiaomi-Mijia-Bluetooth-Temperature-and-Humidity-Sensor

Developed starting from Bluez hcitool, this tool is able to read the data sent as BLE advertisements by the Xiaomi Mijia Bluetooth temperature and humidity sensor.

You should have already installed the Bluetooh Bluez stack.

Issue 'make' to build the tool. Then issue scanMijia -h to show detailed help.

Like the original hcitool command, also this tool should be run from root.

Below is a brief description of the sensor protocol.

<style> </style>

Sensor protocol specification:

 

As soon as the battery is inserted, the sensor starts sending adverisement data every two seconds and the advertisement data contiains all the useful information (Temperature, Humidity and Battery Level).
You can test it with the two Bluez commands hcitool and hcidump (or any other tool able to read advertisemnt data sent by BLE devices).
In order to show the raw data sent by the sensor, you should first start in background a BT le scan in 'passive mode' and then print the raw data.
'Passive mode' means that you are not sending any request to the sensor but you are just reciving the advertisements sent by the BLE devices.
If you scan in normal mode (without --passive option), you will send a scan request and the the device will send some other additional data (Sensor Name, available UUIDs) but it is not necessary and you will only waste the sensor battery.

sudo hcitool lescan --passive &

hcidump --raw

Looking at the hcidump output you can identify four type of messages.

Messages examples:

Temperature & Humidity:

Header

04 3E 25 02 01 00 00 XX XX XX XX XX XX 19

Flags AD

02 01 06

Service Data AD

15 16 95 FE 50 20 AA 01 17 XX XX XX XX XX XX 0D 10 04 B9 00 5C 02

RSSI

A4

 

Battery Level:

Header

04 3E 22 02 01 00 00 XX XX XX XX XX XX 16

Flags AD

02 01 06

Service Data AD

12 16 95 FE 50 20 AA 01 12 XX XX XX XX XX XX 0A 10 01 64

RSSI

A6

 

Humidity:

Header

04 3E 23 02 01 00 00 XX XX XX XX XX XX 17

Flags AD

02 01 06

Service Data AD

13 16 95 FE 50 20 AA 01 14 XX XX XX XX XX XX 06 10 02 5C 02

RSSI

A6

 

Temperature:

Header

04 3E 23 02 01 00 00 XX XX XX XX XX XX 17

Flags AD

02 01 06

Service Data AD

13 16 95 FE 50 20 AA 01 19 XX XX XX XX XX XX 04 10 02 B9 00

RSSI

A7

 

The "Service Data AD" is the part of the message that carries the useful information.

XX .. XX are the BT addres of the device, red values is the data type and green values are the data values.

But first we will give a look to the whole message.

Message Description

As example we will use the Temperature & Humidity message.

 

04 3E 25 02 01 00 00 XX XX XX XX XX XX 19 02 01 06 15 16 95 FE 50 20 AA 01 17 XX XX XX XX XX XX 0D 10 04 B9 00 5C 02 A6

 

 

Pos.

Value (hex)

Description

 

Header

0

04

HCI Packet Type HCI Event

1

3E

LE Meta event

2

25

Nr of following bytes (37 bytes)

3

02

LE Advertising report sub-event

4

01

Number of reports

5

00

Event type (connectable and scannable undirected advertising)

6

00

Public address type

7..12

XX..XX

BT Address (6 bytes)

13

19

length of data field (25 bytes)

 

Data

14

02

length of first advertising data (AD)structure

15

01

 
type of first AD structure (0x01 = Flags)

16

06

first AD data (0x06=LE General Discoverable Mode && BR/EDR Not Supported)

17

15

length of second advertising data (AD) structure

18

16

type of second AD structure (0x16=Service Data)

19..38

95..02

Second AD data (see next table for details)

RSSI

39

A6

RSSI value (signed byte, 0xA6=-90)

 

Service Data AD

The most important information is contained into the second AD structure (type 0x16).

The Bluetooth specification defines the AD Type 0x16 as �Service Data�. This AD �must contain at least two bytes representing the 16 bit UUID of this Service Data. The data following the UUID� is custom data and the meaning is not defined in the Bluetooth specification.

The table below shows the meaning of ��Service Data� AD for our sensor. As example we will use the Service Data AD of the same Temperature & Humidity message as above.

95 FE 50 20 AA 01 17 XX XX XX XX XX XX 0D 10 04 B9 00 5C 02

 

 

Pos.

Value (Hex)

Description

16 bit UUID

0..1

95 FE

UUID 16 bit (0xFE95)

 

Custom Data

2..5

50 20 AA 01

TBD (always 50 20 AA 01)

6

17

Message counter (increments by 1 every message and then restart from 0 when reaches FF)

7..12

XX XX XX XX XX XX

Device BT address (6 bytes)

13

0D

Data type:
0D -> Temperature & Humidity (4 bytes TL,TH,HL,HH)
0A -> battery % (1 byte)
06 -> only Humidity (2 bytes HL,HH)
04 -> only Temperature (2 bytes TL, TH)

14

10

TBD (always 0x10)

15

04

Nr of following bytes (depends on Data Type)

16..N

B9 00 5C 02

Data values:
0x00B9 = 185 -> 18.5 C
0x025C = 604 -> 60.4 %

 

About

Xiaomi-Mijia-Bluetooth-Temperature-and-Humidity-Sensor

Resources

Readme
Activity

Stars

50 stars

Watchers

8 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages