Keychain with chip ST17H66B (iSearching) #94

Open
pvvx opened this issue Dec 9, 2024 · 62 comments
Labels
documentation Improvements or additions to documentation

Comments

@pvvx
Owner

pvvx commented Dec 9, 2024

Key fob on chip ST17H66B with firmware "KEY2"

image

iSearching - BLE, Flash

iSearching2 - BLE, Flash

iSearching3 - BLE, OTP (!)

There are a large number of variations of this device.

Switching to “FindMy” mode

FindMy

image


  • To find a device in the connection list, press or hold the button on the key fob.
    Select "Connect" and press the button on the key fob again.

  • Set the "FindMy" key:
    image

  • Set the “FindMy” mode and the desired beacon transmission interval:
    image

  • Disconnect...
@pvvx pvvx added the documentation Improvements or additions to documentation label Dec 9, 2024
@Hunter32R

I have such key fobs, but they have ST17H66T chip. Is support planned?

@pvvx
Owner Author

pvvx commented Dec 9, 2024

ST17H66T is a chip without the ability to reflash. It uses one-time programmable memory, which is produced at the factory.

@pvvx pvvx changed the title Keychain with chip ST17H66 (iSearching) Keychain with chip ST17H66B (iSearching) Dec 9, 2024
@Hunter32R

Thanks for the information.

@biemster

biemster commented Dec 9, 2024

This looks great, going to try this as soon as I find my Lenze programming jig. Do you mind if I link to this on biemster/FindMy?

@pvvx
Owner Author

pvvx commented Dec 9, 2024

Programming the key fob with ST17H66B

A USB-COM adapter with 3.3 V outputs is required.

Connection table:

USB-COM   Key fob PCB
GND       GND
+3.3V     +3.3V
TX        P10
RX        P9

Example script launch line:

python rdwr_phy62x2.py -p COM5 -e -r wh BOOT_KEY2_v20.hex

The other options are described in the README.

Programming sequence:

  1. Power on the USB-COM adapter.
  2. Make the connections according to the table.
  3. Start the script and quickly connect the +3.3 V power wire from the USB-COM adapter. If flashing does not start, disconnect and reconnect the power wire. Other variants are also possible: when the script starts, briefly disconnect the GND wire between the adapter and the key fob.

@pvvx
Owner Author

pvvx commented Dec 10, 2024

Home Assistant integration.

After flashing the key fob with the "KEY2" firmware, a new device appears in Home Assistant:

image

Add it and press the button on the key fob: a new event, "Button", appears.

image

The key fob is registered.

Switching to encrypted BTHome BLE v2 advertising (encrypted).

  1. Connect to the key fob in PHY62x2BTHome.html.
  2. In the "Service" menu, assign a BindKey. You can use the random BindKey initially generated by the firmware; in that case use "Read" BindKey. Copy the BindKey to the clipboard.
  3. In the "Config" menu, click Read, enable the "Encrypted advertising" checkbox, then Write.
  4. Disconnect: the Disconnect button.
  5. Press the button on the key fob: Home Assistant will offer to set the BindKey. Insert the BindKey from the clipboard.

image

That's all: the key fob now works with encrypted advertising.

@olivluca

olivluca commented Dec 10, 2024

My advertisement keys are 28 bytes (see here) but when I try your flasher it complains that it must be 22 bytes.

@olivluca

olivluca commented Dec 10, 2024

In fact nRF Connect shows 28 bytes, the first six are 38 1f 8d 09 af 89 and the remaining 22 are the ones I put in your flasher (edit: the MAC of the device is f8 1f 8d 09 af 89)

@pvvx
Owner Author

pvvx commented Dec 10, 2024

Firmware (v2.0 beta4) and PHY62x2BTHome.html program (v1.8) have been updated.
The key is entered in the "Base64" format. When you enter the key, the MAC will be changed automatically.

FindMy key Base64: EiM0RVZneImaq7zN3u/+7dzLuqmYh3ZlVEMyIQ==
= 12233445566778899aabbccddeeffeeddccbbaa99887766554433221

The FindMy beacon has been supplemented with battery status transmission.

Byte  Value                     Description
1     0x19                      Length of payload
2     Bits 0..1: Reserved
      Bit 2: Maintained         Set if owner connected within current key rotation period (15 minutes)
      Bits 3..4: Reserved
      Bit 5: 0b1
      Bits 6..7: Battery state  0 = Full, 1 = Medium, 2 = Low, 3 = Critically low

So far, no new information about the FindMy beacon format has been found. There are no publications or descriptions from the creators of the “reverse engineering” of FindMy on the Internet.

@olivluca

Really nice, with the latest firmware flashed I actually got a report from Apple 👍 .
How does it compare to @biemster's implementation (regarding battery life and reach of the beacon)?

@pvvx
Owner Author

pvvx commented Dec 11, 2024

Depends heavily on the beacon transmission interval.
With the same interval, there is no difference with the firmware https://github.com/biemster/FindMy/tree/main/Lenze_ST17H66.

image

Average current consumption as a function of beacon period. With a 3.0 V source.
The graph corresponds to measurements when working in the BTHome format. For FindMy it will be slightly less - up to a couple of percent at short intervals.
In FindMy mode, the key fob does not track the connection request, but the length of the transmitted data is greater. This gives a difference of 1..3% only at short intervals.

At longer intervals the chip sleep current (chip leakage) has a greater effect. Average sleep current - 2.8..3.5 uA - depends on the chip quality.

At short intervals there is a large dependence on the set transmitter power in dBm.
The graph is given for a setting of 0 dBm.

@olivluca

Cool, I set a 3s advertising interval but I see @biemster's code uses 5s, I'll change it.
Besides, I see that the device can do double duty (working both as a BTHome button in HA and as a FindMy tracker). Not that I'm going to use it that way, but it's really cool nevertheless.

@biemster

Is there a way to protect OTA access, with a password or something? I would not like if someone else passes by and changes the key..

@pvvx
Owner Author

pvvx commented Dec 12, 2024

If the button is not pressed, it is impossible to connect. The FindMy beacon does not have a connection request reception...

@biemster

If the button is not pressed, it is impossible to connect. The FindMy beacon does not have a connection request reception...

ah sorry, I missed that! I just flashed an E2XT2319, as mentioned in the issue above, which went fine. But it does not have a button :D

@pvvx
Owner Author

pvvx commented Dec 12, 2024

Button processing (FindMy mode):

When the button is pressed, the LED turns on and the FindMy beacon switches to transmitting BLE advertising with the AdvEventType = LL_ADV_CONNECTABLE_UNDIRECTED_EVT attributes. A first packet of BLE advertising events is transmitted in the quantity specified in "Number of event transmissions". The period of advertising events is 95 ms. Data in the packet is in BTHome format with "Button" = "1".

If the button is released, the LED goes out.

After the packet has been transmitted N*95ms, the speaker quietly clicks, the LED turns off regardless of the button (saving battery). If the button is still pressed, the first packet is transmitted again. If the button is released, the second packet of BLE "Number of Event Transmissions" announcements is transmitted, but with "Button" = "0".

After the second packet is transmitted, the FindMy beacon with the AdvEventType attribute = LL_ADV_NONCONNECTABLE_UNDIRECTED_EVT begins to be transmitted.

PS: I barely wrote it in English - Google translate is terrible :)

@pvvx
Owner Author

pvvx commented Dec 12, 2024

@biemster - Now, to support "Find My" in Home Assistant, you'll have to fight with the writers of "Bluetooth" integration. But there you'll be sent to "Bluez", and there you'll be sent to the kernel, and there's Linus Torvalds :P

@omarkhali

omarkhali commented Dec 12, 2024

@pvvx @biemster
https://github.com/malmeloo/hass-FindMy

@biemster

@biemster - Now, to support "Find My" in Home Assistant, you'll have to fight with the writers of "Bluetooth" integration. But there you'll be sent to "Bluez", and there you'll be sent to the kernel, and there's Linus Torvalds :P

😭

@omarkhali

@pvvx @biemster https://github.com/malmeloo/hass-FindMy

This integration works beautifully and I use it with hass. Many thanks to @biemster @pvvx @malmeloo for this hard work.

@pvvx
Owner Author

pvvx commented Dec 12, 2024

This integration does not receive the Find My beacon.
There is no way to determine that the Find My carrier has appeared at home or in the yard, in a specific room ...
The "bluetooth" integration does not accept beacons without "flags" in the PDU. At the same time, in the standard, unspecified flag keys are accepted as the value 0 by default. But Bluez and kernel (Linus Torvalds) have their own standards.
This also involves "D-Bus"... And it is impossible to move this entire chain. Especially since Linus Torvalds has gone into politics and imposed sanctions on the Russians :)
In Linux, in "Bluez", in "Bleak" Bluetooth version 5.0+ is still not supported since 2016.


For the BTHome mode option, an addition is planned - a key fob search. Upon request, when connected, it will give a sound signal...

@biemster

I forgot how frustrating it is to program these chips, I'm on it for three hours now and managed a grand total of 2!

The third one I flashed only half, @pvvx your OTA bootloader does not replace the entire bootloader right?

@pvvx
Owner Author

pvvx commented Dec 12, 2024

your OTA bootloader does not replace the entire bootloader right?

The question is not clear.

Firmware installation via USB-COM adapter takes several minutes with soldering of wires.

OTA:

17:29:16: Starting programming...
17:30:04: Programming completed in 47.069 seconds
17:30:08: Device disconnected.

@biemster

I'm just installing BOOT_KEY2_v20.hex. Getting the chip to start in firmware upload mode has always been an issue for me, probably due to the hacky setup I'm using. When the flasher gets to cmd>> it actually finishes in seconds, but getting to that is very finicky.

The question was if flashing BOOT_KEY2_v20.hex only partially due to lost connection will brick the chip?

@pvvx
Owner Author

pvvx commented Dec 12, 2024

Flash writing on PHY62x2/ST17H66B chips is always available.
UART Boot is in ROM.

@lovelyelfpop

And it would be great if this firmware implemented key rotation. I found that if a tag with this firmware and an iPhone meet at the same place every morning, the location of the tag will not be reported by the iPhone, even if the iPhone and the tag have been to other places the day before. I guess this is related to key rotation. The location of my other tags with nRF5x firmware (50 keys) gets updated more frequently.

@pvvx
Owner Author

pvvx commented Dec 13, 2024

There is no description of the key rotation algorithm yet.

@biemster

There is a description in the OpenHaystack paper, and also FindMy.py is able to deduce the current AirTag key from the registered data on macOS, but what @lovelyelfpop probably meant is uploading N keys and just starting to broadcast the next one after, let's say, 15 minutes.

Since uploading a bunch of keys might be cumbersome with the web flasher, we could also use one key as base, and after every time interval either add the curve generator to it (basically private key +1), or multiply by 2 (private key *2) with the latter being easier to implement. Although since this will be done very rarely efficiency should not be an issue.

@omarkhali

omarkhali commented Dec 13, 2024

This integration does not receive the Find My beacon.
There is no way to determine that the Find My carrier has appeared at home or in the yard, in a specific room ...
The "bluetooth" integration does not accept beacons without "flags" in the PDU. At the same time, in the standard, unspecified flag keys are accepted as the value 0 by default. But Bluez and kernel (Linus Torvalds) have their own standards.
This also involves "D-Bus"... And it is impossible to move this entire chain. Especially since Linus Torvalds has gone into politics and imposed sanctions on the Russians :)
In Linux, in "Bluez", in "Bleak" Bluetooth version 5.0+ is still not supported since 2016.

Hi @pvvx, is this the one you are looking for?

https://github.com/agittins/bermuda

@pvvx
Owner Author

pvvx commented Dec 13, 2024

Added musical accompaniment :)
image
I'm too lazy to write music - I copied some pieces...

The buzzer is turned off by the button release event.

@pvvx
Owner Author

pvvx commented Dec 13, 2024

Hi @pvvx, is this the one you are looking for?

https://github.com/agittins/bermuda

The link offers an unnecessary device that consumes several watts - using ESPHome bluetooth_proxy devices

Why all this? It's easier for me to patch the Linux kernel and Bluez.

As a last resort, write another version of a BLE repeater in Zigbee.

And there is no Bluetooth "AoA" and "AoD" functionality :(


FindMy Scan works in https://github.com/pvvx/hcitooladv
(In HA, "Bluetooth" and other "FindMy" integrations are not scanned - "Bluez")

root@nanopi-r5s:~/hcitooladv# ./hcitooladv -i hci0 lescan --passive --duplicates --advanced

LE Scan ...
38:1F:8D:94:2E:F9-020106030201a2141601a20154cf0451ebc77129c7b6647dfdaa27c4c1
38:1F:8D:D8:B5:2D-020106030201a2141601a2013291499cc35a871c792b8e1772197a78b0
1C:90:FF:DC:0C:C6-020106030201a2141601a201d3496059d9146eded9e4d956127b7b6faf
F8:1F:8D:7A:4B:08-0201061216d2fc4000c201340cde093a013e47000000ae
38:1F:8D:94:1E:11-020106030201a2141601a2019d2de84dff21d8f26160e052d0d0b672b8
38:1F:8D:D9:3C:B6-020106030201a2141601a2016db2d52cd37c86fa958e84fb795ead4eb2
38:1F:8D:94:2E:F9-020106030201a2141601a20154cf0451ebc77129c7b6647dfdaa27c4ba
1C:90:FF:D8:BA:69-020106030201a2141601a201b6b51d57da6369372027fed8e7910b0cb1
38:1F:8D:D8:B5:2D-020106030201a2141601a2013291499cc35a871c792b8e1772197a78a5

D2:23:34:45:56:67-1eff4c0012190078899aabbccddeeffeeddccbbaa998877665544332210000b6

F8:1F:8D:7A:4B:08-0201061216d2fc4000c201340cde093a013e47000000b0
58:2D:34:60:5F:AA-0201061716cdfd0812aa5f60342d580201480f019f090400000000b8
38:1F:8D:D9:3C:B6-020106030201a2141601a2016db2d52cd37c86fa958e84fb795ead4eb7
A4:C1:38:B3:7A:74-12161a18747ab338c1a483fd8823c10805d705ab
....

D2:23:34:45:56:67-1eff4c0012190078899aabbccddeeffeeddccbbaa998877665544332210000b6

RSSI: 0xb6 = -74

Any BT adapter accepts "FindMy" but does not pass through Bluez to the "bluetooth" integration in HA.
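Added example, not code from pvvx, hcitooladv or this firmware: a Python parser for one hcitooladv scan line in the layout this thread exhibits, checked against the Base64 FindMy key from the Dec 10 comment and the D2:23:34:45:56:67 line above. It assumes the field layout those two examples show (the first six key bytes form the address with its two top bits set, key bytes 7..28 follow the status byte, then the top two bits of key byte 1 and a hint byte, and hcitooladv appends the RSSI as the last byte); the function and field names are mine.

```python
import base64

# Values quoted from this thread: the FindMy key pvvx posted in Base64 and the
# hcitooladv line produced by the key fob carrying that key.
KEY_B64 = "EiM0RVZneImaq7zN3u/+7dzLuqmYh3ZlVEMyIQ=="
SCAN_LINE = ("D2:23:34:45:56:67-"
             "1eff4c0012190078899aabbccddeeffeeddccbbaa998877665544332210000b6")

APPLE_COMPANY_ID = b"\x4c\x00"   # 0x004C little-endian inside the AD structure
OFFLINE_FINDING_TYPE = 0x12      # Apple sub-type seen in the dump above


def mac_from_key(key: bytes) -> str:
    """First 6 key bytes become the address; the two top bits of the first
    byte are forced to 1 (0x12 -> 0xD2, 0x38 -> 0xF8 in this thread)."""
    first = bytes([key[0] | 0xC0]) + key[1:6]
    return ":".join(f"{b:02X}" for b in first)


def parse_scan_line(line: str) -> dict:
    """Split an hcitooladv 'MAC-hexpayload' line. The last byte is the RSSI
    appended by hcitooladv (0xb6 = -74 in the post), so strip it first."""
    mac, hexdata = line.split("-", 1)
    raw = bytes.fromhex(hexdata)
    rssi = raw[-1] - 256 if raw[-1] > 127 else raw[-1]
    ad = raw[:-1]
    # AD structure: length, type 0xFF (manufacturer specific), company id, data
    ad_len, ad_type = ad[0], ad[1]
    if ad_type != 0xFF or ad[2:4] != APPLE_COMPANY_ID:
        raise ValueError("not an Apple manufacturer-specific advertisement")
    body = ad[4:2 + ad_len]
    if body[0] != OFFLINE_FINDING_TYPE:
        raise ValueError("not an offline-finding payload")
    payload_len = body[1]              # 0x19 = 25 in the thread's byte table
    status = body[2]                   # Maintained / battery bits (see table)
    key_tail = body[3:3 + 22]          # key bytes 7..28 (the "22 bytes")
    top_bits = body[25]                # bits 6..7 of key byte 1
    hint = body[26]
    # Rebuild the 28-byte key: the address carries bytes 1..6, with the
    # original top two bits of byte 1 restored from the trailing byte.
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    first = bytes([(mac_bytes[0] & 0x3F) | (top_bits << 6)]) + mac_bytes[1:]
    return {
        "mac": mac, "rssi": rssi, "payload_len": payload_len,
        "maintained": bool(status & 0x04),
        "battery_state": (status >> 6) & 0x03,
        "hint": hint,
        "key": first + key_tail,
    }


def check_thread_values() -> bool:
    """Confirm the Base64 key and the scan line above describe one device."""
    key = base64.b64decode(KEY_B64)
    parsed = parse_scan_line(SCAN_LINE)
    return (len(key) == 28
            and mac_from_key(key) == parsed["mac"]
            and parsed["key"] == key
            and parsed["rssi"] == -74)
```

The same address rule explains the earlier 22-versus-28-byte confusion: the six bytes 38 1f 8d 09 af 89 quoted by olivluca map to the address f8 1f 8d 09 af 89 they observed.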

@omarkhali

Added musical accompaniment :) image I'm too lazy to write music - I copied some pieces...

The buzzer is turned off by the button release event.

Is it possible to add a button buzzer in Home Assistant?

@pvvx
Owner Author

pvvx commented Dec 13, 2024

Is it possible to add a button buzzer in Home Assistant?

To do this, you need to write some kind of integration for "HA". The main problem with integrations for "HA" is that it requires constant support. "HA" is constantly changing and users always have thousands of questions. Support takes a lot of time and not everyone has it.

@pvvx
Owner Author

pvvx commented Dec 14, 2024

I poked around in "Passive BLE Monitor Integration" and:
image
image
:)

"Passive BLE Monitor" works via HCI interface with BT adapter... Doesn't need a BLE stack.
But for trackers, MAC and UUID are exchanged in the code "Passive BLE Monitor". The reason is that the binding is to the key number.
Too lazy to patch everything... Let the author do it right himself...

Also, the display interface in HA is not designed for long FindMy keys.

@biemster

I'm not a HA user, but this might change my mind

@yousaf465

20250101_165137
20250101_165125
20250101_170144

@pvvx is this a supported device?

@pvvx
Owner Author

pvvx commented Jan 1, 2025

Unknown.

@yousaf465

Unknown.

should I program with RX and TX on board only?

@nobodyspecial

What is the model of the chip? (small one in the second pic) I have the same keychain and unfortunately mine has the ST17H66T chip which is not flashable.

@yousaf465

What is the model of the chip? (small one in the second pic) I have the same keychain and unfortunately mine has the ST17H66T chip which is not flashable.

Can't read at least with my phone camera, let me try with my microscope
I do have a program pad under p06 in the second pic.

@nobodyspecial

What is the model of the chip? (small one in the second pic) I have the same keychain and unfortunately mine has the ST17H66T chip which is not flashable.

Can't read at least with my phone camera, let me try with my microscope I do have a program pad under p06 in the second pic.

Yeah, I had to use a magnifying glass and a flashlight lol.

@pvvx
Owner Author

pvvx commented Jan 1, 2025

Option with OTP on PHY6230.
Has one-time programming by the manufacturer.

@pvvx
Owner Author

pvvx commented Jan 1, 2025

Can't read at least with my phone camera, let me try with my microscope

The markings don't say anything. Especially on OTP chips. The chip marking may indicate the OTP firmware order number.

@yousaf465

yousaf465 commented Jan 1, 2025

What is the model of the chip? (small one in the second pic) I have the same keychain and unfortunately mine has the ST17H66T chip which is not flashable.

Can't read at least with my phone camera, let me try with my microscope I do have a program pad under p06 in the second pic.

Yeah, I had to use a magnifying glass and a flashlight lol.

BK3431
CG5111f

WIN_20250101_19_06_25_Pro
WIN_20250101_19_06_28_Pro

@pvvx
Owner Author

pvvx commented Jan 1, 2025

I have the same keychain and unfortunately mine has the ST17H66T chip which is not flashable.

ST17H66T is PHY6230?

image

image

image

@nobodyspecial

I have the same keychain and unfortunately mine has the ST17H66T chip which is not flashable.

ST17H66T is PHY6230?

image

image

Earlier in this thread you said:

ST17H66T is a chip without the ability to reflash. It uses one-time programmable memory, which is produced at the factory.

Is that not true?

@pvvx
Owner Author

pvvx commented Jan 1, 2025

PHY6230, having OTP, meets this ID:

Chip Reset Ok. Response: b'cmd>>:'
Revision: b'00000000 6230CK05'

PHY6256 also come with OTP.

@biemster

biemster commented Jan 1, 2025

What is the model of the chip? (small one in the second pic) I have the same keychain and unfortunately mine has the ST17H66T chip which is not flashable.

Can't read at least with my phone camera, let me try with my microscope I do have a program pad under p06 in the second pic.

Yeah, I had to use a magnifying glass and a flashlight lol.

BK3431 CG5111f

That's a Beken 3431, and should be programmable. I'm working on those, but did not receive mine yet.

@pvvx
Owner Author

pvvx commented Jan 1, 2025

Is that not true?

PHY6xxx is a Chinese SoC design. It is sold to other companies or labeled for the customer.

iSearching - BLE, Flash
iSearching2 - BLE, Flash
iSearching3 - BLE, OTP (!)

@yousaf465

What is the model of the chip? (small one in the second pic) I have the same keychain and unfortunately mine has the ST17H66T chip which is not flashable.

Can't read at least with my phone camera, let me try with my microscope I do have a program pad under p06 in the second pic.

Yeah, I had to use a magnifying glass and a flashlight lol.

BK3431 CG5111f

That's a Beken 3431, and should be programmable. I'm working on those, but did not receive mine yet.

Should I flash with PVVX firmware? Use TX and RX pins only?

@pvvx
Owner Author

pvvx commented Jan 1, 2025

Should I flash with PVVX firmware? Use TX and RX pins only?

There is no firmware for the BK3431 chip.

@biemster

biemster commented Jan 1, 2025

Should I flash with PVVX firmware? Use TX and RX pins only?

There is no firmware for the BK3431 chip.

@yousaf465 an SDK seems to be here: https://github.com/yumzhi/ble
I'll start working on this once my chips arrive (although they are bk3432, but I'm hoping they are similar enough)

@MartinEssink

MartinEssink commented Jan 7, 2025

Option with OTP on PHY6230. Has one-time programming by the manufacturer.

IMG_20250107_204544
I have one with a similar layout, but the pinout seems slightly different. There is no marking on the chip.
Did you read the data from the SOP8 one over UART, and if so, which pins did you use?

@pvvx
Owner Author

pvvx commented Jan 7, 2025

image

rdwr_phy62x2.py

Chip Reset Ok. Response: b'cmd>>:'
Revision: b'00000000 6230CK05'
