[Bug]: Newer versions of Bluetti firmware use BLE encryption

[jsaiko]

What happened?

I have a new AC180 which does not work with any known currently available open source solution. After some digging, it appears the device is using BLE encryption. Based on my troubleshooting, the "2A 2A" is a signature to start the encryption process.

Connected: True
Started notifications on 0000ff01-0000-1000-8000-00805f9b34fb
Waiting for notifications...
Notification from 0000ff01-0000-1000-8000-00805f9b34fb (Handle: 30): Vendor specific:
Offset  Hexadecimal                                       ASCII
------  -----------------------------------------------   ----------------
000000  2A 2A 01 04 84 69 0F 5A 01 5B                    **...i.Z.[
Notification from 0000ff01-0000-1000-8000-00805f9b34fb (Handle: 30): Vendor specific:
Offset  Hexadecimal                                       ASCII
------  -----------------------------------------------   ----------------
000000  2A 2A 01 04 84 69 0F 5A 01 5B                    **...i.Z.[
Notification from 0000ff01-0000-1000-8000-00805f9b34fb (Handle: 30): Vendor specific:
Offset  Hexadecimal                                       ASCII
------  -----------------------------------------------   ----------------
000000  2A 2A 01 04 84 69 0F 5A 01 5B                    **...i.Z.[
Notification from 0000ff01-0000-1000-8000-00805f9b34fb (Handle: 30): Vendor specific:
Offset  Hexadecimal                                       ASCII
------  -----------------------------------------------   ----------------
000000  2A 2A 01 04 84 69 0F 5A 01 5B                    **...i.Z.[
Notification from 0000ff01-0000-1000-8000-00805f9b34fb (Handle: 30): Vendor specific:
Offset  Hexadecimal                                       ASCII
------  -----------------------------------------------   ----------------
000000  2A 2A 01 04 84 69 0F 5A 01 5B                    **...i.Z.[
Notification from 0000ff01-0000-1000-8000-00805f9b34fb (Handle: 30): Vendor specific:
Offset  Hexadecimal                                       ASCII
------  -----------------------------------------------   ----------------
000000  2A 2A 01 04 84 69 0F 5A 01 5B                    **...i.Z.[
Notification from 0000ff01-0000-1000-8000-00805f9b34fb (Handle: 30): Vendor specific:
Offset  Hexadecimal                                       ASCII
------  -----------------------------------------------   ----------------
000000  2A 2A 01 04 84 69 0F 5A 01 5B                    **...i.Z.[

These notifications appear then a few seconds later the device disconnects if no action is taken.

What version of our software are you running?

0.1.2

What device are you seeing the problem on?

AC180

IOT v9046.01
ARM v2107.02
DSP v2102.02

What bluetooth connection are you using?

Internal bluetooth adapter

Have you changed the integration settings?

false

Integration settings (if you changed them)

No response

Relevant log output

No response

[jsaiko]

Further investigation is showing that devices with manufacturer data containing this value are encrypted: 424c5545545446

[misterdalto]

also experiencing the same issue, though good to know others were able to sus it out

[jsaiko]

also experiencing the same issue, though good to know others were able to sus it out

I have made tons of progress reverse engineering the protocol. It appears that once you get past the encryption that the underlying data exchange is the same. As for merging this with the integration, not sure I will be much use there.

[Patrick762]

Seems like my new AC70 also uses encryption ...
Such a waste of potential for bluetti, but ecoflow is not better ...
I really hope there will be a law for open interfaces in the future

[jhagenk]

From what their marketing people told me, they added a "password" function to the Bluetooth control to prevent people walking around RV parks from turning off other people's power.

I don't have details on how they added it.

[jsaiko]

@Patrick762 I have the encryption process mostly worked out in a test script that I wrote in python. I haven't had much time to complete the final steps of the handshake but I at least know what is happening. Hit me up on Discord (I'm in your channel) and I can share it with you if you want. I would like to see if it is universal across the different models.

[10der]

is any news about AC180(T) connection?

please...

[Fridgeir-9]

the same here, also a AC180

UPDATE: todays update to hassio 13.0 finished, after that, state of charge is displayed

[v-maslovskyi]

Same here with an AC 180
Any updates on this or assistance is needed?

[smai86]

Any News on this? Just updated my ep600 to the newest version... now nothing works ... :-(

[jsaiko]

Any News on this? Just updated my ep600 to the newest version... now nothing works ... :-(

Yeah definitely don't update if your stuff is working. I haven't had a bunch of time to finish dissecting the encryption due to work stress. It's definitely not standard and I'm not sure it will work with the HA integration. Might be portable to the MQTT project that exists however.

[smai86]

Any News on this? Just updated my ep600 to the newest version... now nothing works ... :-(

Yeah definitely don't update if your stuff is working. I haven't had a bunch of time to finish dissecting the encryption due to work stress. It's definitely not standard and I'm not sure it will work with the HA integration. Might be portable to the MQTT project that exists however.

Yeah, but had to Update my EP600. Because I get a second one and the parallel grid connection didint work until I updated both EP600 to the newest available FW.. :-(
It would be enough for me to get the SOC into homeassistant because all the other values I´ll get from some shelly 3pm...

UPDATE:
Newest Update is working, sorry guys.... The rpoblem was a broken bt proxy

[LeoAlioth]

guys, i just got the AC180, and while the device connects, only 2 entities a created and nothing shows up.

[russellproud]

@jsaiko are you able to share the current code, irrelevant of the state? I'd love to pick it up as I have some time to put into some projects and this one is a bug bear of mine that I'd like to sort out.

[jsaiko]

@jsaiko are you able to share the current code, irrelevant of the state? I'd love to pick it up as I have some time to put into some projects and this one is a bug bear of mine that I'd like to sort out.

I unfortunately just did a system format and dont have the most recent version of the code 😞 I did find an older copy though, not sure how broken it is or isn't. Maybe I can find time to touch it up soon.

https://github.com/jsaiko/bluetti-enc-test

[russellproud]

Thanks @jsaiko. I'll spend some time during the week having a look through and seeing what I can add. Will share back here.

[russellproud]

@jsaiko (let me know if you don't want me tagging you).

I've gone a slightly different route; I've decompiled the Android APK for Bluetti. I've attached the connection manager classes and associated services to this.

ConnectManager.txt

Item to note is one of the consts defined is ;

public static final String LOCAL_AES_KEY = "459FC535808941F17091E0993EE3E93D";

My java and cryptography skills are a bit rusty, at best. I'll spend some time over next few days trying to compare this to what you've implemented (or atlernatively, just reimplement the below in Python once I've got my head around it).

If something below is an aha moment for you and it's quick for you to implement this to finalise, call it out and I'll hold.

The method bleEncryptedHandler is below for reference.

    public final void bleEncryptedHandle(String str, BleTaskItem bleTaskItem) {
        String str2 = str;
        Intrinsics.checkNotNullParameter(str2, "data");
        String str3 = "";
        if (StringsKt.startsWith(str2, "2A 2A", true)) {
            List split$default = StringsKt.split$default((CharSequence) str2, new String[]{" "}, false, 0, 6, (Object) null);
            int parseInt = Integer.parseInt((String) split$default.get(2), CharsKt.checkRadix(16));
            if (parseInt == 1) {
                byte[] hexStringToBytes = HexUtil.hexStringToBytes(CollectionsKt.joinToString$default(split$default.subList(4, 8), str3, (CharSequence) null, (CharSequence) null, 0, (CharSequence) null, ConnectManager$bleEncryptedHandle$1$random$1.INSTANCE, 30, (Object) null));
                Intrinsics.checkNotNullExpressionValue(hexStringToBytes, "hexStringToBytes(random)");
                String md5Encode = MD5.md5Encode(ArraysKt.reversedArray(hexStringToBytes));
                Intrinsics.checkNotNullExpressionValue(md5Encode, "md5Encode(HexUtil.hexStr…(random).reversedArray())");
                this.randomMd5 = md5Encode;
                String substring = md5Encode.substring(16, 24);
                Intrinsics.checkNotNullExpressionValue(substring, "this as java.lang.String…ing(startIndex, endIndex)");
                getTaskQueue().add(new BleTaskItem(-1, "2A2A0204" + substring + HexUtilKt.hexStrSum$default(HexUtilKt.INSTANCE, "0204" + substring, 0, 2, (Object) null), 0, (StringBuilder) null, false, 0, false, (String) null, 248, (DefaultConstructorMarker) null));
                executeTask$default(this, (BleTaskItem) null, 1, (Object) null);
                String hexStrXorOther = HexUtilKt.INSTANCE.hexStrXorOther(this.randomMd5, ConnConstantsV2.LOCAL_AES_KEY);
                if (hexStrXorOther != null) {
                    str3 = hexStrXorOther;
                }
                this.bleConnAESKey = str3;
            } else if (parseInt == 3) {
                getTaskQueue().poll();
            }
        } else {
            CharSequence charSequence = this.bleConnShareKey;
            if (charSequence == null || charSequence.length() == 0) {
                List<String> hexStr2StringList = HexUtilKt.INSTANCE.hexStr2StringList(ProtocolParse.parseAESCBCData$default(ProtocolParse.INSTANCE, str, this.bleConnAESKey, HexUtil.hexStringToBytes(this.randomMd5), false, 8, (Object) null));
                if (StringsKt.equals(hexStr2StringList.get(0) + hexStr2StringList.get(1), "2A2A", true)) {
                    int parseInt2 = Integer.parseInt(hexStr2StringList.get(2), CharsKt.checkRadix(16));
                    if (parseInt2 == 4) {
                        String joinToString$default = CollectionsKt.joinToString$default(hexStr2StringList.subList(4, 68), str3, (CharSequence) null, (CharSequence) null, 0, (CharSequence) null, ConnectManager$bleEncryptedHandle$2$lotPkHexStr$1.INSTANCE, 30, (Object) null);
                        String joinToString$default2 = CollectionsKt.joinToString$default(hexStr2StringList.subList(68, hexStr2StringList.size() - 2), str3, (CharSequence) null, (CharSequence) null, 0, (CharSequence) null, ConnectManager$bleEncryptedHandle$2$signature$1.INSTANCE, 30, (Object) null);
                        SignatureCrypt signatureCrypt = SignatureCrypt.INSTANCE;
                        byte[] hexStringToBytes2 = HexUtil.hexStringToBytes(joinToString$default + this.randomMd5);
                        Intrinsics.checkNotNullExpressionValue(hexStringToBytes2, "hexStringToBytes(lotPkHexStr + randomMd5)");
                        SignatureCrypt signatureCrypt2 = SignatureCrypt.INSTANCE;
                        byte[] hexStringToBytes3 = HexUtil.hexStringToBytes(joinToString$default2);
                        Intrinsics.checkNotNullExpressionValue(hexStringToBytes3, "hexStringToBytes(signature)");
                        byte[] edcsaToDERSignature = signatureCrypt2.edcsaToDERSignature(hexStringToBytes3);
                        byte[] hexStringToBytes4 = HexUtil.hexStringToBytes(SignatureCrypt.PUBLIC_KEY_K2);
                        Intrinsics.checkNotNullExpressionValue(hexStringToBytes4, "hexStringToBytes(SignatureCrypt.PUBLIC_KEY_K2)");
                        if (signatureCrypt.verifyForECDSA256(hexStringToBytes2, edcsaToDERSignature, hexStringToBytes4)) {
                            ECDHUtils eCDHUtils = ECDHUtils.INSTANCE;
                            byte[] hexStringToBytes5 = HexUtil.hexStringToBytes(ECDHUtils.SECP_256R1_PUBLIC_PREFIX + joinToString$default);
                            Intrinsics.checkNotNullExpressionValue(hexStringToBytes5, "hexStringToBytes(\"${ECDH…LIC_PREFIX}$lotPkHexStr\")");
                            this.iotPublicKey = ECDHUtils.getPublicKey$default(eCDHUtils, hexStringToBytes5, (String) null, 2, (Object) null);
                            KeyPair generateKeyPair = ECDHUtils.INSTANCE.generateKeyPair();
                            this.ecdhKeyPair = generateKeyPair;
                            if (generateKeyPair != null) {
                                ECDHUtils eCDHUtils2 = ECDHUtils.INSTANCE;
                                KeyPair keyPair = this.ecdhKeyPair;
                                if (keyPair != null) {
                                    String publicKey = eCDHUtils2.getPublicKey(keyPair);
                                    SignatureCrypt signatureCrypt3 = SignatureCrypt.INSTANCE;
                                    byte[] hexStringToBytes6 = HexUtil.hexStringToBytes(publicKey + this.randomMd5);
                                    Intrinsics.checkNotNullExpressionValue(hexStringToBytes6, "hexStringToBytes(pkHexStr + randomMd5)");
                                    ECDHUtils eCDHUtils3 = ECDHUtils.INSTANCE;
                                    byte[] hexStringToBytes7 = HexUtil.hexStringToBytes(SignatureCrypt.PRIVATE_KEY_L1);
                                    Intrinsics.checkNotNullExpressionValue(hexStringToBytes7, "hexStringToBytes(SignatureCrypt.PRIVATE_KEY_L1)");
                                    String edcsaDERSignatureParse = SignatureCrypt.INSTANCE.edcsaDERSignatureParse(TransformExtKt.toHexString(signatureCrypt3.sign(hexStringToBytes6, eCDHUtils3.getPrivateKeyForSecp256r1(hexStringToBytes7), "SHA256withECDSA")));
                                    addTaskItem$default(this, new BleTaskItem(-1, "2A2A0580" + publicKey + edcsaDERSignatureParse + HexUtilKt.hexStrSum$default(HexUtilKt.INSTANCE, "0580" + publicKey + edcsaDERSignatureParse, 0, 2, (Object) null), 0, (StringBuilder) null, false, 0, false, (String) null, 248, (DefaultConstructorMarker) null), true, false, 0, false, 28, (Object) null);
                                }
                            }
                        }
                    } else if (parseInt2 == 6 && Integer.parseInt(hexStr2StringList.get(4), CharsKt.checkRadix(16)) == 0) {
                        ECDHUtils eCDHUtils4 = ECDHUtils.INSTANCE;
                        KeyPair keyPair2 = this.ecdhKeyPair;
                        PrivateKey privateKey = keyPair2 != null ? keyPair2.getPrivate() : null;
                        if (privateKey != null) {
                            Intrinsics.checkNotNullExpressionValue(privateKey, "ecdhKeyPair?.private ?: return");
                            PublicKey publicKey2 = this.iotPublicKey;
                            if (publicKey2 != null) {
                                this.bleConnShareKey = TransformExtKt.toHexString(eCDHUtils4.getSharedSecret(privateKey, publicKey2));
                                this.iotPublicKey = null;
                                this.bleConnAESKey = str3;
                                readProtocolVer();
                            }
                        }
                    }
                }
            } else if (bleTaskItem != null) {
                HexUtilKt hexUtilKt = HexUtilKt.INSTANCE;
                ProtocolParse protocolParse = ProtocolParse.INSTANCE;
                String str4 = this.bleConnShareKey;
                if (str4 != null) {
                    modbusDataHandle$default(this, bleTaskItem, hexUtilKt.hexStr2StringList(ProtocolParse.parseAESCBCData$default(protocolParse, str, str4, (byte[]) null, false, 12, (Object) null)), (String) null, 4, (Object) null);
                    executeTask$default(this, (BleTaskItem) null, 1, (Object) null);
                }
            }
        }
    }

[jsaiko]

@russellproud I was using the APK as a reference when creating the script too ;)

[russellproud]

Haha yeah, I came to that conclusion after posting this :)

[blackys7312]

Hi, I don't suppose anyone has found a way of getting at least the percentage available info into homeassistant on an EB3A? appreciate there is the encryption issue but didn't know if anyone had found a workaround to get the raw data into HA somehow.

[jsaiko]

If your device uses encryption, even reading the values is not possible without decryption.

[blackys7312]

it's odd as they have enabled encryption (from what people say) to prevent other people accessing your device however the app has local option which just finds and connects to devices close by without having to authenticate. that would therefore not stop people accessing your device whether it's using encryption or no encryption, you just need the app.

[jhagenk]

There is an option in the app to set a password. The “no login” part of the app should ask for the password at connect time if a password has been set on the device. If no password is set, then the device seems to use encryption anyway with a default password. Thanks! -Jeff On Dec 13, 2024, at 3:40 PM, blackys7312 ***@***.***> wrote: it's odd as they have enabled encryption (from what people say) to prevent other people accessing your device however the app has local option which just finds and connects to devices close by without having to authenticate. that would therefore not stop people accessing your device whether it's using encryption or no encryption, you just need the app. — Reply to this email directly, view it on GitHub<#120 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BDQE2HJUHZP7LZ7YA2RACZL2FNV75AVCNFSM6AAAAABKQ2IA3GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNBSGU2TGMBYGA>. You are receiving this because you commented.Message ID: ***@***.***>

[brunokelo]

Hello everyone, has anyone made any progress on this topic?

[brunokelo]

https://community.bluettipower.com/t/eb63a-bluetooth-home-assistant/35566

[10der]

https://community.bluettipower.com/t/eb63a-bluetooth-home-assistant/35566

FIN

[jsaiko]

This isn't over. Bluetti just saying they aren't supporting it. That's fine, I'll work in finishing up this decryption and just stop buying their products.

[jhagenk]

I think the forum post is a bad example of the “telephone game”. I have some internal contacts with Bluetti management and have suggested that they document the Bluetooth protocol as well as the method of encryption to enable HA compatibility. The technical managers were very positive on the idea. I cannot get into any further details. I’m not a Bluetti employee. It would be useful if you guys have a specific ask for what is to be documented. I can present that to them next time. Also: is documentation in Chinese OK? Translating it is more work for them than documenting it. They have to hire (expensive!) business document translators to get things into English. I think if we are OK to have Chinese documentation then it would be a much easier ask on their side. Thanks! -Jeff On Jan 20, 2025, at 13:27, Joe Saiko ***@***.***> wrote:  This isn't over. Bluetti just saying they aren't supporting it. That's fine, I'll work in finishing up this decryption and just stop buying their products. — Reply to this email directly, view it on GitHub<#120 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BDQE2HI6RNMUPLFDYT6C32T2LVS2HAVCNFSM6AAAAABKQ2IA3GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMBTGI2TANRTGM>. You are receiving this because you commented.Message ID: ***@***.***>

[jsaiko]

@jhagenk thanks for the insight. We just need the handshake process documented. There are multiple key exchanges that take place when connecting to the device by bluetooth before you can even exchange any data. Their implementation is non standard so it will take time figure out unless they are able to help.

[jhagenk]

I’ll reach out when they are back in the office. I’d bet it will be a bit before we see anything as we are coming up on the Chinese new years holiday. Thanks! -Jeff On Jan 20, 2025, at 13:39, Joe Saiko ***@***.***> wrote:  @jhagenk<https://github.com/jhagenk> thanks for the insight. We just need the handshake process documented. There are multiple key exchanges that take place when connecting to the device by bluetooth before you can even exchange any data. Their implementation is non standard so it will take time figure out unless they are able to help. — Reply to this email directly, view it on GitHub<#120 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BDQE2HJXRP2KLIYILE62XJ32LVUJ5AVCNFSM6AAAAABKQ2IA3GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMBTGI3DGMBWGQ>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[nhurman]

I got the BLE encryption to work! I could only test with a new AC180, but I can retrieve the serial number and the battery pct% just fine, using the exact same ReadHoldingRegisters() commands as what's already in the repository.

The encryption just wraps the existing protocol, with some additional chatter in the beginning to exchange keys.

On a side note, the "bluetooth password" which supposedly was one of the reasons for the protocol change is not secure at all... It's stored on the device, the application asks the device for the password and compares it with what the user types.

You can literally ask over bluetooth what the password is!

I'll clean up the code next weekend and submit. I'm sure I've taken shortcuts somewhere so could use help after it's published to properly integrate it.

[brunokelo]

I got the BLE encryption to work! I could only test with a new AC180, but I can retrieve the serial number and the battery pct% just fine, using the exact same ReadHoldingRegisters() commands as what's already in the repository.

The encryption just wraps the existing protocol, with some additional chatter in the beginning to exchange keys.

On a side note, the "bluetooth password" which supposedly was one of the reasons for the protocol change is not secure at all... It's stored on the device, the application asks the device for the password and compares it with what the user types.

You can literally ask over bluetooth what the password is!

I'll clean up the code next weekend and submit. I'm sure I've taken shortcuts somewhere so could use help after it's published to properly integrate it.

What great news!! If you need help testing on the EB3A model, count on me! Thank you very much

[Patrick762]

Thank you for your work!

If that's working now, we can in the next step extract the bt lib from the integration so it can be used in a mqtt project.

[jhagenk]

Awesome! Given that this has been figured out, I’ll save my favors from the development manager for another time. I can assist with testing if needed. I have access to most current Bluetti models. Thanks! -Jeff On Jan 27, 2025, at 4:53 AM, Patrick762 ***@***.***> wrote: Thank you for your work! If that's working now, we can in the next step extract the bt lib from the integration so it can be used in a mqtt project. — Reply to this email directly, view it on GitHub<#120 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BDQE2HM4NBYVGYSYYDXEW232MYT6JAVCNFSM6AAAAABKQ2IA3GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMJVGY4DKNJRGA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[nhurman]

I ended up putting this in the warhammerkid/bluetti_mqtt code since the Bluetooth stack of the machine I have running home assistant doesn't seem to properly work. There are more changes than just the encryption since I added another device type in there, but the encryption code is self-contained if you only want that.

nhurman/bluetti_mqtt@bf037c3

To try it out, you should be able to run something similar to the command in the commit summary. Maybe try changing the device type to V2Device too if you're not using AC180 (bluetooth/__init__.py, build_device function)

Thanks @jsaiko for sharing your earlier attempt, you were very close!

[LuukvanDort]

I have the same problem with my AC180P, very annoying. For now at least bluetti need to make the bluetti app have a horizontal version, so i can integrade it in a nice touch display for my camper.

Hope anyone can find a solution or bluetti will come with one...

[jesherman]

I ended up putting this in the warhammerkid/bluetti_mqtt code since the Bluetooth stack of the machine I have running home assistant doesn't seem to properly work. There are more changes than just the encryption since I added another device type in there, but the encryption code is self-contained if you only want that.

nhurman/bluetti_mqtt@bf037c3

To try it out, you should be able to run something similar to the command in the commit summary. Maybe try changing the device type to V2Device too if you're not using AC180 (bluetooth/init.py, build_device function)

Thanks @jsaiko for sharing your earlier attempt, you were very close!

Tried running this build of bluett_mqtt and getting errors. Hopefully it's able to help as an updated build in this add-on soon. :)