Lair Of The Multimedia Guru

2015-11-09

Bluetooth tracking devices/tags/”key” finders

A while ago, while fixing FFmpeg bugs in Coverity, there was some kind of "Nominate a bug, win a prize" thing. I never nominated one, but this was when I learned about the existence of Tile, which would have been the prize one could win: a BLE device that can be attached to something valuable and that can then be searched for and found with a recent Android or iPhone, or the other way around, using the device to find your phone.
This seemed potentially useful to me; though I personally have never lost my keys or phone for more than a few seconds, I know someone who does have that problem. So I thought I'd buy a Tile or 2, they might come in handy for something, but then I saw the price and the non-replaceable, non-rechargeable battery and thought ok, I didn't expect someone would be that lame. I guess one should not expect any company not to attempt to rip its customers off to the maximum extent possible.

Luckily there are many similar devices, so the goal was to find the cheapest that works and is not just tied to a ridiculous business model. So I bought some of the cheapest I could find (they of course all have user-replaceable batteries …)
First is something that identifies itself as

ITAG

[Photos: IMG_0383, IMG_0384]
The above one is one example of these; they come in many different shapes and cost less than 5$ with free shipping. The first I got had a different shape, came with a dead battery and also ate a new battery within a day. The second I got is the one pictured above, which worked more or less.
When off, a long press on its large surface switches it on with 2 beeps.
When on or connected, a long press switches it off with a long beep (this renders it useless as it is easy to press by mistake).
When on but not connected its LED also continuously blinks, draining the battery but making finding easier; it also at least once hung and required the battery to be disconnected for a moment to function again.
On the BT protocol side, setting Immediate Alert to 2 results in 30 beeps and LED blinks; setting Link Loss to 0 or 2 has no effect, the device always beeps on unintentional connection losses as far as I could figure out. Pressing the button results in a notify with value 0x01 on 0000ffe0-0000-1000-8000-00805f9b34fb / 0000ffe1-0000-1000-8000-00805f9b34fb (service / characteristic).
To make the ITAG only blink and not beep on Immediate Alert, 0000fff0-0000-1000-8000-00805f9b34fb / 0000fff1-0000-1000-8000-00805f9b34fb can be set to 0x00; this is remembered over disconnects but not over switching the tag off. All other values seem to cause blinking and beeping.
To identify it this may be helpful (Device Information Service characteristics):

  • 0x2A29 (Manufacturer Name): CEVA
  • 0x2A24 (Model Number): BT 4.0
  • 0x2A25 (Serial Number): 12x07x2012
  • 0x2A27 (Hardware Revision): SM-1
  • 0x2A50 (PnP ID): Bluetooth SIG Company: Ceva, Inc. (formerly Parthus Technologies, Inc.)
    Product Id: 13330
    Product Version: 26369

Smart Finder

[Photos: IMG_0380, IMG_0386]
The above is another sub-5$ tag, which appears identical (minus the logos) to tags on Amazon from chirotronix and ikee.
The official software for Android ("small lovely") has a rather long list of unneeded permissions, like for the previous tag ("iTracing"), but for this one there is also no unofficial software I could find for Android which supports these tags, which is why I reverse engineered the protocol.
When off, a long press switches it on with a long beep; to switch it off again 5 rapid short presses are needed (resulting in 3 beeps).
When in On mode, pressing the button results in 2 beeps; this also causes the "#255 Manufacturer Specific Data" (advertising data type 0xFF) to change from 0x58,0x48,0x52 to 0x58,0x48,0xFF for a few seconds, apparently to identify which of potentially several devices one wants to connect to. Switching the device off also seems not possible while it is connected. On connect and disconnect its LED flashes once.
Protocol wise, neither Link Loss nor Immediate Alert have any effect that I could identify. To make the device beep and blink a command must be written to 0000fff0-0000-1000-8000-00805f9b34fb / 0000fff1-0000-1000-8000-00805f9b34fb. A single 0xAA results in some short beeps and blinking. It is also possible to write a 5 byte command 0xAA 0x03 count duration1 duration2. The count is the number of beeps, the 2 durations are the beep and non-beep durations in milliseconds; I don't know what the 0x03 does or if there are other interesting commands.
To detect button presses the device can send notifies on 0000fff0-0000-1000-8000-00805f9b34fb / 0000fff1-0000-1000-8000-00805f9b34fb with a 3 byte value, which is either (0x01 xx 0x00), xx = number of short button presses, or (0x02 0x00 xx), xx = number of seconds the button is held.
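Putting the two protocols above into code: the following is an added example, not the author's software or either vendor's app. The encode/decode helpers (ITAG blink-only value, the Smart Finder 5-byte beep command, the 3-byte button notification, the advertised "press to identify" marker) use only the values quoted in this post and run anywhere; the `beep_and_watch` coroutine at the bottom is an assumed bleak-based (`pip install bleak`) client that needs a BLE adapter and a real tag, addressed by the MAC/UUID you pass on the command line. The Alert Level characteristic UUID 0x2A06 is the standard Immediate Alert Service characteristic that the "set immediate alert to 2" remark refers to.

```python
"""Codec for the ITAG and Smart Finder BLE key-finder protocols described above.

Pure helpers run offline; beep_and_watch() needs the bleak library and hardware.
"""
import asyncio

# Characteristics quoted in the post (128-bit form of the 16-bit UUIDs)
ITAG_BUTTON_NOTIFY = "0000ffe1-0000-1000-8000-00805f9b34fb"   # ITAG: notify 0x01 on press
FFF1_CHAR = "0000fff1-0000-1000-8000-00805f9b34fb"            # ITAG: blink mode / Smart Finder: cmd + notify
ALERT_LEVEL_CHAR = "00002a06-0000-1000-8000-00805f9b34fb"     # standard Immediate Alert Service
HIGH_ALERT = bytes([0x02])                                    # "immediate alert = 2"

# Advertised Manufacturer Specific Data of the Smart Finder, idle vs. button just pressed
SMART_FINDER_MFR_IDLE = bytes([0x58, 0x48, 0x52])
SMART_FINDER_MFR_PRESSED = bytes([0x58, 0x48, 0xFF])


def itag_blink_mode(beep: bool) -> bytes:
    """Value to write to FFF1 on the ITAG: 0x00 = blink only, anything else = blink and beep."""
    return bytes([0x01 if beep else 0x00])


def smart_finder_beep_cmd(count: int, beep_ms: int, pause_ms: int) -> bytes:
    """Encode the Smart Finder command 0xAA 0x03 <count> <beep ms> <pause ms>.

    Every field is a single byte on the wire, so values above 255 are rejected
    rather than silently truncated.
    """
    for name, value in (("count", count), ("beep_ms", beep_ms), ("pause_ms", pause_ms)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} must fit in one byte, got {value}")
    return bytes([0xAA, 0x03, count, beep_ms, pause_ms])


def parse_smart_finder_notify(data: bytes):
    """Decode the 3-byte button notification from FFF1.

    (0x01, n, 0x00) -> ("short", n)   n short presses
    (0x02, 0x00, s) -> ("held", s)    button held for s seconds
    """
    if len(data) != 3:
        raise ValueError(f"expected 3 bytes, got {len(data)}: {bytes(data).hex()}")
    kind, b1, b2 = data
    if kind == 0x01 and b2 == 0x00:
        return ("short", b1)
    if kind == 0x02 and b1 == 0x00:
        return ("held", b2)
    raise ValueError(f"unrecognised notification {bytes(data).hex()}")


def parse_itag_notify(data: bytes) -> bool:
    """The ITAG sends a single 0x01 on FFE1 when its button is pressed."""
    return bytes(data) == b"\x01"


def smart_finder_button_pressed(mfr_data: bytes) -> bool:
    """True while the tag advertises the 'connect to me' marker after a button press."""
    return bytes(mfr_data) == SMART_FINDER_MFR_PRESSED


async def beep_and_watch(address: str, tag: str, seconds: float = 10.0) -> None:
    """Connect to one tag, make it alert, and print decoded button events for a while.

    Assumed bleak client; tag is "itag" or "smart". Not exercised without hardware.
    """
    from bleak import BleakClient  # imported here so the codec above works without bleak

    def on_notify(_sender, data: bytearray) -> None:
        if tag == "itag":
            print("ITAG button pressed" if parse_itag_notify(data) else f"unknown {bytes(data).hex()}")
        else:
            print(parse_smart_finder_notify(bytes(data)))

    async with BleakClient(address) as client:
        if tag == "itag":
            await client.write_gatt_char(FFF1_CHAR, itag_blink_mode(beep=False))  # quiet mode
            await client.write_gatt_char(ALERT_LEVEL_CHAR, HIGH_ALERT)
            await client.start_notify(ITAG_BUTTON_NOTIFY, on_notify)
        else:
            await client.write_gatt_char(FFF1_CHAR, smart_finder_beep_cmd(3, 200, 200))
            await client.start_notify(FFF1_CHAR, on_notify)
        await asyncio.sleep(seconds)


if __name__ == "__main__":
    import sys
    # usage: python tags.py <bluetooth address> itag|smart
    asyncio.run(beep_and_watch(sys.argv[1], sys.argv[2]))
```

The notification parser deliberately rejects anything that does not match one of the two documented shapes instead of guessing, so an unexpected firmware variant shows up as an error rather than a misread press count.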
To identify it this may be helpful (Device Information Service characteristics):

  • 0x2A29 (Manufacturer Name): SIGNAL
  • 0x2A24 (Model Number): BT A8105
  • 0x2A25 (Serial Number): 00001
  • 0x2A26 (Firmware Revision): F4F5V02
  • 0x2A27 (Hardware Revision): A8105F4
  • 0x2A28 (Software Revision): 1030627

The name of the device is "AMIYJ_5B68"; I don't know if this is true for all these devices, Google seemed not to have any hits on that.
It seems to use an A8105 (the ITAG seems to use a BK3431); datasheets can be found with Google.
Interestingly there is also an entry for "Heart Rate" on the Bluetooth level, so I guess this shares some code with some other devices.

[Photo: IMG_0382]

Hope something above is useful to someone

Update: 2015-11-09: corrected the ITAG's Link Loss behavior
Update: 2015-11-10: Added names of the official apps
Update: 2015-11-14: Added ITAG blink-only info (found by and thanks to Joachim Schäfer)

Filed under: Electronics,Hardware,Off Topic,Reverse Engineering — Michael @ 03:16

7 Comments

  1. Hi
    I just bought 2 ITAG iBeacons.
    I can connect them with the iTracing app.
    I will try to make my own app in Delphi XE 8,
    but then I need the UUID for the ITAG.
    I've tried the 4 UUIDs that are in the text, but I cannot get them to work.
    Best regards
    Nikolaj

    Comment by Nikolaj Pedersen — 2015-12-01 @ 20:23

  2. I have written a dissenting application if you want to play with it … https://github.com/sylvek/itracing2
    Please, is there a way to tell me what the chipset is on your devices?

    Comment by sylvek — 2016-01-08 @ 16:13

  3. Hi Michael,

    Just worked through this as I am writing software for the iOS side of this app. There are a few revisions of the square tag above (small lovely tag).
    I have 2 of them; one starts with "AMISL_" and the other "AMIYJ_". On both of the ones I have the commands worked excellently; the only thing that I found was that the
    UUID of the service is "FFF0" and the UUID of the characteristic "FFF2" instead of "FFF1". So on the Android side it looks like this on my side:
    0000fff0-0000-1000-8000-00805f9b34fb / 0000fff2-0000-1000-8000-00805f9b34fb

    Thanks for this post. It saved me hours on trying to brute force the device.

    Have an awesome day guys

    Comment by Wynand van Wyk — 2016-02-08 @ 13:27

  4. ITAG (Green Triangle)
    As I can see in the picture 2. that it has some pinouts, (RSTN, TXD, RXD, GND, P04, P05, P06, P07, VCC, Prog) 10 Pins.

    Have you tried to debug or communicate with it via these pins?

    If anyone has had luck with this, please write here.

    Regards
    Nicolai J. Andersen

    Comment by Nicolai J. Andersen — 2016-02-18 @ 15:54

  5. Hackers look here

    https://github.com/sylvek/itracing2/issues/5#issue

    Comment by Nicolai J. Andersen — 2016-02-19 @ 07:13

  6. Hi, I found this article very helpful. It enabled me to make a little fun program which causes any of these devices in range to start spewing messages out in Morse Code. :D

    https://github.com/matthewg42/btlefun

    Comment by Mouse — 2016-07-12 @ 01:29

  7. Any idea how I can get notified of a button press on the Smart Finder?

    Comment by Kurt — 2016-10-27 @ 22:13
