The thing cost about four pounds and came with an app that wanted a login, a region, and, for reasons I will never understand, the ability to see my contacts. All I wanted was the temperature inside my beer fridge. So I decided to skip the app entirely and talk to the device myself.
It is a little BLE thermometer-hygrometer, the white square kind with an e-ink display that sells under a dozen brand names. The good news with these is that almost nothing is encrypted. The bad news is that nothing is documented either, so you have to go and find out.
Listening first
Before you touch any code, just watch. On Linux bluetoothctl will get you the address, and then I let it advertise into the void for a bit:
bluetoothctl
[bluetooth]# scan on
[NEW] Device A4:C1:38:XX:XX:XX LYWSD03MMC
The cheaper sensors broadcast their readings straight out in the advertising packets, no connection required. That is the jackpot, because it means I never have to pair, never have to fight a connection limit, and I can read it from a Pi sat in the cupboard.
I used bluetoothctl with a passive scan and dumped the manufacturer data. After a couple of minutes you start to see fields that move. Temperature climbs when you cup the thing in your hand. Humidity climbs when you breathe on it. That is your Rosetta Stone: change the physical world, watch which bytes change.
Decoding the bytes
The service data turned out to be six bytes after the MAC: two for temperature, one for humidity, one for battery, and a couple I never bothered to identify. Temperature was a signed 16-bit value, little-endian, divided by ten. So 0x0114 is 276, which is 27.6°C, which matched the display to a tenth. Humidity was a single byte, a straight percentage.
A few lines of Python over bleak and I had it logging to a file:
# data holds the six payload bytes after the MAC; temperature is in tenths of a degree
temp = int.from_bytes(data[0:2], "little", signed=True) / 10.0
humidity = data[2]
print(f"{temp:.1f}C {humidity}%")
From there it went into a tiny MQTT publish, which my existing Home Assistant box was already listening for, and the beer fridge appeared on the dashboard next to everything else.
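The byte layout described above as a stand-alone decoder, added here as an example rather than the script from the original post. It assumes the payload begins with the 6-byte MAC in the order bluetoothctl prints it; the `Reading` and `decode` names and the sample payloads are constructed for illustration.

```python
# Added example: decoder for the advertising payload layout described in the post.
# Assumption: payload = 6-byte MAC (order as printed by bluetoothctl) + 6 data bytes.
from dataclasses import dataclass

MAC_LEN = 6
DATA_LEN = 6  # temp(2) + humidity(1) + battery(1) + 2 unidentified bytes


@dataclass(frozen=True)
class Reading:
    mac: str
    temp_c: float
    humidity: int
    battery: int
    unknown: bytes


def decode(payload: bytes, expected_mac: str) -> Reading:
    """Decode one advertisement payload, rejecting anything malformed."""
    if len(payload) != MAC_LEN + DATA_LEN:
        raise ValueError(f"expected {MAC_LEN + DATA_LEN} bytes, got {len(payload)}")
    mac = ":".join(f"{b:02X}" for b in payload[:MAC_LEN])
    # Advertisements are unauthenticated: the MAC match is a filter, not proof of origin.
    if mac != expected_mac.upper():
        raise ValueError(f"payload MAC {mac} is not the sensor we track")
    data = payload[MAC_LEN:]
    # signed=True matters: a reading of -3.5C arrives as 0xFFDD, not 65501.
    temp_c = int.from_bytes(data[0:2], "little", signed=True) / 10.0
    humidity, battery = data[2], data[3]
    if humidity > 100:  # the post describes humidity as a straight percentage
        raise ValueError(f"humidity {humidity} is not a percentage")
    return Reading(mac, temp_c, humidity, battery, bytes(data[4:6]))


# Constructed sample payloads (not captured from a real device).
SENSOR = "A4:C1:38:00:00:01"
WARM = bytes.fromhex("a4c138000001" "1401" "2d" "5a" "0000")  # 0x0114 -> 27.6C
COLD = bytes.fromhex("a4c138000001" "ddff" "37" "5a" "0000")  # 0xFFDD -> -3.5C

if __name__ == "__main__":
    for p in (WARM, COLD):
        print(decode(p, SENSOR))
```

Rejected payloads raise `ValueError`, so a logging loop can count and drop them instead of publishing a bad reading.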
Was it worth it?
For four quid and an afternoon, honestly yes. Not because I saved money, I spent more in time than the gadget cost ten times over, but because now I own the data path. No cloud, no app, no login, no contacts. If the vendor vanishes tomorrow the sensor keeps working, because all it ever does is shout its readings into the air and I just happen to be listening.
The wider lesson keeps proving itself: the cheaper the device, the lazier the firmware, and the easier it is to take back. I am not complaining.