Reverse Engineering the DT4 Mate Smartwatch BLE Protocol
The DT4 Mate smartwatch, like many modern smartwatches, uses Bluetooth Low Energy (BLE) to sync data with a phone. Curious about its command format, I set out to reverse engineer the protocol it uses. Since a finished consumer product offers few debugging hooks, I turned to the ESP32 microcontroller, whose built-in BLE support makes it a convenient stand-in for the watch.
The Role of ESP32 in Reverse Engineering
To see what passes between the smartwatch and the phone, I cloned the DT4 Mate's BLE services and characteristics onto an ESP32. The ESP32 can then be connected to the sync app, so that everything the app transmits can be observed. A BLE cloner Python script I wrote generates the sketch that emulates the watch. Initially the connection fails: the app sends a command and expects a response from the "watch". Using nRF Connect, I sent that command to the real watch, captured its response, and replayed it from the ESP32, which got me past the initial handshake.
Observing Hex Commands
By sending WhatsApp notifications to the phone, I could observe the following hex commands along with the corresponding messages:
Felix : test
55 20 00 1E 00 E1 00 44 06 00 60 00 19 07 46 00 65 00 6C 00 69 00 78 00 20 00 3A 00 20 00 74 00 65 00 73 00 74 00
Felix : ok
55 20 00 1A 00 F5 00 45 06 00 60 00 15 07 46 00 65 00 6C 00 69 00 78 00 20 00 3A 00 20 00 6F 00 6B 00
Felix : ko
55 20 00 1A 00 09 00 AA 06 00 60 00 15 07 46 00 65 00 6C 00 69 00 78 00 20 00 3A 00 20 00 6B 00 6F 00
Decoding the Data
The Checksum Hypothesis
Through extensive research and experimentation, I found that a CRC-8/EBU computed over the bytes from byte 9 onward reproduces byte 6 (counting bytes from 1, so byte 6 is E1, F5 and 09 in the three captures above). The purpose and calculation method of byte 8, however, remain elusive.
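As an added example (not the author's cloner script or any DT4 Mate code), the Python below checks the CRC-8/EBU hypothesis against the three captured frames and pulls out the fields identified so far; the mapping of the post's 1-based byte numbers to 0-based offsets, the UTF-16LE reading of the notification text, and the reading of the fourth byte as the body length are assumptions drawn from the captures.

```python
# CRC-8/EBU (also catalogued as CRC-8/AES and CRC-8/TECH-3250):
# poly 0x1D, init 0xFF, reflected input and output, no final XOR.
# The bitwise loop below uses the reflected polynomial 0xB8.
REFLECTED_POLY = 0xB8

# The three frames captured in the post (WhatsApp notifications).
CAPTURED_FRAMES = {
    "Felix : test": "55 20 00 1E 00 E1 00 44 06 00 60 00 19 07 46 00 65 00 6C 00 69 00 78 00 20 00 3A 00 20 00 74 00 65 00 73 00 74 00",
    "Felix : ok": "55 20 00 1A 00 F5 00 45 06 00 60 00 15 07 46 00 65 00 6C 00 69 00 78 00 20 00 3A 00 20 00 6F 00 6B 00",
    "Felix : ko": "55 20 00 1A 00 09 00 AA 06 00 60 00 15 07 46 00 65 00 6C 00 69 00 78 00 20 00 3A 00 20 00 6B 00 6F 00",
}

def crc8_ebu(data: bytes) -> int:
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ REFLECTED_POLY if crc & 1 else crc >> 1
    return crc

def parse_frame(hexdump: str) -> dict:
    """Split one captured frame into the fields identified so far.

    Offsets here are 0-based; the post counts from 1, so its "byte 6"
    (stored checksum) is offset 5 and its "byte 9" is offset 8. That
    mapping, the UTF-16LE text decoding and the length-field reading
    are assumptions that all three captured frames happen to satisfy.
    """
    frame = bytes.fromhex(hexdump)
    if len(frame) < 14 or frame[0] != 0x55:
        raise ValueError("does not look like a captured DT4 Mate frame")
    header, body = frame[:8], frame[8:]
    computed = crc8_ebu(body)
    return {
        "length_field": header[3],      # 0x1E / 0x1A in the captures
        "body_len": len(body),          # equals length_field in all three
        "stored_crc": header[5],
        "computed_crc": computed,
        "crc_ok": header[5] == computed,
        "byte8": header[7],             # the still-unexplained byte
        "text": body[6:].decode("utf-16-le"),  # after 06 00 60 00 xx 07
    }

if __name__ == "__main__":
    assert crc8_ebu(b"123456789") == 0x97  # standard check value
    for label, hexdump in CAPTURED_FRAMES.items():
        f = parse_frame(hexdump)
        print(f"{label!r}: crc_ok={f['crc_ok']} byte8=0x{f['byte8']:02X} "
              f"len={f['length_field']}/{f['body_len']} text={f['text']!r}")
```

Running it confirms that the stored checksum matches in all three captures and that the fourth byte equals the number of bytes following the 8-byte header, which narrows the open question to byte 8 alone.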
Seeking Insights
If anyone has insights or hypotheses on how byte 8 is calculated, your expertise would be greatly appreciated. That byte is the last piece needed to fully understand the BLE protocol of the DT4 Mate smartwatch.