Last week I visited thomasdotwtf from eventphone, who has a Jura coffee machine. We took one evening to look into how easy it is to use a generic BLE device like a Raspberry Pi to control it. He has a Jura Z8 automatic coffee machine, which supports an iOS/Android app via Bluetooth LE.
Jura released (at least) two different apps to control it.
- pl.mkssystems.juracoffee.household (Jura Coffee)
- ch.toptronic.joe (J.O.E.)
Both apps support ordering a coffee and changing its properties (e.g. how much water you want, or how much coffee should be in it). mkssystems.pl seems to have gone out of service, but the Internet Archive still has an old version of the site, which shows a lot of coffee-machine-related products, as well as a small blue device [1].
This is the BlueFrog, a Bluetooth dongle to control Jura coffee machines.
What can you do with the Apps?
- Configure your Coffee
- Produce a Coffee
- Statistics
- Firmware updates
How did we look into it?
- Bluetooth packet trace: we used the Android btsnoop.log to retrieve a packet trace, which we loaded into Wireshark.
- decompiled the .apk with different tools
- loaded the source code into Android Studio
What did we find out?
The J.O.E. application uses XML files to configure itself for the different coffee machines. The XML defines products (e.g. a coffee, a green tea, ...); there are properties (e.g. how much coffee should be produced), statistics and settings. The article number determines which XML file is used.
There is also a firmware update process, including the update URLs and the new firmware.
We tried to find the same commands that work over RS232/serial in the Bluetooth packet trace, but there weren't any. After looking further into the code, we found a lot of UUIDs for characteristics, including a human-readable name for each. We also discovered an "encryption" method which uses two hardcoded keys as well as an additional 8-bit input taken from the BLE advertisement. The encryption looks like a static key.
The BLE advertisement carries manufacturer-specific data; in our case it is 27 bytes long. Where 16-bit fields are used, they are little endian.
Manufacturer data as hex (27 bytes):

```
aa 05 06 03 d73a yyyy xxxx 5836 4435 01 c0 00 00 00 00 00 00 00 00 00 00 00
```

- aa: key
- 05: BlueFrog major version
- 06: BlueFrog minor version
- 03: unused (maybe patch version?)
- d73a: article number (the specific type of the machine)
- yyyy: machine number
- xxxx: serial number
- 5836: production date (Feb. 2017)
- 4435: production date UHCI (does UHCI mean the BlueFrog?) (Oct. 2016)
- 01: unused
- c0: bitmask defining the supported features
The production dates can be decoded, and validated against the app, which shows them in its connection fragment, with the following formula (i is the 16-bit little-endian value):

```
day:   i & 31
month: (i & 480) >> 5
year:  ((i & 65024) >> 9) + 1990
```
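As an added example (my own code, not from the post or from Jura), here is a Python decoder for this layout: it walks the length-prefixed AD structures of a scan response, picks the manufacturer-specific record (AD type 0xFF) whose company identifier is 171 (Ingenieur-Systemgruppe Zahn GmbH, as reported in the HCI trace further down), splits the 27-byte payload into the fields listed above and unpacks both production dates with the formula. The sample bytes are constructed from the 27 payload bytes in that trace; the AD structure header around them is my assumption, and all function names are mine.

```python
"""Decode the BlueFrog manufacturer-specific data from a BLE scan response (added example)."""
import struct
from datetime import date
from typing import Optional

AD_TYPE_MANUFACTURER = 0xFF   # "Manufacturer Specific Data" AD type
COMPANY_ISZ = 0x00AB          # 171 = Ingenieur-Systemgruppe Zahn GmbH
BLUEFROG_KEY = 0xAA           # first payload byte, labelled "key" in the field list

# Constructed sample: the 27 payload bytes from the HCI trace, wrapped in an
# AD structure (assumed header: length 30 = type + 2 company-id bytes + 27 payload bytes).
PAYLOAD = bytes.fromhex("aa050603d73a080402005836443501c0" "0000000000000000000000")
SAMPLE_SCAN_RSP = (bytes([30, AD_TYPE_MANUFACTURER])
                   + COMPANY_ISZ.to_bytes(2, "little") + PAYLOAD)


def iter_ad_structures(adv: bytes):
    """Yield (ad_type, data) for each length-prefixed AD structure; stop at a zero length."""
    pos = 0
    while pos < len(adv):
        length = adv[pos]
        if length == 0:
            break
        if pos + 1 + length > len(adv):
            raise ValueError("truncated AD structure")
        yield adv[pos + 1], adv[pos + 2: pos + 1 + length]
        pos += 1 + length


def decode_date(raw: int) -> date:
    """Unpack the packed date: bits 0-4 day, bits 5-8 month, bits 9-15 years since 1990."""
    day = raw & 31
    month = (raw & 480) >> 5
    year = ((raw & 65024) >> 9) + 1990
    return date(year, month, day)  # raises ValueError on an impossible date


def parse_bluefrog_payload(payload: bytes) -> dict:
    """Split the 27-byte BlueFrog payload into its fields (16-bit values little endian)."""
    if len(payload) != 27:
        raise ValueError(f"expected 27 payload bytes, got {len(payload)}")
    (key, major, minor, patch, article, machine, serial,
     prod_raw, uhci_raw, unused, features) = struct.unpack_from("<BBBBHHHHHBB", payload)
    if key != BLUEFROG_KEY:
        raise ValueError(f"unexpected key byte {key:#04x}")
    return {
        "key": key,
        "bluefrog_version": f"{major}.{minor}.{patch}",
        "article_number": article,
        "machine_number": machine,
        "serial_number": serial,
        "production_date": decode_date(prod_raw),
        "production_date_uhci": decode_date(uhci_raw),
        "unused": unused,
        "features": features,
        "feature_bits": [b for b in range(8) if features & (1 << b)],
        "reserved": payload[16:],   # the trailing 11 zero bytes
    }


def parse_scan_response(adv: bytes) -> Optional[dict]:
    """Find the ISZ manufacturer-data record in a scan response and decode it, or return None."""
    for ad_type, data in iter_ad_structures(adv):
        if ad_type != AD_TYPE_MANUFACTURER or len(data) < 2:
            continue
        company = int.from_bytes(data[:2], "little")
        if company == COMPANY_ISZ:
            return parse_bluefrog_payload(data[2:])
    return None


if __name__ == "__main__":
    for name, value in parse_scan_response(SAMPLE_SCAN_RSP).items():
        print(f"{name:22} {value}")
```

Feeding it the sample yields article number 0x3ad7, production date 2017-02-24 and UHCI date 2016-10-04, matching the Feb. 2017 / Oct. 2016 values in the field list; a payload whose first byte is not 0xaa is rejected rather than silently misparsed.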
What to do next?
- Write a decrypt function that can parse pcap files and show the messages, or write a Lua dissector for Wireshark with a decryption function.
- Find out how the XML files map onto commands towards the BlueFrog.
Bluetooth Interface
The good thing about BLE is that its communication is standardized. BLE uses the Bluetooth Attribute Protocol to communicate. The Bluetooth Attribute Protocol uses services and characteristics. A service is an object which can hold multiple characteristics. A characteristic can support one or more of the following operations: read, write, notification, indication. Every service has a UUID, and every characteristic has a UUID as well. The Bluetooth Attribute Protocol has its own methods to discover the available services and characteristics. For more information, please take a closer look into Bluetooth Low Energy.
Like any BLE device, the BlueFrog announces itself over BLE:

```
> hcitool lescan
LE Scan ...
C9:26:E8:4B:72:02 TT214H BlueFrog
```

The corresponding scan response in the HCI trace:

```
> HCI Event: LE Meta Event (0x3e) plen 43                      #8 [hci0] 8.466202
      LE Advertising Report (0x02)
        Num reports: 1
        Event type: Scan response - SCAN_RSP (0x04)
        Address type: Random (0x01)
        Address: C9:26:E8:4B:72:02 (Static)
        Data length: 31
        Company: Ingenieur-Systemgruppe Zahn GmbH (171)
          Data: aa050603d73a080402005836443501c00000000000000000000000
        RSSI: -78 dBm (0xb2)
```

Furthermore, we can also list the services and characteristics with gatttool.
```
> gatttool -b C9:26:E8:4B:72:02 --services -t random
attr handle = 0x0001, end grp handle = 0x0007 uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle = 0x0008, end grp handle = 0x0008 uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle = 0x0009, end grp handle = 0x0033 uuid: 5a401523-ab2e-2548-c435-08c300000710
attr handle = 0x0034, end grp handle = 0x003a uuid: 5a401623-ab2e-2548-c435-08c300000710
attr handle = 0x003b, end grp handle = 0xffff uuid: 00001530-1212-efde-1523-785feabcd123
```

```
> gatttool -b C9:26:E8:4B:72:02 --characteristics -t random
handle = 0x0002, char properties = 0x0a, char value handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb
handle = 0x0004, char properties = 0x02, char value handle = 0x0005, uuid = 00002a01-0000-1000-8000-00805f9b34fb
handle = 0x0006, char properties = 0x02, char value handle = 0x0007, uuid = 00002a04-0000-1000-8000-00805f9b34fb
handle = 0x000a, char properties = 0x02, char value handle = 0x000b, uuid = 5a401524-ab2e-2548-c435-08c300000710
handle = 0x000d, char properties = 0x08, char value handle = 0x000e, uuid = 5a401525-ab2e-2548-c435-08c300000710
handle = 0x0010, char properties = 0x08, char value handle = 0x0011, uuid = 5a401529-ab2e-2548-c435-08c300000710
handle = 0x0013, char properties = 0x08, char value handle = 0x0014, uuid = 5a401528-ab2e-2548-c435-08c300000710
handle = 0x0016, char properties = 0x0a, char value handle = 0x0017, uuid = 5a401530-ab2e-2548-c435-08c300000710
handle = 0x0019, char properties = 0x02, char value handle = 0x001a, uuid = 5a401527-ab2e-2548-c435-08c300000710
handle = 0x001c, char properties = 0x02, char value handle = 0x001d, uuid = 5a401531-ab2e-2548-c435-08c300000710
handle = 0x001f, char properties = 0x0a, char value handle = 0x0020, uuid = 5a401532-ab2e-2548-c435-08c300000710
handle = 0x0022, char properties = 0x0a, char value handle = 0x0023, uuid = 5a401535-ab2e-2548-c435-08c300000710
handle = 0x0025, char properties = 0x0a, char value handle = 0x0026, uuid = 5a401533-ab2e-2548-c435-08c300000710
handle = 0x0028, char properties = 0x02, char value handle = 0x0029, uuid = 5a401534-ab2e-2548-c435-08c300000710
handle = 0x002b, char properties = 0x02, char value handle = 0x002c, uuid = 5a401536-ab2e-2548-c435-08c300000710
handle = 0x002e, char properties = 0x02, char value handle = 0x002f, uuid = 5a401537-ab2e-2548-c435-08c300000710
handle = 0x0031, char properties = 0x02, char value handle = 0x0032, uuid = 5a401538-ab2e-2548-c435-08c300000710
handle = 0x0035, char properties = 0x02, char value handle = 0x0036, uuid = 5a401624-ab2e-2548-c435-08c300000710
handle = 0x0038, char properties = 0x08, char value handle = 0x0039, uuid = 5a401625-ab2e-2548-c435-08c300000710
handle = 0x003c, char properties = 0x04, char value handle = 0x003d, uuid = 00001532-1212-efde-1523-785feabcd123
handle = 0x003e, char properties = 0x18, char value handle = 0x003f, uuid = 00001531-1212-efde-1523-785feabcd123
```
Bluetooth Services and Characteristics
start | end | uuid | name |
---|---|---|---|
0x0001 | 0x0007 | 0x1800 | Generic Access Profile |
0x0008 | 0x0008 | 0x1801 | Generic Attribute Profile |
0x0009 | 0x0033 | 5a401523-ab2e-2548-c435-08c300000710 | |
0x0034 | 0x003a | 5a401623-ab2e-2548-c435-08c300000710 | |
0x003b | 0xffff | 00001530-1212-efde-1523-785feabcd123 | |
handle | value handle | properties | uuid | description |
---|---|---|---|---|
0x0002 | 0x0003 | RW (0xa) | 00002a00-0000-1000-8000-00805f9b34fb | |
0x0004 | 0x0005 | R (0x2) | 00002a01-0000-1000-8000-00805f9b34fb | |
0x0006 | 0x0007 | R (0x2) | 00002a04-0000-1000-8000-00805f9b34fb | |
handle | value handle | properties | uuid | description |
---|---|---|---|---|
0x000a | 0x000b | R (0x2) | 5a401524-ab2e-2548-c435-08c300000710 | Machine Status |
0x000d | 0x000e | W (0x8) | 5a401525-ab2e-2548-c435-08c300000710 | Product Start |
0x0010 | 0x0011 | W (0x8) | 5a401529-ab2e-2548-c435-08c300000710 | Service Control |
0x0013 | 0x0014 | W (0x8) | 5a401528-ab2e-2548-c435-08c300000710 | Update Product Progress |
0x0016 | 0x0017 | RW (0xa) | 5a401530-ab2e-2548-c435-08c300000710 | Product Progress |
0x0019 | 0x001a | R (0x2) | 5a401527-ab2e-2548-c435-08c300000710 | About |
0x001c | 0x001d | R (0x2) | 5a401531-ab2e-2548-c435-08c300000710 | |
0x001f | 0x0020 | RW (0xa) | 5a401532-ab2e-2548-c435-08c300000710 | |
0x0022 | 0x0023 | RW (0xa) | 5a401535-ab2e-2548-c435-08c300000710 | |
0x0025 | 0x0026 | RW (0xa) | 5a401533-ab2e-2548-c435-08c300000710 | Statistics command |
0x0028 | 0x0029 | R (0x2) | 5a401534-ab2e-2548-c435-08c300000710 | Statistics data |
0x002b | 0x002c | R (0x2) | 5a401536-ab2e-2548-c435-08c300000710 | |
0x002e | 0x002f | R (0x2) | 5a401537-ab2e-2548-c435-08c300000710 | |
0x0031 | 0x0032 | R (0x2) | 5a401538-ab2e-2548-c435-08c300000710 | Service Control Response |
handle | value handle | properties | uuid | description |
---|---|---|---|---|
0x0035 | 0x0036 | R (0x2) | 5a401624-ab2e-2548-c435-08c300000710 | |
0x0038 | 0x0039 | W (0x8) | 5a401625-ab2e-2548-c435-08c300000710 | |
handle | value handle | properties | uuid | description |
---|---|---|---|---|
0x003c | 0x003d | W- (0x4) | 00001532-1212-efde-1523-785feabcd123 | Nordic DFU_PACKET_CHARACTERISTI |
0x003e | 0x003f | W N (0x18) | 00001531-1212-efde-1523-785feabcd123 | Nordic DFU_CONTROL_POINT_CHARACTERISTIC |
- R means read
- W means write with response
- W- means write without response
- N means notification
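As an added example (my own code, not part of the post), a small Python parser that turns `gatttool --characteristics` lines into rows like the tables above. It decodes the property bitmask with the bit values the Bluetooth Core Specification assigns to the characteristic properties field (0x01 broadcast, 0x02 read, 0x04 write without response, 0x08 write, 0x10 notify, 0x20 indicate, 0x40 authenticated signed writes, 0x80 extended properties) and prints them with the short labels from the legend, and it collapses UUIDs built on the Bluetooth SIG base UUID to their 16-bit form. The sample lines are copied from the gatttool output above; function names are mine.

```python
"""Parse gatttool --characteristics output and decode the GATT property bitmask (added example)."""
import re

# Characteristic property bits from the Bluetooth Core Specification, with the
# short labels used in the legend above (plus labels of my own for the rarer bits).
PROPERTY_BITS = [
    (0x01, "B"),   # broadcast
    (0x02, "R"),   # read
    (0x04, "W-"),  # write without response
    (0x08, "W"),   # write with response
    (0x10, "N"),   # notify
    (0x20, "I"),   # indicate
    (0x40, "A"),   # authenticated signed writes
    (0x80, "X"),   # extended properties
]

# Suffix shared by all 128-bit UUIDs derived from the Bluetooth SIG base UUID.
SIG_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# Constructed sample: four lines taken from the gatttool output above.
SAMPLE_OUTPUT = """\
handle = 0x0002, char properties = 0x0a, char value handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb
handle = 0x000a, char properties = 0x02, char value handle = 0x000b, uuid = 5a401524-ab2e-2548-c435-08c300000710
handle = 0x003c, char properties = 0x04, char value handle = 0x003d, uuid = 00001532-1212-efde-1523-785feabcd123
handle = 0x003e, char properties = 0x18, char value handle = 0x003f, uuid = 00001531-1212-efde-1523-785feabcd123
"""

LINE_RE = re.compile(
    r"handle = (0x[0-9a-fA-F]+), char properties = (0x[0-9a-fA-F]+), "
    r"char value handle = (0x[0-9a-fA-F]+), uuid = ([0-9a-fA-F-]{36})"
)


def decode_properties(mask: int) -> list:
    """Return the short labels for every bit set in an 8-bit characteristic property mask."""
    if mask & ~0xFF:
        raise ValueError(f"property mask out of range: {mask:#x}")
    return [label for bit, label in PROPERTY_BITS if mask & bit]


def short_uuid(uuid: str) -> str:
    """Collapse a SIG base UUID (0000xxxx-0000-1000-8000-00805f9b34fb) to 0xXXXX."""
    uuid = uuid.lower()
    if uuid.startswith("0000") and uuid.endswith(SIG_BASE_SUFFIX):
        return "0x" + uuid[4:8]
    return uuid


def parse_gatttool_characteristics(text: str) -> list:
    """Parse each gatttool characteristic line into a dict; lines that don't match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        handle, props, value_handle, uuid = m.groups()
        mask = int(props, 16)
        rows.append({
            "handle": int(handle, 16),
            "value_handle": int(value_handle, 16),
            "properties": mask,
            "labels": decode_properties(mask),
            "uuid": short_uuid(uuid),
        })
    return rows


def format_table(rows: list) -> str:
    """Render rows in the pipe-table layout used above (handle | value handle | properties | uuid)."""
    lines = ["handle | value handle | properties | uuid |", "---|---|---|---|"]
    for r in rows:
        props = f"{' '.join(r['labels'])} ({r['properties']:#x})"
        lines.append(f"{r['handle']:#06x} | {r['value_handle']:#06x} | {props} | {r['uuid']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(parse_gatttool_characteristics(SAMPLE_OUTPUT)))
```

On the sample, 0x0a becomes `R W`, 0x04 becomes `W-` and 0x18 becomes `W N`, i.e. the property strings shown in the tables; the DFU control point (0x18) is the only characteristic in the dump that can push notifications back to the client.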
Additional sources
- [1] https://www.thomas-electronic-online-shop.de/JURA-Smart-Connect
- [2] https://forum.fhem.de/index.php?topic=76957.0
- [3] https://community.home-assistant.io/t/control-your-jura-coffee-machine/26604
- [4] https://gitlab.com/Blueforcer/HA2JURA/snippets/1674496
- [5] https://github.com/hn/jura-coffee-machine
- [6] https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.sdk5.v15.3.0%2Flib_dfu_transport_ble.html