Reverse engineering the Mi flora plant sensor

The Xiaomi Mi plant sensor is a well-made plant sensor that does not only measure the humidity, but also fertility, temperature and environment light. Pretty cool for a small device like this. And even cooler is that it uses Bluetooth Low energy for communication with your mobile device. This should make it easily hackable.

Ok, let’s start and check what characteristics are available:

handle = 0x0002, char properties = 0x02, char value handle = 0x0003, uuid = 00002a00-0000-1000-8000-00805f9b34fb
handle = 0x0004, char properties = 0x02, char value handle = 0x0005, uuid = 00002a01-0000-1000-8000-00805f9b34fb
handle = 0x0006, char properties = 0x0a, char value handle = 0x0007, uuid = 00002a02-0000-1000-8000-00805f9b34fb
handle = 0x0008, char properties = 0x02, char value handle = 0x0009, uuid = 00002a04-0000-1000-8000-00805f9b34fb
handle = 0x000d, char properties = 0x22, char value handle = 0x000e, uuid = 00002a05-0000-1000-8000-00805f9b34fb
handle = 0x0011, char properties = 0x1a, char value handle = 0x0012, uuid = 00000001-0000-1000-8000-00805f9b34fb
handle = 0x0014, char properties = 0x02, char value handle = 0x0015, uuid = 00000002-0000-1000-8000-00805f9b34fb
handle = 0x0016, char properties = 0x12, char value handle = 0x0017, uuid = 00000004-0000-1000-8000-00805f9b34fb
handle = 0x0018, char properties = 0x08, char value handle = 0x0019, uuid = 00000007-0000-1000-8000-00805f9b34fb
handle = 0x001a, char properties = 0x08, char value handle = 0x001b, uuid = 00000010-0000-1000-8000-00805f9b34fb
handle = 0x001c, char properties = 0x0a, char value handle = 0x001d, uuid = 00000013-0000-1000-8000-00805f9b34fb
handle = 0x001e, char properties = 0x02, char value handle = 0x001f, uuid = 00000014-0000-1000-8000-00805f9b34fb
handle = 0x0020, char properties = 0x10, char value handle = 0x0021, uuid = 00001001-0000-1000-8000-00805f9b34fb
handle = 0x0024, char properties = 0x0a, char value handle = 0x0025, uuid = 8082caa8-41a6-4021-91c6-56f9b954cc34
handle = 0x0026, char properties = 0x0a, char value handle = 0x0027, uuid = 724249f0-5ec3-4b5f-8804-42345af08651
handle = 0x0028, char properties = 0x02, char value handle = 0x0029, uuid = 6c53db25-47a1-45fe-a022-7c92fb334fd4
handle = 0x002a, char properties = 0x0a, char value handle = 0x002b, uuid = 9d84b9a3-000c-49d8-9183-855b673fda31
handle = 0x002c, char properties = 0x0e, char value handle = 0x002d, uuid = 457871e8-d516-4ca1-9116-57d0b17b9cb2
handle = 0x002e, char properties = 0x12, char value handle = 0x002f, uuid = 5f78df94-798c-46f5-990a-b3eb6a065c88
handle = 0x0032, char properties = 0x0a, char value handle = 0x0033, uuid = 00001a00-0000-1000-8000-00805f9b34fb
handle = 0x0034, char properties = 0x1a, char value handle = 0x0035, uuid = 00001a01-0000-1000-8000-00805f9b34fb
handle = 0x0037, char properties = 0x02, char value handle = 0x0038, uuid = 00001a02-0000-1000-8000-00805f9b34fb
handle = 0x003b, char properties = 0x02, char value handle = 0x003c, uuid = 00001a11-0000-1000-8000-00805f9b34fb
handle = 0x003d, char properties = 0x1a, char value handle = 0x003e, uuid = 00001a10-0000-1000-8000-00805f9b34fb
handle = 0x0040, char properties = 0x02, char value handle = 0x0041, uuid = 00001a12-0000-1000-8000-00805f9b34fb

Looks like some standard characteristics (the uuid’s starting with 00002) and a lot of non-standard. Let’s check the standard characteristics first. UUID 00002a00-0000-1000-8000-00805f9b34fb should contain the device name:

# gatttool --device=C4:7C:8D:60:8F:E6 --char-read -a 0x03
Characteristic value/descriptor: 46 6c 6f 77 65 72 20 6d 61 74 65 

“46 6c 6f 77 65 72 20 6d 61 74 65” is “Flower mate” in ASCII. Cool. Seems that Xiaomi is using the standards – not something we see from every Chinese company.

How do you know that this UUID contains the name? Check out the list of GATT characteristics on the Bluetooth web site.

Ok, let’s have a look at all characteristics that return values:

0x03 : 160823-164329 : 46 6c 6f 77 65 72 20 6d 61 74 65
0x05 : 160823-164329 : 00 00
0x07 : 160823-164329 : 00
0x09 : 160823-164329 : 0a 00 14 00 00 00 f4 01
0x0e : 160823-164329 : 01 00 ff ff
0x12 : 160823-164329 : c3 c8 fd 30
0x15 : 160823-164329 : 98 00
0x17 : 160823-164329 : 1f 8e 8e 13 86 dd a0 d8 52 66
0x1d : 160823-164329 : 4c cc ca 13 fc fa f7 a6 51 50 c6 85 ee 61 85 47 7f 3d d6 6b
0x1f : 160823-164329 : 2e a1 bc 3e b3 87 94 e9 68 6f ff b7
0x2f : 160823-164329 : 00
0x33 : 160823-164329 : aa bb
0x35 : 160823-164329 : f5 00 00 00 00 00 00 10 61 00 00 00 00 00 00 00
0x38 : 160823-164329 : 64 10 32 2e 36 2e 32
0x3c : 160823-164329 : aa bb cc dd ee ff 99 88 77 66 55 44 33 22 11 10
0x3e : 160823-164329 : aa bb cc
0x41 : 160823-164329 : 81 8d 23 00

Hmm, look pretty wild. Looking at the data you have no idea what they might encode.

Let’s try something different and dump all values every 10 minutes.

We see a lot of values that do not change at all like this:

0x38 : 160823-073844 : 64 10 32 2e 36 2e 32
0x38 : 160823-074852 : 64 10 32 2e 36 2e 32
0x38 : 160823-075856 : 64 10 32 2e 36 2e 32
0x38 : 160823-080859 : 64 10 32 2e 36 2e 32
0x38 : 160823-081909 : 64 10 32 2e 36 2e 32
0x38 : 160823-082914 : 64 10 32 2e 36 2e 32
0x38 : 160823-083918 : 64 10 32 2e 36 2e 32
0x38 : 160823-084922 : 64 10 32 2e 36 2e 32
0x38 : 160823-085925 : 64 10 32 2e 36 2e 32
0x38 : 160823-090931 : 64 10 32 2e 36 2e 32
0x38 : 160823-091936 : 64 10 32 2e 36 2e 32
0x38 : 160823-092940 : 64 10 32 2e 36 2e 32
0x38 : 160823-093945 : 64 10 32 2e 36 2e 32
0x38 : 160823-094951 : 64 10 32 2e 36 2e 32
0x38 : 160823-100006 : 64 10 32 2e 36 2e 32
0x38 : 160823-101010 : 64 10 32 2e 36 2e 32
0x38 : 160823-102014 : 64 10 32 2e 36 2e 32
0x38 : 160823-103018 : 64 10 32 2e 36 2e 32
0x38 : 160823-104022 : 64 10 32 2e 36 2e 32

Others seem to change randomly like this

0x41 : 160823-073844 : d4 0d 23 00
0x41 : 160823-074852 : 31 10 23 00
0x41 : 160823-075856 : 8e 12 23 00
0x41 : 160823-080859 : f0 14 23 00
0x41 : 160823-081909 : 4d 17 23 00
0x41 : 160823-082914 : aa 19 23 00
0x41 : 160823-083918 : 02 1c 23 00
0x41 : 160823-084922 : 5f 1e 23 00
0x41 : 160823-085925 : bc 20 23 00
0x41 : 160823-090931 : 19 23 23 00
0x41 : 160823-091936 : 76 25 23 00
0x41 : 160823-092940 : d3 27 23 00
0x41 : 160823-093945 : 30 2a 23 00
0x41 : 160823-094951 : 97 2c 23 00
0x41 : 160823-100006 : f4 2e 23 00
0x41 : 160823-101010 : 51 31 23 00
0x41 : 160823-102014 : ae 33 23 00
0x41 : 160823-103018 : 06 36 23 00
0x41 : 160823-104022 : 63 38 23 00
0x41 : 160823-105025 : c0 3a 23 00

But then there is one characteristic with very controlled changes:

0x35 : 160823-073844 : f2 00 00 68 00 00 00 10 66 00 00 00 00 00 00 00
0x35 : 160823-074852 : f2 00 00 54 00 00 00 10 66 00 00 00 00 00 00 00
0x35 : 160823-075856 : f1 00 00 54 00 00 00 10 66 00 00 00 00 00 00 00
0x35 : 160823-080859 : f2 00 00 54 00 00 00 10 66 00 00 00 00 00 00 00
0x35 : 160823-081909 : f2 00 00 68 00 00 00 10 66 00 00 00 00 00 00 00
0x35 : 160823-082914 : f2 00 00 54 00 00 00 10 66 00 00 00 00 00 00 00
0x35 : 160823-083918 : f2 00 00 68 00 00 00 10 65 00 00 00 00 00 00 00
0x35 : 160823-084922 : f2 00 00 68 00 00 00 10 66 00 00 00 00 00 00 00
0x35 : 160823-085925 : f2 00 00 57 00 00 00 10 66 00 00 00 00 00 00 00
0x35 : 160823-090931 : f2 00 00 57 00 00 00 10 65 00 00 00 00 00 00 00
0x35 : 160823-091936 : f2 00 00 57 00 00 00 10 65 00 00 00 00 00 00 00
0x35 : 160823-092940 : f2 00 00 57 00 00 00 10 65 00 00 00 00 00 00 00
0x35 : 160823-093945 : f2 00 00 57 00 00 00 10 65 00 00 00 00 00 00 00
0x35 : 160823-094951 : f2 00 00 6b 00 00 00 10 65 00 00 00 00 00 00 00
0x35 : 160823-100006 : f2 00 00 6b 00 00 00 10 63 00 00 00 00 00 00 00
0x35 : 160823-101010 : f2 00 00 6b 00 00 00 10 63 00 00 00 00 00 00 00
0x35 : 160823-102014 : f2 00 00 79 00 00 00 10 65 00 00 00 00 00 00 00
0x35 : 160823-103018 : f2 00 00 79 00 00 00 10 63 00 00 00 00 00 00 00
0x35 : 160823-104022 : f2 00 00 6b 00 00 00 10 65 00 00 00 00 00 00 00
0x35 : 160823-105025 : f2 00 00 79 00 00 00 10 65 00 00 00 00 00 00 00

Seems like there are 4 bytes of values and a lot of zeros. Could these 4 byte be the sensor values? They are!
Now let’s check the values in the Mi app on the iPhone:

  • 24.2 degree celcius
  • 121 Lux
  • 16% moisture
  • 101 us/cm fertility (whatever this means)

Except for the temperature these values map nicely to the data:

  • 16 = 0x10 – byte 8
  • 121 = 0x79 – byte 4
  • 101 = 0x65 – byte 9

The only thing that isn’t yet clear is the encoding of the temperature.

Also the sensor should be able to measure up to 10000 lux. This won’t work with a single byte. So, let’s put another plant it into the bright sunlight:

25 01 00 f7 26 00 00 28 0e 01 00 00 00 00 00 00
  • Fertility is now 270, which is bytes 9 and 10 (MSB byte 9, LSB byte 10)
  • Sunlight is 9975 lux which is stored in bytes 4 and 4 (MSB byte 4, LSB byte 5)
  • And now it is also getting clear how the temperature is encoded. It is in 0.1 degree Celcius steps in bytes 1 and 2, which gives us 29.3 degree celcius in this example (which fits the data displayed by the app).

10 thoughts on “Reverse engineering the Mi flora plant sensor”

  1. Great post, good reading!

    Could you explain how you got gattool to continuously report the values?
    I think that the Xiaomi scale are using the same standard.
    gatttool –device=88:0F:10:8E:B3:5B –char-read -a 0x03 gave me the following: 4d 49 5f 53 43 41 4c 45.

    1. I don’t do continuous readings. Reading data will have a huge impact on battery life. Therefore I strongly recommend to NOT read data very often. Reading it every 30 minutes should be already much more then you need.

  2. Thank you very much for your investegations, at least until firmware 2.64 this worked great and I could get the values with the gatttool as described.

    After the firmware-update to 2.66 it seems not to work anymore, at least I get 0-values for all numbers on all sensors with handle 0x35. Any idea how to solve this?

    # gatttool –device=C4:7C:8D:60:xx:xx –char-read -a 0x35
    Characteristic value/descriptor: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    Getting the battery-level would be great too, handle 0x38 gives me on three different sensors:
    64 13 32 2e 36 2e 36
    57 13 32 2e 36 2e 36
    4f 13 32 2e 36 2e 36
    If I look in the app, I can see, that the first byte is the battery-level, I get 100%, 87% and 79%.

    I think this handle also returns the firmware version in the last 5 bytes as plain ASCII: “2.6.6”. In your example you have “32 2e 36 2e 32” what would be “2.6.2” the initial firmware version!

  3. Good work 🙂

    When I installed Plant care to check if my reading was OK it upgraded one of my sensors to version 2.x.6 (from 2.x.2) and now the adress 0x35 is just zeros. They have proberbly moved it somewhere else. The other two I have (NOT upgraded) are working great.

    What tool did you use for scanning all characteristic? so I can find the data again

  4. Hi,
    Very nice Post 😀
    I’m pretty impressed how you reverse engineered this device!
    Can you please tell me how were you able to dump the data? (tools, software…)

    Thanks a lot for the python library as well!
    Regards.

  5. Great work! Looks more straightforward than decoding the moisture sensor outputs from Flower Power (Parrot). I recently purchased one of these and it appears they have changed their code. I get the following output at 0x35. (Characteristic value/descriptor: aa bb cc dd ee ff 99 88 77 66 00 00 00 00 00 00).

Leave a Reply

Your email address will not be published. Required fields are marked *