@KhaosT
Last active March 23, 2024 21:34

HAP Over BTLE

HAP over BLE 2.0 changes a lot; this document describes the BLE 1.0 protocol. It contains information about Apple's HomeKit Accessory Protocol (HAP) over BTLE.

HAP Over BTLE shares a lot with HAP Over IP (Pairing, Verifying, ...), so it is helpful to read Alex Skalozub's research on HAP Over IP before working on the BTLE side.

Advertising

HomeKit on iOS identifies a BTLE HomeKit accessory from its advertisement data.

A HomeKit accessory advertises a service UUID (FED4) and service data for FED4 containing a 6-byte username and 3 bytes of flags (exact meaning unclear).

The advertised device name will become the Accessory name in HomeKit.
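As an added example (not code from the gist), a small Python parser that walks a raw BLE advertising payload using the standard AD-structure layout (length, type, data) and pulls out the fields described above: the FED4 service UUID, the 9-byte FED4 service data split into username and flags, and the local name. The sample advertisement bytes are constructed, and the flag bytes are only extracted, not interpreted.

```python
# Added example, not code from the gist: parse a raw BLE advertising payload and
# pull out the HomeKit fields the gist describes (FED4 UUID, 6-byte username,
# 3-byte flags, local name). Sample bytes below are constructed.
import struct

HAP_SERVICE_UUID = 0xFED4
# Standard BLE AD types (Bluetooth Core Spec / GAP assigned numbers).
AD_COMPLETE_16BIT_UUIDS = 0x03
AD_COMPLETE_LOCAL_NAME = 0x09
AD_SERVICE_DATA_16BIT = 0x16


def parse_ad_structures(payload: bytes) -> list:
    """Split an advertising payload into (ad_type, data) structures."""
    structures, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:  # zero-length structure means padding: stop here
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        structures.append((payload[i + 1], payload[i + 2 : i + 1 + length]))
        i += 1 + length
    return structures


def parse_hap_advertisement(payload: bytes) -> "dict | None":
    """Return username/flags/name if the advertisement looks like a HAP accessory."""
    uuids, service_data, name = set(), {}, None
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_COMPLETE_16BIT_UUIDS:
            n = len(data) // 2
            uuids.update(struct.unpack(f"<{n}H", data[: n * 2]))
        elif ad_type == AD_SERVICE_DATA_16BIT and len(data) >= 2:
            service_data[struct.unpack_from("<H", data)[0]] = data[2:]
        elif ad_type == AD_COMPLETE_LOCAL_NAME:
            name = data.decode("utf-8", errors="replace")
    hap = service_data.get(HAP_SERVICE_UUID)
    if HAP_SERVICE_UUID not in uuids or hap is None or len(hap) != 9:
        return None  # not a HomeKit accessory, or service data is not the expected 9 bytes
    return {
        "username": ":".join(f"{b:02X}" for b in hap[:6]),
        "flags": hap[6:].hex(),  # meaning of the flag bytes is not covered by the gist
        "name": name,
    }


# Constructed advertisement: 16-bit UUID list (FED4), FED4 service data, complete local name.
SAMPLE_ADV = bytes([
    0x03, AD_COMPLETE_16BIT_UUIDS, 0xD4, 0xFE,
    0x0C, AD_SERVICE_DATA_16BIT, 0xD4, 0xFE, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x01, 0x00, 0x00,
    0x0A, AD_COMPLETE_LOCAL_NAME, *b"HAP Light",
])
```

Running `parse_hap_advertisement(SAMPLE_ADV)` yields the username `11:22:33:44:55:66`, flags `010000` and name `HAP Light`; a payload without the FED4 UUID or with service data of the wrong length yields `None`.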

Services and Characteristics

HomeKit over BTLE operates on GATT Services and Characteristics. A HomeKit BTLE accessory needs at least these services and characteristics:

HAP Pairing Service (FED4)
|
--Pair Setup 0000004C-0000-1000-8000-0026BB765291
--Pair Verify 0000004E-0000-1000-8000-0026BB765291
--Pairing Features 0000004F-0000-1000-8000-0026BB765291
--Pairings 00000050-0000-1000-8000-0026BB765291
Accessory Info Service (FED3)
|
--Manufacturer Name 00000020-0000-1000-8000-0026BB765291
--Model Name 00000021-0000-1000-8000-0026BB765291
--Serial Number 00000030-0000-1000-8000-0026BB765291
--Identify 00000014-0000-1000-8000-0026BB765291
--Service Instance ID 00000051-0000-1000-8000-0026BB765291

Unpaired Identifying

When a developer asks to identify an unpaired HomeKit accessory, the iOS device connects to the accessory and writes the Identify characteristic without encryption.

Pair Setup

When the user tries to pair with a new HomeKit accessory, HomeKit on iOS establishes a connection to the accessory. Once connected, iOS first reads Pairing Features from the accessory to determine whether it should enforce the MFi requirement.

After determining the MFi status of the accessory, HomeKit starts the Pair Setup sequence by writing to the Pair Setup characteristic. Communication at this stage is unencrypted and uses TLV encoding. The process of establishing a shared secret is similar to HAP Over IP; please refer to the section "Establishing a shared secret" in Alex's research for details. The one BTLE-specific detail is that HomeKit on iOS uses queued writes when the packet size is larger than the MTU.

Pair Verify

After finishing Pair Setup, HomeKit on iOS starts the Pair Verify process. All communication is done by reading and writing the Pair Verify characteristic.

Please refer to the section "Pairing verification" in Alex's research for more details.

Communication Encryption

After Pair Verify, HomeKit uses encrypted reads and writes to communicate with the accessory for reading and changing status.

The encryption overall is similar to HAP Over IP, but I'm not sure how they pick the nonce for the encryption.

@Troyblants

https://gist.github.com/KhaosT/6ff09ba71d306d4c1079#hap-over-btle
