HAP over BLE 2.0 changes a lot; this document describes the BLE 1.0 protocol. It contains information about Apple's HomeKit Accessory Protocol (HAP) over Bluetooth LE (BTLE).
HAP over BTLE shares a lot with HAP over IP (pairing, verification, ...), so it helps to read Alex Skalozub's research on HAP over IP before working on the BTLE side.
HomeKit on iOS identifies a BTLE HomeKit accessory from its advertisement data.
A HomeKit accessory advertises the service UUID FED4 and service data for FED4 that contains a 6-byte username and 3 bytes of flags(?).
The advertised device name will become the Accessory name in HomeKit.
HomeKit over BTLE operates on GATT services and characteristics. A HomeKit BTLE accessory needs at least these services and characteristics:
HAP Pairing Service (FED4)
|
--Pair Setup 0000004C-0000-1000-8000-0026BB765291
--Pair Verify 0000004E-0000-1000-8000-0026BB765291
--Pairing Features 0000004F-0000-1000-8000-0026BB765291
--Pairings 00000050-0000-1000-8000-0026BB765291
Accessory Info Service (FED3)
|
--Manufacturer Name 00000020-0000-1000-8000-0026BB765291
--Model Name 00000021-0000-1000-8000-0026BB765291
--Serial Number 00000030-0000-1000-8000-0026BB765291
--Identify 00000014-0000-1000-8000-0026BB765291
--Service Instance ID 00000051-0000-1000-8000-0026BB765291
When a developer asks to identify an unpaired HomeKit accessory, the iOS device connects to the accessory and writes the Identify characteristic without encryption.
When a user tries to pair with a new HomeKit accessory, HomeKit on iOS establishes a connection to the accessory.
After the connection is established, iOS first reads Pairing Features from the accessory to determine whether it should enforce the MFi requirement.
Once the MFi status of the accessory is known, HomeKit starts the Pair Setup sequence by writing to the Pair Setup characteristic.
Communication in this phase is unencrypted and uses TLV encoding.
The process to establish a shared secret is similar to HAP over IP; refer to the section Establishing a shared secret in Alex's research for details.
The only BTLE-specific point is that HomeKit on iOS uses queued writes when the packet is larger than the MTU.
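The TLV encoding used in the unencrypted Pair Setup phase, as an added example that is not part of the original notes: a minimal HAP TLV8 encoder and decoder (1-byte type, 1-byte length, value; a value longer than 255 bytes is sent as consecutive items of the same type, which the decoder has to join, and which is one reason a single Pair Setup write can exceed the MTU). The type codes 0x06 (state) and 0x03 (public key) in the sample come from the HAP specification, not from this page, and the sample bytes are constructed.

```python
# Added example (not code from the gist): a minimal HAP TLV8 codec.
# Each item is a 1-byte type, a 1-byte length and the value. A value longer
# than 255 bytes is sent as consecutive items with the same type, so the
# decoder has to join such fragments back into one value.
from typing import List, Tuple

MAX_FRAGMENT = 255  # largest value that fits in one TLV item

def tlv8_encode(items: List[Tuple[int, bytes]]) -> bytes:
    """Encode (type, value) pairs, fragmenting values longer than 255 bytes."""
    out = bytearray()
    for typ, value in items:
        if not 0 <= typ <= 0xFF:
            raise ValueError("TLV type must fit in one byte")
        # An empty value still yields a header with length 0.
        chunks = [value[i:i + MAX_FRAGMENT]
                  for i in range(0, len(value), MAX_FRAGMENT)] or [b""]
        for chunk in chunks:
            out += bytes((typ, len(chunk))) + chunk
    return bytes(out)

def tlv8_decode(data: bytes) -> List[Tuple[int, bytes]]:
    """Decode in order, joining consecutive items of one type into one value;
    truncated input raises ValueError instead of yielding a partial value."""
    items: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % pos)
        typ, length = data[pos], data[pos + 1]
        value = bytes(data[pos + 2:pos + 2 + length])
        if len(value) != length:
            raise ValueError("truncated TLV value at offset %d" % pos)
        if items and items[-1][0] == typ:
            # Same type as the previous item: a continuation fragment.
            items[-1] = (typ, items[-1][1] + value)
        else:
            items.append((typ, value))
        pos += 2 + length
    return items

def sample_pair_setup_items() -> List[Tuple[int, bytes]]:
    """Constructed sample: 1-byte state (type 0x06) and a 300-byte public key
    (type 0x03); type codes are from the HAP spec, the value bytes are made up."""
    return [(0x06, b"\x01"), (0x03, bytes(range(256)) + bytes(44))]

if __name__ == "__main__":
    wire = tlv8_encode(sample_pair_setup_items())  # 307 bytes, 3 TLV items
    print(len(wire), tlv8_decode(wire) == sample_pair_setup_items())
```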
After Pair Setup finishes, HomeKit on iOS starts the Pair Verify process.
All communication is done by reading and writing the Pair Verify characteristic.
Refer to the section Pairing verification in Alex's research for details.
After pairing verification, HomeKit uses encrypted reads and writes to communicate with the accessory for reading and updating its state.
The encryption is overall similar to HAP over IP, but I'm not sure how they pick the nonce for the encryption.
https://gist.github.com/KhaosT/6ff09ba71d306d4c1079#hap-over-btle