====== Withings wireless scales ======
[[https://en.wikipedia.org/wiki/Withings|Withings]] is a French company which produced a very nice [[.withingsws30:range|range]] of wireless (802.11 and Bluetooth in the same device) scales (the sort for weighing humans, not flour and sugar). They were so nice, in fact, that in 2016 [[https://www.nokia.com|Nokia]] decided to buy them (the company, not just the scales) some time after it realised it was no longer selling very many mobile phones (or, for that matter, rubber boots). Withings then split from Nokia to be an independent company again in 2018.
The scales are designed to connect to your wireless network, send some of your most intimate data to a French web server running an old version of Ubuntu on a US$60 [[https://beagleboard.org/black|Beaglebone Black]] computer (according to the HTTP headers it sends back, anyway), from whence you can then find out how much you weigh and how badly your diet is going by connecting back to the //nuage// (French for cloud, hahaha) service using an app on your smartphone or tablet.
Hm, what a way to (a) complicate things, and (b) send your personal data across the world to a server, after you've agreed (on the app on your smartphone / tablet) that they can have complete access to (amongst other things I didn't find quite so offensive to my privacy) your:
* phone status and identity
* text messages
* camera
* location (both approximate, from networks, and accurate, from GPS)
* contacts list
* calendar (both general events, and confidential information)
* SD card (read + modify)
* user accounts on the device
* network connectivity
* Bluetooth settings
(the above list is taken from the "App info" screen after installing it on an Android tablet).
Oh, and by the way, the app has permission to automatically run on startup, and to prevent the device from sleeping.
This sort of access to your personal data may be enough to prevent you from sleeping, too.
I'm the sort of person who doesn't like my data going anywhere I'm not in control of (and I'm certainly not keeping an app like the above installed on my tablet for longer than absolutely necessary, either), so I far prefer the idea of getting the scales to talk to a server of my own instead.
Fortunately,
- I'm not the first person to think about doing this
- Withings (and in their turn, Nokia) haven't done anything particularly clever to stop it being possible
So, with the aid of the online notes from [[https://blog.chris007.de/hacking-the-withings-wifi-body-scale-2/|BEni]] (offline Dec 2018?), [[https://ww.sd.vc/wp/?s=withings|Stefan Dorn]], [[https://www.prolixium.com/mynews?id=915|Mark Kamichoff]] and [[https://poppopret.org/2013/06/10/summercon-2013-hacking-the-withings-ws-30/|Michael Coppola]] (there may be others who've done this, but these are the ones I found), I'm planning to persuade my WS-30 to talk to **my** webserver and post my bodily statistics to **my** database instead of Withings'.
===== Resetting to factory defaults =====
If, like me, you bought your scales second-hand on eBay, you probably want to do a factory reset on them to erase any settings the previous owner might have left behind.
Finding out how to do this is not entirely simple (I still haven't been able to find a downloadable user guide for the things from Nokia's healthcare Withings' website, and Withings' Nokia healthcare's online presence has now disappeared).
However, some [[https://www.manualslib.com/manual/1156371/Withings-Ws-30.html?page=43|archive sites]] still have useful data, so here's how to reset a WS-30 to factory defaults (Note: this doesn't work for a WBS01; I suspect it's not possible on that model without talking to it over Bluetooth):
- delete the device from your mobile phone / tablet's bluetooth and/or wireless 'recognised devices / networks' lists
- remove one of the batteries from the scales for 10 seconds (this is certainly an over-estimate; you just need to allow enough time for the internal CPU to stop doing anything and power up from zero in the next step)
- replace the battery and wait for "Hello" to appear on the display
- press both buttons on the back simultaneously (you don't have to press them hard; just keeping the weight of the scales balanced on two fingers is sufficient) for **20 seconds** (this is __not__ an over-estimate)
* the "Hello" will disappear after just a few seconds and the display will go completely dark while you keep the buttons pressed
- after 20 seconds, the word "Factory" should appear on the display, and the scales are now reset to default settings.
===== Display upside-down? =====
For some reason which I cannot imagine, Withings decided to provide a mode where the display shows everything [[https://support.withings.com/hc/en-us/articles/201489217|upside-down]] (ie: you would have to have the screen between the heels of your feet instead of between your toes to be able to read it conveniently, which I don't think counts as "conveniently").
I bought a WBS01 for €8 (plus €6 postage) on eBay simply because the previous owner didn't know how to correct this, and therefore sold the scales as defective. Thank you.
To correct the upside-down display:
- Remove at least one battery
- Wait at least 30 seconds
- Replace the battery
Note to eBay sellers: removing the batteries before shipping and then sending the scales to me so that I can insert new ones works just as well :)
====== Note ======
This documentation is very much a work in progress, and is currently far from complete in terms of telling you how to do anything useful. Don't bother to read any further if what you're looking for is a step-by-step guide to actually achieving something.
===== Too long; don't read... (part 1) =====
[[.withingsws30:tldr1|The next few paragraphs]] were written whilst I was working under the mistaken assumption that the setup process would be IP-based - in fact, it's Bluetooth-based.
===== Before configuring the scales =====
You don't want the scales to start talking to Withings/Nokia just as soon as you've told them what your wifi password is, so **before** going through the [[https://support.health.nokia.com/hc/en-us/articles/201488807|configuration process]] using your mobile phone or tablet, make sure to block communications from the scales on your firewall / router.
The scales have the (wireless) MAC address printed inside the battery compartment. Add a rule to your router's firewall settings to stop anything from this MAC address reaching the outside world.
(Incidentally, the MAC address of the Bluetooth interface is the wireless MAC address plus 1.)
In my case my firewall is a Banana Pi R1, so I used **iptables** to stop the things being able to find the Internet:# iptables -I FORWARD -m mac --mac-source 00:24:e4:08:15:86 -j DROP
# iptables -I FORWARD -m mac --mac-source 00:24:e4:08:15:86 -j LOG
This adds two rules to my firewall, to log all packets from the MAC address of the scales, and then drop them so they don't get out to the Internet.
My firewall is also the DHCP server, and the DNS server for my network, so the scales will acquire an address and then be able to do DNS lookups, but won't be able to reach whatever it decides to look up.
==== Create a Bluetooth device and ask the app to connect to it ====
I have a Linux laptop with a built-in Broadcom Bluetooth interface, so I gave it the device name "Withings WS30 86", started **hcidump** to capture anything which came in, and then started the Nokia app on my tablet.
I have no idea what to make of {{:technotes:bluetooth.txt|the results}}, probably because I know almost nothing about how Bluetooth devices communicate with each other.
So, maybe I can learn something useful by intercepting the communication between the app and the real scale (rather like option 3 [[.withingsws30:tldr1|above]], but this time based on Bluetooth instead of wireless networking).
[[https://github.com/conorpp/btproxy|BTproxy]] looks like what I need, so let's give that a go...
==== Too long; don't read (part 2) ====
The documentation for BTproxy lacks important information about what sort of Debian system you need to start from, as well as several of the packages you need to install.
You can [[.withingsws30:tldr2|see how I found this out]], or you can simply proceed with some more useful instructions below.
==== Installing BTproxy ====
[[https://github.com/conorpp/btproxy|The documentation for BTproxy]] misses out a **lot** of stuff which is actually needed to install and run it (assuming you're starting from a freshly installed Debian system).
These notes attempt to fill in all the gaps.
Start with Debian 9 "Stretch" or later, since Debian 8 "Jessie" doesn't have the required version of pybluez, and Debian 7 "Wheezy" doesn't have it at all.
# aptitude install bluez {libbluetooth,python}-dev python-{bluez,setuptools} gcc unzip
# wget https://github.com/conorpp/btproxy/archive/master.zip
# unzip master.zip
# cd btproxy-master
# python setup.py install
running install
... several more lines, hopefully ending with ...
Moving PyBluez-0.22-py2.7-linux-x86_64.egg to /usr/local/lib/python2.7/dist-packages
Adding PyBluez 0.22 to easy-install.pth file
Installed /usr/local/lib/python2.7/dist-packages/PyBluez-0.22-py2.7-linux-x86_64.egg
Finished processing dependencies for btproxy==0.1
There, now that wasn't so hard //once you know how//, was it?
==== Using BTproxy (or at least, trying to) ====
Firstly, check that you have at least one Bluetooth interface available:
# hciconfig
hci0: Type: Primary Bus: USB
BD Address: 00:11:67:5A:D6:2A ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING
RX bytes:988 acl:0 sco:0 events:45 errors:0
TX bytes:692 acl:0 sco:0 commands:43 errors:0
Then set up the MAC addresses of your tablet, which you want to intercept the communications with, and the Withings scale (it's the wireless MAC address, which is printed on a label in the battery compartment, plus one):
# btproxy 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff
The above assumes your tablet has the MAC address 00:11:22:33:44:55 and your Withings scale has MAC address aa:bb:cc:dd:ee:ff.
If you're not sure about either of these MAC addresses, turn the devices on, make sure their Bluetooth visibility is enabled (but don't pair them or start the setup app) and run **hcitool scan**:
# hcitool scan
Scanning ...
00:16:D4:C7:A1:43 Z130
00:22:F4:F6:F7:CD Tolino Tab 7
00:24:E4:08:15:87 Withings WS30 86
These are the two MAC addresses you need to use on the BTproxy command line.
This is the point at which you find the next stupid part about BTproxy - it assumes you're not running as root, without checking, and it assumes you have the sudo command installed and configured, to acquire root privilege.
# btproxy 00:22:F4:F6:F7:CD 00:24:E4:08:15:87
Running proxy on master 00:22:F4:F6:F7:CD and slave 00:24:E4:08:15:87
/usr/local/bin/replace_bluetoothd: line 4: sudo: command not found
/usr/local/bin/replace_bluetoothd: line 9: sudo: command not found
On a Debian machine the sudo command is not installed by default, and running the command as root should be sufficient that this doesn't matter.
Delete the three instances of **sudo** from the (extremely short) bash script /usr/local/bin/replace_bluetoothd and try again:
# btproxy 00:22:F4:F6:F7:CD 00:24:E4:08:15:87
Running proxy on master 00:22:F4:F6:F7:CD and slave 00:24:E4:08:15:87
Put the scales into Bluetooth discovery mode, start the app, and select Install A Device.
You can go as far through this process as you like, and you probably won't see any output from BTproxy at all, because the two devices have simply associated with each other and aren't going via the proxy.
Turning on debug mode (**-v**) on BTproxy still shows no output at all, which makes me think it's doing nothing.
It's not at all clear to me what is __supposed__ to cause the master-slave connection to go via the proxy, instead of the two devices simply finding each other and associating directly.
Giving the Master interface a different name (with the **-1** option), or even trying the same thing with the Slave interface (**-2**), just in case the documentation is by any chance a little confusing, does not result in the name appearing in a scan of available devices from the tablet. This seems to confirm to me that it simply isn't working.
==== Progress, at last (but not a lot) ====
The notes for BTproxy do say that "If you are using bluez 5, you should try uninstalling and installing bluez 4. I've had problems with bluez 5 hanging."
This does require a bit of courage on a Debian system, because you're starting from Debian 9 "Stretch" (so that you have the required version of pybluez), and you have to go back to Debian 7 "Wheezy" in order to find bluez version 4.
However, the installation is not as hairy as you might think, and it does indeed appear to work. Once you've downgraded bluez to version 4 and restarted btproxy in debug mode, you start seeing some output!
It turns out that you need to put the slave device (the scales) into discoverable mode, wait for BTproxy to find it, and then put the master device (the tablet) into discoverable mode as well, after which BTproxy falls over with the complaint:running ['hciconfig', 'hci0', 'sspmode', '1']
Can't set Simple Pairing mode on hci0: Input/output error (5)
Command '['hciconfig', 'hci0', 'sspmode', '1']' returned non-zero exit status 1 ['hciconfig', 'hci0', 'sspmode', '1']
So, progress of a sort, but it's still not looking at all good, to me.
----
[[.:|Go up]]\\
Return to [[:|main index]].