Medtronic Guardian Connect - BT protocol #2438
-
Great news and respect if they are using an open standard. Could you provide a Play Store link to the exact app you are using? In terms of implementing a collector, this is much easier when I have the actual device but if it really is standards compliant then it might be possible remotely.
-
@ViktorSchlaffer I believe you are sufficiently technical to understand these brief instructions. They are fairly complex though: Please enable Android developer mode on your phone and then enable the HCI Bluetooth logging from the developer settings. You may need to turn Bluetooth off/on to activate it. Allow a significant amount of data to get collected - for example 1 hour of data. Then using
-
Hello everyone, I just got my Medtronic Guardian model 4 sensor. I have tried 16 (!!!!) Android phones and 2 iPhones, and I managed to get the official app to run on only 3 (and when I say "run" I mean "run" and not "work as intended"). I tried some reverse engineering and I came to the conclusion that there is maybe this bug (flutter/flutter#96367) which causes a crash on startup. This is some memory black magic, so I don't think that certain Android versions and/or models are "incompatible"; they maybe just have their memory mapped in a different way (?), or just happen to cause this bug, and they are lazy/don't care to fix it. I could also reproduce this on an iPhone 6, so it is definitely a cross-platform bug, which is why I'm guessing it is Flutter-related. Anyway, this is insane to me: on Google Play more than 150 people have reported since November 2022 that the app does not work or freezes for them. (Remember this is a medical device, people's lives may depend on it???). I contacted the support, they "forwarded this to the developers"... Long story short, I am also collecting Bluetooth HCI data and I could give up some of my time to help with this project. I really believe we could make this type of sensor work with xDrip. Thanks in advance
-
Okay, happy news guys. I started reverse engineering the app(s), I almost understand the Bluetooth communication, and I can talk directly with the device. However, of course there are still grey areas which need to be sorted out, but the hard part is over.
-
Hey @palmarci, we also went down this path, and we were able to capture the traffic between the BT transmitter and an Android phone. The "00002aa7-0000-1000-8000-00805f9b34fb" UUID should have the glucose value, but I have not been able to figure out the message format. I've also tried reading UUID "00002aaa-0000-1000-8000-00805f9b34fb", which is supposed to be the CGM session start time, as I expected that to be quite static, but the answer seems to have no static parts:
As all the fields are changing, I suspect that there is encryption on the data of these handles. If you open btsnoop files with Wireshark and filter down with "btatt.opcode == 0x1b", those messages should be the measurement notifications sent to the phone, but they also seem to have some encryption. I got payloads like this:
If you think you can figure out more, I can share my captures with you.
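
The Wireshark filter quoted in the post above (`btatt.opcode == 0x1b`) can also be applied offline to a btsnoop log, which makes it easy to check which payload bytes stay constant between notifications. This is an added example, not code from the thread or from xDrip. It assumes an Android btsnoop capture with H4 framing (datalink type 1002) and unfragmented L2CAP frames; the sample capture, the handle 0x0025 and the payload bytes are constructed.

```python
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
H4_ACL = 0x02                        # HCI packet type byte: ACL data
ATT_CID, ATT_NOTIFY = 0x0004, 0x1B   # L2CAP channel for ATT; Handle Value Notification

def att_notifications(capture: bytes):
    """Return [(attribute_handle, value_bytes)] for every ATT notification."""
    if capture[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack(">II", capture[8:16])
    if datalink != 1002:
        raise ValueError(f"unsupported datalink {datalink}, expected H4 (1002)")
    out, pos = [], 16
    while pos + 24 <= len(capture):
        # Record header: orig_len, incl_len, flags, drops (uint32 BE), timestamp (int64 BE)
        _orig, incl, _flags, _drops, _ts = struct.unpack(">IIIIq", capture[pos:pos + 24])
        pkt = capture[pos + 24:pos + 24 + incl]
        pos += 24 + incl
        if len(pkt) < 12 or pkt[0] != H4_ACL:
            continue
        # ACL header (handle+flags, length), then L2CAP header (length, CID), little-endian
        _conn, _acl_len, l2_len, cid = struct.unpack("<HHHH", pkt[1:9])
        att = pkt[9:9 + l2_len]
        if cid == ATT_CID and len(att) >= 3 and att[0] == ATT_NOTIFY:
            out.append((struct.unpack("<H", att[1:3])[0], att[3:]))
    return out

def varying_offsets(values):
    """Byte offsets whose value differs across the given payloads."""
    n = min(len(v) for v in values)
    return [i for i in range(n) if len({v[i] for v in values}) > 1]

def _record(h4_packet: bytes) -> bytes:
    return struct.pack(">IIIIq", len(h4_packet), len(h4_packet), 1, 0, 0) + h4_packet

def _notify(handle: int, value: bytes) -> bytes:
    att = bytes([ATT_NOTIFY]) + struct.pack("<H", handle) + value
    l2cap = struct.pack("<HH", len(att), ATT_CID) + att
    return bytes([H4_ACL]) + struct.pack("<HH", 0x2040, len(l2cap)) + l2cap

# Constructed sample capture: two notifications on made-up handle 0x0025 and one HCI event.
SAMPLE = (BTSNOOP_MAGIC + struct.pack(">II", 1, 1002)
          + _record(_notify(0x0025, bytes.fromhex("0a11c3")))
          + _record(b"\x04\x0e\x04\x01\x03\x0c\x00")
          + _record(_notify(0x0025, bytes.fromhex("0a7e19"))))

if __name__ == "__main__":
    print(att_notifications(SAMPLE))
```

On a real capture, pass the file's bytes to `att_notifications` and group the results by handle before calling `varying_offsets`.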
-
I've got the parsing, I think:
-
guardian_characteristic_parser.zip (only for feature information)
-
I had some free time so I tried to find the encryption algorithm. And I think I found it: it's written in native C.... in libandroid-sake-lib.so. Related Java code: com.medtronic.e.a.a.a.f (Top layer, calls SakeClient)
-
Any update?
-
With the 780G system you only need the Minimed Mobile app, so the phone only communicates with the pump. The Guardian 4 sensor is communicating with the pump, not yet the phone.
…________________________________
From: Pal Marci ***@***.***>
Sent: Tuesday, 19 September 2023 19:36
To: NightscoutFoundation/xDrip
Cc: Troxelke; Comment
Subject: Re: [NightscoutFoundation/xDrip] Medtronic Guardian Connect - BT protocol (Discussion #2438)
Not until we break the encryption, I'm afraid 😢. I will look into the other APK, but I'm not expecting anything new really. By the way, how does it work together? You need two apps or just the Minimed? Does the pump directly communicate with the sensor?
-
Hello guys, I have been doing some work on the apps and got some very interesting results. To continue the investigation of the Bluetooth communication I need some help. I have created a group chat at
-
I am currently using 780G and to this point I have been using Libre 1 & 2, Dexcom G4 & G6, Guardian 3, and now I also have access to Guardian 4 and Dexcom G7. My experience with Guardian 3 was - comparable to Dexcom G6 - so bad, that I sacrificed the benefits of the SmartGuard loop and rather used G6 instead of Guardian 3. Dexcom G7 and Libre 3 do not make wearing Guardian 4 any less inferior, so I am exercising the idea of using e.g. BGM220SC22 (or nRF52) as a proxy between Dexcom G7 and 640G/780G. I am aware that
so I would be grateful for an email if someone is still researching this topic.
-
Hello, I've been looking into the encryption protocol here for the last couple of days. I believe I've managed to fully figure out the encryption protocol. I also managed to interface with my own Guardian 4 transmitter and, just as a test using manually crafted messages, managed to verify the authentication tag in the second handshake message coming from the transmitter. I plan to write a reference implementation in the next few weeks. @palmarci, I've been unable to join Discord, but I'd be interested to know the latest findings here. Feel free to drop me an email. (edited for brevity)
-
Hi,
I have a Medtronic Guardian Connect transmitter that has a BT radio, and the transmitter is capable of communicating with an Android or iPhone mobile directly. I've tried to connect to the transmitter from my laptop to reveal some information, and it looks like the transmitter advertises a "Continuous Glucose Management Service" that is described in a Bluetooth specification. [1]
This is what I've found out so far:
https://gist.github.com/ViktorSchlaffer/75a1b6a6a9dff961da58fdaa6f40d8fa
So it looks like it's not some proprietary protocol, they're following a standard, and it might make it easier to add it as a new collector source in xDrip. What's your take on this?
(The official app from Medtronic has a 1.2 star rating in the Play store, I guess it explains why I'm trying to do this... )
Thanks,
Viktor
[1] https://www.bluetooth.com/specifications/specs/continuous-glucose-monitoring-service-1-0-1/