blutack an hour ago

I've seen this sort of thing previously (and the UUIDs match up).

https://developerhelp.microchip.com/xwiki/bin/view/applicati...

It's what happens when a product developer already has a design for a previous gen and needs to add "smart" with minimum effort, so they throw a Microchip UART-to-BLE gateway chip in. The chip basically just does single-byte UART over BLE over a pair of characteristics, which is very much an impedance mismatch with how BLE is designed to work. That's why some of the things seem to not align with the spec and why the protocol seems so stateful.

On the plus side, it means decompiling the Android app is very helpful, as there will be a parser for the binary protocol. It's also easier to work with for RE in some senses, as the actual Bluetooth code required is minimal (set up a notification and read the RX characteristic, write another). If you are OK with opening things, you can also use a USB serial adapter to trace the UART traffic between the gateway chip & the control IC (there's an AT-style protocol that's all well documented).

Fundamentally, it's probably either some basic hardcoded request/reply, or there's a "send me x datavalue every x seconds" command packet. Once you've got both sides of the UART, it will hopefully be fairly clear. Might even be plain ASCII...

There are various bits and pieces on GitHub that might be helpful, and Microchip have some developer tooling.
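The "stateful" feel the comment describes comes from the gateway delivering a serial byte stream in notification chunks whose boundaries have nothing to do with the application's message boundaries, so a receiver has to buffer across notifications and re-find message edges itself. The following is an added example (not from the commenter, Microchip, or any app on the page) of that reassembly step, with two framers: newline-delimited ASCII, for the "might even be plain ASCII" case, and a constructed binary frame (sync byte, length, payload, XOR checksum) standing in for whatever the decompiled parser would reveal. The binary format, the sync value 0xAA, and the sample streams are all invented for illustration and are not a real device's protocol.

```python
"""Reassemble a UART byte stream carried over BLE notifications.

Added example: a UART-to-BLE gateway forwards serial bytes as notification
payloads of arbitrary size (often a single byte), so message framing has to be
recovered on the receiving side. Frame formats here are constructed for
illustration, not taken from any real device.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A framer looks at the buffer and returns None when more bytes are needed,
# or (frame, consumed). frame is None when the consumed bytes were discarded
# (garbage or a corrupt frame); framers never return consumed == 0.
Framer = Callable[[bytearray], Optional[Tuple[Optional[bytes], int]]]


def ascii_line_framer(buf: bytearray) -> Optional[Tuple[Optional[bytes], int]]:
    """Newline-terminated ASCII lines; CR/LF terminator is stripped."""
    idx = buf.find(b"\n")
    if idx < 0:
        return None
    return bytes(buf[:idx]).rstrip(b"\r"), idx + 1


SYNC = 0xAA  # constructed sync byte for the hypothetical binary format


def binary_frame_framer(buf: bytearray) -> Optional[Tuple[Optional[bytes], int]]:
    """Hypothetical frame: SYNC, LEN, LEN payload bytes, XOR(LEN, payload).

    Bytes before a SYNC are discarded so the parser resynchronises after a
    dropped chunk; a frame with a bad checksum is dropped one byte at a time
    so a SYNC hiding inside it can still be found.
    """
    start = buf.find(bytes([SYNC]))
    if start < 0:
        return (None, len(buf)) if buf else None  # no sync byte: all garbage
    if start > 0:
        return None, start  # discard leading garbage up to the sync byte
    if len(buf) < 2:
        return None
    length = buf[1]
    total = 2 + length + 1
    if len(buf) < total:
        return None
    chk = 0
    for b in buf[1:2 + length]:
        chk ^= b
    if chk != buf[2 + length]:
        return None, 1  # bad checksum: drop this SYNC and resync
    return bytes(buf[2:2 + length]), total


@dataclass
class UartOverBleReassembler:
    """Keeps the stream state that a single BLE notification cannot carry."""
    framer: Framer
    dropped: int = 0  # bytes discarded while resynchronising
    _buf: bytearray = field(default_factory=bytearray)

    def on_notification(self, payload: bytes) -> List[bytes]:
        """Feed one notification payload; return any frames completed by it."""
        self._buf.extend(payload)
        frames: List[bytes] = []
        while True:
            result = self.framer(self._buf)
            if result is None:
                break
            frame, consumed = result
            if frame is None:
                self.dropped += consumed
            else:
                frames.append(frame)
            del self._buf[:consumed]
        return frames


def build_frame(payload: bytes) -> bytes:
    """Encode a payload in the constructed binary format (for the demo)."""
    chk = len(payload)
    for b in payload:
        chk ^= b
    return bytes([SYNC, len(payload)]) + payload + bytes([chk])


def demo_ascii() -> List[bytes]:
    """Constructed notifications that split lines at awkward points."""
    r = UartOverBleReassembler(ascii_line_framer)
    chunks = [b"TEMP=2", b"1.5\r\nBAT=8", b"7\r\nOK", b"\r\n"]
    out: List[bytes] = []
    for c in chunks:
        out.extend(r.on_notification(c))
    return out  # [b"TEMP=21.5", b"BAT=87", b"OK"]


def demo_binary() -> Tuple[List[bytes], int]:
    """Garbage, a good frame, a corrupt frame and a good frame, one byte per notification."""
    corrupt = bytes([SYNC, 0x01, 0x99, 0x00])  # checksum should be 0x98
    stream = b"\x00\x00" + build_frame(b"\x01\x02") + corrupt + build_frame(b"\x10")
    r = UartOverBleReassembler(binary_frame_framer)
    out: List[bytes] = []
    for i in range(len(stream)):
        out.extend(r.on_notification(stream[i:i + 1]))
    return out, r.dropped  # ([b"\x01\x02", b"\x10"], 6)


if __name__ == "__main__":
    print(demo_ascii())
    print(demo_binary())
```

Whatever the real framing turns out to be after decompiling the app, only the framer function changes; the buffering and resynchronisation logic stays the same, and the `dropped` counter is a cheap way to notice that chunks are being lost or that the guessed frame layout is wrong.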