bg443/BikeBridge
1
10
Fork
You've already forked BikeBridge
3

Add Bosch authentication support #4

Open
opened 2025年09月06日 12:07:44 +02:00 by bg443 · 3 comments
Owner
Copy link
No description provided.

Hey, any progress? I have gathered some info about it and if you have any progress lets see what can we do?

Hey, any progress? I have gathered some info about it and if you have any progress lets see what can we do?
Author
Owner
Copy link

Hey, unfortunately I haven't had time to take a look at the Bosch app. I also don't have access to a bike with a Bosch motor to test either 😔

Please do feel free to share any information, more than happy to add support to BikeBridge.

Hey, unfortunately I haven't had time to take a look at the Bosch app. I also don't have access to a bike with a Bosch motor to test either 😔 Please do feel free to share any information, more than happy to add support to BikeBridge.

@paychorealm69 wrote in #4 (comment):

Hey, any progress? I have gathered some info about it and if you have any progress lets see what can we do?

Hi @paychorealm69 and @bg443,

A quick update specifically on the authentication front, following some extensive MITM tracing and hardware testing over the last few days.

The great news for BikeBridge is: There is no proprietary app-level authentication handshake required to read live telemetry.

Unlike Shimano (which requires a specific challenge-response payload to be written to the bike), the Bosch Smart System's Live Data Interface (LDI) relies purely on standard Bluetooth LE Secure Connections (Bonding).

Here is how authentication works for Bosch telemetry:

The user pairs the bike via the standard Android Bluetooth settings (or a standard BLE pairing request is triggered).
Android stores the Long Term Keys (LTK).
When connecting, Android automatically encrypts the BLE link in the background.
As long as the link is encrypted, the Bosch bike cleanly accepts the standard 0x0100 CCCD write to enable the telemetry notifications on characteristic 00000011-eaa2-11e9-81b4-2a2ae2dbcce4.

The Caveat for Active Commands:
There very likely is a complex, proprietary cryptographic authentication mechanism, but it appears to be strictly isolated to the proprietary EBxx services. The official Flow App likely uses these for the "eBike Lock" feature and active motor configuration.

Since BikeBridge is operating as a read-only telemetry dashboard, we can completely bypass the proprietary authentication layer and rely entirely on standard OS-level Bluetooth bonding.

We are currently tracking the implementation of the telemetry parser over in #16!

@paychorealm69 wrote in https://codeberg.org/bg443/BikeBridge/issues/4#issuecomment-10590881: > Hey, any progress? I have gathered some info about it and if you have any progress lets see what can we do? Hi @paychorealm69 and @bg443, A quick update specifically on the authentication front, following some extensive MITM tracing and hardware testing over the last few days. The great news for BikeBridge is: There is no proprietary app-level authentication handshake required to read live telemetry. Unlike Shimano (which requires a specific challenge-response payload to be written to the bike), the Bosch Smart System's Live Data Interface (LDI) relies purely on standard Bluetooth LE Secure Connections (Bonding). Here is how authentication works for Bosch telemetry: The user pairs the bike via the standard Android Bluetooth settings (or a standard BLE pairing request is triggered). Android stores the Long Term Keys (LTK). When connecting, Android automatically encrypts the BLE link in the background. As long as the link is encrypted, the Bosch bike cleanly accepts the standard 0x0100 CCCD write to enable the telemetry notifications on characteristic 00000011-eaa2-11e9-81b4-2a2ae2dbcce4. The Caveat for Active Commands: There very likely is a complex, proprietary cryptographic authentication mechanism, but it appears to be strictly isolated to the proprietary EBxx services. The official Flow App likely uses these for the "eBike Lock" feature and active motor configuration. Since BikeBridge is operating as a read-only telemetry dashboard, we can completely bypass the proprietary authentication layer and rely entirely on standard OS-level Bluetooth bonding. We are currently tracking the implementation of the telemetry parser over in #16!
Sign in to join this conversation.
No Branch/Tag specified
master
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
bg443/BikeBridge#4
Reference in a new issue
bg443/BikeBridge
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?