Reversing Mpow flame S

[Ph0rk0z]

I have an MPow flame 2 and a flame S now. The S shows battery level in android. How can figure out the commands needed to make it work? Script always returns connection refused or device busy on all ports.

[TheWeirdDev]

There's a comment here about reversing the protocol using android devices.

You can figure out what AT Commands are sent and received but in order to make it work, your device needs to connect first. If it doesn't connect on any port, we can't use those commands.

Try waiting 5 seconds before trying another port. I think some ports block the device temporarily. That might be a reason you are getting device busy error.

[Ph0rk0z]

It has a serial port you can connect to but it never does that by itself.

[Ph0rk0z]

Ok, here is the magic happening:

   (Mpow Flame S)          HFP      26     Rcvd AT+BRSF=959 
   (Samsung Galaxy S III)  HFP      29     Sent   +BRSF: 3431  
   (Samsung Galaxy S III)  HFP      19     Sent   OK  
   (Mpow Flame S)          HFP      23     Rcvd AT+CIND=? 
   (Samsung Galaxy S III)  HFP      147    Sent   +CIND: ("CALL",(0,1)),("CALLSETUP",(0-3)),("SERVICE",(0-1)),("SIGNAL",(0-5)),("ROAM",(0,1)),("BATTCHG",(0-5)),("CALLHELD",(0-2))  
   (Samsung Galaxy S III)  HFP      19     Sent   OK  
   (Mpow Flame S)          HFP      22     Rcvd AT+CIND? 
   (Samsung Galaxy S III)  HFP      38     Sent   +CIND: 0,0,1,4,0,1,0  
   (Samsung Galaxy S III)  HFP      19     Sent   OK  
   (Mpow Flame S)          HFP      32     Rcvd AT+CMER=3, 0, 0, 1 
   (Samsung Galaxy S III)  HFP      20     Sent   OK  
   (Mpow Flame S)          HFP      23     Rcvd AT+CHLD=? 
   (Samsung Galaxy S III)  HFP      34     Sent   +CHLD: (0,1,2,3)  
   (Samsung Galaxy S III)  HFP      19     Sent   OK  
   (Mpow Flame S)          HFP      25     Rcvd AT+BIND=1,2 
   (Samsung Galaxy S III)  HFP      20     Sent   OK  
   (Mpow Flame S)          HFP      23     Rcvd AT+BIND=? 
   (Samsung Galaxy S III)  HFP      30     Sent   +BIND: (1,2)  
   (Samsung Galaxy S III)  HFP      19     Sent   OK  
   (Mpow Flame S)          HFP      22     Rcvd AT+BIND? 
   (Samsung Galaxy S III)  HFP      28     Sent   +BIND: 1,1  
   (Samsung Galaxy S III)  HFP      27     Sent   +BIND: 2,1  
   (Samsung Galaxy S III)  HFP      19     Sent   OK  
   (Mpow Flame S)          HFP      23     Rcvd AT+NREC=0 
   (Samsung Galaxy S III)  HFP      20     Sent   OK  
   (Mpow Flame S)          HFP      23     Rcvd AT+VGS=09 
   (Samsung Galaxy S III)  HFP      20     Sent   OK  
   (Mpow Flame S)          HFP      23     Rcvd AT+CLIP=1 
   (Samsung Galaxy S III)  HFP      20     Sent   OK  
   (Mpow Flame S)          HFP      23     Rcvd AT+CCWA=1 
   (Samsung Galaxy S III)  HFP      20     Sent   OK  
   (Mpow Flame S)          HFP      22     Rcvd AT+BTRH? 
   (Samsung Galaxy S III)  HFP      23     Sent   ERROR  
   (Mpow Flame S)          HFP      38     Rcvd AT+XAPL=0000-0000-0100,7 
   (Samsung Galaxy S III)  HFP      20     Sent   OK  
   (Mpow Flame S)          HFP      38     Rcvd AT+IPHONEACCEV=2,1,5,2,0 
   (Samsung Galaxy S III)  HFP      20     Sent   OK  
   (Mpow Flame S)          HFP      21     Rcvd AT+CLCC 
   (Samsung Galaxy S III)  HFP      20     Sent   OK  
   (Mpow Flame S)          HFP      36     Rcvd AT+BIA=1,1,1,0,0,0,1,0 
   (Samsung Galaxy S III)  HFP      20     Sent   OK  
   (Mpow Flame S)          HFP      36     Rcvd AT+CSRSF=0,0,0,1,0,0,0 
   (Samsung Galaxy S III)  HFP      23     Sent   ERROR  

[Ph0rk0z]

Its rooted with a custom rom. The stuff I posted was from HCI snoop log.

[Ph0rk0z]

Yes it shows a battery level. Its 7.1... but I don't see how the specifics of the phone matter.

[Ph0rk0z]

That is the log file.... commands between headset and phone. Some of them show up in the script but for some reason the script doesn't work.

[Ph0rk0z]

not related eh? yet same AT commands appear in the script? That's the entire dump of HFP packets after battery level was displayed. All I did was take the macs out.

[TheWeirdDev]

@superbonaci Please stop spamming.

[Ph0rk0z]

This headset looks like it uses AT commands. I checked BT GATT attributes and there are none. Afaik there is only serial and GATT when pulling BT battery. This script uses all AT. Also there is some patched branch of pulse that handles battery level which would be ideal but I've not messed with it yet. I already used a different set of modules to enable APTX/aptxHD.

Instead of repeating to me how to take a log when I rooted/custom flashed my phone maybe let me know what you're thinking and how that would even work with this script or another linux project that can return battery level. Spread knowledge not anger.