We write an application on Mi Band 7 with a service part

Introduction

Recently I bought myself a Mi band 7, at first I wanted to buy the 6th version, until I found out that the operating system was updated on the 7th and now it supports installing applications. Yes, they did not officially announce this, but the craftsmen have already made many applications. They put them as watch faces, and these are quite common applications. But all these applications work only locally on the MiBand 7 itself, not being able to interact with either the phone or the Internet. I delved into the application bytecode and Zepp OS documentation to find a way to create applications that interact with the Internet, in this article I will describe my path. As a result, I managed to make a request to the Internet from the watch and even launch a bridge for debugging applications.

This article is written purely for informational purposes. I am not advocating for anyone to redesign the code to add new features in order to use and distribute the converted software.

Why are apps not officially supported?

I am interested in this question, but unfortunately I do not know the reasons. It seems that Xiaomi Band 7 was made for xiaomi by zepp. And it was easier for them not to support another operating system, but to use existing developments for zepp watches. Therefore, this watch has a ZeppOS system. Probably Xiaomi decided not to pay for all the chips of the system and therefore the functionality of the watch is software-limited.

Start

To get started, to figure out how the system works, I tried to install a couple of applications from MelianMiko. I set it up in the simplest way, through watch face appYou can read the details on w3bsit3-dns.com. I did some research on the structure of applications and this is what I understood: an application is a bin file, which is a simple zip archive with at least a few files: app.json (Manifest), app.js (Code for initializing and de-initializing the application at startup), index.js(Page code), icon.png. Next, I went to the ZeppOS official documentation site, there described how to enable debug mode through the Zepp App. But when I tried to connect the watch through this application, I got an error:

I decided not to stop there, downloaded this application version 7.0.1, decompiled via apktool to bytecode and via jadx to java code:

apktool d com.huami.watch.hmwatchmanager_7.0.1-play_100802.apk
jadx com.huami.watch.hmwatchmanager_7.0.1-play_100802.apk -d com.huami.watch.hmwatchmanager_7.0.1-play_100802_JADX

Further, for the study of the code, it is easier to use the result of jadx, but only the result of apktool will be compiled back, so the changes will have to be made in the bytecode.

To begin with, I made sure that this application supports or once supported MiBand. For this, I found several references to MiBand 7 (officially it is called Xiaomi Smart Band 7). Its codename in the app is “MILI_L66”.

Next, I decided to trick the application (without changing it yet) and tried to connect my watch to the application, pretending to be another watch. To do this, I scanned the qr for the setup on my watch, I got this link:

https://hlth.io.mi.com/download?redir=7800&mac=CE82E4D50231&pnpNumber=103&pnpVersion=258

It contains the MAC address, pnpNumber, pnpVersion – it looks like some device identifiers. I tried to replace them, but it did not help, so I decided to see what qr codes other zepp devices have when setting up. In Google, I found a video in Amazfit Band 7 binding, scanned the code, received the following link:

https://api-watch.huami.com/forwarding/watchUS?macAddress=C9EC6C59A185&pnpNumber=117&pnpVersion=259

This link links to a completely different domain name. Next, I decided to try to simply substitute macAddress from my qr code into this URL and make a qr code from this. And it helped, my watch connected, the application set it up as Amazfit Band 7.

I found that all the functionality from the Xiaomi app is here and I can fully customize my watch. But after the setup, the application understood that I did not have Amazfit but Mi Band and did not allow me to install any applications and dials for Amazfit. Therefore, I decided to redo the application further.

Recompiling the application

In order for the application to give me the opportunity to put mini apps on my watch, I decided to make it think that I do not have Xiaomi Smart Band 7, but Amazfit Band 7. For this, just like for Mi Band 7, I found the code name for Amazfit Band 7 – “MiliBari ”:

Further I found all mentions of MILI_L66 and MILI_BARI. The HMDeviceSource class seemed to be the most interesting:

You can see in it the codes corresponding to different types of devices – their identifiers.

Next, you need to switch to the bytecode that apktools gave us.

Here I also found the bytecode of the HMDeviceSource$a.smali class and changed 3 lines in it as in the screenshots:

Now you can assemble it back, sign it, install it. The original application will have to be removed first, as the signature is no longer original.

apktool b com.huami.watch.hmwatchmanager_7.0.1-play_100802 --use-aapt2
apksigner sign --ks-key-alias alias_name --ks-pass pass:123456 --ks release-key.keystore com.huami.watch.hmwatchmanager_7.0.1-play_100802/dist/com.huami.watch.hmwatchmanager_7.0.1-play_100802.apk
adb install com.huami.watch.hmwatchmanager_7.0.1-play_100802/dist/com.huami.watch.hmwatchmanager_7.0.1-play_100802.apk

Now you can log in to the application again and connect the Mi Band as I described above by changing the qr code.

Work of the recompiled application

After these manipulations, the application began to display the functionality for amazfit band 7! Hooray! The image will first show Mi Band 7, but if you change the dial, it will change to amazfit band 7. My dial from Amazfit has risen as a native.

Also, the App Store button has now appeared, where you can put applications from the store for amazfit band 7. Not everyone has worked perfectly, but most. For some reason, there are only 5 of them in the store so far. Apparently, there is still a very small community of developers)

Next, I already tried to install my application, with the service part, at first I went the hard way, replacing the application files. Later I realized that you can use the bridge in developer mode on the application, which is much easier and allows you to display logs. It is likely that developers may stop supporting bridged debugging when this version of the application becomes obsolete. But in this article I will describe only the easier way, through the bridge. If you are interested, I can then describe the second way.

Create a project

On w3bsit3-dns.com I found user projects MelianMiko. He made a mi band simulator, and many applications, and a utility for building projects – zmake. You can use them to create simple applications, but as I understand it, zmake creates projects only without the service part that runs on the phone. Also, unlike the official assembler, it does not compress the code into a bin file, but leaves it in js format (I may be wrong here, correct me if it’s wrong). The simulator unfortunately does not work under Linux and MacOS, so I did not use it, instead I used the official Amazfit band 7 simulator.

To create a project, I used the official utility Zeus for ZeppOS. A new project can be created with the zeus create project-name command. It is necessary to select “1.0 API”, the API of the second version of MiBand 7 does not support.

Next, I will describe the contents of the assembled application, this is not very necessary information, just for general information.

When the project is ready, it can be built with the zeus build command. A zab archive will appear in the dist folder, it can be opened as a simple zip archive. It contains a manifest with a description of the application and a common.zpk archive, which also opens as a zip archive. In it you can already see the main components of the application:

• The device.zip file contains code that runs on the watch, it can be changed to bin format and installed even through the application for installing watch faces.

• The app-side.zip file contains code that runs on the phone side.

• It seems that there may still be a file describing the mini app setup using the phone application.

An excellent set of sample applications, including those with a service part, is available at github. I took the “fetch-api” example as a basis.

Bridge setup

There is nothing special here, everything is from the ZeppOS documentation. It is necessary to log in to one account in the application on the phone and in the simulator application. Enable developer mode in the application and then select the watch in the list of devices, open the developer settings at the bottom and click the enable bridge button in the drop-down list. After connecting to the bridge, you need to in the simulator application by pressing the Bridge button.

Now you can use the zeus console utility to debug the project:

zeus bridge
сonnect 
install

Request to the Internet on the button on the clock.

As I wrote above, I took as a basis an example of a project from the official zepp os github account, “fetch-api”. By changing the code in the app-side, I made a request from the phone to the domain ident.meto get my current external ip, for the sake of the example.

Conclusion

As a result, I got a small application on the clock, which can display my external ip at any time. This is certainly not the goal I was aiming for. My goal was to demonstrate that the Mi Band 7 watch actually has a hidden, software-limited functionality. This watch can not only change dials, but also work with applications. And even send data via phone to the Internet and receive a response. Such applications can be used, for example, to control a smart home) Probably in future versions of the clock this will be officially announced, but so far there is no such thing. Even the Band 7 Pro does not officially have zepp os.

PS This was my first article. I hope you enjoyed it, write comments, I will be glad to any criticism!