Getting the Mi Band authkey from an iOS device

September 8, 2023    Article

If you want to play with your Xiaomi Mi Band{4,5,6,7} without using the official application (Zepp/MiFit) you can do that, but there are some steps before you can pair your band/watch to your favorite Linux distro.

New devices (and older devices with updated firmware) require server-based pairing. This means that you absolutely must use the original MiFit/Amazfit/Zepp app to make the initial pairing, retrieve the pairing key from it and then use that key.

Currently, Mi Band 4, Mi Band 5, Mi Band 6 and Mi Band 7 are known to be the first devices with this enabled from the beginning. You must not unpair the band/watch from the original application (Zepp, MiFit) because that will change the device’s Bluetooth MAC address and a new auth key will be required (auth keys are based on the device’s MAC). Every time you hard reset the band/watch, the Bluetooth MAC address will be changed and you must get a new key.

As prerequisites, you should have Zepp Life installed on your Apple device, have created an account and have paired the band/watch with it.

There are multiple ways of retrieving the authkey if you’re using an Android device (rooted or not), but if you want to do the same thing on an iOS device (iPhone), things get more complicated: you will need to jailbreak the device.

I won’t talk about a specific way of jailbreaking your device because it depends on the device hardware and the installed iOS version, but this site will help you a lot in your Apple-freedom quest. Basically it’s either palera1n, checkra1n or unc0ver.

Once your device is jailbroken and you have SSH access to it, the next step is to figure out Zepp Life’s container uuid. You can do that by grepping for a specific string inside the directory where application data is stored on iOS: /var/mobile/Containers/Data/Application/. This part is done on the device itself over SSH, so ssh mobile@192.168.x.x first, replacing 192.168.x.x with your device’s IP address.

$ ssh mobile@192.168.x.x
mobile@192.168.x.x's password:
iPhone:~ mobile% grep -rli "Zepp Life" /var/mobile/Containers/Data/Application/

Now that you know the uuid (3BDFBA67-9BC4-47EC-B1DC-738AE491CC32), use scp to retrieve the SQLite database from the iOS device, again replacing 192.168.x.x with your device’s IP address. Also keep in mind that the uuid changes each time you reinstall the application (Zepp Life in this case), so the uuid will be different for you.

$ scp mobile@192.168.x.x:/var/mobile/Containers/Data/Application/3BDFBA67-9BC4-47EC-B1DC-738AE491CC32/Documents/HMDBDeviceInfoDataBaseV2.sqlite HMDBDeviceInfoDataBaseV2.sqlite
mobile@192.168.x.x's password:

Make sure you have the sqlite3 package installed.

$ sqlite3 HMDBDeviceInfoDataBaseV2.sqlite
SQLite version 3.39.5 2022-10-14 20:58:05
Enter ".help" for usage hints.
sqlite> select deviceOAuthKey, deviceID, macAddr, serialNumber from device_info;

You only need the first column, deviceOAuthKey (BEF16FB4835124FF77FAE01A35CAEBAF in my example; it’s all fake data anyway): that is the auth key. If you want to retrieve all the application data, you can use scp to recursively download all the needed files.
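As an added example (not code from the article), here is a small Python script that reads the key out of a local copy of the database the same way the sqlite3 query above does, but picks the device_info row by the band's MAC and checks that the key has the expected 32-hex-digit shape, so a stale row left over from an earlier pairing is not used by mistake. The column types and the sample rows are assumptions; the script builds a constructed stand-in database inline instead of reading the real HMDBDeviceInfoDataBaseV2.sqlite.

```python
import os
import re
import sqlite3
import tempfile

# Column names follow the page's query; the column types are an assumption (no schema is shown).
DEVICE_INFO_SCHEMA = """CREATE TABLE device_info (
    deviceOAuthKey TEXT, deviceID TEXT, macAddr TEXT, serialNumber TEXT)"""
AUTH_KEY_RE = re.compile(r"^[0-9A-Fa-f]{32}$")  # 16 bytes written as 32 hex digits


def normalize_mac(mac: str) -> str:
    """Return a MAC as upper-case colon-separated octets, whatever form it was stored in."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def extract_auth_key(db_path: str, mac: str) -> str:
    """Return the auth key stored for the band with MAC `mac`, validated as 32 hex digits."""
    # The key is tied to the MAC, and a hard reset or un-pair changes both, so the
    # row is chosen by MAC instead of blindly taking the first one the query returns.
    wanted = normalize_mac(mac)
    with sqlite3.connect(db_path) as conn:
        rows = conn.execute("SELECT deviceOAuthKey, macAddr FROM device_info").fetchall()
    keys = [key for key, stored in rows if normalize_mac(stored) == wanted]
    if len(keys) != 1:
        raise LookupError(f"expected one device_info row for {wanted}, found {len(keys)}")
    if not AUTH_KEY_RE.match(keys[0]):
        raise ValueError(f"unexpected auth key format: {keys[0]!r}")
    return keys[0].upper()


def make_sample_db(path: str) -> None:
    """Write a constructed stand-in for HMDBDeviceInfoDataBaseV2.sqlite (all values fake)."""
    with sqlite3.connect(path) as conn:
        conn.executescript(DEVICE_INFO_SCHEMA)
        conn.executemany("INSERT INTO device_info VALUES (?, ?, ?, ?)", [
            # Stale row from before a hard reset: old MAC, old key; must not be picked.
            ("0123456789ABCDEF0123456789ABCDEF", "1", "00:11:22:33:44:01", "FAKESN01"),
            # Current pairing; the key is the (fake) example value quoted on this page.
            ("BEF16FB4835124FF77FAE01A35CAEBAF", "2", "00-11-22-33-44-02", "FAKESN02"),
        ])


def demo() -> str:
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "HMDBDeviceInfoDataBaseV2.sqlite")
        make_sample_db(db)
        return extract_auth_key(db, "001122334402")


if __name__ == "__main__":
    print(demo())  # BEF16FB4835124FF77FAE01A35CAEBAF
```

To use it on a real copy, replace the demo() call with extract_auth_key("HMDBDeviceInfoDataBaseV2.sqlite", "<your band's MAC>").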

$ scp -r mobile@192.168.x.x:/var/mobile/Containers/Data/Application/3BDFBA67-9BC4-47EC-B1DC-738AE491CC32 3BDFBA67-9BC4-47EC-B1DC-738AE491CC32/

Notice the -r (recursive) flag. You might be interested in the Documents directory; inside it there will be a numeric directory named after your uid (something like 7149747118), which holds the SQLite databases containing your band/watch data.

Once you have the auth key you can use various applications and libraries to interact with your band/watch and will no longer require the original Zepp Life (or MiFit) application.