by emeryth (emeryth at hackerspace.pl)

This is a teardown and analysis of the Xiaomi flower/plant monitor (it doesn't seem to have an official name). The analysis is not extremely in-depth because the main goal was to figure out how to use the device without the official app.

Note: While writing this down, I have found out that I am not the first to publish something about the device ( https://community.home-assistant.io/t/xiaomi-mi-plants-monitor-flower/3388 ) but everything here is my independent work.

Xiaomi Flora is a Bluetooth Low Energy device that monitors the environment of a plant.

It measures:

• Sunlight intensity
• Air temperature
• Soil moisture
• Soil fertility (via electrical conductivity)

The device is sealed well, with lots of gaskets and even manually applied conformal coating on chips. The plastic shell is fused together, so you must use a knife to take it apart.

• U1 - Dialog Semiconductor DA14580 SoC with BLE http://www.dialog-semiconductor.com/products/connectivity/bluetooth-low-energy/smartbond-da14580
• U2 - Unknown SOT353 chip, probably some kind of op-amp or other analog thing for the sensors
• U5 - Unknown SON8 chip marked “5F1 A61 J1G 1”, could be EEPROM/flash

The light and temperature sensors are placed on the top of the device.

The legs end with metal studs that are used to measure soil fertility via electrical conductance. Hidden inside the legs are two traces that end in plates, probably a capacitive method to measure soil moisture.

The device uses BLE GATT for communication, but the sensor values are not immediately available. When the original app connects to the device, it performs an elaborate initialization, but I have found out most of it isn't required.

Available handles:

0x0038 - Reading returns 7 bytes - 1 byte battery level and 6 ASCII chars of firmware version

0x0033 - You need to write 0xA01F to this handle to enable real-time data reading

0x0035 - The actual data from the sensors, can be read only after you enable real-time data, otherwise returns zeros

Example data frame, values are little-endian

Notes:

• Temperature is signed 16-bit value in tenths of degrees C, so 265 means 26.5 °C
• Light intensity in lux, not sure if 32-bit
• Moisture in percent
• Fertility in µS/cm

0x0036 - writing 0x0100 to this handle will subscribe you to sensor value notifications

Here is a short Python script to get all the interesting data from the device:

#Read data from Xiaomi flower monitor, tested on firmware version 2.6.6 

from gattlib import GATTRequester, GATTResponse
from struct import *

address = "DE:AD:BE:EF:CA:FE"
requester = GATTRequester(address)
#Read battery and firmware version attribute
data=requester.read_by_handle(0x0038)[0]
battery, version = unpack('<B6s',data)
print "Battery level:",battery,"%"
print "Firmware version:",version
#Enable real-time data reading
requester.write_by_handle(0x0033, str(bytearray([0xa0, 0x1f])))
#Read plant data
data=requester.read_by_handle(0x0035)[0]
temperature, sunlight, moisture, fertility = unpack('<hxIBHxxxxxx',data)
print "Light intensity:",sunlight,"lux"
print "Temperature:",temperature/10.,"°C"
print "Soil moisture:",moisture,"%"
print "Soil fertility:",fertility,"uS/cm"

The device stores historical data when not connected that can be later synchronized.

I have not figured it out yet, but looking at the dumps it seems to work by writing an address to handle 0x003e and the reading data from handle 0x003c.

I have no interest in changing the firmware, since you can already get all data you need from the original firmware.

But if you really want to know, the device supports OTA firmware update and there is a header with SWD on the PCB, although I was unable to connect to the cpu using OpenOCD.