Blanco Unit Protocol #1

Nailik · 2026-01-03T16:38:47Z

Nailik
Jan 3, 2026
Maintainer

This discussion should be used to discuss and reverse engineer the blanco unit ble protocol.

Goal

The main idea is to integrate blanco unit into home assistant via ble (see https://community.home-assistant.io/t/3rd-party-app-integration/695991/11).

How to

How to debug protocol with my fork of blemon:

requires rooted android phone and frida
installed blanco unit app
replace bytes2hex calls with bytesToUtf8 in blemon.js
start frida for com.blanco.unitapp package

Findings

blanco unit app 1.10.0
blanco soda device with firmware CC 3.1.5 and MC 1.1.2
data is in json format but written and read in chunks (due to ble max size per characteristics)
only characersitic with UUID 3b531d4d-ed58-4677-b2fa-1c72a86082cf seems to be used
pairing does not require internet connection
app seems to be written in flutter and doesn't use javax.crypto for token generation

##Data

sessionId (does not change while connected)
id (changes after every read/write command)
type (1 for write, 2 for read)

write commands additionally contain (both changes after repairing device)

token
salt

read commands contain

body with metadata (contains dev_id which stays consistent after repairing)

real example data after pairing with 5 digit pairing code:

[BLE Write =>] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf {"session":7780315,"id":9077670,"type":1,"token":"993223dcf15d3865439a66ea4b10c576ea485ccf989b6e9c235acdd27bda8634","salt":"77803159077670","body":{"meta":{"dev_type":1,"evt_ts":1767457215710,"evt_type":10,"evt_ver":1},"pars":{}}}

[BLE Read <=] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf  {"session":7780315,"id":9077670,"type":2,"body":{"meta":{"dev_id":"52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039","dev_type":1,"evt_ts":2706416986,"evt_type":10,"evt_ver":1,"res_type":2}}}

[BLE Write =>] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf {"session":7780315,"id":7604844,"type":1,"token":"6cb618c3e6a95cef6a1178c68fb34d4fa44c0b6ec09142c073ab49bd70786311","salt":"77803157604844","body":{"meta":{"dev_id":"52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039","dev_type":1,"evt_ts":1767457216910,"evt_type":7,"evt_ver":1},"opts":{"ctrl":3},"pars":{"evt_type":2}}}

[BLE Read <=] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf {"session":7780315,"id":7604844,"type":2,"body":{"results":[{"meta":{"dev_id":"52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039","dev_type":1,"evt_ts":2706418268,"evt_type":2,"evt_ver":1},"pars":{"sw_ver_comm_con":{"val":"3.1.5"},"sw_ver_elec_con":{"val":"101"},"sw_ver_main_con":{"val":"112"},"dev_name":{"val":"SODA-210"},"reset_cnt":{"val":5}}}]}}

[BLE Write =>] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf {"session":7780315,"id":8284286,"type":1,"token":"ac69ef6221d96ccdcbfbd301ed4c3dd7e9aadcbbda53ca96b766c4d9e2373c62","salt":"77803158284286","body":{"meta":{"dev_id":"52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039","dev_type":1,"evt_ts":1767457218005,"evt_type":7,"evt_ver":1},"opts":{"ctrl":3},"pars":{"evt_type":5}}}

[BLE Read <=] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf {"session":7780315,"id":8284286,"type":2,"body":{"results":[{"meta":{"dev_id":"52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039","dev_type":1,"evt_ts":2706419558,"evt_type":5,"evt_ver":1},"pars":{"calib_still_wtr":{"val":500},"calib_soda_wtr":{"val":500},"filter_life_tm":{"val":560},"post_flush_quantity":{"val":40},"set_point_cooling":{"val":5},"wtr_hardness":{"val":1}}}]}}

[BLE Write =>] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf {"session":7780315,"id":7594209,"type":1,"token":"c0c5353ef58c1d9ab9e6895ceb68060ad592d2ca26df1612d3424a6c02f40697","salt":"77803157594209","body":{"meta":{"dev_id":"52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039","dev_type":1,"evt_ts":1767457219648,"evt_type":7,"evt_ver":1},"opts":{"ctrl":2},"pars":{}}}

[BLE Read <=] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf {"session":7780315,"id":7594209,"type":2,"body":{"meta":{"dev_id":"52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039","dev_type":1,"evt_ts":2706420995,"evt_type":3,"evt_ver":1,"act_type":4},"pars":{"ser_no":"25F2404-56210","serv_code":"75895"}}}

[BLE Write =>] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf {"session":7780315,"id":3070034,"type":1,"token":"17f4d66fcc9b9428e372450ecbb705fa1455de135d2a2c2ebcfaf9610ce52fb0","salt":"77803153070034","body":{"meta":{"dev_id":"52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039","dev_type":1,"evt_ts":1767457220826,"evt_type":7,"evt_ver":1},"opts":{"ctrl":3},"pars":{"evt_type":6}}}

[BLE Read <=] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf {"session":7780315,"id":3070034,"type":2,"body":{"results":[{"meta":{"dev_id":"52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039","dev_type":1,"evt_ts":2706422191,"evt_type":6,"evt_ver":1},"pars":{"tap_state":{"val":0},"filter_rest":{"val":37},"co2_rest":{"val":90},"wtr_disp_active":{"val":false},"firm_upd_avlb":{"val":false},"set_point_cooling":{"val":5},"clean_mode_state":{"val":0},"err_bits":{"val":0}}}]}}

[BLE Write =>] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf {"session":7780315,"id":3469654,"type":1,"token":"8233afd326d15d581e0ee2f31427156d5764c2bdf467251c9971a88db5f5d3cc","salt":"77803153469654","body":{"meta":{"dev_id":"52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039","dev_type":1,"evt_ts":1767457221996,"evt_type":7,"evt_ver":1},"opts":{"ctrl":3},"pars":{"evt_type":4}}}

[BLE Read <=] UUID: 3b531d4d-ed58-4677-b2fa-1c72a86082cf {"session":7780315,"id":3469654,"type":2,"body":{"results":[{"meta":{"dev_id":"52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039","dev_type":1,"evt_ts":2706424036,"evt_type":4,"evt_ver":1},"pars":{"errs":[]}}]}}

Data stored in shared preferences (noted hashed password is simply sha256(pin)) :

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="flutter.countryCode">DE</string>
    <string name="flutter._units">{&quot;units&quot;:[{&quot;id&quot;:&quot;24e14820-e8d4-11f0-ba13-c7e07059c4aa&quot;,&quot;title&quot;:&quot;NEUE UNIT&quot;,&quot;isActive&quot;:true,&quot;device&quot;:{&quot;id&quot;:&quot;52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039&quot;,&quot;bleId&quot;:&quot;40:F5:20:B6:CC:3A&quot;,&quot;title&quot;:&quot;SODA-210&quot;,&quot;name&quot;:&quot;SODA-210&quot;,&quot;unitDeviceType&quot;:&quot;soda&quot;,&quot;registrationDone&quot;:false,&quot;hashedPassword&quot;:&quot;xxx&quot;,&quot;cachedFilterRest&quot;:37,&quot;cachedCo2Rest&quot;:89,&quot;cachedSettingsTemp&quot;:5,&quot;cachedSettingsHotTemp&quot;:-1,&quot;cachedWaterHardnessKey&quot;:1,&quot;config&quot;:{&quot;colorType&quot;:0,&quot;fittingType&quot;:0},&quot;connectedTs&quot;:1767465826081,&quot;fake&quot;:false,&quot;serialNr&quot;:&quot;25F2404-56210&quot;,&quot;serviceCode&quot;:&quot;75895&quot;,&quot;lastPingTs&quot;:0,&quot;isPingValid&quot;:false,&quot;cloudDataAccess&quot;:false,&quot;hotWaterProtectionActive&quot;:false,&quot;extensionsSetActive&quot;:false,&quot;verEsp&quot;:&quot;3.1.5&quot;,&quot;verMainCtrl&quot;:&quot;1.1.2&quot;,&quot;partNumb&quot;:&quot;&quot;,&quot;metricsIdx&quot;:0,&quot;calibrationTimestamp&quot;:0,&quot;eventCache&quot;:{&quot;list&quot;:[{&quot;cacheName&quot;:&quot;2&quot;,&quot;value&quot;:&quot;{\&quot;session\&quot;:4064741,\&quot;id\&quot;:9387919,\&quot;type\&quot;:2,\&quot;body\&quot;:{\&quot;results\&quot;:[{\&quot;meta\&quot;:{\&quot;dev_id\&quot;:\&quot;52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039\&quot;,\&quot;dev_type\&quot;:1,\&quot;evt_ts\&quot;:2715031438,\&quot;evt_type\&quot;:2,\&quot;evt_ver\&quot;:1},\&quot;pars\&quot;:{\&quot;sw_ver_main_con\&quot;:{\&quot;val\&quot;:\&quot;112\&quot;},\&quot;sw_ver_elec_con\&quot;:{\&quot;val\&quot;:\&quot;101\&quot;},\&quot;sw_ver_comm_con\&quot;:{\&quot;val\&quot;:\&quot;3.1.5\&quot;},\&quot;dev_name\&quot;:{\&quot;val\&quot;:\&quot;SODA-210\&quot;}}}]}}&quot;},{&quot;cacheName&quot;:&quot;5&quot;,&quot;value&quot;:&quot;{\&quot;session\&quot;:4064741,\&quot;id\&quot;:8349473,\&quot;type\&quot;:2,\&quot;body\&quot;:{\&quot;results\&quot;:[{\&quot;meta\&quot;:{\&quot;dev_id\&quot;:\&quot;52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039\&quot;,\&quot;dev_type\&quot;:1,\&quot;evt_ts\&quot;:2715033044,\&quot;evt_type\&quot;:5,\&quot;evt_ver\&quot;:1},\&quot;pars\&quot;:{\&quot;set_point_cooling\&quot;:{\&quot;val\&quot;:5},\&quot;calib_still_wtr\&quot;:{\&quot;val\&quot;:500},\&quot;calib_soda_wtr\&quot;:{\&quot;val\&quot;:500},\&quot;filter_life_tm\&quot;:{\&quot;val\&quot;:560},\&quot;post_flush_quantity\&quot;:{\&quot;val\&quot;:40},\&quot;wtr_hardness\&quot;:{\&quot;val\&quot;:1}}}]}}&quot;},{&quot;cacheName&quot;:&quot;commoncontrol6&quot;,&quot;value&quot;:&quot;{\&quot;session\&quot;:4064741,\&quot;id\&quot;:1070728,\&quot;type\&quot;:2,\&quot;body\&quot;:{\&quot;body\&quot;:{\&quot;meta\&quot;:{\&quot;dev_id\&quot;:\&quot;52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039\&quot;,\&quot;dev_type\&quot;:1,\&quot;evt_ts\&quot;:2715034840,\&quot;evt_type\&quot;:3,\&quot;evt_ver\&quot;:1},\&quot;pars\&quot;:{\&quot;ser_no\&quot;:\&quot;25F2404-56210\&quot;,\&quot;serv_code\&quot;:\&quot;75895\&quot;}}}}&quot;},{&quot;cacheName&quot;:&quot;6&quot;,&quot;value&quot;:&quot;{\&quot;session\&quot;:4064741,\&quot;id\&quot;:9887438,\&quot;type\&quot;:2,\&quot;body\&quot;:{\&quot;results\&quot;:[{\&quot;meta\&quot;:{\&quot;dev_id\&quot;:\&quot;52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039\&quot;,\&quot;dev_type\&quot;:1,\&quot;evt_ts\&quot;:2715036265,\&quot;evt_type\&quot;:6,\&quot;evt_ver\&quot;:1},\&quot;pars\&quot;:{\&quot;filter_rest\&quot;:{\&quot;val\&quot;:37},\&quot;co2_rest\&quot;:{\&quot;val\&quot;:89},\&quot;set_point_cooling\&quot;:{\&quot;val\&quot;:5},\&quot;wtr_disp_active\&quot;:{\&quot;val\&quot;:false},\&quot;firm_upd_avlb\&quot;:{\&quot;val\&quot;:false},\&quot;tap_state\&quot;:{\&quot;val\&quot;:0},\&quot;clean_mode_state\&quot;:{\&quot;val\&quot;:0},\&quot;err_bits\&quot;:{\&quot;val\&quot;:0}}}]}}&quot;},{&quot;cacheName&quot;:&quot;errors&quot;,&quot;value&quot;:&quot;{\&quot;session\&quot;:4064741,\&quot;id\&quot;:5033133,\&quot;type\&quot;:2,\&quot;body\&quot;:{\&quot;results\&quot;:[{\&quot;meta\&quot;:{\&quot;dev_id\&quot;:\&quot;52a62a5263f77bd49ff9760b39e613db88293631d6b25561ac9500924a3ed039\&quot;,\&quot;dev_type\&quot;:1,\&quot;evt_ts\&quot;:2715037320,\&quot;evt_type\&quot;:4,\&quot;evt_ver\&quot;:1},\&quot;pars\&quot;:{}}]}}&quot;}]},&quot;dispenseConfig&quot;:{&quot;dispenseConfig1&quot;:{&quot;amount&quot;:100,&quot;co2&quot;:1,&quot;percentage&quot;:0,&quot;name&quot;:&quot;&quot;},&quot;dispenseConfig2&quot;:{&quot;amount&quot;:100,&quot;co2&quot;:1,&quot;percentage&quot;:0,&quot;name&quot;:&quot;&quot;},&quot;dispenseConfig3&quot;:{&quot;amount&quot;:100,&quot;co2&quot;:1,&quot;percentage&quot;:0,&quot;name&quot;:&quot;&quot;},&quot;dispenseConfig4&quot;:{&quot;amount&quot;:100,&quot;co2&quot;:1,&quot;percentage&quot;:0,&quot;name&quot;:&quot;&quot;}},&quot;co2PercMedium&quot;:-1,&quot;co2PercClassic&quot;:-1,&quot;cachedStatisticDaily&quot;:&quot;&quot;,&quot;cachedStatisticWeekly&quot;:&quot;&quot;,&quot;cachedStatisticMonthly&quot;:&quot;&quot;,&quot;cachedStatisticYearly&quot;:&quot;&quot;,&quot;cachedDrinkingGoals&quot;:&quot;&quot;,&quot;absenceModeConfig&quot;:{&quot;absenceModeActive&quot;:false,&quot;absenceModeTs&quot;:0}}}]}</string>
    <boolean name="flutter.app_data" value="true" />
    <string name="flutter._app_State">{&quot;lastRoute&quot;:&quot;/home&quot;,&quot;unitId&quot;:&quot;&quot;,&quot;devId&quot;:&quot;&quot;,&quot;homeScrollPosition&quot;:0.0}</string>
    <string name="flutter.languageCode">de</string>
    <boolean name="flutter.bluetooth_perm" value="true" />
    <boolean name="flutter.location_perm" value="true" />
</map>

Reflutter:

generated apk (only works for arm64-v8a unfortunately too big to upload)
offset

 Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 0000000000480000 92688 OBJECT  GLOBAL DEFAULT    7 _kDartVmSnapshotInstructions
     2: 0000000000496a40 0x5fc020 OBJECT  GLOBAL DEFAULT    7 _kDartIsolateSnapshotInstructions
     3: 0000000000000340 16176 OBJECT  GLOBAL DEFAULT    5 _kDartVmSnapshotData
     4: 0000000000004280 0x46ff40 OBJECT  GLOBAL DEFAULT    5 _kDartIsolateSnapshotData
     5: 00000000000001c8    32 OBJECT  GLOBAL DEFAULT    1 _kDartSnapshotBuildId

dart dump via reflutter 0.8.0 dump.dart.zip

Next step

Most importantly would be to find out how the session data is generated from the pin.

Answered by Nailik

Jan 4, 2026

With some blutter reverse engineering of the dart code i found out that the token is generated by:

$$\text{Token} = \text{SHA256}(\text{SHA256}(\text{Password}) + \text{Session} + \text{ID})$$

This means that development can start now.

View full answer

fear · 2026-01-03T16:57:02Z

fear
Jan 3, 2026

This is great. Ill start futher investigations when i move to my new house in April!

0 replies

Nailik · 2026-01-04T16:39:32Z

Nailik
Jan 4, 2026
Maintainer Author

With some blutter reverse engineering of the dart code i found out that the token is generated by:

$$\text{Token} = \text{SHA256}(\text{SHA256}(\text{Password}) + \text{Session} + \text{ID})$$

This means that development can start now.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Blanco Unit Protocol #1

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Blanco Unit Protocol #1

Uh oh!

Uh oh!

Nailik Jan 3, 2026 Maintainer

Goal

How to

Findings

Reflutter:

Next step

Replies: 2 comments

Uh oh!

fear Jan 3, 2026

Uh oh!

Nailik Jan 4, 2026 Maintainer Author

Nailik
Jan 3, 2026
Maintainer

fear
Jan 3, 2026

Nailik
Jan 4, 2026
Maintainer Author