Pet tracker Z8 - help please identifying protocol

Nigel E, 5 years ago

Hi, I am using various Chinese GPS trackers successfully with awesome Traccar (v0.5.0), which have all been pretty easy to configure. I have just bought a tracker for my dog which is called a Z8 and can be found at Gearbest (https://uk.gearbest.com/dog-health-supplies/pp_009635405806.html?wid=1433363). I have discovered the SMS commands to repoint it to my Traccar instance (Server,1,domainname,port,0#) but am struggling to find the right port and protocol. I have tried all the typical Chinese clone ports and tried to identify the port from HEX. When configured for port 5001, I get the output in the logs below.

2019-09-10 07:04:52  INFO: [22eeb7fc: gps103 < 82.132.118.215] HEX: 50432c3335313233343530303239383836342c317b3c55313031233e7d0d0a
2019-09-10 07:05:23  INFO: [22eeb7fc: gps103 < 82.132.118.215] HEX: 50432c3335313233343530303239383836342c317b3c55313031233e7d0d0a
2019-09-10 07:05:53  INFO: [22eeb7fc: gps103 < 82.132.118.215] HEX: 50432c3335313233343530303239383836342c317b3c55313031233e7d0d0a 

Converting from HEX I get:

PC,351234500298864,1{<U101#>}

Does this mean it is protocol U101? If so, I have tried port 5089 and just get the same hex below:

2019-09-10 07:12:46  INFO: [88c856fc] connected
2019-09-10 07:12:46  INFO: [88c856fc: aquila < 82.132.119.104] HEX: 50432c3335313233343530303239383836342c317b3c55313031233e7d0d0a

Any help greatly appreciated, thanks.

Anton Tananaev, 5 years ago

It's definitely not Aquila protocol. You have to get protocol documentation for your device.

jean x, 4 years ago

Did you find out what the protocol is? What SMS commands did you use to configure it?

Neil, 4 years ago

"Did you find out what the protocol is? What SMS commands did you use to configure it?"

I have myself a now defunct Z8, the software no longer remembers who i am or will allow me to register again (both Android and iPhone apps from the box's QR Code).
It appears when you register it will no longer send SMS messages with the activation auth code to validate... (on both Android and iPhone, SMS failed).. it was a cost to whoever runs the platform sending SMS messages, they've pulled it from the looks of it. There is no web interface that i can find.

I did have some partial luck with the tracker and commands.

I did make a mistake of not doing this first, it was trial and error:

before changing the SERVER location as i did, make a note of the existing settings.

Switch on your tracker and from your phone, just send:

SERVER#

It should reply with the following:

SERVER,1,hostname,port,0

I believe the format for setting the server is:

SERVER, Command
1 or 0, for 0 for ip, 1 for hostname
hostname,
port,
0 = 0 for TCP or 1 for UDP (need to check).

I've developed a proxy so it sits in between the tracking system and tracker, i have to get the tracking server's host/IP and port and update the tracker's server host/IP and port to my proxy... when the tracker connects to my proxy, the proxy then establishes a connection to the tracking server and the proxy then forwards on the data to the server (as it would if it were connected directly), and vice versa all server sent data is forwarded to the tracker. This way i can log and monitor all interaction (app commands)..

Now the APP software is a major fail, i'm stuck.

Here are the other commands i was able to figure out:

Factory reset:

FACTORY#

factory resets the device, it doesn't reset the SERVER setting, this is now where i need that information if you can help me, just send SERVER# and could you paste the reply below.

Return the existing APN setting:

APN#

To set it:

APN,apn-name,apn-user,apn-password#

eg for EE (UK):
APN,everywhere,eesecure,secure#

SERVER# and getting and setting (above)

I think this reboots:

RESET#

Return the version:

VERSION#

Get current URL location:

DW#

Language:

LANG#

returns:

LANG:1 (0=English, 1=Chinese)

to set for english:

LANG,0#

Return alarm:

SOS#

I think to set (need to try):

SOS1:number/blank,SOS2:number/blank,SOS3:number/blank#

Return the status:

STATUS#

this is as far as i've got.

once i set the server and ip..i'm just getting this every 30s:

PC,<IMEI#>,1{<U101#>}

I need this: STATUS# on a Z8 tracker that hasn't been updated.

I want to crack this tracker and get the server communication protocol.

Does anyone watching have anything they can add to help?

Nigel E, 4 years ago

Hi Neil, the original settings for the server were: SERVER,1,dv.yintaifu.com.cn,8889,0
Would be great if you figure out the protocol, I have given up with it. I still have not found a good alternative cheap collar tracker that works with traccar yet. Cheers

Neil, 4 years ago

Nigel,
That's a great help... it's a start... another brick wall (as said prior)
I've got the tracker pointing to my server, where i have written a little GPS proxy (middleman)... as soon as i put in the settings you gave me and switched on the tracker, i got this (redacted with #):

2019/12/20 22:48:35 SVR: [Len: 16] - PC,1{<C101#1>}
2019/12/20 22:48:36 TRK: [Len: 32] - PC,351############,1{<U102#1>}
2019/12/20 22:48:37 SVR: [Len: 145] - PC,1{<C102#1,tm=2019-12-20 22:48:37,wkmd=1,fw=0,sos1=+44##########,sos2=,sos3=,mon=,TimeZone=0,val=0,fang=0,oil=1,sportgoal=0,heartinterval=0>}
2019/12/20 22:48:40 TRK: [Len: 44] - PC,351############,1{<U104#1,27,33,0,274>}
2019/12/20 22:48:40 SVR: [Len: 16] - PC,1{<C104#1>}
2019/12/20 22:48:46 TRK: [Len: 102] - PC,351############,1{<U103#;;3,####,907,19,AA##,907,21,####,907,12,##,EA;201219,224843|33|FFFFFFFD>}
2019/12/20 22:48:47 SVR: [Len: 16] - PC,1{<C103#1>}
2019/12/20 22:50:40 TRK: [Len: 44] - PC,351############,1{<U104#0,33,37,0,289>}
2019/12/20 22:50:40 SVR: [Len: 16] - PC,1{<C104#1>}

It looks like it's just heart beating now (repeating the last 2 lines)
The issues i've found: there is no web portal, i can't log in to the apps (i have an iPhone and Android), it says i'm not registered (which i did in the past) and it won't accept new registrations as it tries to send an SMS verification code from their server and it's failing with "Sms send false" on both apps. Looks like i'm not alone here, i had a look on eBay listings still selling this and someone said no one in the UK can register. Yet they're still being sold.

I have the Z8, there is a Z8-A and Z8-B (different cover to the A)
The back of the box QR code takes me to: app.yintaifu.com.cn

Unless i can get into the app, then i can't start debugging the data via the commands.
Can you still login to your app?
Neil

Neil, 4 years ago

I found out what the login is for the app..... phone number is the IMEI number and password is the last 6 digits... i'm in now.

The app interface is so basic, very few options..... i'm seeing a pattern with the commands when watching what is being exchanged.

Monitoring mode either 1 hour or 10s.. that's all the app is allowing.... others i've got here, you can send reporting time in seconds (1s to hours).
This doesn't have wifi either, no good if a cat gets locked in a shed (LBS mode can report up to 1000m away).

I see the following being sent via the server to the tracker, when switching between the 2 Location mode options (1hr or 10s):

When switching Location mode, to 1h:

Server Sends: PC,1{<D212#YYYYMMDDHHMMSS,0>}
D212# looks like the command for 1 hour mode, followed by current server time (GMT) in Year (YYYY) Month (MM) Date (DD) Hour (HH) Min (MM) sec (SS). The trailing ",0" = 1 hour mode (looks like it powers down GPS to conserve battery)

The Tracker acknowledged the change by replying back with the same time ",1":

PC,IMEI#,1{<C212#YYYYMMDDHHMMSS,1>}

C212 looks like the tracker reply to server command: D212

if you text: STATUS#
You will see the setting as "Mode:saving"

Switching back from 1hr to 10s

Server sends: PC,1{<D212#YYYYMMDDHHMMSS,1>}

Same D212 command followed by # and server time followed ",1" = 10s mode

The tracker replies back to confirm set (app acknowledges this):

PC,IMEI,1{<C212#YYYYMMDDHHMMSS,1>}

if you text: STATUS#
You will see the setting as "Mode:tracking"

That's the Location mode figured out.. need to use what i've discovered to decode the GPS v LBS location Lng and Lat.

The heart beat that is sent to keep the connection open between the tracker and server:

PC,IMEI,1{<U104#1,18,22,0,4>}

The 22 is the battery level.

It shouldn't take too long to crack this now.

As for other trackers, The D79 might be worth looking at or the RF-V43 (2G, 3G and 4G support with wifi location support (wifi = beacons, mac address and db level from tracker))

Thanks for your help, finding the SERVER command via Google is what helped me unlock this, i was just missing the app login and the tracking server port and host.

Neil.

jean x, 4 years ago

Neil, just to confirm - this seems to send a different protocol, other than the Chinese ones Traccar already has implemented?

What does the line look like when it sends GPS coordinates?

Neil, 4 years ago

Jean,

The line in the example above (redacted because it has my IMEI and GPS coords (encoded)), this command is from the tracker to the server and the only one i can see so far that updates the app's location, starts:

Starts: "PC,351############,1{<U103#" and ends: "DDMMYY,HHMMSS|BAT_LEVEL|FFFFFFFD>}"

Looks like when there is no update, the following is sent:

{<U103#;;;211219,102113|100|FFFFFFFD>}

All these are wrapped by {<?@@@#DATA>}
? = Letter
@ = Digit

DATA for "U103#"

Looks like "data;data;data;DDMMYY,HHMMSS|BAT_LEVEL|FFFFFFFD"

there are 3 fields terminated by ; i'm seeing a mix of empty fields (all) or partial.

my tracker is indoors the app is reporting LBS mode, once i get a base line on this from indoors, i'll take it mobile and see what difference in what is being sent.

Neil, 4 years ago

Question for you, do you have the Z8 or Z8-A? trying to figure out the difference.. as i have just the Z8.

jean x, 4 years ago

For me STATUS# returns

IMEI:{redacted};Battery:3.97V;GSMl:Weak;GPRS:unconnect;GPS:OFF;Firewall:Off;Mode:tracking 1h

VERSION#
[Version]T02GW_H01_V03_1903

I have a yellow Z8, it just says Model: Z8 on the sticker.
I haven't done anything with it yet.

How were you able to figure out the SMS commands?

jean x, 4 years ago

SERVER#
SERVER,1,dv.yintaifu.com.cn,8889,0

Connecting it to USB on the computer says MediaTek, and it sets up a virtual COM port. There is some software to configure MediaTek devices, but it doesn't seem to want to talk with this one.

Neil, 4 years ago

My version is: [Version]T02G_CJ_H01_V02_1806

Neil, 4 years ago

For location information, Tracker sends:

PC,351############,1{<U103#**DATA**>}

Server acknowledges by replying with:

PC,1{<C103#1>}

The Location Data: {<U103#**DATA**>}

DATA = three blocks delimited by ";" (no quotes) eg: ";;;" followed by DDMMYY,HHMMSS|BAT_LEVEL|########
######## = Hex, only variations i've seen so far: FFFFFFFD, which is from a cold boot with only LBS data being sent (not GPS fix); once it got a GPS location fix it was sending FFFFFFFF even if it lost the GPS fix and returned to LBS.... I have seen it return to FFFFFFFD later on if tracker has been indoors out of GPS sight for a while.

First Field Block: GPS Data (ending delimiter ";") with a GPS fix, if there is no fix this field is empty:

HHMMSS,A,####.####,N,#####.####,E,#.##,###.##,DDMMYY,#?;

HHMMSS, - Hours Minutes Seconds
A, = must be the accuracy A / V mode seen on most trackers:
####.####,N,#####.####,E, - is the GPS location data in: DMS (degrees, minutes, seconds).
#.##, - no idea, still investigating (wonder if this is altitude in metres)
###.##, - no idea, still investigating
DDMMYY - Day, Month, Year
#? = This might be the number of satellites in view when returning this fix; this falls in the range of typical numbers. The number starts at 4 (which is the minimum number for a trilateration: 3 for position + 1 for altitude = your actual position) and has been sitting around 7 to 10, which is typical. There are 4 systems, not all supported by all trackers. The older US GPS is, EU Galileo isn't, nor the Russian GLONASS. As this is Chinese made, it might support the BeiDou GPS system.. i need to check.

Second Field Block: (ending delimiter ";") - Empty in GPS or LBS tracking sending mode (wonder if it was reserved for WIFI scanned data, tracker doesn't appear to support)

Third Field Block: LBS Data (ending delimiter ";") this can also be empty at times when GPS field block is populated, i've seen instances of it included with GPS fixes or not sent, however, if there is no GPS fix, then this is included:

This is a sample of what i got, there appears to be a repeating group of 3 (final 3 appear different from the rest).
I can only guess this is GSM cell tower data, wondering if the first number is signal strength (or db level), mast id in hex, then maybe network id???

5,AA5B,907,19,2304,907,15,E3DE,907,6,77E5,907,3,4EB3,907,3,1E,EA;

I need to compare this to other trackers LBS data.

The mode in the app is misleading, 10s (tracking mode) or 1 hour (power saving).. the tracking mode doesn't return every 10s, the tracker only sends data when it has changed, then you have to wait mins at times.

If you send: PC,1{<D205#YYYYMMDDHHMMSS>} from the server to the tracker, the tracker will respond with

To acknowledge request:

PC,351############,1{<C205#YYYYMMDDHHMMSS,1>}

followed by tracking data (U103) as above:

PC,351############,1{<U103#**DATA**>}

The server then acknowledges receipt by sending:

PC,1{<C103#1>}

That wraps up everything i've seen so far.
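Added example, not part of any poster's message and not Traccar code: a minimal Python parser for the frames described in this thread, pulling the timestamp, battery and GPS fix out of a U103 report. It assumes the coordinates use the NMEA ddmm.mmmm layout and that only status A marks a valid fix; neither is confirmed in the thread, and the sample frames are constructed with a fake IMEI and position.

```python
import re
from datetime import datetime

# Envelope seen in the thread: PC,[IMEI,]1{<TYPE#DATA>}, TYPE = one letter + three digits.
FRAME = re.compile(r"^PC,(?:(\d{15}),)?1\{<([A-Z]\d{3})#(.*)>\}\s*$")

def parse_frame(line):
    """Return (imei or None, message type, raw data), or None if the envelope is malformed."""
    m = FRAME.match(line)
    return m.groups() if m else None

def decode_hex_log(hex_payload):
    """Decode the HEX field of a Traccar log line and parse the frame inside it."""
    return parse_frame(bytes.fromhex(hex_payload).decode("ascii"))

def _nmea_to_degrees(value, hemisphere):
    # ASSUMPTION: ddmm.mmmm / dddmm.mmmm as in NMEA; the thread does not confirm this.
    raw = float(value)
    degrees = int(raw // 100)
    result = degrees + (raw - degrees * 100) / 60
    return -result if hemisphere in ("S", "W") else result

def parse_u103(data):
    """Decode U103 DATA laid out as gps;reserved;lbs;DDMMYY,HHMMSS|BAT_LEVEL|FLAGS."""
    parts = data.split(";")
    if len(parts) != 4:
        raise ValueError("expected three ';'-terminated blocks plus trailer")
    gps, _reserved, lbs, trailer = parts
    stamp, battery, flags = trailer.split("|")  # ValueError if the trailer is malformed
    report = {
        "time": datetime.strptime(stamp, "%d%m%y,%H%M%S"),  # timezone not stated in thread
        "battery": int(battery),
        "flags": flags,
        "lbs_raw": lbs or None,  # cell data kept opaque: its layout is still a guess
        "fix": None,
    }
    f = gps.split(",") if gps else []
    if len(f) >= 6 and f[1] == "A":  # ASSUMPTION: 'A' = valid fix, as in NMEA
        report["fix"] = (_nmea_to_degrees(f[2], f[3]), _nmea_to_degrees(f[4], f[5]))
    return report

# Constructed samples (fake IMEI and position), shaped like the frames quoted in the thread.
SAMPLE_GPS = ("PC,350000000000000,1{<U103#102113,A,5130.0000,N,00007.5000,W,"
              "0.00,0.00,211219,8;;;211219,102113|87|FFFFFFFF>}\r\n")
SAMPLE_LBS = "PC,350000000000000,1{<U103#;;;211219,102113|100|FFFFFFFD>}\r\n"
# Hex payload copied from the Traccar log lines in the first post.
SAMPLE_HEX = "50432c3335313233343530303239383836342c317b3c55313031233e7d0d0a"

if __name__ == "__main__":
    print(parse_u103(parse_frame(SAMPLE_GPS)[2]), decode_hex_log(SAMPLE_HEX))
```

`parse_u103` raises `ValueError` on a malformed trailer or a non-numeric coordinate, so a listener reachable from the internet can drop such frames rather than store them.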

jean x, 4 years ago

Is it possible to write up a sample parser for only the basic information needed (timestamp and GPS)?