Hersch LEM 50 | Hack #02

Hey there! 👋

In this post I’m going to show you how to hack the Hersch LEM 50. Happy reading! 📚

For this device I will use Visual Studio 2019 (C#), the Bluetooth adapter integrated in the PC and an Android smartphone.

Prehistory


Weeks ago, I started to search for a solution to measure my garden in detail and automatically import the measurement data into a garden planner.
If you are looking for a similar solution, or just want to measure your room or flat, I recommend this device.


The idea of how an automatic measurement could work came from observing my new Roborock S5 Max vacuum cleaner.

I saw that it often spins around to measure the room and automatically updates the map in the app. Very interesting.


Then I wondered whether I could do the same thing with a self-built automated measuring device, but not limited to a small room.

The device


So I started to search for a laser distance meter that can measure distances of up to 50 meters or more.

I bought the Laser Distance Meter LEM 50 by HERSCH. It can measure distances of up to 50 meters and has a Bluetooth connection.

There is no official specification of the connection API, so I needed to reverse engineer the device's remote-control capabilities over Bluetooth.

Reverse Engineering


In the first step I used the nRF Connect application on my phone and connected it to the device to see which Bluetooth services and characteristics the Hersch LEM 50 Bluetooth interface provides.

While playing with the device I saw that one characteristic with notifications changed its value each time I took a measurement on the device.
It took a few hours to decode the value. I found that the device simply sends the measured data as a string value.

Wireshark


The next challenge was to figure out how to trigger the measure button remotely.

Fortunately, the vendor of the device provides a standard application, “Workpro Space”, for measuring and sketching.

The application is terrible to work with on a construction site, but enough for my purposes.

So I connected the app to the measuring device and played around while the Android system captured the entire Bluetooth communication. There is a button “measure ID” in the app. After clicking that button twice, the distance measurement was triggered remotely. Great!
I saw that the measured distance was also transferred and visible in the app.

Thus, I had captured everything needed to control the device remotely. I transferred the captured Bluetooth session to my computer and used Wireshark to hack the communication.
I used the previously decoded distance value to find that value in Wireshark and then scanned the preceding messages to find the Bluetooth command which triggers the measurement.
Et voilà! The device uses the same characteristic both to send the measured data and to trigger the measure button when you send this byte array.
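The search described above, as an added example that is not part of the original post or its repository: it looks for the displayed reading as ASCII text in device-to-phone packets and lists the phone-to-device writes just before it. The AttPacket type, frame numbers, handles and the "2.345m" reading are constructed for illustration; the command bytes are the ones the post sends in SendCommandToDevice.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// One ATT packet as exported from a capture. Hypothetical type for this example.
class AttPacket
{
    public int Frame; public bool FromPhone; public int Handle; public byte[] Value;
    public AttPacket(int frame, bool fromPhone, int handle, byte[] value)
    { Frame = frame; FromPhone = fromPhone; Handle = handle; Value = value; }
}

static class TriggerFinder
{
    // True if needle occurs as a contiguous run of bytes inside haystack.
    static bool ContainsBytes(byte[] haystack, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= haystack.Length; i++)
            if (haystack.Skip(i).Take(needle.Length).SequenceEqual(needle)) return true;
        return false;
    }

    // Locate the first device-to-phone packet that carries the reading shown on the
    // display, then return the phone-to-device writes in the 'window' packets before it.
    public static List<AttPacket> WritesBeforeReading(IList<AttPacket> capture, string reading, int window)
    {
        byte[] needle = Encoding.ASCII.GetBytes(reading);
        int hit = -1;
        for (int i = 0; i < capture.Count && hit < 0; i++)
            if (!capture[i].FromPhone && ContainsBytes(capture[i].Value, needle)) hit = i;
        if (hit < 0) return new List<AttPacket>();  // reading not present as ASCII text
        return capture.Skip(Math.Max(0, hit - window)).Take(Math.Min(window, hit))
                      .Where(p => p.FromPhone).ToList();
    }

    static void Main()
    {
        byte[] cmd = { 0x64, 0x74, 0x0d, 0x0a, 0x00 };  // command bytes from the post
        var capture = new List<AttPacket>               // constructed sample, not real capture data
        {
            new AttPacket(120, true,  0x0021, new byte[] { 0x01, 0x00 }),
            new AttPacket(140, true,  0x000e, cmd),
            new AttPacket(152, true,  0x000e, cmd),
            new AttPacket(160, false, 0x000e, Encoding.ASCII.GetBytes("2.345m")),
        };
        foreach (AttPacket p in WritesBeforeReading(capture, "2.345", 2))
            Console.WriteLine("frame {0}, handle 0x{1:X4}: {2}", p.Frame, p.Handle, BitConverter.ToString(p.Value));
    }
}
```

Comparing the handle of each listed write with the handle of the packet that carried the reading shows whether command and data share one characteristic, as they do on this device.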

The next step was to write a test program to demonstrate how the Hersch LEM 50 can be controlled remotely.

Implement in Visual Studio


I created a C# project and added these assemblies:

Windows Runtime: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETCore\v4.5\System.Runtime.WindowsRuntime.dll
Windows: C:\Program Files (x86)\Windows Kits\10\UnionMetadata\10.0.17763.0\Windows.winmd

Then I connected my PC to the device from C#. The standard Microsoft Bluetooth library has an event called “ValueChanged”. This event is raised when the value of the characteristic changes. I wanted the changed value to be shown every time the event is raised.

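// At the top of the file:
using System;
using System.Runtime.InteropServices.WindowsRuntime;          // IBuffer.ToArray()
using Windows.Devices.Bluetooth.GenericAttributeProfile;

// Inside the class: handler for notifications from the characteristic.
private void gattCharacteristics_1_ValueChanged(GattCharacteristic sender, GattValueChangedEventArgs args)
{
    // Copy the notified value out of the WinRT buffer.
    byte[] buffer = args.CharacteristicValue.ToArray();

    // Dump every byte as index, decimal and hex to inspect the raw payload.
    int counter = 0;
    foreach (var elem in buffer)
    {
        Console.WriteLine($"{counter:d3}: {elem:d3} 0x{elem:X2}");
        counter++;
    }

    // The device sends the measurement as text, so decode the bytes as ASCII.
    Console.WriteLine(System.Text.Encoding.ASCII.GetString(buffer));
}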

You can decode this value with the ASCIIEncoding class from System.Text.

But for an automated measuring system you need to press the button remotely. To implement sending the command to the device, you can use this method on your first characteristic.

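// At the top of the file:
using Windows.Storage.Streams;                                // DataWriter

// Inside the class; sendCommandCharacteristic is a GattCharacteristic field.
private async void SendCommandToDevice()
{
    var writer = new DataWriter();
    // Trigger command: ASCII "dt" followed by CR, LF and a NUL byte.
    writer.WriteBytes(new byte[] { 0x64, 0x74, 0x0d, 0x0a, 0x00 });

    GattCommunicationStatus result = await sendCommandCharacteristic.WriteValueAsync(writer.DetachBuffer());
    if (result == GattCommunicationStatus.Success)
    {
        Console.WriteLine("Command was sent successfully...");
    }
    else
    {
        // Report failures instead of silently ignoring them.
        Console.WriteLine("Sending the command failed: " + result);
    }
}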


Remember that you have to call this method twice for a complete measurement!
Here is the link to the full source code: https://github.com/auto-scripting/LasterDistanceMeterHack

ESP32


I placed the device on 3D-printed parts connected to the stepper motor and used an ESP32 to control the whole measuring process.
The stepper motor has a resolution of up to 8000 steps per 360 degrees. With this resolution and some math on distance and angle using sine, cosine and tangent, I was able to create a map with a resolution of some millimeters at a distance of many meters.
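The angle and distance math described above, as an added example that is not code from the original post or its repository: each (step, distance) sample becomes an x/y point, and the gap between neighbouring points is computed for a given distance. It assumes the beam is level, step 0 points along the x axis, steps count counter-clockwise and the distance is measured from the rotation axis; ScanMap and the sample values are constructed.

```csharp
using System;
using System.Collections.Generic;

static class ScanMap
{
    public const int StepsPerRevolution = 8000;  // stepper resolution stated in the post
    public const double MaxRangeM = 50.0;        // maximum range stated in the post

    // Angle in radians of a step index counted from the motor's zero position.
    public static double StepToRadians(int step)
    {
        int s = ((step % StepsPerRevolution) + StepsPerRevolution) % StepsPerRevolution;
        return 2.0 * Math.PI * s / StepsPerRevolution;
    }

    // Convert (step, distance in metres) samples to x/y points with the meter at the
    // origin. Readings outside (0, MaxRangeM] are dropped as failed measurements.
    public static List<double[]> ToPoints(IEnumerable<KeyValuePair<int, double>> samples)
    {
        var points = new List<double[]>();
        foreach (var s in samples)
        {
            if (!(s.Value > 0.0 && s.Value <= MaxRangeM)) continue;  // also rejects NaN
            double a = StepToRadians(s.Key);
            points.Add(new[] { s.Value * Math.Cos(a), s.Value * Math.Sin(a) });
        }
        return points;
    }

    // Gap between two neighbouring points that are both at this distance (chord of one step).
    public static double PointSpacingM(double distanceM)
    {
        return 2.0 * distanceM * Math.Sin(Math.PI / StepsPerRevolution);
    }

    static void Main()
    {
        var sweep = new List<KeyValuePair<int, double>>  // constructed samples
        {
            new KeyValuePair<int, double>(0, 4.000),      // straight ahead
            new KeyValuePair<int, double>(2000, 2.500),   // quarter turn
            new KeyValuePair<int, double>(4000, 0.000),   // failed reading, dropped
        };
        foreach (double[] p in ToPoints(sweep))
            Console.WriteLine("x = {0:F3} m, y = {1:F3} m", p[0], p[1]);
        Console.WriteLine("spacing at 10 m: {0:F2} mm", PointSpacingM(10.0) * 1000.0);
    }
}
```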

A great feature of the Hersch LEM 50 is that it has a built-in spirit level, which leads to more accurate results.

Once my test equipment and software were done, I tried it in my garden, and here you can see the measured garden.

I really hope you enjoyed the post. You can now read other posts! 👋

Links


A good start with reverse engineering!

Workpro Space

Hersch LEM 50
