
Ngeco power2max cycling Bluetooth LE powermeter

Russhined

floppy disk · User · Registered: 27.10.2021 · Posts: 2 · Reactions: 0
Does anyone have experience of unbricking Bluetooth Stack GATT characteristics?

The power2max ngeco cycling powermeter is hardware which comes software-disabled out of the box, and needs to be registered to broadcast certain premium data features. This is done via the internet and their proprietary mobile app.

The unregistered hardware broadcasts "0" (zero) for the premium characteristic features.

The crank revolution data is enabled ("1").

A blog here touches on a similar problem: https://ptx2.net/posts/unbricking-a-bike-with-a-raspberry-pi/

I have successfully sniffed and captured the Bluetooth transactions[?] and have also identified that the power meter has the following functions in the Bluetooth stack[?]. Here is an excerpt of the data I've captured, with some of the identification codes removed:
------------------------------------------------------------------------
Packet capture file
------------------------------------------------------------------------
Bluetooth Attribute Protocol
    Opcode: Handle Value Notification (0x1b)
        0... .... = Authentication Signature: False
        .0.. .... = Command: False
        ..01 1011 = Method: Handle Value Notification (0x1b)
    Handle: 0x001f (Cycling Power: Cycling Power Measurement)
        [Service UUID: Cycling Power (0x1818)]
        [UUID: Cycling Power Measurement (0x2a63)]
    Flags: 0x0020, Crank Revolution Data, accumulated_torque_source: Wheel Based
        000. .... .... .... = Reserved: 0x0
        ...0 .... .... .... = Offset Compensation Indicator: False
        .... 0... .... .... = Accumulated Energy: False
        .... .0.. .... .... = Bottom Dead Spot Angle: False
        .... ..0. .... .... = Top Dead Spot Angle: False
        .... ...0 .... .... = Extreme_angles: False
        .... .... 0... .... = Extreme Torque Magnitudes: False
        .... .... .0.. .... = Extreme Force Magnitudes: False
        .... .... ..1. .... = Crank Revolution Data: True
        .... .... ...0 .... = Wheel Revolution Data: False
        .... .... .... 0... = accumulated_torque_source: Wheel Based (0x0)
        .... .... .... .0.. = Accumulated Torque: False
        .... .... .... ..0. = Pedal Power Balance Reference: False
        .... .... .... ...0 = Pedal Power Balance: False
    Instantaneous Power: 0
    Crank Revolution Data Cumulative Crank Revolutions: 115
    Crank Revolution Data Last Crank Event Time: 48109
-------------------------------------------------------------------------
Bluetooth Stack log file
-------------------------------------------------------------------------
  - Device Name [R W] (0xremoved)
  - Appearance [R] (0xremoved)
  - Peripheral Preferred Connection Parameters [R] (0xremoved)
Generic Attribute (0x1801)
  - Service Changed (0x2A05)
      Client Characteristic Configuration (0x2902)
Battery Service (0x180F)
  - Battery Level [N R] (0x2A19)
      Client Characteristic Configuration (0x2902)
Device Information (0x180A)
  - Manufacturer Name String [R] (0xremoved)
  - Model Number String [R] (0xremoved)
  - Serial Number String [R] (0xremoved)
Cycling Power (0x1818)
  - Cycling Power Measurement [N] (0x2A63)
      Client Characteristic Configuration (0x2902)
  - Cycling Power Feature [R] (0x2A65)
  - Sensor Location [R] (0x2A5D)
  - Unknown Characteristic [N R] (00004558-0000-1000-8000-00805f9b34fb)
      Client Characteristic Configuration (0x2902)
  - Cycling Power Control Point [I W] (0x2A66)
      Client Characteristic Configuration (0x2902)
Nordic UART Service (6e400001-b5a3-f393-e0a9-e50e24dcca9e)
  - TX Characteristic [N] (6e400003-b5a3-f393-e0a9-e50e24dcca9e)
      Client Characteristic Configuration (0x2902)
  - RX Characteristic [W WNR] (6e400002-b5a3-f393-e0a9-e50e24dcca9e)
Device Firmware Update Service (00001530-1212-efde-1523-785feabcd123)
  - DFU Packet [WNR] (00001532-1212-efde-1523-785feabcd123)
  - DFU Control Point [N W] (00001531-1212-efde-1523-785feabcd123)
      Client Characteristic Configuration (0x2902)
  - DFU Version [R] (00001534-1212-efde-1523-785feabcd123)

-------------------------------------------------

I have tried 'writing' to the power meter using the LightBlue Android app to enable the premium features without success.

I can provide more information if anyone is interested in helping me figure this out.
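
For readers following the capture above, a decoder for the Cycling Power Measurement (0x2A63) notification value, written as an added example that is not part of the original post. It follows the standard Bluetooth SIG field order for this characteristic; the sample bytes are reconstructed from the decoded values shown in the capture (not raw bytes from the post), and the function names are illustrative.

```python
import struct

# (flag bit, field names, little-endian struct format), in on-air order.
# Flag bits 1, 3 and 12 are indicators only and carry no payload field.
FIELDS = [
    (0,  ("pedal_power_balance",), "B"),
    (2,  ("accumulated_torque",), "H"),
    (4,  ("wheel_revs", "last_wheel_event_time"), "IH"),
    (5,  ("crank_revs", "last_crank_event_time"), "HH"),
    (6,  ("max_force", "min_force"), "hh"),
    (7,  ("max_torque", "min_torque"), "hh"),
    (8,  ("extreme_angles_raw",), "3s"),   # two packed 12-bit angles
    (9,  ("top_dead_spot_angle",), "H"),
    (10, ("bottom_dead_spot_angle",), "H"),
    (11, ("accumulated_energy",), "H"),
]

def parse_cpm(value: bytes) -> dict:
    """Decode a Cycling Power Measurement value; reject truncated payloads."""
    if len(value) < 4:
        raise ValueError("need at least flags (2 bytes) + power (2 bytes)")
    flags, power = struct.unpack_from("<Hh", value, 0)
    out = {"flags": flags, "instantaneous_power_w": power}
    offset = 4
    for bit, names, fmt in FIELDS:
        if not flags & (1 << bit):
            continue
        size = struct.calcsize("<" + fmt)
        if offset + size > len(value):
            raise ValueError(f"flag bit {bit} set but its field is truncated")
        out.update(zip(names, struct.unpack_from("<" + fmt, value, offset)))
        offset += size
    out["trailing"] = value[offset:]  # bytes the flags do not account for
    return out

def cadence_rpm(prev: dict, cur: dict) -> float:
    """Cadence between two notifications; both counters wrap at 16 bits."""
    revs = (cur["crank_revs"] - prev["crank_revs"]) & 0xFFFF
    ticks = (cur["last_crank_event_time"] - prev["last_crank_event_time"]) & 0xFFFF
    return 0.0 if ticks == 0 else revs * 60 * 1024 / ticks  # time unit: 1/1024 s

# Constructed from the capture's decoded fields:
# flags 0x0020, power 0, crank revolutions 115, last crank event time 48109.
SAMPLE = bytes.fromhex("20 00 00 00 73 00 ed bb")

if __name__ == "__main__":
    print(parse_cpm(SAMPLE))
```

The `trailing` entry makes it easy to spot a payload that carries more bytes than its flags declare.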

 
