FreeStyle Libre 2

Reverse engineering in progress.

Important device notes

USB IDs

Device             Vendor ID  Product ID
FreeStyle Libre 2  1a61       3950

Protocol

This device uses the shared HID protocol used by other meters in the FreeStyle family, but introduces encryption.

Text commands are sent by the original software as message type 0x21, with responses as 0x60.

Encryption

Following the handshake (Authorization), most of the messages sent to and by the Libre 2 devices are encrypted and protected with a 32-bit Message Authentication Code (MAC) and a 32-bit sequence number, which is kept independently by the software and the device.

The encryption covers the 55 bytes following the message type, while the MAC is calculated on the first 60 bytes of the message. A 64-bit MAC is calculated, but only 4 bytes of it are used.

Known messages that are not encrypted are pre-initialization commands, keep-alive commands (0x22) and error responses.

Authorization Sequence

START AUTHORIZE, CHALLENGE

The START AUTHORIZE message contains nothing but the sub-command itself.

The CHALLENGE response message contains the 8 bytes of the challenge, as well as 7 bytes of the initialization vector for encryption (zero-padded).

request-challenge-cmd = %x14 %x01 %x11
challenge-response = %x33 %x10 %x16 challenge-content challenge-iv
challenge-content = 8OCTET
challenge-iv = 7OCTET

CHALLENGE RESPONSE

The CHALLENGE RESPONSE message contains the response to the challenge expected by the device to authorize the requests from the software. The format of the message is as follows:

challenge-response-cmd = %x14 %x1A %x17
                         challenge-response-encrypted %x01
                         challenge-response-mac
challenge-response-encrypted = 16OCTET
challenge-response-mac = 8OCTET

The procedure to calculate the challenge has not yet been reversed, but here are some useful notes:

  • The authorization keys are generated based on the serial number of the device and the strings AuthrEnc (for encryption) and AuthrMac (for MAC).
  • The challenge-response-encrypted buffer is generated by encrypting challenge-content together with 8 bytes of random data. The encryption is initialized with the initialization vector challenge-iv.
  • The challenge-response-mac is calculated on the first 20 bytes of the message, including the message type, length, and the constant 0x01.
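
Added example (not part of the original notes or of any project's code): the START AUTHORIZE, CHALLENGE and CHALLENGE RESPONSE frame layouts from the ABNF above, in Python. The encrypted block and the MAC are taken as opaque inputs because their computation is not documented here; all function and constant names are illustrative.

```python
# Added example: frame layout only. The key derivation, cipher and MAC
# algorithm are not documented on the page, so they are opaque inputs here.
MSG_COMMAND = 0x14             # type byte of both handshake commands
MSG_CHALLENGE = 0x33           # type byte of the CHALLENGE response
SUB_START_AUTHORIZE = 0x11
SUB_CHALLENGE = 0x16
SUB_CHALLENGE_RESPONSE = 0x17


def build_start_authorize() -> bytes:
    """request-challenge-cmd: type, length 1, then only the sub-command."""
    return bytes([MSG_COMMAND, 0x01, SUB_START_AUTHORIZE])


def parse_challenge(msg: bytes) -> tuple[bytes, bytes]:
    """Return (challenge-content, challenge-iv) from a CHALLENGE response."""
    if len(msg) < 2 or msg[0] != MSG_CHALLENGE or msg[1] != 0x10:
        raise ValueError("not a CHALLENGE response (want type 0x33, length 0x10)")
    payload = msg[2:2 + msg[1]]          # ignores any bytes after the payload
    if len(payload) != msg[1]:
        raise ValueError("truncated CHALLENGE payload")
    if payload[0] != SUB_CHALLENGE:
        raise ValueError("unexpected sub-command 0x%02x" % payload[0])
    return payload[1:9], payload[9:16]   # 8-byte challenge, 7-byte IV


def build_challenge_response(encrypted: bytes, mac: bytes) -> bytes:
    """challenge-response-cmd from an opaque 16-byte block and 8-byte MAC."""
    if len(encrypted) != 16 or len(mac) != 8:
        raise ValueError("need 16 encrypted bytes and an 8-byte MAC")
    body = bytes([SUB_CHALLENGE_RESPONSE]) + encrypted + b"\x01" + mac
    return bytes([MSG_COMMAND, len(body)]) + body    # length byte is 0x1A


def mac_covered_bytes(frame: bytes) -> bytes:
    """First 20 bytes: type, length, sub-command, encrypted block, 0x01."""
    return frame[:20]


if __name__ == "__main__":
    # Constructed sample, not a capture from a real device.
    sample = bytes.fromhex("331016" "0102030405060708" "a1a2a3a4a5a6a7")
    challenge, iv = parse_challenge(sample + bytes(46))
    print(challenge.hex(), iv.hex())
    frame = build_challenge_response(bytes(16), bytes(8))   # placeholder values
    print(frame.hex(), mac_covered_bytes(frame).hex())
```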

CHALLENGE ACCEPTED

challenge-accepted-response = %x14 %x22 %x18
                              encrypted-challenge-response
                              (13OCTET)
                              challenge-response-mac
encrypted-challenge-response = 16OCTET