Custom Firmware For Cheap Fitness Trackers

The concept of wearable hardware is an enticing one, but it can be difficult to tackle for the first-time maker. While many of us are experienced at designing PCBs and soldering up arcane gadgets, interfacing with the soft and fleshy human form can present unforeseen difficulties. There’s a way around that, of course – leveraging an existing platform where someone else has already done the work. That’s precisely what [Aaron Christophel] has done, by reverse engineering and developing custom firmware for cheap fitness trackers (Google Translate).

The first part of [Aaron]’s work consisted of research and disassembly. After purchasing a wide variety of fitness trackers online, he eventually came across his favored unit, the Tracker I6HRC by IWOWNFIT. This features an nRF52832 microcontroller, as well as an IPS display, some Flash storage, and a vibration motor. Connectivity is handled over Bluetooth Low Energy. [Aaron] particularly rates it for the well-made case that can be disassembled without damage, and the spare USB 2.0 pads on the board which can be used to program the device over the SWD interface.

[Aaron] has developed an Arduino-compatible firmware which is discussed further in a forum post. Most of the peripherals on board have been explored, and reducing power consumption is a current area of active development.

Firmware hacks are always fun – have you considered giving your TV a custom boot screen? Have a FitBit original instead of the clone? There’s a hack for that too.

[Thanks to Jim for the tip!]

37 thoughts on “Custom Firmware For Cheap Fitness Trackers”

  1. Nice, I’m trying to make something in this kind of space, so I’ve just ordered one of these to look at more closely. I might start some documentation for my project for eventual HaD submission.

    1. I was looking on the typical China sites and for about 5-10 bucks more you can get cheap fitness trackers, still with an nRF52 microcontroller, with a u-blox GPS chip in them as well. But they only have something like a 6 hour battery life if the GPS functionality is enabled (20 days standby with GPS disabled). And the GPS chip, from cold start, takes about 40 seconds to get a lock.

        1. I was searching around AliExpress; I did not note the link, because I thought about it and decided not to get one. Went back through my browser history.
          I initially saw this one on sale for $44 (Nordic 52832 and u-blox), and went “I can do better”:
          https://www.aliexpress.com/item/KAIHAI-smart-watch-fitness-tracker-wristband-bracelet-gps-Positioning-without-phone-Pedometer-Heart-rate-Monitor-Pace/32851954981.html
          and then I found this one for ~$19 (Nordic 52832 and u-blox); you get the lowest price if you select random color.
          https://www.aliexpress.com/item/Greentiger-W7-smart-bracelet-GPS-heart-rate-smart-wristband-fitness-tracker-Music-Control-Sport-Smart-band/32922427015.html

        2. I’ll try posting again using only words; maybe direct links are not allowed. On AliExpress you should find one at around 20 bucks if you search for “Greentiger W7 smart bracelet GPS”.

      1. Hi Aaron, about the I6HRC – are the SWD pins on the USB data pins by default, so it is flashable without opening it, or is this your hack to connect them there after opening it? I don’t see the connections anywhere on the photos.
        What Nordic SoftDevice/SDK version is there by default? Can you read the original firmware via SWD or is the flash protected? Can the display be updated directly without using that font chip (why is it there anyway?). Thanks.

        1. Hi, unfortunately the SWD pins are not connected by default; there are test pads on the PCB labelled CLK and DIO and you have to connect so-called Kupferlackdraht (enamelled copper wire) to the USB D pins. It is hard to take a picture of it because it is behind the display.

          I don’t know the original SoftDevice. nRFgo just says it is unknown, with the ID 0x0091 and a size of 124 kB, so maybe custom. Also a 32 kB bootloader and 356 kB application.

          I was able to read the original firmware, but when I tried to flash it again it doesn’t boot anymore. Via IDA it is readable; also I have the update file of the firmware, but without bootloader and flashdevice.

          I don’t use the font chip at all right now, so the display works without it. The font chip has 64 kB writeable flash, so I think that’s one reason for it to be there; the nRF52 chip has no EEPROM, so maybe this is another reason.
          Plus the font chip has more language support, so it is easier to write the firmware for it.

          In most of the trackers I tore down there is this font chip; in some of them even one font chip and one 1 MB flash chip.

          1. Thanks a lot for the info. 0x91 is S132 V3.1.0 (https://devzone.nordicsemi.com/f/nordic-q-a/1171/how-do-i-access-softdevice-version-string), so maybe one cannot update it without having their private key. Anyway I guess I’ll probably get it; I see it on AliExpress for $19.28, which is not that bad. There is also the Lenovo HX-03F for a similar price (on GearBest when on sale) and with GPIO pins already available on the USB data pins; however it may be harder to open and close without damage for SWD hacking, and I don’t know the SoftDevice/SDK version. This I6HRC looks easier to close without visible damage (just like the DS-D6).
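To see what nRFgo is reading there: the SoftDevice carries an information structure at a fixed offset (layout per the SD_*_OFFSET macros in Nordic's nrf_sdm.h), so a flash image dumped over SWD can be checked for it directly and the FWID and version read out. The following is an added example, not code from the post or from [Aaron]'s firmware; the dump bytes are constructed to mirror the values reported above (FWID 0x0091, 124 kB), and the 0x18-byte long form of the struct with ID and version fields is assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Layout from Nordic's nrf_sdm.h: info struct 0x2000 bytes into the SoftDevice, which sits above the 4 kB MBR. */
#define MBR_SIZE          0x1000u
#define SD_INFO_OFFSET    0x2000u                    /* first byte = struct size */
#define SD_MAGIC_NUMBER   0x51B1E5DBu
#define SD_MAGIC_OFFSET   (SD_INFO_OFFSET + 0x04u)   /* uint32 */
#define SD_SIZE_OFFSET    (SD_INFO_OFFSET + 0x08u)   /* uint32 */
#define SD_FWID_OFFSET    (SD_INFO_OFFSET + 0x0Cu)   /* uint16 */
#define SD_ID_OFFSET      (SD_INFO_OFFSET + 0x10u)   /* uint32, long form only */
#define SD_VERSION_OFFSET (SD_INFO_OFFSET + 0x14u)   /* uint32, long form only */
#define DUMP_LEN          (MBR_SIZE + 0x3000u)       /* size of the constructed dump below */

typedef struct {
    uint32_t size_bytes;          /* flash the SoftDevice occupies; the app is linked after it */
    uint16_t fwid;                /* firmware ID, e.g. 0x0091 */
    uint32_t sd_id;               /* family, e.g. 132; 0 when the struct is the short form */
    uint32_t major, minor, patch; /* SD_VERSION = major*1000000 + minor*1000 + patch */
} sd_info_t;
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse a dump taken from address 0; false = too short or no SoftDevice magic present. */
bool sd_info_parse(const uint8_t *dump, size_t len, sd_info_t *out)
{
    const uint8_t *sd = dump + MBR_SIZE;
    if (len < MBR_SIZE + SD_VERSION_OFFSET + 4u || rd32(sd + SD_MAGIC_OFFSET) != SD_MAGIC_NUMBER) return false;
    memset(out, 0, sizeof *out);
    out->size_bytes = rd32(sd + SD_SIZE_OFFSET);
    out->fwid = (uint16_t)(sd[SD_FWID_OFFSET] | (sd[SD_FWID_OFFSET + 1] << 8));
    if (sd[SD_INFO_OFFSET] >= 0x18u) {  /* older SoftDevices use the short form (size 0x10) */
        uint32_t v = rd32(sd + SD_VERSION_OFFSET); out->sd_id = rd32(sd + SD_ID_OFFSET);
        out->major = v / 1000000u; out->minor = (v / 1000u) % 1000u; out->patch = v % 1000u;
    }
    return true;
}

/* Constructed image, not a real dump: only the info struct is filled, with the thread's values. */
static uint8_t g_dump[DUMP_LEN];
const uint8_t *build_constructed_dump(void)
{
    uint8_t *sd = g_dump + MBR_SIZE;
    sd[SD_INFO_OFFSET] = 0x18;                  /* long form: id and version present */
    wr32(sd + SD_MAGIC_OFFSET, SD_MAGIC_NUMBER);
    wr32(sd + SD_SIZE_OFFSET, 0x1F000u);        /* 126976 bytes = the reported 124 kB */
    sd[SD_FWID_OFFSET] = 0x91; sd[SD_FWID_OFFSET + 1] = 0x00;   /* FWID 0x0091 */
    wr32(sd + SD_ID_OFFSET, 132u);
    wr32(sd + SD_VERSION_OFFSET, 3001000u);     /* S132 3.1.0, per the reply above */
    return g_dump;
}
```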

      2. I am asking to figure out whether there is a way to update it via Nordic DFU without opening it. SDK>11 means updates are probably signed. With the DS-D6 the update works and there are GPIO pins available on the USB data pins; however the display is only a 128×32 OLED, so for a higher price (currently $17 on eBay) it is not that attractive. I got a few of them for $7.99 and another couple for $9.99, which was pretty good for a 52832.
        And BTW, with the nRF52832 I’d suggest Espruino; the power management is excellent and there is plenty of flash and RAM, so it is a good fit.

        1. I did find your GitHub entry before and read it; the OLED display is the only bad thing on that tracker.
          There are V10 fitness trackers that were at 9,99€ on Amazon with Prime and I got 10 of them to tinker with, also with nRF52832 and IPS display etc., so that’s a good deal.

          I have tested the DFU functions and wrote an app to bring the I6HRC into DFU mode, but when I try to update it it says wrong package, which could indicate that the secure features are enabled.

          I never used Espruino; Arduino is my world I think :D. I am down to 35 µA with BLE and accelerometer activated, so I think that’s not too bad; I know it could be better.

          1. Do you have a link for said product? I bought a couple of fitness trackers on AliExpress that said they had an nRF51822 on them but they didn’t. So I want to be more sure this time.

          2. Be very careful to check the listing shows what MCU is in the watch.

            i.e. either nRF51822 or nRF52832.

            Often they are falsely advertised as nRF52xxx or nRF51xxx, and when you take them apart you find they have a TI MCU or one from another manufacturer.

            I’ve bought several which didn’t have the MCU in them that I expected.

            At least if the watch is advertised as having a specific MCU, you have grounds to complain and get your money back if you receive the same-looking watch which contains a different MCU.

            BTW, one thing that is rather useful about the nRF51822 in terms of hacking is that the device read protection is not correctly implemented in the silicon, and it’s possible to read the flash by using a bit of GDB or OpenOCD scripting, and a bit of manual hacking to start with. (It’s all documented on the web in various places.)

          1. Well, if you have a firmware dump over SWD, one could possibly get the other key somehow from the bootloader binary?
            You always need the other key to verify, don’t you?

          2. Oh, no, sorry. There should be no public key in the update package; the public key should be in the bootloader instead, so it can verify the update which has been signed with the private key. So no, the private one is not there.

          3. Yes, I mean the signature is in the .dat file, so only the IWOWNFIT company has the private key, so we cannot use DFU without opening the tracker once. Here is some good info on that: https://devzone.nordicsemi.com/b/blog/posts/getting-started-with-nordics-secure-dfu-bootloader

            I think we should find a better way to communicate publicly; this is getting hard to read! Maybe a public Telegram group?

  2. Curt White has also done a load of work on fitness trackers, and Hackaday has a post about his work:

    https://hackaday.com/tag/x9-pro/

    https://github.com/curtpw/nRF5x-device-reverse-engineering

    Devices like the ID107HR have firmware which supports OTA firmware updates; however, AFAIK no one has got a reliable build process for these using OTA, because the application firmware needs to call the OTA function.

    A few people have tried to replace the original bootloader + OTA handler in the ID107HR, but the manufacturer uses non-standard vectors which can’t be changed in the nRF52 without connecting via SWD and doing a complete erase.

    In theory, you could write application code which dumped the entire (read-protected) memory in the watch and sent it via OTA, or wire a USB-to-serial adapter etc. to some spare pins, but I don’t think anyone has had the time and inclination to do that.

    It’s far easier and more practical just to find a watch like the X9-pro, which is easy to take apart, and solder some wires to the SWD pins.

    BTW, dismantling any of these watches which are waterproof almost destroys the case unless you are really careful, since they are glued together and won’t simply pop apart.

    1. >Devices like the ID107HR have firmware which supports OTA firmware updates; however, AFAIK no one has got a reliable build process for these using OTA, because the application firmware needs to call the OTA function.

      I got it running with the DS-D6; it has a non-standard DFU update over BLE (different service IDs, so nRF Connect won’t see it as DFU when in update mode); however its custom bootloader also accepts serial DFU with the standard Nordic nrfutil, and my build of Espruino for the matching SoftDevice just works. If the ID107HR does not use signed updates (a Nordic feature added in SDK12) there should be a way if you know the correct app start address for the matching SoftDevice. The same binary when flashed over SWD directly did not work for me, but when flashed via a DFU package it works fine with the original bootloader and SoftDevice.

      1. So if it accepts the package and flashes it, I guess it is only about correct linking. Yes, you cannot relocate the bootloader and need to just accept what is set up in the UICR registers; you also cannot update the SoftDevice to a different major version, but as long as you don’t mess with these and package just the app, correctly linked, it should work when updated via package (and not SWD).

        1. @fanoush

          Yes.

          That’s correct.

          Our plan was to replace the bootloader with a version which always went into OTA for a short period of time, so that coding stuff-ups could be handled by waiting for the battery to go flat.
          But the guys who were interested in doing this half-bricked their watches while trying to replace the bootloader via OTA.

          i.e. you only get one shot at replacing the bootloader via OTA, and after that you need to buy another watch if you want to try again.

          The watches that had corrupted bootloaders can be used, but only if you break them apart, which virtually ruins the case, since it’s firmly glued closed.

          And of course the manufacturer may have changed the whole OTA system since I last looked at them, so this would never be a guaranteed long-term strategy for repurposing the ID107HR.

          1. Well, there is no _long_ term strategy with a specific device anyway; it is a success if you figure out the details while it is still sold :-) Well, at least for the cheap stuff. And I guess once the device is in production they won’t change the bootloader or Nordic SDK version; they just fix the app.

            As for coding errors – there is at least a watchdog (which sadly clears the GPREGRET register), and it may help a bit if one sets the DFU flag right at the beginning of the app code, so the next random reboot goes to DFU mode, and also checks the reset reason at the beginning; if the reset reason is watchdog (or power-on) then again immediately set the DFU flag and reboot to the bootloader without continuing with the app code. This does not prevent a bad flash, but at least most bugs in the app. Also, once your app is flashed, the bootloader and UICR may possibly be cleared (then the SoftDevice runs your app directly at boot time) and/or reflashed from the app itself. But yes, there is often just one shot for each such stage, so the first device needs to be opened. But with a bit of luck it may be the last one :-) Well, at least if signed updates are not used.
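The boot-guard idea in that reply, as an added example (not code from the post or from any of the firmware discussed): the RESETREAS bit values and the 0xB1 DFU-start value are Nordic's, while the register struct is a host-side stand-in so the decision logic can be exercised off the device; the caller performs the actual reset when the guard returns true.

```c
#include <stdbool.h>
#include <stdint.h>

/* POWER->RESETREAS bit values from the nRF52832 product specification. */
#define RESETREAS_RESETPIN  (1u << 0)   /* reset pin */
#define RESETREAS_DOG       (1u << 1)   /* watchdog timeout */
#define RESETREAS_SREQ      (1u << 2)   /* soft reset, e.g. NVIC_SystemReset() */
#define RESETREAS_LOCKUP    (1u << 3)   /* CPU lockup */
/* Value the Nordic SDK bootloader checks for in POWER->GPREGRET to enter DFU. */
#define BOOTLOADER_DFU_START 0xB1u

/* Host-side stand-in for the memory-mapped POWER block (NRF_POWER on the chip). */
typedef struct { uint32_t resetreas; uint32_t gpregret; } power_regs_t;

/* RESETREAS is write-1-to-clear on the chip; the stand-in just masks the bits off. */
static void resetreas_clear(power_regs_t *p, uint32_t mask)
{
#ifdef NRF52
    p->resetreas = mask;
#else
    p->resetreas &= ~mask;
#endif
}

/* Call as the very first thing in the application, before any init that could crash.
 * Returns true when the caller should reset straight back into the bootloader. */
bool app_boot_guard(power_regs_t *power)
{
    uint32_t reason = power->resetreas;
    resetreas_clear(power, reason);            /* next boot sees only its own cause */

    bool power_on = (reason == 0);             /* POR/brown-out leaves no bit set */
    bool watchdog = (reason & RESETREAS_DOG) != 0;

    /* Arm the flag unconditionally, as the reply suggests: any unplanned reboot
     * from here on lands in DFU instead of re-running a broken app. */
    power->gpregret = BOOTLOADER_DFU_START;

    /* Per the thread, a watchdog reset leaves GPREGRET cleared, so the bootloader
     * started the app again; re-arm and bounce back now, before the app can misbehave. */
    return power_on || watchdog;
}

/* Call before a deliberate, healthy reboot so it does not end up in DFU. */
void app_disarm_dfu_flag(power_regs_t *power) { power->gpregret = 0; }
```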

        2. Yes. It’s a pain that the watchdog can’t be used, because of the GPREGRET issue.

          BTW.

          I did contact one of the manufacturers on Alibaba, asking about the minimum order quantity for watches with a custom bootloader installed, for a commercial project, and they initially said 1000, but then changed their mind and said 50,000 !

          My client was willing to buy 1000 but not 50,000 devices, so the project was stopped.

      2. Last time I looked, the ID107HR did not use signed firmware either. But my ID107HR is at least a year old now, and the new versions may use the newer SoftDevice and sign/encrypt the firmware.

  3. I have no desire to hack a fitness tracker, but I have often thought about how much fun it would be to hack a car GPS. I think it would be a riot to have a mode where Ti Ti (Ti Ti is the little person who lives in the GPS and tells you where to turn etc.) gets pissed when you don’t do what she says. No more “recalculating”; instead it might be “you missed another turn, you dumbass”.

    1. Do you live in France? (Titi sounds French.) At least one “Mappy” device (sorry, I don’t recall the name and I don’t own it anymore) uses Windows CE and shows up as a mass storage device with all the binaries on a computer. Should be relatively easy to hack (if you know your assembly language). I did not look closely at the voice files, but they aren’t encrypted or obfuscated; if you fiddle a bit with the settings you can import them as raw directly into Audacity. Have fun!

  4. Thank you for the insight. No, I live in the US. We have always just called the little synth voice in the GPS Tai-Tai, thinking more of something Asian.

    We have old Garmin GPSs. I don’t think they have any actual audio files but use the speech synth. Still, someplace in the bowels of her ROM there are no doubt the text strings she blurts out. You could have a bit of fun just changing some of them, but I was thinking more of having counters and timers, so if you don’t listen to her for a while she gets progressively madder at you, and when you start listening again she starts to calm down.

    1. The problem is accessing the memory. On the device I described it’s easy; on others it might involve taking the thing apart and looking for a JTAG or some other debugging/programming header. You might be lucky or not. The first step before looking for a screwdriver would be asking Google (and HaD) if somebody did it before.
      (And although I don’t use Google for most of my searches, I would use it for this particular search because you may get better results.)
      If you got a memory dump, the first thing to do would be to open it in a hex editor and have a look. Then you can use “strings” and look for readable stuff. Binwalk is also a great tool to figure out what you got. Then you can take it to your favorite disassembler, but understanding the result is complicated / a lot of work.
