Custom Firmware For Cheap Fitness Trackers

The concept of wearable hardware is an enticing one, but it can be difficult to tackle for the first-time maker. While many of us are experienced at designing PCBs and soldering up arcane gadgets, interfacing with the soft and fleshy human form can present unforeseen difficulties. There’s a way around that, of course – leveraging an existing platform where someone else has already done the work. That’s precisely what [Aaron Christophel] has done, by reverse engineering and developing custom firmware for cheap fitness trackers (Google Translate).

The first part of [Aaron]’s work consisted of research and disassembly. After purchasing a wide variety of fitness trackers online, he eventually came across his favored unit, the Tracker I6HRC by IWOWNFIT. This features an NRF52832 microcontroller, as well as an IPS display, some Flash storage, and a vibration motor. Connectivity is handled over Bluetooth Low Energy. [Aaron] particularly rates it for the well-made case that can be disassembled without damage, and the spare USB 2.0 pads on the board which can be used to program the device over the SWD interface.

[Aaron] has developed an Arduino-compatible firmware which is discussed further in a forum post.  Most of the peripherals on board have been explored, and reducing power consumption is a current area of active development.

Firmware hacks are always fun – have you considered giving your TV a custom boot screen? Have a FitBit original instead of the clone? There’s a hack for that too.

[Thanks to Jim for the tip!]

51 thoughts on “Custom Firmware For Cheap Fitness Trackers

  1. Nice, I’m trying to make something in this kind of space, so I’ve just ordered one of these to look at more closely. I might start some documentation for my project for eventual HaD submission.

    1. I was looking on the typical China sites and for about 5-10 bucks more you can get cheap fitness trackers, still with a NRF52 microcontroller, with u-blox GPS chip in them as well. But they only have like a 6 hour battery life if the GPS functionality is enabled (20 days standby, with GPS disabled). And the GPS chip from cold start, takes about 40 seconds to get a lock.

        1. Was searching around aliexpress, I did not note the link, because I thought about it and decided not to get one. Went back through my browser history.
          I initially saw this one on sale for $44 (NORDIC 52832 and u-blox), and went I can do better,

          and then I found this one for ~ $19 (NORDIC 52832 and u-blox) you get the lowest price if you select random color.

        2. I’ll try posting again using only words maybe direct links are not allowed, on ali express you should find one at around 20 bucks if you search for – Greentiger W7 smart bracelet GPS.

      1. Hi Aaron, about the I6HRC – the swd pins are on usb data pins by default so it is flashable without opening it or is this your hack to connect it there after opening it? I dont see the connections anywhere on the photos.
        What nordic softdevice/SDK version is there by default? Can you read original firmware via SWD or the flash is protected? Can the display be updated directly without using that font chip (why it is there anyway?). Thanks.

        1. Hi, unfortunatly the SWD pins are not connected by default, there are testpads on the pcb labeld as clk and dio and you have to connect so called kupferlackdraht to the usb D pins. It is hard to make a picture of it because it is behind the display.

          I don’t know the original softdevice. nRFgo just says it is unknown with the id 0x0091 and a size of 124kb so maybe custom. also a 32Kb bootloader and 356kb Application.

          I was able to read the Original firmware but when i tried to flash it again i doesnt boot anymore. via IDA it is readable, also i have the update file of the firmware but without bootloader and flashdevice.

          I dont use the Font Chip at all right now, so the display works without it, The font chip has 64kB writeable flash so i think thats one reason for it to be there, the nrf52 chip has no eeprom so maybe this is another reason.
          Plus the font Chip has more language support it is easyer to write the firmware for it.

          in most of the tracker i teared down is this font chip in some of them even one font chip and one 1mB flash chip.

          1. Thanks a lot for the info. 0x91 is S132 V3.1.0 So maybe one cannot update it without having their private key. Anyway I guess I’ll probably get it, I see it on aliexpress for $19.28 which is not that bad. There is also Lenovo HX-03F for similar price (on gearbest when on sale) and with gpio pins already available on usb data pins however it may be harder to open and close without damage for SWD hacking and I don’t know soft device/SDK version. This I6HRC looks easier to close without visible damage (just like DS-D6).

      2. I am asking to figure out whether there is a way to update it via Nordic DFU without opening it. SDK>11 means updates are probably signed. With DS-D6 the update works and there are GPIO pins available on USB data pins however the display is only 128×32 OLED so for higher price (currently $17 on ebay) it is not that much attractive. I got few of them for $7.99 and another couple for $9.99 which was pretty good for 52832.
        And BTW with nRF52832 I’d suggest Espruino, the power manangement is excellent and there is plenty of flash and RAM so it is a good fit.

        1. I did find your github entry before and read it, the oled display is the only bad thing on that tracker.
          There Are V10 Fitness tracker that where at 9,99€ on Amazon with prime and i got 10 of them to tinker. also with nrf52832 and ips display etc., so thats a good deal.

          i have tested the dfu functions and wrote an app to bring the i6hrc into DFU mode but when i try to update it it says wrong package that could indicate that the secure features are enabled.

          I never used espruino, arduino is my world i think :D i am down to 35uA with ble and Accel activated so i think thats not too bad, i know it could be better.

          1. Do you have a link for said product? I bought couple fitness trackers on aliexpress that said it had nrf51822 on them but they didn’t. So I want to be more sure this time.

          2. Be very careful to check the listing shows what MCU is in the watch.

            i.e either nRF51822 or nRF52832

            Often they are falsely advertised as nRF52xxx or nRF51xxx and when you take them apart you find they have a TI MCU or another manufacturer.

            I’ve bought several which didn’t have the MCU in them that I expected.

            At least if the watch is advertised as having a specific MCU, you have ground to complain and get your money back, if you receive the same looking watch which contains a different MCU.

            BTW. One thing that is rather useful about the nRF51822 in terms of hacking, is the device read protection is not correctly implemented in the silicon, and its possible to read the flash by using a bit GDB or OpenOCD scripting, and a bit of manual hacking to start with. (Its all documented on the web in various places)

          1. well, if you have firmware dump over swd one could possibly get the other key somehow from bootloader binary?
            You always need the other key to verify, isn’t it?

          2. oh, no sorry. there should be no public key in the update package, public key should be in the bootloader instead so it can verify the update which has been signed with private key, so no the private one is not there.

          3. Yes i mean the sign is in the .dat file so only the IWOWNFIT company has the Privat key so we cannot use DFU without opening the tracker once. Here is some good info on that: https:/devzone.nordicsemi. * com/b/blog/posts/getting-started-with-nordics-secure-dfu-bootloader remove the star.

            i think we should find a better way to communicate public this is getting hard to read ! Maybe a public telegram Group ?

  2. Curt White has also done a load of work on fitness trackers, and hackaday have a post about his work

    Devices like the ID107HR have firmware which has OTA firmware updates, however AFIK no one has got a reliable build process to these, using OTA, because the application firmware needs to call the OTA function.

    A few people have tried to replace the original bootloader + OTA handler in the ID107HR, but the manufacturer uses non-standard vectors which can’t be changed in the nRF52 without connecting via SWD and doing a complete erase.

    In theory, the you could write application code which dumped the entire (read protected) memory in the watch, and send it via OTA or wire a USB to Serial etc to some spare pins, but I don’t think anyone has had the time and inclination to do that.

    Its far easier and more practical, just to find a watch like the X9-pro, which is easy to take apart, and solder some wires to the SWD pins.

    BTW. Dismantling any of these watches which are waterproof , almost destroys the case unless you are really careful, since they are glued together, and won’t simply pop apart

    1. >Devices like the ID107HR have firmware which has OTA firmware updates, however AFIK no one has got a reliable build process to these, using OTA, because the application firmware needs to call the OTA function.

      I got it running with DS-D6, it has non-standard DFU update over BLE (different service IDs so nRF Connect won’t see it as DFU when in update mode) however its custom bootloader also accepts serial DFU with standard Nordic nrfutil and my build of Espruino for matching SoftDevice just works. If ID107HR does not use signed updates (Nordic feature added in SDK12) there should be a way if you know correct app start address for matching soft device. The same binary when flashed over SWD directly did not work for me but when flashed via DFU package it works fine with original bootloader and softdevice.

      1. So if it accepts the package and flashes it I guess it is only about correct linking. yes you cannnot relocate bootloader and need to just accept what is setup in UICR registers, you also cannot update softdevice to different major version, but as long as you don’t mess with these and package just the app correctly linked it should work when updated via package (and not SWD).

        1. @fanoush


          That’s correct.

          Our plan was to replace the bootloader with a version which always went into OTA for a short period of time, so that coding stuff-ups could be handled by waiting for the battery to go flat.
          But the guys who were interested in doing this, half bricked their watches while trying to replace the bootloader via OTA.

          i.e you only get one shot at replacing the bootloader via OTA, and after that you need to buy another watch if you want to try again.

          The watches that had corrupted bootloaders, can be used, but only if you break them apart, which virtually ruins the case, since its firmly glued closed.

          And of course the manufacturer may have changed the whole OTA system since I last looked at them, so this would never be a guaranteed long term strategy for repurposing the ID107HR

          1. Well, there is no _long_ term strategy with specific device anyway, it is a success if you figure out details when it is still sold :-) Well at least for the cheap stuff. And I guess once the device is in production they won’t change bootloader or Nordic SDK version, they just fix the app.

            As for coding errors – there is at least a watchdog (which sadly clears GPREGRET register) and it may help a bit if one sets DFU flag right at the beginning of the app code so next random reboot goes to DFU mode and also check for reset reason on the beginning and if the reset reason is watchdog (or poweron) then again immediatelly set DFU flag and reboot to bootloader without continuing with app code. This does not prevent bad flash but at least most of bugs in the app. Also once your app is flashed, the bootloader and UICR may possibly be cleared (then soft device runs your app directly at boot time) and/or reflashed from the app itself. But yes, there is often just one shot for each such stage so first device needs to be opened. But with a bit of luck it may be the last one :-) Well at least if signed updates are not used.

        2. Yes. Its a pain that the watchdog cant be used, because of the GPREGRET issue.


          I did contact one of the manufacturers on Alibaba, asking about the minimum order quantity for watches with a custom bootloader installed, for a commercial project, and they initially said 1000, but then changed their mind and said 50,000 !

          My client was willing to by 1000 but not 50,000 devices. So the project was stopped.

      2. Last time I looked the ID107HR does not used signed firmware either. But my ID107HR is at last a year old now, and the new versions may use the newer softdevice and sign/encrypt the firmware.

  3. I have no desire to hack a fitness tracker, but I have often thought about how much fun it would be to hack a car GPS. I think it would be a riot to have a mode where ti ti (ti ti is the little person who lives in the gps and tells you where to turn etc) gets pissed when you don’t do what she says. No more “recalculating” instead it might be you missed another turn you dumbass.

    1. Do you live in France? (Titi sounds french) At least one “Mappy”-device (sorry, i don’t recall the name and i don’t own it anymore) uses Windows CE and shows up as a mass storage device with all the binaries on a computer. Should be relatively easy to hack (if you know your assembly-language). I did not look closely at the voice files but they aren’t encrypted or obfuscated, if you fiddle a bit with the settings you can import them as raw directly into Audacity. Have fun!

  4. Thank you for the insight. No, I live in the US. We have always just called the little synth voice in the GPS Tai-Tai, thinking more like something Asian.

    We have old Garmin GPS’s. I don’t think they have any actual audio files but use the speech synth. Still, someplace in the bowels of her rom there are no doubt the text strings she blurts out. You could have a bit of fun just changing some of them, but I was thinking more like having counters and timers, so if you don’t listen to her for a while she gets progressively madder at you, and when you start listening again she starts to calm down.

    1. The problem is accessing the memory. On the device i described it’s easy, on other it might involve taking the thing appart and looking for JTAG/some other debugging/programming header. You might be lucky or not. First step before looking for a screwdriver would be asking Google (and HaD) if somebody did it before.
      (And altough i don’t use Google for most of my searches i would use it for this particular search because you may get better results.)
      If you got a memory-dump the first thing to do would be to open it in a hex editor and have a look. Then you can use “strings” and look for readable stuff. Binwalk is also a great tool to figure out what you got. Then you can take it to your favorite disassembler, but understanding the result is complicated / a lot of work.

  5. Hi Aaron,

    Great work there. I got myself one of the I6HRC and managed to take it apart to change the firmware. I am trying to program it directly using Nordic SDK on Segger Embedded Studio. I got the pin reference from the forum post here:

    I am able to turn on the motor, communicate with the accelerometer. However, I just cannot get something to display on the screen. The backlight is not turning on at all. Is there a pin the controls the backlight or turns on the LCD? Is it P0.30? I tried to set it to high, but nothing happens.

    1. Hi, you got the wrong pinout i think.

      Here is the right one for the I6HRC Tracker:

      You Are kind of right. the “Master Power pin is P0.30 for the overall power supply and the Backlight Driver pin is P0.04 you need to set P0.30 high and then you can set P0.04 high or give out a PWM signal. bedder is PWM because on full backlight it takes about 20mA

      Have a nice day.

      1. Thanks Aaron for the quick reply. I will try it out soon. I was looking at the same pin out table, its just that I couldn’t understand what language it is (German?).

        So now I understand that P0.04 is to turn on the LCD backlight. But I am confuse about the function of P0.30. When you say master power, do you mean P0.30 controls power to the LCD, Heart rate monitor, accelerometer etc?

        1. Unfortunately i haven’t really figured it out what P0.30 really does, Display sensor is still working without it. you have to turn it on for the back-light.
          Maybe the light sensor is on it.
          In every sketch i turn the P0.30 on when the MCU comes out of the sleep mode.

  6. Hi Aaron,

    I have a question on the touchscreen. In the pin mapping table, it says pin P0.26 and P0.27 is used for touch and they are active LOW.

    I tried to go a simple digital read, but it is not responding. How are you detecting the touch? Do you use a simple digital read too? Or are you using the capsense library provided by Nordic?

    is there a touch controller IC in the PCB?

    1. Hi Kian,
      Yes it is P0.26 and P0.27 and i use then only with digitalRead, because there is one Touch controller.
      so it should work it is also not needed to turn any other pin high, it should directly work.

      maybe you didnt set them as input?

      Do you have the I6HRC ?

      have a nice day.

      1. Hi Aaron,

        Yes, I have the I6HRC. They are easily available on taobao (china website).

        I got the touch sensing to work already. Thanks. Its not easy doing the development using Nordic SDK. But if offer much more functions and features compared to using Arduino to program.

  7. Hello .
    My company has to develop a BLE bracelet for disabled people. In particular, the bracelet must give some commands for the operation of a wheelchair with an electric motor.
    The bracelet must recognize some typical movements of those who use a wheelchair. in particular the thrust on the wheels.
    Another important function is an immediate stop command for dangerous situations.
    Our electronic control can communicate in BT with the bracelet which will be read as sleves.
    Can anyone help us in this development?
    We want to use a product on the market that already has the necessary certifications for sale and use it as an accessory to our system.
    We clearly pay for this development.
    Thanks to you.

  8. hi everyone, i have a chinese smartwatch D20, it has a HS6620 microprocessor, the board has not many details, but i would like to get the opinion of someone else coalified, i would like to hack de firmeware like a personal proyect

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.