Bike Computer Exploration Uncovers A Hidden Android

As a happy side-effect of the smartphone revolution, the world is now awash with tiny computers that are incredibly cheap thanks to the nearly unfathomable volumes in which their components are manufactured. There wouldn’t be a $10 Raspberry Pi Zero if the billions of smartphones that were pumped out before it hadn’t dropped the cost of the individual components to literal pennies. That also means that smartphone hardware, or at least systems that are very close to it, have started to pop up in some unexpected places.

When [Joshua Wise] recently took ownership of a Wahoo ELEMNT BOLT bike computer, he wondered how it worked. With an impressive list of features such as Internet connectivity, GPS mapping, and Bluetooth Low Energy support, he reasoned the pocket-sized device must have some pretty decent hardware under the hood. With some poking and prodding he found the device was powered by a MediaTek SoC and, incredibly, had a full-blown install of Android running in the background.

So how does one find out that their lowly bike computer is essentially a cleverly disguised smartphone? If you’re [Joshua], you listen to who it’s trying to talk to when doing a firmware update over the Internet. He used mitmproxy running between his Internet connection and a WiFi access point set up specifically for the BOLT; from there, he was able to see all of the servers it was connecting to. Seeing the device pull some data down from MediaTek’s servers was a pretty good indication of whose hardware was actually inside the thing, and when it ultimately downloaded some Android .apk files from the Wahoo website, it became pretty clear what operating system it was running underneath the customized user interface.
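As an added example (not code from the article or from [Joshua]’s own write-up), this mitmproxy addon builds the kind of inventory described above: which hosts a device contacts during an update and which responses are Android packages, recognised by their ZIP contents rather than by file name. The hostnames and the `constructed_flow` helper are made up so the script also runs without a proxy.

```python
# Added example: a mitmproxy addon, loaded with `mitmdump -s egress_inventory.py`.
import io
import zipfile
from collections import Counter
from types import SimpleNamespace as NS

APK_MIME = "application/vnd.android.package-archive"

def looks_like_apk(path, content_type, body):
    """True when a response is an Android package, judged by content first."""
    if body[:4] == b"PK\x03\x04":  # ZIP local-file header
        try:
            with zipfile.ZipFile(io.BytesIO(body)) as zf:
                return "AndroidManifest.xml" in zf.namelist()  # every APK has one
        except zipfile.BadZipFile:
            pass  # truncated body: fall back to the metadata below
    name = path.split("?", 1)[0].lower()
    return name.endswith(".apk") or content_type.lower().startswith(APK_MIME)

class EgressInventory:
    """Counts requests per host and lists the APKs the device downloads."""
    def __init__(self):
        self.hosts = Counter()
        self.apk_downloads = []
    def response(self, flow):  # mitmproxy hook: one call per completed response
        req, resp = flow.request, flow.response
        self.hosts[req.pretty_host] += 1
        ctype = resp.headers.get("content-type", "")
        if looks_like_apk(req.path, ctype, resp.content or b""):
            self.apk_downloads.append(f"{req.scheme}://{req.pretty_host}{req.path}")
    def done(self):  # mitmproxy hook: called at shutdown
        for host, n in self.hosts.most_common():
            print(f"{n:4d}  {host}")
        print("APKs:", *self.apk_downloads, sep="\n  ")

addons = [EgressInventory()]

def constructed_flow(host, path, body, ctype="application/octet-stream"):
    """Stand-in for a mitmproxy flow, for offline use; all values are made up."""
    return NS(request=NS(pretty_host=host, path=path, scheme="https"),
              response=NS(headers={"content-type": ctype}, content=body))
if __name__ == "__main__":
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"constructed")
    inv = EgressInventory()
    inv.response(constructed_flow("soc-vendor.example", "/agps.dat", b"\x00\x01"))
    inv.response(constructed_flow("device-vendor.example", "/fw/pkg.bin", buf.getvalue()))
    inv.done()
```

Checking the archive contents catches packages served under a neutral name or a generic content type, which a file-extension filter alone would miss.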

Further examination of the Bolt’s software brought to light a few troubling issues. It turned out that the firmware made extensive use of Apache-licensed code, for which no attribution was given. [Joshua] contacted the company and was eventually referred to Wahoo’s CEO, Chip Hawkins. Refreshingly, Chip was not only very interested in getting the licensing issues sorted out, but even had some tips on hacking and modifying the device, including how to enable ADB.

Before the publication of this article, we reached out to Chip Hawkins (yes, he really does respond to emails) for a comment, and he told us that not only has he made sure that all of the open source packages used have now been properly attributed to their original authors, but that his team has been providing source code and information to those who request it. He says that he’s been proud to see owners of his products modifying them for their specific needs, and he’s happy to facilitate that in any way that he can.

Open source license compliance is a big deal in the hacking community, and we’ve seen how being on the wrong side of the GPL can lead to lost sales. It’s good to see Wahoo taking steps to make sure they comply with all applicable licences, but we’re even more impressed with their positive stance on customers exploring and modifying their products. If more companies took such an enlightened approach to hacking, we’d all be a lot better off.

[Thanks to Roman for the tip.]

26 thoughts on “Bike Computer Exploration Uncovers A Hidden Android”

  1. Wow, I’m very happy to read a story about a company putting right its open source obligations, and engaging with hackers in this way. I googled the device name immediately when I read it in the article and was a little put off by the relatively high price, but I’ll definitely consider it when it’s time for me to resume my cycling commute.

    1. I’ll admit to being pretty surprised at the price myself, but I’ve also never purchased a high-end bike computer, so not really sure what the market is like. The fact that Joshua picked this over the Garmin to me seemed to say that the value was there.

      1. $300 seemed like a lot when I bought my ELEMNT a couple of years ago, but it has been amazingly reliable. A long-battery-life, weather-resistant GPS that can keep me from getting lost on long rides is well worth the money, especially when amortized over the number of miles I’ve had it– and it’s still less expensive than many of its peers.

  2. What you may be seeing is the last gasp of dedicated bike instrumentation as apps like Strava & mapping software take over for the tiny LCD screens of the past. An old phone, or no-contract special plus a clip to hold it on the bars and off you go.

    What would be interesting would be a bluetooth cadence sensor for those apps…hmmm…..

    1. I have made one for my stationary bike (and racing game controller in one) with ESP32 and a Hall sensor and it was rather easy, as I was provided with excellent help from NeilKolban and other people involved with ESP32 sources.

      Weatherproofing it would be the tough part, I guess.

    2. I disagree. These things can usually take a few knocks and cope with rain etc. Battery lasts longer than a phone running GPS (12 hours runtime needed by some enthusiastic riders).

      1. Correct. Dedicated cycling computers are not going anywhere. ANT+ communication, long battery life, tactile button (because a wet phone screen doesn’t work), and to top it off, IIRC, rules prevent use of a phone when bike racing.

        1. For the few percent of the real bike enthusiasts I can see a dedicated computer being what you need. On the flip side, for the vast majority of casual riders, I can see the old phone based systems being perfectly serviceable. The vast majority of the people I know are casual fair weather bikers.

          1. Sure, casual riders are just fine with a phone mount. But there are a lot of serious cyclists out there. I just did a quick Google search and saw that there were 70,000 USAC racing members in 2013. A large chunk of racers don’t bother with USAC licensing and only participate in unsanctioned races, so we can add a lot to that number…. And that’s only for the US, which is not exactly a country made of cycling fans.

    3. That isn’t even remotely true. Phones mounted to handlebars don’t have the durability, battery life, and usability (especially with sweaty hands) that dedicated bike computers have.

      1. And think about aerodynamics :)

        As a passionate road bike rider myself, a dedicated bike computer is far better suited. Form factor and usability are the main pros, readability and aerodynamics minor ones.

        1. Don’t forget reliability! It’s a data acquisition device as its #1 function. As a pro level racer, losing data is not cool. My ELEMNT has been rock solid for several years now; I can’t say the same for my old Garmins.

      2. Another factor is that my OLED phone screen would be hard to read in bright light, but I can read the reflective LCD display of my Garmin just fine. I’ve had a Garmin Edge for about 10 years. When the first one became unreliable, I had the choice of just using my phone and the free app, or to shell out $200 for another Garmin Edge. It wasn’t a hard decision to get another Edge, for all the reasons just stated.

  3. This is some great investigative hacking! I admire the Bolt’s simplicity over the competition’s need to add more and more to a cycling computer but falling on their face for speed and battery life – I never would have thought it ran Android. Great work from the Wahoo team in execution but also in appearing to embrace the exploration rather than send in the lawyers.

  4. I have an Elemnt Bolt, and it isn’t exactly a secret that it is running Android. If you connect it to a PC, there are Android-related folders in the file system. Also, if you look at the device name on a router when it connects to wifi, its name contains the word “android” (I don’t remember exactly what it is called).

    It is nice that the CEO seems interested in supporting hacking the device.

    1. I don’t see why not, as long as the display supports grayscale graphics and you have some way of controlling the game using a custom apk. It would take some time to dump the firmware and look over the kernel to see what support is there, and I’m sure that similar things are going to happen very soon seeing that the company that produces these is warming up to the hacking community.
