OTA Flash Tool Makes Fitness Tracker Hacking More Accessible

Over the last several months, [Aaron Christophel] has been working on creating a custom firmware for cheap fitness trackers. His current target is the “D6 Tracker” from a company called MPOW, which can be had for as little as $7 USD. The ultimate goal is to make it so anyone will be able to write their own custom firmware for this gadget using the Arduino IDE, and with the release of his new Android application that allows wirelessly flashing the device’s firmware, it seems like he’s very close to realizing that dream.

Previously, [Aaron] had to crack open the trackers and physically connect a programmer to update the firmware on the NRF52832-based devices. That might not be a big deal for the accomplished hardware hacker, but it’s a bit of a hard sell for somebody who just wants to see their own Arduino code running on it. But with this new tool, he’s made it so you can easily switch back and forth between custom and original firmware on the D6 without even having to take it off your wrist.

After the break, you can see the video that [Aaron] has put together which talks about the process of flashing a new firmware image. It’s all very straightforward: you simply pick the device from the list of detected BLE devices, the application puts the tracker into bootloader mode, and then you select the DFU file you want to flash.

There are a couple of ready-made firmwares you can put on the D6 right now, but where’s the fun in that? [Aaron] has put together a customized version of the Arduino IDE that provides everything you need to start writing and flashing your own firmware. If you’ve ever dreamed about creating a wearable device that works exactly the way you want, it’s hard to imagine a cheaper or easier way to get in on the action.

When we last heard from [Aaron] earlier this year, he was working on the IWOWN I6HRC tracker. But it looks like the availability of those devices has since dried up. So if you’re going to try your hand at hacking the MPOW D6, it might be wise to buy a few now while they’re still cheap and easy to find.

25 thoughts on “OTA Flash Tool Makes Fitness Tracker Hacking More Accessible”

  1. Anyone else bothered by the fact that you can flash this over the air with no user intervention? Would be prudent to have the bootloader require holding down the button on boot to get into flash update mode. Seems ripe for someone wanting to hack your fitness tracker without your knowledge.

    1. Well, since you mention it…

      I originally had a line in here wondering the same thing, as it seems there’s nothing preventing somebody from weaponizing the firmware update mechanism and remotely bricking all the D6 trackers within BLE range. But realistically, I don’t know what the chances are of you actually running into another person running one of these ultra-cheap fitness bands in the real-world, so the damage of such an attack might be pretty limited.

    2. It is indeed a security risk, but high is the possibility to find one in the wild.

      Also only one device can connect at a time, if you have the smartphone nearby and connected to the D6 it will not be shown on other devices while scanning or in the D6Flasher.

      1. Location Services and Bluetooth access are now linked.
        Can’t sync your fitbit without having Location Services on and available to the fitbit app.
        Google enforces it, not fitbit, but the app will let you know if you try to thwart it.

  2. I have the same issue with the Bose Hearphone app. You can download it, but you have to enable location services to use it. YUCK. This exceeds my interest in the Hearphone app.

        1. You can try to take the permission away after devices are set up, the permission is needed only for scanning nearby devices and getting a list of them (as someone can derive your location from such a list). Once the app has the MAC address it can connect without this permission, so you may try denying the dialog next time and see if it connects and works.

  3. Actually MPOW is just a seller brand. The manufacturer is Desay Infor Technology and makes more devices for other brands like Lenovo, and the internal design (TTL serial on USB data pins, nRF52 pinout, bootloader, firmware) seems to be basically the same for all nRF52832 devices they make. DS-D6 is cheapest, but if you prefer a wider OLED display or a color one you may also check Lenovo HX03W or HX03F. More info here: https://github.com/fanoush/ds-d6

    1. Thanks! Several of these devices are now making their way slowly to my mailbox.
      I’m terribly tired of Fitbit’s sloppy software quality, crappy app UI, and hazardous firmware updates, although I am fond of their hardware (I like the Zip: the most accurate step counting, and HR2).
      (I accidentally “reported” your comment while looking for some way to favorite it or +1 it.
      I think it’ll be pretty clear what happened).
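
The first comment above suggests having the bootloader require a held button before it enters flash update mode. A sketch of that gate follows as an added example; it is not code from the D6 bootloader or from [Aaron]'s tools. The flag name, the timings and the polling scheme are all assumptions, and the button samples are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names and timings; none of this is taken from the D6 bootloader. */
#define SAMPLE_PERIOD_MS 10u    /* button polled every 10 ms */
#define HOLD_MS          1500u  /* uninterrupted press needed to confirm */
#define WINDOW_MS        5000u  /* after this the normal firmware boots */

typedef enum { BOOT_APP, BOOT_DFU } boot_target_t;

/* dfu_requested: flag set over BLE before the reset (assumed mechanism).
 * samples: button state polled every SAMPLE_PERIOD_MS since reset. */
boot_target_t decide_boot(bool dfu_requested, const bool *samples, size_t n)
{
    uint32_t elapsed_ms = 0, held_ms = 0;

    if (!dfu_requested)
        return BOOT_APP;               /* nobody asked for an update */
    for (size_t i = 0; i < n && elapsed_ms < WINDOW_MS; i++) {
        elapsed_ms += SAMPLE_PERIOD_MS;
        /* Releasing the button resets the count, so short taps never add up. */
        held_ms = samples[i] ? held_ms + SAMPLE_PERIOD_MS : 0;
        if (held_ms >= HOLD_MS)
            return BOOT_DFU;           /* wearer confirmed on the device */
    }
    return BOOT_APP;                   /* a radio request alone is ignored */
}

/* Constructed input: button pressed from start_ms for len_ms after reset. */
boot_target_t simulate(bool dfu_requested, uint32_t start_ms, uint32_t len_ms)
{
    bool samples[WINDOW_MS / SAMPLE_PERIOD_MS];
    size_t n = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < n; i++) {
        uint32_t t = (uint32_t)i * SAMPLE_PERIOD_MS;
        samples[i] = t >= start_ms && t - start_ms < len_ms;
    }
    return decide_boot(dfu_requested, samples, n);
}
```

With this policy an update request that arrives over BLE falls through to the normal firmware unless the wearer also holds the button for the full 1.5 seconds inside the 5 second window.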
