Pulling Display Data Off Of A Fitness Tracker

[Aaron Christophel] writes in with yet another clever hack for his D6 Fitness Tracker. Using OpenOCD and Pygame, he shows how you can pull data right off the tracker’s screen and sent it to the computer.

This one appealed to us for its brevity. First [Aaron] launches the OpenOCD server which connects to the D6. Then, a short Python script connects to the server through telnet, reads the screen data, and uses a look-up table to turn the data into a duplicate display on the PC screen. If you’re more of a visual learner, there’s a demonstration video after the break.

The D6 is a popular fitness tracker that’s often re-branded and sold at a very low cost. [Aaron] is a big fan of these Nordic nRF52 powered devices, and we’ve covered some of his hacks before. If you’d like to learn more about these interesting little devices there’s quite a write-up on their inner-workings here.

Continue reading “Pulling Display Data Off Of A Fitness Tracker”

Punch Through Switches Gears, Shucks Beans

Do you own a LightBlue Bean or Bean+ from Punch Through? If you don’t have one now, you probably never will, as the company has recently announced they’re no longer selling or supporting the Bluetooth Low Energy microcontrollers. The company says that after selling more than 100,000 Bean devices, the challenge of keeping up with a constantly evolving software ecosystem became too difficult, and they are instead going to focus their efforts on advising other companies on how to best develop Bluetooth products.

Frankly, that sounds a bit like getting advice on how to build a fully armed and operational battle station from the Empire, but who are we to judge. While the Bean family of devices clearly wasn’t able to go the distance, Punch Through at least got them out the door and supported them for longer than many might have expected given the increased competition in the BLE market. It’s not hard to do the math: the LightBlue Bean retailed for around $35 USD, and today you can get a BLE-capable ESP32 for five bucks.

So what happens to all those Beans out in the wild? Normally, the parent company dropping support for a microcontroller wouldn’t be that big of a deal, but this time around we have the “Bean Loader” to contend with. This piece of software is used to push code to the device over Bluetooth, and it’s possible that the constant march of operating system upgrades (especially on mobile devices) will eventually break it. Long story short, there’s nothing to worry about in the short term. But down the road, these Beans might be baked.

Luckily, Punch Through did provide some pretty extensive documentation for the Beans. If there’s significant demand, we imagine the community will do their best to take over development of whatever ancillary software is required to keep the hardware usable for the foreseeable future. Speaking of which, the schematics and PCB layouts for both the Bean and Bean+ have been released under the Creative Commons Attribution 4.0 International license, so it’s not outside the realm of possibility that somebody else might put them back into production.

[Thanks to Chris for the tip.]

OTA Flash Tool Makes Fitness Tracker Hacking More Accessible

Over the last several months, [Aaron Christophel] has been working on creating a custom firmware for cheap fitness trackers. His current target is the “D6 Tracker” from a company called MPOW, which can be had for as little as $7 USD. The ultimate goal is to make it so anyone will be able to write their own custom firmware for this gadget using the Arduino IDE, and with the release of his new Android application that allows wirelessly flashing the device’s firmware, it seems like he’s very close to realizing that dream.

Previously, [Aaron] had to crack open the trackers and physically connect a programmer to update the firmware on the NRF52832-based devices. That might not be a big deal for the accomplished hardware hacker, but it’s a bit of a hard sell for somebody who just wants to see their own Arduino code running on it. But with this new tool, he’s made it so you can easily switch back and forth between custom and original firmware on the D6 without even having to take it off your wrist.

After the break, you can see the video that [Aaron] has put together which talks about the process of flashing a new firmware image. It’s all very straightforward: you simply pick the device from the list of detected BLE devices, the application puts the tracker into bootloader mode, and then you select the DFU file you want to flash.

There are a couple of ready-made firmwares you can put on the D6 right now, but where’s the fun in that? [Aaron] has put together a customized version of the Arduino IDE that provides everything you need to start writing and flashing your own firmware. If you’ve ever dreamed about creating a wearable device that works exactly the way you want, it’s hard to imagine a cheaper or easier way to get in on the action.

When we last heard from [Aaron] earlier this year, he was working on the IWOWN I6HRC tracker. But it looks like the availability of those devices has since dried up. So if you’re going to try your hand at hacking the MPOW D6, it might be wise to buy a few now while they’re still cheap and easy to find.

Continue reading “OTA Flash Tool Makes Fitness Tracker Hacking More Accessible”

Broken HP-48 Calculator Reborn As Bluetooth Keyboard

Considering their hardware specification, graphing calculators surely feel like an anachronism in 2019. There are plenty of apps and other software available for that nowadays, and despite all preaching by our teachers, we actually do carry calculators with us every day. On the other hand, never underestimate the power of muscle memory when using physical knobs and buttons instead of touch screen or mouse input. [epostkastl] combined the best of both worlds and turned his broken HP-48 into a Bluetooth LE keyboard to get the real feel with its emulated counterpart.

Initially implemented as USB device, [epostkastl] opted for a wireless version this time, and connected an nRF52 based Adafruit Feather board to the HP-48’s conveniently exposed button matrix pins. For the software emulation side, he uses the Emu48, an open source HP calculator emulator for Windows and Android. The great thing about Emu84 is that it supports fully customizable mappings of regular keyboard events to the emulated buttons, so you can easily map, say, the cosine button to the [C] key. The rest is straight forward: scanning the button matrix detects button presses, maps them to a key event, and sends it as a BLE HID event to the receiving side running Emu84.

As this turns [epostkastl]’s HP-48 essentially into a regular wireless keyboard in a compact package — albeit with a layout that outshines every QWERTY vs Dvorak debate. It can of course also find alternative use cases, for examples as media center remote control, or a shortcut keyboard. After all, we’ve seen the latter one built as stomp boxes and from finger training devices before, so why not a calculator?

Continue reading “Broken HP-48 Calculator Reborn As Bluetooth Keyboard”

New Bluetooth 5 Channel Hopping Reverse Engineered For Jamming And Hijacking

Bluetooth Low Energy (BLE) 5 has been around since 2016 with the most recent version 5.2 published just this year. There’s not much hardware out there that’s using the new hotness. That didn’t stop [Damien Cauquil] from picking apart BLE 5’s new frequency hopping techniques and updating his BtleJack tool to allow sniffing, jamming and hijacking hardware using the new protocol.

As you can imagine, the BLE standard a complicated beast and just one part of it is the topic here: the PRNG-based frequency hopping scheme that is vastly different from BLE 4.x and earlier. The new standard, called Channel Selection Algorithm (CSA) #2 — uses 65535 possible channels, compared to just 37 channels used by its predecessor. Paired devices agree to follow a randomized list of all possible channels in sequence so that they remain in synchronization between hops. This was put in place to help avoid collisions, making it possible for many more BLE devices to operate in close proximity. This is important to note since it quickly becomes obvious that it’s not a robust security measure by any means.

To begin channel hopping the two devices must first agree on an order in which to hop, ensuring they’ll meet one another after each leap. To do so they both run the same 32-bit seed number through a PRNG algorithm, generating a list that will then be followed exactly in order. But it turns out this is not very difficult to figure out. All that’s needed is the access address whose top 16-bits are publicly available if you’re already sniffing packets, and the bottom 16-bits is the counter that increments the hop address list.

If you want to jam or hijack BLE 5 communication you need to establish which “randomized” channel list is being used, and the value of the counter that serves as an index to this list. To do so, [Damien] sniffs packets on two different channels. These channels will be used over and over again as it loops through the channel list, so calculating how much time occurs between each channel indicates how far apart these channels are on the list.

In practice, [Damien] first implemented a sieve (the same concept as the Sieve of Eratosthenes for finding primes) that starts with a list of all possibilities and removes those that don’t contain a matching timing between the two channels. Keep doing this, and eventually, you’ll whittle your list down to one possible channel order.

This certainly worked, but there were timing issues that sometimes meant you could learn the seed but couldn’t then sync with it after the fact. His second approach uses pattern matching. By measuring hops on 11 consecutive channels, he’s able to synchronize with target devices in a minute or less. From there, jamming or hijacking methods come into play. The randomization of this scheme is really marginal. A more robust technique would have used an internal state in both devices to generate the next hopping channel. This would have been much more difficult for an attacker to figure out. From the device perspective, CSA #2 takes very little computation power which is key for power-sipping IoT devices most often using BLE.

As mentioned before, [Damien] had trouble finding any hardware in the wild using the BLE 5 standard. His proof of concept is built on a pair of nRF52840 development boards. Because it needs more testing, the code hasn’t been merged into the main version of BtleJack, but you can still get it right now by heading over to BtleJack repo on GitHub.

Neat Smart(ish) Watch Build Uses BLE

Digital watches are a pretty neat idea, and are a great way to experiment with designing and building low-power circuits. That’s what [Eric Min] did with this neat smart watch build. It’s based around an nRF52832 SoC that does all of the heavy lifting, including connecting to a smartphone to get the time when the battery is replaced. It also has a decent quantity of blinky LEDs, which is important on any project of this type.

Continue reading “Neat Smart(ish) Watch Build Uses BLE”

Scratch Built Smartwatch Looks Pretty Darn Sharp With 3D Printed Case And Round LCD

These days, if you want a smart watch, you’re spoiled for choice. The major smartphone players all have devices on the market, and there’s plenty of third party manufacturers vying for your dollar, too. You might think it’s impossible achieve the same finish with a 3D printer and a reflow oven, but you’re wrong. [Samson March] didn’t quite fancy something off the shelf, though, and instead build an amazing smartwatch of his own.

The beautiful case is printed in a woodfilled PLA — consisting of 70% plastic and 30% sawdust. This allows it to be sanded and stained for an attractive final product. Printing artifacts actually add to the look here, creating somewhat of a woodgrain effect. There’s a round LCD for a more classical watch look, which displays various graphics and even contact photos for incoming messages. Like most smartwatches on the market, it uses Bluetooth Low Energy for communication, and has a rechargeable lithium battery inside. Estimated battery life is approximately one week, depending on the frequency of use, and the recharging base he fabricated is as beautiful as the watch itself.

It’s a tidy build that shows off [Samson]’s design skills, and files are available on GitHub if you’d like to make your own. Laying out the full design in Fusion 360 prior to the build enabled the watch to be optimized for size constraints, creating an attractive and comfortable piece. With that said, if you’re a fan of a more hardcore electronic aesthetic, perhaps something 8-bit might be more your speed.

[via reddit, thanks to Aliasmk for the tip!]