Hacking The Xiaomi Mi Band 8 With Custom Firmware

December 7, 2023 by Maya Posch 11 Comments

Over the past years, fitness trackers have gone from fairly unobtrusive bands that relied mostly on smartphone apps for interaction to essentially being fashion statements and smart watches, with large screens and impressive specs. The Xiaomi Mi Band 8 is no exception, with a zippy MCU and a 1.62″ AMOLED screen that just asks for some serious rick-rolling. This was a challenge which [Aaron Christophel] was all too happy to accept, resulting in some reverse-engineering and flashing of custom firmware onto one of these marvels of modern wearable technology.

Block Diagram for the Apollo4 Blue Lite. (Credit: Ambiq)

The Mi Band 8 is built around an Ambiq Apollo4 Blue Lite MCU which features a Cortex-M4 core for applications, along with a Bluetooth LE radio and a lot of SRAM and Flash. This naturally implies an SWD interface for programming, which was mostly a matter of reverse-engineering the PCB to find the locations for these signals and realizing that the original firmware disables the SWD interface on boot. Unfortunately the Ambiq SDK requires you to create an account, but you can get the basics from [Aaron]’s GitHub project. It appears that for BLE you do need the full SDK, and OTA updates feature a signing check, so physical access is required.

So far the display, touchscreen and light sensor are working, with the remaining peripherals just a matter of time. With a list price of around $64 for one of these fitness bands with a 192 x 490 touch-enabled AMOLED display and a variety of health-related sensors, they’d seem to be a fun toy to hack, especially when found on sale or used.

Continue reading “Hacking The Xiaomi Mi Band 8 With Custom Firmware” →

Amazon Halo Teardown Is Supremely Thorough

December 31, 2020 by Anool Mahidharia 10 Comments

We rarely see teardowns this detailed. [txyzinfo] wanted to know what hardware was under the hood, and did an amazing Amazon Halo Teardown.

Sometime around the middle of 2020, Amazon jumped on to the health and fitness tracker space with the introduction of the Halo — a $100 device with an add on $4 monthly subscription service if you wanted additional features, which Amazon calls “labs”, many of which are third-party services. The device does not have any display at all, and any metrics that need to be displayed (heart rate, steps, calories, etc.) show up on the Halo phone app. Halo’s focus is more on health, rather than fitness. It helps monitor your active and sleep states, keeps track of body fat, and reports your emotional state.

We won’t delve much in to the pros and cons of the device, other than mention two features which have the potential to creep out most folks. The device has a pair of microphones, which listen to the “tone” of your voice and report on your emotional state. The other is its use of your phone via the companion app, to take photos of you, preferably dressed in your undergarments. Your front, back and side photos get uploaded to Amazon servers, get converted to a 3D model, and then downloaded back to your phone. Amazon mentions that the photos are never retained and deleted from their servers once your 3D model is transferred back to the phone. Amazon’s ML algorithms then calculate your body fat percentage. More worryingly, the app offers a slider which you can move to see how you will “look” if you have higher or lower body fat percentages.

Fortunately for us hardware hacker types, [txyzinfo] wanted to unlock all the secrets Amazon poured into this design. Even if the device in particular does not interest you, the techniques he uses are very educational and will prove a useful addition to your skills. The device does not have any external fasteners, with the back cover being held together with glue. [txyzinfo] starts off by applying a solvent around the back cover to soften the glue, then works with his spudger to pry it open. The back cover appears to have an antenna with touch-contact terminations without a connector. The main body holds the rest of the electronics, and can be easily removed by unscrewing the four corner screws. Using a combination of solvent to soften the glue at various points, and snips to cut off retaining plastic tabs, he manages to untangle the hybrid rigid-flex PCB assembly from its plastic-metal clam-shell.

He uses a hot-air blower to cleanly separate the flex PCB parts attached to the rigid PCB. With all the flex pieces removed, he is left with the main part of the device — the rigid PCB with most parts potted under a metal shield filled with what appears to be a soft, grey compound. At this point, we are not sure if the potting compound is for heat dissipation, or just to obfuscate reverse engineering. His next action gives us a severe case of the heebie jeebies, as he clamps the PCB to a milling machine, and mills away the sides of the metal shield. Next, he heats the whole assembly with the hot air gun to melt all the solder, applying some generous amounts of flux, using the spudger to pull apart the PCB from the components embedded in the potting compound. Check out the video after the break to see his tear down techniques in action.

His plan was to identify as many parts as he could, but he wasn’t very successful, and managed to identify just a few — the two MEMS microphones, two temperature sensors and the LED driver on the flex PCB, and the photo-diodes, 6-axis IMU, battery charger and flash memory on the main board. The board has an uncommon 5-layer stack up, with the centre layer being ground. PCB de-layering is a time consuming process and requires a lot of patience, but in the end, he was able to get a pretty good result. He found some oddities in the track layout and was able to identify some of the more common connections to the I2C bus and between the micro-controller and its memory. He also located several test points which seem promising for a second round of investigations. Sometime in the future, he plans to get another Halo and have a go at it using the JTAGulator and GoodFET.

Tear downs are a favourite for all hackers, as is evident by the regularity with which we keep seeing them. If this one hasn’t whetted your appetite, then check out this other Fitness Tracker Teardown which is a lesson in Design for Manufacture.

Continue reading “Amazon Halo Teardown Is Supremely Thorough” →

Giving Recalled Fitness Trackers A Second Chance

November 18, 2020 by Tom Nardi 6 Comments

When it was released back in 2012, the Basis B1 fitness tracker was in many ways ahead of its time. In fact, the early smartwatch was so impressive that Intel quickly snapped up the company and made it the cornerstone of their wearable division. Unfortunately a flaw in their next watch, the Basis Peak, ended up literally burning some wearers. Intel was forced to recall the whole product line, and a year later dissolved their entire wearable division.

Given their rocky history, it’s probably no surprise that these gadgets can be had quite cheaply on the second hand market. But can you do anything with them? That’s what [Ben Jabituya] recently decided to find out, and the results of his experiments certainly look very promising. So far he hasn’t found a way to activate a brand-new Basis watch, but assuming you can get your hands on one that was actively being used when Intel pulled the plug, his hacks can be used to get it back up and running.

The Basis Android application has long since been removed from the Play Store, but [Ben] said it wasn’t too hard to find an old version floating around on the web. After decompiling the application he discovered the developers included a backdoor that lets you configure advanced options that would normally be hidden.

How do you access it? As a reminder of the era in which the product was developed, you simply need to log into the application using Jersey and Shore as the username and password, respectively.

Between the developer options and API information he gleaned from the decompiled code, [Ben] was able to create a faux Basis authentication server and point the application to it. That let him get past the login screen, after which he was able to sync with the watch and download its stored data. Between examinations with a hex editor and some open source code that was already available online, he was able to write a Python script for parsing the data which he’s been kind enough to share with the world.

We’re very pleased to see an open source solution that not only gets these “bricked” smartwatches back online, but allows the user to keep all of the generated data under their own control. If you’d like to do something similar with a device that doesn’t have a history of releasing the Magic Smoke, the development of an open source firmware for more modern fitness trackers might be of interest.

Continue reading “Giving Recalled Fitness Trackers A Second Chance” →

Climbing Everest One Hill At A Time – And Keeping Track Of It

October 17, 2020 by Sven Gregori 10 Comments

The internet is full of self-proclaimed challenges, ranging from some absolutely pointless fads to well-intended tasks with an actual purpose. In times of TikTok, the latter is of course becoming rarer, as a quick, effortless jump on the bandwagon is just easier for raising your internet points. Cyclists on the other hand love a good challenge where they compete with one another online, testing their skills and gamifying their favorite activity along the way. One option for that is Everesting, where you pick a hill of your choice, and within a single session you ride it up and down as many times as it takes until you accumulated the height of Mount Everest on it. Intrigued by the idea, but not so much its competitive aspect, [rabbitcreek] became curious how long it would take him to reach that goal with his own casual bicycle usage, so he built a bicycle computer to measure and keep track of it.

While the total distance and time factors into the actual challenge, [rabbitcreek]’s primary interest was the accumulated height, so the device’s main component is a BMP388 barometric pressure sensor attached to a battery-powered ESP32. An e-paper display shows the total height and completed percentage, along with some random Everest-related pictures. Everything is neatly packed together in a 3D-printed case that can be mounted on the bicycle’s handlebar, and the STL files are available along with the source code in his write-up.

Of course, if you’re actually interested in the challenge itself, you probably have an assortment of sports tracking equipment anyway, but this is a nice addition to keep track as you go, and has a lower risk of ransomware attacks. And in case [rabbitcreek] sounds like a familiar name to you, he’s indeed become a Hackaday regular with his environmental hacks like the tide clock, a handheld particle sniffer, or logging temperatures in the Alaskan wilderness.

E4 Empatica device for measuring location, temperature, skin conductance, sleep, etc. on arm

Choosing The Optimal Sampling Rate For Your DIY Heart Rate Monitor

September 3, 2020 by Orlando Hoilett 19 Comments

With wearables still trying to solidify themselves in the consumer health space, there are a number of factors to consider to improve the reliability of such devices in monitoring biometrics. One of the most critical such parameters is the sampling rate. By careful selection of this figure, developers can minimize errors in the measurement, preserve power, and reduce costs spent on data storage. For this reason, [Brinnae Bent] and [Dr. Jessilyn Dunn] wanted to determine the optimal sampling rate for wrist-worn optical heart rate monitors. We’ve shared their earlier paper on analyzing the accuracy of consumer health devices, so they’ve done a lot of work in this space.

The results of their paper probably don’t surprise anyone. The lower the sampling rate, the lower the accuracy of the measurement, and the higher the sampling rate the more accurate the measurement when compared to the gold standard electrocardiogram. They also found that metrics such as root mean square of successive differences (RMSSD), used for calculating heart rate variability, requires sampling rates greater than 64 Hz, the nominal sampling rate of the wearable they were investigating and of other similar devices. That might suggest why your wearable is a bit iffy when monitoring your sleeping habits. They even released the source code for their heart rate variability analysis, so there’s a nice afternoon read if you were looking for one.

What really stood out to us about their work is how they thoroughly backed up their claims with data. Something crowdfunding campaigns could really learn from.

Reliability Check: Consumer And Research-Grade Wrist-Worn Heart Rate Monitors

April 7, 2020 by Orlando Hoilett 12 Comments

Wearables are ubiquitous in today’s society. Such devices have evolved in their capabilities from step counters to devices that measure calories burnt, sleep, and heart rate. It’s pretty common to meet people using a wearable or two to track their fitness goals. However, a big question remains unanswered. How accurate are these wearable devices? Researchers from the Big Ideas Lab evaluated a group of wearables to assess their accuracy in measuring heart rate.

Unlike other studies with similar intentions, the Big Ideas Lab specifically wanted to address whether skin color had an effect on the accuracy of the heart rate measurements, and an FDA-cleared Bittium Faros 180 electrocardiogram was used as the benchmark. Overall, the researchers found that there was no difference in accuracy across skin tones, meaning that the same wearable will measure heart rate on a darker skin-toned individual the same as it would on a lighter skin-toned. Phew!

However, that may be the only good news for those wanting to use their wearable to accurately monitor their heart rate. The researchers found the overall accuracy of the devices relative to ECG was a bit variable with average errors of 7.2 beats per minute (BPM) in the consumer-grade wearables and 13.9 BPM in the research-grade wearables at rest. During activity, errors in the consumer-grade wearables climbed to an average of 10.2 BPM and 15.9 in the research-grade wearables. It’s interesting to see that the research-grade devices actually performed worse than the consumer devices.

And there’s a silver lining if you’re an Apple user. The Apple Watch performed consistently better than all other devices with mean errors between 4-5 BPM during rest and during activity, unless you’re breathing deeply, which threw the Apple for a loop.

So, it seems as if wrist-worn heart rate monitors still have some work to do where accuracy is concerned. Although skin tone isn’t a worry, they all become less accurate when the subject is moving around.

If you’d like to try your own hand with fitness trackers, have a look at this completely open project, or go for the gold standard with a wearable DIY ECG.

Pavlok Gets A Literally Shocking Teardown

February 2, 2020 by Tom Nardi 36 Comments

Apparently, there is a wrist-mounted device that delivers electric shocks to the wearer when it receives the appropriate command over Bluetooth. No, it’s not part of some kind of house arrest program. If you can believe it, the gadget is actually intended to help break bad habits or wake up exceptionally deep sleepers. We don’t know which of those problems [Becky Stern] has, but we’re glad to see she decided to take hers apart before the 21st century self-flagellation started.

Called the Pavlok and available for $180 USD from various online retailers, the device looks like a chunky fitness tracker. But in place of the screen that would show you how many steps you’ve taken or your current heart rate, there’s a lighting bolt button that you can press when you want to shock yourself. With the smartphone application, you can control the device remotely with a handy desktop widget that allows you to select the intensity of the shock. No, we aren’t making any of this up. Check out the video after the break to see it in action.

When [Becky] tried to take the Pavlok apart, she found that it was nearly impossible to handle it without inadvertently triggering a shock. So until she could get the case open and physically disconnect the battery, all she could do was turn the intensity down in the application and work through the occasional jolts from the device. We can only hope that more devices don’t adopt a similar sense of self-preservation.

Once inside she found mainly the same kind of hardware you’d expect in a standard, non-masochistic, fitness wearable. There’s a nRF52832 Bluetooth SoC, a MMA8451Q accelerometer, a PCF85063A I2C RTC, and a FXAS21002C gyroscope. What you’re somewhat less likely to find inside your FitBit however is the LPR6235 coupled inductor and beefy capacitors which are used to build up a high-voltage charge from the standard 3.7 V LiPo battery.

We’ve been very interested in the recent projects which are creating custom firmwares for commercially available fitness wearables, as it could be an express route to a hacker-friendly smartwatch. While the Pavlok has some compelling hardware, and the programming header [Becky] identified looks interesting, we don’t like the idea of being one misplaced if statement away from riding the lightning.

Continue reading “Pavlok Gets A Literally Shocking Teardown” →