Amazon Halo Teardown Is Supremely Thorough

We rarely see teardowns this detailed. [txyzinfo] wanted to know what hardware was under the hood, and did an amazing Amazon Halo Teardown.

Sometime around the middle of 2020, Amazon jumped on to the health and fitness tracker space with the introduction of the Halo — a $100 device with an add on $4 monthly subscription service if you wanted additional features, which Amazon calls “labs”, many of which are third-party services. The device does not have any display at all, and any metrics that need to be displayed (heart rate, steps, calories, etc.) show up on the Halo phone app. Halo’s focus is more on health, rather than fitness. It helps monitor your active and sleep states, keeps track of body fat, and reports your emotional state.

We won’t delve much in to the pros and cons of the device, other than mention two features which have the potential to creep out most folks. The device has a pair of microphones, which listen to the “tone” of your voice and report on your emotional state. The other is its use of your phone via the companion app, to take photos of you, preferably dressed in your undergarments. Your front, back and side photos get uploaded to Amazon servers, get converted to a 3D model, and then downloaded back to your phone. Amazon mentions that the photos are never retained and deleted from their servers once your 3D model is transferred back to the phone. Amazon’s ML algorithms then calculate your body fat percentage. More worryingly, the app offers a slider which you can move to see how you will “look” if you have higher or lower body fat percentages.

Fortunately for us hardware hacker types, [txyzinfo] wanted to unlock all the secrets Amazon poured into this design. Even if the device in particular does not interest you, the techniques he uses are very educational and will prove a useful addition to your skills. The device does not have any external fasteners, with the back cover being held together with glue. [txyzinfo] starts off by applying a solvent around the back cover to soften the glue, then works with his spudger to pry it open. The back cover appears to have an antenna with touch-contact terminations without a connector. The main body holds the rest of the electronics, and can be easily removed by unscrewing the four corner screws. Using a combination of solvent to soften the glue at various points, and snips to cut off retaining plastic tabs, he manages to untangle the hybrid rigid-flex PCB assembly from its plastic-metal clam-shell.

He uses a hot-air blower to cleanly separate the flex PCB parts attached to the rigid PCB. With all the flex pieces removed, he is left with the main part of the device — the rigid PCB with most parts potted under a metal shield filled with what appears to be a soft, grey compound. At this point, we are not sure if the potting compound is for heat dissipation, or just to obfuscate reverse engineering. His next action gives us a severe case of the heebie jeebies, as he clamps the PCB to a milling machine, and mills away the sides of the metal shield. Next, he heats the whole assembly with the hot air gun to melt all the solder, applying some generous amounts of flux, using the spudger to pull apart the PCB from the components embedded in the potting compound. Check out the video after the break to see his tear down techniques in action.

His plan was to identify as many parts as he could, but he wasn’t very successful, and managed to identify just a few — the two MEMS microphones, two temperature sensors and the LED driver on the flex PCB, and the photo-diodes, 6-axis IMU, battery charger and flash memory on the main board. The board has an uncommon 5-layer stack up, with the centre layer being ground. PCB de-layering is a time consuming process and requires a lot of patience, but in the end, he was able to get a pretty good result. He found some oddities in the track layout and was able to identify some of the more common connections to the I2C bus and between the micro-controller and its memory. He also located several test points which seem promising for a second round of investigations. Sometime in the future, he plans to get another Halo and have a go at it using the JTAGulator and GoodFET.

Tear downs are a favourite for all hackers, as is evident by the regularity with which we keep seeing them. If this one hasn’t whetted your appetite, then check out this other Fitness Tracker Teardown which is a lesson in Design for Manufacture.

Continue reading “Amazon Halo Teardown Is Supremely Thorough”

Bike Computer Powers On Long After Your Legs Give Out

A typical bicycle computer from the store rack will show your speed, trip distance, odometer, and maybe the time. We can derive all this data from a magnet sensor and a clock, but we live in a world with all kinds of sensors at our disposal. [Matias N.] has the drive to put some of them into a tidy yet competent bike computer that has a compass, temperature, and barometric pressure.

The brains are an STM32L476 low-power controller, and there is a Sharp Memory LCD display as it is a nice compromise between fast refresh rate and low power. E-paper would be a nice choice for outdoor readability (and obviously low power as well) but nothing worse than a laggy speedometer or compass.

In a show of self-restraint, he didn’t try to replace his mobile phone, so there is no GPS, WiFi, or streaming music. Unlike his trusty phone, you measure the battery life in weeks, plural. He implemented EEPROM memory for persistent data through power cycles, and the water-resistant board includes a battery charging circuit for easy topping off between rides.

When you toss the power of a mobile phone at a bike computer, someone will unveil the Android or you can measure a different kind of power from your pedals.

Continue reading “Bike Computer Powers On Long After Your Legs Give Out”

Custom Firmware For Cheap Fitness Trackers

The concept of wearable hardware is an enticing one, but it can be difficult to tackle for the first-time maker. While many of us are experienced at designing PCBs and soldering up arcane gadgets, interfacing with the soft and fleshy human form can present unforeseen difficulties. There’s a way around that, of course – leveraging an existing platform where someone else has already done the work. That’s precisely what [Aaron Christophel] has done, by reverse engineering and developing custom firmware for cheap fitness trackers (Google Translate).

The first part of [Aaron]’s work consisted of research and disassembly. After purchasing a wide variety of fitness trackers online, he eventually came across his favored unit, the Tracker I6HRC by IWOWNFIT. This features an NRF52832 microcontroller, as well as an IPS display, some Flash storage, and a vibration motor. Connectivity is handled over Bluetooth Low Energy. [Aaron] particularly rates it for the well-made case that can be disassembled without damage, and the spare USB 2.0 pads on the board which can be used to program the device over the SWD interface.

[Aaron] has developed an Arduino-compatible firmware which is discussed further in a forum post.  Most of the peripherals on board have been explored, and reducing power consumption is a current area of active development.

Firmware hacks are always fun – have you considered giving your TV a custom boot screen? Have a FitBit original instead of the clone? There’s a hack for that too.

[Thanks to Jim for the tip!]

Toilet Seat Could Save Your Ass

Our morning routine could be appended to something like “breakfast, stretching, sit on a medical examiner, shower, then commute.” If we are speaking seriously, we don’t always get to our morning stretches, but a quick medical exam could be on the morning agenda. We would wager that a portion of our readers are poised for that exam as they read this article. The examiner could come in the form of a toilet seat. This IoT throne is the next device you didn’t know you needed because it can take measurements to detect signs of heart failure every time you take a load off.

Tracking heart failure is not just one test, it is a buttload of tests. Continuous monitoring is difficult although tools exist for each test. It is unreasonable to expect all the at-risk people to sit at a blood pressure machine, inside a ballistocardiograph, with an oximeter on their fingers three times per day. Getting people to browse Hackaday on their phones after lunch is less of a struggle. When the robots overthrow us, this will definitely be held against us.

We are not sure if this particular hardware will be open-source, probably not, but there is a lesson here about putting sensors where people will use them. Despite the low rank on the glamorous scale, from a UX point of view, it is ingenious. How can we flush out our own projects to make them usable? After all, if you build a badass morning alarm, but it tries to kill you, it will need some work and if you make a gorgeous clock with the numbers all messed up…okay, we dig that particular one for different reasons.

Via IEEE Spectrum.

34C3: Fitbit Sniffing And Firmware Hacking

If you walked into a gym and asked to sniff exercise equipment you would get some mighty strange looks. If you tell hackers you’ve sniffed a Fitbit, you might be asked to give a presentation. [Jiska] and [DanielAW] were not only able to sniff Bluetooth data from a run-of-the-mill Fitbit fitness tracker, they were also able to connect to the hardware with data lines using test points etched right on the board. Their Fitbit sniffing talk at 34C3 can be seen after the break. We appreciate their warning that opening a Fitbit will undoubtedly void your warranty since Fitbits don’t fare so well after the sealed case is cracked. It’s all in the name of science.

There’s some interesting background on how Fitbit generally work. For instance, the Fitbit pairs with your phone which needs to be validated with the cloud server. But once the cloud server sends back authentication credentials they will never change because they’re bound to to the device ID of the Fitbit. This process is vulnerable to replay attacks.

Data begin sent between the Fitbit and the phone can be encrypted, but there is a live mode that sends the data as plain text. The implementation seemed to be security by obscurity as a new Bluetooth handle is used for this mode. This technique prevents the need to send every encrypted packet to the server for decryption (which would be for every heartbeat packet). So far the fix for this has been the ability to disable live mode. If you have your own Fitbit to play with, sniffing live mode would be a fun place to start.

The hardware side of this hack begins by completely removing the PCB from the rubber case. The board is running an STM32 and the team wanted to get deep access by enabling GDB. Unfortunately, the debug pins were only enabled during reset and the stock firmware disables them at startup (as it should). The workaround was to rewrite the firmware so that the necessary GPIO remain active and there’s an interesting approach here. You may remember [Daniel Wegemer] from the Nexmon project that reverse engineered the Nexus 5 WiFi. He leveraged the binary patching he used on Nexmon to patch the Fitbit firmware to enable debugging support. Sneaky!

For more about 34C3 we have a cheatsheet of the first day and for more about Fitbit security, check out this WAV file.

Continue reading “34C3: Fitbit Sniffing And Firmware Hacking”

Gamify Your Workout With This Wearable Console Controller

‘Tis soon to be the season when resolutions falter and exercise equipment purchased with the best of intentions is cast aside in frustration. But with a little motivation, like making your exercise machine a game console controller, you can maximize your exercise gear investment and get in some guilt-free gaming to boot.

Honestly, there is no better motivation for keeping up with exercise than taking classes, but not many people have the discipline — or the pocketbook — to keep going to the gym for the long haul. With this in mind, [Jason] looked for a way to control PS4  games like Mario Karts or TrackMania with his recumbent bike. In an attempt to avoid modifying the bike, [Jason] decided on a wearable motion sensor for his ankle. Consisting of an Uno, an MPU9250 accelerometer, and a transmitter for the 433-MHz ISM band, the wearable sends signals to a receiver whenever the feet are moving. This simulates pressing the up arrow controller key to set the game into action. Steering and other game actions are handled by a regular controller; we’d love to see this expanded to include strain gauges on the recumbent bike’s handles to allow left-right control by shifting weight in the seat. Talk about immersive gameplay!

While we like the simplicity of [Jason]’s build and the positive reinforcement it provides, it’s far from the first exercise machine hack we’ve seen. From making Google Street View bike-controlled to automatically logging workouts, exercise machines are ripe for the hacking.

Continue reading “Gamify Your Workout With This Wearable Console Controller”

Fitness Tracker Teardown Is A Lesson In Design For Manufacture

If the trends are anything to go on, after the success of Fitbit we are nearing a sort of fitness tracker singularity. Soon there will be more fitness trackers on wrists and ankles then there will be stars in the sky. We will have entire generations who will grow up not knowing what life is like without the ever-present hug of a heart monitor strapped across their chest. Until then though, we can learn a bit of design for manufacture from this excellent teardown of a watch shaped fitness tracker.

This tracker has a nice round e-paper screen, which could be a welcome part in a project if they start washing up on the shores of eBay. The rest of the watch is a basic Bluetooth low energy module and the accessory electronics wrapped in a squishy plastic casing.

There’s a lot of nice engineering inside the watch. As far as the electronics go, it’s very low power. On top of that is plenty of clever cost optimization; from a swath of test points to reduce quality issues in the hands of consumers to the clever stamped and formed battery tabs which touch the CR2032 that powers it.

The teardown covers more details: the switch, what may be hiding behind the epoxy globs, the plastics, and more. One thing that may be of interest to those that have been following Jenny’s excellent series is the BOM cost of the device. All in all a very educational read.