It's interesting that somehow, because this is reverse engineered now and I can do funny things with it and hack around with it, I actually consider to buy this thing.
I would wish that more companies would allow for modifications / hacks right from the start and actually support that. That would attract the hacker community and might result in many more interesting use cases.
I got one as a present and oh, how I hate Nike for not even caring about android users, much less of using this kind of sensitive data without uploading to their cloud.
The device itself is usable as a quite ok step counter requiring Windows only software to even do _anything_ with it.
As it measures mainly walking, I cannot even recommend it for the intended purpose.
I wonder if there is a market boost that comes from having your stuff hacked.
Using the Keurig 2.0 as an example: Adding DRM to the coffee maker turned off a lot of people. But once a hack was discovered it generated more publicity for the company. It makes me want to buy one just because I know I can get around the DRM. If it never had DRM, I don't think I would want one as bad.
FYI, I've recently worked on a similar project, and I tried both the ubertooth and this TI development kit device [1]. The TI device and software was much more reliable and is pretty much plug in and go. Did you do all of this through an Android phone? Very cool.
So I'm confused.. was author just not able to follow thru code path to find that the auth token was just spamming 1's? or was it a bit more cryptic than that?
the real code in the APK for computing the auth_token was probably some developers some pride and joy, worked weeks on it.. but when it came time to ship, damn thing wouldnt work with the shipped hardware.. so they buried a small assignment which overwrote the original computed auth token just to make the thing work? where is THAT code, i'd like to see it! If so, that is one of those great snippets where you can visually see the developer gave up. We should have a name for that sort of thing (I'm guilty of the same.. in my.. older works).
author here ... it's not THAT easy, that specific piece of code was highly obfuscated by proguard ( you know the a.class, b.class, c.class thing? XD ) and everything made me think about the "correct" algorithm, still I can't find where that 0xFF... is being set :P
In other words, obsfuscation was used instead of just applying good practice, and good practice is seemingly harder to debug for development than obsfuscation.
This is great video and thanks for the link, but just to be clear to others it is not a teardown of the current BLE capable model that the OP has reverse engineered.
Fun stuff. I would also recommend using some kind of packet sniffer to collect sample data which can make your static analysis easier. To do this, buy the CC2541 development kit with packet sniffer for about $25. Alternatively, you can write a BLE proxy (using two Bluetooth adapters). To Apple’s credit, the CoreBluetooth API on iOS does not let the app know the MAC address of the peripheral, so the app will never know that it is talking to your proxy vs the actual device.
yeah I thought about physical sniffing and wanted to buy/build a bt sniffer myself ... but you know, some Android versions have a builtin bt sniffing feature ;)
Hardware reverse engineering has gotten so much easier since everyone is obligated to deliver some useless Android (preferred) or iPhone app with their consumer junk. No one seems to bother with obfuscation.
Very interesting, I've not yet ventured in to the BLE protocol world yet. I'd love to see what the Fitbit protocol looks like, they require a special USB dongle just to connect to Macs that already have BLE built-in, yet iOS hardware works on its own. Strange.
My first opportunity to reverse engineer undocumented hardware was Ubiquiti Networks Airview2 900MHz/2.4GHz spectrum analyzer USB sticks, the cheap $39 ones that hit the market back when Wi-Spy sticks were really the only comparable hardware and were quite a bit more expensive. They have an undocumented serial protocol for controlling the device and getting RF power level readings (and the proper info to parse it).
Once I got the basic command set figured out I wrote up documentation and a Python library[1]. Without reverse engineering the device firmware or the original software it was basically blind guessing (and later automated guessing). Finding a new command and being able to put more and more of the puzzle pieces together to see the big picture is really fun :)
Thanks for writing this. I think I'll try reversing Fitbit beyond Galileo. Also, for those who don't know, Wireshark can sniff the Fitbit dongle using usbmon module incase you don't have a BTLE enabled device. MITMProxy is also great for making dumps to be studied.
Even if you are allowed to reverse engineer software in certain cases, directly taking what you learned from the effort and using it to write other code by yourself is another matter. It's the sort of situation we have "clean room" reverse engineering[1] procedures for.
I would wish that more companies would allow for modifications / hacks right from the start and actually support that. That would attract the hacker community and might result in many more interesting use cases.