Create your own Fitness Tracker Firmware, presented at Recon Montreal 2018

by Daniel Wegemer and Jiska Classen

Summary: The Fitbit ecosystem is briefly introduced to show how server, tracker and smartphone app interact under normal conditions, when all data is transferred to the proprietary Fitbit cloud. We explain in detail how we reverse-engineered the Fitbit Flex firmware, including its encryption libraries, BLE communication, proprietary protocol parsing, and accelerometer processing.

Beyond understanding the software running on the trackers, we also modify the firmware via binary patching. We show how we adapted the Nexmon framework to alter Fitbit firmware. A demonstration of wirelessly flashing custom firmware onto a Fitbit Flex is shown. Flashing firmware over the air requires understanding the proprietary protocol, the encryption, and a number of validity checks; in contrast to wired flashing, no hardware teardown is required. Along with this talk we publish new firmware modifications that enable raw accelerometer readings.