Reverse engineering iFit Bluetooth communication

Hi everyone,

I recently had the chance to use a treadmill with iFit on it. iFit is a service/app that lets you follow predefined workouts. In my case, my phone connected to the treadmill over Bluetooth, the iFit app loaded a map, and then the app controlled the treadmill belt speed and incline automatically.

Unfortunately, iFit is a paid service so unless I have consistent access to iFit enabled treadmills it doesn’t make sense to pay for a subscription.

This got me thinking that I could reverse engineer the communication protocol and write my own app to control the treadmill.

So, I enabled Bluetooth HCI sniffing in my phone and captured a few iFit sessions.

The good news is that Wireshark is able to load the resulting packet files and shows Bluetooth BLE traffic.

The bad news is that it doesn’t seem to know how to decode and print the higher level BT BLE protocol iFit uses.

I can see what appears to be the iFit traffic between my phone and the treadmill but each message is displayed as two or more lower-level-protocol messages. Wireshark is unable to assemble these into meaningful higher level messages.

A quick googling shows other people have encountered this same issue, despite the higher level protocol still being a standard BT BLE protocol (I’ll have to review my notes to find which one).

Does anyone here have experience with this kind of stuff? If so, could you point me in the right direction?



I’m also trying to do something similar with my bike. We’re you able to find out more information?

Still no progress, sadly.
I’ll make sure to post a follow up if I find anything.

Good luck on your research!

Sports equipment usually communicate over the ANT+ protocol:

I recently saw a defcon talk on it! (of course there is)

Unfortunately, I don’t think it applies. This is definitely BTLE.