Reverse engineering iFit Bluetooth communication

Hi everyone,

I recently had the chance to use a treadmill with iFit on it. iFit is a service/app that lets you follow predefined workouts. In my case, my phone connected to the treadmill over Bluetooth, the iFit app loaded a map, and then the app controlled the treadmill belt speed and incline automatically.

Unfortunately, iFit is a paid service so unless I have consistent access to iFit enabled treadmills it doesn’t make sense to pay for a subscription.

This got me thinking that I could reverse engineer the communication protocol and write my own app to control the treadmill.

So, I enabled Bluetooth HCI sniffing in my phone and captured a few iFit sessions.

The good news is that Wireshark is able to load the resulting packet files and shows Bluetooth BLE traffic.

The bad news is that it doesn’t seem to know how to decode and print the higher level BT BLE protocol iFit uses.

I can see what appears to be the iFit traffic between my phone and the treadmill but each message is displayed as two or more lower-level-protocol messages. Wireshark is unable to assemble these into meaningful higher level messages.

A quick googling shows other people have encountered this same issue, despite the higher level protocol still being a standard BT BLE protocol (I’ll have to review my notes to find which one).

Does anyone here have experience with this kind of stuff? If so, could you point me in the right direction?

Thanks.

Hey,

I’m also trying to do something similar with my bike. Were you able to find out more information?

Still no progress, sadly.
I’ll make sure to post a follow up if I find anything.

Good luck on your research!

Sports equipment usually communicates over the ANT+ protocol: https://en.wikipedia.org/wiki/ANT_(network)

I recently saw a defcon talk on it! (of course there is)

Unfortunately, I don’t think it applies. This is definitely BTLE.

I was looking for the same, but having no Android devices I am still struggling with Bluetooth sniffing.

Anyway, I found this article:

It is about a different protocol, but could be useful to find similarities.
Let me know if I can help you on something…


Nice, thanks for the info.

I stumbled on a Wireshark thread a few days ago that led me to believe there are Wireshark modules I could enable to get my packets re-assembled correctly. I haven’t tried yet, but I’ll let this thread know my results when I do.

can you please share the trace?

I have NordicTrack S25 and I am interested to make my own workouts too.

Thanks.

I’ll see what I can do. I want to make sure there’s no private data in the capture first.

I just saw someone has already made it:

I will try to figure out how to install it on a Raspberry Pi

Great find!

When I have time I’m hoping to write a C# driver for this. I’ll let this thread know of my progress.
I won’t have access to an iFit device for a while, though, so testing should be fun.

I had another look at my capture files today. Unfortunately, I think my captures are incomplete.

I should be seeing btatt traffic in both directions between my phone and the treadmill but I’m only seeing responses from the treadmill. And, to make things worse, it looks like the majority of those responses are truncated. I must not have configured my phone correctly when I recorded the sessions.

It will be a while before I get access to this iFit treadmill again, but I’ll post any progress I make here.
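The decoding this thread keeps circling back to (a btsnoop log from the phone's HCI snoop, iFit messages that Wireshark shows as several lower-level packets, and a capture that turned out to contain only treadmill-to-phone traffic with most records truncated), as an added example that is not part of the original thread and not iFit's or anyone's own tool: a small Python decoder that reads a btsnoop/H4 log, reassembles ACL fragments into L2CAP PDUs, lists the ATT writes and notifications in each direction, and warns when one direction is missing or records were cut short. The sample log is constructed inline (a Write Command split across two ACL fragments, one notification, and one notification whose record was truncated); the connection handle 0x0040 and attribute handles 0x0021/0x0024 are placeholders, not iFit's, and nothing about iFit's message format is assumed. It also assumes the phone is the HCI host, so btsnoop's "sent" direction means phone-to-treadmill, and that the log uses datalink type 1002 (H4).

```python
import struct
from collections import Counter

H4_ACL = 0x02            # H4 packet-type byte for ACL data
L2CAP_CID_ATT = 0x0004   # fixed LE channel that carries ATT
BTSNOOP_H4 = 1002        # btsnoop datalink type for H4 logs (what Android's snoop log writes)
ATT_OPCODES = {0x0A: "Read Request", 0x0B: "Read Response", 0x12: "Write Request",
               0x13: "Write Response", 0x52: "Write Command",
               0x1B: "Handle Value Notification", 0x1D: "Handle Value Indication"}
HAS_HANDLE = {0x12, 0x52, 0x1B, 0x1D}  # opcodes whose params start with an attribute handle

def parse_btsnoop(blob):
    """Yield (direction, truncated, packet) per record; direction 0 = phone sent, 1 = received."""
    if blob[:8] != b"btsnoop\x00":
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack(">II", blob[8:16])
    if datalink != BTSNOOP_H4:
        raise ValueError(f"datalink {datalink} unsupported; expected H4 ({BTSNOOP_H4})")
    off = 16
    while off + 24 <= len(blob):
        orig_len, incl_len, flags, _drops, _ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        yield flags & 1, incl_len < orig_len, blob[off:off + incl_len]
        off += incl_len

def att_pdus(blob):
    """Reassemble ACL fragments per (connection, direction) into L2CAP PDUs; yield the ATT ones."""
    pending = {}  # (conn_handle, direction) -> [cid, expected_len, buffer, truncated]
    for direction, truncated, pkt in parse_btsnoop(blob):
        if len(pkt) < 5 or pkt[0] != H4_ACL:
            continue  # HCI commands/events carry no ATT
        hdr, length = struct.unpack("<HH", pkt[1:5])
        conn, pb = hdr & 0x0FFF, (hdr >> 12) & 0x3  # PB flag 0b01 = continuing fragment
        frag, key = pkt[5:5 + length], (conn, direction)
        if pb != 0b01:  # start of a new L2CAP PDU: basic header is length + CID
            if len(frag) < 4:
                continue
            l2len, cid = struct.unpack("<HH", frag[:4])
            pending[key] = [cid, l2len, bytearray(frag[4:]), truncated]
        elif key in pending:
            pending[key][2] += frag
            pending[key][3] |= truncated
        else:
            continue  # continuation without a start: the fragment was dropped from the log
        cid, l2len, buf, trunc = pending[key]
        if len(buf) >= l2len:
            del pending[key]
            if cid == L2CAP_CID_ATT:
                yield direction, trunc, bytes(buf[:l2len])
    for (_conn, direction), (cid, _l2len, buf, _trunc) in pending.items():
        if cid == L2CAP_CID_ATT:  # never completed: the record was cut short
            yield direction, True, bytes(buf)

def describe(att):
    # Split an ATT PDU into (opcode name, attribute handle or None, value bytes)
    name = ATT_OPCODES.get(att[0], f"opcode 0x{att[0]:02x}")
    if att[0] in HAS_HANDLE and len(att) >= 3:
        return name, struct.unpack("<H", att[1:3])[0], att[3:]
    return name, None, att[1:]

def summarize(blob):
    """Decode every ATT PDU and warn when the capture is one-sided or truncated."""
    messages, counts, truncated = [], Counter(), 0
    for direction, trunc, att in att_pdus(blob):
        name, handle, value = describe(att)
        side = "phone->treadmill" if direction == 0 else "treadmill->phone"
        counts[side] += 1
        truncated += trunc
        messages.append({"dir": side, "op": name, "handle": handle,
                         "value": value.hex(), "truncated": bool(trunc)})
    warnings = []
    if counts["phone->treadmill"] == 0:
        warnings.append("no phone->treadmill ATT PDUs: the capture is one-sided")
    if truncated:
        warnings.append(f"{truncated} ATT PDU(s) cut short: records were truncated in the log")
    return {"counts": dict(counts), "messages": messages, "warnings": warnings}

# Constructed sample log (not a real iFit capture); connection/attribute handles are placeholders.
_acl = lambda conn, pb, payload: bytes([H4_ACL]) + struct.pack("<HH", conn | (pb << 12), len(payload)) + payload
_l2cap_att = lambda att: struct.pack("<HH", len(att), L2CAP_CID_ATT) + att

def sample_capture(one_sided=False):
    """A Write Command split over two ACL fragments, one notification, one truncated record."""
    write = _l2cap_att(b"\x52" + struct.pack("<H", 0x0021) + bytes(range(26)))
    notify = _l2cap_att(b"\x1b" + struct.pack("<H", 0x0024) + b"\x01\x02\x03\x04\x05")
    cut = _acl(0x0040, 0b10, _l2cap_att(b"\x1b" + struct.pack("<H", 0x0024) + bytes(10)))
    records = [  # (direction, H4 bytes, original length if the record was truncated)
        (0, _acl(0x0040, 0b00, write[:27]), None),       # phone -> treadmill, first 27 bytes
        (0, _acl(0x0040, 0b01, write[27:]), None),       # continuation fragment
        (1, b"\x04\x13\x05\x01\x40\x00\x01\x00", None),  # HCI event: ignored by the decoder
        (1, _acl(0x0040, 0b10, notify), None),           # treadmill -> phone
        (1, cut[:14], len(cut)),                         # only 14 of 22 bytes kept in the log
    ]
    records = [r for r in records if r[0] == 1 or not one_sided]
    out = bytearray(b"btsnoop\x00" + struct.pack(">II", 1, BTSNOOP_H4))
    for direction, data, orig_len in records:
        flags = direction | (0 if data[0] == H4_ACL else 2)  # bit1 marks command/event records
        out += struct.pack(">IIIIq", orig_len or len(data), len(data), flags, 0, 0) + data
    return bytes(out)
```

Against a real log, `summarize(open("btsnoop_hci.log", "rb").read())` gives the per-direction message list; if the write direction is empty or the warnings mention cut-short PDUs, the capture was recorded with the wrong snoop settings and no amount of Wireshark dissector tuning will recover it. Once both directions are present, the list of write values and notification values is where the application-layer framing shows up (for example fixed-size chunks written to one handle that only make sense when concatenated), which is the reassembly Wireshark does not do for you.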