Skip to content
This repository has been archived by the owner on Apr 14, 2018. It is now read-only.

Support Fitbit Zip #49

Open
ghost opened this issue Apr 23, 2013 · 9 comments
Open

Support Fitbit Zip #49

ghost opened this issue Apr 23, 2013 · 9 comments

Comments

@ghost
Copy link

ghost commented Apr 23, 2013

Libfitbit currently does not support the Fitbit Zip (and newer fitbits)

I'm staging this so it can be a sponsored issue on FreedomSponsors

@jcollie
Copy link

jcollie commented May 10, 2013

Do the Zip and Flex support the same protocol? From what I'm seeing the Flex uses BlueTooth 4.0. I don't have a phone that support BT4.0 and my only Windows/Mac machine is a Windows 7 VM on my Linux desktop at work. I can forward the Fitbit base USB to the VM and make things work, but I'd rather have a native Linux solution.

@n5rgn
Copy link

n5rgn commented Jul 30, 2013

@jcollie:

I expect the Zip and Flex to be the same, since they both have the Bluetooth 4.0 base station.

I installed XP as a VMware guest under Linux. I set USB monitoring/debugging on for that VM and let it log while I (a) plugged the base station in, (b) did a sync with my Flex, and (c) unplugged the base station. I edited the non-fitbit stuff out of the log and put it here (good for 30 days): http://pastebin.com/p3DY5kHU

I made a couple of "NOTE:"s in it. I've only given the data a brief look so far. I'll report back when I discover more.

@n5rgn
Copy link

n5rgn commented Aug 5, 2013

OK, I think I've had an epiphany. It ain't about BTLE or 4.0.

On Windows (tested on XP and 7), the Fitbit Flex dongle shows up as 2 HIDs. On Windows it also shows up as 2 generic USB devices and 1 "USB Composite Device". In the VM USB capture I did (see earlier post) there were what I understand from my little bit of USB reading, a total of 4 USB endpoints: 1 and 81, 2 and 82 (will edit comment when I get a chance to verify this). USB endpoints 1 and 81 appear to be a singular control path, while endpoints 2 and 82 appear to be the data comm path (to/from the tracker).

More to come, comments and admonishments welcomed.

@n5rgn
Copy link

n5rgn commented Aug 5, 2013

Observations

Windows 7:
Flex dongle shows up as 2 x USB HID devices, 2 x generic USB devices, 1 x "USB Composite Device"

Fedora 18 LInux:
Flex dongle shows up as 2 x HID devices

Samsung Galaxy Victory (has Bluetooth 4.0):
Fitbit Android app does not find and sync with fitbit Flex tracker. Makes me think the app may be tweaked for the few supported (Galaxy) Android devices.

USB debug monitor of Win XP under VMware shows the USB endpoints discussed in my previous comment. XP VM guest doesn't show any bluetooth devices present, supporting my theory that BT has little or nothing to do with tracker/dongle support (outside of the iOS platforms?).

I've studied the USB traffic capture some more and I'll share my observations in the next day or so, when I've had time to organize them.

@qdot
Copy link
Member

qdot commented Aug 5, 2013

ifixit just did a teardown on the flex.

http://ifixit.org/5042/fitbit-flex-teardown/

So yeah, looks like one of the TI CC25xx radios that you can shove whatever you want over as well as BTLE. So they're probably just casing it up as an HID packet so it "just works" on windows, super common tactic. Now the question is if the data bank breakdowns look mostly the same as they did on ANT, since they were only using ANT for negotiation anyways, then it was a raw dump from then on.

BTW: No, no one ever really talks on the IRC channel, and yes, welcome to the loneliness of reverse engineering hardware. Get used to no one replying, because not many people do this. Posting info on bugs here is probably the best way to communicate, as it will at least persist more than IRC and I'll provide advice where I can/when I have time.

@n5rgn
Copy link

n5rgn commented Aug 5, 2013

Wow, nice to know that my so-called "epiphany" has some support - it'll make my 12 hour road trip that much more worthwhile. Thinking about the problem helped keep me from falling asleep at 80 MPH on I-35 ;)

If what I think is true, 2 things need to be created/changed for libfitbit, (1) handling the handshake/protocol to the [now known] TI device and dongle discovery/identification. Earlier reports said that the USB VID:PID are the same for the ANT-based and newer BT LT dongles. That could complicate things. I only have a Flex to look at and have not looked at the libfitbit enough to really understand where changes might fit in. I'm excited about this since I think the missing bits can be figured out quickly - again, if my road-hypnotised thoughts are correct.

@emnullfuenf
Copy link

@sansneural Could you please repost the USB dump on pastebin?

Here's my dump from USB Prober on OS X:
http://pastebin.com/MEtW2tWe

@n5rgn
Copy link

n5rgn commented Oct 21, 2013

@emnullfuenf

Sorry, I'll have to wait until tomorrow to get the dmesg and lsusb info, but I think most of it can be found in issue #46 here (look for links in my comments).

In summary, though, the new (BT LE) Fitbit stuff seem to all be USB ID'd as 0x2687/0xFB01 which is unique from the older gen devices. Should be easy enough to distinguish between them.

In further summary, the new devices' data dump is encrypted and we don't have a clue as yet to break it. Which is probably good, but hey.

@emnullfuenf
Copy link

@sansneural Thanks for the link! I'll follow the other topic, too.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants