Precision PWM Frequency for Arduino / ATmega 328P

I’m working on an application where I need fine adjustment of PWM frequency. The existing PWM code that I found, such as the Arduino PWM Frequency Library, only allows integral frequencies to be selected. On pins supported by 16-bit timers, the Arduino PWM Frequency Library allows fine adjustment of duty cycle, but not frequency. After searching for a while, I found an interesting article in Udo Klein’s Blinkenlight blog: Flexible Sweep. In the article, Klein has an Arduino sketch which sweeps the LEDs of a Blinkenlight board from 0-999.9999 Hz in increments of .0001 Hz.

I hacked his sketch into PrecisionPWM, which outputs PWM to any arbitrary digital pin in increments of .0001 Hz. What’s nice is that since it doesn’t use the ATmega’s internal PWM generator, you can use it on any arbitrary digital pin, whether or not it supports hardware PWM.

Download from github: PrecisionPWM

How to Dramatically Speed Up AVRDUDE with USBasp or USBtinyISP Programmers

AVRDUDE has a little-known command line parameter, -B, which sets the bitclock, and can dramatically speed up writing/reading firmware to/from an AVR MCU when using a USBasp or USBtinyISP. For a USBasp, simply add -B0.5 to your command line parameters. Example:

avrdude -cusbasp -B0.5 -pm3280 -U flash:w:firmware.hex

In my tests, adding -B0.5 reduces the time to write & verify a hex file by about 2/3! For the USBtinyISP, add -B1 to your command line parameters. Example:

avrdude -cusbtiny -B1 -pm3280 -U flash:w:firmware.hex

The speedup is even more dramatic with the USBtinyISP. In a specific test, I found that write/verify time dropped from 59 sec to 17 sec!

You can also speed up programming from the Arduino GUI. Simply edit your boards.txt file. In older versions of Arduino, it can be found in <ArduinoFolder>/hardware/arduino/avr/boards.txt. For Arduino 1.8.x, it’s located in C:\Users\<YourUserName>\AppData\Local\Arduino15\packages\arduino\hardware\avr\<version>\boards.txt.

For the USBasp, add the -B0.5 parameter to the usbasp.program.extra_params line:

usbasp.program.extra_params=-Pusb -B0.5

In order to realize the speed gain in programming, the USBasp must have firmware which supports the setting of SCK. If AVRDUDE gives you this warning:

avrdude: warning: cannot set sck period. please check for usbasp firmware update.

then you must update your USBasp’s firmware. Follow the instructions in my article:
How to Update the Firmware on a USBasp V2.0

For the USBtinyISP, add the -B1 parameter to the usbtinyisp.program.extra_params line:


If the Arduino GUI is already running, you must restart it in order to load the new settings.

WS2812B LED (NeoPixel) Control: Part 2 – WiFi Control via Art-Net on ESP8266


For wireless control of WS2812B (NeoPixel) LEDs, I initially played with Bluetooth SPP (Serial Port Profile), due to the simplicity of setting up the host software… from the host’s software’s point of view, the connection just looks like a physical serial port. Unfortunately, the flakiness of my Windows 8.1 PCs’ Bluetooth SPP support caused me to abandon that solution.


ESP8266 modules provide a very low cost method of interfacing WS2812Bs to WiFi. Adafruit’s Huzzah module costs $9.95, but on eBay, NodeMCU clones, such as the LoLin NodeMCU board can be had for ~$3 shipped from China. This makes it even cheaper than the Arduino/Bluetooth combination!

What’s more, the LoLin board has a CH340G onboard, so it doesn’t require a FTDI cable to connect it to your host computer for programming. I ordered a few of the LoLin boards, but in the meantime, I started playing with the Adafruit Huzzah boards I had on hand.

With the addition of ESP8266 support via the Board Manager, Arduino becomes an easy to use platform for code development. Also, there are easily obtainable libraries for both WiFi configuration and control of the WS2812Bs.

One extra complexity of using an ESP8266 to control WS2812Bs is that the ESP8266 is a 3.3V device, while the WS2812B is a 5V device, (usually) necessitating level shifting. The WS2812B datasheet shows a threshold of >= 0.7VDD for logic HIGH, and <= 0.3VDD for logic LOW. The allowed VDD ranges from +3.5-5.3V. Interestingly, some WS2812Bs can actually work when powered by 3.3V, and driven by 3.3V logic, even though it’s out of spec, but many cannot. On the other hand, it’s totally within spec to be powered by 3.7V and driven by 3.3V logic. So, if you use a 3.7V LiPo battery to power the WS2812B strand, the WS2812B data line can be connected directly to the ESP8266 without any level shifting! If you choose to go this route, power the Huzzah from its VBat terminal, so that the 3.7V will be regulated down to 3.3V to power the ESP8266. More details are available in Adafruit’s NeoPixel Uber Guide.

Since I want to be able to drive long strands of LEDs, I elected to go the 5V power with level shifter route. Also, I have lots of 5V power supplies laying around. There are many different ways to do level shifting, either passive or active. The WS2812B has tight timing requirements, and runs at 800KHz, so care has to be taken in order to avoid signal distortion. One of the most reliable methods is to use a 74AHCT125 level shifter IC. I decided to first try a simple diode and pullup resistor circuit (credit: RPi GPIO Interface Circuits):

The circuit is currently working flawlessly for me, driving my 5m long strand of 150 LEDs.


In order to send data to our WS2812Bs over WiFi, we need some sort of IP protocol. Art-Net is a royalty-free protocol, which sends DMX data embedded in UDP packets. I decided to go with Art-Net because it is an industry standard that is supported by a variety of Pro software, and Jinx! and Glediator can talk to it.


I will not go into how to set up Arduino to compile sketches for the ESP8266, as that is discussed elsewhere. To compile for the Huzzah, select it as the compile target from the Tools pulldown menu:

Tools -> Board -> Adafruit HUZZAH ESP8266

I created a sketch, which is a mashup of a few different projects from github. The code is in my github repo: WS2812ArtNet. I stripped the Adafruit NeoPixel library down to the bare metal, and added a captive portal for configuring the WiFi connection. Also, it supports a hardware pin to erase the WiFi settings. Configuration is done via a few defines in WS2812ArtNet.ino. See the #defines for PIXEL_CNT, PIN_DATA, PIN_LED, and PIN_FACTORY_RESET. At a minimum, PIXEL_CNT must be set to the number of LEDs in your strand.

PIN_DATA is used to select the pin that’s used to drive the data to the LED strand.

PIN_LED is used to select the a pin which blinks an LED every time an Art-Net packet is received. This makes it easy to tell if the board is receiving data. In addition, the LED is initially off at boot-up, and turns solid red when the ESP8266 connects successfully to a WiFi AP. By default, PIN_LED = 0, which makes it control the onboard red LED on the Huzzah.

PIN_FACTORY_RESET wipes out any saved settings and clears the EEPROM when it’s grounded for 2 sec.

To load the WS2812ArtNet sketch into the ESP8266, first press the GPIO0 and Reset buttons simultaneously, and then let go of the Reset button. The red LED will then glow dimly, indicating that the bootloader is active. Once the sketch is loaded, when the ESP8266 initially boots up, it will create a WiFi AP with SSID WS2812ArtNet_hh-h. Use a computer, phone, etc to connect to the AP. Upon connection, it should automatically present a captive portal for configuration:

If the captive portal doesn’t automatically launch, open a web browser, and point it to Tap on Configure WiFi, and the ESP8266 will automatically scan for available APs:

Tap the desired AP’s SSID, and type in the passphrase. Additionally, you can also choose a starting Art-Net universe, and configure a static IP. After you tap save, the ESP8266 will reboot. If it connects successfully to your AP, the onboard red LED will light. Then, the LED strand will go into the startup test sequence of lighting up red, green, and blue, and then turning off. Once Art-Net data is received, the LED still start blinking with every packet it receives.  If you have trouble during setup, you can see debug messages by opening the ESP8266’s serial port in a terminal set to 115200,N,8,1.


When configuring Jinx!/Glediator, select GRB as the pixel data format.


Prev: WS2812B LED (NeoPixel) Control: Part 1 – Serial Control via 8-bit ATmega (Arduino)

WS2812B LED (NeoPixel) Control: Part 1 – Serial Control via 8-bit ATmega (Arduino)


I’ve been laying the groundwork for doing some projects using remote controlled RGB LEDs. My first attempt was Lampduino, which used discrete RGB LEDs, and an ITEAD Colorduino as a controller. In that project, I ran into several pitfalls:

  • though inexpensive, assembly of the LED matrix was very labor intensive
  • the LED’s were rather dim, due to the limited drive capability of the Colorduino
  • the frame rate was slow, due to limited baud rate and RAM
  • while it was scalable, I didn’t like the idea of having to use a separate Colorduino for every 64 LEDs

A few years have passed, and WS2812B LEDs have dropped enough in price enough to get into the range that I feel is affordable. They can be found on eBay and AliExpress very cheaply. Also, they can be controlled without any specialized hardware – all that is needed is one GPIO pin. There are libraries available for many of the popular microcontrollers. Some examples are Arduino, ESP8266, Teensy 3.x, and Raspberry Pi.


The other piece of the puzzle is control software. For Lampduino, I hacked uRaNGaTaNG’s mtXcontrol Processing sketch into rgbMtx, but I found Processing to be a very limiting platform, which was hard to debug. This time around, I found a couple of interesting free LED control programs, which are both quite powerful. The first one is Jinx! LED Matrix Control, which runs on Windows only, and the second is Glediator, which is a Java app. Both programs, while free, are not open source. However, they are both powerful enough to do some interesting things.


I decided to start my experiments with an Arduino Pro Mini clone, because they have a tiny footprint, are cheap (clones are <$2 shipped from China on eBay), and I happened to have some laying around. Also, the Arduino Pro Mini’s ATmega 328P MCU runs at 5V, so no level shifting is required when interfacing to WS2812Bs. Glediator’s creator, Solderlab, has barebones, fast serial client Arduino sketch which can be downloaded at: WS2812-Glediator-Interface. It can run on any 8-bit ATmega-based Arduino such as the Mega, UNO, Deumilanove, etc. The code that outputs the data to the LEDs is written in assembly language, and is thus, very fast & compact. Also, rather than using Arduino’s Serial library, it contains its own very compact serial code. At the expense of a little bit of speed, I decided to generalize it a bit, and add my own packet protocol. My code is on github at: WS2812Remote. The main changes that I made in my version of the code are:

  • Since I didn’t understand the Glediator example’s serial code, I reverted to using Arduino’s built-in Serial library. I’ve tested it with baud rates up to 1000000 and an FTDI cable on a Windows PC, and it works fine
  • I added support for my own packet protocol. Glediator’s serial protocol is extremely simple. Each frame starts with 0x01, followed by the pixel data stream. My simple packet protocol adds an XOR check byte, as well as a few simple commands such as color fill and blanking of the LEDs.

I also wrote a C++ program, called pkt_test, which demonstrates usage of my packet protocol.

Hookup of the WS2812B LED strand to the Arduino is quite simple. You can use any 8-bit Arduino. First, you must select a data pin to drive the strand. I arbitrarily decided to use pin PD2. For speed and compactness, instead of using Arduino functions to access the data pin, the code refers to the ATmega port and pin numbers, rather than Arduino’s rather arbitrary digital pin numbers. On the Arduino Pro Mini, digital pin 2 = PD2, as can be seen from the following pin mapping diagram:


So WS2812Remote.h is configured as follows:

#define DATA_PIN 2

Next, PIXEL_CNT needs to be set to the number of LEDs in your strand. I tested with an Adafruit NeoPixel ring containing 16 LEDs:

#define PIXEL_CNT   16

Connect your the data input pin of the first LED of your WS2812B strand to your selected data pin. Adafruit recommends a 300-500 ohm inline resistor to protect from voltage spikes. The NeoPixel ring I used already has a resistor onboard, so I didn’t need it. I connected the +5V and GND pins directly to the corresponding pins on the Arduino. To protect against current inrush when powering it up, Adafruit also recommends connecting a 100uf capacitor between the +5V and GND pins. However, it’s not necessary if you’re just going to power it from USB, which is what I did, since I was only powering 16 LEDs. For large strands, you will need an external power supply to supply sufficient current, as each LED can draw up to 60mA at full brightness. If using an external power supply, make sure to always apply power to the WS2812B strand before the data pin!


I used the same FTDI cable that I used for programming the Arduino as a virtual com port for sending data to it. When configuring Jinx! or Glediator, select Glediator protocol. For speed, the sketch just receives raw pixel data, and dumps it out to the LED strand, so the data format is in native GRB order.

When configuring Jinx! or Glediator, select Glediator as the device type (Jinx!) or output mode (Glediator). Make sure that the baud rate of the corresponding com port matches BAUD_RATE as defined in your sketch. I tested 115200 and 1000000 bps with my FTDI cable, and both worked fine with both programs. It failed at 1250000 bps.

If you want to play around with my packet protocol, the pkt_test code is self explanatory. I tested it with Visual Studio 2015 in Windows 8.1, and g++ in Debian linux 8.2.0. Prior to compilation, set COMM_PORT to correspond to your Arduino’s serial port. Also, confirm that BAUD_RATE in ../WS2812Remote.h matches the value that was used when loading the Arduino sketch. To compile and run pkt_test in linux, use:

g++ pkt_test.cpp serialib.cpp -o pkt_test
sudo ./pkt_test


My first inclination for wireless control was to use Bluetooth, due to its simplicity. The Bluetooth SPP (Serial Port Profile) makes it easy to construct a wireless virtual serial interface between a host computer and the Arduino. This allows you to use exactly the same host software configuration that you would for a direct serial connection to the host. I had an Elechouse EHB Serial Bluetooth Module in my parts bin (very similar to the ubiquitous HC-05), so I decided to try it out.

Before using the EHB module can be used, it must be configured with a series of simple AT commands. I hooked it up to my Windows PC with my FTDI cable, and used PuTTY as a serial terminal to configure it. Connecting the EHB module to the Arduino is quite straightforward:

Arduino -> EHB

5v -> VCC

Pairing the EHB to a host computer creates a virtual serial port for the host software to access. Unfortunately, I was using Windows 8.1 as my host computer, and its handling of Bluetooth SPP clients is rather flaky. Every time I powered down the LED controller, I had to unpair/pair the Bluetooth in order to get the virtual serial port to work properly. While it worked flawlessly when the virtual serial port was functional, ultimately, I abandoned Bluetooth due to the flakiness of Windows’ Bluetooth SPP support. Perhaps Linux can handle it better.

Next: WS2812B LED (NeoPixel) Control: Part 2 – WiFi Control via ARTnet on ESP8266

HowTo: Fix AVRDUDE 6.3/Arduino 1.6.10+ Compatibility Issues with USBasp Clones

I recently upgraded to Arduino 1.6.13, and found that I could no longer program my boards with my Chinese USBasp clone programmer. When the Arduino IDE tried to load the firmware with my USBasp, AVRDUDE couldn’t find my USBasp, and gave this error:

avrdude: error: could not find USB device with vid=0x16c0 pid=0x5dc vendor=’’ product=’USBasp’

It turns out that the that AVRDUDE 6.3, which is bundled with Arduino 1.6.10+, has timing issues with USBasps. The fix is to replace your libUSB-win32 driver with libusbK v3.0.7.0. An easy way to install libusbK v3.0.7.0 is to use zadig. Download the zadig from

Plug your USBasp into your PC.

Launch zadig, and from the menubar, select Options->List All Devices

Next, from the top listbox, select USBasp.

From the Driver selector box, click the up or down arrow key until libusbK (v3.0.7.0) appears.

Finally, click the Replace Driver button.

The screen should look like this:


You do not have to reboot or disconnect/reconnect your USBasp. After Zadig finishes installing libusbK, AVRDUDE 6.3 will start working correctly with your USBasp.

NOTE: the version of AVRDUDE that Arduino 1.6.x uses is actually controlled by the Boards Manager (Tools->Board->Boards Manager). Even if you have a version of Arduino 1.6.x prior to 1.6.10, if your Arduino AVR Boards by Arduino is version 1.6.10+, it will use AVRDUDE 6.3.

HowTo: Clean Hydration Bladder Hose/Tubing

If you use a hydration pack, sooner or later, your hose is going to get gunked up with disgusting biofilms or other residues. Biofilms tend to be resistant to disinfectants such as bleach and hydrogen peroxide, so how can you clean the junk out of your hose? I didn’t feel like spending the $$ for a Camelbak cleaning kit, so I found a simple and cheap solution. Simply use a pair of shoelaces.

The shoelaces have to be longer than the length of your hydration hose/tubing. Make sure to use round laces, rather than flat laces. The diameter of the laces has to be smaller than the inside diameter of your hose, in order for them to easily pass through. I happened to have a pair of dress shoe laces I got from a $.99 store.

Small diameter paracord will work, as well, but it doesn’t have the nicely finished ends, which are easier to thread. If you use paracord, wrap the end with a bit of tape to simulate the plastic end of a shoelace, and it will pass through your hose more easily.

First, soak your hose until the gunk inside it softens up. Next, get out the excess water by holding the hose on one end, and cracking it like a whip. Tie the shoelaces together with a knot that’s small enough to pass through the hose, but big enough to be a tight fit to scrub the walls of the tube clean:


In the photo above, the knot has white slime on it, because I’ve already used it to scrub out my hose. I just used a basic overhand knot. Next, thread one end of a shoelace through the tube:


It’s easiest to thread the shoelace through the hose if you clamp the hose between your legs, straighten the hose vertically, and let gravity help you push the shoelace through the top. Finally, just alternately pull ends of the shoelaces to work the knot back and forth through the tube, wiping the junk out of the hose. Wash the gunk off the knot and repeat the process until the hose is clean. Wash the shoelaces, and then soak the hose and shoelaces in some water with a bit of bleach, in order to kill the bacteria and mold.

If you find it hard to get the knot to fit through the hose, try a square knot, which is a bit smaller:

If the attachments of your hose easily remove, you can also get away with using just 1 shoelace. Just tie an overhand knot at one end. However, you will have to re-thread the shoelace through the hose after each pull. In my case, the threaded connector at one end of my hose was impossible to remove without cutting it off.

I find that hanging the hose to air dry doesn’t work very well, even if I leave it for a few days. The quickest way to dry it is to first crack it like a whip to expel as much water as possible, and then use forced air to dry out the remaining moisture. I have sleep apnea, so I use my CPAP to blow air through the hose:


If you have a fish pump, you can attach the air hose to the hydration tube, and use that to blow air through until it’s completely dry.

How to R&R Pentalobe Screws Without a Special Screwdriver

Apple likes to use annoying pentalobe screws on their devices. While it’s relatively easy to buy a pentalobe screwdriver, why bother, when you probably already have a substitute in your house? Anyone who uses x-acto knives should have a pile of blades with broken off tips. These blades are a quick and dirty surrogate for a pentalobe screwdriver. The tool:


Simply stab the tip of the x-acto knife into the pentalobe screw, and carefully twist:


The screws are so tiny that there isn’t much friction, so even though the knife blade isn’t a perfect fit, I’ve never stripped a screw. The same method works on small Torx and Philips screws. I’ve used this technique on many different devices over the years.

iPhone 6 Over Temperature after Replacing Battery

I just replaced the battery in my iPhone 6. When I attempted to power it up with the new battery, I was greeted with this ominous screen:


which is strange, because there’s no way that it was too hot, since it was just booting up, and it wasn’t even warm in the room where I was doing the work. I was worried that maybe I had broken something during the battery swap, but luckily, it was just bad contact in the battery connector.  It turns out that there is a temperature sensor in the battery, and if it has a bad connection, then the iPhone will think that the battery is overheating. I tried pressing down on the battery connector, but that didn’t work. Next, I simply disconnected/reconnected the battery connector, and it booted up normally. Whew!

So, if you replace your iPhone battery, and it suddenly gets the over temperature warning screen, first check the battery connection. If the warning still won’t go away, but it goes away when you reconnect your old battery, then your new battery probably has a bad temperature sensor.

To replace the battery, I mostly followed the procedure in: iPhone 6 Battery Replacement. However, I slightly modified the procedure:

  1. To remove the screen, I simply attached a suction cup at the end of the screen near the button. Then, while pulling up on the suction cup just enough to make a gap between the bottom of the screen and the back, I slid a guitar pick into the gap, starting at the bottom, and working my way down the edges of the phone, pushing it in gently. You can feel the clips releasing as you push the guitar pick in, and the screen will start to pop out, clip by clip. In Step 6 of the iFixIt instructions, they don’t emphasize the need to release the clips. If you just pull up, you’ll probably damage some or all of them.
  2. I didn’t bother disconnecting the screen. In iFixIt’s instructions, they ask you to unscrew the screen connectors and completely remove the screen. Presumably, this is so that you don’t risk damaging the screen connector, lest you let it swivel back more than 90 degrees from the back. I didn’t bother disconnecting the screen, and instead, held it ajar with my left hand while doing everything else with my right hand. This is because the tiny connectors are very fragile in the iPhone, and I didn’t want to damage the screen connector when disconnecting it, or losing the screws (I had a very bad experience when I was trying to change the battery of my iPhone 4 a few years ago.. the replacement came with a connector that was very tight.. and when I tried to disconnect it, the whole socket broke off the PCB, rendering the iPhone useless).
  3. I don’t have a pentalobe screwdriver, and I don’t intend to buy one. I’ve successfully removed/replaced the screws at the bottom of several iPhones using a Xacto knife as a screwdriver. The tips of my #11 Xacto blades always break off, and the broken off tip fits perfectly into the pentalobe screws.

Now, I’m waiting for the replacement battery to charge up, to see if it’s any good. I always have trouble finding replacement batteries that actually work better than the broken old batteries that they replace. There are a lot of shady suppliers out there who sell used or low quality batteries. I used the free Battery Life app to check the charge cycle count:


The vendor I bought the battery from claimed that it would have zero charge cycle count, and it has one, but that’s close enough, so I’ll let it slide for now. The capacity is also at 1752/1752, as expected. Of course, these stats could be faked, but at least they appear to be OK, which is some piece of mind. Only usage testing will reveal whether or not I managed to buy a good replacement battery, or another dud.

Update 20160804: So, it turns out that my phone was constantly running hot with the “hand picked” replacement battery I bought on Amazon. I highly recommend that anyone who replaces their battery on an iOS product check it with the free Battery Life app. I found out that the controller chip in the replacement battery was fake. The only stats that would change were the battery voltage and charge leve. The discharge current, temperature, capacity, and cycle count were fixed. After a month of using the battery, the Cycles were still 1! I contacted the seller, and they quickly refunded my money without asking me to send back the defective battery. Buyer beware!

Hacking a Proform 12.0TT Treadmill with iFit Live

I recently bought a Proform 12.0TT treadmill from Costco. One of the major reasons I picked this particular treadmill was because it supports iFit Live, which is supposed to allow you to make custom workouts with google maps. Unfortunately, iFit Live has turned out to be complete garbage. My first frustrations started when I tried to connect my treadmill to my iFit account. I spent a couple of hours and got nowhere, because it kept complaining that it wasn’t able to contact the iFit server. I thought maybe it was that my WiFi wasn’t configured correctly, even though the treadmill was able to obtain a valid IP address. I tried submitting a support ticket, and was completely appalled by the horrible total lack of support. They didn’t even bother to respond to my ticket for more than a week, and by that time, I’d figured out that there server had gone down for a few days… one day, it finally just started talking to their server.

iFit Live, which is the only way to make custom workouts is quite expensive, and the treadmill doesn’t even come with so much as a free trial. It costs $9.99/mo or $99/yr. I was thinking of trying it out, but with their crappy support, I don’t want to give them my money. The worst part is that there’s this really cool iFit app that runs on iOS and Android that lets you visualize your workouts in realtime, but it only works on a handful of treadmills, and mine is not included on the list. Of course, they don’t tell you this, so I didn’t figure it out until I’d already bought the treadmill. Doing the workouts on the treadmill’s rather ugly and primitive display isn’t nearly as cool as via google Street View, or at least tracking it on a live google map.

The treadmill’s controller is garbage, too. It doesn’t let you customize the built-in workouts, and doesn’t even let you input things such as age/gender/weight, so the calorie calculations are completely worthless. I started thinking about hacking my own controller for the treadmill, but then decided to first see what could be done via software.

It turns out the treadmill has a built in telnetd, and if you telnet to its IP number, you can log in as root without using any password. ssh is also supported, but it requires the root password. Once you telnet in, it’s readily apparent that it’s running embedded Linux of some sort on an ARM processor. The treadmill control stuff is all in directory /icon/bin. Here is a list of the running processes:

# ps
PID Uid VSZ Stat Command
1 root 652 S init
2 root SWN [ksoftirqd/0]
3 root SW< [events/0]
4 root SW< [khelper]
5 root SW< [kthread]
16 root SW< [kblockd/0]
19 root SW< [khubd]
50 root SW [pdflush]
51 root SW [pdflush]
52 root SW [kswapd0]
53 root SW< [aio/0]
666 root SW [sdioeventd]
667 root SW [sdiod0]
669 root SW [mtdblockd]
709 root SW [nandeventd]
710 root SW [nandthread]
713 root SW< [scsi_eh_0]
739 root 3148 S /usr/bin/syslogd -S -b 10 -D -s 32 -O /tmp/logfile.tx
753 root 2292 S /usr/bin/dropbear
783 root SW [RtmpTimerTask]
784 root SW [RtmpMlmeTask]
785 root SW [RtmpCmdQTask]
786 root SW [RtmpWscTask]
792 root 3124 S /usr/bin/httpd -f -p 8080 -h /icon/bin/html
793 root 3020 S sslwrap -cert /usr/bin/sslwrap.cert -accept 443 -port
794 root 2880 S ./utwatch
795 root 652 S init
796 root 652 S init
798 root 652 S init
800 root 652 S init
810 root 2740 S utaudio
811 root 6476 S utcompete
812 root 2864 S utcontrol
813 root 2744 S utdevcom
814 root 2764 S utinput
815 root 2740 S utlog
816 root 6940 S utnetstatus
817 root 2200 S utuserlog
819 root 2740 S utvalues
820 root 2888 S utwifi
826 root 2872 S utwpl
827 root 2272 S utdisplay
828 root 2740 S utworkout
831 root 4640 R N web_serv
928 root 652 S udhcpc -i apcli0 -a -n -t 4
974 root 664 S telnetd
7348 root 764 S /bin/sh
26665 root 764 S /bin/sh
14635 root 656 R ps
14636 root 648 R sh -c iwconfig

From dmesg, I found that it’s running on a NuMicro NUC950 MCU running at 200MHz with 32MB RAM and 130MB of NAND flash. Here is the entire output of dmesg after bootup:

# dmesg
Linux version (sbarton@sbarton-VirtualBox) (gcc version 4.2.1) #95 PREEMPT Thu Nov 21 10:08:23 MST 2013
CPU: ARM926EJ-Sid(wb) [41069265] revision 5 (ARMv5TEJ)
Machine: NUC950
Memory policy: ECC disabled, Data cache writeback
On node 0 totalpages: 8192
DMA zone: 8192 pages, LIFO batch:1
CPU NUC950 (id 0x02900910 system clock:200MHZ)
CPU0: D VIVT write-back cache
CPU0: I cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
CPU0: D cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
Built 1 zonelists
Kernel command line: root=/dev/ram0 console=ttyS0,115200n8 initrd=0xa00000,4000000 mem=32M
PID hash table entries: 256 (order: 8, 1024 bytes)
Console: colour dummy device 80×30
selected clock e4e1c0 quot 7
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 32MB = 32MB total
Memory: 26440KB available (1676K code, 309K data, 80K init)
Calibrating delay loop… 99.73 BogoMIPS (lpj=498688)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
checking if image is initramfs…it isn’t (no cpio magic); looks like an initrd
Freeing initrd memory: 3906K
NET: Registered protocol family 16
* You selcet NUC950,Start Init NUC950EVB *
SCSI subsystem initialized
usbcore: registered new driver usbfs
usbcore: registered new driver hub
NET: Registered protocol family 2
IP route cache hash table entries: 256 (order: -2, 1024 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
NetWinder Floating Point Emulator V0.97 (double precision)
io scheduler noop registered (default)
NUC900 uart driver has been initialized successfully!
nuc900-uart.0: nuc900_serial0 at MMIO 0xb8000000 (irq = 7) is a NUC900
nuc900-uart.1: nuc900_serial1 at MMIO 0xb8000100 (irq = 8) is a NUC900
nuc900-uart.2: nuc900_serial2 at MMIO 0xb8000200 (irq = 9) is a NUC900
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
loop: loaded (max 8 devices)
Card0 Detect !!!
NUC900 SD driver has been initialized successfully!
CFI: Found no nuc900nor device at location zero
probe failed
NUC900 USB host driver has been initialized successfully!
nuc900-ehci nuc900-ehci: Nuvoton nuc900 EHCI Host Controller
nuc900-ehci nuc900-ehci: new USB bus registered, assigned bus number 1
nuc900-ehci nuc900-ehci: irq 15, io mem 0xb0005000
nuc900-ehci nuc900-ehci: USB 2.0 started, EHCI 0.95, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
nuc900-ohci nuc900-ohci: Nuvoton nuc900 ohci Host Controller
nuc900-ohci nuc900-ohci: new USB bus registered, assigned bus number 2
nuc900-ohci nuc900-ohci: io mem 0xb0007000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
Initializing USB Mass Storage driver…
usb 1-2: new high speed USB device using nuc900-ehci and address 2
usb 1-2: configuration #1 chosen from 1 choice
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
ts: Compaq touchscreen protocol output
i2c /dev entries driver
nuc900-i2c-p0 nuc900-i2c-p0: bus frequency set to 100 KHz
nuc900-i2c-p0 nuc900-i2c-p0: i2c-0: nuc900 I2C port0 adapter
client [NAU882] registered with bus id 0-001a
NUC900 Audio driver has been initialized successfully!
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
RAMDISK: Compressed image found at block 0
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 80K
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
gnand: module license ‘Nuvoton’ taints kernel.
NAND: nand_init!!!!!
1. ===> write SMCSR
scsi0 : Nuvoton NUC900 GNAND DRIVER!
nand card init
1. ===> write SMCSR
Card0 Removed
card reset4. ===> write SMCSR
6. ===> write SMCSR
fmiCheckInvalidBlock pSM0->uLibStartBlock=2
Valid P2LN 577, block 1022

===> nand total sectors 253696 <size 129892352>
Vendor: NUVOTON Model: GNAND DRIVER Rev: 2.00
Type: Direct-Access ANSI SCSI revision: 00
SCSI device sda: 253696 512-byte hdwr sectors (130 MB)
sda: Write Protect is off
sda: Mode Sense: 03 00 00 00
sda: got wrong page
sda: assuming drive cache: write through
SCSI device sda: 253696 512-byte hdwr sectors (130 MB)
sda: Write Protect is off
sda: Mode Sense: 03 00 00 00
sda: got wrong page
sda: assuming drive cache: write through
sda: sda1 sda2 sda3 sda4 < sda5 >
sd 0:0:0:0: Attached scsi removable disk sda
EXT2-fs warning: mounting unchecked fs, running e2fsck is recommended
rtusb init rt3070AP —>
=== pAd = c2804000, size = 778504 ===

RTMPAllocTxRxRingMemory, Status=0
RTMPAllocAdapterBlock, Status=0
usbcore: registered new driver rt3070AP
(Efuse for 3062/3562/3572) Size=0x2d [2d0-2fc]
RTMP_TimerListAdd: add timer obj c2893b98!
RTMP_TimerListAdd: add timer obj c2861ed0!
RTMP_TimerListAdd: add timer obj c2861eb8!
RTMP_TimerListAdd: add timer obj c2861ea0!
RTMP_TimerListAdd: add timer obj c28081a8!
RTMP_TimerListAdd: add timer obj c2807dc4!
RTMP_TimerListAdd: add timer obj c280818c!
RTMP_TimerListAdd: add timer obj c2808414!
RTMP_TimerListAdd: add timer obj c2808394!
RTMP_TimerListAdd: add timer obj c280b240!
RTMP_TimerListAdd: add timer obj c280ae5c!
RTMP_TimerListAdd: add timer obj c280b224!
RTMP_TimerListAdd: add timer obj c280b4ac!
RTMP_TimerListAdd: add timer obj c280b42c!
RTMP_TimerListAdd: add timer obj c280e2d8!
RTMP_TimerListAdd: add timer obj c280def4!
RTMP_TimerListAdd: add timer obj c280e2bc!
RTMP_TimerListAdd: add timer obj c280e544!
RTMP_TimerListAdd: add timer obj c280e4c4!
RTMP_TimerListAdd: add timer obj c2811370!
RTMP_TimerListAdd: add timer obj c2810f8c!
RTMP_TimerListAdd: add timer obj c2811354!
RTMP_TimerListAdd: add timer obj c28115dc!
RTMP_TimerListAdd: add timer obj c281155c!
RTMP_TimerListAdd: add timer obj c2814408!
RTMP_TimerListAdd: add timer obj c2814024!
RTMP_TimerListAdd: add timer obj c28143ec!
RTMP_TimerListAdd: add timer obj c2814674!
RTMP_TimerListAdd: add timer obj c28145f4!
RTMP_TimerListAdd: add timer obj c28174a0!
RTMP_TimerListAdd: add timer obj c28170bc!
RTMP_TimerListAdd: add timer obj c2817484!
RTMP_TimerListAdd: add timer obj c281770c!
RTMP_TimerListAdd: add timer obj c281768c!
RTMP_TimerListAdd: add timer obj c281a538!
RTMP_TimerListAdd: add timer obj c281a154!
RTMP_TimerListAdd: add timer obj c281a51c!
RTMP_TimerListAdd: add timer obj c281a7a4!
RTMP_TimerListAdd: add timer obj c281a724!
RTMP_TimerListAdd: add timer obj c28380c0!
RTMP_TimerListAdd: add timer obj c2837cdc!
RTMP_TimerListAdd: add timer obj c28380a4!
RTMP_TimerListAdd: add timer obj c283832c!
RTMP_TimerListAdd: add timer obj c28380dc!
RTMP_TimerListAdd: add timer obj c28380f8!
RTMP_TimerListAdd: add timer obj c2838114!
RTMP_TimerListAdd: add timer obj c286a7e4!
RTMP_TimerListAdd: add timer obj c286a854!
RTMP_TimerListAdd: add timer obj c286a7fc!
RTMP_TimerListAdd: add timer obj c283864c!
RTMP_TimerListAdd: add timer obj c28056c8!
RTMP_TimerListAdd: add timer obj c2808760!
RTMP_TimerListAdd: add timer obj c280b7f8!
RTMP_TimerListAdd: add timer obj c280e890!
RTMP_TimerListAdd: add timer obj c2811928!
RTMP_TimerListAdd: add timer obj c28149c0!
RTMP_TimerListAdd: add timer obj c2817a58!
RTMP_TimerListAdd: add timer obj c2838378!
RTMP_TimerListAdd: add timer obj c28623d0!
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
1. Phy Mode = 9
2. Phy Mode = 9
NVM is Efuse and its size =2d[2d0-2fc]
(Efuse for 3062/3562/3572) Size=0x2d [2d0-2fc]
3. Phy Mode = 9
MCS Set = ff 00 00 00 01
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
RTMP_TimerListAdd: add timer obj c28620e8!
Main bssid = ac:a2:13:2b:a4:c4
== rt28xx_init, Status=0
0x1300 = 00064320
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
RTMP_TimerListAdd: add timer obj c28a97a0!
RTMP_TimerListAdd: add timer obj c28a9944!
/home/user/2011_0517_RT5370_RT5372_RT5390U_Linux_AP_V2.6.0.0_DPA_1/MODULE/os/linux/../../ap/ap_data.c:3731 assert pEntry->Aid == pRxWI->WirelessCliIDfailed
RTMP_TimerListAdd: add timer obj c28bd0ec!
Rcv Wcid(1) AddBAReq
Start Seq = 00000003
RTMP_TimerListAdd: add timer obj c28be500!
ra0 (WE) : Driver using old /proc/net/wireless support, please fix driver !

There are a bunch of shell scripts in there to do various things. When the machine boots up, it runs, which in turn runs, and then This loads a bunch of utXXX processes, which are all ELF binaries, unfortunately, and run the core functions of the treadmill. downloads the latest scheduled workout in your iFit account into /icon/bin/iFit/download/wpl2. It uses http downloads from iFit’s server, The server host name is stored in the IFIT_SERVER environment variable, so it’s quite easy to redirect it to download from a different server. I envision writing a local http server to emulate some of the iFit server’s functionality. It’s easy to follow what the script does by just typing bash -x in the shell. The server uses SOAP for its API (templates contained in /icon/bin/iFit/network), and downloads are handled via a binary called soap_get.
It turns out that the workouts are consist of 2 files:, and a file with .wpl extension, which is the actual workout data. the name of the .wpl file is the first field in Unfortunately, wpl is a proprietary binary format, so it will take some effort to figure it out, but once that is done, it will be possible to create your own custom workouts without using! The built-in workouts are all stored in /icon/bin/iFit/builtin/builtin.xx where xx is a number.

To get the files off of the machine for easy examination, all you have to do is launch the built-in ftpd command to get an anonymous ftp server. Even though it’s already configured in inetd.conf, the server won’t start unless you launch it manually on the command line:

# tcpsvd -vE 21 ftpd /
tcpsvd: listening on, starting

Substitute your treadmill’s IP number where I have I dumped out the whole /icon/bin directory for perusal. I used the Filezilla ftp client on MS Windows.

One final thing… checks for and downloads the latest firmware. The firmware updates are in the form of a .tgz file. You can take a look at the contents by looking at /icon/restore/app.tgz, which is a copy of the firmware that’s probably for recovering from a botched update..

That’s all for now. I’m surprised that iFit left the system so wide open. It’s possible that when they find out that people are hacking their systems that they will close the telnet backdoor, so if you want to play, it’s probably a good idea not to update your firmware.

If you play around with your iFit, please share your discoveries in the comments below.


Update 2016-04-04: Thanks to Stefano Livi’s uber hacking skillz, I’ve created a github repo: iFitWPL. Using information provided by Stefano, I wrote a C++ program to (mostly) decode WPL files. I have not yet had time to write code to create new WPL files, but there is a file where Stefano shows code in an obscure programming language to create a new WPL: Notes_on_wpl.txt. Please contribute to the github repo, and feel free to discuss any progress in the comments below.

Update 2017-01-10: My Proform treadmill’s motor crapped out. The treadmill never lived up to my expectations, and Costco is letting me return it, so I’m not going to be doing any more hacking on this. Believe it or not, Costco sent a truck to pick up the treadmill, even though I’d had it over a year. Now looking for a better quality treadmill to replace it!

HowTo: Upgrade Scosche Rhythm+ Firmware


The Scosche Rhythm+ is an optical BLE/ANT+ armband heart rate monitor that’s highly recommended by DC Rainmaker. There are many posts around the Internet which claim that it doesn’t have updateable firmware, but that’s not always the case. Prior to firmware V2.5, the Rhythm+ had to be sent back to Scosche for firmware updates, but if you’re lucky to have firmware 2.5+ installed, you can update the firmware yourself with your phone and Scosche’s Fitness Utility. The procedure is quick and easy. Pair the Rhythm+ to your phone and launch the Fitness Utility. You will be presented with the Attributes screen, which lists the current firmware version:


If you have Firmware Revision 2.5 or higher, tap the Commands button, and you’ll be presented with this screen:


Tap the Firmware Update Start button, and the utility will update you to the latest firmware. I got a nice new feature when I upgraded mine to firmware 2.62. Now, after setting my HR Zone Min and HR Zone Max via the Fitness Utility, the LED on the Rhythm+ blinks blue when my HR is below HR Zone Min, purple when I’m between HR Zone Min & Max, and red when I’m above HR Zone Max. I guess if you only use ANT+, and want to save some battery life, you can turn off the BLE Radio as well, but I haven’t tried playing with any of the other functions yet, and I have no idea how you would turn BLE on again, since the app communicates via BLE.

Update 2016-07-11: Reader Atle posted below that v2.62 adds another function for iOS users … click once to start/stop music, and double click to advance tracks in the playlist. I wonder if this works on Android, as well.