Hacking a Proform 12.0TT Treadmill with iFit Live

I recently bought a Proform 12.0TT treadmill from Costco. One of the major reasons I picked this particular treadmill was because it supports iFit Live, which is supposed to allow you to make custom workouts with google maps. Unfortunately, iFit Live has turned out to be complete garbage. My first frustrations started when I tried to connect my treadmill to my iFit account. I spent a couple of hours and got nowhere, because it kept complaining that it wasn’t able to contact the iFit server. I thought maybe it was that my WiFi wasn’t configured correctly, even though the treadmill was able to obtain a valid IP address. I tried submitting a support ticket, and was completely appalled by the horrible total lack of support. They didn’t even bother to respond to my ticket for more than a week, and by that time, I’d figured out that there server had gone down for a few days… one day, it finally just started talking to their server.

iFit Live, which is the only way to make custom workouts is quite expensive, and the treadmill doesn’t even come with so much as a free trial. It costs $9.99/mo or $99/yr. I was thinking of trying it out, but with their crappy support, I don’t want to give them my money. The worst part is that there’s this really cool iFit app that runs on iOS and Android that lets you visualize your workouts in realtime, but it only works on a handful of treadmills, and mine is not included on the list. Of course, they don’t tell you this, so I didn’t figure it out until I’d already bought the treadmill. Doing the workouts on the treadmill’s rather ugly and primitive display isn’t nearly as cool as via google Street View, or at least tracking it on a live google map.

The treadmill’s controller is garbage, too. It doesn’t let you customize the built-in workouts, and doesn’t even let you input things such as age/gender/weight, so the calorie calculations are completely worthless. I started thinking about hacking my own controller for the treadmill, but then decided to first see what could be done via software.

It turns out the treadmill has a built in telnetd, and if you telnet to its IP number, you can log in as root without using any password. ssh is also supported, but it requires the root password. Once you telnet in, it’s readily apparent that it’s running embedded Linux of some sort on an ARM processor. The treadmill control stuff is all in directory /icon/bin. Here is a list of the running processes:

# ps
PID Uid VSZ Stat Command
1 root 652 S init
2 root SWN [ksoftirqd/0]
3 root SW< [events/0]
4 root SW< [khelper]
5 root SW< [kthread]
16 root SW< [kblockd/0]
19 root SW< [khubd]
50 root SW [pdflush]
51 root SW [pdflush]
52 root SW [kswapd0]
53 root SW< [aio/0]
666 root SW [sdioeventd]
667 root SW [sdiod0]
669 root SW [mtdblockd]
709 root SW [nandeventd]
710 root SW [nandthread]
713 root SW< [scsi_eh_0]
739 root 3148 S /usr/bin/syslogd -S -b 10 -D -s 32 -O /tmp/logfile.tx
753 root 2292 S /usr/bin/dropbear
783 root SW [RtmpTimerTask]
784 root SW [RtmpMlmeTask]
785 root SW [RtmpCmdQTask]
786 root SW [RtmpWscTask]
792 root 3124 S /usr/bin/httpd -f -p 8080 -h /icon/bin/html
793 root 3020 S sslwrap -cert /usr/bin/sslwrap.cert -accept 443 -port
794 root 2880 S ./utwatch
795 root 652 S init
796 root 652 S init
798 root 652 S init
800 root 652 S init
810 root 2740 S utaudio
811 root 6476 S utcompete
812 root 2864 S utcontrol
813 root 2744 S utdevcom
814 root 2764 S utinput
815 root 2740 S utlog
816 root 6940 S utnetstatus
817 root 2200 S utuserlog
819 root 2740 S utvalues
820 root 2888 S utwifi
826 root 2872 S utwpl
827 root 2272 S utdisplay
828 root 2740 S utworkout
831 root 4640 R N web_serv
928 root 652 S udhcpc -i apcli0 -a -n -t 4
974 root 664 S telnetd
7348 root 764 S /bin/sh
26665 root 764 S /bin/sh
14635 root 656 R ps
14636 root 648 R sh -c iwconfig
#

From dmesg, I found that it’s running on a NuMicro NUC950 MCU running at 200MHz with 32MB RAM and 130MB of NAND flash. Here is the entire output of dmesg after bootup:

# dmesg
Linux version 2.6.17.14 (sbarton@sbarton-VirtualBox) (gcc version 4.2.1) #95 PREEMPT Thu Nov 21 10:08:23 MST 2013
CPU: ARM926EJ-Sid(wb) [41069265] revision 5 (ARMv5TEJ)
Machine: NUC950
Memory policy: ECC disabled, Data cache writeback
On node 0 totalpages: 8192
DMA zone: 8192 pages, LIFO batch:1
CPU NUC950 (id 0x02900910 system clock:200MHZ)
CPU0: D VIVT write-back cache
CPU0: I cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
CPU0: D cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
Built 1 zonelists
Kernel command line: root=/dev/ram0 console=ttyS0,115200n8 initrd=0xa00000,4000000 mem=32M
PID hash table entries: 256 (order: 8, 1024 bytes)
Console: colour dummy device 80×30
selected clock e4e1c0 quot 7
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 32MB = 32MB total
Memory: 26440KB available (1676K code, 309K data, 80K init)
Calibrating delay loop… 99.73 BogoMIPS (lpj=498688)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
checking if image is initramfs…it isn’t (no cpio magic); looks like an initrd
Freeing initrd memory: 3906K
NET: Registered protocol family 16
********************************************
* You selcet NUC950,Start Init NUC950EVB *
********************************************
SCSI subsystem initialized
usbcore: registered new driver usbfs
usbcore: registered new driver hub
NET: Registered protocol family 2
IP route cache hash table entries: 256 (order: -2, 1024 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
NetWinder Floating Point Emulator V0.97 (double precision)
io scheduler noop registered (default)
NUC900 uart driver has been initialized successfully!
nuc900-uart.0: nuc900_serial0 at MMIO 0xb8000000 (irq = 7) is a NUC900
nuc900-uart.1: nuc900_serial1 at MMIO 0xb8000100 (irq = 8) is a NUC900
nuc900-uart.2: nuc900_serial2 at MMIO 0xb8000200 (irq = 9) is a NUC900
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
loop: loaded (max 8 devices)
Card0 Detect !!!
NUC900 SD driver has been initialized successfully!
CFI: Found no nuc900nor device at location zero
probe failed
NUC900 USB host driver has been initialized successfully!
nuc900-ehci nuc900-ehci: Nuvoton nuc900 EHCI Host Controller
nuc900-ehci nuc900-ehci: new USB bus registered, assigned bus number 1
nuc900-ehci nuc900-ehci: irq 15, io mem 0xb0005000
nuc900-ehci nuc900-ehci: USB 2.0 started, EHCI 0.95, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
nuc900-ohci nuc900-ohci: Nuvoton nuc900 ohci Host Controller
nuc900-ohci nuc900-ohci: new USB bus registered, assigned bus number 2
nuc900-ohci nuc900-ohci: io mem 0xb0007000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
Initializing USB Mass Storage driver…
usb 1-2: new high speed USB device using nuc900-ehci and address 2
usb 1-2: configuration #1 chosen from 1 choice
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
ts: Compaq touchscreen protocol output
i2c /dev entries driver
nuc900-i2c-p0 nuc900-i2c-p0: bus frequency set to 100 KHz
nuc900-i2c-p0 nuc900-i2c-p0: i2c-0: nuc900 I2C port0 adapter
client [NAU882] registered with bus id 0-001a
NUC900 Audio driver has been initialized successfully!
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
RAMDISK: Compressed image found at block 0
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 80K
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
gnand: module license ‘Nuvoton’ taints kernel.
NAND: nand_init!!!!!
1. ===> write SMCSR
scsi0 : Nuvoton NUC900 GNAND DRIVER!
nand card init
1. ===> write SMCSR
Card0 Removed
card reset4. ===> write SMCSR
6. ===> write SMCSR
fmiCheckInvalidBlock pSM0->uLibStartBlock=2
Valid P2LN 577, block 1022

===> nand total sectors 253696 <size 129892352>
Vendor: NUVOTON Model: GNAND DRIVER Rev: 2.00
Type: Direct-Access ANSI SCSI revision: 00
SCSI device sda: 253696 512-byte hdwr sectors (130 MB)
sda: Write Protect is off
sda: Mode Sense: 03 00 00 00
sda: got wrong page
sda: assuming drive cache: write through
SCSI device sda: 253696 512-byte hdwr sectors (130 MB)
sda: Write Protect is off
sda: Mode Sense: 03 00 00 00
sda: got wrong page
sda: assuming drive cache: write through
sda: sda1 sda2 sda3 sda4 < sda5 >
sd 0:0:0:0: Attached scsi removable disk sda
EXT2-fs warning: mounting unchecked fs, running e2fsck is recommended
rtusb init rt3070AP —>
=== pAd = c2804000, size = 778504 ===

RTMPAllocTxRxRingMemory, Status=0
RTMPAllocAdapterBlock, Status=0
usbcore: registered new driver rt3070AP
(Efuse for 3062/3562/3572) Size=0x2d [2d0-2fc]
RTMP_TimerListAdd: add timer obj c2893b98!
RTMP_TimerListAdd: add timer obj c2861ed0!
RTMP_TimerListAdd: add timer obj c2861eb8!
RTMP_TimerListAdd: add timer obj c2861ea0!
RTMP_TimerListAdd: add timer obj c28081a8!
RTMP_TimerListAdd: add timer obj c2807dc4!
RTMP_TimerListAdd: add timer obj c280818c!
RTMP_TimerListAdd: add timer obj c2808414!
RTMP_TimerListAdd: add timer obj c2808394!
RTMP_TimerListAdd: add timer obj c280b240!
RTMP_TimerListAdd: add timer obj c280ae5c!
RTMP_TimerListAdd: add timer obj c280b224!
RTMP_TimerListAdd: add timer obj c280b4ac!
RTMP_TimerListAdd: add timer obj c280b42c!
RTMP_TimerListAdd: add timer obj c280e2d8!
RTMP_TimerListAdd: add timer obj c280def4!
RTMP_TimerListAdd: add timer obj c280e2bc!
RTMP_TimerListAdd: add timer obj c280e544!
RTMP_TimerListAdd: add timer obj c280e4c4!
RTMP_TimerListAdd: add timer obj c2811370!
RTMP_TimerListAdd: add timer obj c2810f8c!
RTMP_TimerListAdd: add timer obj c2811354!
RTMP_TimerListAdd: add timer obj c28115dc!
RTMP_TimerListAdd: add timer obj c281155c!
RTMP_TimerListAdd: add timer obj c2814408!
RTMP_TimerListAdd: add timer obj c2814024!
RTMP_TimerListAdd: add timer obj c28143ec!
RTMP_TimerListAdd: add timer obj c2814674!
RTMP_TimerListAdd: add timer obj c28145f4!
RTMP_TimerListAdd: add timer obj c28174a0!
RTMP_TimerListAdd: add timer obj c28170bc!
RTMP_TimerListAdd: add timer obj c2817484!
RTMP_TimerListAdd: add timer obj c281770c!
RTMP_TimerListAdd: add timer obj c281768c!
RTMP_TimerListAdd: add timer obj c281a538!
RTMP_TimerListAdd: add timer obj c281a154!
RTMP_TimerListAdd: add timer obj c281a51c!
RTMP_TimerListAdd: add timer obj c281a7a4!
RTMP_TimerListAdd: add timer obj c281a724!
RTMP_TimerListAdd: add timer obj c28380c0!
RTMP_TimerListAdd: add timer obj c2837cdc!
RTMP_TimerListAdd: add timer obj c28380a4!
RTMP_TimerListAdd: add timer obj c283832c!
RTMP_TimerListAdd: add timer obj c28380dc!
RTMP_TimerListAdd: add timer obj c28380f8!
RTMP_TimerListAdd: add timer obj c2838114!
RTMP_TimerListAdd: add timer obj c286a7e4!
RTMP_TimerListAdd: add timer obj c286a854!
RTMP_TimerListAdd: add timer obj c286a7fc!
RTMP_TimerListAdd: add timer obj c283864c!
RTMP_TimerListAdd: add timer obj c28056c8!
RTMP_TimerListAdd: add timer obj c2808760!
RTMP_TimerListAdd: add timer obj c280b7f8!
RTMP_TimerListAdd: add timer obj c280e890!
RTMP_TimerListAdd: add timer obj c2811928!
RTMP_TimerListAdd: add timer obj c28149c0!
RTMP_TimerListAdd: add timer obj c2817a58!
RTMP_TimerListAdd: add timer obj c2838378!
RTMP_TimerListAdd: add timer obj c28623d0!
–>RTUSBVenderReset
RTUSBVenderReset
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
1. Phy Mode = 9
2. Phy Mode = 9
NVM is Efuse and its size =2d[2d0-2fc]
(Efuse for 3062/3562/3572) Size=0x2d [2d0-2fc]
3. Phy Mode = 9
MCS Set = ff 00 00 00 01
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
RTMP_TimerListAdd: add timer obj c28620e8!
Main bssid = ac:a2:13:2b:a4:c4
== rt28xx_init, Status=0
0x1300 = 00064320
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
RTMP_TimerListAdd: add timer obj c28a97a0!
RTMP_TimerListAdd: add timer obj c28a9944!
/home/user/2011_0517_RT5370_RT5372_RT5390U_Linux_AP_V2.6.0.0_DPA_1/MODULE/os/linux/../../ap/ap_data.c:3731 assert pEntry->Aid == pRxWI->WirelessCliIDfailed
RTMP_TimerListAdd: add timer obj c28bd0ec!
Rcv Wcid(1) AddBAReq
Start Seq = 00000003
RTMP_TimerListAdd: add timer obj c28be500!
ra0 (WE) : Driver using old /proc/net/wireless support, please fix driver !

There are a bunch of shell scripts in there to do various things. When the machine boots up, it runs go.sh, which in turn runs loadapp.sh, and then runapp.sh. This loads a bunch of utXXX processes, which are all ELF binaries, unfortunately, and run the core functions of the treadmill. download.sh downloads the latest scheduled workout in your iFit account into /icon/bin/iFit/download/wpl2. It uses http downloads from iFit’s server, machines.iconfitness.com. The server host name is stored in the IFIT_SERVER environment variable, so it’s quite easy to redirect it to download from a different server. I envision writing a local http server to emulate some of the iFit server’s functionality. It’s easy to follow what the script does by just typing bash -x download.sh in the shell. The server uses SOAP for its API (templates contained in /icon/bin/iFit/network), and downloads are handled via a binary called soap_get.
It turns out that the workouts are consist of 2 files: layout.fit, and a file with .wpl extension, which is the actual workout data. the name of the .wpl file is the first field in layout.fit. Unfortunately, wpl is a proprietary binary format, so it will take some effort to figure it out, but once that is done, it will be possible to create your own custom workouts without using ifit.com! The built-in workouts are all stored in /icon/bin/iFit/builtin/builtin.xx where xx is a number.

To get the files off of the machine for easy examination, all you have to do is launch the built-in ftpd command to get an anonymous ftp server. Even though it’s already configured in inetd.conf, the server won’t start unless you launch it manually on the command line:

# tcpsvd -vE 192.168.1.111 21 ftpd /
tcpsvd: listening on 192.168.1.111:21, starting

Substitute your treadmill’s IP number where I have 192.168.1.111. I dumped out the whole /icon/bin directory for perusal. I used the Filezilla ftp client on MS Windows.

One final thing… download_firmware.sh checks for and downloads the latest firmware. The firmware updates are in the form of a .tgz file. You can take a look at the contents by looking at /icon/restore/app.tgz, which is a copy of the firmware that’s probably for recovering from a botched update..

That’s all for now. I’m surprised that iFit left the system so wide open. It’s possible that when they find out that people are hacking their systems that they will close the telnet backdoor, so if you want to play, it’s probably a good idea not to update your firmware.

If you play around with your iFit, please share your discoveries in the comments below.

 

Update 2016-04-04: Thanks to Stefano Livi’s uber hacking skillz, I’ve created a github repo: iFitWPL. Using information provided by Stefano, I wrote a C++ program to (mostly) decode WPL files. I have not yet had time to write code to create new WPL files, but there is a file where Stefano shows code in an obscure programming language to create a new WPL: Notes_on_wpl.txt. Please contribute to the github repo, and feel free to discuss any progress in the comments below.

Update 2017-01-10: My Proform treadmill’s motor crapped out. The treadmill never lived up to my expectations, and Costco is letting me return it, so I’m not going to be doing any more hacking on this. Believe it or not, Costco sent a truck to pick up the treadmill, even though I’d had it over a year. Now looking for a better quality treadmill to replace it!

There are 49 Comments to "Hacking a Proform 12.0TT Treadmill with iFit Live"

  • Alan Kirk says:

    Sam, Thanks for the post. Have you thought about letting COSTCO know of your displeasure and maybe future customers could be alerted to the inadequacy of the iFit product. Since you have a much better appreciation of the problem, the COSTCO home gym equipment buyers might be able to negotiate a better package next time. I suspect the buyers have little knowledge of this issue.

    • lincomatic says:

      That’s a good idea. I am still on the fence about returning the treadmill to Costco, too. But it’s so big & heavy that I’ll probably end up keeping it. The actual treadmill part of it is decent quality (although it has a slight defect in the welding of one of the supports that I’m not going to bother fixing, since dealing with Proform’s tech support is equally bad, from what I hear).

  • Justin O'Reilly says:

    Hey. I am glad I stumbled upon your post. I was doing a little digging and found out the root password to the iFit Live Module. Shoot me an email and maybe we can discuss how to get this bad boy to be useful.

    • hess9830 says:

      Hi Justin,
      My iFit Live Module doesn’t allow telnet so Im trying to figure out how to ssh as root. You mention you were able to figure out the root password? Would you mind explaining how you did this.

  • Stefano Livi says:

    Hey. I am am also the (not so) proud owner of a 12.0TT. In my case, I noticed that the velocity was not constant day-to-day, even though the console was showing that. After comparing three different measuring techniques (pace counter, band length, and rolling wheel) I establish that the console was showing between 5% and 25% higher speed than real (the other measurements showed +/-2% variation between them).
    Opening up the motor housing, I found out that the reed relay which should give the speed measurement was just not there! I complained with ProForm and have not heard from them yet, but seriously suspect that they even saved on the 10-15$ of the little device.

    Also, I was upset of the IFit problems reported above, and have hacked the proprietary wpl code. If anybody is interested, I will send description of what it contains, and how to read/write it. Just send me a PM.

    • lincomatic says:

      Wow, I suspected that the speed was off, but not by that much! How about the distance error? Is it directly correlated with speed error? I noticed that mine is missing the reed switch, as well. I suspect they’re estimating speed by the PWM signal they’re sending the motor. My idea was to hack in a BT 4.0 bike speed/distance sensor so that I could use a smartphone app to track my workouts… I tried to use the magnet on the roller that’s for the missing reed switch. Unfortunately, the diameter of the roller is so much smaller than what the bike sensor expects that it doesn’t work.

    • Raul Gaxiola says:

      Hi Stefano, I’m interested on understanding wpl files, can you help me with that?

      best regards

    • Peter King says:

      I don’t have this product but a proform tour de france bike which is very similar in terms of using ifit and similar arm embeded linux. I would be very intesrested in any information regarding wpl files.

      • lincomatic says:

        Thanks to the excellent hacking abilities of Stefano Livi, I’ve created a C++ program which can decode most of the WPL files.
        It is on github: https://github.com/lincomatic/iFitWPL
        Take a look at his Notes_on_wpl.txt, which I’ve included for some more info and sample code.
        Please feel free to contribute to the repo if you enhance the code.
        I’m currently too busy to take it to the next level, which is to write the WPL files as well as decode them.

  • Stefano Livi says:

    What is worse, is that velocity varies, and it varies a lot. I noticed that my heart beat was changing very much while exercising, day-to-day, and started having thought. Then I went on travel, and saw that on professional treadmills my heart was much more constant. That raised a flag.
    The clock on the treadmill is quite accurate, but distance is calculated from the velocity, therefore has the same error.
    My plan forward is to get a reed relay from Radio Shack (4$) and mount it near the magnet of the roller. An Arduino to read the reed (tongue twisting) and at least I would know how fast and how long I would be running. Will post again if successful.

  • Simon Batchelor says:

    Interesting…!

    I have an elliptical machine and a “pre 2015” ifit live module. You can see the files mentioned (or last workout anyway) if you plug it into a PC. It mounts as a disk. Interesting the wifi key is stored in plain text 🙂

    What has annoyed me is that there is no option to simulate incline of the iFit workout using the machines power ramp. It always uses resistance. I thought about (but not too much) trying to see if this interpretation is encoded into the wpl2 file.

    What makes me think it may be is that a colleague has a different machine/the 2015 wifi module. When he downloads from ifit he gets similar results to me. When he uses his ipad (yes his elliptical works) to download the workout – his machine controls the ramp and the ipad can be used to control resistance. Shame he’s leaving soon as I’d like to work that out!

    Anyway, I’ll probably never get round to looking at this, so wish you luck

  • Drew says:

    I recently purchased an iFit module (2015 edition; doesn’t mount as a USB disk) for a norictrack elliptical, and I’m trying to use the advice here to get into the system and maybe get my own workouts running. My module has working telnet, but the ftp daemon is already running and doesn’t show much to anonymous logins. Should I be quitting that service and relaunching a new one? I’m relatively new to this sort of thing so I’m being cautious (not willing to risk breaking things yet). I am also trying to extract the root password file from passwd, but have not been successful yet.

    • lincomatic says:

      Don’t worry, killing the ftp daemon is OK. It will just restart at the next boot.

      If you manage to extract the root password, pls let us know. Thanks.

  • Nicholas says:

    This is awesome. I have another iFit exercise machine (Nordictrack Audiostrider 990, an elliptical machine) and I’ve hoped someone would work out how to get access to this stuff. Ideally, I’d like to see a custom controller for the whole machine, so you could interface it with a computer and use it for immersive input and output. E.g., play Skyrim, and actually run your character around, with the speed controlled by your actual speed, elevation controlled by the terrain you’re crossing, and maybe resistance tied to how much your character is carrying. That sort of thing. My impression is that all the necessary hardware is present, but they’ve certainly not documented it well or made it easy to work with in this capacity.

    • lincomatic says:

      It would probably not be that difficult to hack it. I don’t like their controller, either. But my problemnis lack of time to work on it. Too many other projects

    • Deegan says:

      Hey Nicolas,. Did you get anywhere with this? I just bought the 990 and was thinking the same thing.

  • Gianluca says:

    Hi Stefano, i am interesting about wpl files workout and Google Street functionaltity without ifit-live account with my norditrack C200. Can you contact me via email ? Thanks in advance.

  • Javier says:

    I guys! Good work!
    I am working with “pre 2015” external iFit Live module. At “NETWORK” folder there are all the templates to connect with webservices, where is possible to download all the history and joined programs (if you have an active account at iFit.com).
    With this, now I have an extense workout libraries and all my history at local mysql bbdd.
    Next step: local mobile app to select programs and see the schedule!
    Keep you updated!

  • Steve says:

    I keep trying to telnet into my Proform 920NE on port 23 but it refuses the connection. Ive used Windows telnet and PuTTY. Any help would be appreciated

    • lincomatic says:

      Are you sure you’re trying to connect to the correct IP number? I wonder if yours runs a different firmware. Have you tried scanning it to see what ports are open?

  • Steve says:

    Thanks for the reply. I have the correct IP address. It’s connected via WiFi to my network. Running netstat doesn’t help. Other than trying to connect on every port one at a time I don’t know how to find the ports that the applications on the ifit console are listening to.
    Steve

  • alain chiasson says:

    OMG! I bought a Nordicktrack T5.7 back in 2012 with the ifit Wifi – same issues – crappy service, bad stats etc. I figured they got their act together !! Guess not. It never dawned on me to just try telnet to it. I have ( I presume) the older wifi module.

    I know what I am doing tonight !!

    for port scanning – you can try nmap. I use it all the time to find open ports on systems ( when developers get a hold of a system – you never know what thye do !).

    https://nmap.org/

    Will followup !!

  • Tom says:

    I have a Healthrider (made by Icon) and have a subscription to iFit live which will last another few months. If it’s any use I can probably sort out packet captures etc.

    • lincomatic says:

      Packet captures would probably be useful. Then we could make a fake server.

      • Tom says:

        I connected the treadmill via my laptop and have a Wireshark capture of its traffic doing various things (rough timeline in the accompanying textfile).
        I appreciate it contains a hash used to authenticate to the server which is almost certainly personal to me; please don’t use it on the ifit servers without contacting me first!
        The file is here

        • lincomatic says:

          Cool stuff! Thanks for keeping us in the loop on your progress. Unfortunately, I still have too many things on my plate to work on this

  • Taiko says:

    Great blog! before reading this I just ordered a Nordictack 2450, it’s still on the way to my home and I really hope the telnet backdoor is still accessible.

  • Matt says:

    If anybody knows the root password I would appreciate. My proform is the Pro 9000 and either it never had telnet or they plugged that hole. I can only ssh.
    Not only is iFit worthless, my treadmill actual forces me to watch advertisements for the service after every software update. I didn’t realize my $2000 treadmill would be ad supported.

    • lincomatic says:

      What an awful, greedy company! Your 9000 is a lot fancier than mine. I think it’s probably running Android, not the simple embedded Linux that drives the lower end models.

  • Greg says:

    Has anyone found a way to control the incline this way? I just stumbled upon runningsocial and was wondering how feasible it would be to have it trigger incline changes on the treadmill.

    • Tom says:

      I’ll be having a good dig in this direction shortly. I’m hoping to explore exactly what the process is doing to work out how it interfaces with the treadmill. I noticed a fair bit of I2C in dmesg – I wonder if it’s using that.

  • stuck says:

    SO glad I found this thread! I’ve got the 2012 version of the TdF bike, but much of this is useful info, since it’s a worthless piece of S*** atm.
    Ideally, I’ll get a wholly stand-alone hardware interface to the bike eventually.

  • Mike says:

    Stumbled onto this page after searching “iFit Strava API”, which I feel should exist, or as I’m now realizing, maybe a whole replacement to iFit firmware could just come to exist.

    I have a NordicTrac and I share many of the frustrations expressed here regarding iFit. It would be awesome if the starting-line issues are hacked away so that an open alternative could come to exist! Would gladly support as I have time. I’d love to build my own program to create custom interval workouts, etc.

    • lincomatic says:

      Sorry, I don’t have the root password, that’s why I was pleasantly surprised that I could be root via telnet with no password

  • barban says:

    Hi friends, I can ping my iFit Live WiFi module but I cannot connect to it in any way (telnet, ssh, …): nmap reports that all the device’s ports are filtered :(. So, do you mind to share the firmware (/icon/restore/app.tgz) via gdrive or similar ? Thanks!!!

    • lincomatic says:

      If you can’t get in, how are you going to copy it into your module?

      • barban says:

        Hi lincomatic, I would like to dig into the linux filesystem to have a look at the code. I think it could be usefull to find information concerning the web service OASP requests and the wpl format as an alternative way w.r.t. analizing the pcap recorded traffic. By the way, it is not clear to me the reason I cannot acces by telnet (my fw version should be EXIF2009 v106,003). BR

        • lincomatic says:

          I have a feeling that they closed to telnet loophole (maybe partly because of my blog 🙁 ). Maybe you can crack the root PW. I sent you an email

          • barban says:

            In my case, I cannot connect to the wifi module at all (telnet and ssh ports are filtered), so it is not a matter of root password. It is not clear to me if my WiFi AP denies client-to-client communications od devices attached to it or if the telnet and ssh services have been removed form the firmware. I will investigate this point. BR

          • lincomatic says:

            Have you checked the motherboard for a serial port? Maybe that’s your best bet. Mine was built-in, not iFit module, so it’s different from yours. If you care to post photos of your PCB, maybe I can help look.

  • n_v says:

    Hi. I just connected to my new ifit Live module through telnet. I has fw EXIF2012 1.0.1. The module is apparently trying to download new firmware (red and flashing green leds). How can I avoid that, to maintain the telnet loophole? Thanks.

    • lincomatic says:

      You can prevent firmware downloads by renaming /icon/bin/download_firmware.sh to some other name like download_firmware.sh.sav. But there’s another copy
      in the /icon/restore/app.tgz file, which is used whenever it tries to do a factory reset. You have to also deal with the copy inside app.tgz.

  • KR says:

    I have a NordicTrack treadmill and want to create some finely-tuned interval training workouts. I subscribed to iFit and although it allows me to create workouts, their graphical interface doesn’t provide the granularity that I’d like.

    I’m wondering if anybody on this thread has had any luck figuring out a way to create custom workouts that can be uploaded to the treadmill. I’m not linux savvy, but have enough tech savvy to follow a guided process. 🙂

    Thanks!

  • Dave says:

    I’ve got an ancient elliptical, no internet connectivity, but does support iFit audio. Probably proprietary, but have you come across any documentation of how that data is encoded? Main project is to web enable the machine, this is just a side research.

    Also – the machine has a rj11 jack on the back (plus a 3 pin connector under an access panel); some searching on the daughterboard behind that jack shows it is used in a variety of fitness machines, probably for diagnostics. Did yours have one and if it did, did you figure out what it was for?

    Here’s the main project thread if you are interested:
    https://groups.google.com/forum/#!topic/23b-shop/nJ70g4ks9D4

  • iwaddo says:

    Hi, I’ve a NordicTrack Elliptical and an expired iFit account, I’ve also got two plug-in modules. I was wondering if it were possible to ‘program’ the module with my own routines and found this site. I’m reasonably IT literate and can follow most of the information no this site but was wondering if anyone has actually set-up a way to program the module or create a local server and use your own routines.

  • db says:

    Has anyone ever sniffed the UART BRAIN rs232 connector on the back of the module socket? I am sniffing it now without an iFit module and all I get is “TYPETYPETYPE…” over and over again. I’ve tried sending it everything I can think of. I have a used module on the way, but was hoping I could figure out the direct serial commands.

Write a Comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>