Hacking a Proform 12.0TT Treadmill with iFit Live

I recently bought a Proform 12.0TT treadmill from Costco. One of the major reasons I picked this particular treadmill was because it supports iFit Live, which is supposed to allow you to make custom workouts with google maps. Unfortunately, iFit Live has turned out to be complete garbage. My first frustrations started when I tried to connect my treadmill to my iFit account. I spent a couple of hours and got nowhere, because it kept complaining that it wasn’t able to contact the iFit server. I thought maybe it was that my WiFi wasn’t configured correctly, even though the treadmill was able to obtain a valid IP address. I tried submitting a support ticket, and was completely appalled by the horrible total lack of support. They didn’t even bother to respond to my ticket for more than a week, and by that time, I’d figured out that there server had gone down for a few days… one day, it finally just started talking to their server.

iFit Live, which is the only way to make custom workouts is quite expensive, and the treadmill doesn’t even come with so much as a free trial. It costs $9.99/mo or $99/yr. I was thinking of trying it out, but with their crappy support, I don’t want to give them my money. The worst part is that there’s this really cool iFit app that runs on iOS and Android that lets you visualize your workouts in realtime, but it only works on a handful of treadmills, and mine is not included on the list. Of course, they don’t tell you this, so I didn’t figure it out until I’d already bought the treadmill. Doing the workouts on the treadmill’s rather ugly and primitive display isn’t nearly as cool as via google Street View, or at least tracking it on a live google map.

The treadmill’s controller is garbage, too. It doesn’t let you customize the built-in workouts, and doesn’t even let you input things such as age/gender/weight, so the calorie calculations are completely worthless. I started thinking about hacking my own controller for the treadmill, but then decided to first see what could be done via software.

It turns out the treadmill has a built in telnetd, and if you telnet to its IP number, you can log in as root without using any password. ssh is also supported, but it requires the root password. Once you telnet in, it’s readily apparent that it’s running embedded Linux of some sort on an ARM processor. The treadmill control stuff is all in directory /icon/bin. Here is a list of the running processes:

# ps
PID Uid VSZ Stat Command
1 root 652 S init
2 root SWN [ksoftirqd/0]
3 root SW< [events/0]
4 root SW< [khelper]
5 root SW< [kthread]
16 root SW< [kblockd/0]
19 root SW< [khubd]
50 root SW [pdflush]
51 root SW [pdflush]
52 root SW [kswapd0]
53 root SW< [aio/0]
666 root SW [sdioeventd]
667 root SW [sdiod0]
669 root SW [mtdblockd]
709 root SW [nandeventd]
710 root SW [nandthread]
713 root SW< [scsi_eh_0]
739 root 3148 S /usr/bin/syslogd -S -b 10 -D -s 32 -O /tmp/logfile.tx
753 root 2292 S /usr/bin/dropbear
783 root SW [RtmpTimerTask]
784 root SW [RtmpMlmeTask]
785 root SW [RtmpCmdQTask]
786 root SW [RtmpWscTask]
792 root 3124 S /usr/bin/httpd -f -p 8080 -h /icon/bin/html
793 root 3020 S sslwrap -cert /usr/bin/sslwrap.cert -accept 443 -port
794 root 2880 S ./utwatch
795 root 652 S init
796 root 652 S init
798 root 652 S init
800 root 652 S init
810 root 2740 S utaudio
811 root 6476 S utcompete
812 root 2864 S utcontrol
813 root 2744 S utdevcom
814 root 2764 S utinput
815 root 2740 S utlog
816 root 6940 S utnetstatus
817 root 2200 S utuserlog
819 root 2740 S utvalues
820 root 2888 S utwifi
826 root 2872 S utwpl
827 root 2272 S utdisplay
828 root 2740 S utworkout
831 root 4640 R N web_serv
928 root 652 S udhcpc -i apcli0 -a -n -t 4
974 root 664 S telnetd
7348 root 764 S /bin/sh
26665 root 764 S /bin/sh
14635 root 656 R ps
14636 root 648 R sh -c iwconfig
#

From dmesg, I found that it’s running on a NuMicro NUC950 MCU running at 200MHz with 32MB RAM and 130MB of NAND flash. Here is the entire output of dmesg after bootup:

# dmesg
Linux version 2.6.17.14 (sbarton@sbarton-VirtualBox) (gcc version 4.2.1) #95 PREEMPT Thu Nov 21 10:08:23 MST 2013
CPU: ARM926EJ-Sid(wb) [41069265] revision 5 (ARMv5TEJ)
Machine: NUC950
Memory policy: ECC disabled, Data cache writeback
On node 0 totalpages: 8192
DMA zone: 8192 pages, LIFO batch:1
CPU NUC950 (id 0x02900910 system clock:200MHZ)
CPU0: D VIVT write-back cache
CPU0: I cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
CPU0: D cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
Built 1 zonelists
Kernel command line: root=/dev/ram0 console=ttyS0,115200n8 initrd=0xa00000,4000000 mem=32M
PID hash table entries: 256 (order: 8, 1024 bytes)
Console: colour dummy device 80×30
selected clock e4e1c0 quot 7
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 32MB = 32MB total
Memory: 26440KB available (1676K code, 309K data, 80K init)
Calibrating delay loop… 99.73 BogoMIPS (lpj=498688)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
checking if image is initramfs…it isn’t (no cpio magic); looks like an initrd
Freeing initrd memory: 3906K
NET: Registered protocol family 16
********************************************
* You selcet NUC950,Start Init NUC950EVB *
********************************************
SCSI subsystem initialized
usbcore: registered new driver usbfs
usbcore: registered new driver hub
NET: Registered protocol family 2
IP route cache hash table entries: 256 (order: -2, 1024 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
NetWinder Floating Point Emulator V0.97 (double precision)
io scheduler noop registered (default)
NUC900 uart driver has been initialized successfully!
nuc900-uart.0: nuc900_serial0 at MMIO 0xb8000000 (irq = 7) is a NUC900
nuc900-uart.1: nuc900_serial1 at MMIO 0xb8000100 (irq = 8) is a NUC900
nuc900-uart.2: nuc900_serial2 at MMIO 0xb8000200 (irq = 9) is a NUC900
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
loop: loaded (max 8 devices)
Card0 Detect !!!
NUC900 SD driver has been initialized successfully!
CFI: Found no nuc900nor device at location zero
probe failed
NUC900 USB host driver has been initialized successfully!
nuc900-ehci nuc900-ehci: Nuvoton nuc900 EHCI Host Controller
nuc900-ehci nuc900-ehci: new USB bus registered, assigned bus number 1
nuc900-ehci nuc900-ehci: irq 15, io mem 0xb0005000
nuc900-ehci nuc900-ehci: USB 2.0 started, EHCI 0.95, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
nuc900-ohci nuc900-ohci: Nuvoton nuc900 ohci Host Controller
nuc900-ohci nuc900-ohci: new USB bus registered, assigned bus number 2
nuc900-ohci nuc900-ohci: io mem 0xb0007000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
Initializing USB Mass Storage driver…
usb 1-2: new high speed USB device using nuc900-ehci and address 2
usb 1-2: configuration #1 chosen from 1 choice
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
ts: Compaq touchscreen protocol output
i2c /dev entries driver
nuc900-i2c-p0 nuc900-i2c-p0: bus frequency set to 100 KHz
nuc900-i2c-p0 nuc900-i2c-p0: i2c-0: nuc900 I2C port0 adapter
client [NAU882] registered with bus id 0-001a
NUC900 Audio driver has been initialized successfully!
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
RAMDISK: Compressed image found at block 0
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 80K
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
gnand: module license ‘Nuvoton’ taints kernel.
NAND: nand_init!!!!!
1. ===> write SMCSR
scsi0 : Nuvoton NUC900 GNAND DRIVER!
nand card init
1. ===> write SMCSR
Card0 Removed
card reset4. ===> write SMCSR
6. ===> write SMCSR
fmiCheckInvalidBlock pSM0->uLibStartBlock=2
Valid P2LN 577, block 1022

===> nand total sectors 253696 <size 129892352>
Vendor: NUVOTON Model: GNAND DRIVER Rev: 2.00
Type: Direct-Access ANSI SCSI revision: 00
SCSI device sda: 253696 512-byte hdwr sectors (130 MB)
sda: Write Protect is off
sda: Mode Sense: 03 00 00 00
sda: got wrong page
sda: assuming drive cache: write through
SCSI device sda: 253696 512-byte hdwr sectors (130 MB)
sda: Write Protect is off
sda: Mode Sense: 03 00 00 00
sda: got wrong page
sda: assuming drive cache: write through
sda: sda1 sda2 sda3 sda4 < sda5 >
sd 0:0:0:0: Attached scsi removable disk sda
EXT2-fs warning: mounting unchecked fs, running e2fsck is recommended
rtusb init rt3070AP —>
=== pAd = c2804000, size = 778504 ===

RTMPAllocTxRxRingMemory, Status=0
RTMPAllocAdapterBlock, Status=0
usbcore: registered new driver rt3070AP
(Efuse for 3062/3562/3572) Size=0x2d [2d0-2fc]
RTMP_TimerListAdd: add timer obj c2893b98!
RTMP_TimerListAdd: add timer obj c2861ed0!
RTMP_TimerListAdd: add timer obj c2861eb8!
RTMP_TimerListAdd: add timer obj c2861ea0!
RTMP_TimerListAdd: add timer obj c28081a8!
RTMP_TimerListAdd: add timer obj c2807dc4!
RTMP_TimerListAdd: add timer obj c280818c!
RTMP_TimerListAdd: add timer obj c2808414!
RTMP_TimerListAdd: add timer obj c2808394!
RTMP_TimerListAdd: add timer obj c280b240!
RTMP_TimerListAdd: add timer obj c280ae5c!
RTMP_TimerListAdd: add timer obj c280b224!
RTMP_TimerListAdd: add timer obj c280b4ac!
RTMP_TimerListAdd: add timer obj c280b42c!
RTMP_TimerListAdd: add timer obj c280e2d8!
RTMP_TimerListAdd: add timer obj c280def4!
RTMP_TimerListAdd: add timer obj c280e2bc!
RTMP_TimerListAdd: add timer obj c280e544!
RTMP_TimerListAdd: add timer obj c280e4c4!
RTMP_TimerListAdd: add timer obj c2811370!
RTMP_TimerListAdd: add timer obj c2810f8c!
RTMP_TimerListAdd: add timer obj c2811354!
RTMP_TimerListAdd: add timer obj c28115dc!
RTMP_TimerListAdd: add timer obj c281155c!
RTMP_TimerListAdd: add timer obj c2814408!
RTMP_TimerListAdd: add timer obj c2814024!
RTMP_TimerListAdd: add timer obj c28143ec!
RTMP_TimerListAdd: add timer obj c2814674!
RTMP_TimerListAdd: add timer obj c28145f4!
RTMP_TimerListAdd: add timer obj c28174a0!
RTMP_TimerListAdd: add timer obj c28170bc!
RTMP_TimerListAdd: add timer obj c2817484!
RTMP_TimerListAdd: add timer obj c281770c!
RTMP_TimerListAdd: add timer obj c281768c!
RTMP_TimerListAdd: add timer obj c281a538!
RTMP_TimerListAdd: add timer obj c281a154!
RTMP_TimerListAdd: add timer obj c281a51c!
RTMP_TimerListAdd: add timer obj c281a7a4!
RTMP_TimerListAdd: add timer obj c281a724!
RTMP_TimerListAdd: add timer obj c28380c0!
RTMP_TimerListAdd: add timer obj c2837cdc!
RTMP_TimerListAdd: add timer obj c28380a4!
RTMP_TimerListAdd: add timer obj c283832c!
RTMP_TimerListAdd: add timer obj c28380dc!
RTMP_TimerListAdd: add timer obj c28380f8!
RTMP_TimerListAdd: add timer obj c2838114!
RTMP_TimerListAdd: add timer obj c286a7e4!
RTMP_TimerListAdd: add timer obj c286a854!
RTMP_TimerListAdd: add timer obj c286a7fc!
RTMP_TimerListAdd: add timer obj c283864c!
RTMP_TimerListAdd: add timer obj c28056c8!
RTMP_TimerListAdd: add timer obj c2808760!
RTMP_TimerListAdd: add timer obj c280b7f8!
RTMP_TimerListAdd: add timer obj c280e890!
RTMP_TimerListAdd: add timer obj c2811928!
RTMP_TimerListAdd: add timer obj c28149c0!
RTMP_TimerListAdd: add timer obj c2817a58!
RTMP_TimerListAdd: add timer obj c2838378!
RTMP_TimerListAdd: add timer obj c28623d0!
–>RTUSBVenderReset
RTUSBVenderReset
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
1. Phy Mode = 9
2. Phy Mode = 9
NVM is Efuse and its size =2d[2d0-2fc]
(Efuse for 3062/3562/3572) Size=0x2d [2d0-2fc]
3. Phy Mode = 9
MCS Set = ff 00 00 00 01
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
SYNC – BBP R4 to 20MHz.l
RTMP_TimerListAdd: add timer obj c28620e8!
Main bssid = ac:a2:13:2b:a4:c4
== rt28xx_init, Status=0
0x1300 = 00064320
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
selected clock e4e1c0 quot 7
RTMP_TimerListAdd: add timer obj c28a97a0!
RTMP_TimerListAdd: add timer obj c28a9944!
/home/user/2011_0517_RT5370_RT5372_RT5390U_Linux_AP_V2.6.0.0_DPA_1/MODULE/os/linux/../../ap/ap_data.c:3731 assert pEntry->Aid == pRxWI->WirelessCliIDfailed
RTMP_TimerListAdd: add timer obj c28bd0ec!
Rcv Wcid(1) AddBAReq
Start Seq = 00000003
RTMP_TimerListAdd: add timer obj c28be500!
ra0 (WE) : Driver using old /proc/net/wireless support, please fix driver !

There are a bunch of shell scripts in there to do various things. When the machine boots up, it runs go.sh, which in turn runs loadapp.sh, and then runapp.sh. This loads a bunch of utXXX processes, which are all ELF binaries, unfortunately, and run the core functions of the treadmill. download.sh downloads the latest scheduled workout in your iFit account into /icon/bin/iFit/download/wpl2. It uses http downloads from iFit’s server, machines.iconfitness.com. The server host name is stored in the IFIT_SERVER environment variable, so it’s quite easy to redirect it to download from a different server. I envision writing a local http server to emulate some of the iFit server’s functionality. It’s easy to follow what the script does by just typing bash -x download.sh in the shell. The server uses SOAP for its API (templates contained in /icon/bin/iFit/network), and downloads are handled via a binary called soap_get.
It turns out that the workouts are consist of 2 files: layout.fit, and a file with .wpl extension, which is the actual workout data. the name of the .wpl file is the first field in layout.fit. Unfortunately, wpl is a proprietary binary format, so it will take some effort to figure it out, but once that is done, it will be possible to create your own custom workouts without using ifit.com! The built-in workouts are all stored in /icon/bin/iFit/builtin/builtin.xx where xx is a number.

To get the files off of the machine for easy examination, all you have to do is launch the built-in ftpd command to get an anonymous ftp server. Even though it’s already configured in inetd.conf, the server won’t start unless you launch it manually on the command line:

# tcpsvd -vE 192.168.1.111 21 ftpd /
tcpsvd: listening on 192.168.1.111:21, starting

Substitute your treadmill’s IP number where I have 192.168.1.111. I dumped out the whole /icon/bin directory for perusal. I used the Filezilla ftp client on MS Windows.

One final thing… download_firmware.sh checks for and downloads the latest firmware. The firmware updates are in the form of a .tgz file. You can take a look at the contents by looking at /icon/restore/app.tgz, which is a copy of the firmware that’s probably for recovering from a botched update..

That’s all for now. I’m surprised that iFit left the system so wide open. It’s possible that when they find out that people are hacking their systems that they will close the telnet backdoor, so if you want to play, it’s probably a good idea not to update your firmware.

If you play around with your iFit, please share your discoveries in the comments below.

 

Update 2016-04-04: Thanks to Stefano Livi’s uber hacking skillz, I’ve created a github repo: iFitWPL. Using information provided by Stefano, I wrote a C++ program to (mostly) decode WPL files. I have not yet had time to write code to create new WPL files, but there is a file where Stefano shows code in an obscure programming language to create a new WPL: Notes_on_wpl.txt. Please contribute to the github repo, and feel free to discuss any progress in the comments below.

Update 2017-01-10: My Proform treadmill’s motor crapped out. The treadmill never lived up to my expectations, and Costco is letting me return it, so I’m not going to be doing any more hacking on this. Believe it or not, Costco sent a truck to pick up the treadmill, even though I’d had it over a year. Now looking for a better quality treadmill to replace it!

91 thoughts on “Hacking a Proform 12.0TT Treadmill with iFit Live”

  1. Sam, Thanks for the post. Have you thought about letting COSTCO know of your displeasure and maybe future customers could be alerted to the inadequacy of the iFit product. Since you have a much better appreciation of the problem, the COSTCO home gym equipment buyers might be able to negotiate a better package next time. I suspect the buyers have little knowledge of this issue.

    1. That’s a good idea. I am still on the fence about returning the treadmill to Costco, too. But it’s so big & heavy that I’ll probably end up keeping it. The actual treadmill part of it is decent quality (although it has a slight defect in the welding of one of the supports that I’m not going to bother fixing, since dealing with Proform’s tech support is equally bad, from what I hear).

  2. Hey. I am glad I stumbled upon your post. I was doing a little digging and found out the root password to the iFit Live Module. Shoot me an email and maybe we can discuss how to get this bad boy to be useful.

    1. Hi Justin,
      My iFit Live Module doesn’t allow telnet so Im trying to figure out how to ssh as root. You mention you were able to figure out the root password? Would you mind explaining how you did this.

  3. Hey. I am am also the (not so) proud owner of a 12.0TT. In my case, I noticed that the velocity was not constant day-to-day, even though the console was showing that. After comparing three different measuring techniques (pace counter, band length, and rolling wheel) I establish that the console was showing between 5% and 25% higher speed than real (the other measurements showed +/-2% variation between them).
    Opening up the motor housing, I found out that the reed relay which should give the speed measurement was just not there! I complained with ProForm and have not heard from them yet, but seriously suspect that they even saved on the 10-15$ of the little device.

    Also, I was upset of the IFit problems reported above, and have hacked the proprietary wpl code. If anybody is interested, I will send description of what it contains, and how to read/write it. Just send me a PM.

    1. Wow, I suspected that the speed was off, but not by that much! How about the distance error? Is it directly correlated with speed error? I noticed that mine is missing the reed switch, as well. I suspect they’re estimating speed by the PWM signal they’re sending the motor. My idea was to hack in a BT 4.0 bike speed/distance sensor so that I could use a smartphone app to track my workouts… I tried to use the magnet on the roller that’s for the missing reed switch. Unfortunately, the diameter of the roller is so much smaller than what the bike sensor expects that it doesn’t work.

    2. Hi Stefano, I’m interested on understanding wpl files, can you help me with that?

      best regards

    3. I don’t have this product but a proform tour de france bike which is very similar in terms of using ifit and similar arm embeded linux. I would be very intesrested in any information regarding wpl files.

      1. Thanks to the excellent hacking abilities of Stefano Livi, I’ve created a C++ program which can decode most of the WPL files.
        It is on github: https://github.com/lincomatic/iFitWPL
        Take a look at his Notes_on_wpl.txt, which I’ve included for some more info and sample code.
        Please feel free to contribute to the repo if you enhance the code.
        I’m currently too busy to take it to the next level, which is to write the WPL files as well as decode them.

  4. What is worse, is that velocity varies, and it varies a lot. I noticed that my heart beat was changing very much while exercising, day-to-day, and started having thought. Then I went on travel, and saw that on professional treadmills my heart was much more constant. That raised a flag.
    The clock on the treadmill is quite accurate, but distance is calculated from the velocity, therefore has the same error.
    My plan forward is to get a reed relay from Radio Shack (4$) and mount it near the magnet of the roller. An Arduino to read the reed (tongue twisting) and at least I would know how fast and how long I would be running. Will post again if successful.

  5. Interesting…!

    I have an elliptical machine and a “pre 2015” ifit live module. You can see the files mentioned (or last workout anyway) if you plug it into a PC. It mounts as a disk. Interesting the wifi key is stored in plain text 🙂

    What has annoyed me is that there is no option to simulate incline of the iFit workout using the machines power ramp. It always uses resistance. I thought about (but not too much) trying to see if this interpretation is encoded into the wpl2 file.

    What makes me think it may be is that a colleague has a different machine/the 2015 wifi module. When he downloads from ifit he gets similar results to me. When he uses his ipad (yes his elliptical works) to download the workout – his machine controls the ramp and the ipad can be used to control resistance. Shame he’s leaving soon as I’d like to work that out!

    Anyway, I’ll probably never get round to looking at this, so wish you luck

  6. I recently purchased an iFit module (2015 edition; doesn’t mount as a USB disk) for a norictrack elliptical, and I’m trying to use the advice here to get into the system and maybe get my own workouts running. My module has working telnet, but the ftp daemon is already running and doesn’t show much to anonymous logins. Should I be quitting that service and relaunching a new one? I’m relatively new to this sort of thing so I’m being cautious (not willing to risk breaking things yet). I am also trying to extract the root password file from passwd, but have not been successful yet.

    1. Don’t worry, killing the ftp daemon is OK. It will just restart at the next boot.

      If you manage to extract the root password, pls let us know. Thanks.

  7. This is awesome. I have another iFit exercise machine (Nordictrack Audiostrider 990, an elliptical machine) and I’ve hoped someone would work out how to get access to this stuff. Ideally, I’d like to see a custom controller for the whole machine, so you could interface it with a computer and use it for immersive input and output. E.g., play Skyrim, and actually run your character around, with the speed controlled by your actual speed, elevation controlled by the terrain you’re crossing, and maybe resistance tied to how much your character is carrying. That sort of thing. My impression is that all the necessary hardware is present, but they’ve certainly not documented it well or made it easy to work with in this capacity.

    1. It would probably not be that difficult to hack it. I don’t like their controller, either. But my problemnis lack of time to work on it. Too many other projects

  8. Hi Stefano, i am interesting about wpl files workout and Google Street functionaltity without ifit-live account with my norditrack C200. Can you contact me via email ? Thanks in advance.

  9. I guys! Good work!
    I am working with “pre 2015” external iFit Live module. At “NETWORK” folder there are all the templates to connect with webservices, where is possible to download all the history and joined programs (if you have an active account at iFit.com).
    With this, now I have an extense workout libraries and all my history at local mysql bbdd.
    Next step: local mobile app to select programs and see the schedule!
    Keep you updated!

  10. I keep trying to telnet into my Proform 920NE on port 23 but it refuses the connection. Ive used Windows telnet and PuTTY. Any help would be appreciated

    1. Are you sure you’re trying to connect to the correct IP number? I wonder if yours runs a different firmware. Have you tried scanning it to see what ports are open?

  11. Thanks for the reply. I have the correct IP address. It’s connected via WiFi to my network. Running netstat doesn’t help. Other than trying to connect on every port one at a time I don’t know how to find the ports that the applications on the ifit console are listening to.
    Steve

  12. OMG! I bought a Nordicktrack T5.7 back in 2012 with the ifit Wifi – same issues – crappy service, bad stats etc. I figured they got their act together !! Guess not. It never dawned on me to just try telnet to it. I have ( I presume) the older wifi module.

    I know what I am doing tonight !!

    for port scanning – you can try nmap. I use it all the time to find open ports on systems ( when developers get a hold of a system – you never know what thye do !).

    https://nmap.org/

    Will followup !!

  13. I have a Healthrider (made by Icon) and have a subscription to iFit live which will last another few months. If it’s any use I can probably sort out packet captures etc.

      1. I connected the treadmill via my laptop and have a Wireshark capture of its traffic doing various things (rough timeline in the accompanying textfile).
        I appreciate it contains a hash used to authenticate to the server which is almost certainly personal to me; please don’t use it on the ifit servers without contacting me first!
        The file is here

        1. Cool stuff! Thanks for keeping us in the loop on your progress. Unfortunately, I still have too many things on my plate to work on this

  14. Great blog! before reading this I just ordered a Nordictack 2450, it’s still on the way to my home and I really hope the telnet backdoor is still accessible.

  15. If anybody knows the root password I would appreciate. My proform is the Pro 9000 and either it never had telnet or they plugged that hole. I can only ssh.
    Not only is iFit worthless, my treadmill actual forces me to watch advertisements for the service after every software update. I didn’t realize my $2000 treadmill would be ad supported.

    1. What an awful, greedy company! Your 9000 is a lot fancier than mine. I think it’s probably running Android, not the simple embedded Linux that drives the lower end models.

  16. Has anyone found a way to control the incline this way? I just stumbled upon runningsocial and was wondering how feasible it would be to have it trigger incline changes on the treadmill.

    1. I’ll be having a good dig in this direction shortly. I’m hoping to explore exactly what the process is doing to work out how it interfaces with the treadmill. I noticed a fair bit of I2C in dmesg – I wonder if it’s using that.

  17. SO glad I found this thread! I’ve got the 2012 version of the TdF bike, but much of this is useful info, since it’s a worthless piece of S*** atm.
    Ideally, I’ll get a wholly stand-alone hardware interface to the bike eventually.

  18. Stumbled onto this page after searching “iFit Strava API”, which I feel should exist, or as I’m now realizing, maybe a whole replacement to iFit firmware could just come to exist.

    I have a NordicTrac and I share many of the frustrations expressed here regarding iFit. It would be awesome if the starting-line issues are hacked away so that an open alternative could come to exist! Would gladly support as I have time. I’d love to build my own program to create custom interval workouts, etc.

    1. Sorry, I don’t have the root password, that’s why I was pleasantly surprised that I could be root via telnet with no password

  19. Hi friends, I can ping my iFit Live WiFi module but I cannot connect to it in any way (telnet, ssh, …): nmap reports that all the device’s ports are filtered :(. So, do you mind to share the firmware (/icon/restore/app.tgz) via gdrive or similar ? Thanks!!!

      1. Hi lincomatic, I would like to dig into the linux filesystem to have a look at the code. I think it could be usefull to find information concerning the web service OASP requests and the wpl format as an alternative way w.r.t. analizing the pcap recorded traffic. By the way, it is not clear to me the reason I cannot acces by telnet (my fw version should be EXIF2009 v106,003). BR

        1. I have a feeling that they closed to telnet loophole (maybe partly because of my blog 🙁 ). Maybe you can crack the root PW. I sent you an email

          1. In my case, I cannot connect to the wifi module at all (telnet and ssh ports are filtered), so it is not a matter of root password. It is not clear to me if my WiFi AP denies client-to-client communications od devices attached to it or if the telnet and ssh services have been removed form the firmware. I will investigate this point. BR

          2. Have you checked the motherboard for a serial port? Maybe that’s your best bet. Mine was built-in, not iFit module, so it’s different from yours. If you care to post photos of your PCB, maybe I can help look.

  20. Hi. I just connected to my new ifit Live module through telnet. I has fw EXIF2012 1.0.1. The module is apparently trying to download new firmware (red and flashing green leds). How can I avoid that, to maintain the telnet loophole? Thanks.

    1. You can prevent firmware downloads by renaming /icon/bin/download_firmware.sh to some other name like download_firmware.sh.sav. But there’s another copy
      in the /icon/restore/app.tgz file, which is used whenever it tries to do a factory reset. You have to also deal with the copy inside app.tgz.

  21. I have a NordicTrack treadmill and want to create some finely-tuned interval training workouts. I subscribed to iFit and although it allows me to create workouts, their graphical interface doesn’t provide the granularity that I’d like.

    I’m wondering if anybody on this thread has had any luck figuring out a way to create custom workouts that can be uploaded to the treadmill. I’m not linux savvy, but have enough tech savvy to follow a guided process. 🙂

    Thanks!

  22. I’ve got an ancient elliptical, no internet connectivity, but does support iFit audio. Probably proprietary, but have you come across any documentation of how that data is encoded? Main project is to web enable the machine, this is just a side research.

    Also – the machine has a rj11 jack on the back (plus a 3 pin connector under an access panel); some searching on the daughterboard behind that jack shows it is used in a variety of fitness machines, probably for diagnostics. Did yours have one and if it did, did you figure out what it was for?

    Here’s the main project thread if you are interested:
    https://groups.google.com/forum/#!topic/23b-shop/nJ70g4ks9D4

  23. Hi, I’ve a NordicTrack Elliptical and an expired iFit account, I’ve also got two plug-in modules. I was wondering if it were possible to ‘program’ the module with my own routines and found this site. I’m reasonably IT literate and can follow most of the information no this site but was wondering if anyone has actually set-up a way to program the module or create a local server and use your own routines.

  24. Has anyone ever sniffed the UART BRAIN rs232 connector on the back of the module socket? I am sniffing it now without an iFit module and all I get is “TYPETYPETYPE…” over and over again. I’ve tried sending it everything I can think of. I have a used module on the way, but was hoping I could figure out the direct serial commands.

    1. Did you ever get around to snooping on the serial protocol? I’d love to make a Homebrew ifit module that would plug into the card slot, but don’t really want to shell out for the iFit wifi module and subscription just to figure out what it’s sending. I have some ESP32s that would be perfect for this sort of thing if I just new how to talk to it. Maybe I could even get it talking to Zwift…

        1. The commenter I was replying to had asked about the UART BRAIN serial port on the module daughterboard, and said he had a used module on the way. Unfortunately he didn’t link a website so I can’t follow up. If you’ve got his contact info would you mind passing it along?

          1. Sorry Brad, I never figured it out even with the module, but it’s bothering me now and I may go try again. The main problem I’m having is I refuse to subscribe to iFit just to configure the wifi. If I could get around that, or if someone with a activated module could sniff serial data, either would help. I may try issuing the ascii values from the github directly into the terminal.

          2. Somehow it never occurred to me to open up the ifit module. *facepalm* There’s a SD card inside with all sorts of configuration files. I’ll report back if I find anything.

  25. Just a thought – has anyone considered starting over with a Raspberry Pi? As with most things I’m sure it would be more difficult than it sounds, but perhaps not as difficult as trying to make something of this iFit junk. Not sure how much time I’ll have to spend on it, but I think I’ll pursue this direction.

  26. I just picked up a Nordic track C900 that someone was giving away. It’s got a slot on the back for an iFit module, and I’d love to hijack that port to get control over the unit. If anyone has access to a module and the ability to grab a dump of the serial traffic between the module and the board – or is just done with the thing and would be willing to give me the module – please hit me up. You can find my info on my GitHub page, linked from my name above this post.

  27. I have a old nordictrack eliptical with iFit support – just audio. Old gesr – still works.

    I did create a psp program years ago that could control the eliptical. I also figured out the control sound format – for eliptical, treadmill and bicycle equipment. The patent on the sound control mechanism ran out in 2004 (see patent https://patents.justia.com/patent/5645509). The patent describes the audio pretty well.

    I’ll dig up my old notes (multiple computers ago) and see what I still have – may not be useful at all… or not. Should be possible to get working on some device that is kind of current today. The controls to the devices were easy audio bits – incline and resistance for example and they had to be in a well timed pattern. Easy to software create.

    I’m tempted to see if i can get it talking again to something… a simple set of text directions driving it would be nice – wait till time #:## and then incline to x and resistsnce to y. Simple – but all that is needed.

    Dave

  28. has anyone worked out the ssh root password? I used to be able to telnet, but no more. I wanted to have another go at seeing what coudl be done internally but can’t do that anymore. If I do a factory reset, would it perhaps go back to having the telnet, or does that not reset firmware?

    1. That’s too bad that they closed the telnet loophole. I doubt that doing a factory reset would revert the firmware, but I guess it doesn’t hurt to try

    2. On my proform treadmill, you can break out to desktop mode during bootup by drawing figure 8 or pressing the back button. When prompted, force close application. click on the 4×4 grid icon. Click on dev tools, scroll down and open Terminal Emulator. Plug in usb keyboard. At $ prompt, type this command. /system/bin/busybox su – root. You will now have root access.

  29. I’m still trying to get a hold of an iFit module for my old treadmill. I want to reverse engineer the card slot so that folks could control iFit hardware without an iFit subscription (think Arduino, IoT, etc.). If anyone has one, hit me up!

  30. I found a site by chance that gave two passwords…
    icon2011
    winbond
    The site was http://en.hackdig.com/04/41696.htm

    They worked on a new exercise machine, I have no intention of updating with thier firmware or paying for a membership of iFit.

    Let me know if these work for you.
    @lincomatic:Cheers for the info above.

  31. Hi,
    I have an old EXIF09 Module which is no longer supported because Adobe Air is no longer supported. Has anyone found a way to bring one back to life by putting correctly formatted files directly onto the device (to update the wifi details as an example).

    Many thanks.

    1. I have a NordicTrack A.C.T. treadmill with an EXIF12 module which I had purchased for it. The guidance on this page for getting into the system is the same (telnet & ftp). I’m in the process of reverse engineering the WPL binary — it uses the same record format as what’s described on the github but different record types/content. Which makes sense, because speed/miles/incline have no meaning on an elliptical; instead it is resistance and target pace. It appears (I am not positive on this yet) that workout segments are delimited by stride counts and not distance or time, but there are some extra bytes / scaling going on that I haven’t figured out yet. Just sharing in case there’s interest. This blog post is pretty old but my elliptical is not that old (few years) so maybe this stuff is still relevant.

    2. I have the same issue. If you change the date on your PC to earlier than Oct 2017 then its possible to get Air to install and run, however I’m now stuck at the “udpating firmware” stage

      1. @Ncoop: You Sir, are a legend! Thanks to your advice to turn the date back, I’ve been able to revive my EXIF09. Cheers, I owe you a beer! I was about to give up and buy a used EXIF12 off eBay.
        The Firmware update worked OK for me, it just took a few minutes to download. I can send you the Firmware binaries it stored in the .iFitLive folder on my PC if it helps?

          1. Hmm,
            Not sure that download address I added is legit, the download size doesn’t match the file size that I uploaded. Give me a drop box / cloud address and I’ll drop the binaries in there,

        1. Chris,

          Any chance you still have the firmware files for you EXIF09? Mine stopped being recognized and I had to reformat. Any help would be appreciated.

          Thanks

    3. I stumbled across your post. I need to connect my EXIF2009 v106,002 to wifi and have not be able to of find a way to. Can you help?

  32. Chris,

    Any insight on the files generated to connect to a wifi network. I purchased an EXIF09 to get my treadmill onto wifi but do not have an ifit account. Was hoping to get it connected to my network without getting an account so i could leave it at the old firmware for the time being and see what i can figure out.

    Thanks!

  33. My Proform treadmill is sitting in an IoT-only VLAN thank goodness because I believe the FTP server it talks to for updates was hacked and they uploaded new firmware and used the treadmill as a command and control server for Ransomware bot nets. What a piece of junk. Block it. Don’t let it on your network.

  34. If any of you have a EXIF2009 that you’re willing to pry open that would help me out greatly.

    If you’ve successfully joined it to your wifi router, I’d like to read the config files. Te shell snaps off from around the middle and there’s a plain ol’ SD card in there. There’s a bunch of config files I’d like to compare with mine.

    1. derp..never mind. I was using a charge only cable. It’s been so long since i messed with this thing I forgot it was a flash reader. Files would still help though.

    2. How were you able to get it to connect to wifi? I can not get mine to connect nor can I find it on my wifi. Please help..

  35. I’m still looking for a used one that I can hook up to a logic analyzer and hopefully document the serial protocol between the treadmill and the module. If anyone has one, hit me up!

  36. I have a X 9i, incline treadmill, I am NOT Software savvy, what options do I have to break into the treamill without having to sign up with iFit.

  37. The “obscure programming language” is IDL (Interactive Data Language) used for data analysis and visualization, mostly used in scientific fields such as astronomy, physics and medical imaging, among others.

    Currently hacking up a treadmill for microcomputer control for a second time and looking around to see what others have done in the intervening decade since I last did this.

  38. Hi, did anyone manage to get a copy of the firmware for an EXIF09? I have changed my router and so I need to configure, but even digging an old XP laptop out, back dating the clock, installing Adobe Air and the software, the iFit setup software won’t get past the login stage – either with an old free account or a new premium trial account. I’m guessing maybe they’ve turned off their server for this old version, in which case there’s probably no advantage to connecting it anyway…

  39. Have the TDF bike, white body and 3″ screen. Interested in zwift. Willing to help and I’m pretty computer savvy.

  40. Hi All, so I’m able to telnet into the treadmill, may you please help me to either control the treadmill via the telnet screen or customize a workout and download it in the treadmill ?

  41. We have a Proform treadmill with a iFit Wireless Module slot in it (we never purchased the iFit module though). Has anyone done any work on reverse engineering the pinouts of the slot? I wonder if that would be an easier route to controlling the treadmill rather than trying to hack the module itself?

  42. I’m trying to update my internet provider to EXIF09. I tried backdating the clock, etc. but it tells me the clock is incorrect. I have a current subscription to iFit…but thinking it’s not going to do me any good if I can’t get the wifi updated. Any suggestions?

    1. Sorry, I don’t have my Proform anymore.. the motor died after almost exactly 1yr, and Costco gave me a refund. I think your best bet is to call their tech support

  43. My fit console is not booting up, making me force close the process and now I get a blank screen not responding. Anyone have suggestions, please send me a message

Leave a Reply