HowTo: Downgrade Scosche Rhythm+ Firmware

REVISED 20180116

In my previous article, HowTo: Upgrade Scosche Rhythm+ Firmware, I showed how to update Scosche Rhythm+ firmware via their Fitness Utility iOS app. Some people have had issues with the 3.01 firmware installed by the latest V2 Fitness Utility, notably incompatibility with certain apps, and/or flaky readings.

I contacted Scosche via live chat, and they told me that there was no way to downgrade from 3.01, except for sending the unit back to them. The V2 Fitness Utility no longer has a Firmware Update button, so there’s no way to use it to install any firmware other than v3.01. Instead of sending mine back to them, I decided to try to get a hold of an older version of Fitness Utility, in order to downgrade the firmware. It turned out to be a very laborious and time consuming procedure. I was hoping that I could share the IPA file of Fitness Utility 1.4.1 so everyone else could save a lot of time, but as reader Hap noted in the comments below, IPA files are tied to specific Apple IDs.

If you want to downgrade your firmware yourself, rather than send it back to Scosche, follow the rather lengthy and complicated procedure below.

To obtain the older version of Fitness Utility, I loosely followed the procedure from How to legally download any previous version of an App Store app through iTunes, but it was somewhat outdated, so I will summarize my own procedure below. I am not going to explain the nuts and bolts of what each step does, since that’s covered in the linked article.

Current versions of iTunes no longer support app installs, so you need to downgrade to an older version. The linked article states that there’s yet another hurdle, in that as of iTunes 12.5, Apple is using certificate pinning, which nullifies the ability of Fiddler to snoop HTTPS traffic. I tried an older version of iTunes, but it was no longer able to communicate with the App Store (Apple just LOVES to put up hurdle after hurdle for us!). After much searching, I discovered that in December 2017, Apple quietly released iTunes 12.6.3 for enterprise users who still need the ability to do app installs. Because it uses certificate pinning, I had to devise a procedure to get around that.

Note for Mac users: You can probably follow the same basic procedure using Charles Proxy, but I don’t have the ability to walk you through that.

WARNING: THE PROCEDURE BELOW IS PROVIDED AS A RESULT OF MY OWN FINDINGS. THERE IS ABSOLUTELY NO WARRANTY, AND THERE IS A SMALL POSSIBILITY THAT YOUR DEVICE CAN BECOME BRICKED DURING A FIRMWARE UPDATE. MAKE SURE THAT YOUR DEVICE IS FULLY CHARGED BEFORE STARTING. IN FOLLOWING THE INSTRUCTIONS BELOW, YOU AGREE TO RELEASE ME FROM ALL LIABILITY, AND PROCEED AT YOUR OWN RISK.

How to download Fitness Utility 1.4.1 and use it to downgrade your Rhythm+ to firmware 2.62:

    1. Find your current iTunes folder, and rename it to iTunes.sav, or just move it to a new location. On Windows 10, it’s located at C:\Users\<yourusername>\Music\iTunes. (Don’t worry, after you’re done, you can reinstall the latest iTunes, and restore your old iTunes folder).
    2. Download and install iTunes 12.6.3
    3. Download and install Fiddler. DO NOT START FIDDLER YET
    4. Launch iTunes 12.6.3 and download any random app. iTunes will prompt you to log in with your Apple ID. This is the loophole we use to get around the certificate pinning. It turns out that iTunes 12.6.3 only checks the certificate during the login process, and doesn’t detect when we later swap in Fiddler‘s fake root certificate so that it can snoop HTTPS traffic.
    5. Before proceeding, it’s best to kill any programs on your computer that access the web, because they will pollute your Fiddler capture. If you have your web browser open in order to read this article, kill all of your other tabs that might be accessing the web in the background.
    6. Launch Fiddler.
    7. In Fiddler, go to the File menu and uncheck File->Capture Traffic
    8. From the Fiddler menu, go to Tools->Options->HTTPS. Check the Capture HTTPS CONNECTs and Decrypt HTTPS traffic checkboxes. A dialog box will pop up asking if you want to Trust the Fiddler Root certificate. Select Yes to it, and all of the ensuing dialog boxes. Don’t worry, after we’re done, we will remove the fake certificate, and restore your original.
    9. In Fiddler, go to the menu to check Rules->Automatic Breakpoints ->Before Requests
    10. Launch iTunes and search for Fitness Utility in the App Store
    11. In Fiddler, go to the File menu and check File->Capture Traffic
    12. In iTunes, click the button to download Fitness Utility
    13. A few requests with red icons on the left will appear in the Fiddler capture pane. Select
      HTTP Tunnel to upp.itunes.apple.com:443  and click the green Run to Completion button in the right pane. Next, select
      HTTP Tunnel to p14-buy.itunes.apple.com:443 in the left pane, and click the green Run to Completion button in the right pane
    14. A new request should appear in the Fiddler capture pane: HTTPS p14-buy.itunes.apple.com /WebObjects/MZBuy.woa/wa/buyProduct  Select it in the capture pane, and then in the right pane, click the TextView tab, look for

      <plist version=”1.0″>
      <dict>
      <key>appExtVrsId</key>
      <string>821322483</string>

      and replace 821322483 with 813634417.

    15. In Fiddler, go to the menu to check Rules->Automatic Breakpoints ->Disable
    16. Make sure the HTTPS p14-buy.itunes.apple.com /WebObjects/MZBuy.woa/wa/buyProduct request is selected in the Fiddler capture pane, and click the green Run to Completion button.
    17. After iTunes shows that Fitness Utility is downloaded, verify that you have the Fitness Utility 1.4.1.ipa file in C:\Users\<yourusername>\Music\iTunes\iTunes Media\Mobile Applications
    18. Connect your iOS device to your computer, and use iTunes 12.6.3 to install the Fitness Utility 1.4.1 to your iOS device, or use iFunBox instead as described below in Update 20170112
    19. Launch Fitness Utility 1.4.1 on your iOS device and turn on your Rhythm+. WARNING: MAKE SURE YOUR RHYTHM+ IS FULLY CHARGED BEFORE UPGRADING THE FIRMWARE. IF IT DIES DURING A FIRMWARE UPGRADE, IT MAY BE RENDERED UNUSABLE.
    20. Tap the Commands button at the top right of the screen, and then tap the Start button next to Firmware Update.
    21. After the update is completed, power cycle your Rhythm+
    22. You can check that the firmware version is now 2.62 by tapping the Attributes button at the top left of Fitness Utility.
    23. VERY IMPORTANT: Once you verify proper operation of Fitness Utility, on your computer, have Fiddler restore your original root certificate with Tools->Options->HTTPS->Actions->Reset All Certificates.
    24. Copy your Fitness Utility 1.4.1.ipa file somewhere so that you can reuse it in the future if you wish.
    25. Delete the new iTunes folder, restore your old iTunes folder by renaming iTunes.sav to iTunes, uninstall iTunes 12.6.3, and reinstall your original version of iTunes.

Now that you have your own copy of Fitness Utility 1.4.1.ipa, you are free to try any future firmware upgrades from Scosche, because it’s easy to go back to a working version if you don’t like the new one. If you use iFunBox, you don’t even have to mess with swapping out iTunes versions.

If you prefer to downgrade to firmware v2.4, you can use Fitness Utility 1.4.1 and follow the procedure below:

*** WARNING: DOWNGRADING TO FIRMWARE V2.4 DISABLES THE ABILITY TO UPDATE FIRMWARE VIA FITNESS UTILITY. IF YOU LATER CHANGE YOUR MIND, AND WANT TO INSTALL A DIFFERENT VERSION, YOU WILL HAVE TO SEND THE UNIT BACK TO SCOSCHE. ***

  1. download firmware 2.4 and unzip it.
  2. send the unzipped HEX file to an e-mail address accessible from your iOS device
  3. open the e-mail you sent on your iOS device, tap the attachment, and then scroll through the on screen icons until you find Copy to Fitness Utility, and tap the icon.
  4. Turn on your Rhythm+ and follow steps 19-22 above.

The above method actually works with any version of firmware HEX file that you are able to obtain.


Update 20180112: I tried installing Fitness Utility 1.4.1.ipa with iFunBox instead of iTunes, and it also works. Launch iFunBox with your phone connected to your computer, and install the app by clicking the Install App(*.ipa) from the main screen. Firmware 2.4: scosche-rhythmplus-2_4.zip

 

Downloads:
iTunes 12.6.3 (allows App installs): https://support.apple.com/en-us/HT208079

 

Previous article: HowTo: Upgrade Scosche Rhythm+ Firmware

There are 32 Comments to "HowTo: Downgrade Scosche Rhythm+ Firmware"

  • Stephen ONeal says:

    I did what you said above, but when I open the app on my phone it asks for my apple ID and password. I enter it and then nothing happens. I am using an iphoneX. Any thoughts?

    • lincomatic says:

      You open Fitness Utility, and it asks for your Apple ID? Weird. Have you ever installed Fitness Utility before? If not, maybe you need to first authorize the app by downloading the latest version from the App Store. Just install the latest version, start it once, delete it, and then install my older version

      • Stephen ONeal says:

        It is weird..I had the newest version and deleted it prior. I will do it again….I had to use configurator 2 to install the app since my version of iTunes no longer allows app installs.

        • Stephen ONeal says:

          Just tried doing it again…same thing happened. When I type in my Apple ID and password in the app it gives me a black screen and then goes back to my home screen. If I install the current version from the app store it works like normal. Never had an app ask for my password like this before.

          • lincomatic says:

            I think your problem is that Configurator 2 isn’t install the application properly. I was thinking maybe the problem was with iOS 11, so I installed on my iPhone 6 that has iOS 11, and it still works fine. I’ve updated the procedure above with more details.. please try the new procedure and report back

      • Stephen ONeal says:

        I tired doing it the ifunbox way and it was exactly the same. The app opens with a black screen and asks for an Apple ID and password. Have you tried this procedure on anyone else’s phone that is on a different itunes account? Would be awesome if this would work because Scosche is less than helpful.

        • lincomatic says:

          Please see my response to Hap’s comment above. I will have to update the procedure to explain how to download your own copy of the old version of Fitness Utility.

  • Hap says:

    Thanks for posting this and investigating the issue. Unfortunately your method won’t work for anyone else. Apple IPAs are tied to a specific Apple ID and they cannot be redistributed. You can double click the application in iTunes to try and authorize it but it will bring up your Yahoo address because that’s presumably the one you used to download the IPA.

    How did you manage to obtain a copy of the old Fitness Utility? Maybe if it’s not tied specifically to your account or computer it’s something other users can try. Was it from the backed up Mobile Applications folder in your iTunes folder? I checked mine and unfortunately I don’t have that. I’m also trying some other method I found to download older versions of applications using a MITM and Fiddler but the instructions are a few years old and I don’t know if it will still work.

    • lincomatic says:

      Thank you for bringing this to my attention. Oh well, I was trying to avoid having everyone go through the rather laborious and time consuming process of downloading their own copy of Fitness Utility. I had to us a modified version of the procedure documented in How to legally download any previous version of an App Store app through iTunes, using iTunes 12.6.3 to do it. I will try to reconstruct the procedure and document it when I have time in a few days.

      • Stephen O'Neal says:

        Thanks for trying. Not sure why the firmware upgrade to 3.0.1 has been so bad. I have two Rhythm+ units both worked great before the update. Shame it has been 6 months and they seem reluctant to do anything about it.

      • Hap says:

        Thanks for posting this! I was struggling to get it working because of the certificate pinning issue. I tried to download an older version of iTunes but that led to all sorts of issues.

        FWIW Scoche said they will update the firmware in the coming months to address the issue in the comment’s section of DC rainmaker’s post about the new HRM monitor.

        Still I don’t think it’s OK for them to leave it broken for 6+ months without saying a word or allowing users to downgrade. I actually bought another unit to test and it came with a newer 3.10 firmware (not a typo) and it didn’t work either. The high readings appeared to be resolved but it just kept locking onto my cadence instead of heart rate when I started jogging. Hopefully the new firmware they’re planning to release isn’t 3.10.

        • lincomatic says:

          That’s great news that Scosche isn’t abandoning the Rhythm+ and is still working on firmware updates. I am kicking myself now, because in the process of testing out different scenarios for writing this blog entry, I forgot that loading firmware 2.4 disables the ability to do OTA BT firmware updates, so my unit is now stuck at firmware 2.4 unless I send it back to Scosche! So then entire article above doesn’t even apply to me anymore, despite all my hard work to document it for everyone else!

          • lincomatic says:

            Incidentally, I didn’t want to disclose it in the article above, but since IPA files are just ZIP files, if you open up the Fitness Utility IPAs as ZIP files, you will find inside them the firmwares in HEX format. What’s really crazy is that Fitness Utility V2 actually contains a copy of firmware 2.62 inside (R19_V262.hex) that I don’t know how to access via the UI! Also, inside are two other HEX files, 09142016_3_0_RhythmP.hex and 12072016_3_0a_RhythmP.hex. I am not sure what the difference is between them, but they should both be installable with the email to Fitness Utility 1.4.1 method.

          • Hap says:

            Sorry to hear about your downgrade. If it’s any consolation I followed your instructions and was able to downgrade successfully! You’ve saved at least one unit from being unusable.

            I’ve already deleted the app from my iPhone after saving a copy of the ipa just in case. I don’t plan on ever upgrading even after they release a fixed version. Based on what I’ve read on Amazon other firmware upgrades in the past have broken ANT functionality. It’s too risky to potentially break the unit without knowing what improvements the firmware brings.

            I’m usually on the side of keeping all my devices updated so this is new for me.

          • lincomatic says:

            Awesome that I got the write up right this time w/o making any errors! so many steps, I wasn’t sure if I left something out. Congrats

  • Jef says:

    Thank you so much for this. I am experiencing weird readings on my Rhythm+, which I suspect trace back to the upgrade to firmware 3.01.
    I would love to follow your procedure, unfortunately the link to download Fitness Utility v 1.4.1 on your site doesn’t work at all (tested on Chrome and Firefox). The links to get iTunes 12.6.3 via Apple work well.
    Any chance you could fix this ?
    Huge thanks in advance.

  • Jef says:

    Oops, sorry … forget my comment. I hadn’t seen the edit at the top of your post.
    Cheers. Jef

  • lincomatic says:

    OK, the revised procedure is now posted above, including how to download your own copy of Fitness Utility 1.4.1. It was a royal pain in the ass, and even more of a royal pain in the ass to document. Have fun!

    • Paul says:

      Thank you so much for providing revised procedure! Successfully downgraded to 2.62

    • peter says:

      it took me some time to get the 1.4.1 from itunes on the phone. For some reason it didn’t work. I uninstalled both fiddler and itunes and started all over and then it worked!

      the firmware installation of 2.62 went amazingly quick (few seconds). I really hope this gets rid of all the weird values I was getting.

      Question: I assume it does no harm in leaving the 12.6.3 iTunes version installed? My version before was older so this is newer, which seems no problem, right?

      Thanks again for the great post!

      • peter says:

        One extra question, I see there is a new version of Fitness Utility (3.0) where they explicitely say the 3.01 firmware has been removed from the app…
        Did anyone try this version of the app already and to which firmware it upgrades? 3.0 or 2.62? If it would do 2.62, then that would be the easiest way to downgrade.
        After all the effort to get it back on 2.62 again, I’m not really in the mood to try myself 🙂

        • Stephen ONeal says:

          The description on the new app update says they took the firmware updating ability away in the newest version. While a bit long. The process described here worked like a charm. Can’t wait to give it a try tomorrow morning at OrangeTheory.

          • peter says:

            I was a bit dissappointed today. The HR readings were on 2.62 even worse than last time on 3.01.
            My target was around 135 and on a steady pace it kept jumping from the 120’s to the 140’s or 150’s.
            I wore the unit as usual on my upper arm (between elbow and shoulder) facing inside and really tight (as usual).
            Next time I’ll connect via BT Smart again (I was still using the Wahoo workaround for iSmoothRun as I mentioned in the “upgrade” post). Maybe that helps…

        • lincomatic says:

          They took the updating feature out temporarily. BTW, it’s easy to downgrade next time, as long as you keep the IPA. You can just restore the 1.4.1 IPA with iFunBox and skip swapping out the iTunes. But to answer your other question, you can stick with iTunes 12.6.3 if you wish. I had a newer version, so my current iTunes backups were incompatible

          • peter says:

            Thanks for the answer.
            About iFunBox, I don’t seem to get this working. If I open it, it is just a blank screen. If I’m lucky I can click the gear-icon to change language but that’s it. Nothing shows there.
            I remember I tried that tool before.
            I’m on Windows 10.
            Any ideas?

          • lincomatic says:

            I’m running Win10 as well, and it works fine. Try uninstall-reinstall? If not, there are currently 3 different versions in the downloads, try a different version.

          • peter says:

            hello, thanks for the tip.
            I tried all versions.
            The classic version crashed on starting (both 32 and 64bit)
            The 4.0 version was the one I tried before.
            3.0 seemed to work! I could push an IPA to the phone.
            Thanks

  • Stephen ONeal says:

    It worked! Both of my Rhythm+ have been downgraded…one thing that is odd…the one that they sent me as a replacement and had the number that shows up in the bluetooth settings stamped on it…similar to what the ones that OTF sells….now the number that shows up in BT settings is different…not a big deal, just thought it was interesting. But both have been rolled back to 2.62…

    On a different note did any one notice that Scosche updated the app last night and removed the ability to update the firmware…finally admitting something was wrong. Took long enough. Thanks for the help.

    • Stephen ONeal says:

      Used the Rhythm+ with the 2.62 this morning at Orange Theory.

      The Good: It tracked my heart rate great. Used FITIV on my apple watch paired with the Rhythm+ did a great job.

      The Bad: The number that showed in my BT settings when the Rhythm+ is paired changed on this unit with the firmware downgrade. It used to match a number stamped on the underside of the Rhythm+ Orangetheory uses this number for the Rhythm+ to connect to their system. We tired using the stamped number and the number that was showing up in my BT settings and neither seemed to work. I think it should work with the number in the settings, so I am going to get to the gym earlier on Monday and see.

      • lincomatic says:

        Hmm, I’m not sure which number you’re talking about. There’s a field to change the device name in Fitness Utility on the first page, so you can change the number that displays there. What’s the format of this number you need?

  • Stephen ONeal says:

    Not an expert on Ant+ and bluetooth, but I know the device broadcasts a number that Orangetheory uses to identify a user to sync with their system. The number that my unit broadcasts changed when I downgraded. I will do a little research and see what exactly I need.

Write a Comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>