HowTo: Downgrade Scosche Rhythm+ Firmware

REVISED 20180116

In my previous article, HowTo: Upgrade Scosche Rhythm+ Firmware, I showed how to update Scosche Rhythm+ firmware via their Fitness Utility iOS app. Some people have had issues with the 3.01 firmware installed by the latest V2 Fitness Utility, notably incompatibility with certain apps, and/or flaky readings.

I contacted Scosche via live chat, and they told me that there was no way to downgrade from 3.01, except for sending the unit back to them. The V2 Fitness Utility no longer has a Firmware Update button, so there’s no way to use it to install any firmware other than v3.01. Instead of sending mine back to them, I decided to try to get a hold of an older version of Fitness Utility, in order to downgrade the firmware. It turned out to be a very laborious and time consuming procedure. I was hoping that I could share the IPA file of Fitness Utility 1.4.1 so everyone else could save a lot of time, but as reader Hap noted in the comments below, IPA files are tied to specific Apple IDs.

If you want to downgrade your firmware yourself, rather than send it back to Scosche, follow the rather lengthy and complicated procedure below.

To obtain the older version of Fitness Utility, I loosely followed the procedure from How to legally download any previous version of an App Store app through iTunes, but it was somewhat outdated, so I will summarize my own procedure below. I am not going to explain the nuts and bolts of what each step does, since that’s covered in the linked article.

Current versions of iTunes no longer support app installs, so you need to downgrade to an older version. The linked article states that there’s yet another hurdle, in that as of iTunes 12.5, Apple is using certificate pinning, which nullifies the ability of Fiddler to snoop HTTPS traffic. I tried an older version of iTunes, but it was no longer able to communicate with the App Store (Apple just LOVES to put up hurdle after hurdle for us!). After much searching, I discovered that in December 2017, Apple quietly released iTunes 12.6.3 for enterprise users who still need the ability to do app installs. Because it uses certificate pinning, I had to devise a procedure to get around that.

Note for Mac users: You can probably follow the same basic procedure using Charles Proxy, but I don’t have the ability to walk you through that.

WARNING: THE PROCEDURE BELOW IS PROVIDED AS A RESULT OF MY OWN FINDINGS. THERE IS ABSOLUTELY NO WARRANTY, AND THERE IS A SMALL POSSIBILITY THAT YOUR DEVICE CAN BECOME BRICKED DURING A FIRMWARE UPDATE. MAKE SURE THAT YOUR DEVICE IS FULLY CHARGED BEFORE STARTING. IN FOLLOWING THE INSTRUCTIONS BELOW, YOU AGREE TO RELEASE ME FROM ALL LIABILITY, AND PROCEED AT YOUR OWN RISK.

How to download Fitness Utility 1.4.1 and use it to downgrade your Rhythm+ to firmware 2.62:

    1. Find your current iTunes folder, and rename it to iTunes.sav, or just move it to a new location. On Windows 10, it’s located at C:\Users\<yourusername>\Music\iTunes. (Don’t worry, after you’re done, you can reinstall the latest iTunes, and restore your old iTunes folder).
    2. Download and install iTunes 12.6.3
    3. Download and install Fiddler. DO NOT START FIDDLER YET
    4. Launch iTunes 12.6.3 and download any random app. iTunes will prompt you to log in with your Apple ID. This is the loophole we use to get around the certificate pinning. It turns out that iTunes 12.6.3 only checks the certificate during the login process, and doesn’t detect when we later swap in Fiddler‘s fake root certificate so that it can snoop HTTPS traffic.
    5. Before proceeding, it’s best to kill any programs on your computer that access the web, because they will pollute your Fiddler capture. If you have your web browser open in order to read this article, kill all of your other tabs that might be accessing the web in the background.
    6. Launch Fiddler.
    7. In Fiddler, go to the File menu and uncheck File->Capture Traffic
    8. From the Fiddler menu, go to Tools->Options->HTTPS. Check the Capture HTTPS CONNECTs and Decrypt HTTPS traffic checkboxes. A dialog box will pop up asking if you want to Trust the Fiddler Root certificate. Select Yes to it, and all of the ensuing dialog boxes. Don’t worry, after we’re done, we will remove the fake certificate, and restore your original.
    9. In Fiddler, go to the menu to check Rules->Automatic Breakpoints ->Before Requests
    10. Launch iTunes and search for Fitness Utility in the App Store
    11. In Fiddler, go to the File menu and check File->Capture Traffic
    12. In iTunes, click the button to download Fitness Utility
    13. A few requests with red icons on the left will appear in the Fiddler capture pane. Select
      HTTP Tunnel to upp.itunes.apple.com:443  and click the green Run to Completion button in the right pane. Next, select
      HTTP Tunnel to p14-buy.itunes.apple.com:443 in the left pane, and click the green Run to Completion button in the right pane
    14. A new request should appear in the Fiddler capture pane: HTTPS p14-buy.itunes.apple.com /WebObjects/MZBuy.woa/wa/buyProduct  Select it in the capture pane, and then in the right pane, click the TextView tab, look for

      <plist version=”1.0″>
      <dict>
      <key>appExtVrsId</key>
      <string>821322483</string>

      and replace 821322483 with 813634417.

    15. In Fiddler, go to the menu to check Rules->Automatic Breakpoints ->Disable
    16. Make sure the HTTPS p14-buy.itunes.apple.com /WebObjects/MZBuy.woa/wa/buyProduct request is selected in the Fiddler capture pane, and click the green Run to Completion button.
    17. After iTunes shows that Fitness Utility is downloaded, verify that you have the Fitness Utility 1.4.1.ipa file in C:\Users\<yourusername>\Music\iTunes\iTunes Media\Mobile Applications
    18. Connect your iOS device to your computer, and use iTunes 12.6.3 to install the Fitness Utility 1.4.1 to your iOS device, or use iFunBox instead as described below in Update 20170112
    19. Launch Fitness Utility 1.4.1 on your iOS device and turn on your Rhythm+. WARNING: MAKE SURE YOUR RHYTHM+ IS FULLY CHARGED BEFORE UPGRADING THE FIRMWARE. IF IT DIES DURING A FIRMWARE UPGRADE, IT MAY BE RENDERED UNUSABLE.
    20. Tap the Commands button at the top right of the screen, and then tap the Start button next to Firmware Update.
    21. After the update is completed, power cycle your Rhythm+
    22. You can check that the firmware version is now 2.62 by tapping the Attributes button at the top left of Fitness Utility.
    23. VERY IMPORTANT: Once you verify proper operation of Fitness Utility, on your computer, have Fiddler restore your original root certificate with Tools->Options->HTTPS->Actions->Reset All Certificates.
    24. Copy your Fitness Utility 1.4.1.ipa file somewhere so that you can reuse it in the future if you wish.
    25. Delete the new iTunes folder, restore your old iTunes folder by renaming iTunes.sav to iTunes, uninstall iTunes 12.6.3, and reinstall your original version of iTunes.

Now that you have your own copy of Fitness Utility 1.4.1.ipa, you are free to try any future firmware upgrades from Scosche, because it’s easy to go back to a working version if you don’t like the new one. If you use iFunBox, you don’t even have to mess with swapping out iTunes versions.

If you prefer to downgrade to firmware v2.4, you can use Fitness Utility 1.4.1 and follow the procedure below:

*** WARNING: DOWNGRADING TO FIRMWARE V2.4 DISABLES THE ABILITY TO UPDATE FIRMWARE VIA FITNESS UTILITY. IF YOU LATER CHANGE YOUR MIND, AND WANT TO INSTALL A DIFFERENT VERSION, YOU WILL HAVE TO SEND THE UNIT BACK TO SCOSCHE. ***

  1. download firmware 2.4 and unzip it.
  2. send the unzipped HEX file to an e-mail address accessible from your iOS device
  3. open the e-mail you sent on your iOS device, tap the attachment, and then scroll through the on screen icons until you find Copy to Fitness Utility, and tap the icon.
  4. Turn on your Rhythm+ and follow steps 19-22 above.

The above method actually works with any version of firmware HEX file that you are able to obtain.


Update 20180112: I tried installing Fitness Utility 1.4.1.ipa with iFunBox instead of iTunes, and it also works. Launch iFunBox with your phone connected to your computer, and install the app by clicking the Install App(*.ipa) from the main screen. Firmware 2.4: scosche-rhythmplus-2_4.zip

 

Downloads:
iTunes 12.6.3 (allows App installs): https://support.apple.com/en-us/HT208079

 

Previous article: HowTo: Upgrade Scosche Rhythm+ Firmware

There are 54 Comments to "HowTo: Downgrade Scosche Rhythm+ Firmware"

  • Stephen ONeal says:

    I did what you said above, but when I open the app on my phone it asks for my apple ID and password. I enter it and then nothing happens. I am using an iphoneX. Any thoughts?

    • lincomatic says:

      You open Fitness Utility, and it asks for your Apple ID? Weird. Have you ever installed Fitness Utility before? If not, maybe you need to first authorize the app by downloading the latest version from the App Store. Just install the latest version, start it once, delete it, and then install my older version

      • Stephen ONeal says:

        It is weird..I had the newest version and deleted it prior. I will do it again….I had to use configurator 2 to install the app since my version of iTunes no longer allows app installs.

        • Stephen ONeal says:

          Just tried doing it again…same thing happened. When I type in my Apple ID and password in the app it gives me a black screen and then goes back to my home screen. If I install the current version from the app store it works like normal. Never had an app ask for my password like this before.

          • lincomatic says:

            I think your problem is that Configurator 2 isn’t install the application properly. I was thinking maybe the problem was with iOS 11, so I installed on my iPhone 6 that has iOS 11, and it still works fine. I’ve updated the procedure above with more details.. please try the new procedure and report back

      • Stephen ONeal says:

        I tired doing it the ifunbox way and it was exactly the same. The app opens with a black screen and asks for an Apple ID and password. Have you tried this procedure on anyone else’s phone that is on a different itunes account? Would be awesome if this would work because Scosche is less than helpful.

        • lincomatic says:

          Please see my response to Hap’s comment above. I will have to update the procedure to explain how to download your own copy of the old version of Fitness Utility.

  • Hap says:

    Thanks for posting this and investigating the issue. Unfortunately your method won’t work for anyone else. Apple IPAs are tied to a specific Apple ID and they cannot be redistributed. You can double click the application in iTunes to try and authorize it but it will bring up your Yahoo address because that’s presumably the one you used to download the IPA.

    How did you manage to obtain a copy of the old Fitness Utility? Maybe if it’s not tied specifically to your account or computer it’s something other users can try. Was it from the backed up Mobile Applications folder in your iTunes folder? I checked mine and unfortunately I don’t have that. I’m also trying some other method I found to download older versions of applications using a MITM and Fiddler but the instructions are a few years old and I don’t know if it will still work.

    • lincomatic says:

      Thank you for bringing this to my attention. Oh well, I was trying to avoid having everyone go through the rather laborious and time consuming process of downloading their own copy of Fitness Utility. I had to us a modified version of the procedure documented in How to legally download any previous version of an App Store app through iTunes, using iTunes 12.6.3 to do it. I will try to reconstruct the procedure and document it when I have time in a few days.

      • Stephen O'Neal says:

        Thanks for trying. Not sure why the firmware upgrade to 3.0.1 has been so bad. I have two Rhythm+ units both worked great before the update. Shame it has been 6 months and they seem reluctant to do anything about it.

      • Hap says:

        Thanks for posting this! I was struggling to get it working because of the certificate pinning issue. I tried to download an older version of iTunes but that led to all sorts of issues.

        FWIW Scoche said they will update the firmware in the coming months to address the issue in the comment’s section of DC rainmaker’s post about the new HRM monitor.

        Still I don’t think it’s OK for them to leave it broken for 6+ months without saying a word or allowing users to downgrade. I actually bought another unit to test and it came with a newer 3.10 firmware (not a typo) and it didn’t work either. The high readings appeared to be resolved but it just kept locking onto my cadence instead of heart rate when I started jogging. Hopefully the new firmware they’re planning to release isn’t 3.10.

        • lincomatic says:

          That’s great news that Scosche isn’t abandoning the Rhythm+ and is still working on firmware updates. I am kicking myself now, because in the process of testing out different scenarios for writing this blog entry, I forgot that loading firmware 2.4 disables the ability to do OTA BT firmware updates, so my unit is now stuck at firmware 2.4 unless I send it back to Scosche! So then entire article above doesn’t even apply to me anymore, despite all my hard work to document it for everyone else!

          • lincomatic says:

            Incidentally, I didn’t want to disclose it in the article above, but since IPA files are just ZIP files, if you open up the Fitness Utility IPAs as ZIP files, you will find inside them the firmwares in HEX format. What’s really crazy is that Fitness Utility V2 actually contains a copy of firmware 2.62 inside (R19_V262.hex) that I don’t know how to access via the UI! Also, inside are two other HEX files, 09142016_3_0_RhythmP.hex and 12072016_3_0a_RhythmP.hex. I am not sure what the difference is between them, but they should both be installable with the email to Fitness Utility 1.4.1 method.

          • Hap says:

            Sorry to hear about your downgrade. If it’s any consolation I followed your instructions and was able to downgrade successfully! You’ve saved at least one unit from being unusable.

            I’ve already deleted the app from my iPhone after saving a copy of the ipa just in case. I don’t plan on ever upgrading even after they release a fixed version. Based on what I’ve read on Amazon other firmware upgrades in the past have broken ANT functionality. It’s too risky to potentially break the unit without knowing what improvements the firmware brings.

            I’m usually on the side of keeping all my devices updated so this is new for me.

          • lincomatic says:

            Awesome that I got the write up right this time w/o making any errors! so many steps, I wasn’t sure if I left something out. Congrats

          • Noel says:

            I got a Rhythm+ in 2016 and had zero problems with it up until it got water inside and died. Amazon delivered my new on yesterday and it has 3.10. I paired it okay to my Garmin FR230 but haven’t done a run yet. I plan to do 5 miles later today. Hope all goes well. My old one still turns on but the LEDs do not flash. I need to check the firmware version of that one because it was rock solid. Out of curiosity, do you know what is the oldest firmware is that still supports OTA updates? Also, could you provide a link to the old IPA. I can use Cydia Impactor to resign it for my own phone.

          • lincomatic says:

            In this article, I talked about OTA upgrades.. 2.5 is the furthest back you can go
            http://blog.lincomatic.com/?p=1843

          • Noel says:

            Here is my first run on my brand new monitor which came with 3.10. Looks okay to me. I have it paired via ANT to my Garmin FR230. I’m not going to mess with the firmware unless it starts acting up.
            https://connect.garmin.com/modern/activity/2538713938

          • lincomatic says:

            Wow, that’s pretty impressive. Hardly ever get such smooth plots. Did you ever get decent plots like that with older firmwares?
            I’m trying to decide whether or not it’s worth it to send mine back to Scosche to upgrade, since I killed the OTA on mine by accidentally installing
            installing 2.4.

          • Noel says:

            I order my first Rhythm+ on February 8, 2016. That one was very stable too but I’m not sure what the firmware version was. It always worked well so I never had to mess with it.

          • Noel says:

            Second run with 3.10:
            https://connect.garmin.com/modern/activity/2546161823

            It did drop the signal completely right after the 2 mile mark for about 28secs. Then right after the 4 mile mark the rate dipped a little for no apparent reason. Later in the run around the 8 mile mark it dipped dramatically but this dip was during a walk so I think it’s actually correct. So to me it looks like 3.10 is fairly stable. At least on my FR230 via ANT it is.

          • lincomatic says:

            Except for the weird drop out, it looks pretty good. I often get a huge jump in HR in the beginning of a run for a few minutes, before it stabilizes. And this is with 2.4. Do you notice any new features?

  • Jef says:

    Thank you so much for this. I am experiencing weird readings on my Rhythm+, which I suspect trace back to the upgrade to firmware 3.01.
    I would love to follow your procedure, unfortunately the link to download Fitness Utility v 1.4.1 on your site doesn’t work at all (tested on Chrome and Firefox). The links to get iTunes 12.6.3 via Apple work well.
    Any chance you could fix this ?
    Huge thanks in advance.

  • Jef says:

    Oops, sorry … forget my comment. I hadn’t seen the edit at the top of your post.
    Cheers. Jef

  • lincomatic says:

    OK, the revised procedure is now posted above, including how to download your own copy of Fitness Utility 1.4.1. It was a royal pain in the ass, and even more of a royal pain in the ass to document. Have fun!

    • Paul says:

      Thank you so much for providing revised procedure! Successfully downgraded to 2.62

    • peter says:

      it took me some time to get the 1.4.1 from itunes on the phone. For some reason it didn’t work. I uninstalled both fiddler and itunes and started all over and then it worked!

      the firmware installation of 2.62 went amazingly quick (few seconds). I really hope this gets rid of all the weird values I was getting.

      Question: I assume it does no harm in leaving the 12.6.3 iTunes version installed? My version before was older so this is newer, which seems no problem, right?

      Thanks again for the great post!

      • peter says:

        One extra question, I see there is a new version of Fitness Utility (3.0) where they explicitely say the 3.01 firmware has been removed from the app…
        Did anyone try this version of the app already and to which firmware it upgrades? 3.0 or 2.62? If it would do 2.62, then that would be the easiest way to downgrade.
        After all the effort to get it back on 2.62 again, I’m not really in the mood to try myself 🙂

        • Stephen ONeal says:

          The description on the new app update says they took the firmware updating ability away in the newest version. While a bit long. The process described here worked like a charm. Can’t wait to give it a try tomorrow morning at OrangeTheory.

          • peter says:

            I was a bit dissappointed today. The HR readings were on 2.62 even worse than last time on 3.01.
            My target was around 135 and on a steady pace it kept jumping from the 120’s to the 140’s or 150’s.
            I wore the unit as usual on my upper arm (between elbow and shoulder) facing inside and really tight (as usual).
            Next time I’ll connect via BT Smart again (I was still using the Wahoo workaround for iSmoothRun as I mentioned in the “upgrade” post). Maybe that helps…

        • lincomatic says:

          They took the updating feature out temporarily. BTW, it’s easy to downgrade next time, as long as you keep the IPA. You can just restore the 1.4.1 IPA with iFunBox and skip swapping out the iTunes. But to answer your other question, you can stick with iTunes 12.6.3 if you wish. I had a newer version, so my current iTunes backups were incompatible

          • peter says:

            Thanks for the answer.
            About iFunBox, I don’t seem to get this working. If I open it, it is just a blank screen. If I’m lucky I can click the gear-icon to change language but that’s it. Nothing shows there.
            I remember I tried that tool before.
            I’m on Windows 10.
            Any ideas?

          • lincomatic says:

            I’m running Win10 as well, and it works fine. Try uninstall-reinstall? If not, there are currently 3 different versions in the downloads, try a different version.

          • peter says:

            hello, thanks for the tip.
            I tried all versions.
            The classic version crashed on starting (both 32 and 64bit)
            The 4.0 version was the one I tried before.
            3.0 seemed to work! I could push an IPA to the phone.
            Thanks

  • Stephen ONeal says:

    It worked! Both of my Rhythm+ have been downgraded…one thing that is odd…the one that they sent me as a replacement and had the number that shows up in the bluetooth settings stamped on it…similar to what the ones that OTF sells….now the number that shows up in BT settings is different…not a big deal, just thought it was interesting. But both have been rolled back to 2.62…

    On a different note did any one notice that Scosche updated the app last night and removed the ability to update the firmware…finally admitting something was wrong. Took long enough. Thanks for the help.

    • Stephen ONeal says:

      Used the Rhythm+ with the 2.62 this morning at Orange Theory.

      The Good: It tracked my heart rate great. Used FITIV on my apple watch paired with the Rhythm+ did a great job.

      The Bad: The number that showed in my BT settings when the Rhythm+ is paired changed on this unit with the firmware downgrade. It used to match a number stamped on the underside of the Rhythm+ Orangetheory uses this number for the Rhythm+ to connect to their system. We tired using the stamped number and the number that was showing up in my BT settings and neither seemed to work. I think it should work with the number in the settings, so I am going to get to the gym earlier on Monday and see.

      • lincomatic says:

        Hmm, I’m not sure which number you’re talking about. There’s a field to change the device name in Fitness Utility on the first page, so you can change the number that displays there. What’s the format of this number you need?

        • Stephen ONeal says:

          The use what is called the Device ID. I also read something about needing the manufacturer number…I found somewhere that Scosche is 82…in the past the device ID worked using the number that displayed in my bluetooth settings. We shall see in the morning.

  • Stephen ONeal says:

    Not an expert on Ant+ and bluetooth, but I know the device broadcasts a number that Orangetheory uses to identify a user to sync with their system. The number that my unit broadcasts changed when I downgraded. I will do a little research and see what exactly I need.

  • Stephen ONeal says:

    I ended up sending one (the newer one) of my Rhythm+ back to Scosche for a firmware fix. I was able to downgrade both of them to 2.62, but the one I sent in would not connect with the Ant+ at OrangeTheory fitness after the downgrade. It will interesting to see what firmware it comes back with. I have not tried my older unit at OrangeTheory yet. I will do so on Friday morning. However, they both work great on Bluetooth with no crazy abnormal readings and no drop outs other than the slight blip when doing certain arm centric exercises.

    • lincomatic says:

      That’s really strange. Mine connected OK w/ my Garmin via ANT+ with all the versions I threw on it, including 2.62.

      • Stephen ONeal says:

        I took my older Rhythm+ in to Orangetheory this morning and it worked like a charm. First workout at 2.62 in at least 6 months. No dropouts. No crazy readings. Thanks for the help. Can’t wait to see what firmware Scosche puts on my other one when it is sent back.

        Thanks for all your help with this. I really appreciate it.

  • Jef says:

    Again, HUGE thanks for this!
    I was able to downgrade my Rhythm+ from 3.01 to 2.62. Haven’t tested it yet, but I hope that this will end the beyond erratic HR readings observed since fw 3.01.
    For info, two glitches encountered in the process :
    – needed several attempts pressing the “firmware update” button in the Fitness Utility app for it to actually do the job. On first attempts, progress bar would appear but freeze immediately. Had to shutdown the app on the iPhone, and power cycle the Rhythm+ …. with quite shaky hands given the fear of bricking the device. Fourth or fifth attempt was success … and relief.
    – Also, on Fiddler, the “reset all certificates” doesn’t seem to remove all certificates installed. Fiddler “DO_NOT_TRUST_FiddlerRoot” still appear in my Trusted Root Authorities Certification Store (as viewed with certmgr.msc). I hope that this doesn’t raise any security issue for the future.
    Cheers. Jef

    • lincomatic says:

      Strange, I didn’t have any problems w/ removing the DO_NOT_TRUST certificate. I just checked with certmgr.msc, and it’s indeed removed.
      I would try to remove it again with Fiddler. If it doesn’t remove, can you try removing it with certmgr?

  • Jef says:

    I tried several times to remove it with Fiddler, with same outcome. I also thought this might come from having left the “decrypt HTTPS” box ticked, so I unchecked it before selecting “reset all certificates” but again it recreated a new one. Fiddlers does what it states in the first pop-up windows after you select the reset i.e. “Progress Telerik Fiddler will delete all interception certificates and recreate a new root certificate for use in decrypting traffic”. I am surprised this doesn’t happen for you, unless we have a different version of Fiddler (mine is Fiddler 4 – build 5.0.20173.50948).
    Anyhow, I have successfully deleted this DO_NOT_TRUST certificate with certmgr (exported a backup before just in case). So, hopefully solved for good.

  • Noel says:

    Could you share the old ipa for others to use? It is very easy to resign an ipa so it can be used on another device using Cydia Impactor.

  • Martynas says:

    Hello all, quick question is there any point to upgrade band from 2.2 to 2.6? Or I am going to be ok with 2.2?

  • Stephen O'Neal says:

    I see sosche has a new app out to work with the Rhytyhm* and the new rhythm24. Mine says I can upgrade my + to 3.4. Scared to do it. Anyone tried this yet. App is called Rhythm Sync. Looks much better than the fitness utility one.

Write a Comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>