HowTo: Downgrade Scosche Rhythm+ Firmware

REVISED 20180116

In my previous article, HowTo: Upgrade Scosche Rhythm+ Firmware, I showed how to update Scosche Rhythm+ firmware via their Fitness Utility iOS app. Some people have had issues with the 3.01 firmware installed by the latest V2 Fitness Utility, notably incompatibility with certain apps, and/or flaky readings.

I contacted Scosche via live chat, and they told me that there was no way to downgrade from 3.01, except for sending the unit back to them. The V2 Fitness Utility no longer has a Firmware Update button, so there’s no way to use it to install any firmware other than v3.01. Instead of sending mine back to them, I decided to try to get a hold of an older version of Fitness Utility, in order to downgrade the firmware. It turned out to be a very laborious and time consuming procedure. I was hoping that I could share the IPA file of Fitness Utility 1.4.1 so everyone else could save a lot of time, but as reader Hap noted in the comments below, IPA files are tied to specific Apple IDs.

If you want to downgrade your firmware yourself, rather than send it back to Scosche, follow the rather lengthy and complicated procedure below.

To obtain the older version of Fitness Utility, I loosely followed the procedure from How to legally download any previous version of an App Store app through iTunes, but it was somewhat outdated, so I will summarize my own procedure below. I am not going to explain the nuts and bolts of what each step does, since that’s covered in the linked article.

Current versions of iTunes no longer support app installs, so you need to downgrade to an older version. The linked article states that there’s yet another hurdle, in that as of iTunes 12.5, Apple is using certificate pinning, which nullifies the ability of Fiddler to snoop HTTPS traffic. I tried an older version of iTunes, but it was no longer able to communicate with the App Store (Apple just LOVES to put up hurdle after hurdle for us!). After much searching, I discovered that in December 2017, Apple quietly released iTunes 12.6.3 for enterprise users who still need the ability to do app installs. Because it uses certificate pinning, I had to devise a procedure to get around that.

Note for Mac users: You can probably follow the same basic procedure using Charles Proxy, but I don’t have the ability to walk you through that.

WARNING: THE PROCEDURE BELOW IS PROVIDED AS A RESULT OF MY OWN FINDINGS. THERE IS ABSOLUTELY NO WARRANTY, AND THERE IS A SMALL POSSIBILITY THAT YOUR DEVICE CAN BECOME BRICKED DURING A FIRMWARE UPDATE. MAKE SURE THAT YOUR DEVICE IS FULLY CHARGED BEFORE STARTING. IN FOLLOWING THE INSTRUCTIONS BELOW, YOU AGREE TO RELEASE ME FROM ALL LIABILITY, AND PROCEED AT YOUR OWN RISK.

How to download Fitness Utility 1.4.1 and use it to downgrade your Rhythm+ to firmware 2.62:

    1. Find your current iTunes folder, and rename it to iTunes.sav, or just move it to a new location. On Windows 10, it’s located at C:\Users\<yourusername>\Music\iTunes. (Don’t worry, after you’re done, you can reinstall the latest iTunes, and restore your old iTunes folder).
    2. Download and install iTunes 12.6.3
    3. Download and install Fiddler. DO NOT START FIDDLER YET
    4. Launch iTunes 12.6.3 and download any random app. iTunes will prompt you to log in with your Apple ID. This is the loophole we use to get around the certificate pinning. It turns out that iTunes 12.6.3 only checks the certificate during the login process, and doesn’t detect when we later swap in Fiddler’s fake root certificate so that it can snoop HTTPS traffic.
    5. Before proceeding, it’s best to kill any programs on your computer that access the web, because they will pollute your Fiddler capture. If you have your web browser open in order to read this article, kill all of your other tabs that might be accessing the web in the background.
    6. Launch Fiddler.
    7. In Fiddler, go to the File menu and uncheck File->Capture Traffic
    8. From the Fiddler menu, go to Tools->Options->HTTPS. Check the Capture HTTPS CONNECTs and Decrypt HTTPS traffic checkboxes. A dialog box will pop up asking if you want to Trust the Fiddler Root certificate. Select Yes to it, and all of the ensuing dialog boxes. Don’t worry, after we’re done, we will remove the fake certificate, and restore your original.
    9. In Fiddler, go to the menu to check Rules->Automatic Breakpoints ->Before Requests
    10. Launch iTunes and search for Fitness Utility in the App Store
    11. In Fiddler, go to the File menu and check File->Capture Traffic
    12. In iTunes, click the button to download Fitness Utility
    13. A few requests with red icons on the left will appear in the Fiddler capture pane. Select HTTP Tunnel to upp.itunes.apple.com:443 and click the green Run to Completion button in the right pane. Next, select HTTP Tunnel to p14-buy.itunes.apple.com:443 in the left pane, and click the green Run to Completion button in the right pane.
    14. A new request should appear in the Fiddler capture pane: HTTPS p14-buy.itunes.apple.com /WebObjects/MZBuy.woa/wa/buyProduct. Select it in the capture pane, and then in the right pane, click the TextView tab, look for

      <plist version="1.0">
      <dict>
      <key>appExtVrsId</key>
      <string>821322483</string>

      and replace 821322483 with 813634417.

    15. In Fiddler, go to the menu to check Rules->Automatic Breakpoints ->Disable
    16. Make sure the HTTPS p14-buy.itunes.apple.com /WebObjects/MZBuy.woa/wa/buyProduct request is selected in the Fiddler capture pane, and click the green Run to Completion button.
    17. After iTunes shows that Fitness Utility is downloaded, verify that you have the Fitness Utility 1.4.1.ipa file in C:\Users\<yourusername>\Music\iTunes\iTunes Media\Mobile Applications
    18. Connect your iOS device to your computer, and use iTunes 12.6.3 to install the Fitness Utility 1.4.1 to your iOS device, or use iFunBox instead as described below in Update 20170112
    19. Launch Fitness Utility 1.4.1 on your iOS device and turn on your Rhythm+. WARNING: MAKE SURE YOUR RHYTHM+ IS FULLY CHARGED BEFORE UPGRADING THE FIRMWARE. IF IT DIES DURING A FIRMWARE UPGRADE, IT MAY BE RENDERED UNUSABLE.
    20. Tap the Commands button at the top right of the screen, and then tap the Start button next to Firmware Update.
    21. After the update is completed, power cycle your Rhythm+
    22. You can check that the firmware version is now 2.62 by tapping the Attributes button at the top left of Fitness Utility.
    23. VERY IMPORTANT: Once you verify proper operation of Fitness Utility, on your computer, have Fiddler restore your original root certificate with Tools->Options->HTTPS->Actions->Reset All Certificates.
    24. Copy your Fitness Utility 1.4.1.ipa file somewhere so that you can reuse it in the future if you wish.
    25. Delete the new iTunes folder, restore your old iTunes folder by renaming iTunes.sav to iTunes, uninstall iTunes 12.6.3, and reinstall your original version of iTunes.

Now that you have your own copy of Fitness Utility 1.4.1.ipa, you are free to try any future firmware upgrades from Scosche, because it’s easy to go back to a working version if you don’t like the new one. If you use iFunBox, you don’t even have to mess with swapping out iTunes versions.

If you prefer to downgrade to firmware v2.4, you can use Fitness Utility 1.4.1 and follow the procedure below:

*** WARNING: DOWNGRADING TO FIRMWARE V2.4 DISABLES THE ABILITY TO UPDATE FIRMWARE VIA FITNESS UTILITY. IF YOU LATER CHANGE YOUR MIND, AND WANT TO INSTALL A DIFFERENT VERSION, YOU WILL HAVE TO SEND THE UNIT BACK TO SCOSCHE. ***

  1. Download firmware 2.4 and unzip it.
  2. Send the unzipped HEX file to an e-mail address accessible from your iOS device.
  3. Open the e-mail you sent on your iOS device, tap the attachment, and then scroll through the on-screen icons until you find Copy to Fitness Utility, and tap the icon.
  4. Turn on your Rhythm+ and follow steps 19-22 above.

The above method actually works with any version of firmware HEX file that you are able to obtain.


Update 20180112: I tried installing Fitness Utility 1.4.1.ipa with iFunBox instead of iTunes, and it also works. Launch iFunBox with your phone connected to your computer, and install the app by clicking Install App(*.ipa) on the main screen.

Downloads:
iTunes 12.6.3 (allows App installs): https://support.apple.com/en-us/HT208079
Firmware 2.4: scosche-rhythmplus-2_4.zip

 


HowTo: Upgrade Scosche Rhythm+ Firmware


The Scosche Rhythm+ is an optical BLE/ANT+ armband heart rate monitor that’s highly recommended by DC Rainmaker. There are many posts around the Internet which claim that it doesn’t have updateable firmware, but that’s not always the case. Prior to firmware V2.5, the Rhythm+ had to be sent back to Scosche for firmware updates, but if you’re lucky to have firmware 2.5+ installed, you can update the firmware yourself with your phone and Scosche’s Fitness Utility.

*** WARNING WARNING READ BEFORE UPDATING: Read all of the updates at the bottom of this article before attempting a firmware update. Sometimes, a unit has gotten bricked by the procedure, but apparently, it has been fixed in Version 2 of the app. Also, read the comments left by other users. It seems that the data in the newer firmware 3.0+ also causes issues with data corruption in certain apps.  Before starting a firmware update, make sure that your device is fully charged, because it can be rendered unusable if the battery dies during the procedure ***

The procedure is quick and easy. Pair the Rhythm+ to your phone and launch the Fitness Utility. You will be presented with the Attributes screen, which lists the current firmware version:

[Image: Fitness Utility Attributes screen]

If you have Firmware Revision 2.5 or higher, tap the Commands button, and you’ll be presented with this screen:

[Image: Fitness Utility Commands screen]

Tap the Firmware Update Start button, and the utility will update you to the latest firmware.

I got a nice new feature when I upgraded mine to firmware 2.62. Now, after setting my HR Zone Min and HR Zone Max via the Fitness Utility, the LED on the Rhythm+ blinks blue when my HR is below HR Zone Min, purple when I’m between HR Zone Min & Max, and red when I’m above HR Zone Max. I guess if you only use ANT+, and want to save some battery life, you can turn off the BLE Radio as well, but I haven’t tried playing with any of the other functions yet, and I have no idea how you would turn BLE on again, since the app communicates via BLE.

Update 2016-07-11: Reader Atle posted below that v2.62 adds another function for iOS users … click the button on the unit once to start/stop music, and double click to advance tracks in the playlist. I wonder if this works on Android, as well.

*** 20170327: WARNING: I HAVE RECEIVED MULTIPLE REPORTS OF UNITS WITH NEWER FIRMWARE GETTING BRICKED BY APPLYING THE FIRMWARE UPDATE. IF YOU HAVE A UNIT WITH NEWER FIRMWARE >2.62, APPARENTLY, THE UTILITY IS BADLY DESIGNED, OR HASN’T BEEN UPDATED IN A LONG TIME, AND CAN CORRUPT UNITS WITH NEWER FIRMWARE. AT THIS TIME, I *DO NOT* RECOMMEND UPDATING YOUR UNIT IF IT HAS NEWER FIRMWARE. IF YOUR UNIT GETS BRICKED, CONTACT SCOSCHE CUSTOMER SUPPORT … IT IS THEIR FAULT IF THEIR SOFTWARE BRICKS YOUR UNIT ***

*** 20170509: A reader below said: “If you see blinking Red-blue led so seems like bricked but don’t be upset just put on charge unit and the device will be reset.” Please leave a comment below if it works to resurrect your bricked unit ***

Update 2017-06-16: As reader Occamsrazor states below, the Fitness Utility has been updated to Version 2. The description on iTunes shows that it has some new features, but it’s rather cryptic. I was able to use it to update my 2.62 FW to 3.01. You no longer have to press a firmware upgrade button. If your unit is eligible for updating the firmware, it will automatically prompt you when you connect your device. The new app has several new undocumented functions. I tried to enter my birthday, height, etc, but it doesn’t seem to work. If anyone figures out the advanced features, please post below. Apparently, it’s possible to record a workout in the band itself, and then export a CSV file, but I can’t get any of the functionality to work. Also, there are some reports that the new version is a lot less likely to brick your unit, but YMMV. It worked OK for me.

Update 2018-01-09: 1) I’m not absolutely certain, but I feel that my Rhythm+ has gotten flaky since updating to v3.01 firmware. The heart rate is often very low or very high. I decided to try downgrading my firmware. If you are having issues, and want to try a different version of firmware, I have documented how to downgrade in a new article: HowTo: Downgrade Scosche Rhythm+ Firmware. 2) I was wrong above. You don’t need v2.62 firmware to get the feature that setting the Min & Max heart rates makes your LED flash purple/blue/red when the heart rate is below Min/in between Min & Max/Max HR. v2.4 firmware actually supports that feature.

 


Build a Bluetooth Low Energy (BLE) Controlled RGB LED

I have been wanting to play with my RedBearLab BLE Shield for some time, but have been too busy. This weekend, I finally was able to allocate some time to experiment with it. I decided to do something relatively easy as my first project, so as to familiarize myself with the Bluetooth API’s on both the Arduino and the host side. Wirelessly controlling an RGB LED seemed like something fun to do.  RedBearLab has some example programs for Mac OSX and iOS in their BLE SDK.  I decided to start with OSX, since the compiler and SDK are a free download from Apple.

One nice thing about BLE is that you can write iOS apps that talk to it without going through Apple’s expensive MFi program.  Apple is being asinine, as usual, and decided not to support the RFCOMM profile, which allows older versions of Bluetooth to emulate serial ports, and talk to arbitrary devices.  However, they still force you to pay them $99 per year (yes, per year, not a one-time fee) for the *privilege* of being able to run your own iOS apps on an actual device.  Annoying and evil…

While recent Apple computers have Bluetooth 4.0 support built-in, I have an older Mac Book Pro from 2008.  I bought a cheap CSR BT 4.0 dongle on eBay for <$10.

My Mac is running OSX Mountain Lion, but I was not able to get it working at first, even though I followed the hack described at: https://discussions.apple.com/thread/2265096?start=0&tstart=0. (Note: I deleted the bcdDevice key, rather than updating it as described in the article).  Then I noticed that Apple wanted to install an OSX update.  Once I updated to OSX 10.7.5, the dongle started working properly.  What’s strange is, with the update, I found that there is actually a kext which is configured to directly support my dongle (USB VID = 0x0a12, PID = 0x0001) straight out of the box, but for some strange reason, OSX was detecting it as a Broadcom device, rather than Cambridge Silicon Radio.  While the dongle is working now with the hack, it is a bit flaky on my Mac, and sometimes can’t talk to the BLE Shield, unless I unplug/plug it in or retry several times.  On the other hand, it works flawlessly on my Windows 8 machine.  If anyone knows of a cheap and reliable BT 4.0 dongle for OSX, please leave a comment below.  FYI, when you plug in the BT 4.0 dongle, OSX automatically disables the built-in Bluetooth controller.

Schematic:

I used a common-cathode RGB LED.  Here is the schematic:

[Image: schematic]

The brightness of each color channel is controlled via PWM, using a value from 0-255.  The BLE Shield uses pins D8 and D9 for communication.  My Arduino Duemilanove has 6 PWM pins: D11, D10, D9, D6, D5, and D3.  Therefore, I decided to use D6=red, D5=green, and D3=blue. I wired it up on a mini protoboard.  To diffuse the light, I drilled a small hole into a Ping-Pong ball, and attached it to the LED.  Here is my test rig:

[Image: test rig]

I have uploaded all of the code for this project to github: https://github.com/lincomatic/BleRgbLed

Arduino Sketch:

The Arduino code for this project is in BleRgbLed.ino.  Before you can compile the sketch, you must install the BLE Arduino library.  Simply unzip libBLEShield_v1.0.zip into <arduinosketchbook>/libraries.  You will have two subfolders, BLE/ and BluetoothLowEnergy/.

To maintain communication integrity between the host and the Arduino, I decided to implement a simple 5-byte packet format:

<sync byte><red><green><blue><checksum>

where

 <sync byte> = 0xA5

and

<checksum> = <red> XOR <green> XOR <blue>

This way, if the signal drops out or some packets get corrupted, the Arduino can reject bad data, and easily regain sync.
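
An added example (not the code from BleRgbLed.ino) of a receiver for the packet format above, in plain C: it keeps a sliding window of the last five bytes, so a corrupted or truncated packet is rejected and sync is regained on the next good one. The names rgb_feed, rgb_parse and SAMPLE, and the sample bytes, are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PKT_SYNC 0xA5
#define PKT_LEN  5   /* <sync byte><red><green><blue><checksum> */

typedef struct { uint8_t r, g, b; } rgb_t;
typedef struct { uint8_t win[PKT_LEN]; uint8_t fill; } rgb_parser_t;

/* Feed one received byte. Returns 1 and fills *out when the last PKT_LEN
   bytes form a valid packet, 0 otherwise. */
int rgb_feed(rgb_parser_t *p, uint8_t byte, rgb_t *out)
{
    if (p->fill == PKT_LEN) {               /* window full: drop oldest byte */
        memmove(p->win, p->win + 1, PKT_LEN - 1);
        p->fill--;
    }
    p->win[p->fill++] = byte;
    if (p->fill < PKT_LEN || p->win[0] != PKT_SYNC)
        return 0;                           /* incomplete or not aligned */
    if ((uint8_t)(p->win[1] ^ p->win[2] ^ p->win[3]) != p->win[4])
        return 0;                           /* bad checksum: keep sliding */
    out->r = p->win[1]; out->g = p->win[2]; out->b = p->win[3];
    p->fill = 0;                            /* consume the whole packet */
    return 1;
}

/* Parse a buffer; returns the number of accepted packets. The most recent
   accepted color is left in *last (untouched if nothing was accepted). */
size_t rgb_parse(const uint8_t *buf, size_t n, rgb_t *last)
{
    rgb_parser_t p = {{0}, 0};
    size_t i, ok = 0;
    for (i = 0; i < n; i++)
        ok += (size_t)rgb_feed(&p, buf[i], last);
    return ok;
}

/* Constructed sample stream, not captured from a real device. */
static const uint8_t SAMPLE[] = {
    0xA5, 0xFF, 0x00, 0x00, 0xFF,   /* valid: full red */
    0xA5, 0x10, 0x20, 0x30, 0xFF,   /* corrupted: checksum should be 0x00 */
    0xA5, 0x01, 0x02,               /* truncated: two bytes lost */
    0xA5, 0xA5, 0x00, 0x5A, 0xFF,   /* valid: red channel equals sync byte */
};

int main(void)
{
    rgb_t c = {0, 0, 0};
    size_t n = rgb_parse(SAMPLE, sizeof SAMPLE, &c);
    printf("%u packets, last = %02X %02X %02X\n", (unsigned)n, c.r, c.g, c.b);
    return 0;
}
```

The XOR checksum only catches transmission errors: any sender that can write to the link can compute a valid one, so it provides no authentication. Because 0xA5 is also a legal color value, a misaligned window can still pass the one-byte check by chance.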

OSX Cocoa App:

The Mac OSX app is very straightforward, using 3 sliders, one for each color, to control the LED:

As a template, I used RedBearLab’s SimpleControl_Mac example, which is included in their BLE SDK.  To compile the app, your Mac must be running OSX 10.7.2+, and you must use XCode 4.2+. To compile an OSX or iOS app that talks to the BLE shield, you must add two frameworks to your project:  1) BLE_Framework from RedBearLab’s SDK and 2) IOBluetooth.framework from Apple’s SDK.

It would be very straightforward to port the app to iOS, using the SimpleControl_IOS sample as a template, but I haven’t done it yet, because my Apple Developer license expired, and I don’t want to spend another $99 for a new one.  It is supposedly possible to run it on your Mac via the iOS Simulator without a developer license, but I wasn’t able to get the simulator to connect to the BLE shield through my BT4.0 dongle.  iPhone 4S/5 and late model iPads have BLE built-in.  I believe you need to be running iOS 5.1+ to use BLE API’s.

Here is what it looks like in a darkened room.  It’s bright enough to make a nice night light. It looks a bit like an Ambient Orb, and with a bit of extra coding, could actually behave like one. With some transistors to drive more current, you could drive RGB LED strips, and make multicolored under-counter kitchen lighting.

I think it would be cool to use the LED as a notifier for SMS messages, voice mail, etc for an iPhone, but I am not yet sure whether or not the proper API’s are available.

I am more comfortable programming Microsoft Windows apps… if anyone has any good examples for getting started with BLE communication API’s under Windows, please leave a comment below.

One of my goals is to build wirelessly controlled RGB LED goggles for photic brain stimulation – once I get this working, I will post a blog entry.

Code Download: https://github.com/lincomatic/BleRgbLed
