Hacking Polar Loop - Part 1

This is the first post in a series about hacking the Polar Loop activity tracker.

Code can be found on GitHub.

Introduction

Polar Loop is an activity tracker from Polar Electro. Basically it is a wrist band that monitors your activity (movement). Since I bought one, I was curious how it works.

After a few months of use, I decided it was time to hack it. So, let's go.

Gathering info

The Polar environment consists of:
  1. Device (Polar Loop)
  2. Polar Web application (Polar Flow)
  3. Windows sync application (Polar FlowSync)
  4. Mobile application

Device

Polar Loop uses BLE (Bluetooth Low Energy, also marketed as Bluetooth Smart). That means it had to be certified by the FCC (Federal Communications Commission), and so a set of documents is publicly available.
I used the great FCC document search engine at https://fcc.io/.
The FCC ID for Polar Loop is INW0C.

The most interesting one is the Internal Photos document.
From it I learned what is inside:

  • STM32L151QCH6 - Ultra-low power ARM Cortex-M3 MCU, 256 Kb Flash, 32MHz CPU, USB 
  • CC2541 - SimpleLink Bluetooth Smart and Proprietary Wireless MCU
  • AS1130 - LED Driver IC
  • 25PX16VG - Serial Flash memory
  • Y434 NS01 - ??? (let me know in the comments if you know what it is)

Attack vector

There are three ways to access the device:
  1. Button - highly unlikely to hack it via a single button (tried anyway ;p)
  2. Bluetooth Smart - skipped.
  3. USB - Winner!
I focused on USB. Polar Loop is recognized as a USB HID device. Obviously, it is the best place to start.

USB communication

A quick USB HID class intro: USB HID drivers are included in most modern OSes.
The device describes how it will communicate. Communication is realized using Reports, and a device can handle more than one report.
Polar Loop uses only one report:
  • Report Type: Output
  • Report ID: 1
  • Report Length: 64
It means the device accepts a raw byte array of 64 bytes.
Initial investigation was done using USBlyzer and Wireshark.
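As an added illustration (not the author's GitHub code), here is how such a fixed-size Output report would be framed and checked before it is handed to a HID library; the vendor/product IDs are placeholders, and the hidapi call is an optional, lazily imported step so the framing helpers run without the library installed:

```python
# Added example: framing a Polar Loop style HID Output report (Report ID 1, 64 data bytes).
# Not the author's code. VID/PID below are placeholders, not the device's real IDs.

REPORT_ID = 1        # from the post: the single Output report has ID 1
REPORT_LEN = 64      # from the post: the report carries 64 raw bytes

VENDOR_ID = 0x0000   # PLACEHOLDER - the post does not give the real VID
PRODUCT_ID = 0x0000  # PLACEHOLDER - the post does not give the real PID


def build_output_report(payload: bytes) -> bytes:
    """Return the buffer a HID library expects for one Output report.

    hidapi convention: byte 0 is the Report ID, followed by exactly
    REPORT_LEN data bytes. Shorter payloads are zero-padded; longer ones
    are rejected rather than silently truncated, so a malformed command
    never goes out on the wire.
    """
    if len(payload) > REPORT_LEN:
        raise ValueError(f"payload is {len(payload)} bytes, report holds {REPORT_LEN}")
    return bytes([REPORT_ID]) + payload.ljust(REPORT_LEN, b"\x00")


def split_report(buf: bytes) -> tuple:
    """Inverse of build_output_report: validate the frame and return (report_id, data)."""
    if len(buf) != REPORT_LEN + 1:
        raise ValueError(f"frame is {len(buf)} bytes, expected {REPORT_LEN + 1}")
    return buf[0], buf[1:]


def hexdump(buf: bytes, width: int = 16) -> str:
    """Format a frame the way a USB sniffer shows it, one row per `width` bytes."""
    rows = []
    for off in range(0, len(buf), width):
        chunk = buf[off:off + width]
        rows.append(f"{off:04x}  " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(rows)


def send_report(payload: bytes) -> int:
    """Hand the framed report to the device via hidapi (optional; needs `pip install hidapi`)."""
    import hid  # assumed library; imported lazily so the framing code works without it
    dev = hid.device()
    dev.open(VENDOR_ID, PRODUCT_ID)
    try:
        return dev.write(build_output_report(payload))
    finally:
        dev.close()


if __name__ == "__main__":
    # Constructed sample bytes; the real command format is not described in this post.
    print(hexdump(build_output_report(b"\x01\x02\x03")))
```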


More soon...
