Hacking Polar Loop - Part 2

USB Communication

Please read first post first.
Code can be found on GitHub.

Polar Loop is recognized as USB HID device. As it was described in previous post, it is using only one report:
  • Report Type: Output
  • Report ID: 1
  • Report Length: 64
It is a request-response communication. Each response is raw byte array of length 64 (similar to input report). Communication is not encrypted.

Still, communication looks like binary data with some human-readable strings. Most of them seems to be paths:
  • /
  • /U/UDB.BPB
  • etc.
This information was enough to guess that Polar Loop is storing information in serialized way.
BPB...PB...Protocol Buffers...Google Protocol Buffers :)

Google Protocol Buffers (PB)

"Protocol buffers are a language-neutral, platform-neutral extensible mechanism for serializing structured data."

Unfortunately, serialized data is not self-describing. Endpoints, however, have to know, how to serialize/deserialize data. PB compiler is used to generate language specific code from plain proto files. Code generated by PB compiler includes compiled proto file.

Thesis: If Polar is using PB, it has to have compiled PB code included in applications.

After few tries, I knew how it should look. Each compiled proto file string must have '.proto' substring. Not to much to search.

First, I checked Polar FlowSync - fail. Hooking network traffic confirmed, that Polar Flow is just passing data retrieved via USB to remote location. It means, PB code is included in server applications.

Second try - Android application - Polar Flow. Success! I found more than 50 compiled proto files descriptors.


Pbd is a Python module to disassemble serialized protocol buffers descriptors. It was created specially for this project. Right now it is more popular than Loophole ;)

You can find code on GitHub.

At this point I had plain proto files!

3 komentarze:

  1. Hi! Thank you for your effort! It was extremely helpfull.
    Polar just pushed strava live segments update which is not available without premium subscription. So i decided to hack it. Almost done, but segment TST.BPB are not compatible with .proto file you captured. I don't have android device to get new descriptors from the app. Could you update .proto dumps please?
    Could you contact me by email on github for more details, please? https://github.com/Antash/polar
    Kind regards,

    1. Hi Anton, I am very interested by the live segments functionnality for My Polar V650. Hope you will relesase it soon. I will wait and watch to your github repository.
      Best regards

  2. Hi! is it work with the polar loop 2? or did i have to try it to find out?