Decoding the Nike+iPod


The Nike+iPod widget is a pretty interesting little device. If you're unfamiliar with it, basically it works like this - you take a small module and put it in your shoe. As you run/walk/samba, it sends data wirelessly to a receiver connected to your iPod or via the Bluetooth protocol on your iPhone (EDIT - it doesn't communicate via Bluetooth, but rather the receiver is integrated into the Bluetooth chip. It still communicates over 2.4GHz. Sorry for any confusion!). (3GS, 4 or 4S). Your iPod/iPhone takes this data, interprets it, and spits out some useful information for keeping track of your workouts. Pretty cool.

It's become obvious to many people that having access to this data could open up other possibilities - basically, everyone wants to hack the Nike+iPod. Unfortunately, the packet payload is encrypted and pretty tricky to make much sense of. That's where this customer project from Dmitry Grinberg comes in.

Dmitry knew the Nike+iPod used a nRF2402 transmitter to transmit the data and he used this as a starting point for understanding how the Nike+iPod works. He happened to have a nRF24L01+ transceiver module and he set this up to receive the data. The next step was a lot of data dumping (and using a logic analyzer) to get all the information he needed.

Finally, Dmitry sat down with copies of the iPhone and iPod OS images and an ARM disassembler and worked to decode the data packets. After some serious decoding - he had success! Here's a sample payload:

offset:    00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14
data:    06 08 5A E2 2E 01 00 26 00 00 4A 01 00 8D 00 00 A7 EC 02 4B 64
use:    ?C B  K  JK D  D  D  G  G  G  E  E  E  H  H  H  A  A  AB !! !!
USES:
    ? - [partially] unknown
    A - serial number component
    B - on hours
    C - packet type
    D - walking step count
    E - running step count
    G - lifetime walking miles
    H - lifetime running miles
    J - some flags (4 known to be used, one not used anywhere)
    K - "Tc"
    ! - unused apparently


The guts of the Nike+iPod.

Be sure to check out Dmitry's webpage for more detailed information of decoding the Nike+iPod system - he does a great job of documentation. You can also check out our experience dissecting the Nike+iPod and this tutorial about turning your Nike+iPod into an "iFob" for your car. Great work Dmitry!


Comments 7 comments

  • It’s just 2.4GHz GFSK modulated data stream. not bluetooth (no frequency hopping)

    Dmitry G.

    • Right you are - I should have written it is integrated into the Bluetooth chip. My apologies!

      • it is integrated into the bluetooth chip in the iPhone, yes. That is to say the bluetooth chip is used to receive this data

  • What Dmitry has done is a core aspect to any hacking. That is you take a successful device and understand how it works and then from there, you can make your own and not be stuck using the iPod or creating your own iPhone App for it.
    I can see a series of devices from what he has done for multiple platforms.
    A suggestion on a product:
    Do everything the Nike+iPod does, only use LilyPad. From here, have the LilyPad control a GPS and a logger system. Use a format so you can put it on Google Earth.

  • Just wondering how to type an asterik…

    *

    oh…

    but how bout 2?

    **

    (*)but not with txt in b/w(*)

    oh! back slashes \\\\

    New\nline… nope.

  • This is awesome! I tried hacking through the data for an afternoon or two but gave up. Just a clarification - does it actually run bluetooth or some other 2.4GHz protocol?


This Week

This Month

Heartbleed

Happy Arduino Day!