Fossil Hybrid HR
About the device
The Fossil Hybrid HR is a hybrid smartwatch with real hands on a round ePaper display and over two weeks of battery life.
Feature support matrix
|Sleep tracking||No||Not tracked by watch but calculated by algorithm in official app|
|Dismiss call with SMS||Yes|
|Music info and control||Yes|
|Watchface configuration||WIP||Currently only working with firmware DN188.8.131.52r and lower|
|Tasker actions||Yes||See below for configuration examples|
Known firmware versions
|Version||From Fossil app||md5sum||Comments|
|DN184.108.40.206r.prod.v8||unknown||Pre-installed, probably no real functionality except firmware update|
|DN220.127.116.11r.v9||works, but see notes|
|DN18.104.22.168r.v5||works, but see notes|
|DN22.214.171.124r.v7||4.5.0||works, but see notes|
|DN126.96.36.199r.v5||4.6.0||watchface configuration not working|
|DN188.8.131.52r.v1||4.6.0||upgrading will invalidate your key, watchface configuration not working|
|DN184.108.40.206r.v4||4.7.0||watchface configuration not working|
- Downgrades seem possible, going from DN220.127.116.11r.v9 back to DN18.104.22.168r.v4 was successful, and downgrade from DN22.214.171.124r.v5 to DN126.96.36.199r.v7 to DN188.8.131.52r.v5 as well
- When upgrading through Gadgetbridge features seem to break, this does not seem to be the case when upgrading through the official app
- From 184.108.40.206 on, menu items vanish (music control, stop watch, etc.) and setting button functions breaks, so most features are inaccessible. This is because watchapps are now separate and are only installed through the official app. There is a way to flash them with Gadgetbridge, but we cannot re-distribute them.
Obtaining the necessary secret key
Unfortunately the device is pretty locked down and it is necessary to use the official app at least once. This has two reasons:
- The device seems to come with a demo firmware that is not functional and needs to be updated once
- There is a secret per-device key that gets negotiated with the Fossil servers. This process seems to be cryptographically secure, unfortunately.
Method 1: The hard way using mitmproxy (sniffing decrypted https traffic)
To do it this way, you need the following:
- A rooted Android device (if you can, use a junk tablet that is not your phone)
- A PC running Linux on the same network
- mitmproxy and knowledge of how to use it.
Generally speaking, the procedure is as follows (there should be detailed tutorials on using mitmproxy elsewhere):
- Run mitmproxy
- Convert the auto-generated certificate and place it on your rooted Android phone in the appropriate folder
- Set up iptables to forward traffic through mitmproxy
- Test if mitmproxy works (you should see decrypted output when you use the browser and go to some https site)
Running the Fossil App with mitmproxy enabled
- Now when you register a new device you can inspect the traffic from/to Fossil servers in mitmproxy. Facebook is also fed with data. You cannot opt out, but you can block the traffic.
- Look for a PATCH request to the Fossil server ending with /secret-key (even if it has a 404 response)
- Press Enter on that request and look at the JSON. There you will see a 256 byte key that is base64 encoded; it will look something like this:
- Do the following (insert your key)
echo "eriwogvjmerighDFGWERj45jdfgsd345FDGdfgdfgdf=" | base64 -d | hexdump -C
- Take the first 16 bytes of the output, in our example this is
7a b8 b0 a2 0b e3 99 ea e2 82 10 c5 19 61 11 8f. Remove the spaces and prefix with 0x. Ignore the second 16 bytes (second line); we don't need them.
- This is the key you need for Gadgetbridge (here: 0x7ab8b0a20be399eae28210c51961118f)
**NOTE: You need to finish the firmware installation to the watch and then activate your watch. If the process is interrupted, you need to start over and you will get a new key; the old one will be invalid. So keep your mitmproxy running until the watch is usable.**
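The filtering and conversion steps above, as an added Python example (not code from the Gadgetbridge wiki or project). It takes one captured request, checks that it is a PATCH ending in /secret-key, and returns the key in the form Gadgetbridge expects, with no spaces or line breaks. Assumptions: the key is a JSON string value that decodes to 32 bytes, as the page's sample value does; the JSON field name and path prefix in the sample are placeholders.

```python
import base64
import json
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def to_gadgetbridge_key(b64_value):
    """Return '0x' + hex of the first 16 decoded bytes, or None if not a key."""
    value = "".join(b64_value.split())  # drop stray spaces and line breaks
    if len(value) % 4 or not B64_RE.match(value):
        return None
    raw = base64.b64decode(value)
    if len(raw) != 32:  # assumption: 32 bytes, as in the page's sample value
        return None
    return "0x" + raw[:16].hex()  # the second 16 bytes are not needed

def iter_strings(node):
    """Yield every string value found in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)

def key_from_request(method, path, body):
    """Inspect one captured request; return the Gadgetbridge key or None."""
    if method.upper() != "PATCH" or not path.split("?")[0].endswith("/secret-key"):
        return None
    try:
        doc = json.loads(body)
    except ValueError:  # body is not JSON
        return None
    for candidate in iter_strings(doc):
        key = to_gadgetbridge_key(candidate)
        if key:
            return key
    return None

# Constructed sample: field name and path prefix are placeholders,
# the base64 value is the example string used on this page.
SAMPLE_BODY = json.dumps({"secretKey": "eriwogvjmerighDFGWERj45jdfgsd345FDGdfgdfgdf="})

if __name__ == "__main__":
    print(key_from_request("PATCH", "/placeholder/secret-key", SAMPLE_BODY))
```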
Method 2: The easy way using a patched app which will reveal the key
There is a patched original app which will reveal the keys. The Gadgetbridge developers did not test it; this is not a recommendation, but it might work for you:
Method 3: Using FossilHRAuthenticator
Create a shared secret for Fossil HR watches and more - this app allows authenticating against all endpoints that support the same protocol. I, for instance, use the authenticator to authenticate my Fossil HR against the Fossil servers.
- Uninstall the Fossil app if you plan to use Gadgetbridge on the same device you obtained the key on, and unpair the watch from Android settings if it is paired
- Press the + button in Gadgetbridge, long-press the found "Fossil" watch, and enter the secret key (make sure you have no line breaks or spaces in your input)
- Go back and tap on the Fossil watch in the list
- Should connect
- Configure one or more Actions in Gadgetbridge. These will be your Commute destinations. Example: "Test"
- Create a profile in Tasker with the event "Intent Received" with the following content:
- Action: nodomain.freeyourgadget.gadgetbridge.Q_COMMUTE_MENU
- Create a task in Tasker with the following content:
- If: %extra_action EQ Test
- Send Intent
- Action: nodomain.freeyourgadget.gadgetbridge.Q_SET_MENU_MESSAGE
- Extra: EXTRA_MESSAGE:Test action received!
- Extra: EXTRA_FINISHED:true
You may set EXTRA_FINISHED to false if the watch is to wait for more content from the phone, and then send another intent with more content.
- Configure a custom widget in Gadgetbridge
- Create a task in Tasker and add the action Send Intent with the following content:
- Action: "nodomain.freeyourgadget.gadgetbridge.Q_SET_WIDGET_CONTENT"
- Extra: "EXTRA_WIDGET_ID_temp:78°F"