Fossil Hybrid HR
Andreas Shimokawa edited this page 5 months ago

Gadgetbridge support for the Fossil Hybrid HR is a work in progress; there is no sleep tracking yet.

About the device

The Fossil Hybrid HR is a hybrid smartwatch with real hands on a round ePaper display and over two weeks of battery life.

Known firmware versions:

| Version | md5sum | Comments |
|---|---|---|
| DN1.0.2.3r.prod.v8 | unknown | Pre-installed, probably no real functionality except firmware update |
| DN1.0.2.12r.v2 | be93342d27f6b837688a05098d240051 | |
| DN1.0.2.14r.v4 | 2af029ab917ed7825287f69abd2b4904 | |
| DN1.0.2.16r.v9 | 06a7f6d32c36ddea28019805e76c6c32 | recommended |
| DN1.0.2.17r.v3(v5) | | Reported as v3 via the BLE protocol, but v5 on the watch. Setting alarms with Gadgetbridge is broken. The reject calls option is not available |


  • Firmware update needs Gadgetbridge 0.43.2 (not yet released, code is in master)
  • Downgrades seem possible; going from DN1.0.2.16r.v9 back to DN1.0.2.14r.v4 was successful

Obtaining the necessary secret key

Unfortunately the device is pretty locked down and it is necessary to use the official app at least once. There are two reasons for this:

  1. The device seems to come with a demo firmware that is not functional and needs to be updated once
  2. There is a secret per-device key that gets negotiated with the Fossil servers. This process seems to be cryptographically secure, unfortunately.

Method 1: The hard way using mitmproxy (sniffing decrypted HTTPS traffic)


To do it this way, you need the following:

  • A rooted Android device (if you can, use a junk tablet rather than your phone)
  • A PC running Linux on the same network
  • mitmproxy and knowledge of how to use it

Generally speaking, the procedure is as follows (there should be detailed tutorials on using mitmproxy elsewhere):

  • Run mitmproxy
  • Convert the auto-generated certificate and place it in the appropriate folder on your rooted Android device
  • Set up iptables to forward traffic through mitmproxy
  • Test if mitmproxy works (you should see decrypted output when you use the browser and go to some HTTPS site)

Running the Fossil App with mitmproxy enabled

  • Now when you register a new device you can inspect the traffic from/to Fossil servers in mitmproxy. Facebook is also fed with data. You cannot opt out, but you can block the traffic.
  • Look for a PATCH request to the Fossil server ending with /secret-key (even if it has a 404 response)
  • Press Enter on that request and look at the JSON. There you will see a 256 byte key that is base64 encoded; it will look something like this: "secretKey": "eriwogvjmerighDFGWERj45jdfgsd345FDGdfgdfgdf="
  • Run the following (insert your key): echo "eriwogvjmerighDFGWERj45jdfgsd345FDGdfgdfgdf=" | base64 -d | hexdump -C
  • Take the first 16 bytes of the output (in our example this is 7a b8 b0 a2 0b e3 99 ea e2 82 10 c5 19 61 11 8f), remove the spaces and prefix with 0x. Ignore the second 16 bytes (second line); we don’t need them.
  • This is the key you need for Gadgetbridge (here: 0x7ab8b0a20be399eae28210c51961118f)
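
The conversion steps above, together with a check that the result has no spaces or line breaks before it is entered in Gadgetbridge, as an added Python example (not part of the original page or of Gadgetbridge). It assumes the captured JSON carries the key in a "secretKey" field, possibly nested; the function names and the sample body are constructed here.

```python
import base64
import binascii
import json
import re

KEY_LEN = 16  # only the first 16 decoded bytes are used for Gadgetbridge


def find_secret_key(node):
    """Return the first "secretKey" string found anywhere in parsed JSON."""
    if isinstance(node, dict):
        if isinstance(node.get("secretKey"), str):
            return node["secretKey"]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_secret_key(child)
        if found is not None:
            return found
    return None


def gadgetbridge_key(body: str) -> str:
    """Turn the captured JSON body into the 0x-prefixed key string."""
    b64 = find_secret_key(json.loads(body))
    if b64 is None:
        raise ValueError("no secretKey field in body")
    try:
        # Drop any whitespace picked up while copying the value.
        raw = base64.b64decode("".join(b64.split()))
    except binascii.Error as exc:
        raise ValueError(f"secretKey is not valid base64: {exc}") from exc
    if len(raw) < KEY_LEN:
        raise ValueError(f"decoded key has only {len(raw)} bytes")
    return "0x" + raw[:KEY_LEN].hex()


def is_valid_gadgetbridge_key(text: str) -> bool:
    """True only for 0x + 32 hex digits, with no spaces or line breaks."""
    return re.fullmatch(r"0x[0-9a-fA-F]{32}", text) is not None


# Constructed sample body, built around the example key shown on this page.
SAMPLE_BODY = '{"secretKey": "eriwogvjmerighDFGWERj45jdfgsd345FDGdfgdfgdf="}'

if __name__ == "__main__":
    print(gadgetbridge_key(SAMPLE_BODY))
```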

**NOTE: You need to finish the firmware installation on the watch and then activate your watch. If the process is interrupted, you need to start over and you will get a new key; the old one will be invalid. Keep mitmproxy running until the watch is usable.**

Method 2: The easy way using a patched app which will reveal the key

There is a patched version of the original app which will reveal the keys. The Gadgetbridge developers did not test it; this is not a recommendation, but it might work for you:


Using Gadgetbridge

  • Uninstall the Fossil app if you plan to use Gadgetbridge on the same device you obtained the key on, and unpair the watch from Android settings if it is paired
  • Press the + button in Gadgetbridge, long-press the found “Fossil” watch, and enter the secret key (make sure you have no line breaks or spaces in your input)
  • Go back and tap on the Fossil watch in the list
  • The watch should connect