40 Fossil Hybrid HR
gohrner edited this page 3 days ago

Fossil / Skagen Hybrid HR

About the device

The Fossil Hybrid HR is an ePaper Hybrid smartwatch with real hands on a round epaper display with over two weeks of battery. The same device is also sold with slightly different cases under the Skagen brand.

Feature support matrix

Feature Supported Notes
Time synchronization Yes
Hands calibration Yes
Steps Yes
Heart rate Yes
Sleep tracking No Not tracked by watch but calculated by algorithm in official app
GPS workouts No
Phone notifications Yes
Call accept/decline Yes
Dismiss call with SMS Yes
Weather info Yes
Physical buttons Yes
Music info and control Yes
Alarms Yes
Watchface configuration Yes Watchfaces on firmware DN1.0.2.20r and up are only supported by Gadgetbridge 0.59.0 and up
Tasker/Intent actions Yes See below for configuration examples

Known firmware versions

Version From Fossil app md5sum Comments
DN1.0.2.3r.prod.v8 unknown Pre-installed, probably no real functionality except firmware update
DN1.0.2.12r.v2 be93342d27f6b837688a05098d240051
DN1.0.2.14r.v4 2af029ab917ed7825287f69abd2b4904
DN1.0.2.16r.v9 06a7f6d32c36ddea28019805e76c6c32 ok
DN1.0.2.17r.v3(v5) 4.3.0 ok
DN1.0.2.18r.v9 works, but see notes
DN1.0.2.19r.v5 works, but see notes
DN1.0.2.19r.v7 4.5.0 works, but see notes
DN1.0.2.20r.v5 4.6.0 works, but see notes
DN1.0.2.21r.v1 4.6.0 upgrading will invalidate your auth key, works, but see notes
DN1.0.2.22r.v4 4.7.0 works, but see notes
DN1.0.2.22r.v5 4.8.0 works, but see notes

Notes:

  • Downgrades seem possible, going from DN1.0.2.16r.v9 back to DN1.0.2.14r.v4 was successful, and downgrade from DN1.0.2.20r.v5 to DN1.0.2.19r.v7 to DN1.0.2.17r.v5 as well
  • When upgrading through Gadgetbridge features seem to break, this does not seem to be the case when upgrading through the official app
    • From 1.0.2.18 menu items vanish (music control, stop watch, etc), setting button functions break, so most features are inaccessible, this is because watchapps are now seperate and are only installed through the official app. There is a way to flash them with Gadgetbridge but we cannot re-distribute them.
  • To make sure the watch is in fully working condition, upgrade it using the latest official Fossil app before switching to Gadgetbridge

Obtaining the neccessary secret key

Unfortunately the device is pretty locked down and it is neccessary to use the official app at least once. This is has two reasons:

  1. The device seems to come with a demo firmware that is not functional and needs to be updated once
  2. There is a secret per-device key that gets negotiated with the Fossil servers. This process seems to be cryptographically secure, unfortunately.

Method 1: The hard way using mitmproxy (sniffing decrypted https traffic)

Requirements

To do it this way, you need the following

  • A rooted Android device (if you can use a junk tablet which is not your phone)
  • A PC running Linux on the same network
  • mitmproxy and knowledge of using of how to use it.

The procedure is generally speaking (there should be detailed tutorials on using mitmproxy elsewhere)

  • Run mitmproxy
  • Convert the auto-generated certificate to your rooted android phone in the appropriate folder
  • Setup iptables to forward traffic though mitmproxy
  • Test if mitmproxy works (you should see decryted output when you use the browser and go so some https site)

Running the Fossil App with mitmproxy enabled

  • Now when you register a new device you can inspect the traffic from/to Fossil servers in mitmproxy. Facebook is also fed with data. You cannot opt out, but you can block the traffic.
  • Look for a PATCH request to the Fossil server ending with /secret-key (even if it has a 404 response)
  • press enter on that request and loop at the JSON. There your will see a 256 byte key that is base64 encoded, it will look something like this: "secretKey": "eriwogvjmerighDFGWERj45jdfgsd345FDGdfgdfgdf="
  • Do the following (insert your key) echo "eriwogvjmerighDFGWERj45jdfgsd345FDGdfgdfgdf=" | base64 -d | hexdump -C
  • Take the first 16 bytes of the output, in our example this is 7a b8 b0 a2 0b e3 99 ea e2 82 10 c5 19 61 11 8f, remove the spaces and prefix with 0x, igrore the second 16 bytes (second line), we don't need it.
  • This is your key you need for Gadgetbridge (here: 0x7ab8b0a20be399eae28210c51961118f)

**NOTE: You need to fininsh the firmware installation to the Watch, and then activate your watch, if the process is interrupted, you need to start over, and you will get a new key, the old one will be invalid, so keep you mitmproxy running till the watch is usable. **

Method 2: The easy way using a patched app which will reveal the key

There is a patched original app which will reveal the keys, the code Gadgetbridge developers did not test it, this is not a recommendation, but it might work for you:

https://www.reddit.com/r/FossilHybrids/comments/k81kkq/unofficial_enhanced_android_app_based_on_v460/

Method 3: Using FossilHRAuthenticator

Create a shared secret for Fossil HR watches and more - this app allows authenticating against all endpoints that support the same protocol. I, for instance, use the authenticator to authenticate my Fossil HR against the Fossil servers.

https://github.com/dakhnod/FossilHRAuthenticator

Using Gadgetbridge

  • Uninstall the fossil app if you plan to use Gadgetbridge on the same device you obtained the key on, unpair the Watch from Android settings if it is paired
  • Press the + button in Gadgetbridge, long press on the Found "Fossil" Watch, enter the secret key (make sure you have no line breaks or spaces in your input)
  • Go back and tap on the Fossil watch in the list
  • Should connect

Using Tasker, Easer or another automation app

Note: information taken from here, here and here.

Commute app

  1. Configure one or more Actions in Gadgetbridge. These will be your Commute destinations. Example: "Test"
  2. Create a profile in Tasker with the event "Intent Received" with the following content:
    • Action: nodomain.freeyourgadget.gadgetbridge.Q_COMMUTE_MENU
  3. Create a task in Tasker with the following content:
    • If: %extra_action EQ Test
    • Send Intent
      • Action: nodomain.freeyourgadget.gadgetbridge.Q_SET_MENU_MESSAGE
      • Extra: EXTRA_MESSAGE:Test action received!
      • Extra: EXTRA_FINISHED:true

You may set EXTRA_FINISHED to false if the watch is to wait for more content from the phone, and then send another intent with more content.

Custom widgets (firmware DN1.0.2.20r and newer)

  1. Configure one or more custom widgets in Gadgetbridge 0.63.0 or higher
  2. Note down the widget numbers as shown on the watch
  3. Create a task with name Send custom widget 0 config in Tasker and add the action Send Intent with the following content:
    • Action: nodomain.freeyourgadget.gadgetbridge.Q_PUSH_CONFIG
    • Extra: EXTRA_CONFIG_JSON:{"push":{"set":{"widgetCustom0._.config.upper_text":"%par1","widgetCustom0._.config.lower_text":"%par2"}}}
  4. Create more tasks like the above for every custom widget number. This greatly reduces complexity in using it later on
  5. To send data to the custom widgets, create another task which will retrieve/generate the text and add the action Perform Task with for example the following content:
    • Name: Send custom widget 0 config
    • Parameter 1: Home
    • Parameter 2: 21°C

Custom widgets (firmware DN1.0.2.19r and older)

  1. Configure a custom widget in Gadgetbridge
  2. Create a task in Tasker and add the action Send Intent with the following content:
    • Action: nodomain.freeyourgadget.gadgetbridge.Q_SET_WIDGET_CONTENT
    • Extra: EXTRA_WIDGET_ID_temp:21°C

Do Not Disturb functionality

In the Hybrid HR settings on the watch, there is an option to mirror the Do Not Disturb mode on the phone. For this feature to work as expected, notifications will have to be sent to the watch regardless of the active Do Not Disturb mode on the phone. To achieve this, Gadgetbridge's global Do Not Disturb option in Notification Settings must be disabled. If this setting is enabled, all notifications that are suppressed by the phone's Do Not Disturb setting will be ignored completely.