top of page

Resurrecting Basis Watches after the 2016 Intel Recall

Updated: Nov 10, 2020


Retrospective

It seems fitness tracking has become more of a thing that it was when the Basis B1 was initially released in 2012/2013.


Several years on and the market has seen advancements in many areas, such as the ability to track stress through heartrate variability and a wider range of form factors. There's also a lot more effort put into gaining intelligence from the data and providing deeper insights.


But having said that, I can't help but feel almost all of these devices are still lagging in many ways behind the Basis B1 and Peak. Basis watches had the ability to track a wide range of metrics that even today the vast majority of fitness trackers simply don't monitor at all, there was also methods of exporting some of the key low-level data for users to process themselves. Both watches tracked:


- Heartrate

- Skin & Ambient Temperature

- Perspiration

- Motion (triple-axis accelerometer)


Along with great hardware, the data handling had proved to be effective, particular with respect to sleep tracking where they were widely regarded as a leader for consumer devices. It amazes me how restrictive manufacturers have become in providing customers their own bio-data, Garmin for example, apparently charge a staggering amount to access their health API and even then there's an exhaustive form to fill after which you can be denied access.


Despite being ahead of the times, either through bad luck or a genuinely shoddy QA process, Basis unfortunately lapsed on the most important factor in wearables...safety. Shortly after the company was acquired by Intel, Basis released the Peak, which boasted 30% brighter LEDs and faster sampling rates for optical heart-rate monitoring. This sounds great on paper but it was soon found that a small number of these devices were causing burns to consumers. While the B1 hadn't seen these issues, Intel decided to disband the operation, stepping away from the wearables scene. A lot of the technology was conducted within the Basis Cloud environment so with a discontinued product in the B1, it wasn't deemed worth the time and expense to keep the applications running and therefore all servers were shut down, effectively rendering Basis watches useless (seemingly). To save face, Intel offered refunds on a recall for both B1 & Peak watches.


I'd managed to get a used B1 from eBay in the UK when they came out initially and had always been generally impressed by the device and the web-application.


Not long after Intel's recall, fitness trackers became the target of sophisticated hacks as they became more popular. These exploits targeted most aspects of device functionality and even personal health data breaches have occurred. One of the most notable hacks was against Fitbit, where a team showed vulnerabilities across it's whole chain, you can find this from a DEF CON 27 presentation by Daniel Wegemer.


Resurrection

Inspired by some of the fitness device hacks and a massive drop in used Basis watch prices (average I spent on a few was around $20 each), I recently set out to restore a Basis watch to a useable level and try and extract raw health data.


Note that to do this hack you need a watch that has already been activated - if the watch is boxed etc then it is only good for spares and parts (not a bad idea to have these at hand though). So if you're buying one of these make sure it doesn't say something like 'setup.mybasis.com' when it's turned on - it should be showing time albeit wrong because the clock needs setting, which we can fix. I'd ask the seller to take a photo with the watch turned on, and I'd also ask that they demonstrate the heartrate LEDs light up when you touch the contacts on the back. If they can't show those 2 simple things I would move on. You also need to be careful not to hard reset these watches - if you delete the firmware it's game over for this approach :s


The more important parts of the hardware of both the B1 & and Peak are fairly well documented online, and getting data from these through directly connecting to UART is probably possible as there's plenty of info in datasheets on where these are going to be. The B1 uses an Amped bt23, and the Peak had a more common Nordic nRF based module. Both devices have additional processors that operate at low-power to collect sensor data. I didn't really want to get working at that level unless I needed to as I'm just interested in getting the watch working again rather than modifying/analysing the firmware etc and I'm crap at soldering anyway. So the method I looked to was reverse engineering the Android app to see whether I could extract the data I wanted that way and also get the watch working again.


The Android apps are no longer listed on the Google Play stores but legacy APKs are usually archived somewhere on the web so these were easy to source. I started with the B1 just because I already had the original app on my phone and therefore had some existing data cached from around 2016, which I figured might prove useful to have at hand. The B1 also had a companion PC/Mac app with a driver that allowed for syncing with a computer and upgrading firmware but I can't find the necessary software anywhere.


Once I decompiled the mybasis APK for the B1 and also reviewed the code using Jadx, it became clear that the developers had left a lot of information in the production version of the app that you wouldn't normally find. At the login page, if you used the username and password pair 'Jersey' 'Shore', you would get into a developer options section. This allows you to change the domain the app connects to for the API and a whole host of other debugging options that aided reverse engineering. There was also a folder called 'fake web-data' that had example cached outputs from API requests, this helped in understanding the response format.

From here the approach I took was to recreate the mybasis API but a very stripped down version of it that just gives the android app and phone all that it needed to login and start working. Where the original API hosted by Intel/Basis would review login requests against a database or check that you actually owned the watch you were trying to sync with - I just created static pages that gives the app approval no matter what you put in the fields. Using this approach, all that's needed is to use the app as you normally would and then analyse the HTTP requests in the log files for the app and/or use something like BurpSuite.


This workaround can likely be done without modifying the app at all but to make this easier I did make amendments to the APK in changing a few of the smali files which prepends my custom domain in the developer options with 'http://' rather than "https://api-", and this does 2 things: 1. it means I can use an IP address in that field and 2. I can use http rather than https. If I didn't do this change, I'd need to look at options like setting up a local DNS server to resolve the hostname to my webserver - not a massive job but if I can cut time I will.

Once I had all the relevant pieces of the web API in place, I finally had a working watch and the resultant 'pulsedata.dat' file! At this stage I needed to decode it, otherwise it's useless. The file that gets uploaded is zipped, and once decompressed you have a binary file with all the relevant data within. The method I used to decode this was to open the file in a hex-editor and scroll through it until I saw a repeating pattern in the ASCII text. Once I'd found the relevant blocks, I went through checking numbers and used trial and error to understand and parse the sequence.

I actually had an advantage in this part because someone had previously made an independent app for the basis B1 and had got some way into decoding the data, which they kindly shared: https://github.com/maneti/LibreBasis. There were a few gaps in the parsing but I managed to work those out and rewrote my own script for parsing the data into a CSV file. I also notice a slightly higher sample rate for some metrics on my watch vs whatever was used in LibreBasis, I'm using the Carbon Steel edition so either it's something intrinsic to this newer version of the B1 or it might be because of newer firmware.


Eventually what I get is 1 file with minute level data that has:

-60 heart rate samples

-12 skin temp samples

-30 galvanic skin response samples

-1 reading of what i think is possibly air temp

-90 accelerometer readings for each axis (270 readings)


Quite a lot of info! And provided it's not too noisy, you can track and chart sub-minute data fairly easily. You get a similar thing with the Basis Peak but not the same level of detail.


Below is a graph that shows an overnight period in Excel. You can see where I've fallen asleep with the drop in movement from the accelerometer and steadiness in heart rate. At a glance you can even make out sleep stages.

Eventually I can use this kind of info to create JavaScript charts of the data as I need it from either a web or mobile device. I could also:


-benchmark the readings against more accurate devices to understand offsets/calibrate

-develop a sleep-stage script and also refine it using comparisons against a brain sensing headband

-profile movements using the accelerometer to distinguish between things like walking, swimming, cycling etc tailored to me rather than broad algorithms.


Further, the data is held by me alone, I don't have to register anywhere or commit to any subscriptions to access or use the device.


This approach to getting the B1 working also applies to the Basis Peak with just one additional server file. The android app was clearly similar when I first looked at it but I was expecting to have to modify a few more things to get it working so this was a bonus!

I've uploaded the fake server files to GitHub along with example parser scripts in Python that exports the data to CSV & JSON.


GitHub Project:


Other useful links:

hardware overview


release notes for various firmeware




693 views0 comments

Recent Posts

See All

Comments


bottom of page