Welcome to Hell Developer
- #debug mode
- #BLE protocol
- #reverse engineering
- A bike ride sync issue on a Wahoo ELEMNT Bolt v3 prompted the reverse engineering.
- Decompiling the APK revealed an internal profile system with STD, BETA, ALPHA, DEV, and FACTORY modes.
- Retail devices use STD mode, but switching to DEV unlocks a debug menu.
- The profile is stored in SharedPreferences, and ADB access requires an ALPHA+ profile, which creates a chicken-and-egg problem.
- BLE characteristic BOLT_CFG allows configuration writes without application-layer authentication, relying only on pairing.
- Reverse engineering showed a three-byte packet (0x01 0x42 0x03) to set the DEV profile.
- A Python script using bleak was written to send the packet, with challenges like notification subscription and bonding.
- After activation, a debug menu appeared with 'WELCOME TO HELL DEVELOPER' and features like config editing, GPS controls, and ADB access.
- The sync problem was ultimately due to the phone, not the cycling computer.