Unbricking a $2k bike with a $10 Raspberry Pi (ptx2.net)
967 points by ptx2 11 months ago | hide | past | favorite | 230 comments

> A simple fix is to just use the previous power value if ever: the cadence is non-zero and the previous power is non-zero and the current power is zero. A slight improvement is to keep track of the slope and factor it in when calculating the predicted value.

Looks like somebody rediscovered the Kalman filter without realising it :)

I recall implementing one for an IoT device, to de-noise gas sensor readings a few years ago.
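The dropout patch quoted above, written out as a small filter over (cadence, power) samples. This is an added example, not code from the article or the thread; the sample series and the hold-versus-slope switch are constructed here for illustration.

```python
# Added example (not from the article or the thread): the power-dropout rule
# quoted above, applied to a series of (cadence, power) samples.
# The sample series in demo_series() is constructed for illustration.

from typing import List, Optional, Tuple

Sample = Tuple[float, float]  # (cadence in rpm, power in watts), one per tick


def fill_dropouts(samples: List[Sample], use_slope: bool = False) -> List[float]:
    """Return a power series with spurious zero readings patched.

    Rule from the article: if cadence is non-zero, the previous (filled) power
    is non-zero and the current power reads zero, treat the zero as a dropout.
    With use_slope=False the previous value is held; with use_slope=True the
    slope between the last two emitted readings is extrapolated instead.
    """
    out: List[float] = []
    prev: Optional[float] = None       # last emitted power
    prev_prev: Optional[float] = None  # the one before that, for the slope
    for cadence, power in samples:
        value = power
        dropout = cadence != 0 and prev is not None and prev != 0 and power == 0
        if dropout:
            if use_slope and prev_prev is not None:
                # Linear extrapolation; clamp so a falling slope never goes negative.
                value = max(0.0, prev + (prev - prev_prev))
            else:
                value = prev
        out.append(value)
        prev_prev, prev = prev, value
    return out


def demo_series() -> List[Sample]:
    # Constructed ticks: a dropout at index 2 (pedalling, power reads 0),
    # a genuine stop at indices 4-5, and a restart at index 6 where the
    # zero is real because the previous emitted power was also zero.
    return [(80, 150), (82, 160), (81, 0), (83, 170),
            (0, 0), (0, 0), (85, 0), (85, 180)]


if __name__ == "__main__":
    print("hold :", fill_dropouts(demo_series()))
    print("slope:", fill_dropouts(demo_series(), use_slope=True))
```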

Pretty fun read. Makes me wish I could gather the courage and patience to get back into hacking on embedded stuff

That's horrible that Peloton was able to do this. Maybe there's more to the story, but it seems like the court allowed them to shut down a competitor for simply building a similar (relatively obvious) product?

In fact, the CEO of Peloton had the idea for Peloton... IN A FLYWHEEL CLASS. That's insane.

I've heard from a Flywheel customer who's been following the case closely that the discovery phase was very damning for Flywheel – blatant theft of Peloton's corporate documents, including things like proprietary operating details, internal financials, projections, & future plans, with direction & understanding of Flywheel management/investors, feeding directly into Flywheel's plans.

So it was bigger than just a patent case, and Flywheel, caught red-handed, had no choice but to settle to Peloton's satisfaction.

Peloton also engage in all manner of shady marketing, heavily astroturfing all purportedly “community” forums, and silencing criticism or negative comments.

I had one of their bikes, and sold it because the service was crap. I encourage people not to do business with this shady company.

Clicking through the Verge links it sounds like Peloton had a patent that Flywheel infringed on.

We'd need to do a lot more reading to have an opinion on that case.

These are the patents I assume:


They are as absurdly simple as you would expect, so I assume Flywheel simply didn't want to/had the money to fight this. Like, here is the ultra-obscure "KETTLER World Tours" in 2018 having you race online against others on archived footage retrieved over the internet:


Is there enough prior art to bust the patent? I’d be interested in donating to the EFF specially to invalidate this patent.


Here's the best article I could find on it: https://www.vice.com/en_us/article/qjdz7v/project-magnum-fly...

I agree that Peloton had a patent. My argument isn't a legal one (clearly, legally speaking, Peloton was in the right). I just think it sucks.

I think there's a solid argument that patents are generally harmful, especially patents of software or non-revolutionary product features, so I think you can form an opinion.

If we embraced copying a little more I think our society would be better off.

A person can have an opinion on patents that isn't specific to a particular patent or claim.

It is a classic example of "on the internet" patent,

The problem is not Peloton per se, the problem is the Patent office allowing these obvious "Thing in the real world -> On the internet" patents to pass right on through

It’s a shame that more exercise bikes don’t have open APIs. Zwift is an absolutely awesome way of keeping in shape if you like cycling, but the barrier to entry is that you need to own a bike and a bike trainer that are both pretty expensive. Maker projects like this one always make me happy, because it’s repurposing an old piece of equipment to function just as well as a new one. Next step would be adding smart controls to the resistance ;)

It's a $2k training bike. You could spend $1k and get a really nice brand new road bike and a smart trainer that controls resistance like a Wahoo Kickr Snap (or several others) for ~$500.

I just don't get why the Peloton thing is so popular when you can get a smart trainer and a bike you can actually take outside for sooo much cheaper. You could even sign up for Zwift and a Trainer Road subscription and come out waaay ahead of $50/month.

The protocols coming out of these things have become pretty much a standard as well. Get an ANT dongle for your computer and the data can be consumed from so many apps, even an open source project like Golden Cheetah. Or just read the data from a head unit that already supports it.

I have a ton of road bikes and a high-end smart trainer but I'm under no illusion that for someone not looking to ride outside ever, a purpose-made exercise bike is a vastly superior option. Even the smart trainer companies have figured this out and are making fully integrated exercise bikes.

One obvious reason is that no one cares what the exercise bike weighs and it will never be exposed to dirt or rain. That allows you to make a drivetrain that can trivially last past the useful life of the equipment without any maintenance ever. Meanwhile on the road bike you strapped to the trainer you have a chain, cassette and chainrings for no good reason - all of it ends up feeding into a variable resistance unit anyway!

Similarly putting a road bike you have used extensively on the trainer back on the street generally means doing a complete overhaul - you sweat salt water all over it and don't want your alloy handlebars to break in half because it corroded underneath the bar tape.

Ceterum censeo: we should focus on fixing the reasons that many people, particularly women, feel unsafe riding a real bike outside that they would rather stare at this screen going nowhere inside. Most of them without the mandatory two box fans blasting a hurricane their way, it makes me die inside just seeing that.

>> you sweat salt water all over it and don't want your alloy handlebars to break in half because it corroded underneath the bar tape.

Of all the ways to crash - mechanical failure, operator error, 3rd party - this is the one that keeps you up at night? We come from very different cycling worlds...

I've had a handlebar snap in half while road riding and can assure you this concern is warranted.

We come from very different cycling worlds

That doesn’t seem like a bad thing? Instead for cycling, it seems...like an inherent property I’d expect a cyclist to actually anticipate and empathize with.

It's not just dirt and rain. Inexperienced bicyclists have a very real chance of getting hit by a car. I'd pay $500 on my worst financial day to avoid that.

You can drop the word "Inexperienced". But the idea of paying to avoid this risk is misplaced. You're also doing a completely different activity. Under your logic you should also work from home and order in all your meals. YOLO doesn't mean "... so be extremely careful".

I've been doing this for the last few months and, y'know, it is really appealing...

> Inexperienced bicyclists have a very real chance of getting hit by a car.

I have 3 friends that were hit by cars last year, 2 bikes and one e-scooter.

None of them were at fault.

>None of them were at fault. That doesn't make the injuries less severe

The laws of physics >>> laws of the road.

He with the most lugnuts wins.

The cemeteries are full of people who were "right".

There are two things at play, that have really cut into what roads I will ride on.

1) Distracted drivers. And it has no relation to age. I see old people using their phones, I see young people using their phones. This is number 1, by a huge margin, and it is just getting worse. I never use my phone, other than for navigation, while driving. Not even hands free. Leave a message.

2) Bicyclists that don't follow the rules of the road. Stupid young kids using both sides of the road, and sidewalks, I sort of understand. We were all stupid young kids at some point in our lives. But there is no excuse for stupid adults. If you have a driver's license, you know the rules, they are not that hard. Where I live, more than two thirds of bicyclists ride to the left, against traffic. Lately, maybe as much as three quarters. My kids (young adults) all ride on the right, when they ride. They were taught that from day one. Does no one teach bicycling to their kids?

So I am out riding, trying to be aware of the roadway, blind spots, cars (worse, trucks on narrow roads), and as I crest a hill I meet another bicycle coming straight at me. WTF?

> I just don't get why the Peloton thing is so popular when you can get a smart trainer...

You're missing the point. It's not indoor cycling, it's more like at home spin class or soul cycle. The customer base is pretty different, and the experience is a lot of what they're looking and paying for.

Right. You can easily argue the Peloton bike isn't worth $2000, but of course the content costs more to produce than Zwift content. Whether you think that's worth it or not is up to you as a consumer.


If that’s true (which it isn’t for everyone) there’s still nothing wrong with that.

They're buying a brand to make themselves feel cool. The quality of the product is irrelevant as long as it looks fancy.

That's probably not true given that a Peloton bike sits in your spare bedroom and no one you want to impress will ever see it.

> I just don't get why the Peloton thing is so popular when you can get a smart trainer and a bike you can actually take outside for sooo much cheaper. You could even sign up for Zwift and a Trainer Road subscription and come out waaay ahead of $50/month.

You'd be surprised how much twiddling and research you need to do to find a correctly sized bike and which smart trainer (elevation? resistance? etc?) to get something that will work for the average person. It's the same reason people go for iPhones or Macs or anything else that 'just works', the time cost for getting to where one can actually use it vs. just unpacking a box w/ a 'good enough' smart bike means that a shiny package like a Peloton will always be preferred for a large chunk of the population.

I train at home on a no-name steel frame I built up myself with spares scavenged or traded at a swap-meet, sitting on a second-hand (non-digital) Kurt Kinetic resistance unit, total build cost ~ $250, excl. my own labour and home workshop.

Honestly prefer training this way to the gamified Zwift experience, there's something deeply off-putting about gluing my eyes to a screen when I'm meant to be focusing on 4x5 intervals. I have a Wahoo Kickr; I hardly ever use it.

I didn't have any prior wrench experience, this was a project in part to gain some. All I had were some Youtube videos, a copy of Leonard Zinn's The Art of Road Bike Maintenance, and some basic tools. I did, however, already know my fitting dimensions.

The bikes I race on are what you'd expect though. More expensive than my car.

What I've noticed is that if you want to build a dedicated indoor trainer bike from used parts, there definitely is some good opportunity now to pick up previous generation stuff for cheap.

As serious road frame design is moving to disc brake and thru axle, something like a 12 year old all aluminum Cannondale or specialized road frame and fork set for QR skewers and 130mm rear should be pretty cheap. Then add basic all aluminum components for stem, bars, seatpost, etc.

I'd still expect to spend $125-200 on the saddle if I want exactly the same model to match my actual on-road bikes.

For this build I acquired (from eBay) a bargain-basement second-hand test saddle of the same model I use in competition. Well, it was the alloy-rail version rather than the carbon-rail version, but otherwise identical in form. My butt was happy with it, which is what matters.

Can confirm it was still the single most expensive component of the whole bike build, more than the frame, wheels, or groupset even.

Test saddles aren't supposed to be sold to the public; I believe it was a liquidation sale.

Is there a good guide one could follow?

The Park Tool “Big Blue Book” is very good. So is their archive of instructional articles and videos (https://www.parktool.com/blog/repair-help).

Since I built using mostly Shimano or Shimano-compatible groupset parts, their techdocs archive was a goldmine, particularly the dealer manuals and compatibility charts. The site navigation is horrendous but the information is essential.

I’d still recommend the Leonard Zinn but note the most recent edition is 2016, may have omissions for current wheels and groupsets.

Thank you! Will check it out

Go to any half decent bike shop and say you'd like to spend that much on a bike/trainer and they will bend over backwards to make sure you get exactly what you want and need. They will very likely even throw in a custom fitting using all the special tools they have at their disposal.

Not sure what twiddling you are doing with resistance and elevation, smart trainers pick the resistance based on what the app tells it to do in real time.

By no means can a 'large' chunk of the population afford $2,500 up front plus $60/month.

With a real bike on a trainer some people might even decide to try riding outside, who knows...

People here really underestimate the cost of a decent road bike. If you don't have a bike already and want to only do indoor riding $2000k is best spent on an indoor bike not on a smart trainer + road bike. If you want a reasonable trainer you definitely want a direct drive, which rules out the snap so you are already in the territory of a wahoo kickr core or elite direto at about $700 and $1300 will give you the absolute bottom of the line in road bikes (not that one necessarily needs more for indoor riding). Then come the issues of maintaining the bike, generally the indoor environment is not really suited for road bikes. On top of that the quality of ride experience is going to be significantly worse. The noise from a bike on a trainer is much louder than an indoor bike.

Now that said, should you buy a peloton? Unless you're interested in indoor spinning classes don't. Get a tacx neobike, the wahoo kickr bike or the stages bike. They are much better bikes and allow you to use any of the many training platforms out there (zwift, rouvy...). If you're just interested in indoor spinning classes, just get yourself an indoor spinning bike without all the fancy electronics.

I've been riding competitively for a long time and when I moved to Northern Europe from Australia and needed to get myself a trainer for winter, it still made the most sense to get the tacx neobike despite already owning 2 roadbikes and a cyclocross bike.

> By no means can a 'large' chunk of the population afford $2,500 up front plus $60/month.

Where did you get $60/mo from? GP mentioned $50 which is also off base... A peloton sub is $13/mo. The only way you could pay $60/mo is if you’re financing the bike.

Peloton has 2 subscriptions available: one for just the app without the accompanying bike which is $13/mo, the other that accompanies the bike which is $40/mo.

I see huge numbers of folks on Peloton groups who have gotten into outdoor cycling as a result. It's actually a near-constant stream of folks on the FB groups asking for advice.

The Peloton is really a great bike, I seek them out whenever at gyms, hotels, etc.

The price isn't that bad of a deal for someone inside all the time wanting a great bike to workout and the classes.

Thankfully, I'm kinda a nomad so I haven't done it yet, though the past few months I've been stuck in one location and debated about it.


Try to find one! They're fun and good. It's all fake motivation and such but it's really good if you follow the yellow brick road and do it 2-3 hours a day.

> You'd be surprised how much twiddling and research you need to do to find a correctly sized bike and which smart trainer

Yeah, I'm surprised. People come into a bike shop and come out with a reasonable bike unless they're really looking for something special. A Kickr stand and a bike which fits you "just works" in my experience. What exactly do you think an average person would need to do beyond that?

How did our parents survive with their stationary bikes in 1970?

They were used for a few months after Christmas and then left unused.

Road biker here. I used to go to Flywheel classes and have done some Peloton IRL in NYC. I also own a Wahoo Kickr and have a Zwift subscription.

I get the appeal of Peloton. First, Peloton is fun. Zwift is so freaking boring. I listen to murder mysteries while on Zwift because I think it's so darn boring. I only do it because I feel like it's a more effective workout. And cost wise, I already have a bike. Second, I know tons of people who don't ever want to bike outside. It's too dangerous or too much logistics.

Because people don't want to ride in poor weather? Because the terrain is inhospitable to their current fitness level? Because the terrain is inhospitable to any fitness level? Because they may only have 45 minutes to ride and want to spend the full time riding? Because they live in an area with a lot of pollution? Because they have medical issues where they worry about getting stuck away from their home? Because they just like tech or just don't like being outside?

There are plenty of completely legitimate reasons.

The one thing that bothers me with ANT is that it's supposed to be an "open" protocol, but in reality it's this proprietary thing that Garmin has locked down. In my experience, there are a lot of hoops to jump through just to get a basic app set up (all of their example code appears to be ~5 years old).

It makes me wish there were an open, real-time, fitness data project that had more easily usable SDKs for these kinds of things (along the same lines as Golden Cheetah).

I bought a $300 magnetic resistance bike, cadence monitor ($20), and a heart rate monitor ($40). The Peloton subscription is $12/mo for the app which I use on my phone. The only thing I'm missing is 'resistance' and 'output', but for roughly $1600 in savings I'm fine with it.

The classes are fun and they also include other things like strength, yoga, running, etc. There is no way to get classes around me for $12/mo or even $12/session.

'really nice' road bikes don't start at $1k. More like $3k. $1000 doesn't buy much these days, from the perspective of a serious road cyclist it'll be some barely usable thing with Shimano sora or worse level components on it. And will weigh over 20 pounds.

Someone who knows what they're doing with road bike mechanic stuff can probably piece together a decent dedicated indoor trainer bike for $1000. Using a combination of used and new components.

I have a $150 bike for commuting, and it's fantastic. I don't worry about getting it stolen, and riding it is hard because it's heavy/has shitty components, which is exactly what I want from a bike.

Since my commuting distance is fixed, I want the ride to be as hard as possible, otherwise I don't train effectively enough. I should probably trade it for an even shittier one, to up the difficulty level.

I would be careful because better parts also mean better safety. I remember a few times where a crash would have happened if I didn't have my brake discs or on my old bike where the chain fell off and I almost lost my balance. Otherwise same, my commute was small too so I tried making it as hard as possible and sometimes also taking detours

> I would be careful because better parts also mean better safety.

This is certainly true, luckily my commute runs along a pedestrian waterfront, and I never go on the road, so I feel safe enough with it. Then again, I wouldn't ride on the road in Greece even with a $10k bike.

You don't need a $3000 bike for an indoor trainer. Everything that makes a road bike expensive is irrelevant or counterproductive in a trainer.

It really comes down to what your goals are.

Are you riding centuries on a regular basis? Yup, $3000.

Are you just out riding to get some fresh air, sunshine, and exercise? $500 is plenty.

It's heavy? I am only riding twenty miles. Oh, and it has inch and a quarter tires, with a wee bit of tread, and I cannot remember the last time I got a flat tire.

As I opened with, it all depends on your goals.

if you're willing to buy used you can get incredible road bikes for 1k. I just bought a used 2016 Giant Advanced SL2 for 1.2k. It was > 4k at the time it was purchased.

Because it was 111 degrees today.

I'm a frequent road and (less frequent) mountain cyclist, and I've got a Peloton (just did my 500th ride on it on Friday AM, in fact).

I've attempted to answer this question before for others, but honestly, I've only ridden zwift once, on someone else's setup, so I can't compare how "good" the experience is.

That said, despite my involvement in the cycling world, I still have no idea how to Zwift. I know I need a bike, a trainer, some kind of device to play the 'game' part, a display, and sensors. Presumably the smart trainer has power built in, but I don't know if I would want BT, or if I'd want ANT and then an ant dongle for my computer/tablet. I know the words Zwift, Watopia, Sufferfest, TrainerRoad, and about 37 others, but don't know the relationship between them. I don't know how the whole ecosystem fits together, what I download, who I pay, and from watching others struggle with it, it's pretty clear there's a non-0 learning curve.

I know for a fact that I COULD figure it out, but that doesn't mean it's for everyone, or all cyclists, or all cardio enthusiasts, or all people into spinning. From the cycling groups I'm in, whenever Zwift comes up, it seems like people are always discussing what components to get to work best together. I'm sure once you get the 'right' components it just works, but it sounds fairly fiddly for newbies.

I also hate riding a real bike indoors. When we had a mag trainer, my wife and I NEVER swapped the bikes out; she wanted me to do it, and so the 'wrong' bike was always on the trainer, and it always felt so damn fragile to me. I'd definitely want to use a dedicated bike for a smart trainer, not one I try to ride outside.

Another (admittedly minor) factor is size. I actually realized that I physically cannot fit a bike+smart trainer in the space our Peloton bike goes in our workout area (with a Peloton treadmill and Precor elliptical).

I'm pretty active in a handful of Peloton FB groups, and it definitely feels like there's a tendency for folks who use Peloton and ride outside to head towards Zwift for their indoor training, but there's also a significant percentage of people who went the other direction, or tried Zwift and didn't like it/found it boring/etc. The video game competition aspect of it looks like a lot of fun to me, but not enough to bother investing in a setup.

So, that's my 2 cents. While I didn't personally make the purchasing decision, I've made a lot of similar ones -- pay a bit extra for something that just works, where someone already did the research and made the decisions for you, and you don't need a new hobby or project to make it work. The same reason I use Apple devices, the same reason I bought a Synology instead of building my own NAS.

It may have been possible for the company to post the API publicly after Peloton shut them down without incurring any further legal liability. That would have been a responsible thing to do...and a way of getting back at Peloton.

Open apis pretty much ruin honest competition, leaderboards, live races, etc. People already game metrics on their pelotons to get top 10 in races, and I don’t think companies want to deal with that on a larger scale.

It’s a great idea, but I don’t think it’s always the right idea.

The issue of cheating is a genuinely valid one, but so is being able to use the hardware with a variety of software. And in this case, are you sure open APIs are actually in conflict? "Open" doesn't have to mean "forgeable", wouldn't it be possible to have a fully open and documented bike API that also cryptographically signed output? Software could choose to not care about the signature and just run off the API directly, or to require a signature from a specific set of manufacturer keys, or for that matter both (why not support both casual groups and competitive ones depending on what users want?). Obviously for hardcore competitive types it'd still come down to the security and gameability of the hardware itself, and even if it was fairly solid it'd still mostly be about discouraging lazy cheaters, since as far as home use goes nothing stops someone from attaching an electric motor or something if they really want to screw with things.

But I don't think full open APIs any software can use in this case precludes getting as much security as is possible to get out of the software/electronics side of things. And full open APIs would be super useful for longevity, variety of use, etc.
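One shape the "open but signed" API proposed above could take, as an added example that is not part of the thread or any vendor's code: telemetry frames are plain JSON anyone can read, each carries a signature and a sequence number, and the consuming software decides whether to verify. Assumptions: HMAC-SHA256 with a per-device key stands in for the signature because the Python standard library has no asymmetric signing (a real deployment would use an asymmetric scheme so verifiers hold only manufacturer public keys); the device id, key and frame layout are constructed here.

```python
# Added example (not Peloton's, Flywheel's or the article's code): an open JSON
# telemetry frame with an optional signature, plus a verifier that can run in
# "casual" mode (accept anything) or "competitive" mode (signature + sequence).
# ASSUMPTION: HMAC stands in for a real signature; keys and ids are constructed.

import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed demo key, indexed by device id. With an asymmetric scheme this
# table would hold manufacturer public keys rather than a shared secret.
TRUSTED_KEYS: Dict[str, bytes] = {"bike-0001": b"constructed-demo-key-0001"}


def canonical(frame: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(frame, sort_keys=True, separators=(",", ":")).encode()


def sign_frame(device: str, seq: int, cadence: int, power: int, key: bytes) -> dict:
    """Bike side: emit a readable frame and append a MAC over its fields."""
    frame = {"device": device, "seq": seq, "cadence": cadence, "power": power}
    frame["sig"] = hmac.new(key, canonical(frame), hashlib.sha256).hexdigest()
    return frame


class Verifier:
    """strict=False: any frame is usable (casual use, unsigned hardware welcome).
    strict=True: frame must carry a valid signature from a trusted device key
    and a sequence number that advances, so a captured frame cannot be replayed."""

    def __init__(self, keys: Dict[str, bytes], strict: bool) -> None:
        self.keys = keys
        self.strict = strict
        self.last_seq: Dict[str, int] = {}

    def accept(self, frame: dict) -> bool:
        if not self.strict:
            return True
        sig: Optional[str] = frame.get("sig")
        body = {k: v for k, v in frame.items() if k != "sig"}
        key = self.keys.get(body.get("device", ""))
        if key is None or sig is None:
            return False
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False  # fields were altered after signing, or wrong key
        seq = body.get("seq", -1)
        if seq <= self.last_seq.get(body["device"], -1):
            return False  # replayed or reordered frame
        self.last_seq[body["device"]] = seq
        return True


def demo() -> Dict[str, bool]:
    """Run the cases a practitioner would check; returns each verdict by name."""
    key = TRUSTED_KEYS["bike-0001"]
    genuine = sign_frame("bike-0001", seq=1, cadence=85, power=210, key=key)
    tampered = dict(genuine, power=410)          # edited after signing
    unsigned = {"device": "bike-0001", "seq": 2, "cadence": 85, "power": 210}
    strict = Verifier(TRUSTED_KEYS, strict=True)
    casual = Verifier(TRUSTED_KEYS, strict=False)
    return {
        "strict_genuine": strict.accept(genuine),
        "strict_replay": strict.accept(genuine),   # same seq again
        "strict_tampered": strict.accept(tampered),
        "strict_unsigned": strict.accept(unsigned),
        "casual_unsigned": casual.accept(unsigned),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```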

Hidden electric motors have been used to cheat in real pro cycling. If they can’t always catch it there Peloton etc. have no chance.

I guess at least that makes it realistic.

Just some random theorizing here for fun, this is getting off topic of the cool hack:

>Hidden electric motors have been used to cheat in real pro cycling. If they can’t always catch it there Peloton etc. have no chance.

Though this is getting off topic, I'm not sure I agree with you. It's not necessary to always catch something in a situation like this after all, as with video games it is more about keeping down the rate, and permabans on discovery with retroactive stat updates may also discourage by raising the risk even if one might get away with any single instance. There is also the fact that stakes are just plain lower, things like Zwift are mostly about fun, getting into shape, and competitions to the extent that competition helps some people with A & B. It's not like there are massive cash prizes and sponsorships and so forth on the line in the same way the pro sports has. So lesser reactions could still work.

And the purely electronic world does have some additional potential tools, if we want to theorize about if a given community really got concerned about cheating. While as this example shows right now the needed data is very minimal, it's not as if an open API couldn't have a lot of biometrics, resulting in major data sets that could be kept around indefinitely. Which obviously has major privacy implications too, but purely from a cheating angle I suspect it'd be a challenge to get everything right vs sufficiently powerful ML analysis on a data set like that from millions.

I mean, at the end of the day the fact is that a human being assisted by an electric motor just isn't thermodynamically the same system. With sufficient resolution (possibly not feasible on real roads, but quite possible for a contained standalone system) the energy budgets and how they interact with human physiology just won't add up right.

Now I personally am not a serious bike rider at all, just casual for exploration of the countryside on my own, and while I have a bunch of family members who are they're all out on roads and aren't into the tech side as much. So I honestly don't have any idea what level of privacy/creep tradeoff people would accept in data collection vs cheating and any other benefits (better personalized AI training suggestions? maybe?). Still though, it's an interesting cat and mouse game, and I'm not sure I'd bet on the mice if the cats have enough data collection, memory and computing power on their side.

All of which not merely could but should even more be open, so that people can see exactly what is going out and have full control over it.

> There is also the fact that stakes are just plain lower, things like Zwift are mostly about fun, getting into shape, and competitions to the extent that competition helps some people with A & B. It's not like there are massive cash prizes and sponsorships and so forth on the line in the same way the pro sports has.

There have been at least 2 deaths related to use of Strava and probably many unreported near misses, all to have your name at the top of a list on a system you have to pay to use [1]. Cheating is widespread in any online game that has a decent audience, often for no discernible benefit. Humans are not rational, especially when it comes to competition.

[1] https://www.velonews.com/news/road/family-sues-strava-over-d...

What gave it away? I'd guess the back of the cyclist's t-shirt looking like a solar panel would be a good telltale sign (such a solar panel would produce probably ~50W under France's summer sun).

They used lipo cells hidden inside the frame of the battery, the heat output of the batteries lit up on an infrared camera.


Disconnect the pedals, attach electric motor, bam: cryptographically-signed leaderboard cheating.

>Disconnect the pedals, attach electric motor, bam: cryptographically-signed leaderboard cheating.

...thanks for repeating what I wrote in the fifth sentence, I guess? You could have at least mentioned steroids or something which I didn't cover which would also be easy to use there. But the fact is that like so many things level of effort required matters. Some people will try to cheat anything at any level, either for the rewards or even for the meta challenge of cheating itself. But when talking Big Numbers, millions of people using something, it can still be a big difference if it requires significant effort to cheat vs something trivial, and crypto signed data does raise other active response options too. Even in the electric motor example, is the electric motor output identical in cadence and so on to a human? Does the cheater use it the same way every time? Because if not, that may show up and they can be banned and leader boards recalculated. And cheaters could try to respond in turn, but having to try to hide things via physical systems would be trickier than pure software.

And at any rate, I was taking the poster's concern I was responding to as a given. My point was that even then, I don't think that open APIs are in conflict with doing as well as can be done from the electronics side. It's fine to also say "well, I just don't care about cheating and/or our group would socially moderate it" which I also tried to mention, merely signing an open API wouldn't get in the way of that either. It'd just be an extra open data point to use or not use as a given community wished.

Holding on to the back of a truck would be cheating.

Self reporting only works so far. Leaderboards should be connected to in person events with judges/rules if accuracy is important.

At a previous workplace that showed similar stats the focus was on personal breakthroughs and personal goals. Leaderboards existed within small groups who met up in person and rode together.

Is anything stopping someone from doing that with the Peloton hardware? I could absolutely motorize my pedaling if I wanted to (I wouldn’t even need to touch the API!) but it would defeat the entire purpose of buying the bike in the first place: exercise.

Usually when you want to cheat in virtual races you simply claim to be 20 kg lighter than you actually are. No need for a protocol hack or motors.

Not really relevant though, since that's true whether the API is open or not.

Not sure I follow your argument, if people are already cheating how would an open API be any different/worse?

Closed systems are unhackable or cheat proof?

I don’t think so

It's even better than that—closed systems are hackable and vulnerable to cheating, and it's in their peddler's (as opposed to pedallers' …) interest to make sure that you don't know about the vulnerabilities of which they are aware.

Is your dwelling impossible to break in to? I don't think so.

I also think it doesn't have to be.

Your dwelling's locks also have an open API (well, HPI) - most commonly, you stick a funnily twisted bit of metal into it, and then turn it until it unlocks.

There are many things that make regular locks effective at preventing unauthorised entry to your house. Ability to access the lock is not one of them, and neither is knowledge about its principle of operations.

This whole article showed how to hack a closed system. Closed APIs clearly don't prevent cheating and that's not why they exist.

Who cares? It's an exercise bike.

If the high score is what you want you can play a video game.

This is the reason I bought a Keiser bike instead of a Peloton, it has a simple display that works with Bluetooth sensors (I use my watch to record my sessions). I use the Peloton app in an iPad (I could pair the bike with the iPad app, but don't).

The bikes are about the same price, but the Keiser screen is a simple LCD display that's much cheaper to replace if it gets broken and is fully usable without a subscription.

Plus, I think the bike looks better.


I did the same and my Keiser M3i has been fantastic. Their GitHub repos are current and their lead developer actually answers implementation questions: https://github.com/KeiserCorp

When I'm considering buying a smart device that I'd be uncomfortable throwing away if/when the company ceases support, I ask them beforehand: Is there an open API and/or SDK? Does code or protocol escrow exist? This saved me from buying a smart watch and a smart ring. The manufacturers seemed healthy at the time but were bankrupt or acqui-hired and shut down within a year.

Hmmm. Both of you are getting me very close to pulling the trigger on the M3i. Just so I’m clear, you have to buy the “M Series Converter” bluetooth device as well so it can connect to 3rd party apps, correct? Or I could just record an Indoor Cycling workout manually on my Apple Watch, right?

Someone else answered your question, but I’d add that I previously owned a Sunny SF-B1002 “dumb” belt drive spin bike for about $350 and it worked great. It’s 90% as good for much less money. I only upgraded because I use it a lot and wanted a couple M3 features (infinite frame geometry adjustment and numbered/repeatable resistance control), or I’d still use the Sunny.

I had to get the converter to sync with my (Garmin) watch, so I imagine that you'll need it to pair with apps. It wasn't really clear whether I'd need the converter or not, but turns out that I did -- I figured I'd return it if I didn't need it.

I haven't actually tried pairing it to my iPad or other devices.

Thanks for the info!

Mentioned some of this in another comment:

"It's a $2k training bike. You could spend $1k and get a really nice brand new road bike and a smart trainer that controls resistance like a Wahoo Kickr Snap (or several others) for ~$500."

That being said the M3i seems to be one of the more flexible options if you are gonna go the stationary bike route.

$1K would get a decent road bike, but not really one I'd consider "really nice".

I have a really nice road bike, and a decent steel framed commute bike. I've used both on a trainer, but it's not the same feel as a spinning bike, particularly when standing up and cranking hard on the pedals.

A good spinning bike will last a decade or more with little maintenance, but you'll be changing tires often on the road bike trainer as well as all of the other maintenance that comes with a bicycle.

You can get a good workout on a bike+trainer and if that's all your budget (or space) allows, it's a good option, just don't expect it to be a spinning bike.

Products like this make me furious.

Selling a product whose interface/API/whatever is deliberately obfuscated so that the manufacturer also has a monopoly on a subscription service or an app for said product is blatantly anti-consumer, anti-competitive, anti-environment, and should be illegal.

Fuck Peloton. Fuck Flywheel. Fuck all the proprietary IoT companies.

And apparently fuck me for having the gall to want to control my air conditioner from my computer rather than GE Android app #12 that has God-knows-what baked in and that's going to be abandoned in two years anyway.

Nobody should ever feel like they have to throw out an otherwise functional refrigerator-sized appliance because of software obsolescence.

I am absolutely willing to die on this hill. We need a GDPR-sized hammer to fix this.

> Fuck Peloton. Fuck Flywheel. Fuck all the proprietary IoT companies.

And not just in the IoT field. Pretty much every company that could use their closed software/firmware/designs plus lawyers to enforce their right to render a product useless or obsolete, or simply become the only ones authorized to repair it and then refuse the repair, so the user must buy a newer one, will eventually do that if allowed by the law.

John Deere has been really hostile to their customers, for example. https://www.vice.com/en_us/article/xykkkd/why-american-farme...

Don't forget Apple. They absolutely hate customers servicing the hardware they bought and paid for, and they fight it with both technology and lawyers.

Remember that awesome time when Apple disabled phones, because they had a 3rd party home button installed? Absolute scumbags.

I mean, it sure seems like a scumbag move, until you understand the full reasoning behind enforcing encrypted keys for each piece of security hardware. Which I believe was to close a security loophole.

To my memory the bricking of phones was a bug related to not handling the non-matching key condition correctly. But I believe they fixed that bug quickly?

John Deere only made sense to me when I found out Bill Gates is its largest shareholder.

The legislation will probably originate somewhere there. At some point the world should realize that software sales are not different from hardware sales.

It's a pretty good hill to die on. Everything IOT should be forced to communicate over transparent and self-documenting protocols so a. anyone can write an app to control said device and b.[0] Alexa/Cortana/Siri can query to set up a voice control interface.

[0] Maybe in the future when their capabilities get a bit better, but the gist is every device should respond to a 'hello' ping with a list of commands and NLP'able descriptions such that for an air conditioner 'alexa set temp 67 degrees F' just works.

This kind of response is a big part of why I have given up building commercial IoT products for now. It's great to want to have some super abstract high level self discovering protocol, but when you actually start to build on it it really hampers the product.

If you want to build a smart light switch you are trying to get the response time very low and worry about things like syncing behavior around the network. Doing these things ends up being very domain specific and you do creative engineering to make it happen. These are very different than the requirements for say a vacuum cleaner.

Then we have standards that come out like Bluetooth mesh or HomeKit that say this is exactly how a light switch should work. Great, except your light switch has this cool feature that Philips did not think of in the committee meeting and now you are forcing it in and your product once again suffers.

These standards all suck, some small percentage of your customers want custom access (rightfully so), and a large percentage are comparing you on price and experience. The outcome is a closed off product. With maybe a cloud API.

Like I said this is why I don't want to work on these products anymore. You cannot win.

> Then we have standards that come out like Bluetooth mesh or HomeKit that say this is exactly how a light switch should work. Great, except your light switch has this cool feature that Philips did not think of in the committee meeting and now you are forcing it in and your product once again suffers.

This seems like it could be solved by a meta-standardization: a standardized extensibility model. So the light bulb supports "on", "off", and "dim", and the vacuum supports "begin cleaning", "return to charging base" and "open dust cup lid", but both support a "Get model-specific register and function list" command, yielding something like WSDL.

Maybe Philips bulbs activate their RGB disco seizure mode with Model Specific Function 82, and GE bulbs have colour temperature control on Model Specific Function 74, but so long as the bigger, smarter device controlling both can query this and package it up for users, it works fine. And when your new vacuum has "knit new cat out of collected cat hair" they can define it as MSF 74 if they want, so long as the catalog is accurate.

This vaguely sounds like MIDI to me

Or CSS extensions


You don’t have to follow a standard to not use an obfuscated API.

Following a standard is great but extending beyond that for your own features or using a variation is still fine if the API is accessible by users.

A good model for this is the HID protocol for "human interface devices". This supports keyboards, mice, joysticks, game controllers, etc. over USB. It's simple enough to be used by very basic devices, and descriptive enough to extend to most control-like devices.

Most home automation stuff doesn't have that big a command vocabulary.

I completely understand and sympathise with this sentiment, as I'm sure many others will.

It's one thing to want standards, but when it's still an emerging field, with so much different functionality, it's an impossible task.

Any poster who advocates standardization at this stage would probably be wise to read about the early computing days, when you had so many different standards, before it crystallized behind IBM MS-DOS. Or even HTML, where would we be today if MS had listened to "standards" and not released the XMLHttpRequest/MSXML library.

No ajax, no modern web.

This is a perfectly normal, and perhaps desired, period of experimentation where standards will just hold the industry back.

Standards are convenient, but a lot of issues would be resolved if products were publicly documented. To my knowledge PostScript was never standardized and PDF has been standardized for about half of its history, yet they were both fairly well documented by the vendor. Contrast that to other popular document formats, or this bike, which had to be reverse engineered. Yes, documenting implementations adds overhead that inhibits the rate of progress. On the other hand, not documenting implementations usually inhibits progress as well, since it is all about short-term gains.

You have a valid point about velocity being held back by standards. But you don’t do yourself any favors, IMHO, pointing to the modern web as an example. If anything, the modern web is the perfect cautionary tale. Walled gardens, app churn, bloated apps. No way to use part of a service without all the crap that comes with it.

The modern web could stand to let off the gas.

Are walled gardens and app churn really the fault of AJAX requests, though?

For that matter, would removing AJAX and modern JS have fixed anything, or would people have routed around the problem? Any alternate web I can imagine just ends up with everyone using Flash/Shockwave/Silverlight/Java applets, which are even worse. A handful of diehards stay on plain HTML, just like they do today, while everyone else moves to gigantic ad-ridden behemoths.

Walled gardens aren’t the result of Ajax, no. They’re the result of insufficient or missing standards (or at least lack of standards enforcement).

How many times do you encounter a website that doesn’t support your OAuth provider of choice? So you keep 2 or 3 around, and oh this site only does their own password based auth, OK I’ll use my password manager to make a one-off for this site.

Keep in mind, JS itself was developed by one browser vendor (Netscape IIRC) because there was a lack of a standard for interactivity on the web. These tools arise out of need, but because of capitalism the players creating the tools don’t work together. They stand to benefit if they can “win” and starve the others until the other solutions die, so that’s what they hope to do. It’s anti-consumer.

I don’t know what the answer is. Maybe it should be illegal for apps not to allow certain levels of interoperability and freedom to migrate. Hence a previous poster’s term, “GDPR-sized hammer”.

It's also interesting to consider how standardization can similarly maintain an industry dominated by larger players, trying to establish their moat through regulatory capture.

Sort of a duality to how lack of standards propels innovation in the nascent days of a technological field.

Not saying there shouldn't be standards in general; simply that we should be cognizant of market forces using standardization efforts as offensive tactics.

> I completely understand and sympathise with this sentiment, as I'm sure many others will.

I don't. He's basically admitting his engineers are incapable of reading relatively short, well-written spec documents.

This stuff is standardized. BLE is extremely easy to use, both on a device and in an application. BLE makes it possible to create self-documenting devices that any application could use. Device manufacturers are going out of their way to prevent that from happening.

We wrote a Bluetooth mesh product before there was a Bluetooth mesh standard. Don't call me lazy for not publishing a short spec when the actual Bluetooth spec is over 100 pages. BLE is "easy"; managing a mesh network with transactions, dropped packets, authentication, and 100s of settings across different products is not. Instead we focused on the product we were trying to sell and things people actually bought based on, like Alexa and Google support. We had lots of internal docs that heavily documented things, including things that would damage the performance of the network and experiments that failed in practice.

I don't think it should be a protocol so much as 'english-ish'. So not a framework which defines a lightbulb (and every other IOT), but a defining human/NLP readable language so a human/alexa can have a conversation with an arbitrary device[0]. Trying to be rigid in definition for the scope of all IoT is madness[1], and imo this is where the future of the NLP AI is: acting as a fuzzy intermediary between people and 'smart' devices to save users and devs both from that madness.

[0] >send 'what are you'

>> "A light bulb serial number ######"

> 'list commands'

>> on() | off() | color(int red, int green, int blue) | strobe(frequency)

>help color

>>"""description of color function"""


Where there isn't a predefinition for say 'strobe' specced anywhere, or 'light bulb' for that matter, but a person or reasonably intelligent AI can work it out from context. There does need to be a bit of a framework and around 'what are you' and 'list commands' for this to work.

I hope I've explained this well, but it doesn't seem far off for an AI to credibly facilitate the bulk of human-smart device interaction with a little bit of help breaking the ice.

[1] As you mentioned, scoping even a light switch without feature creep is a challenge.
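The self-describing exchange sketched above ('what are you', 'list commands', 'help color') and the earlier "Get model-specific register and function list" idea both come down to one thing: the device's catalog must be generated from the code that actually handles commands, so it cannot drift from what the firmware accepts. The following Python block is an added example written for this thread, not code from any poster or product; the device kind, serial number, command names and state dictionary are all constructed for illustration. It builds the catalog from function signatures and docstrings, checks argument count and types before dispatch, and turns range errors into error replies instead of crashes, which is the part a defender cares about once any such interface is exposed.

```python
"""Self-describing device command catalog (added example, not from the thread).

Everything here is constructed: the device kind, the serial number, the command
names and the state dictionary are illustration only.
"""
import inspect
import shlex
from typing import Any, Callable, Dict, List


class Device:
    """Answers 'what are you', 'list commands' and 'help <cmd>' from its registered
    functions, so the published catalog cannot drift from what the code accepts."""

    def __init__(self, kind: str, serial: str) -> None:
        self.kind = kind
        self.serial = serial
        self._commands: Dict[str, Callable[..., str]] = {}

    def command(self, fn: Callable[..., str]) -> Callable[..., str]:
        """Decorator: the function's name, annotations and docstring become its catalog entry."""
        self._commands[fn.__name__] = fn
        return fn

    def signature(self, name: str) -> str:
        """Render 'name(type arg, ...)' from the function's own annotations."""
        params = []
        for p in inspect.signature(self._commands[name]).parameters.values():
            tname = "any" if p.annotation is inspect.Parameter.empty else p.annotation.__name__
            params.append(f"{tname} {p.name}")
        return f"{name}({', '.join(params)})"

    def handle(self, request: str) -> str:
        """One request line in, one response line out; never raises on bad input."""
        words = shlex.split(request)
        if not words:
            return "error: empty request"
        if words[:3] == ["what", "are", "you"]:
            return f"{self.kind} serial number {self.serial}"
        if words[:2] == ["list", "commands"]:
            return " | ".join(self.signature(n) for n in sorted(self._commands))
        if len(words) == 2 and words[0] == "help":
            fn = self._commands.get(words[1])
            if fn is None:
                return f"error: unknown command {words[1]!r}"
            return f"{self.signature(words[1])}: {inspect.getdoc(fn) or 'no description'}"
        name, raw_args = words[0], words[1:]
        fn = self._commands.get(name)
        if fn is None:
            return f"error: unknown command {name!r}"
        sig = inspect.signature(fn)
        try:
            bound = sig.bind(*raw_args)  # arity check: too few or too many arguments
        except TypeError as exc:
            return f"error: {exc}"
        typed: List[Any] = []
        for p in sig.parameters.values():
            value = bound.arguments[p.name]
            if p.annotation is not inspect.Parameter.empty:
                try:
                    value = p.annotation(value)  # coerce by annotation, e.g. int("10")
                except ValueError:
                    return f"error: argument {p.name} must be {p.annotation.__name__}"
            typed.append(value)
        try:
            return fn(*typed)
        except ValueError as exc:  # range checks inside commands become error replies
            return f"error: {exc}"


# Constructed device identity and state; no real product is described.
bulb = Device("A light bulb", "CONSTRUCTED-0001")
state: Dict[str, Any] = {"on": False, "rgb": (255, 255, 255), "strobe_hz": 0.0}


@bulb.command
def on() -> str:
    """Switch the lamp on."""
    state["on"] = True
    return "ok"


@bulb.command
def off() -> str:
    """Switch the lamp off and stop any strobe."""
    state["on"] = False
    state["strobe_hz"] = 0.0
    return "ok"


@bulb.command
def color(red: int, green: int, blue: int) -> str:
    """Set the lamp colour; each channel is 0-255."""
    if not all(0 <= v <= 255 for v in (red, green, blue)):
        raise ValueError("channel out of range 0-255")
    state["rgb"] = (red, green, blue)
    return "ok"


@bulb.command
def strobe(frequency: float) -> str:
    """Flash at the given frequency in Hz; 0 stops strobing."""
    if not 0.0 <= frequency <= 10.0:
        raise ValueError("frequency out of range 0-10 Hz")
    state["strobe_hz"] = frequency
    return "ok"


if __name__ == "__main__":
    for line in ("what are you", "list commands", "help color",
                 "color 10 20 30", "color 10 20 999", "reboot"):
        print(f"> {line}\n>> {bulb.handle(line)}")
```

The catalog string for `list commands` here comes out as `color(int red, int green, int blue) | off() | on() | strobe(float frequency)`, matching the shape of the exchange in the post above, and a request such as `color a b c` or `color 10 20 999` gets a one-line error rather than an exception. As the reply below notes, where such an interface is reachable from matters more than its vocabulary; this block is pure in-process dispatch and opens no socket.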

You'd want any interface like this to only be accessible over JTAG/serial in order to help prevent bad actors from recruiting the devices for Mirai-style botnets. Additionally, DNN NLP AI really isn't possible on these devices.

The ESP8266 microchip is very popular for use with consumer IoT, because it includes not only a microprocessor with full TCP/IP software stack included, but also WiFi hardware that's compatible with most consumer WiFi systems, all on a 5mm x 5mm x 1mm IC. However, it doesn't even have enough computation power to implement 802.11x WiFi certificate authentication for standard enterprise WiFi environments. There's no hope for implementing an NLP DNN AI on chips like this. You'd "need" to upgrade from a $2 microchip to a $100 IoT Edge AI chip like Coral or Jetson, and now each of your $30 IoT light switches would cost $130 instead and consume much more power.

You could instead have a pretty standard telnet access with 'help' functions like most *nix programs have, but enabling any kind of telnet/SSH is often a big security risk with IoT devices.

You don't want any devices accessible over the normal internet. Set up a Tor Hidden Service, require some authentication at the bastion host to your internal network and you're good to go.


I've worked in the same space. This is bullshit crocodile tears. All of the device control protocols have systems for creating custom features. BLE is particularly easy to use, though it's really not that different from older specs like ZWave and ZigBee.

BLE mesh is difficult to do at high performance across multiple platforms and we did it years before there was a spec. Would I use the spec now? Probably. Would I have waited 3 years for the spec to come out? No.

At the time you could lock up Android devices just by sending too many beacons and require users to factory reset their network settings.

When people say Bluetooth is easy I assume they have not done much more than GATT connections and a simple beacon.

Do you know what's the fix for this? Open source. And letting people flash their own firmware.

Years ago, there was Jini (Apache River now). It never gained much traction. But I always liked the idea of interoperable home devices announcing themselves on my network. "Hi, I'm a mass storage device. If anyone's got data they need storing, send it my way!"

HomeKit is probably the closest thing at the moment as, while it's a proprietary protocol, it's already been mostly-reverse-engineered enough to have open-source HomeKit controllers for most devices, as well as open-source bridges from non-HomeKit devices to HomeKit protocols.

Home Assistant[0] is a great tool to act as this bridge. It can act as a HomeKit device, so anything it knows about can be exposed to Apple devices via the Home app. It also has integrations to talk to virtually anything, or you can build your own IoT devices with ESPHome[1].

[0] https://home-assistant.io/

[1] https://esphome.io/

So much this - ESPHome is incredible. The next amazing bit is how good a system you can cook up with some low cost ESP8266 or ESP32 chips and a few sensors. I’ve been looking for ages for a decent thermometer that connects to Home Assistant. All were expensive and required all sorts of contortions to get into HA. A week or two ago I bought some US$6 chips and a few US$3 sensors and they had me there in short order. I have no electronics background and very little coding experience.

If you want to take this kind of thing to the next level, check out Node-RED. It's a visual programming environment that's well-suited for home automation.

One of my most-used automation setups is a dust collection fan near the cat litter boxes. The basic idea is to turn the fan off, if it's on, when the cats approach, then turn it on five minutes after they leave and turn it off ten minutes later. The cats are detected using a PIR sensor hooked to an ESP8266 running ESPHome. I've also got an automation which will turn the fan on and ignore the PIR sensor for ten minutes so that I can clean the litter without breathing in a bunch of dust - this part is kicked off via an input_boolean that's exposed to HomeKit, so I can tell Siri to turn it on and it triggers a whole bunch of work.

The main thing that prevents me from DIY IoT is worry about fire hazard. Is there a guide out there for picking the right components (e.g. are Sonoff devices solid enough) and assembling them in a way they could be safely plugged into mains, or used to switch mains power? Alternatively, are there guides on how to build battery-powered IoT? I'd be fine powering stuff around home from rechargeable AAs if I had a clue on how to build IoT devices like that (IANAEE).

Yeah, I would not suggest DIY'ing anything that's directly connected to mains power unless you are super sure you know what you are doing. That's a really good way to cause you problems with your homeowner's insurance if you have a fire and it could be against your local building codes.

That said, there are devices out there that can be used on mains power that are UL certified. I have a ton of Z-Wave [0] switches and relays for various things all talking to Home Assistant. Z-Wave is an open [1] (or soon to be open) mesh networking communications protocol that is pretty widely used and supported, so you're not locked into a single vendor.

For low-power stuff, I'm a bit more willing to experiment, but not on mains power. But I am also not an EE. :P

[0] https://en.wikipedia.org/wiki/Z-Wave

[1] https://www.theverge.com/2019/12/19/21029661/zwave-open-stan...

For powering my ESP32/ESP8266 stuff, I use "trustworthy" USB power supplies (e.g., stuff from a brick-and-mortar store, or leftover iPhone adapters, not random Aliexpress adapters) and use short USB cables to connect them. Costco usually has some kind of appropriate adapter for a reasonable price.

For controlling 110V loads, I've found that the Ikea TRÅDFRI outlets work well. If you stay within the TRÅDFRI ecosystem, you need a "steering device" such as a switch or remote to pair them to the gateway, but if you're willing to step outside that ecosystem Zigbee adapters like the ConBee II can talk to the outlets directly (I'm in the process of migrating my Ikea gear to this). The Home Assistant TRÅDFRI component works well.

I use USB chargers/hubs for anything I build myself, and Sonoff plugs (even better if they're the kind you don't need to splice into wires) for anything that needs to control mains. This approach has worked excellently so far.

Hit me up if you need any advice!

So far my chips are all sensors powered off USB. Adding relays is next level and I haven't done that. I've relied on smart plugs that are wall-wart style. However I want to refill the boiler automatically on an old La Cimbali Junior and when I find an ultrasound sensor that will penetrate my espresso machine's boiler and detect a low water level (risking element burn out) I likely will though. I've tried a Hall sensor and one ultrasound sensor and neither work. I think I need an ultrasound sensor designed for fuel tanks or similar.

A quick look at the manual suggests that there's a light that tells you when it needs to be filled with water. It might be easier to just trace that back and piggy back off of whatever sensor it already has.

It may be too small for an ultrasonic sensor to work well. The ultrasonic sensors I've used are all basically blind to anything closer than 5-10cm.

This is a really good suggestion - my trust in that light is currently zero as I can’t get it to trigger reliably.

Solving that issue is a rather more obvious way forward. Wood, trees etc.

If your goal is just to fill the reservoir automatically from a plumbed-in water source, without monitoring/logging water levels, a small float valve like this[0] might be a good answer too. I don't know how big the reservoir in your machine is, nor do I know if this particular valve is food-safe.

You should definitely fix that light though. That sensor may also be part of a safety cutoff to prevent burning out the element.

[0] https://www.amazon.ca/Kerick-Valve-MA252-Float-Adjustable/dp... This was from a quick search, I know nothing about this particular valve.

Thanks. I’m going to get that light fixed and I think it is the best way of monitoring the water level.

The hard part with checking the water level is that the boiler is pressurised and very hot, which is going to be hard on any sensor.

You probably don’t need an ultrasound sensor or anything fancy for detecting water levels. Get a couple of strips of conductive metal which isn’t going to rust, then stick them down either side of the water tank, and finally hook the top of those strips into an ESP8266 or similar. When water level is above the required point the water will complete the circuit, and when it drops below the circuit will be broken.

Thanks for the idea.

There are two water levels that could be monitored, the stainless reservoir and the brass boiler. Despite the metal I think it would still work for the reservoir, because this seems to be how new models work.

It’s the boiler I mainly want to monitor however, and it is very hot and is pressurised.

Will it do so even after going through whatever filtering scheme you're using? I was under the impression that clean water is a bad conductor.

I had no idea about that, but some cursory Googling seems to indicate this property is only really true of fully purified water - either via distillation or turning it into steam first. I suspect that all but the most impressive water filters are still going to give you conductive water, but regardless it’s an easy thing to test.

Xiaomi makes a $10 BLE temperature and humidity sensor. You don’t have to use their proprietary app, there’s an open source MQTT bridge available. It also has a display and runs for months from an AAA cell, which anything esp8266 based won’t.

Thanks - I have tried to track one down here in New Zealand and found it hard. You are quite right that ESP8266s won't run long on battery.

They won’t run long on battery if you try to run them constantly. This is why they support deep sleep, which allows you to instruct it to shutdown until an interrupt is fired by either the real-time clock, or some other input. Typical behaviour for a device like a temperature sensor is to wake up, report the temperature, and then go back to sleep either for a set duration or until a significant change in temperature is reported by some lower power components.

Thank you - I’ve been playing with this and it’s really neat. It’s an amusing workflow in ESPHome as you have to work out when the device is awake to run an OTA update.

Home Assistant may be my favorite open source project. The community is great and incredibly active too.

I have been really happy with a HomeBridge and HomeKit setup. The only downside is the eventual hardware: for various boring reasons I was forced into getting Lutron smart light switches, and they require a hub. That hub has a Telnet connection that Home Assistant uses and it’s super flakey.

I just wish there was more truly open hardware out there.

Could you make a regular old float sensor work?

The HomeKit protocol is open and there is extensive documentation available.

Web. A self-documenting protocol: it runs a webserver that accepts simple form requests.

"But web tech is insecure!"

If they can't secure a form post, what hope do they have of securing a proprietary api?

Yes, home appliances running webservers would have downsides for management, but that's where routers could add value. It would be trivial for a router to scan port 80 of every device on your network and present a page to pick your devices. That's something I'd even use an app for.

"Port 80? But what about encryption you complete monster!"

How the hell is that cert going to work? Even if they had some magical way to store a cert on the device securely, surely they're going to screw up keeping it up-to-date, or do you want your "it's MY device! Mine!" to depend on an external provider for security?

Just make sure the devices can run on some kind of VPN.

Router can keep them on a VPN and run a proxy with proper SSL for outsiders. Then you only need one device in your network secured to modern standards, all your IoT run in the router's IoT sandbox and all access to them is through a proper SSL-encrypted proxy portal.

There. It would be possible to make that layman-friendly infrastructure. Router detects you connecting to LAN device over port 80 and says "hey, this looks insecure, do you want to move this device to the secure sandbox? You can access all IoT devices securely through my app! Y/N/OMG this is awful never ask me again!"

My condo building has these fancy new Technogym "MyRun" cardio machines which are basically regular workout machines with giant iPads on them. So now instead of turning them on and starting a workout I must wait 3 1/2 minutes for the touchscreen to boot every morning, and every other week there's a failed software update causing the machine to shut down mid workout to restart the software in an endless loop. Or it just won't turn on due to the software on/off switch not working and we have to call the technician. It's unbelievably bad. Unless you actually care about connecting your workout to an app (I don't) a prehistoric cheap workout machine from 20 years ago has a better experience and is actually maintainable.

>GE app #12 that's going to be abandoned in two years anyway

Not merely abandoned, but abandoned with gaping security flaws, no other way to update the device, and an always-on internet connection. We really have not thought this IOT stuff through.

Or, maybe the whole impetus behind the free software movement isn't wacko bullshit after all...

We had a solution and everyone pissed on it because the misinformed and perhaps intellectually lazy lawyers and leaders and yes even engineers convinced everyone that the GPL was unfit for a capitalist society.

“Was” is admittedly unfair because free software is not actually dead. It’s just popularly dead. If this type of crap actually outrages you, it’s not GDPR that we need (it makes no sense if you think about it, too), it’s smarter consumers and more courageous engineers/leaders. Go speak with your feet and use free software products. And help breathe life into a culture that has been wounded by greed.

At the risk of repeating the "Stallman was right" meme, Stallman really was right about this stuff. The more I work in and with tech, the more I'm appreciating GNU/FSF philosophy.

Some time ago I finally understood what's the point of GPL vs. just Open Source - the former is written with end users in mind, not developers. And unfortunately, these days not only developers aren't end users, they're very often working against end users.

Yep. Permissive licenses (MIT et al) maximize freedom for developers. Copyleft licenses place sometimes-frustrating restrictions on developers in order to guarantee more freedom for end users. I like to compare it to laws against slavery. Yes, they impose restrictions on would-be owners, but society is freer as a result.

or any abuse of power imbalances.

> Yes, they impose restrictions on would-be owners, but society is freer as a result.

I'm still going to prefer MIT but this is probably the best rhetoric I've seen in favor of copyleft.

Convinced who, exactly?

Free software isn't illegal. You can run Linux and not buy IoT/IoS junk. Yes, you might have to decline Netflix and Disney.

The only place consumers are screwed is when they get stuck with monopolists like John Deere -- and no one got "convinced" there, just screwed.

Have you ever actually had a discussion about building and running a business around the free software model where you GPL all your software and charge for services? It just doesn't compute with most people who consider themselves leaders in the software industry. Stallman is just a crazy whacko and his license unfit for serious business. That's the summary of the stance I've encountered most of the time.

I'm simply saying people don't take the free software movement seriously and if you as consumer advocates and developers get frustrated by this fact you don't need to invent a "GDPR for software interoperability" you just need to advocate for software that protects consumers. And you need to do so even in the face of uneducated and uncultured business leaders, which takes courage.

Which part of the GPL being focused on end users don't you understand?

The GPL was not created to help businesses, it was created to help end users, which for the most part means people with the know-how to understand software and improve on it or extend it for themselves.

We need a free hardware movement.

Hardware is, in fact, exactly how the free software movement was born. Stallman couldn't service his Xerox copier due to proprietary software and license restrictions. Sound familiar? It has always been about combatting the artificial control companies have individually and collectively to dictate how users interact with hardware they own due to proprietary unfree software.

Inevitably the long-term solution is going to be more layers of abstraction. Web application firewalls for every wifi device in your router, for example, or operating systems maintained by cloud vendors (for “edge devices”). If always transmitting connectivity isn’t required, maybe HomeKit-style app-based (offline or app-based updating) devices that use other devices as repeaters which can then be reverse engineered from their apps (largely illegally in many countries). I don’t think we’ll see open specs unless Apple or Google or government make a significant push, or a future large-scale chipset manufacturer uses open source as a way to both get customers and maintain long-term support for their chips. But we know how well GPL works with most hardware (poorly, unusably, etc.)

What worries me is not layers of abstraction, but layers of control. Who owns that WAF? Who owns the apps?

And if it's not user that owns it in practical (control) sense, then I hate it already and personally won't buy it.

> app #12 that has God-knows-what baked in and that's going to be abandoned in two years anyway.

It was a revelation putting a Pihole on the network and making a firewall rule that forced any non-Pihole port 53 traffic back to the Pihole. Samsung and Google make a lot of connections to home.

HTTPS is great for users, but I'm annoyed that it will let companies get around this sort of thing. I want to control the traffic on my network.

That's why the combination of DoH and certificate pinning worries me - individually they're sound security technologies, but together, they're a nice package to disenfranchise end users with respect to networked devices they own.

One of the top reasons for DoH with cert pinning was to prevent DNS ad blocking with pihole on e.g. chromecasts

> And apparently fuck me for having the gall to want to control my air conditioner from my computer rather than GE Android app #12 that has God-knows-what baked in and that's going to be abandoned in two years anyway.

My aircon is infrared based so I bought a $20 infrared emitter, recorded all the button signals from the remote control and plugged it into HomeKit. Now I can voice-control/remote-control my antique aircon better than current models that still don’t support HomeKit

Bonus points: I put the emitter in line with both aircon and TV and use the same device to control both

Is it really that different than the razors-and-blades, inkjet printers, games consoles, or electric toothbrush business model? Or even the new cars and service model [wherein more money is made in the service bays than on the showroom floor].

I wasn't around on this planet when razors-and-blades model was first invented, but it wouldn't surprise me if people raised objections back then.

To me, the general model of selling/giving away a device that serves only to lock the customers into buying overpriced consumables is ethically questionable. I find it exploitative, dishonest, wasteful and anti-competitive. Such a business model requires corrupting the law to create completely artificial constraints, to make it illegal for competitors to offer said consumables, in order to prevent competitive pressure from pushing the price of consumables down to where it should be[0].

I can't give a detailed and coherent argument for why I feel that way, not just yet - part of the reason I comment in IoT/DRM/another-product-turned-into-bullshit-service threads is to try and discover that argument through discussion. But it really feels wrong, compared to a hypothetical reality where both the devices and their consumables were properly priced closer to the marginal cost of production, which can happen only if people can freely build on top of platforms.


[0] - And if I'm listing negative adjectives, I might add parasitic - in the sense that if you imagine business models as organisms, this one took over the host society's legal system to ensure it could outcompete more straightforward (honest) ones.

I don't think you need to expand so much on the reason why you're opposed to this business model, it's all understood and well-documented. The usual argument against this sentiment is that it's difficult to establish clear legislation on it. See the very similar debates on planned obsolescence and right to repair.

> Such business model requires the corrupting the law to create completely artificial constraints

So what? As long as no such laws exist that's fine, and a corrupt country will get bigger problems anyway. The problem is that it's not true since constructors can increasingly rely on complexity: reverse-engineering is getting more and more complex (see recent iPhones).

It has to be fixed through regulation. The free market does not support long term, expensive solutions, such as APIs.

If you provide the bike with a public API, it’s going to cost more. You now need to actually test the API works, instead of simply testing the bike works, end-to-end, with your own software.

A stable API with supported version changes and backwards compatibility is a much more challenging engineering prospect.

Forever ‘twas this. Maybe they can start by using something like an automotive CAN bus.

I just return stuff.

I bought a segway mini years ago, only to find out you had to download an app before you could ride it.

Same with a DJI Mavic quadcopter.. you could not just turn it on and fly it with the included RC remote controller - it would just say "see app" or some nonsense.

both got sent back. Seemed a little silly at the moment (I just got this cool new thing -- cave.. cave..) but I'm way better off.

(turns out the mavic sends details of EVERYTHING to lots of sites willy-nilly)

The scariest thing IMO is that this strategy seems to work for the seller. (Besides John Deere owners and the HN crowd) How many consumers are protesting this kind of nonsense? I would bet most are dazzled by the prospect of some "futuristic" product feature.

To me, this stuff actually devalues the product. It has the potential to be useful but the way it is being used is to deny the buyer full ownership and reserve additional rights for the seller.

The bike is not even close to being bricked. You can use it without the app; there are multiple replacement apps: both a free version from the same vendor, an equivalent subscription from the new owner and some other third party apps.

Otherwise yes, agree that subscription dependent IoT needs regulation.

One issue with open interfaces for these kinds of applications is BT-LE itself. It is nominally designed as open standard for transferring exactly this kind of data, but it cannot do anything else than SNMP-like get/put/trap on some attribute, so everybody ends up designing their own proprietary L4 TCP-like protocol on top of attribute writes and reads to accomplish anything interesting.

Most "smart" devices don't need anything beyond attributes, heck, some of them (thermometers and the like) could just fit all the data into a beacon advertisement!

Manufacturers often do really silly things like encoding all the data into one custom attribute:


All of this easily could've been done with standardized attributes but fuck interoperability lol.

> it cannot do anything else than SNMP-like get/put/trap on some attribute

It can do whatever you want. Nobody is forcing you to use ATT, you can speak anything over L2CAP.

This twitter account is well aligned to this sentiment, proof included: https://twitter.com/internetofshit

>And apparently fuck me for having the gall to want to control my air conditioner from my computer rather than GE Android app #12 that has God-knows-what baked in and that's going to be abandoned in two years anyway.

Do you have an IR controller for your AC? If so you could get one of those smart plugs that you can control remotely (zigbee, wifi service, whatever) and it will communicate with your AC via IR; you plug it in to the AC socket and then plug the AC into it.

I'm looking into mini splits for an apartment and project room I'm building in my shop. I really like the Mitsubishi ones partly because they have a documented port to connect to them and people have already written code and schematics. Unfortunately, they are twice the price of the cheap ones that only have a proprietary wifi dongle that I'd have to reverse engineer myself.

Get the Mitsubishi Super Inverter. Not because of the wifi (mine does not have that option), but because it's a really good product.

I have one running for the last 6 years and I always say that it was the best purchase of an electrical appliance I ever made.

Super quiet also, my model is around 19dB inside and the outside unit is also quiet.

And to think I'm used to making fun of RMS for complaining about how he wanted to run his own software on his microwave.

Agreed. Right to repair, which I believe includes software should become law. I have a pile of bricked stuff, mostly electronics that I can't use (hello Pebble Watch). I hesitate to buy "connected" products unless they are open (e.g. Z-wave switches), never proprietary stuff!

Just wait until you hear about this company called Tesla that is paving the way for “your car is an IoT subscription”. Oh yeah and this company called John Deere with their subscription model for their DMCA protected tractor that you “own”.

I might even take it a step further and say no product should be rendered unusable without an Internet connection unless the Internet is an absolute requirement of the product’s basic function. I.e even IoT devices ought to be able to be air-gapped and on their own closed network (unless, for instance, it’s a clock or something and relies specifically on things like weather/traffic APIs). And even in cases where there is a legitimate product feature that requires an internet connection, not having one should NOT render the other parts of that product unusable.

Trying to dig into the root of this frustration, I think it mostly stems from the misalignment for how we expect the internet to behave (open, accessible, all the other fun Tim BL stuff, etc). It’s extremely unfortunate that companies like Peloton, John Deere, Skydio, on some level DJI, and others as we cross software into the real world haven’t kept up with those expectations. Huge loss, and concerning behavior as the internet starts to expand further IRL.

> I am absolutely willing to die on this hill. We need a GDPR-sized hammer to fix this.

Any thoughts on a labelling system? Like, "re-flashable open source firmware", "cannot be remotely bricked", "API-spec and code examples included" stuck on the side of the box.

I'm surprised some hardware hacker supply company, like adafruit/sparkfun hasn't gotten on this yet.

Just like the wink hub. They recently switched from free always to we now need 60 bucks a year from you. Talk about bait and switch.

Hey, we both know the answer - you don't need a fancy app to be fit on your bike. Nor to make sense of your aircon.

I agree with your points, but in this case it was not obfuscated at all and as the article shows, not really difficult to figure out. Furthermore, this knowledge can now be shared with others.

As long as RE is legal (and even when it isn't...), people will figure things out.

We need a GDPR-sized hammer to fix this.

AFAIK, RE for interoperability (which this is absolutely an instance of) has always been and is likely to remain legal in the EU.

As pointed out upthread, we’re increasingly seeing devices that never get reversed.

Even many of the really popular ones take years to hack these days, because the mitigations keep getting stronger.

I would like to see a "Right to Repair" for software.

Any FOSS or Commons Clause software fits the bill.

Or are you saying you would like to see Right to repair legislation for software? Me too, but it won't happen.

The latter

What does the GDPR-sized solution look like?

Maybe "every IoT vendor must put their source code in escrow and when they go out of business the source code becomes GPL"? Of course they could just escrow incomplete software with parts just being sourceless blobs and no-one would have verified it is complete by the time they go out of business. It also doesn't work when they buy proprietary software bits from other companies.

Generally yeah, fuck 'em all. There are however cases when playing with the device using 3rd party software could lead to bypassing safety features, and if people got hurt, who is to answer?

"Freedom is not worth having if it doesn't include the freedom to make mistakes."

The person who bypassed safety features, or insurance coverage.

Awesome project. I wish more smart devices offered a “run it locally on a Pi if you’re paranoid or a control freak.” I avoid IoT devices in general because I have no idea where the data is being stored, if it’s stored securely, or if it’s being sold. I prefer to manage this all myself.

>I wish more smart devices offered a “run it locally on a Pi if you’re paranoid or a control freak.”

Wouldn't that defeat the purpose of the "smart device" (from the manufacturer's point of view)? The business model often seems to be locking you in to a subscription (rent seeking) or selling your personal information (surveillance capitalism).

Just wanted to plug repair.org who is working to protect actions like this (I have no connection to the org). You can join as an individual member to support their mission financially:


This is a great reverse engineering project.

What it points out to me, painfully, yet again, is that cool stuff can actually do everything its bought to do without a "monthly service fee." And yet here we are.

It's interesting to see the discussion here focusing mainly on "open from the producer/manufacturer" side, when what I think is the really important point here is that "opening from the consumer/user" side can be easy and empowering: companies and services will come and go, but your ability to take control effectively depends only on your willingness to discover and explore.

I avoid a lot of "smart" products in general, but feel comfortable with working on the equipment I do have --- whether it's maintenance, repair, or modification --- and I think that's the most important thing to keep in mind; to not be scared of treating things as anything other than mysterious black boxes. It seems that a lot of people treat "reverse engineering" as some equally mysterious and imposing idea, when it's really just about problem solving or figuring out how something works.

Also, I don't think the RPi is necessary here; the bike is a Bluetooth device, so any computer with a Bluetooth interface can receive its data and process it. I'm not an RF expert, but rebroadcasting BT seems like it would create more interference.

> Also, I don't think the RPi is necessary here; the bike is a Bluetooth device, so any computer with a Bluetooth interface can receive its data and process it. I'm not an RF expert, but rebroadcasting BT seems like it would create more interference.

The rebroadcasting is done because the goal was to get the data into a proprietary piece of software that expects data to come in over Bluetooth.

And rebroadcasting will actually be just fine on the air medium because right after receiving is exactly the time when the bike won't send another message.

The RPi is complete overkill of course, a tiny $3 nRF52 module could do that job just fine.

> your ability to take control effectively depends only on your willingness to discover and explore.

This should be the limiting factor, and this is often the case when a product was designed sensibly and the interface just wasn't documented. Reverse engineering a device like this is relatively straightforward.

But more often, companies deliberately obfuscate, encrypt, or booby-trap their interfaces in order to actively prevent reverse engineering, and this is the reason for the frustration you're seeing in the other comments.

> your ability to take control effectively depends only on your willingness to discover and explore.

Lots of folks have additional constraints of time due to family/other responsibilities etc. I can afford to spend an hour or two if the API is open from the manufacturer's side to write a script or setup a simple service; I definitely cannot afford to spend time on packet sniffing or such low-level reverse-engineering.

> First, the node binary needs permission to advertise Bluetooth services:

> sudo setcap cap_net_raw+eip /usr/local/bin/node

Use AmbientCapabilities= in the unit file instead.

That's much better, thanks for the tip!

Drat, I was hoping this would also have a recipe for unlocking/reinitializing the attached Android-based tablet, on some of these bikes. Then it could run other biking apps - or just provide reading/music while riding. (Maybe even: it could do the BLE translation?)

The community hasn't figured out how to root the tablet, yet, but there are some hints as to the manufacturer/boot-launch-software – https://www.reddit.com/r/FlywheelAnywhere/comments/gexqte/ha... – if anyone has any ideas or is interested in a challenge.

I'm trying to create an Android recovery for a peloton, which is similar https://github.com/Goayandi/mediatek_mt8176_development/issu...

Was it really "bricked"

No; this is hyperbole, and cheapens the meaning of the word bricked. Its core function still worked perfectly. The app no longer works. The app was always a subscription service. There was an offer to swap (for free) with another bike, which continues to let you pay for another subscription service for similar or better functionality.

I'm all for hacking your gadgets, and open APIs, but let's get a sense of perspective.

"I reverse engineered the data feed protocol on my spinner" would have made me click.

Reading into this - flywheel apparently stole patented ideas from peloton including streaming on demand exercise classes? And that's why their service is shutting down? How is that supposed to be a protectable/patentable concept? That sounds like some first class patent trolling at face value.

It wasn’t just patent infringement — they stole corporate documents and assets from Peloton Levandowski-style. There are other companies doing exercise streaming like Mirror which haven’t had to shut down so I don’t think this is some kind of massive patent roadblock for the industry.

There are other machines, like rowing machines, for which an open solution is hard to incentivise, since the machine, the app, and the sensors will all come from a single vendor.

I'm a little surprised, however, that Peloton, and Peloton-alikes ever happened because cyclists have training devices with open interfaces: Bikes, mounted on smart trainers that have standardized wireless links and protocols, connected to a choice of apps.

All it takes is taking the rear wheel off a bike. Or not even that for the most basic trainers, which clamp the rear axle and provide resistance to the rear tire. A fascinating case of a market segmentation that is less susceptible to being breached than one might think.

I have one of those Tacx trainers where you just put your bike in. It's a hassle. You need to use their own quick release to hold the bike in place. The cord with the gear shifter (which sets the resistance) is always somewhere where it's annoying the rider and the shifting control itself doesn't fit on all handle bars. It's also really noisy.

I have been tempted very often to just buy one of these ready to use training bikes because of the frustration of: put some yoga mat cut-outs underneath the Tacx to suppress the vibration of the spinning weight, get the bike from the cellar, exchange the quick release, store the old one somewhere where it's not getting lost, put the bike in place by its rear wheel, place the front wheel in a fixed position, get a fan to put in front of the bike trainer, mount the gear shifter, which clumsily hangs on the handle bar because my handle bar is too big. (It's a standard road bike handlebar)

Did I mention this thing was really loud?

I'm also sometimes worried about the fixed pressure on my carbon frame but I think that's actually unreasonable.

But they are quite cheap and they fold away. The next tier up 'wheel-off' trainers are much quieter. But you've still got all that faff (add chain oil to the mix when taking the rear wheel off) of getting the bike upstairs, the wheel off, mat down (for the sweat), position the fan etc. But I don't have a load of space so a dedicated exercise bike is a complete no.

By the way, clip the resistance switcher on the top of your front wheel rather than your handle bars. Fits well there and is out of the way but still reachable.

If the bike doesn't take you anywhere when you pedal it, it's still a brick.

There are standard BLE GATT attributes for reporting power output, cadence, etc. from indoor bikes (and tons of other standards for other fitness appliances, smart scales, blood sugar measurement devices, etc.). If the vendor had used these standard attributes there wouldn’t be any need for reverse engineering their protocol.

Moral of the story: choose appliances that support standard protocols.
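As an added example (not code from the article, the bike's vendor, or the commenter), here is an encoder and parser for the FTMS Indoor Bike Data characteristic (UUID 0x2AD2), the standard attribute the comment above has in mind for speed, cadence and power from an indoor bike. The field order and scaling follow the public FTMS specification; the sample packet is constructed, not captured from a real bike. The parser length-checks every optional field before reading it, which is what you want when the bytes arrive over a radio link you don't control, and the encoder is the shape a rebroadcasting bridge would use to re-emit a proprietary feed as a standard one.

```python
import struct


def _uint(b: bytes) -> int:
    return int.from_bytes(b, "little")


def _sint(b: bytes) -> int:
    return int.from_bytes(b, "little", signed=True)


# FTMS Indoor Bike Data (UUID 0x2AD2). Optional fields follow the 16-bit flags
# word in this fixed order and are present only when their flag bit is set.
# Bit 0 ("More Data") is inverted: instantaneous speed is present when CLEAR.
#   (flag bit, key, size in bytes, decoder)
OPTIONAL_FIELDS = [
    (1,  "avg_speed_kmh",   2, lambda b: _uint(b) * 0.01),
    (2,  "cadence_rpm",     2, lambda b: _uint(b) * 0.5),
    (3,  "avg_cadence_rpm", 2, lambda b: _uint(b) * 0.5),
    (4,  "distance_m",      3, _uint),                      # uint24
    (5,  "resistance",      2, _sint),
    (6,  "power_w",         2, _sint),
    (7,  "avg_power_w",     2, _sint),
    (8,  "energy",          5, lambda b: (_uint(b[0:2]), _uint(b[2:4]), b[4])),  # kcal total, /h, /min
    (9,  "heart_rate_bpm",  1, lambda b: b[0]),
    (10, "met",             1, lambda b: b[0] * 0.1),
    (11, "elapsed_s",       2, _uint),
    (12, "remaining_s",     2, _uint),
]


def parse_indoor_bike_data(pkt: bytes) -> dict:
    """Decode one notification. Raises ValueError on malformed input rather than
    reading past the end: a short packet from a buggy or hostile peripheral
    should be dropped, not turned into a bogus power value."""
    if len(pkt) < 2:
        raise ValueError("packet shorter than flags word")
    flags = _uint(pkt[0:2])
    pos = 2
    out = {}
    if not flags & 0x0001:            # "More Data" clear => instantaneous speed present
        if len(pkt) < pos + 2:
            raise ValueError("truncated before speed")
        out["speed_kmh"] = _uint(pkt[pos:pos + 2]) * 0.01
        pos += 2
    for bit, key, size, decode in OPTIONAL_FIELDS:
        if flags & (1 << bit):
            if len(pkt) < pos + size:
                raise ValueError(f"truncated before {key}")
            out[key] = decode(pkt[pos:pos + size])
            pos += size
    if pos != len(pkt):
        raise ValueError(f"{len(pkt) - pos} unexpected trailing byte(s)")
    return out


def encode_indoor_bike_data(speed_kmh=None, cadence_rpm=None,
                            power_w=None, heart_rate_bpm=None) -> bytes:
    """Build a notification carrying only the fields given, in spec order."""
    flags = 0
    body = b""
    if speed_kmh is None:
        flags |= 0x0001                # no speed => set "More Data"
    else:
        body += struct.pack("<H", round(speed_kmh / 0.01))
    if cadence_rpm is not None:
        flags |= 1 << 2
        body += struct.pack("<H", round(cadence_rpm / 0.5))
    if power_w is not None:
        flags |= 1 << 6
        body += struct.pack("<h", int(power_w))
    if heart_rate_bpm is not None:
        flags |= 1 << 9
        body += struct.pack("<B", int(heart_rate_bpm))
    return struct.pack("<H", flags) + body


if __name__ == "__main__":
    # Constructed sample: 32.5 km/h, 88 rpm, 215 W. Not a capture from a real bike.
    pkt = encode_indoor_bike_data(speed_kmh=32.5, cadence_rpm=88, power_w=215)
    print(pkt.hex())                   # 4400b20cb000d700
    print(parse_indoor_bike_data(pkt))
```

A consumer that follows the flag bits this way also copes with bikes that send more fields than it cares about, because every defined field has a known width and can be skipped; the only unrecoverable case is a packet shorter than its own flags promise, which is rejected outright.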

Some interesting info here. I have a Garmin speed sensor and a “dumb” mag trainer (CycleOps Mag). Given the trainer's known resistance curve, I was thinking about trying to come up with a script to approximate power based on speed.

Basically I want a home brew alternative for Zwift and TrainerRoad virtual power.

That would be a cool project. Do you already know the resistance curve, or you're just saying SOMEONE knows it? I'd worry that it would be impacted by heat, but perhaps not significantly.

I've got a Peloton, have a Stages power crank on my road bike, and previously had Favero Assioma power meter pedals (highly recommended product BTW). I ran the pedals on the Peloton for a few rides to get a feeling for how close the calibration was. (surprisingly close, in my case).

Saris (now owner of CycleOps) has an approximate graph on their blog. It’s probably not very accurate, but I could probably get close enough by taking some “known” points, some approximations and applying some math to the problem.

The other option is to see if I can dig into the Zwift or TrainerRoad code. Both of those applications support “virtual power” for this specific trainer. Which is another way of saying that SOMEONE knows it. I’m sure that Saris actually shared the exact curve with Zwift and TrainerRoad, but I’m not sure they’d share it with me.
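As an added example (not the commenter's code, and not anything from Saris, Zwift or TrainerRoad), this sketch shows the two halves of a homebrew virtual-power script: decoding the standard CSC Measurement characteristic (UUID 0x2A5B) that a BLE speed sensor notifies, turning successive cumulative-revolution counts into wheel speed, and mapping speed to watts by interpolating a speed/power table. The wheel circumference and the table values are constructed placeholders, not the real CycleOps Mag curve, and the sample packets are constructed too.

```python
import struct

# Assumed 700x25c wheel; a real script would read this from config.
WHEEL_CIRCUMFERENCE_M = 2.105

# Placeholder (speed km/h, power W) points. NOT the real CycleOps Mag curve;
# substitute points read off the manufacturer's published graph.
POWER_CURVE = [(0, 0), (10, 40), (20, 110), (30, 220), (40, 390), (50, 620)]


def parse_csc_measurement(pkt: bytes) -> dict:
    """Decode a CSC Measurement notification (UUID 0x2A5B).
    Layout: flags u8 | [wheel revs u32, wheel event time u16] |
            [crank revs u16, crank event time u16]
    Event times are in 1/1024 s and wrap at 65536."""
    if len(pkt) < 1:
        raise ValueError("empty packet")
    flags, pos, out = pkt[0], 1, {}
    if flags & 0x01:
        if len(pkt) < pos + 6:
            raise ValueError("truncated wheel data")
        out["wheel_revs"], out["wheel_time"] = struct.unpack_from("<IH", pkt, pos)
        pos += 6
    if flags & 0x02:
        if len(pkt) < pos + 4:
            raise ValueError("truncated crank data")
        out["crank_revs"], out["crank_time"] = struct.unpack_from("<HH", pkt, pos)
        pos += 4
    if pos != len(pkt):
        raise ValueError("unexpected trailing bytes")
    return out


def wheel_speed_kmh(prev: dict, cur: dict, circumference_m=WHEEL_CIRCUMFERENCE_M):
    """Speed from two successive wheel samples. Returns None when no new wheel
    event has occurred (same timestamp) so the caller can hold the last value
    instead of emitting a bogus zero. Masks handle counter and timer wrap."""
    d_revs = (cur["wheel_revs"] - prev["wheel_revs"]) & 0xFFFFFFFF
    d_ticks = (cur["wheel_time"] - prev["wheel_time"]) & 0xFFFF
    if d_ticks == 0:
        return None
    return d_revs * circumference_m / (d_ticks / 1024.0) * 3.6


def crank_cadence_rpm(prev: dict, cur: dict):
    """Same idea for a crank (cadence) sensor using the crank fields."""
    d_revs = (cur["crank_revs"] - prev["crank_revs"]) & 0xFFFF
    d_ticks = (cur["crank_time"] - prev["crank_time"]) & 0xFFFF
    if d_ticks == 0:
        return None
    return d_revs / (d_ticks / 1024.0) * 60.0


def virtual_power_w(speed_kmh: float) -> float:
    """Piecewise-linear interpolation on POWER_CURVE, clamped at both ends so a
    spurious speed spike cannot extrapolate into absurd wattage."""
    if speed_kmh <= POWER_CURVE[0][0]:
        return float(POWER_CURVE[0][1])
    if speed_kmh >= POWER_CURVE[-1][0]:
        return float(POWER_CURVE[-1][1])
    for (s0, p0), (s1, p1) in zip(POWER_CURVE, POWER_CURVE[1:]):
        if s0 <= speed_kmh <= s1:
            return p0 + (p1 - p0) * (speed_kmh - s0) / (s1 - s0)
    raise AssertionError("POWER_CURVE must be sorted by speed")


if __name__ == "__main__":
    # Constructed packets from a wheel-only sensor: 1000 revs at t=0,
    # then 1004 revs one second (1024 ticks) later.
    a = parse_csc_measurement(bytes.fromhex("01e80300000000"))
    b = parse_csc_measurement(bytes.fromhex("01ec0300000004"))
    v = wheel_speed_kmh(a, b)
    print(f"{v:.2f} km/h -> {virtual_power_w(v):.1f} W")   # 30.31 km/h -> 225.3 W
```

Two things worth keeping from this even if the curve is replaced: the deltas are masked to the field width, because the revolution counter and the 1/1024 s timer both wrap, and a repeated timestamp yields None rather than zero so a missed notification does not register as a stop.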

Wow, I love expensive equipment that can’t work once the company goes out of business. If you want to have a subscription based hardware device the hardware should be free.

You left out step 3 on your ToDo list: 3) Spoof the data to the social media apps and make yourself into a super-human athlete!

(Probably best done with a different account.)

The 2k exercise bike aside, this is a brilliant article. I love reading stuff like this and wish I had the smarts/knowledge to do this sort of thing.

This is the kind of article I love to see on HN. Someone had an issue with a product and solved it using clever technical skills and deep dives.

An escalator can never break: it can only become stairs. You should never see an Escalator Temporarily Out Of Order sign, just Escalator Temporarily Stairs. Sorry for the convenience.

Mitch Hedberg

They can fail quite spectacularly: https://www.youtube.com/watch?v=o1SjQfwLieU

Sometimes they eat people too :(

Somebody has no sense of humor...

We have a much shorter expression in my mother tongue, Turkish: we call stairs "merdiven" and escalators "yürüyen merdiven", so "Escalator Temporarily Stairs" becomes "yürümeyen merdiven".

Imagine inventing the wheel and expecting that in the distant future, the wheel itself would stop working because of a stupid reason like this.

Why would a bicycle need a subscription service?

I'm fairly open-minded, but sometimes a product comes along and blows me away with how preposterous its central pitch is.

And then I discover there is actually a market for it, and I am further dismayed... And amazed at the robustness of Say's Law.

Anyway, this bike and the whole associated product is preposterous.

> a $2k bike

Maybe that's your problem right there. Get a simple bike, leave the house (ok, I know there's Corona, I didn't say congregate), find someplace planar, and cycle in the real world.

In Amsterdam, a decent used bike will cost you the equivalent of 80 USD, maybe less.

Amsterdam also has a large public cycling culture, with a public infrastructure to support public cycling

It also has a climate geared more towards outdoor cycling.

Not everyone has one or both of those factors, making indoor cycling more reliable, safer, and more enjoyable

If he's using such a training bike with the intent of using a service such as Zwift, I'd expect the author to already have a decent road bike and that the training bike is more of bad weather, winter and easy access to fitness workouts without having to deal with traffic.

But even if he doesn't have a bike yet, he most likely would ride a road bike and you don't get that for 80 bucks.

I agree though, riding bikes is extremely underrated, no matter where you live.
