
Zwift Steering (Sterzo) pwned

I seldom, if ever, have used this word, but I feel it’s important to really emphasize what happened here. So here is the order of what I saw leading up to the release of this hack.

1. Zwift announces steering via gyro/magnetometer (unclear) on phones that you strap to your handlebars.
   1. I tried relentlessly to do this BUT Futureworks was Invite ONLY.
2. Elite announces the Sterzo, the “dumb” version of the product that will be coming out.
   1. Several forum posts indicated that people didn’t understand there were no electronics in it and felt cheated.
3. Zwift/Elite announces Sterzo Smart as the only way to activate steering now. Marketed under the Futureworks banner, which has previously been invite only. It’s a proprietary protocol, which is about as dumb as making a triangular wheel. Sure, it might sort of roll, but round ones are better and have existed for years (BLE Human Interface Devices, “HID”).
4. I contacted Zwift support asking how I get the steering icon; they did not give a clear answer after several emails. Eventually I just bought it from them to have someone to point blame at. Later I found in a forum that it will show IF and ONLY IF you have an actual Sterzo – concerning, as how would it do that?
5. Received my Sterzo. Not only is it proprietary, it doesn’t work (sort of). It won’t transmit steering angle.
6. BUT…. open Zwift and the steering icon shows up and it says ACTIVATING.
7. Wireshark BLE sniffing.
8. Reverse engineer the startup protocol.
9. Brute force gather the handshake codes (7 days, 65535 codes).
10. Add analog input and port Andy Lee’s code from GitHub to the newer SDK for nRF52 series chips.
11. Physically open the Sterzo to find out what is inside.
12. Connect to a programmer.
13. Find out the firmware isn’t locked, and read it back as proof of concept.
14. Find out which magnet orientation sensor they are using.

PHEW. Got that? It’s not that much work, but some of it would have taken me longer; luckily Andy helped me out on this. He did the simulator for Linux and the first pass on the BLE code. I mainly had to port some libraries to the newer SDK, do the makefile and config file stuff, and write a badly written ADC library.

I knew going into this it would be proprietary, and I have espoused my views publicly that that was stupid. Like “I don’t know Bluetooth” level stupid in technical terms. So it must have been driven by marketing, contracts, etc. The pencil pushers did it is the only answer. But they crossed the line. Garmin did it too.

So the Garmin thing. I had a few smart trainers plugged in, and every time I would start up my new Garmin Edge 530 it would say do you want to connect to a trainer. It was annoying. One was paired and one was not, but the one that was not it would always ask about. EVERY. SINGLE. TIME. The second trainer was needed for something else, and the Edge 530 had ruined several tests I was conducting because not only does it see it, IT TALKS TO IT WITHOUT TELLING YOU. However, after back and forth with Garmin several times without help, I figured out independently that if the activity profile has the RIDE TYPE as INDOOR, it will search for smart trainers without permission. In fact I pointed out to Garmin that their betas acknowledge this AND THEY REFUSED TO ACCEPT THAT IT DID. Once I figured it out, I said this is the response they should have given me – and they still refused to accept it was a problem. Even when their beta firmware spells out it’s working to fix that annoyance and I had a fix.

So I made a new indoor profile; its ride type is cyclocross and GPS is off, and now it does what I want. No more Garmin doing whatever they please.

So how does that relate to Zwift? Well, if you give Zwift access to your BLE, you figure you must hit scan for it to scan for a new sensor. But it added the steering icon. How? Well, it was already scanning, but not only that, it appeared to connect to the sensor to confirm it was a Sterzo, then disconnect. This is hard to replicate now for certain (because I now permanently have the steering icon), but see, the advertising packets don’t have enough info to fully define that it’s a Sterzo, so it had to connect to find out if the device had the characteristics necessary, ALL BEFORE it showed the steering icon.
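To make the point concrete, here is an added illustration (not code from this post, nor from Andy’s or my repos): a parser for the advertising payload a BLE peripheral broadcasts, run over a constructed sample rather than a capture of a real Sterzo. All an observer gets before connecting is flags, a name, service UUIDs and maybe vendor data; nothing about GATT characteristics or any handshake, which is exactly why an app has to connect to be sure what it found.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# AD type codes from the Bluetooth SIG assigned numbers (Generic Access Profile)
AD_FLAGS = 0x01
AD_INCOMPLETE_16BIT_UUIDS = 0x02
AD_COMPLETE_16BIT_UUIDS = 0x03
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09
AD_MANUFACTURER_DATA = 0xFF


@dataclass
class AdvReport:
    """Everything a scanner can learn from one advertisement without connecting."""
    flags: Optional[int] = None
    name: Optional[str] = None
    uuids16: List[int] = field(default_factory=list)
    manufacturer: Optional[bytes] = None


def parse_ad_structures(payload: bytes):
    """Split a legacy advertising payload (<= 31 bytes) into (ad_type, data) tuples."""
    i, out = 0, []
    while i < len(payload):
        length = payload[i]
        if length == 0:          # zero-length structure means padding; stop here
            break
        if i + 1 + length > len(payload):
            raise ValueError("AD structure runs past end of payload")
        out.append((payload[i + 1], payload[i + 2 : i + 1 + length]))
        i += 1 + length
    return out


def decode_advertisement(payload: bytes) -> AdvReport:
    rep = AdvReport()
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_FLAGS:
            rep.flags = data[0]
        elif ad_type in (AD_INCOMPLETE_16BIT_UUIDS, AD_COMPLETE_16BIT_UUIDS):
            # 16-bit UUIDs are little-endian on the air
            rep.uuids16 += [int.from_bytes(data[k:k + 2], "little") for k in range(0, len(data), 2)]
        elif ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            rep.name = data.decode("utf-8", errors="replace")
        elif ad_type == AD_MANUFACTURER_DATA:
            rep.manufacturer = bytes(data)
    return rep


# Constructed sample (assumed, not sniffed from a Sterzo): flags 0x06, name "STEERZ",
# and the standard Device Information service (0x180A) as the only advertised UUID.
SAMPLE_ADV = bytes([0x02, 0x01, 0x06, 0x07, 0x09]) + b"STEERZ" + bytes([0x03, 0x03, 0x0A, 0x18])
```

Run `decode_advertisement(SAMPLE_ADV)` and note that the report carries no characteristic list at all; that only exists after a connection and GATT discovery.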

It’s an analogy, but this is like using a webcam. You might give a piece of software like Skype or Zoom access to your webcam, but what about when it’s in the background? Is it taking pictures of you? Well, with Zwift the answer is yes. It’s using your BLE and making a fake sham of having to manually connect, because it already knows those sensors. Why are you scanning for stuff you have already been scanning for without telling me?

So this was what kicked off the pwning. See, if there was no handshake and it just showed the steering icon, I’d have reverse engineered it, made a 10 minute video and been done, but that’s not the case. They made it hard, they did nefarious things, and well, that means I needed to push it harder. I needed all those codes and I wanted to make a show of pulling its heart out – reading back its firmware. I have no use for it, I just wanted to show I can.

So watch me exploit the Sterzo and, with the help of Andy, the BLE wizard, we make our own! Enjoy.

11 comments

1. admin

   No Android app, not my wheelhouse. The code for the simulator and the nRF52 is on the GitHub links in the description of the video on YouTube.
