Orbea Rise free all the data via ANT+

mitea

Member
Sep 10, 2022
135
95
Switzerland - LU
Hi there

As most of you might know, the Orbea Rise offers only limited ANT+ access to some Garmin devices (which imo as a Wahoo user sucks 😅). However there might be a way to change that.

The Shimano EP8 also has a regular Bluetooth connection that is used for communication with the Shimano apps. Lots of data is transferred via this connection such as speed, cadence, battery%, support level, power and so on.

As I'm a professional software developer my idea is to develop a small dongle that aggregates all data that's available via Bluetooth and makes it accessible via regular ANT+ connection/profiles. So any ANT+ capable device will be able to access and record that data!

Big problem at the moment is that I don't own a Rise. I think I will buy one if I developed that dongle. I already sniffed the Bluetooth connection on a rental bike but it seems that Shimano is using their own proprietary Bluetooth services and characteristics.

First challenge would be to decipher the data that is transferred via these services and characteristics.

The development of such a dongle later won't be a big problem as this will be just a doing for me.

So my question to you all:

Is there anybody who is interested in that project and willing to help me decipher the data protocol of Shimano?

Maybe anybody there who already used nRF Connect and Wireshark once? Or even better some hacker/hobbyist here who already deciphered the protocol and is willing to share his/her knowledge with me regarding that?

Looking forward to hearing from you!

Edit:

Orbea Rise Shimano EP8 BLE Services overview

Nordic UART Service (6e400001-b5a3-f393-e0a9-e50e24dcca9e)
- RX Characteristic [R W] (6e400002-b5a3-f393-e0a9-e50e24dcca9e)
- TX Characteristic [N R] (6e400003-b5a3-f393-e0a9-e50e24dcca9e)


Unknown Service (000018ff-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [I SW W] (00002af3-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [R] (00002af4-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [W] (00002af5-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [R] (00002af6-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [R W] (00002af7-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [R W] (00002af8-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [N] (00002af9-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [W WNR] (00002afa-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [N] (00002afb-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [W WNR] (00002afc-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [N] (00002afd-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [W] (00002afe-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [W] (00002aff-5348-494d-414e-4f5f424c4500)

Unknown Service (000018fe-1212-efde-1523-785feabcd123)
- Unknown Characteristic [R] (00002ae2-1212-efde-1523-785feabcd123)
- Unknown Characteristic [R] (00002ae3-1212-efde-1523-785feabcd123)
--> MAC Address emtb/emtbDelegate.mc at 4667c43fee062969f598ad3a3d960ded9aaaf304 · markdotai/emtb

Battery Service (0x180F)
- Battery Level [N R] (0x2A19)
Client Characteristic Configuration (0x2902)

Unknown Service (000018ef-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [I R] (00002ac0-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [N] (00002ac1-5348-494d-414e-4f5f424c4500)
--> Modes emtb/emtbDelegate.mc at 4667c43fee062969f598ad3a3d960ded9aaaf304 · markdotai/emtb
- Unknown Characteristic (00002ac2-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [I R] (00002ac3-5348-494d-414e-4f5f424c4500)
- Unknown Characteristic [I W] (00002ac4-5348-494d-414e-4f5f424c4500)
 

LeeS69

Member
Aug 27, 2022
94
104
Yorkshire
Must admit it's annoying they seem to have sided with Garmin, I binned my Garmin and went Wahoo a few years ago and it's miles better! Speed and cadence would be very nice to have
 

BeBiker

Active member
Aug 26, 2020
661
404
Belgium
As I'm a professional software developer my idea is to develop a small dongle that aggregates all data that's available via Bluetooth and makes it accessible via regular ANT+ connection/profiles. So any ANT+ capable device will be able to access and record that data!

I have the same profile, and had the same idea.

A few downsides are that developing a similar interface from scratch easily brings 10K in salary when done for an employer, and regular updates to keep compatibility with the Bosch/Shimano undocumented and unplanned updates can become a challenge.

And if then suddenly Bosch/Shimano sees the light and stops refusing to integrate the $5 ANT+ module in the bike,...


mark.ai

E*POWAH Master
Patreon
Jul 10, 2018
828
594
Windermere

The source files in one of my GitHub projects contain some info on the BLE format used by Shimano STEPS, if it’s useful: GitHub - markdotai/emtb: A data field allowing Garmin watches to show information about a Shimano STEPS e-bike.
Feel free to ask me any questions on it.

Can your Wahoo connect to BLE directly or only ANT+?
 

mitea

I have the same profile, and had the same idea.

A few downsides are that developing a similar interface from scratch easily costs 10K in salary when done for an employer, and regular updates to keep compatibility with the Bosch/Shimano undocumented and unplanned updates can become a challenge.

And if then suddenly Bosch/Shimano sees the light and stops refusing to integrate the $5 ANT+ module in the bike,...
Yeah, maintaining the codebase will be another topic to solve. But I don't see it as a reason not to do it.

Developing fw costs will be free as I (and maybe other volunteers) will do it.

Hardware costs should also be very low since I think we might use something like Adafruit's Bluefruit Feather.

I have experience with the nRF chips and Bluetooth. They are also ANT+ capable. Question is if they can run both stacks at the same time.

And I mean in the end if they start to integrate other devices via ANT+ then I'm also fine. It should serve the biker in the end. Even if this project was the tipping point. I think they already use a proprietary ANT+ Profile for Garmins. Or are they connected via Bluetooth?

Do you have a Rise and experience with Wireshark?
 

mitea

The source files in one of my GitHub projects contain some info on the BLE format used by Shimano STEPS, if it’s useful: GitHub - markdotai/emtb: A data field allowing Garmin watches to show information about a Shimano STEPS e-bike.
Feel free to ask me any questions on it.

Can your Wahoo connect to BLE directly or only ANT+?
Great stuff, I have to check that in detail later. Thanks so far.

Wahoo supports both. However the problem is that Shimano doesn't use the standard Bluetooth services such as Cycling Speed and Cadence.

Instead they are using a handful of proprietary Services. Not sure if this is only the case for the EP8 RS as used in the Orbea Rise.
 

BeBiker

Yeah, maintaining the codebase will be another topic to solve. But I don't see it as a reason not to do it.

Developing fw costs will be free as I (and maybe other volunteers) will do it.

Hardware costs should also be very low since I think we might use something like Adafruit's Bluefruit Feather.

I have experience with the nRF chips and Bluetooth. They are also ANT+ capable. Question is if they can run both stacks at the same time.

And I mean in the end if they start to integrate other devices via ANT+ then I'm also fine. It should serve the biker in the end. Even if this project was the tipping point. I think they already use a proprietary ANT+ Profile for Garmins. Or are they connected via Bluetooth?

Do you have a Rise and experience with Wireshark?
Yes, hardware costs can be kept low.
Wireshark is the first step into this field, I can't imagine anyone calling himself experienced, and not knowing this.

I don't know if Bluetooth is the right connection strategy to grab the data from the bike, I would use the CAN that provides the data to the display on my Bosch Cube, the chance to be sessionless and stateless is higher.

What does the Orbea Rise Shimano use between motor and display?
 

mitea

The source files in one of my GitHub projects contain some info on the BLE format used by Shimano STEPS, if it’s useful: GitHub - markdotai/emtb: A data field allowing Garmin watches to show information about a Shimano STEPS e-bike.
Feel free to ask me any questions on it.

Can your Wahoo connect to BLE directly or only ANT+?
Checked your code. This is some great help and starting point💪.

How did you find out which service characteristic contains the mode?

Did you simply reverse engineer using a sniffer and changing modes and check which byte switches? Or what was your approach?
 

mitea

Yes, hardware costs can be kept low.
Wireshark is the first step into this field, I can't imagine anyone calling himself experienced, and not knowing this.

I don't know if Bluetooth is the right connection strategy to grab the data from the bike, I would use the CAN that provides the data to the display on my Bosch Cube, the chance to be sessionless and stateless is higher.

What does the Orbea Rise Shimano use between motor and display?
The idea of using Bluetooth came for two reasons.

First: I thought they are using standard services such as CSCP which would be very easy to use and forward via ANT+ using LEV Profile or similar.

Second: Using Bluetooth no hardware changes on the bike are necessary. It should be very easy for everyone to use and install. Not sure how Shimano handles the warranty if they see some cables soldered on the CAN bus. And it saves some weight not using additional cables😅

The idea is to mount the dongle somewhere inside the carbon frame. However for power supply maybe some cable and soldering might be necessary anyway. Alternatively a small LiPo battery would also do the job. But then the dongle has to be placed somewhere you can turn it on/off and replace the battery. But with the power supply directly from the bike then the on/off switch is basically the on/off switch of the bike.

Nevertheless CAN Bus could also be a possibility. But even here somebody with a bike needs to sniff and decipher the data🤷‍♂️
 

BeBiker

I understand your approach. If the service under bluetooth is really straightforward,...why not.

On the Bosch there is an Accessory 12v port to power it, I'm sure the Shimano has something similar.
 

mark.ai

Did you simply reverse engineer using a sniffer and changing modes and check which byte switches? Or what was your approach?

Yes, exactly what you say, above 😀

The E7000, EP8, and EW-EN100 all seem to broadcast the same Bluetooth services. Whereas the E8000 display has a different format (which Shimano seem to have tried and then dropped for future devices.)
 

mitea

Yes, exactly what you say, above 😀

The E7000, EP8, and EW-EN100 all seem to broadcast the same Bluetooth services. Whereas the E8000 display has a different format (which Shimano seem to have tried and then dropped for future devices.)

I assume you have a Rise. Are you interested in doing even more reverse engineering? 😜
 

mark.ai

I assume you have a Rise. Are you interested in doing even more reverse engineering? 😜

I do have a Rise, but unfortunately not really interested currently, sorry - I just don't have the time now! The app I used initially (LightBlue) probably doesn't have any more information it can give about the services used. For the main chunks of data I had to write a custom app each time, and upload it to my watch, and then display info on the watch screen - it was very laborious and slow :)

Any Shimano e-bike will work just as well (it doesn't have to be a Rise) - so long as it doesn't have an E8000 display - since all the displays/junctions are swappable on all the bikes.
 

mitea

OK, I understand. Just for the next time you are doing some reverse engineering of BLE 😉 you could have used nRF Connect for that: nRF Connect for Mobile - Apps on Google Play

It shows you all the services and characteristics. The app can subscribe to characteristics that notify and gets updates in real time every time a notification is sent via BLE. So you would basically see in the app directly how the byte payload of a characteristic changes after some manipulation on the bike.
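
The byte-diffing approach discussed in this thread (change the assist mode, watch which byte of a notification changes), as an added example that is not part of any post or of the emtb project. The payload bytes are constructed for illustration and do not reflect the real Shimano format; `CAPTURE`, `classify_offsets` and `label_map` are hypothetical names.

```python
from collections import defaultdict

# Characteristic the first post annotates as "Modes" (notify).
MODES_CHAR = "00002ac1-5348-494d-414e-4f5f424c4500"

# Constructed capture: (mode selected on the bike, payload hex as copied from
# a notification log). The bytes are invented, not the real Shimano format.
CAPTURE = [
    ("off",   "01 00 5a 10 00 00"),
    ("off",   "01 00 5a 11 00 00"),
    ("eco",   "01 01 5a 12 00 00"),
    ("eco",   "01 01 59 13 00 00"),
    ("trail", "01 02 59 14 00 00"),
    ("boost", "01 03 59 15 00 00"),
    ("boost", "01 03 58 16 00 00"),
]


def classify_offsets(capture):
    """Label each byte offset: constant, tracks-label, or varies-independently."""
    rows = [(label, bytes.fromhex(hexstr)) for label, hexstr in capture]
    length = min(len(payload) for _, payload in rows)  # compare common prefix only
    result = {}
    for off in range(length):
        seen = defaultdict(set)  # label -> byte values observed at this offset
        for label, payload in rows:
            seen[label].add(payload[off])
        distinct = set().union(*seen.values())
        one_per_label = all(len(values) == 1 for values in seen.values())
        if len(distinct) == 1:
            result[off] = "constant"
        elif one_per_label and len(distinct) == len(seen):
            # Exactly one value per label and no value shared between labels.
            result[off] = "tracks-label"
        else:
            # Changes within a single label: counter, battery, speed, noise...
            result[off] = "varies-independently"
    return result


def label_map(capture, offset):
    """Value seen at `offset` for each label (meaningful for tracks-label offsets)."""
    return {label: bytes.fromhex(hexstr)[offset] for label, hexstr in capture}


if __name__ == "__main__":
    for off, kind in classify_offsets(CAPTURE).items():
        print(f"{MODES_CHAR} byte {off}: {kind}")
    print(label_map(CAPTURE, 1))
```

Capturing each mode more than once is what separates a mode byte from a counter or a slowly draining battery value, which would otherwise also look different between modes.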
 
