A broken Wahoo ELEMNT Bolt v3 sync led to reverse engineering its BLE protocol and unlocking a hidden dev mode with 3 bytes.
Key Takeaways
Decompiling the com.wahoofitness.bolt APK via jadx revealed CruxAppProfileType: retail units ship as STD (0); DEV (3) unlocks a debug menu.
The BOLT_CFG BLE characteristic has zero application-layer auth – no HMAC, nonce, or challenge-response; security relies only on BLE pairing.
Sending 0x01 0x42 0x03 over BLE (SEND_PREFS, config code 66, value 3) flips the device to DEV profile after reboot.
DEV mode enables ADB access, a web server on port 8080 with file browsing and GPS injection, plus a “CrashMe” button and nuclear factory reset.
The original sync bug was on the phone, not the Bolt – discovered only after the full reverse engineering detour.
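To make the missing-auth point concrete, here is an added example (not Wahoo's code, not from the write-up) that decodes the 3-byte SEND_PREFS frame as described and contrasts it with a hypothetical hardened handler: the device issues a one-time nonce and only applies a config write that carries an HMAC-SHA256 tag over nonce||frame under a pairing-derived key. The key, nonce length and tag layout are assumptions.

```python
import hashlib
import hmac
import os

# Frame layout from the write-up: opcode 0x01 (SEND_PREFS), config code 0x42 (66), value.
SEND_PREFS = 0x01
CFG_APP_PROFILE = 66
PROFILE_STD, PROFILE_DEV = 0, 3


def parse_prefs_frame(frame: bytes):
    """Decode an unauthenticated BOLT_CFG SEND_PREFS frame into (config_code, value)."""
    if len(frame) != 3 or frame[0] != SEND_PREFS:
        raise ValueError("not a 3-byte SEND_PREFS frame")
    return frame[1], frame[2]


class HardenedCfgHandler:
    """Hypothetical hardened device-side handler (assumption, not the real firmware).

    A write is only accepted if it follows a fresh challenge and its tag is
    HMAC-SHA256(key, nonce || frame). The nonce is consumed on first use, so a
    captured (frame, tag) pair cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key            # assumed to be derived from the BLE pairing
        self.nonce = None
        self.profile = PROFILE_STD

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def write(self, frame: bytes, tag: bytes) -> bool:
        if self.nonce is None:
            return False          # no outstanding challenge
        expected = hmac.new(self.key, self.nonce + frame, hashlib.sha256).digest()
        self.nonce = None         # single use, whether or not the tag verifies
        if not hmac.compare_digest(expected, tag):
            return False          # unauthenticated or replayed write is dropped
        code, value = parse_prefs_frame(frame)
        if code == CFG_APP_PROFILE:
            self.profile = value
        return True


def sign_frame(key: bytes, nonce: bytes, frame: bytes) -> bytes:
    """Legitimate client side: tag the frame for the current challenge."""
    return hmac.new(key, nonce + frame, hashlib.sha256).digest()
```

Without the tag the very same bytes the article describes are rejected, which is the gap the write-up identifies in the real characteristic.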
Hacker News Comment Review
Commenters flagged a classic debugging bias: effort concentrates near complex, poorly understood subsystems even when the actual fault is elsewhere – an inverse streetlight effect.
The punchline (phone was the culprit all along) landed as intended; no technical disputes raised against the BLE findings.
Notable Comments
@kjhughes: Names the pattern precisely – “inverse streetlight effect” – where complexity proximity pulls debugging effort away from the real fault.