A few months ago I wrote about how Echelon firmware updates were breaking compatibility with QZ. Devices were still connecting, Bluetooth looked fine, but no real data was coming through anymore. Power, cadence, speed everything that matters was gone.
This wasn’t random. Something had clearly changed in the initialization phase.
So I started digging.
The first step was understanding what the official Echelon app was doing differently. That meant capturing traffic, replaying sequences, isolating writes, and figuring out which parts actually mattered and which ones were just noise.
It quickly became obvious that the bike wasn’t “broken” at all. It was just waiting.
Waiting for something very specific.
An unlock.
At that point, there are two ways to proceed. You can try to fully reverse engineer the protocol and replicate everything the app does… or you can take a step back and look for a simpler angle.
The key insight was this: I don’t need to recreate the unlock logic if I can just get the unlock itself.
So instead of talking directly to the bike, I inverted the setup.
I made QZ behave like the bike.
Then I let the official Echelon app connect to it.
Now the roles are flipped: instead of trying to imitate the app, I let the app reveal exactly what it sends during initialization. The unlock code comes out naturally, because that’s what the app is designed to do.
QZ captures it, forwards it to the real bike, and that’s it, the device is unlocked and starts streaming data again.
No guessing. No brute force. No incomplete emulation.
After all the reverse engineering work, the final solution was just placing myself in the middle of the conversation and letting the system expose its own secret.
Power, cadence, speed everything comes back immediately, because the bike is now in the exact state it expects.
What looked like a closed system wasn’t really closed.
It just assumed no one would think to sit between the app and the hardware.
It’s now in beta on version 2.21, send me an email to roberto.viola83@gmail.com if you need more information.