Reverse engineering the Tacx Bushido

TheĀ Bushido is a top of the range turbo trainer from Tacx. It consists of a brake unit based around an alternator which is linked to a head unit mounted on the handlebars using the ANT protocol. The head unit can be used alone, or linked to a PC using the ANT wireless protocol. From the PC the user can design training programs and log data such as the rider power output, heart rate, cadence etc.

Unfortunately the PC software is expensive, runs only on Windows and crashes frequently. This led Will and I to reverse engineer the protocol allowing full control over the turbo trainer without using the Tacx software. More details will follow shortly, but for now we have documented the protocol here.

Update 24/10/12: We have almost completely documented the brake to the computer protocol (see link to the wiki above) using a “man in the middle” approach developed by Will. It appears that the brake sends back much more data to the head unit than is actually made available to the user. A graph showing the data sent back from the brake is shown below. Whilst we’ve identified which values correspond to those displayed on the head unit, we’re still trying to figure out what some of the other quantities are. We’ve uploaded an example log of brake only communication here, and the data from the graph below here, if you are interested in helping.

Key:

A: Related to power somehow?

B: Power (confirmed)

C: Very similar to A, left/right version of?

D:Roller speed (rps) of brake? Note: Assuming roller radius of 30mm, at a speed of 30kmph the roller rotates at 45rps, which is in good agreement with this assumption.

E: Unknown

F: Unknown

G: Actual wheel speed (confirmed) – note wheel speed displayed on head unit is computed from power. Actual wheel speed is used to calculate distance.

H: Cadence (confirmed)

I: Pedalling balance (confirmed) – affects bar at bottom of head unit

L: Some sort of counter: Doesn’t affect distance on head unit. Resets when pedalling is stopped.

M: Brake temperature?

24 thoughts on “Reverse engineering the Tacx Bushido

  1. Pyt

    I own the Tacx Genius, do you know if the brake unit protocol is the same as the Bushido?
    I’d be happy to give you a hand if you need some help.

    Reply
  2. Liversedge

    Awesome work — let me know if I can help .. happy to code up support in GoldenCheetah once you’ve done the reverse engineering magic. This is very very cool :)

    Mark

    liversedge gmail com

    Reply
  3. Pyt

    @Will

    Hi Will, I messed around with my Genius and your code, Python is a bit new for me so I did my own thing in C#. I’m having trouble connecting to the Genius head unit & brake though. I’m successfully using AntWare to connect to a heart rate monitor strap, but I can’t connect to either the brake or head unit using a frequency value of 60 and a period of 4096 (as found in bushido.py). I’m wondering how you found the frequency and period for the Bushido, did you try random value or did you have a specific methodology?

    Reply
  4. Pyt

    @Will

    Ok I seem to have an issue with the device type id, Antware does not let me put a value of 213 (0xD5). I get the following error message:

    —————————
    Set Channel ID Failure
    —————————
    Bad Channel ID Parameters: Device type can not be greater than 127
    —————————
    OK
    —————————

    Any idea?

    Reply
  5. Will

    @Pyt

    Checking the ant protocol, I believe the actual device type id is contained within the first 7 bits of that number (bits 0 to 6), the 8th bit is a pairing request flag. Try with a device type id of 85 and the pairing checkbox ticked (for 0xd5).

    Reply
  6. Will

    @Pyt

    What are your other settings?

    Network key: 00-00-00-00-00-00-00-00
    Channel settings: Slave (no other options highlighted)
    device id: 0
    device type: 85
    transmission type: 1
    pairing flag checked

    channel period: 8hz
    radio freq. : 2460mhz

    (auto open)

    Otherwise, it has me stumped. If you have Tacx Training Software you could initialise a connection and sniff USB packets to/from the ant stick.

    Edit: Also, make sure the search timeouts are sufficiently large so that the channel isn’t automatically closed before you turn on the interface/brake.

    Reply
  7. Will

    Looks good to me, but…. They seem to have changed the device type to 0×55 and 0×53 for the interface and brake respectively (no pairing flag anymore). The device # seems to be the last 4 digits of the respective devices serial number. Don’t forget you can use wildcards (zeros) for device type/ device # though.

    It may be worth opening a channel in continuous scanning mode with that radio frequency.

    Reply
  8. Pyt

    You are the best! After I used last 4-digit as the device # it’s working. It also works when I set it to back to 0, which is weird because i’m 99.9% sure I tried that config before, maybe you need to connect to the device once using the ID…

    Here’s what I get, XX byte seems random.

    Waking up the headunit I receive this:
    Received BROADCAST_DATA_0x4E :: 4e, 00-00-00-F0-0F-0F-0F-6F-FA

    Pressing the middle/selection button:
    Received BROADCAST_DATA_0x4E :: 4e, 00-00-00-10-XX-00-00-00-00

    Pressing the right arrow:
    Received BROADCAST_DATA_0x4E :: 4e, 00-00-00-01-XX-00-00-00-00

    Pressing the bottom arrow:
    Received BROADCAST_DATA_0x4E :: 4e, 00-00-00-02-XX-00-00-00-00

    Pressing the left arrow:
    Received BROADCAST_DATA_0x4E :: 4e, 00-00-00-04-XX-00-00-00-00

    Pressing the top arrow:
    Received BROADCAST_DATA_0x4E :: 4e, 00-00-00-08-XX-00-00-00-00

    I don’t have the brake with me at the moment, I’ll do more tests when I get home.

    Reply
  9. Pyt

    Actually waking up the unit did not send “4e, 00-00-00-F0-0F-0F-0F-6F-FA” on subsequent tries, I’m not too sure what that is, maybe the serial # of the head unit?

    Reply
  10. Doug Post author

    Nice! Post up some logs of the connection between the head unit and the PC once you’ve got the brake connected!

    Reply
  11. Pyt

    Ok, so I’m trying to capture the signal from the pc, I have 2 laptops with an Ant+ stick in each one. One of them is running the Tacx software, the other is running Antware to listen for any devices on 2460 Mhz and 8Hz.
    I get signals from the brake and the head unit not problem, but I don’t get anything from the PC, are the settings similar (RF, Period)?

    Reply
  12. Will

    I may be wrong, but I think ANT filters out replies intended for another master before they are transmitted to the host.

    If you figure out which device (if not both) talks to the PC running Tacx, you can use an ant stick to pair with that device before it pairs with the pc. You then forward on on any messages received, to the PC and any replies, from the PC, to the device. This allows you to log all traffic coming through that node.

    I ended up receiving on one usb ant stick and transmitting on another, as there were lots of channel collisions using two channels on one stick (It may have worked but I went for the safe option).

    Reply
  13. Pyt

    Hi, sorry about the extended silence, in order to forward the messages from the pc to the device I would have to be able to communicate with the stick on the pc with the Tacx software, unfortunately I don’t seem to be able to do so. I’ve tried starting the Tacx software without any devices turned on and running Antware on a second laptop to log messages sent from the stick but I don’t receive anything, I guess it’s not using the same frequency and period…

    Reply
  14. Will

    @Pyt

    The computer running TTS is set up as a slave, so has to receive packets in order to transmit. If you set up an ant master which spoofs the device type of the brake/interface, TTS should pair with that device instead of the real brake/interface. You would then need to send it a recognised packet to get it to respond.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>