Echelon fitness firmware lockout

QZ & cross-platform compatibility

QZ (qdomyos-zwift) was created in September 2020 by Italian software engineer Roberto Viola.^[1] The application functions as a Bluetooth bridge that intercepts proprietary communications from closed fitness devices & translates them into standard protocols compatible with other mainstream fitness platforms.

For almost five years, QZ maintained compatibility with Echelon devices. Viola notes that the app "helped Echelon sell tens of thousands of bikes" by making them compatible with multiple training platforms. Viola also personally recommended the Echelon as the "best indoor bike on the market."^[2] Prior to the incident, Echelon's official marketing materials explicitly promoted third-party compatibility. Their FAQ stated devices were designed to give users "the flexibility to use your favorite devices" & specifically mentions "third party apps you can use as well."^[3]

Echelon's business model

Echelon Fitness markets connected fitness equipment ranging from $500 entry-level models to $2,495 premium bikes. The company operates a subscription service priced between $29.99-$39.99 monthly or $399.99-$699.99 annually for access to live & on-demand fitness content.^[3]

In July 2025, Echelon pushed a firmware update that implemented a server-based authentication system. The new system requires devices to:

• Connect to Echelon's servers during startup
• Receive a temporary, rotating unlock key for device operation
• Maintain internet connectivity for basic functionality
• Block all third-party Bluetooth communications without server validation^[2]

According to Viola's technical analysis, the update is "non-reversible" - once installed, users cannot downgrade to previous firmware versions.^[2]

Technical implementation

The firmware creates a boot-time server handshake requirement before any functionality is enabled. Devices send authentication requests to Echelon servers, which respond with rotating unlock keys. Without successful validation, devices become completely non-functional, including for basic manual workouts.^[2]

The system specifically targets third-party apps through Bluetooth access control that only activates after server authentication. This hardware-level lockout cannot be bypassed through software means, effectively transforming ownership into a subscription-based permission model.^[2]

Impact on third-party applications

The firmware update completely blocks QZ & similar third-party applications from communicating with Echelon devices. This affects not only advanced features like automatic resistance control, but also prevents basic manual workouts without internet connectivity & server approval.^[2]

Financial losses

Users who purchased Echelon devices specifically for third-party compatibility are affected:

• Hardware investments ranging from $500 to $2,495 for devices
• Subscription costs of $29.99-$39.99 monthly to regain functionality
• Loss of free or alternative platform access previously enabled by QZ^[2]

One affected UK user commented:

"This is infuriating. I paid £1,199 for a bike in 2020, & a further £399 for 2 years of classes, so surely what I choose to do with the hardware I purchased outright is none of their business!"^[2]

Elimination of offline functionality

The update removes all offline workout capabilities, requiring constant internet connectivity for any device operation. Users report being unable to perform basic manual workouts without server validation.^[2]

Press release

On July 29, 2025, Echelon issued a press release announcing the implementation of "comprehensive security enhancements" including jailbreak detection mechanisms to prevent unauthorized access to their equipment.^[5] The company specifically targeted QZ developer Roberto Viola, describing him as a "bad actor" who "attempts to bypass Echelon's fitness ecosystem" by charging users $6.99 for access to unauthorized connections.

Echelon announced they are "actively reviewing legal action under the Digital Millennium Copyright Act (DMCA) and other applicable laws" against third-party applications. The company stated that customers using applications like QZ would have their warranties voided for violating terms of service and "compromising the secure operation" of products.

CEO Lou Lentine framed the issue as protecting American intellectual property from "foreign individuals and entities," stating:

"There are a few bad actors in the global marketplace who are constantly trying to shortcut the investments made by Echelon and other American companies—through fraud, copying, and stealing."

Concurrent with blocking third-party access, Echelon announced a new "Authorized Partnership Program" for companies seeking approved connections to their equipment. The program offers access to official APIs and developer support, though no timeline or application process was provided.

Echelon repositioned their offerings around two tiers:

• Freestyle Mode - Described as "no charge" but requires internet connectivity for "secure sign-in authentication"
• Premium Streaming Plans - Subscription plans starting at $19.99 monthly for access to classes and features

The press release did not address the removal of offline functionality or the impact on existing customers who had purchased devices with advertised third-party compatibility.

After the initial publicisation of the story, Louis Rossmann released a $20,000 bounty^[6] for anyone who could create a method to bypass the restrictions placed on Echelon bikes. In August, the winner of the bounty was announced,^[7] however the solution used to claim the bounty was not released. Louis Rossmann stated that the reason for not releasing was the impact of a US law (17 U.S. Code § 1201), which prevents the sharing of methods used to bypass a technological measure designed to manage access to a product.^[8]

Immediate actions

The following reccomendations for affected users were made by Roberto Viola:

• avoid all firmware updates & disable automatic updates
• delete Echelon app to prevent forced updates
• make sure tablets can't access internet independently
• document current functionality for potential claims^[2]

If it prompts you to install a firmware update on reboot, you may avoid this by rebooting the bike again, then, in WiFi settings at the first opportunity, entering a custom SSID and leaving it blank. For some reason, this appears to be the only way to get it to switch from an existing connection. You will need to enter your actual WiFi details again on the member login screen.

• Roberto Viola's detailed technical analysis
• QZ (qdomyos-zwift) GitHub repository
• GitHub Issue #1752 - Echelon connection problems
• iFIT Class Action Settlement Information