Echelon fitness firmware lockout
A July 2025 firmware update pushed by Echelon Fitness retroactively blocked third-party fitness applications from connecting to their devices. The update affected users of QZ (qdomyos-zwift), an open-source bridging application that enables cross-platform compatibility with fitness platforms like Zwift, Peloton Digital, & others.
Background
QZ & cross-platform compatibility
QZ (qdomyos-zwift) was created in September 2020 by Italian software engineer Roberto Viola.[1] The application functions as a Bluetooth bridge that intercepts proprietary communications from closed fitness devices & translates them into standard protocols compatible with other mainstream fitness platforms.
For almost five years, QZ maintained compatibility with Echelon devices. Viola notes that the app "helped Echelon sell tens of thousands of bikes" by making them compatible with multiple training platforms. Viola also personally recommended the Echelon as the "best indoor bike on the market."[2] Prior to the incident, Echelon's official marketing materials explicitly promoted third-party compatibility. Their FAQ stated devices were designed to give users "the flexibility to use your favorite devices" & specifically mentioned "third party apps you can use as well."[3]
Echelon's business model
Echelon Fitness markets connected fitness equipment ranging from $500 entry-level models to $2,495 premium bikes. The company operates a subscription service priced between $29.99-$39.99 monthly or $399.99-$699.99 annually for access to live & on-demand fitness content.[3]
![Subscriptions from echelon's website [1]](/thumb.php?f=Echelon.png&width=300)
July 2025 firmware update
In July 2025, Echelon pushed a firmware update that implemented a server-based authentication system. The new system requires devices to:
- Connect to Echelon's servers during startup
- Receive a temporary, rotating unlock key for device operation
- Maintain internet connectivity for basic functionality
- Block all third-party Bluetooth communications without server validation[2]
According to Viola's technical analysis, the update is "non-reversible" - once installed, users cannot downgrade to previous firmware versions.[2]
Technical implementation
The firmware creates a boot-time server handshake requirement before any functionality is enabled. Devices send authentication requests to Echelon servers, which respond with rotating unlock keys. Without successful validation, devices become completely non-functional, including for basic manual workouts.[2]
The system specifically targets third-party apps through Bluetooth access control that only activates after server authentication. This hardware-level lockout cannot be bypassed through software means, effectively transforming ownership into a subscription-based permission model.[2]
Impact on third-party applications
The firmware update completely blocks QZ & similar third-party applications from communicating with Echelon devices. This affects not only advanced features like automatic resistance control, but also prevents basic manual workouts without internet connectivity & server approval.[2]
Consumer impact
Financial losses
Users who purchased Echelon devices specifically for third-party compatibility are affected:
- Hardware investments ranging from $500 to $2,495 for devices
- Subscription costs of $29.99-$39.99 monthly to regain functionality
- Loss of free or alternative platform access previously enabled by QZ[2]
One affected UK user commented:
"This is infuriating. I paid £1,199 for a bike in 2020, & a further £399 for 2 years of classes, so surely what I choose to do with the hardware I purchased outright is none of their business!"[2]
Elimination of offline functionality
The update removes all offline workout capabilities, requiring constant internet connectivity for any device operation. Users report being unable to perform basic manual workouts without server validation.[2]
Echelon's response
Echelon has not issued public statements regarding the July 2025 firmware update or its impact on third-party compatibility.[2][5]
Multiple media outlets, including Ars Technica, TechDirt, Slashdot, WebProNews, and 404 Media, have contacted Echelon for comment but have not received responses.[6]
The company's Terms of Service reserves rights to "modify the Services" without specific advance notification requirements.[7]
FULU Foundation bounty
After the story was first publicised, Louis Rossmann released a $20,000 bounty[8] for anyone who could bypass the restrictions placed on Echelon bikes. In August, the winner of the bounty was announced;[9] however, the solution used to claim the bounty was not released. Louis Rossmann stated that the reason for not releasing it was the impact of a US law (17 U.S. Code § 1201), which prevents the sharing of methods used to bypass a technological measure designed to manage access to a product.[10]
Consumer recourse
Immediate actions
The following recommendations for affected users were made by Roberto Viola:
- avoid all firmware updates & disable automatic updates
- delete Echelon app to prevent forced updates
- make sure tablets can't access internet independently
- document current functionality for potential claims[2]
If the bike prompts you to install a firmware update on reboot, you may avoid this by rebooting the bike again, then, in WiFi settings at the first opportunity, entering a custom SSID and leaving it blank. For some reason, this appears to be the only way to get the bike to switch from an existing connection. You will need to enter your actual WiFi details again on the member login screen.
References
- [1] Roberto Viola (22 July 2025). "How I Built QZ—and How Echelon Is Now Breaking It". Retrieved 23 July 2025.
- [2] Roberto Viola (22 July 2025). "How I Built QZ—and How Echelon Is Now Breaking It". Retrieved 23 July 2025.
- [3] "APP FAQs". Echelon Fit. Retrieved 23 July 2025.
- [4] "Choose your Premier Subscription – Echelon Fit US".
- [5] "Exercise Bike Company Yanks Features Away From Purchased Bikes Via Firmware Update". Techdirt. 30 July 2025. Retrieved 27 August 2025.
- [6] Jason Koebler (August 2025). "Developer Unlocks Newly Enshittified Echelon Exercise Bikes But Can't Legally Release His Software". 404 Media. Retrieved 27 August 2025.
- [7] "Terms and Conditions". Echelon Fit UK. Retrieved 23 July 2025.
- [8] Louis Rossmann (July 2025). "Fulu Foundation offers $20,000 bounty to repair Echelon firmware lockout". YouTube. Retrieved 27 August 2025.
- [9] Jason Koebler (August 2025). "Developer Unlocks Newly Enshittified Echelon Exercise Bikes But Can't Legally Release His Software". 404 Media. Retrieved 27 August 2025.
- [10] Louis Rossmann (27 August 2025). "I started an organization to dismantle the DMCA - here's why". YouTube. Retrieved 27 August 2025.