24 Hour Fitness, like most gyms, lets you sign in with a QR code -- this QR code is generated in their iOS app and is only valid for a few minutes.
I wanted to see if I could create a QR code without using the application.
QR Code format
The QR code format looks like this:
MBR01234567|1673568280102|4248F3FA-FDEE-478E-B23E-22C3286B2FA8
Member ID
The first part is your 8-digit member ID. This ID is assigned when you sign up for a membership.
Timestamp
The next part is a timestamp:
Using any epoch converter, we can see when this QR code was generated:
β Unknown ID β
The next part is where things get tricky - I don't know what this field actually is. It looks like it can be either some kind of hash or ID, but for what?
Format
This field consists of 32 hexadecimal digits, with 4 hyphens, for a total length of 36. The segment lengths are 8, 4, 4, 4, and 12.
Variation?
I checked this field across 10 days of QR codes, and it was the same every time. So if it does change, it's on an interval of larger than 10 days (maybe every month?), or, it doesn't change.
Hash?
Since the data portion is 32 characters long, and an MD5sum is also 32 characters long, my first idea was that it was an MD5sum of some kind. But, that begs the question, of what?
I tested the MD5sum of my membership ID and that didn't work, which makes sense, carrying both the membership ID and it's MD5sum wouldn't make much sense.
I also tried the MD5sum of my date of my birth, which didn't work.
Device identification?
My first thought was that this field somehow identifies the current device that you're using. This would mean that if you installed the 24 hour fitness app on another device and used that to generate a QR code, the devices would have different ID fields. I unfortunately don't have a second device to test that hypothesis with.
If this field is used for device identification, it begs the question of, how is the application able to uniquely identify your device?
For iOS at least, there's a specific UDID field.
However, my device UDID didn't match any part of this field, which rules out that possibility.
Top comments (0)