Engineer Benjamen Lim has been laborious at work saving quite a few smartwatches from the scrapheap — by reverse engineering them to the purpose of having the ability to set up a personalized firmware.
“A while in the past, I used to be assigned a consignment of good watches with geolocating capabilities that had been being mothballed after a trial,” Lim explains of the origin of the {hardware} thus focused. “I used to be decided to search out some use for them and thus started my journey of reverse engineering a smartwatch! The watches as delivered had been bare-bones and had a single web page of directions on the way to cost and use them. Every field contained a single charger and a watch. There have been no READMEs, web sites, or developer portals.”
Once you’ve been handed a consignment of scrapped smartwatches, it is time to escape the debugging instruments. (📷: Benjamen Lim)
The watches weren’t precisely cutting-edge: a monochrome show with a capacitive layer acts as a single-button enter, with a heart-rate sensor on the rear and an inner accelerometer offering well being and exercise knowledge respectively. Inner investigation of 1 watch — a damaging course of, because of the waterproof housing — revealed a Nordic nRF52832 Bluetooth system-on-chip, an Espressif ESP8285 Wi-Fi microcontroller, and a SIMCom mobile transceiver with International Navigation Satellite tv for pc System (GNSS) capabilities.
“From the structure,” Lim explains, “the nRF52832 was the gadget’s primary IC [Integrated Circuit], and used the Wi-Fi chip to scan for native Wi-Fi Entry Factors (APs). The nRF52832 additionally communicated with the SIMCom gadget over UART and issued instructions to speak with the cellular community. Realizing that, I targeted my efforts on I used to be in search of any UART or uncovered programming pins on the nRF52832, because it was primary IC and people connections are generally used to work together with the microcontroller.”
Lim gained entry to JTAG pins, dumped the firmware, and set about patching it for communication to a server below his management. (📷: Benjamen Lim)
Lim found that the chip’s JTAG pins had been linked to copper contacts on the skin of the housing, designed to mate with a bundled charging dock. The dock then linked these to the information strains on a micro-USB port — that means Lim might acquire entry to JTAG debugging with out destroying a watch just by splicing a USB cable and connecting it to an unmodified dock.
“Whereas having the ability to observe the debug output was very helpful, nevertheless, as there was no enter configured for the RTT module, so there was no solution to ship instructions to the watch,” Lim notes. “Nonetheless, the output confirmed my earlier assumptions about how the watch was linked internally. After just a few exploratory makes an attempt at sending instructions over JLink, I made a decision to check out the firmware. With my JLink hooked up, I used to be in a position to dump the firmware utilizing nrfjprog with the –readcode and –readram flags.”
As soon as patched, the firmware may very well be flashed on any of the watches to hyperlink it to Lim’s server. (📷: Benjamen Lim)
With a dump of the firmware in-hand, Lim fired up the Ghidra reverse engineering device, decompiling it to find the place the firmware saved an IP tackle, which he assumed corresponded to the distant server gathering knowledge from every watch. By modifying this within the firmware, Lim was in a position to create a patched model that may talk with the server of his selection — flashing it again to the unprotected watches and receiving their knowledge in return.
The total venture write-up is offered on Lim’s Medium weblog.