Engineer Benjamen Lim has been laborious at work saving plenty of smartwatches from the scrapheap — by reverse engineering them to the purpose of having the ability to set up a custom-made firmware.
“A while in the past, I used to be assigned a consignment of sensible watches with geolocating capabilities that had been being mothballed after a trial,” Lim explains of the origin of the {hardware} thus focused. “I used to be decided to search out some use for them and thus started my journey of reverse engineering a smartwatch! The watches as delivered had been bare-bones and had a single web page of directions on methods to cost and use them. Every field contained a single charger and a watch. There have been no READMEs, web sites, or developer portals.”
Once you’ve been handed a consignment of scrapped smartwatches, it is time to escape the debugging instruments. (📷: Benjamen Lim)
The watches weren’t precisely cutting-edge: a monochrome show with a capacitive layer acts as a single-button enter, with a heart-rate sensor on the rear and an inside accelerometer offering well being and exercise information respectively. Inner investigation of 1 watch — a damaging course of, due to the waterproof housing — revealed a Nordic nRF52832 Bluetooth system-on-chip, an Espressif ESP8285 Wi-Fi microcontroller, and a SIMCom mobile transceiver with World Navigation Satellite tv for pc System (GNSS) capabilities.
“From the format,” Lim explains, “the nRF52832 was the gadget’s most important IC [Integrated Circuit], and used the Wi-Fi chip to scan for native Wi-Fi Entry Factors (APs). The nRF52832 additionally communicated with the SIMCom gadget over UART and issued instructions to speak with the cellular community. Understanding that, I centered my efforts on I used to be on the lookout for any UART or uncovered programming pins on the nRF52832, because it was most important IC and people connections are generally used to work together with the microcontroller.”
Lim gained entry to JTAG pins, dumped the firmware, and set about patching it for communication to a server beneath his management. (📷: Benjamen Lim)
Lim found that the chip’s JTAG pins had been linked to copper contacts on the skin of the housing, designed to mate with a bundled charging dock. The dock then linked these to the info strains on a micro-USB port — that means Lim may achieve entry to JTAG debugging with out destroying a watch just by splicing a USB cable and connecting it to an unmodified dock.
“Whereas having the ability to observe the debug output was very helpful, nevertheless, as there was no enter configured for the RTT module, so there was no technique to ship instructions to the watch,” Lim notes. “Nonetheless, the output confirmed my earlier assumptions about how the watch was linked internally. After a number of exploratory makes an attempt at sending instructions over JLink, I made a decision to check out the firmware. With my JLink hooked up, I used to be in a position to dump the firmware utilizing nrfjprog with the –readcode and –readram flags.”
As soon as patched, the firmware could possibly be flashed on any of the watches to hyperlink it to Lim’s server. (📷: Benjamen Lim)
With a dump of the firmware in-hand, Lim fired up the Ghidra reverse engineering instrument, decompiling it to find the place the firmware saved an IP tackle, which he assumed corresponded to the distant server amassing information from every watch. By modifying this within the firmware, Lim was in a position to create a patched model that might talk with the server of his alternative — flashing it again to the unprotected watches and receiving their information in return.
The complete venture write-up is offered on Lim’s Medium weblog.