Categories: IoT

Benjamen Lim Saves Some Smartwatches From the Scrapheap with a Little Reverse Engineering



Engineer Benjamen Lim has been hard at work saving a lot of smartwatches from the scrapheap, by reverse engineering them to the point of being able to install a custom firmware.

“A while ago, I was assigned a consignment of smart watches with geolocating capabilities that were being mothballed after a trial,” Lim explains of the origin of the hardware thus targeted. “I was determined to find some use for them and thus began my journey of reverse engineering a smartwatch! The watches as delivered were bare-bones and had a single page of instructions on how to charge and use them. Each box contained a single charger and a watch. There were no READMEs, websites, or developer portals.”

The watches weren’t exactly cutting-edge: a monochrome display with a capacitive layer acts as a single-button input, with a heart-rate sensor on the rear and an internal accelerometer providing health and activity data respectively. Internal investigation of one watch, a destructive process owing to the waterproof housing, revealed a Nordic nRF52832 Bluetooth system-on-chip, an Espressif ESP8285 Wi-Fi microcontroller, and a SIMCom cellular transceiver with Global Navigation Satellite System (GNSS) capabilities.

“From the layout,” Lim explains, “the nRF52832 was the device’s main IC [Integrated Circuit], and used the Wi-Fi chip to scan for local Wi-Fi Access Points (APs). The nRF52832 also communicated with the SIMCom device over UART and issued commands to communicate with the mobile network. Knowing that, I focused my efforts on looking for any UART or exposed programming pins on the nRF52832, as it was the main IC and those connections are commonly used to interact with the microcontroller.”

Lim discovered that the chip’s JTAG pins were connected to copper contacts on the outside of the housing, designed to mate with a bundled charging dock. The dock then connected these to the data lines on a micro-USB port, meaning Lim could gain access to JTAG debugging without destroying a watch simply by splicing a USB cable and connecting it to an unmodified dock.

“While being able to observe the debug output was very useful, there was no input configured for the RTT module, so there was no way to send commands to the watch,” Lim notes. “Nonetheless, the output confirmed my earlier assumptions about how the watch was connected internally. After a few exploratory attempts at sending commands over JLink, I decided to take a look at the firmware. With my JLink attached, I was able to dump the firmware using nrfjprog with the --readcode and --readram flags.”

With a dump of the firmware in hand, Lim fired up the Ghidra reverse engineering tool, decompiling it to locate where the firmware stored an IP address, which he assumed corresponded to the remote server collecting data from each watch. By modifying this in the firmware, Lim was able to create a patched version that would communicate with the server of his choice, flashing it back to the unprotected watches and receiving their data in return.
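As an added illustration (not code from the article or from Lim's write-up), the sketch below audits a raw flash image for hard-coded IPv4 endpoints of the kind described above and reports each one with its address and the string it sits in. It assumes the dump has been converted to a raw binary and that the address is stored as ASCII text; the function names and the sample image, including its AT-command string, are constructed for this example.

```python
import ipaddress
import re

# Dotted quad not embedded in a longer digit/dot run (skips "1.2.3.4.5").
_IPV4 = re.compile(rb"(?<![0-9.])\d{1,3}(?:\.\d{1,3}){3}(?![0-9.])")


def _printable_run(image: bytes, start: int, end: int) -> str:
    """Widen [start, end) to the enclosing run of printable ASCII bytes."""
    while start > 0 and 0x20 <= image[start - 1] < 0x7F:
        start -= 1
    while end < len(image) and 0x20 <= image[end] < 0x7F:
        end += 1
    return image[start:end].decode("ascii")


def find_hardcoded_ipv4(image: bytes, base: int = 0):
    """Return (address, ip, surrounding_string) for each ASCII IPv4 literal.

    `base` is the load address of the image; nRF52 flash starts at 0x0,
    so for a code-region dump the file offset is also the address.
    """
    hits = []
    for m in _IPV4.finditer(image):
        try:
            ip = ipaddress.IPv4Address(m.group().decode("ascii"))
        except ipaddress.AddressValueError:
            continue  # octet out of range, e.g. 999.1.1.1
        hits.append((base + m.start(), str(ip),
                     _printable_run(image, m.start(), m.end())))
    return hits


# Constructed sample image (not real firmware): filler bytes, one endpoint
# string using a documentation-range address, and two decoys.
SAMPLE = (b"\x00\x20\x00\x20" + b"\xff" * 12
          + b'AT+CIPSTART="TCP","203.0.113.10",8883\x00'
          + b"fw 1.2.3.4.5\x00" + b"\x10\xb5\x04\x46"
          + b"gw=999.1.1.1\x00")

if __name__ == "__main__":
    for addr, ip, ctx in find_hardcoded_ipv4(SAMPLE):
        print(f"0x{addr:08x}  {ip:15}  {ctx!r}")
```

A four-part version string such as `1.2.3.4` still matches the pattern, which is why each hit carries its surrounding string for the analyst to judge.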

The full project write-up is available on Lim’s Medium blog.


Published by
Uncomm
