Dumping U8Plus Smartwatch ROM Via Vibration Motor

[Lee] continues with his exploration of the U8Plus (a cheap smartwatch). He hasn’t got it all cracked, yet, but he did manage to get a dump of the device’s ROM using an unusual method. At first, [Lee] thought that the JTAG interface (or, at least, the pins presumed to be the JTAG interface) would be a good way to explore the device. However, none of the people experimenting with the device have managed to get it to work.

Instead, [Lee] went through the serial bootloader and dumped the flash memory. He found out, though, that the bootloader refused to read the ROM area. It would, however, load and run a program. Unfortunately, no one has found how to access the UART device directly, but they have found how to drive the vibration motor.

[Lee] took off the vibration motor and used it as an output port for a simple program to dump the ROM. An Arduino picked up the data at a low baud rate and produced an output file. This should allow more understanding of how to drive the watch hardware.

We covered the initial teardown of this watch earlier this year. Of course, if you don’t want to reverse engineer a smartwatch, you could always build your own.

Cheap Smartwatch Teardown

A proper smartwatch can cost quite a bit of money. However, there are some cheap Bluetooth-connected watches that offer basic functions like show your incoming calls, dial numbers and display the state of your phone battery. Not much, but these watches often sell for under $20, so you shouldn’t expect too much.

Because they’re so cheap, [Lee] bought one of these (a U8Plus) and within an hour he had the case opened up and his camera ready. As you might expect, the biggest piece within was the rechargeable battery. A MediaTek MT6261 system on a chip provides the smart part of the watch.

Continue reading “Cheap Smartwatch Teardown”