[Lee] continues his exploration of the U8Plus (a cheap smartwatch). He hasn't got it all cracked yet, but he did manage to get a dump of the device's ROM using an unusual method. At first, [Lee] thought that the JTAG interface (or, at least, the pins presumed to be the JTAG interface) would be a good way to explore the device. However, none of the people experimenting with the device have managed to get it to work.
Instead, [Lee] went through the serial bootloader and dumped the flash memory. He found, though, that the bootloader refused to read the ROM area. It would, however, load and run a program. Unfortunately, no one has yet found how to access the UART directly from such a program, but they have found how to drive the vibration motor.
[Lee] removed the vibration motor and used its drive pin as a one-wire output port for a simple program that bit-bangs the ROM contents out as a serial stream. An Arduino sampled the pin at a low baud rate and wrote the data to a file. This should allow a better understanding of how to drive the watch hardware.
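The technique above, as an added example that is not [Lee]'s code: a bit-banged 8N1 transmitter of the kind a program loaded through the bootloader could run on any GPIO (here, the pin that normally drives the motor), beside the sampling decoder an Arduino-style receiver would use. The "wire" is a simulated array of line levels so it runs on a PC; the idle-high polarity, the oversampling ratio and the sync/length/XOR-checksum block framing are assumptions chosen for the example, not anything documented for the U8Plus.

```c
/* Added example: bit-banged UART over one GPIO plus the receiver's decoder.
 * Assumptions (not from the original page): idle-high line, LSB first,
 * OVERSAMPLE receiver samples per bit, and a hypothetical block format
 * (0x55 sync, length byte, payload, XOR checksum). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define OVERSAMPLE  8         /* receiver samples per bit period */
#define SYNC_BYTE   0x55
#define MAX_SAMPLES 65536

typedef struct {              /* simulated line: one entry per sample */
    uint8_t level[MAX_SAMPLES];
    size_t  n;
} Line;

/* Hold the pin at `level` for `bits` bit periods (the firmware would
 * write the GPIO and busy-wait one bit time instead). */
static void drive(Line *l, int level, int bits) {
    for (int i = 0; i < bits * OVERSAMPLE && l->n < MAX_SAMPLES; i++)
        l->level[l->n++] = (uint8_t)level;
}

/* 8N1 frame: start bit (0), eight data bits LSB first, stop bit (1). */
void uart_tx_byte(Line *l, uint8_t b) {
    drive(l, 0, 1);
    for (int i = 0; i < 8; i++) drive(l, (b >> i) & 1, 1);
    drive(l, 1, 1);
}

/* Send one dump block with a checksum so a glitchy line is detected. */
void send_block(Line *l, const uint8_t *data, uint8_t len) {
    uint8_t x = 0;
    drive(l, 1, 4);                         /* idle so the receiver sees a clean edge */
    uart_tx_byte(l, SYNC_BYTE);
    uart_tx_byte(l, len);
    for (uint8_t i = 0; i < len; i++) { uart_tx_byte(l, data[i]); x ^= data[i]; }
    uart_tx_byte(l, x);
    drive(l, 1, 4);
}

/* Receiver: wait for a falling edge, confirm it mid-bit, sample each data
 * bit at its centre, require a valid stop bit. Returns bytes decoded. */
size_t uart_rx(const Line *l, uint8_t *out, size_t max) {
    size_t i = 0, n = 0;
    while (i + 10 * OVERSAMPLE <= l->n && n < max) {
        if (l->level[i] != 0) { i++; continue; }                  /* still idle */
        size_t mid = i + OVERSAMPLE / 2;
        if (l->level[mid] != 0) { i++; continue; }                 /* short glitch */
        uint8_t b = 0;
        for (int k = 0; k < 8; k++)
            b |= (uint8_t)(l->level[mid + (k + 1) * OVERSAMPLE] << k);
        if (l->level[mid + 9 * OVERSAMPLE] != 1) { i++; continue; } /* framing error */
        out[n++] = b;
        i += 10 * OVERSAMPLE;                                      /* next frame */
    }
    return n;
}

/* Find the sync byte and verify the checksum; returns payload length or -1. */
int parse_block(const uint8_t *bytes, size_t n, uint8_t *payload) {
    size_t i = 0;
    while (i < n && bytes[i] != SYNC_BYTE) i++;
    if (i + 2 > n) return -1;
    uint8_t len = bytes[i + 1], x = 0;
    if (i + 2 + len + 1 > n) return -1;
    for (uint8_t k = 0; k < len; k++) { payload[k] = bytes[i + 2 + k]; x ^= payload[k]; }
    return x == bytes[i + 2 + len] ? (int)len : -1;
}

/* Round trip over the simulated line with a constructed "ROM" fragment. */
int demo_roundtrip(void) {
    static Line line;
    const uint8_t rom[] = { 0xAA, 0x00, 0xFF, 0x12, 0x34 };   /* constructed sample */
    uint8_t raw[64], payload[64];
    line.n = 0;
    send_block(&line, rom, sizeof rom);
    size_t got = uart_rx(&line, raw, sizeof raw);
    int len = parse_block(raw, got, payload);
    return len == (int)sizeof rom && memcmp(payload, rom, sizeof rom) == 0;
}
```

On real hardware the receiver replaces the sample array with a GPIO read every `bit_time / OVERSAMPLE` microseconds, and the first thing to check is polarity: a motor driver transistor can invert the level seen at the pin, which shows up as every frame failing the stop-bit check.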
We covered the initial teardown of this watch earlier this year. Of course, if you don’t want to reverse engineer a smartwatch, you could always build your own.
Very clever.
Indeed
I was thinking, bzzzz bz bz bzzz bzzz bz bzzz bz bz
is it wrong that I’m a little disappointed that this wasn’t the case?
Me too!
Same here, would have been so much cooler. But still damn smart.
Hardcore would be hooking a mic/piezo up to the buzzer. Decode the audio back into the bitstream.
But yeah: any GPIO is a serial port with the right software…
Sorry, I should have taken a short video of it running through the first few bytes, before I removed the motor – that's just what it was like :)
Second only to the over-clock…glitch..execute with GameBoy.
They dumped Canon camera firmware for CHDK reverse engineering in a similar way – using a LED
Basically any GPIO does it. Did they have access to the LED signal or did they capture the LED optically?
One way it was done was watching an LED and feeding it into a sound card for analysis. http://chdk.wikia.com/wiki/Obtaining_a_firmware_dump
I wrote a Pebble app once that displayed ROM data in hex on the screen. I was too lazy to do image processing text recognition so that went nowhere.
Just display it as one pixel representing one bit (black/white), then use the Pebble developer tools’ screenshot feature. No OCR needed, just read the value of every pixel!
China's culture needs to change to a "share freely" culture. These devices would utterly destroy the big guys' markets if the source code and API details for the hardware were released freely.
They want to sell devices, selling millions more because some hackers out there wrote a better firmware is a huge advantage.
I don’t see your point. The hacker market is small. Someone writing better firmware only improves the product if the manufacturer includes it in their product, or if the buyer is willing to load that firmware into the hardware they just bought. All the Chinese need to do is sell something of equal or better functionality (even if lower quality) at a lower price for the mass market.
Documentation and hosting costs money. Their goal is to be as cheap as possible.
Awesome idea though. I just don’t think it’s economically feasible for them (yet).
Just drop this here…
http://www.bunniestudios.com/blog/?page_id=3107
Bunnie explains how IP and documentation work in China. It's sort of a loose network of people doing each other favours. It's why these super-cheap watches and phones are possible. Bunnie's making an effort to try to bridge it with the West.
I do not think that “[Lee] took off the vibration motor and used it as an output port”, ‘it’ presumably referring to the motor itself. Is this why HaD is looking to hire new writers?
You nailed it Rodney, good job.
I thought I was going to see some Interstellar watch decoding.
Neat. Reminds me of those “good old days” (not really) of loading programs and data from wonky cassette tapes.
Kinda, well, exactly, reminds me of when someone dumped an iPod’s firmware via the clickwheel speaker.
Built a little recording studio, took something like 20 hours to dump the thing.
Was years back now, here’s the best article I can find.
http://www.zdnet.com/article/linux-for-ipod-cracked-thanks-to-the-click-wheel/
Heh. he mentioned it in the article, silly me.