Over the past years, fitness trackers have gone from fairly unobtrusive bands that relied mostly on smartphone apps for interaction to essentially being fashion statements and smart watches, with large screens and impressive specs. The Xiaomi Mi Band 8 is no exception, with a zippy MCU and a 1.62″ AMOLED screen that just asks for some serious rick-rolling. This was a challenge which [Aaron Christophel] was all too happy to accept, resulting in some reverse-engineering and flashing of custom firmware onto one of these marvels of modern wearable technology.
The Mi Band 8 is built around an Ambiq Apollo4 Blue Lite MCU which features a Cortex-M4 core for applications, along with a Bluetooth LE radio and a lot of SRAM and Flash. This naturally implies an SWD interface for programming, which was mostly a matter of reverse-engineering the PCB to find the locations for these signals and realizing that the original firmware disables the SWD interface on boot. Unfortunately the Ambiq SDK requires you to create an account, but you can get the basics from [Aaron]’s GitHub project. It appears that for BLE you do need the full SDK, and OTA updates feature a signing check, so physical access is required.
So far the display, touchscreen and light sensor are working, with the remaining peripherals just a matter of time. With a list price of around $64 for one of these fitness bands with a 192 x 490 touch-enabled AMOLED display and a variety of health-related sensors, they’d seem to be a fun toy to hack, especially when found on sale or used.
Cool man! Cannot wait to see it completely hacked.
When this is done, for the price this will probably be one of the most bang-for-your-buck smart watches that wouldn’t harvest your personal data. Excited to see where this goes!
I’m curious what personal data can be obtained from a smart watch that has such potential for ill intent that you’d actually care if it’s harvested?
You have the question backwards:
Why is your personal information so valuable that all the companies are harvesting it?
The bare fact that the companies think it is valuable enough to retain should make you shy about sahring it with them. Whatever their plans are, they do not have your interests at heart.
Retaining your data gives them profit or advantage. Why should you give it to them for free?
——
This tendency to let companies know everything about your life is disturbing.
I know people who were spied on everyday of their lives in East Germany, during the communist days. Privacy is a valuable right.
I cannot understand why people voluntarily deliver all the details of their lives to some multinational company and consider it to be fine.
Apart from it just being private and none of their business? That kind of data can tell you more than you’d suspect, though laws may limit it to an extent. If nothing else it can be used to make incredibly manipulative advertisements. Of course, as women have been telling everyone for awhile, there’s some data that can be a very direct problem if it’s shared, especially in certain jurisdictions.
But even “just” advertisements could be a lot worse than we’re used to – build a very complete profile of a person, see their reactions to things in real time, know when they’re in a receptive mood, and if you have no limits on what you do because it’s just “the algorithm” doing it, then while it sounds far-fetched it’s theoretically possible to do a lot. You can try and figure out someone’s weaknesses and tempt them while offering products or drugs to fix their problem. Say someone’s worried about being overweight or out of shape, which you can guess because you know they’re jogging regularly but they’re struggling when they do it. Or you can get it from other parts of their marketing profile from someone else, whatever. You’ll know when they miss a regular jog, you can guilt trip them. When they seem like they’re about to go somewhere to eat, you can try and tempt them to eat too much. At some point you advertise a weight loss pill or program, maybe. Or the same with other weaknesses – alcoholism, gambling… Make a problem and sell a solution, and make money both ways. Heck, the state of being pregnant is one where you can advertise to someone and their family for the next 20 years, and either they or their kid may be an easy mark.
Apart from marketing, you can turn around and sell your information to insurers and lenders if you’re somewhere that there’s no rules against it, because there’s definitely an incentive to know who’s got a condition, who’s a higher or lower risk for other reasons, who can be tempted to open too many credit cards and milked for all they’re worth without going completely bankrupt… Most of that you don’t need one of these devices for, but it makes it hard to avoid if you wear one and they’re good at processing the data. Which isn’t always guaranteed, but the idea is to remove the option.
But can it run DOOM?
Without platformIO support, it’s just too much work.
I really don’t like that ever MCU has it’s own SDK with weird quirks
Maybe we can finally have a health watch that is about health versus selling your personal information!
The invasion of privacy is worse than you think. I have seen internet stories about hackers using your GPS location services on some fitness devices to literally follow you to your house or vehicle and rob you. One idiot even posted a map of his jogging route on Facebook for the whole world to see and was murdered for his wallet and high end Samsung phone.
What is thet? “please contact after-sales service”
So we’d have to open the Mi Band to flash the firmware, even when we have a fully working custom firmware, right?