Smartwatch Snitches On Itself And Enables Reverse Engineering

If something has a “smart” in its name, you know that it’s talking to someone else, and the topic of conversation is probably you. You may or may not like that, but that’s part of the deal when you buy these things. But with some smarts of your own, you might be able to make that widget talk to you rather than about you.

Such an opportunity presented itself to [Benjamen Lim] when a bunch of brand X smartwatches came his way. Without any documentation to guide him, [Benjamen] started with an inspection, which revealed a screen of debug info that included a mysterious IP address and port. Tearing one of the watches apart — a significant advantage to having multiple units to work with — revealed little other than an nRF52832 microcontroller along with WiFi and cellular chips. But the luckiest find was the debug pins (SWD, since the nRF52832 has no JTAG port) connected to pads on the watch face that mate with its charging cradle. That meant talking to the chip was only a spliced USB cable away.

Once he could connect to the watch, [Benjamen] was able to dump the firmware and fire up Ghidra. He decided to focus on the IP address the watch seemed fixated on, reasoning that it might be the address of an update server, and that patching the firmware with a different address could be handy. He couldn't find the IP as a dotted-quad string in the firmware, a sign that it was stored in binary form and only rendered as text at runtime, but he did manage to find a sprintf-like format string for IP addresses, which led him to a likely memory location. Sure enough, the IP and port were right there as raw bytes, so he wrote a script to change the address to a server he controlled and flashed the watch.
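As an added example (not [Benjamen]'s script; the image bytes, the 203.0.113.7:8443 endpoint and the 192.0.2.10:443 replacement are all constructed for illustration, not taken from the watch), here is what the "it's not a string" problem looks like in Python: grepping for the dotted-quad text finds nothing, searching for the `%d.%d.%d.%d` format string and for the packed four-byte form does, and a same-length patch swaps the endpoint while refusing to write if the expected bytes are not at the offset.

```python
"""Find and patch a hard-coded IPv4 endpoint stored as raw bytes in a firmware image."""
import ipaddress
import re
import struct
from typing import List, Optional, Tuple

# Constructed sample image (not the watch firmware): a printf-style format
# string for dotted quads, some padding, then the endpoint the debug screen
# showed, stored as four raw bytes followed by a little-endian uint16 port,
# which is how a Cortex-M firmware would typically keep it.
KNOWN_IP, KNOWN_PORT = "203.0.113.7", 8443
FORMAT_STRING = b"%d.%d.%d.%d:%d\x00"
SAMPLE_IMAGE = (
    b"\x00" * 32
    + FORMAT_STRING
    + b"\xff" * 16
    + ipaddress.IPv4Address(KNOWN_IP).packed
    + struct.pack("<H", KNOWN_PORT)
    + b"\x00" * 32
)


def find_dotted_quad_string(image: bytes, ip: str) -> List[int]:
    """Naive first attempt: grep for the address as text. Finds nothing here."""
    return [m.start() for m in re.finditer(re.escape(ip.encode()), image)]


def find_format_strings(image: bytes) -> List[int]:
    """Offsets of "%d.%d.%d.%d"-style format strings: the hint that some code
    renders a binary address as text (follow its xrefs in Ghidra from here)."""
    return [m.start() for m in re.finditer(rb"%[dui]\.%[dui]\.%[dui]\.%[dui]", image)]


def find_packed_ip(image: bytes, ip: str) -> List[int]:
    """Offsets where the address appears as its four raw bytes."""
    packed = ipaddress.IPv4Address(ip).packed
    return [i for i in range(len(image) - 3) if image[i:i + 4] == packed]


def find_port_after(image: bytes, ip_offset: int, port: int) -> Optional[Tuple[int, str]]:
    """Check for the port as a uint16 directly after the address, in either byte order."""
    off = ip_offset + 4
    for fmt, endian in (("<H", "little"), (">H", "big")):
        if image[off:off + 2] == struct.pack(fmt, port):
            return off, endian
    return None


def patch_endpoint(image: bytes, ip_offset: int, old: Tuple[str, int],
                   new: Tuple[str, int], port_endian: str = "little") -> bytes:
    """Overwrite IP and port in place with a same-length patch. Refuses to write
    unless the old values are exactly where expected, so a wrong offset cannot
    silently corrupt the image."""
    fmt = "<H" if port_endian == "little" else ">H"
    old_bytes = ipaddress.IPv4Address(old[0]).packed + struct.pack(fmt, old[1])
    new_bytes = ipaddress.IPv4Address(new[0]).packed + struct.pack(fmt, new[1])
    found = image[ip_offset:ip_offset + 6]
    if found != old_bytes:
        raise ValueError(f"expected {old} at {ip_offset:#x}, found {found.hex()}")
    patched = bytearray(image)
    patched[ip_offset:ip_offset + 6] = new_bytes
    return bytes(patched)


def main() -> None:
    print("as text:", find_dotted_quad_string(SAMPLE_IMAGE, KNOWN_IP))  # []
    print("format strings:", [hex(o) for o in find_format_strings(SAMPLE_IMAGE)])
    hits = find_packed_ip(SAMPLE_IMAGE, KNOWN_IP)
    print("packed IP:", [hex(o) for o in hits])
    ip_off = hits[0]
    port_off, endian = find_port_after(SAMPLE_IMAGE, ip_off, KNOWN_PORT)
    print(f"port at {port_off:#x} ({endian}-endian)")
    # Assumed replacement endpoint, standing in for a server one controls.
    patched = patch_endpoint(SAMPLE_IMAGE, ip_off, (KNOWN_IP, KNOWN_PORT),
                             ("192.0.2.10", 443), endian)
    print("patched image same size:", len(patched) == len(SAMPLE_IMAGE))


if __name__ == "__main__":
    main()
```

Two habits worth keeping from this: search for the address in the form the code consumes (packed bytes, with the port in both byte orders) rather than the form a human reads, and make the patcher verify the old bytes before writing so that every other offset in the image stays valid.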

So the score stands at [Benjamen] 1, smartwatch 0. It’s not clear what the goal of all this was, but we’d love to see if he comes up with something cool for these widgets. Even if there’s nothing else, it was a cool lesson in reverse engineering.

10 thoughts on “Smartwatch Snitches On Itself And Enables Reverse Engineering”

  1. “If something has a “smart” in its name, you know that it’s talking to someone else, and the topic of conversation is probably you.”

    QFT! That can go down with the S in IoT standing for security.

    1. Well, I had to web search that acronym…

      https://acronyms.thefreedictionary.com/QFT

      Acronym Definition
      QFT Quantum Field Theory
      QFT Question Formulation Technique (student education)
      QFT Quantitative Feedback Theory
      QFT Quoted For Truth (website; slang)
      QFT Qualcomm Flarion Technologies (telecommunications; San Diego, CA)
      QFT Qualified Funeral Trust
      QFT Quantum Fourier Transform
      QFT Quality Family Time
      QFT Quality Face Time
      QFT Quantitative Fluorescence Technique
      QFT Quest For Tech, Inc.
      QFT Quit Freaking Talking (polite form)
      QFT Quite Freaking True (polite form)

  2. I refuse to use these until they have a standard interface. And no, a link to a MEGA download that uses servers in China just to change backgrounds on my wristwatch is stupid. I bought one Lenovo Chinesium watch and never activated it due to these shenanigans.

    Until Android natively supports smart watches (and no, Samsung Gear doesn’t count; I un-installed that countless times when I was using Galaxy Buds).

    I have no use for extra layers that provide dubious functionality at increased complexity and reduced privacy. See also 1GB motherboard RGB utilities and ‘gaming mice’ with 600MB drivers and an internet connection required to change settings.

    Keep hacking the smart watches, maybe I can have one some day!
