Smartwatch Snitches On Itself And Enables Reverse Engineering

If something has a “smart” in its name, you know that it’s talking to someone else, and the topic of conversation is probably you. You may or may not like that, but that’s part of the deal when you buy these things. But with some smarts of your own, you might be able to make that widget talk to you rather than about you.

Such an opportunity presented itself to [Benjamen Lim] when a bunch of brand X smartwatches came his way. Without any documentation to guide him, [Benjamen] started with an inspection, which revealed a screen of debug info that included a mysterious IP address and port. Tearing one of the watches apart — a significant advantage to having multiple units to work with — revealed little other than an nRF52832 microcontroller along with WiFi and cellular chips. But the luckiest find was JTAG pins connected to pads on the watch face that mate with its charging cradle. That meant talking to the chip was only a spliced USB cable away.

Once he could connect to the watch, [Benjamen] was able to dump the firmware and fire up Ghidra. He decided to focus on the IP address the watch seemed fixated on, reasoning that it might be the address of an update server, and that patching the firmware with a different address could be handy. He couldn’t find the IP as a string in the firmware, but he did manage to find a sprintf-like format string for IP addresses, which led him to a likely memory location. Sure enough, the IP and port were right there, so he wrote a script to change the address to a server he had the keys for and flashed the watch.

So the score stands at [Benjamen] 1, smartwatch 0. It’s not clear what the goal of all this was, but we’d love to see if he comes up with something cool for these widgets. Even if there’s nothing else, it was a cool lesson in reverse engineering.

10 thoughts on “Smartwatch Snitches On Itself And Enables Reverse Engineering

  1. “ If something has a “smart” in its name, you know that it’s talking to someone else, and the topic of conversation is probably you.”

    QFT! That can go down with the S in IoT standing for security.

    1. Well, I had to web search that acronym…

      Acronym Definition
      QFT Quantum Field Theory
      QFT Question Formulation Technique (student education)
      QFT Quantitative Feedback Theory
      QFT Quoted For Truth (website; slang)
      QFT Qualcomm Flarion Technologies (telecommunications; San Diego, CA)
      QFT Qualified Funeral Trust
      QFT Quantum Fourier Transform
      QFT Quality Family Time
      QFT Quality Face Time
      QFT Quantitative Fluorescence Technique
      QFT Quest For Tech, Inc.
      QFT Quit Freaking Talking (polite form)
      QFTQuite Freaking True (polite form)

  2. I refuse to use these until they have a standard interface. And no a link to a MEGA download that uses servers in China just to change backgrounds on my wristwatch is stupid. I bought one Lenovo Chinesium watch and never activated it due to these shenanigans.

    Until Android natively supports smart watches (And no, Samsung Gear doesn’t count. I un-installed that countless times when I was using Galaxy Buds.

    I have no use for extra layers that provide dubious functionality at increased complexity and reduced privacy. See also 1GB motherboard RGB utilities and ‘gaming mice’ with 600MB drivers and an internet connection required to change settings).

    Keep hacking the smart watches, maybe I can have one some day!

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.