Reverse-Engineering SKS Airspy Tire Pressure Sensors For Custom Firmware

Although a somewhat common feature on cars these days, tire pressure sensors (TPS) are also useful on bicycles. The SKS Airspy range of TPS products is one such example, which enables remote monitoring of the air pressure either to a special smartphone app (SKS MYBIKE) or to a Garmin device. Of course, proprietary solutions like this require reverse-engineering to liberate the hardware from nasty proprietary firmware limitations, which is exactly what [bitmeal] did with a custom firmware project.

Rather than the proprietary, closed communication protocol, the goal was to use the open ANT+ protocol instead, specifically its (non-certified) TPS profile, which is supported by a range of cycling computers. Before this could happen, the Airspy TPS hardware first had to be reverse-engineered so that new firmware could be developed and flashed. These devices use the nRF52832 IC, meaning that development tools are freely available. Flashing the custom firmware requires gaining access to the SWD interface, which will very likely void the warranty on a $160–240 device.

The SWD programmer is then attached to the 1.27 mm spaced SWD holes per the instructions on the GitHub page. After flashing the provided .hex file you can then connect to the TPS as an ANT+ device, but instructions are also provided for developing your own firmware.

Smartwatch Snitches On Itself And Enables Reverse Engineering

If something has a “smart” in its name, you know that it’s talking to someone else, and the topic of conversation is probably you. You may or may not like that, but that’s part of the deal when you buy these things. But with some smarts of your own, you might be able to make that widget talk to you rather than about you.

Such an opportunity presented itself to [Benjamen Lim] when a bunch of brand X smartwatches came his way. Without any documentation to guide him, [Benjamen] started with an inspection, which revealed a screen of debug info that included a mysterious IP address and port. Tearing one of the watches apart — a significant advantage to having multiple units to work with — revealed little other than an nRF52832 microcontroller along with WiFi and cellular chips. But the luckiest find was JTAG pins connected to pads on the watch face that mate with its charging cradle. That meant talking to the chip was only a spliced USB cable away.

Once he could connect to the watch, [Benjamen] was able to dump the firmware and fire up Ghidra. He decided to focus on the IP address the watch seemed fixated on, reasoning that it might be the address of an update server, and that patching the firmware with a different address could be handy. He couldn’t find the IP as a string in the firmware, but he did manage to find a sprintf-like format string for IP addresses, which led him to a likely memory location. Sure enough, the IP and port were right there, so he wrote a script to change the address to a server he had the keys for and flashed the watch.

So the score stands at [Benjamen] 1, smartwatch 0. It’s not clear what the goal of all this was, but we’d love to see if he comes up with something cool for these widgets. Even if there’s nothing else, it was a cool lesson in reverse engineering.


Low Power Challenge: E-Paper Shelf Label Becomes Ultra-Frugal Clock

Over the past two decades, e-paper has evolved from an exotic and expensive display technology to something cheap enough to be used for supermarket price tags. While such electronic shelf labels are now easy to find, actually re-using them is often tricky due to a lack of documentation. Luckily, [Aaron Christophel] has managed to reverse engineer many types of shelf labels, and he’s demonstrated the results by turning one into an ultra-low-power clock called Triink. It’s based on a 128×296 pixel e-ink display paired with an nRF52832 Bluetooth Low Energy SoC and uses just 65 microamperes on average: low enough to keep it running for more than a year on a single battery charge.

Power on the left, e-ink on the right: the custom PCB is clever and compact, too

The clock is housed in an enclosure that’s simple but effective: a 3D-printed triangular prism with a slot for the screen and space for the 18650 lithium battery. One side can be opened to access the internal components, although that’s really only needed to charge the battery. You can see how cleverly everything snaps together in the video embedded below.

Apple AirTag Spills Its Secrets

The Apple AirTag is a $29 Bluetooth beacon that sticks onto your stuff and helps you locate it when lost. It’s more than just a beeper, though: the idea is that it can be silently spotted by any iDevice — almost like a crowd-sourced mesh network — and its owner alerted to its position wherever they are in the world.

There are so many questions about its privacy implications despite Apple’s reassurances, so naturally it has been of great interest to those who research such things. First among those working on it to gain control of its nRF52832 microcontroller is [Stacksmashing], who used a glitching technique whereby the chip’s internal power supply is interrupted with precise timing, to bypass the internally enabled protection of its debug port. The firmware has been dumped, and of course a tag has been repurposed for the far more worthwhile application of Rickrolling Bluetooth snoopers.

The idea of a global network of every iDevice helping reunite owners with their lost possessions is on the face of it a very interesting one, and Apple are at great pains on the AirTag product page to reassure customers about the system’s security. On one hand this work opens up the AirTag as a slightly expensive way to get an nRF microcontroller for other applications, but the real value will come as the firmware is analysed to see how the tag itself works.

[Stacksmashing] has appeared on these pages many times before, often in the context of Nintendo hardware. Just one piece of work is the guide to opening up a Nintendo Game and Watch.

Bluetooth Development Board Goes The Distance

Have you ever come across an interesting chip or component that you wanted to experiment with, only to find that there doesn’t seem to be a development board for it? Spinning up your own board is a lot easier today than it has been in the past, but it’s still a bit of a hassle to do it just for your own personal use. This is why [Nikolaj Andersson Nielsen] has decided to release RFCat, his custom long-range Bluetooth development board, onto the community.

The board is based around a module from MeshTek that’s essentially an amplified version of the Nordic nRF52832. According to [Nikolaj], this gives the module 30 times the transmit power of the base model chip.

RFCat is compatible with the Arduino IDE and uses the Adafruit nRF52 bootloader, making it easy to write your own code to take advantage of all this new-found power. Primarily you’d be programming the board over USB-C, but it also supports Serial Wire Debug (SWD) and over-the-air updates that can be triggered with a physical push button on the device.

If you want to get an RFCat of your own, it’s available on Tindie now. The amplified modules were originally intended for building Bluetooth mesh networks, but we’re sure there are other interesting applications out there just waiting to be discovered.


Cheap Smartwatch Hacking, To Run Your Own Code

[Aaron Christophel] has been busy: he picked up a P8 smartwatch of the type that many of you will no doubt have seen. They cost almost nothing and do almost… nothing. In all fairness, they do connect to your phone using Bluetooth LE courtesy of a chip from Nordic (the nRF52832), and they can do several simple tasks. But they don’t run applications in the way an Android or Apple watch does. [Aaron] wants to run his own applications, so his YouTube channel has a lot of information about hacking the P8 and other watches with similar chips. In one video you can watch below, he demonstrates how he’s written support for Arduino programming for the devices. What we were really excited about was the second video below, where he shows his Android app that can flash the devices via Bluetooth. That means you can potentially hack these devices without opening them up.

The app that normally runs these watches is called Da Fit, so [Aaron] called his utility DaFlasher. This is all early stuff so we expect some coaxing to get everything working, but it has great promise.


Pavlok Gets A Literally Shocking Teardown

Apparently, there is a wrist-mounted device that delivers electric shocks to the wearer when it receives the appropriate command over Bluetooth. No, it’s not part of some kind of house arrest program. If you can believe it, the gadget is actually intended to help break bad habits or wake up exceptionally deep sleepers. We don’t know which of those problems [Becky Stern] has, but we’re glad to see she decided to take hers apart before the 21st century self-flagellation started.

Called the Pavlok and available for $180 USD from various online retailers, the device looks like a chunky fitness tracker. But in place of the screen that would show you how many steps you’ve taken or your current heart rate, there’s a lightning bolt button that you can press when you want to shock yourself. With the smartphone application, you can control the device remotely with a handy desktop widget that allows you to select the intensity of the shock. No, we aren’t making any of this up. Check out the video after the break to see it in action.

When [Becky] tried to take the Pavlok apart, she found that it was nearly impossible to handle it without inadvertently triggering a shock. So until she could get the case open and physically disconnect the battery, all she could do was turn the intensity down in the application and work through the occasional jolts from the device. We can only hope that more devices don’t adopt a similar sense of self-preservation.

Once inside she found mainly the same kind of hardware you’d expect in a standard, non-masochistic fitness wearable. There’s an nRF52832 Bluetooth SoC, an MMA8451Q accelerometer, a PCF85063A I2C RTC, and an FXAS21002C gyroscope. What you’re somewhat less likely to find inside your FitBit, however, is the LPR6235 coupled inductor and beefy capacitors, which are used to build up a high-voltage charge from the standard 3.7 V LiPo battery.

We’ve been very interested in the recent projects which are creating custom firmwares for commercially available fitness wearables, as it could be an express route to a hacker-friendly smartwatch. While the Pavlok has some compelling hardware, and the programming header [Becky] identified looks interesting, we don’t like the idea of being one misplaced if statement away from riding the lightning.
