Smartwatch Snitches On Itself And Enables Reverse Engineering

If something has a “smart” in its name, you know that it’s talking to someone else, and the topic of conversation is probably you. You may or may not like that, but that’s part of the deal when you buy these things. But with some smarts of your own, you might be able to make that widget talk to you rather than about you.

Such an opportunity presented itself to [Benjamen Lim] when a bunch of brand X smartwatches came his way. Without any documentation to guide him, [Benjamen] started with an inspection, which revealed a screen of debug info that included a mysterious IP address and port. Tearing one of the watches apart — a significant advantage to having multiple units to work with — revealed little other than an nRF52832 microcontroller along with WiFi and cellular chips. But the luckiest find was JTAG pins connected to pads on the watch face that mate with its charging cradle. That meant talking to the chip was only a spliced USB cable away.

Once he could connect to the watch, [Benjamen] was able to dump the firmware and fire up Ghidra. He decided to focus on the IP address the watch seemed fixated on, reasoning that it might be the address of an update server, and that patching the firmware with a different address could be handy. He couldn’t find the IP as a string in the firmware, but he did manage to find a sprintf-like format string for IP addresses, which led him to a likely memory location. Sure enough, the IP and port were right there, so he wrote a script to change the address to a server he had the keys for and flashed the watch.
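The write-up says the address was not stored as printable text, so what got patched were its raw bytes. The example below is added here and is not [Benjamen]'s script: rather than going through the format string, it takes the shortcut of searching the dump for the IP and port already shown on the debug screen in the byte layouts a Cortex-M firmware is likely to use, refuses to patch unless the match is unique, and rewrites the bytes in place. The firmware image, its addresses and the format string inside it are constructed for the example.

```python
import socket
import struct

def ip_port_encodings(ip, port):
    """Byte encodings a firmware might use for an IPv4 address + TCP port:
    the address in network order or reversed, the port big- or little-endian."""
    ip_be = socket.inet_aton(ip)  # 4 bytes, network (big-endian) order
    ip_le = ip_be[::-1]
    return {
        "ip_be+port_be": ip_be + struct.pack(">H", port),
        "ip_be+port_le": ip_be + struct.pack("<H", port),
        "ip_le+port_le": ip_le + struct.pack("<H", port),
        "ip_le+port_be": ip_le + struct.pack(">H", port),
    }

def find_ip_port(firmware, ip, port):
    """Every (offset, encoding) at which this IP:port pair occurs in the dump."""
    hits = []
    for name, pattern in ip_port_encodings(ip, port).items():
        start = 0
        while (idx := firmware.find(pattern, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)

def patch_ip_port(firmware, old_ip, old_port, new_ip, new_port):
    """Rewrite the pair in place, keeping whatever encoding the firmware uses.
    Refuses to guess: zero hits means the value is stored some other way;
    several hits (or a palindromic value that matches two encodings) means
    the location is ambiguous and needs the disassembler to confirm it."""
    hits = find_ip_port(firmware, old_ip, old_port)
    if len(hits) != 1:
        raise ValueError(f"need exactly one match, found {len(hits)}: {hits}")
    offset, name = hits[0]
    new_bytes = ip_port_encodings(new_ip, new_port)[name]
    patched = firmware[:offset] + new_bytes + firmware[offset + len(new_bytes):]
    return patched, offset

# Constructed stand-in for a dump: filler, a sprintf-style format string like the
# one that led to the real location, then the address in network order followed
# by a host-order (little-endian) port, as a Cortex-M build would store a struct.
CONSTRUCTED_FIRMWARE = (
    b"\x00" * 16
    + b"%d.%d.%d.%d:%d\x00"
    + socket.inet_aton("192.168.4.1") + struct.pack("<H", 8080)
    + b"\xff" * 16
)

if __name__ == "__main__":
    patched, off = patch_ip_port(CONSTRUCTED_FIRMWARE, "192.168.4.1", 8080, "10.0.0.5", 443)
    print(f"patched at offset {off:#x}: {patched[off:off + 6].hex()}")
```

Before flashing a real image, confirm the hit sits in the data the disassembly actually references, and re-check any CRC or signature the bootloader verifies over the patched region.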

So the score stands at [Benjamen] 1, smartwatch 0. It’s not clear what the goal of all this was, but we’d love to see if he comes up with something cool for these widgets. Even if there’s nothing else, it was a cool lesson in reverse engineering.

A clock with an e-paper display in a 3D-printed case

Low Power Challenge: E-Paper Shelf Label Becomes Ultra-Frugal Clock

Over the past two decades, e-paper has evolved from an exotic and expensive display technology to something cheap enough to be used for supermarket price tags. While such electronic shelf labels are now easy to find, actually re-using them is often tricky due to a lack of documentation. Luckily, [Aaron Christophel] has managed to reverse engineer many types of shelf labels, and he’s demonstrated the results by turning one into an ultra-low-power clock called Triink. It’s based on a 128×296 pixel e-ink display paired with an nRF52832 Bluetooth Low Energy SoC and uses just 65 micro-amperes on average: low enough to keep it running for more than a year on a single battery charge.

A PCB for an e-ink clock
Power on the left, e-ink on the right: the custom PCB is clever and compact, too

The clock is housed in an enclosure that’s simple but effective: a 3D-printed triangular prism with a slot for the screen and space for the 18650 lithium battery. One side can be opened to access the internal components, although that’s really only needed to charge the battery. You can see how cleverly everything snaps together in the video embedded below.

Apple AirTag Spills Its Secrets

The Apple AirTag is a $29 Bluetooth beacon that sticks onto your stuff and helps you locate it when lost. It’s more than just a beeper, though: the idea is that it can be silently spotted by any iDevice — almost like a crowd-sourced mesh network — and its owner alerted to its position wherever they are in the world.

There are so many questions about its privacy implications despite Apple’s reassurances, so naturally it has been of great interest to those who research such things. First among those working on it to gain control of its nRF52832 microcontroller is [Stacksmashing], who used a glitching technique whereby the chip’s internal power supply is interrupted with precise timing, to bypass the internally enabled protection of its debug port. The firmware has been dumped, and of course a tag has been repurposed for the far more worthwhile application of Rickrolling Bluetooth snoopers.

The idea of a global network of every iDevice helping reunite owners with their lost possessions is on the face of it a very interesting one, and Apple are at great pains on the AirTag product page to reassure customers about the system’s security. On one hand this work opens up the AirTag as a slightly expensive way to get an nRF microcontroller for other applications, but the real value will come as the firmware is analysed to see how the tag itself works.

[Stacksmashing] has appeared on these pages many times before, often in the context of Nintendo hardware. Just one piece of work is the guide to opening up a Nintendo Game and Watch.

Bluetooth Development Board Goes The Distance

Have you ever come across an interesting chip or component that you wanted to experiment with, only to find that there doesn’t seem to be a development board for it? Spinning up your own board is a lot easier today than it has been in the past, but it’s still a bit of a hassle to do it just for your own personal use. This is why [Nikolaj Andersson Nielsen] has decided to release RFCat, his custom long-range Bluetooth development board, onto the community.

The board is based around a module from MeshTek that’s essentially an amplified version of the Nordic nRF52832. According to [Nikolaj], this gives the module 30 times the transmit power of the base model chip.

RFCat is compatible with the Arduino IDE and uses the Adafruit nRF52 bootloader, making it easy to write your own code to take advantage of all this new-found power. Primarily you’d be programming the board over USB-C, but it also supports Serial Wire Debug (SWD) and over-the-air updates that can be triggered with a physical push button on the device.

If you want to get an RFCat of your own, it’s available on Tindie now. The amplified modules were originally intended for building Bluetooth mesh networks, but we’re sure there are other interesting applications out there just waiting to be discovered.


Cheap Smartwatch Hacking, To Run Your Own Code

[Aaron Christophel] has been busy: he picked up a P8 smartwatch of the type that many of you will no doubt have seen. They cost almost nothing and do almost… nothing. In all fairness, they do connect to your phone using Bluetooth LE courtesy of a chip from Nordic (the NRF52832), and they can do several simple tasks. But they don’t run applications in the way an Android or Apple watch does. [Aaron] wants to run his own applications, so his YouTube channel has a lot of information about hacking the P8 and other watches with similar chips. In one video you can watch below, he demonstrates how he’s written support for programming these devices from the Arduino environment. What we were really excited about was the second video below, where he shows his Android app that can flash the devices via Bluetooth. That means you can potentially hack these devices without opening them up.

The app that normally runs these watches is called Da Fit, so [Aaron] called his utility DaFlasher. This is all early stuff so we expect some coaxing to get everything working, but it has great promise.


Pavlok Gets A Literally Shocking Teardown

Apparently, there is a wrist-mounted device that delivers electric shocks to the wearer when it receives the appropriate command over Bluetooth. No, it’s not part of some kind of house arrest program. If you can believe it, the gadget is actually intended to help break bad habits or wake up exceptionally deep sleepers. We don’t know which of those problems [Becky Stern] has, but we’re glad to see she decided to take hers apart before the 21st century self-flagellation started.

Called the Pavlok and available for $180 USD from various online retailers, the device looks like a chunky fitness tracker. But in place of the screen that would show you how many steps you’ve taken or your current heart rate, there’s a lightning bolt button that you can press when you want to shock yourself. With the smartphone application, you can control the device remotely with a handy desktop widget that allows you to select the intensity of the shock. No, we aren’t making any of this up. Check out the video after the break to see it in action.

When [Becky] tried to take the Pavlok apart, she found that it was nearly impossible to handle it without inadvertently triggering a shock. So until she could get the case open and physically disconnect the battery, all she could do was turn the intensity down in the application and work through the occasional jolts from the device. We can only hope that more devices don’t adopt a similar sense of self-preservation.

Once inside she found mainly the same kind of hardware you’d expect in a standard, non-masochistic fitness wearable. There’s an nRF52832 Bluetooth SoC, an MMA8451Q accelerometer, a PCF85063A I2C RTC, and an FXAS21002C gyroscope. What you’re somewhat less likely to find inside your FitBit, however, is the LPR6235 coupled inductor and beefy capacitors which are used to build up a high-voltage charge from the standard 3.7 V LiPo battery.

We’ve been very interested in the recent projects which are creating custom firmwares for commercially available fitness wearables, as it could be an express route to a hacker-friendly smartwatch. While the Pavlok has some compelling hardware, and the programming header [Becky] identified looks interesting, we don’t like the idea of being one misplaced if statement away from riding the lightning.


SMA-Q2 Smart Watch Is Completely Hackable

The search for the ultimate hacker’s smart watch probably won’t end any time soon. [emeryth] has nominated another possible candidate in the form of the SMA-Q2, and has made a lot of progress in making it accessible.

Also known as the SMA-TIME, the watch is based around the popular NRF52832 Bluetooth SoC, with a colour memory LCD, accelerometer, and a heart rate sensor on the back. The main feature that makes it so easy to hack is the stock bootloader on the NRF52832, which works with the generic Nordic upload tool, making firmware upgrades a breeze via a smartphone. Unfortunately the bootloader itself is locked, so it must be completely wiped to gain debugging access. The hardware configuration has also been well reverse engineered, with all the details available.

Custom main board with a NRF52840 module

[emeryth] has most of the basic features working with his custom firmware, although it’s still in the early stages. He designed a new watch face that includes weather updates and basic audio controls. The 3-bit display’s power consumption has also been reduced by only refreshing the necessary parts. The heart rate sensor outputs the raw waveforms, and it’s pretty accurate after a bit of FFT and filtering magic. Built-in tap and tilt detection is available on the accelerometer, which works well, but strangely doesn’t appear to have been used in the stock firmware.

Unfortunately the original enclosure design that used screws was dropped for a glued version. It’s still possible to open without breaking anything, just a bit more difficult. Another hardware hacker, [BigCorvus], has even designed a completely new open-source main board with an NRF52840 module and heart rate sensor on a small flex PCB, with everything up on GitHub.

We really hope the community takes a liking to this watch, and look forward to seeing some awesome hacking. This is an excellent addition to the list of candidates for the perfect hacker’s smart watch that [Lewin Day] has already investigated. We also see a lot of DIY smart watches, including one with a beautiful wood-filled 3D printed housing and another with an LED matrix display.