Benjamen Lim Saves Some Smartwatches From the Scrapheap with a Little Reverse Engineering
By dumping and patching the firmware, Lim has breathed new life into health-tracking smartwatches originally destined for the bin.
Engineer Benjamen Lim has been hard at work saving a number of smartwatches from the scrapheap — by reverse engineering them to the point of being able to install a customized firmware.
"Some time ago, I was assigned a consignment of smart watches with geolocating capabilities that were being mothballed after a trial," Lim explains of how the hardware came to him. "I was determined to find some use for them and thus began my journey of reverse engineering a smartwatch! The watches as delivered were bare-bones and had a single page of instructions on how to charge and use them. Each box contained a single charger and a watch. There were no READMEs, websites, or developer portals."
The watches weren't exactly cutting-edge: a monochrome display with a capacitive layer acts as a single-button input, with a heart-rate sensor on the rear and an internal accelerometer providing health and activity data respectively. Internal investigation of one watch — a destructive process, thanks to the waterproof housing — revealed a Nordic nRF52832 Bluetooth system-on-chip, an Espressif ESP8285 Wi-Fi microcontroller, and a SIMCom cellular transceiver with Global Navigation Satellite System (GNSS) capabilities.
"From the layout," Lim explains, "the nRF52832 was the device's main IC [Integrated Circuit], and used the Wi-Fi chip to scan for local Wi-Fi Access Points (APs). The nRF52832 also communicated with the SIMCom device over UART and issued commands to communicate with the mobile network. Knowing that, I focused my efforts on looking for any UART or exposed programming pins on the nRF52832, as it was the main IC and those connections are commonly used to interact with the microcontroller."
Lim discovered that the chip's debug pins (the nRF52832 exposes the two-wire Serial Wire Debug port that a J-Link drives; the write-up refers to it as JTAG) were routed to copper contacts on the outside of the housing, designed to mate with the bundled charging dock. The dock in turn connected those contacts to the data lines of its micro-USB port, so Lim could reach the debug port of an intact watch simply by splicing a USB cable and wiring his J-Link to an unmodified dock. A live debug port on externally reachable pads is what made everything that followed possible without opening a second watch.
"While being able to observe the debug output was very useful, there was no input configured for the RTT module, so there was no way to send commands to the watch," Lim notes. "However, the output confirmed my earlier assumptions about how the watch was connected internally. After a few exploratory attempts at sending commands over JLink, I decided to take a look at the firmware. With my JLink attached, I was able to dump the firmware using nrfjprog with the --readcode and --readram flags."
With a dump of the firmware in hand, Lim loaded it into the Ghidra reverse engineering tool and located where the firmware stored an IP address, which he assumed was the remote server collecting data from each watch. Patching that address produced a firmware image that reports to a server of his choosing; because the watches shipped with no readback or write protection on the debug port, he could flash the patched image back over the same connection and start receiving their data.
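The address swap in that last step is simple enough to show end to end. The following is an added example, not Lim's own tooling. It assumes the server address is stored as a NUL-terminated ASCII dotted-quad (the article does not say how it is encoded) and that the Intel HEX written by `nrfjprog --readcode` has first been flattened to a binary (for example with `arm-none-eabi-objcopy -I ihex -O binary dump.hex dump.bin`). The firmware bytes, the `AT+CIPSTART` fragment and the addresses used are constructed for the demonstration. The example goes slightly beyond the article's single address: it lists every candidate IPv4 string in the image, refuses to patch when the old address is absent or appears more than once, and checks that the replacement plus its terminator fits in the space the original string occupied, since a longer string would overwrite whatever the compiler placed next to it.

```python
"""Locate and patch a NUL-terminated IPv4 string inside a flat firmware image.

Added example; not Lim's code. Assumes the server address is a NUL-terminated
ASCII dotted-quad (an assumption; the article does not say how it is stored).
"""
import re

# Constructed stand-in for a flattened firmware dump; every byte here is made up.
SAMPLE_FW = (
    b"\x00\x10\x00\x20\x4d\x01\x00\x00"         # 8 bytes: fake vector-table words
    + b"AT+CIPSTART=\"TCP\",\"\x00"              # 20 bytes: fake modem command prefix
    + b"198.51.100.23\x00\x00\x00"               # 16 bytes: server IP in a 16-byte char buffer
    + b"\x39\x30\x00\x00"                         # 4 bytes: port 12345 as little-endian uint32
    + b"GET /upload HTTP/1.1\r\n\x00"            # unrelated string data
)

# A dotted quad that does not continue an earlier number and is NUL-terminated.
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?=\x00)")


def is_ipv4(text: str) -> bool:
    """True for four decimal octets each in 0..255."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def find_ipv4_strings(fw: bytes) -> list[tuple[int, str]]:
    """Return (offset, value) for every plausible IPv4 string in the image."""
    hits = []
    for m in IPV4_RE.finditer(fw):
        text = m.group().decode("ascii")
        if is_ipv4(text):
            hits.append((m.start(), text))
    return hits


def slot_size(fw: bytes, offset: int, old_len: int) -> int:
    """Bytes usable at offset: the old string plus the run of NULs that follows it.

    Caveat: trailing NULs may belong to an adjacent zero-valued field, so a
    replacement no longer than the original is the only guaranteed-safe choice.
    """
    end = offset + old_len
    while end < len(fw) and fw[end] == 0:
        end += 1
    return end - offset


def patch_ipv4_string(fw: bytes, offset: int, old: str, new: str) -> bytes:
    """Overwrite `old` at `offset` with `new`, NUL-padded, leaving every other byte intact."""
    if not is_ipv4(new):
        raise ValueError(f"not a valid IPv4 address: {new!r}")
    old_b, new_b = old.encode("ascii"), new.encode("ascii")
    if fw[offset:offset + len(old_b)] != old_b:
        raise ValueError(f"expected {old!r} at offset {offset:#x}")
    slot = slot_size(fw, offset, len(old_b))
    if len(new_b) + 1 > slot:  # +1 keeps a terminating NUL
        raise ValueError(f"{new!r} needs {len(new_b) + 1} bytes but only {slot} are available")
    patched = bytearray(fw)
    patched[offset:offset + slot] = new_b.ljust(slot, b"\x00")  # same length: image size unchanged
    return bytes(patched)


def retarget_server(fw: bytes, old_ip: str, new_ip: str) -> bytes:
    """Patch the single occurrence of old_ip; refuse if it is absent or ambiguous."""
    matches = [off for off, ip in find_ipv4_strings(fw) if ip == old_ip]
    if len(matches) != 1:
        raise ValueError(f"found {len(matches)} copies of {old_ip}, expected exactly one")
    return patch_ipv4_string(fw, matches[0], old_ip, new_ip)


if __name__ == "__main__":
    for off, ip in find_ipv4_strings(SAMPLE_FW):
        print(f"{off:#010x}  {ip}")
    out = retarget_server(SAMPLE_FW, "198.51.100.23", "192.0.2.10")
    print(f"patched image now points at {find_ipv4_strings(out)[0][1]}")
```

Listing every candidate first matters in practice: a real image may hold several addresses (NTP, firmware update, the data collector), and Ghidra's cross-references are what tell you which one the upload path actually uses. The patched binary is the same size as the dump, so it can be converted back to Intel HEX and written with `nrfjprog --program`; nothing in the article indicates the bootloader checked a signature, which is the only reason a byte-level edit like this works at all.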
The full project write-up is available on Lim's Medium blog.