
Smartwatch 2 firmware hacking

Xtreme_FIRMWARE (Junior Member, thread OP) wrote:
Quote (originally posted by lukasz2367):
Already anyone ever tried it http ://
Basically lists what we have already found out.
(Last edited by bot47; 30th June 2014 at 12:32 PM.)

bot47 (Wuppertal, joined Mar 2011) wrote:
My progress:

SmartWatch 2 uses a variant of STM32F43xxx (Datasheet). On page 84, figure 19, you can see the memory mapping. It tells you that eMMC is accessible from 0x0 to 0x1fffff, so

    dfu-util -U eMMC.dmp --alt 1 --intf 0 -s 0x0:0x200000
It holds the A-Firmware (currently at 1.0.A.4.11).

You can also read that 0x80000000 - 0x81fffff is Internal Flash, so

    dfu-util -U internal.dmp --alt 0 --intf 0 -s 0x08000000:0x200000
It holds the B-Firmware (currently at 1.0.B.4.154). It seems to be major parts of the userland. Also, it seems to have "MHIB" as magic. (Might be something like Main Human Interface Binary? Just guessing).

Of course you have to change --intf appropriately for your setup. Actually --alt is not necessary as --alt 0 seems to be mapped to --alt 1. Nevertheless dfu-util needs to know where to read from.

eMMC is advertised as 512 MiB, but only the first 2 MiB are mapped at boot time, so no chance to dump it via DFU mode.

While some pages are marked as non-readable, trying to read from 0x81FFFFF seems to crash DFU mode and makes it exit.

Looking at the SmartWatch 2 license agreement, Sony tells us about the open source tools used. Interesting parts are Miniz and FatFs. Actually the fat.bin file in the SmartWatch APK is compressed using Miniz. Have a look at Miniz's example3.c; it can decompress it. After that you can mount it using a loop device. It shows up as a weird set of CID files, which I'm currently investigating. They have a header starting with the file's name and contain their length at 0xC. I'm quite sure this actually is the payload length and marks the end of the header.

If you use

    binwalk -D 'jpeg.*:jpg' -D 'png.*:png' dump.full

you will end up with large files. They can be shortened, and for the PNGs I wrote a short C program to cut them. If you want it, tell me.

fat.bin has to be written somewhere into eMMC after the first 2 MiB. This is also where I suspect the settings go, as changes to settings were not reflected in the dumpable eMMC and Internal Flash.
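As an added example (not bot47's code), here is a small bounds-checked walker for the CID records described above. It assumes the layout hypothesised in the post: a NUL-padded 12-byte name at offset 0, a little-endian 32-bit payload length at 0xC, and the payload starting at 0x10; the sample image at the bottom is constructed, not taken from a real fat.bin.

```python
import struct

# Layout hypothesised from the post: the header starts with the file name and
# holds the payload length at 0xC, which is taken to be the last header field.
NAME_FIELD = 12        # assumption: NUL-padded name occupies bytes 0x0..0xB
LENGTH_OFFSET = 0xC    # from the post: payload length lives at 0xC
HEADER_SIZE = 0x10     # assumption: payload starts right after the length field


def parse_cid_record(blob, offset=0):
    """Parse one CID record at `offset`; return (name, payload_len, payload)."""
    if len(blob) - offset < HEADER_SIZE:
        raise ValueError(f"truncated header at 0x{offset:x}")
    header = blob[offset:offset + HEADER_SIZE]
    raw_name = header[:NAME_FIELD].split(b"\x00", 1)[0]
    if not raw_name or not raw_name.isascii():
        raise ValueError(f"implausible name at 0x{offset:x}: {raw_name!r}")
    (payload_len,) = struct.unpack_from("<I", header, LENGTH_OFFSET)  # assumption: little-endian
    start = offset + HEADER_SIZE
    end = start + payload_len
    if end > len(blob):  # a corrupt or hostile image must not make us read past the buffer
        raise ValueError(f"record {raw_name!r} claims {payload_len} bytes past end of image")
    return raw_name.decode("ascii"), payload_len, blob[start:end]


def walk_cid_records(blob):
    """Walk back-to-back CID records; every step is bounded by the checks above."""
    records, offset = [], 0
    while offset < len(blob):
        name, payload_len, payload = parse_cid_record(blob, offset)
        records.append((name, payload_len, payload))
        offset += HEADER_SIZE + payload_len
    return records


def build_cid_record(name, payload):
    """Constructed test data: build a record in the hypothesised layout."""
    name_bytes = name.encode("ascii")
    if len(name_bytes) > NAME_FIELD:
        raise ValueError("name too long for the assumed 12-byte field")
    return name_bytes.ljust(NAME_FIELD, b"\x00") + struct.pack("<I", len(payload)) + payload


# Constructed sample image: a PNG-looking 20-byte record followed by a 20-byte record.
SAMPLE_IMAGE = (
    build_cid_record("icon.png", b"\x89PNG\r\n\x1a\n" + bytes(12))
    + build_cid_record("font.cid", bytes(range(20)))
)
```

Run walk_cid_records over a decompressed fat.bin and compare the recovered lengths with what the loop mount shows; a mismatch means the header guess is wrong, not that the walker should be relaxed.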