SmartWatch 2 uses a variant of STM32F43xxx (Datasheet). On page 84, figure 19, you can see the memory mapping. It tells you that eMMC is accessible from 0x0 to 0x1fffff, so
dfu-util -U eMMC.dmp --alt 1 --intf 0 -s 0x0:0x200000
It holds the A-Firmware (currently at 1.0.A.4.11).
You can also read that 0x08000000 - 0x081fffff is Internal Flash, so
dfu-util -U internal.dmp --alt 0 --intf 0 -s 0x08000000:0x200000
It holds the B-Firmware (currently at 1.0.B.4.154). It seems to be major parts of the userland. Also, it seems to have "MHIB" as magic. (Might be something like Main Human Interface Binary? Just guessing).
Of course you have to change --intf appropriately for your setup. Actually --alt is not necessary as --alt 0 seems to be mapped to --alt 1. Nevertheless dfu-util needs to know where to read from.
eMMC is advertised as 512 MiB, but only the first 2 MiB are mapped at boot time, so no chance to dump it via DFU mode.
While some pages are marked as non-readable, trying to read from 0x81FFFFF seems to crash DFU mode and makes it exit.
Looking at the SmartWatch 2 license agreement, Sony tells us about the open source tools used. Interesting parts are Miniz. Actually the fat.bin file in the SmartWatch-APK is compressed using Miniz. Have a look at Miniz's example3.c. It can decompress it. After that you can mount it using a loop-device. It shows up as a weird set of CID files, I'm currently investigating them. They have a header starting with the file's name and contain their length at 0xC. I'm quite sure this actually is the payload length and marks the end of the header.
If you use
binwalk -D 'jpeg.*:jpg' -D 'png.*:png' dump.full
you will end up with large files. They can be shortened, and for the PNGs I wrote a short C program to cut them. If you want it, tell me.
fat.bin has to be written somewhere into eMMC after the first 2 MiB. This is also where I suspect settings go, as changes to settings were not reflected in the dumpable eMMC and Internal Flash.
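
For the binwalk step above, where carved PNGs come out far larger than the real image: the following is an added example, not the C program mentioned in the post (which is not shown on this page). It finds where a PNG actually ends by walking its chunks up to IEND; the name png_true_length and the command-line usage are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from the original post): returns how many bytes at
 * the start of buf belong to a PNG, or 0 if no complete PNG is found.
 * Layout walked: 8-byte signature, then chunks of len(4, BE) type(4) data CRC(4). */
size_t png_true_length(const uint8_t *buf, size_t len)
{
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    size_t off = 8;

    if (len < 8 || memcmp(buf, sig, 8) != 0)
        return 0;
    while (len - off >= 12) {               /* room for an empty chunk */
        uint32_t clen = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                        ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
        /* Carved data can be truncated or junk: check bounds before advancing. */
        if (clen > len - off - 12)
            return 0;
        int is_iend = memcmp(buf + off + 4, "IEND", 4) == 0;
        off += 12 + (size_t)clen;
        if (is_iend)
            return off;                     /* everything after this is trailing data */
    }
    return 0;
}

/* Usage (assumed): ./pngcut carved.png trimmed.png */
int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s carved.png out.png\n", argv[0]); return 2; }
    FILE *in = fopen(argv[1], "rb");
    if (!in) { perror(argv[1]); return 1; }
    fseek(in, 0, SEEK_END);
    long sz = ftell(in);
    rewind(in);
    uint8_t *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!buf || fread(buf, 1, (size_t)sz, in) != (size_t)sz) { fclose(in); free(buf); return 1; }
    fclose(in);
    size_t n = png_true_length(buf, (size_t)sz);
    FILE *out = n ? fopen(argv[2], "wb") : NULL;
    int ok = out && fwrite(buf, 1, n, out) == n;
    if (out) fclose(out);
    free(buf);
    if (ok) printf("%s: kept %zu of %ld bytes\n", argv[2], n, sz);
    return ok ? 0 : 1;
}
```

Chunk CRCs are not verified here, so a trimmed file should still be opened in an image viewer to confirm it is intact.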