
Smartwatch 2 firmware hacking

Xtreme_FIRMWARE (OP)
#41
Quote:
Originally Posted by lukasz2367
Has anyone already tried it? http://lunarius.fe80.eu/blog/smartwatch2-first-steps.html
It basically lists what we have already found out.
 
bot47
(Last edited by bot47; 30th June 2014 at 12:32 PM.)
#42
My progress:

SmartWatch 2 uses a variant of STM32F43xxx (Datasheet). On page 84, figure 19, you can see the memory mapping. It tells you that eMMC is accessible from 0x0 to 0x1fffff, so
Code:
dfu-util -U eMMC.dmp --alt 1 --intf 0 -s 0x0:0x200000
It holds the A-Firmware (currently at 1.0.A.4.11).

You can also read that 0x80000000 - 0x81fffff is Internal Flash, so
Code:
dfu-util -U internal.dmp --alt 0 --intf 0 -s 0x08000000:0x200000
It holds the B-Firmware (currently at 1.0.B.4.154). It seems to be major parts of the userland. Also, it seems to have "MHIB" as magic. (Might be something like Main Human Interface Binary? Just guessing).

Of course you have to change --intf appropriately for your setup. Actually --alt is not necessary as --alt 0 seems to be mapped to --alt 1. Nevertheless dfu-util needs to know where to read from.

eMMC is advertised as 512 MiB, but only the first 2 MiB are mapped at boot time, so no chance to dump it via DFU mode.

While some pages are marked as non-readable, trying to read from 0x81FFFFF seems to crash DFU mode and makes it exit.


Looking at the SmartWatch 2 license agreement, Sony tells us about the open source tools used. Interesting parts are Miniz and FatFs. Actually, the fat.bin file in the SmartWatch APK is compressed using Miniz. Have a look at Miniz's example3.c; it can decompress it. After that you can mount it using a loop device. It shows up as a weird set of CID files, which I'm currently investigating. They have a header starting with the file's name and contain their length at 0xC. I'm quite sure this actually is the payload length and marks the end of the header.

If you use
Code:
binwalk -D 'jpeg.*:jpg' -D 'png.*:png' dump.full
you will end up with large files. They can be shortened and for the PNGs, I wrote a short C-program to cut them. If you want it, tell me.

fat.bin has to be written somewhere into eMMC after the first 2 MiB. This is also where I suspect the settings go, as changes to settings weren't reflected in the dumpable eMMC and Internal Flash.
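Added example, not from the thread or from bot47: a small Python sanity check for an internal-flash dump produced with the dfu-util command above. It assumes the image starts with a Cortex-M vector table (initial stack pointer, then reset handler, both little-endian), that the SRAM window and its size are as noted in the constants, and it searches the image for the "MHIB" magic the post mentions. The sample dump at the bottom is constructed, not a real firmware.

```python
import struct

FLASH_BASE, FLASH_SIZE = 0x08000000, 0x200000   # region dumped by --alt 0 -s 0x08000000:0x200000
SRAM_BASE, SRAM_LIMIT = 0x20000000, 0x20030000  # assumption: 192 KiB system SRAM at 0x20000000


def check_vector_table(image: bytes, base: int = FLASH_BASE) -> dict:
    """Check the first two words of a Cortex-M image.

    Word 0 is the initial main stack pointer and should point into SRAM;
    word 1 is the reset handler, which should lie inside the dumped region
    and carry the Thumb bit (bit 0 set).  A dump that fails both is most
    likely not a boot image at all (wrong --alt, wrong address, or garbage).
    """
    if len(image) < 8:
        return {"ok": False, "reason": "image shorter than one vector entry pair"}
    sp, reset = struct.unpack_from("<II", image, 0)
    sp_ok = SRAM_BASE <= sp <= SRAM_LIMIT and sp % 4 == 0
    reset_ok = (reset & 1) == 1 and base <= (reset & ~1) < base + len(image)
    return {"ok": sp_ok and reset_ok, "sp": sp, "reset": reset & ~1,
            "sp_ok": sp_ok, "reset_ok": reset_ok}


def find_magic(image: bytes, magic: bytes = b"MHIB") -> list:
    """Return every offset at which the magic string occurs in the image."""
    offsets, pos = [], image.find(magic)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(magic, pos + 1)
    return offsets


def analyse(image: bytes) -> dict:
    """Combine the vector-table check with the magic search into one report."""
    report = check_vector_table(image)
    report["mhib_offsets"] = find_magic(image)
    return report


# Constructed sample (not a real dump): plausible vector table, 256 bytes of
# erased flash, then the MHIB marker followed by a little padding.
SAMPLE = (struct.pack("<II", 0x20020000, 0x08000101)
          + b"\xff" * 0x100 + b"MHIB" + b"\x00" * 16)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(analyse(data))
```

Run it as `python check_dump.py internal.dmp` on a real dump; with no argument it analyses the constructed sample.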
 
Xtreme_FIRMWARE (OP)
#43
Sorry, been busy. Any way to edit these PNGs and reflash?
 
JustPlayingHard
#44
Quote:
Originally Posted by Xtreme_FIRMWARE
Sorry, been busy. Any way to edit these PNGs and reflash?
Man, this SmartWatch 2 modding looks awesome. Hope we can have custom icons soon.