Smartwatch 2 firmware hacking

29th June 2014, 02:17 PM | #41 | Xtreme_FIRMWARE (OP, Junior Member)
Quote:
Originally Posted by lukasz2367

Has anyone already tried it? http://lunarius.fe80.eu/blog/smartwatch2-first-steps.html

Basically lists what we have already found out.
30th June 2014, 12:17 PM | #42 | bot47 (Member, Wuppertal)
My progress:

SmartWatch 2 uses a variant of STM32F43xxx (Datasheet) On page 84, figure 19, you can see the memory mapping. It tells you that eMMC is accessible from 0x0 to 0x1fffff, so
Code:
dfu-util -U eMMC.dmp --alt 1 --intf 0 -s 0x0:0x200000
It holds the A-Firmware (currently at 1.0.A.4.11).

You can also read that 0x80000000 - 0x81fffff is Internal Flash, so
Code:
dfu-util -U internal.dmp --alt 0 --intf 0 -s 0x08000000:0x200000
It holds the B-Firmware (currently at 1.0.B.4.154). It seems to be major parts of the userland. Also, it seems to have "MHIB" as magic. (Might be something like Main Human Interface Binary? Just guessing).

Of course you have to change --intf appropriately for your setup. Actually --alt is not necessary as --alt 0 seems to be mapped to --alt 1. Nevertheless dfu-util needs to know where to read from.

eMMC is advertised as 512 MiB, but only the first 2 MiB are mapped at boot time, so no chance to dump it via DFU mode.

While some pages are marked as non-readable, trying to read from 0x81FFFFF seems to crash DFU mode and makes it exit.


Looking at the SmartWatch 2 license agreement Sony tells us about used open source tools. Interesting parts are Miniz and FatFs. Actually the fat.bin file in the SmartWatch-APK is compressed using Miniz. Have a look at Miniz's example3.c. It can decompress it. After that you can mount it using a loop-device. It shows up as a weird set of CID files, I'm currently investigating them. They have a header starting with the file's name and contain their length at 0xC. I'm quite sure this actually is the payload length and marks the end of the header.

If you use
Code:
binwalk -D 'jpeg.*:jpg' -D 'png.*:png' dump.full
you will end up with large files. They can be shortened, and for the PNGs I wrote a short C program to cut them. If you want it, tell me.

fat.bin has to be written somewhere into eMMC after the first 2 MiB. This is also where I suspect the settings go, as changes to settings didn't show up in the dumpable eMMC and Internal Flash.
Last edited by bot47; 30th June 2014 at 12:32 PM.
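The oversized files bot47 mentions come from binwalk carving from the PNG signature onward without knowing where the image ends, while the PNG chunk chain itself tells you exactly that: the file is complete at the end of the IEND chunk. Below is an added example in Python; it is not bot47's C program and not code from this thread. It trims a carved blob at IEND, checking each chunk's CRC so that random dump bytes that happen to look like a chunk are rejected, and walks a whole dump to carve every intact PNG. The sample dump is constructed inline; the function names and the test image builder are my own.

```python
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def trim_png(blob: bytes) -> Optional[bytes]:
    """Return the PNG that starts at blob[0], cut exactly at the end of IEND.

    Returns None when the signature is missing, a chunk runs past the end of
    the data (truncated image) or a chunk CRC does not match (not a PNG chunk).
    """
    if not blob.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        # Chunk layout: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(blob):
            return None  # truncated chunk
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        # CRC covers type + data, not the length field.
        if zlib.crc32(blob[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            return None  # corrupt chunk, so this is not a usable PNG
        pos = end
        if ctype == b"IEND":
            return blob[:pos]
    return None  # ran out of data before IEND


def carve_pngs(dump: bytes) -> List[Tuple[int, bytes]]:
    """Find every intact PNG in a raw dump; returns (offset, png_bytes) pairs."""
    found = []
    start = 0
    while True:
        idx = dump.find(PNG_SIG, start)
        if idx < 0:
            break
        png = trim_png(dump[idx:])
        if png is None:
            start = idx + 1  # false positive or broken image, keep scanning
            continue
        found.append((idx, png))
        start = idx + len(png)
    return found


def make_test_png(width: int, height: int, rgb: Tuple[int, int, int]) -> bytes:
    """Build a minimal solid-colour 8-bit RGB PNG (for the constructed sample)."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = none) followed by width RGB pixels.
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


# Constructed sample "dump": padding, a real PNG, padding, a PNG signature
# followed by a bogus chunk (as junk in a flash image might produce), a second
# real PNG, and trailing bytes.
SAMPLE_DUMP = (
    b"\xff" * 37
    + make_test_png(2, 2, (255, 0, 0))
    + b"\x00" * 100
    + PNG_SIG + b"\x00\x00\x00\x0dIHDRbroken"
    + make_test_png(1, 3, (0, 0, 255))
    + b"\xee" * 10
)

if __name__ == "__main__":
    for offset, png in carve_pngs(SAMPLE_DUMP):
        print(f"PNG at offset {offset:#x}, {len(png)} bytes")
```

On a real dump, `carve_pngs(open("dump.full", "rb").read())` gives each image already cut to size, so there is nothing left to shorten afterwards; writing each entry to its own file is the only remaining step. The CRC check is what keeps the walker from following garbage: without it, a stray signature in the middle of the flash image would make the trimmer wander through random "chunks" until it either fell off the end or hit bytes that spelled IEND.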
30th August 2014, 10:24 PM | #43 | Xtreme_FIRMWARE (OP, Junior Member)
Sorry, been busy. Any way to edit these PNGs and reflash?
Sent from my C1505 using XDA Free mobile app
3rd September 2014, 08:24 PM | #44 | JustPlayingHard (Senior Member, Coventry)
Quote:
Originally Posted by Xtreme_FIRMWARE

Sorry, been busy. Any way to edit these PNGs and reflash?
Sent from my C1505 using XDA Free mobile app

Man, this SmartWatch 2 modding looks awesome. Hope we can have custom icons soon.
28th September 2014, 08:00 PM | #45 | Junior Member
Possibility reverse engineer bootloader using STM32F42 Discovery board
I got an stm32f42 discovery board (www <dot> st <dot> com/web/catalog/tools/FM116/SC959/SS1532/LN1848/PF259090 (sorry, I cannot post links yet..)) from ebay. I uploaded the smartwatch ROM dump onto it and ran it. After a few seconds, I halted it and checked the program counter. It says it is running at 0x08000000 - 0x080FFFFF. This means the smartwatch bootloader finished doing some initialization on this board and successfully jumped into the main firmware code.
Since we cannot attach JTAG to the smartwatch without removing the sealed front touchscreen, I think this allows dynamic analysis using OpenOCD and some gdb client specialized in reverse engineering (I'm still looking for a suitable gdb client. Does anyone know a suitable gdb client for this purpose?) to discover possible memory remapping during booting, etc.