Smartwatch 2 firmware hacking

OP Xtreme_FIRMWARE
29th June 2014, 02:17 PM | #41
OP Member, 32 posts, Joined: Jun 2014
Quote:
Originally Posted by lukasz2367

Has anyone already tried it? http://lunarius.fe80.eu/blog/smartwatch2-first-steps.html

Basically lists what we have already found out.
30th June 2014, 12:17 PM | #42
Member, Wuppertal, 36 posts, Joined: Mar 2011
My progress:

SmartWatch 2 uses a variant of the STM32F43xxx (Datasheet). On page 84, figure 19, you can see the memory mapping. It tells you that eMMC is accessible from 0x0 to 0x1fffff, so
Code:
dfu-util -U eMMC.dmp --alt 1 --intf 0 -s 0x0:0x200000
It holds the A-Firmware (currently at 1.0.A.4.11).

You can also read that 0x80000000 - 0x81fffff is internal flash, so
Code:
dfu-util -U internal.dmp --alt 0 --intf 0 -s 0x08000000:0x200000
It holds the B-Firmware (currently at 1.0.B.4.154). It seems to be major parts of the userland. Also, it seems to have "MHIB" as its magic. (Might be something like Main Human Interface Binary? Just guessing.)

Of course you have to change --intf appropriately for your setup. Actually --alt is not necessary, as --alt 0 seems to be mapped to --alt 1. Nevertheless, dfu-util needs to know where to read from.

eMMC is advertised as 512 MiB, but only the first 2 MiB are mapped at boot time, so no chance to dump it via DFU mode.

While some pages are marked as non-readable, trying to read from 0x81FFFFF seems to crash DFU mode and makes it exit.

Looking at the SmartWatch 2 license agreement, Sony tells us about the open source tools used. Interesting parts are Miniz and FatFs. Actually, the fat.bin file in the SmartWatch APK is compressed using Miniz. Have a look at Miniz's example3.c; it can decompress it. After that you can mount it using a loop device. It shows up as a weird set of CID files; I'm currently investigating them. They have a header starting with the file's name and contain their length at 0xC. I'm quite sure this actually is the payload length and marks the end of the header.

If you use
Code:
binwalk -D 'jpeg.*:jpg' -D 'png.*:png' dump.full
you will end up with large files. They can be shortened, and for the PNGs I wrote a short C program to cut them. If you want it, tell me.

fat.bin has to be written somewhere into eMMC after the first 2 MiB. This is also where I suspect the settings go, as changes to settings weren't reflected in the dumpable eMMC and internal flash.
Last edited by bot47; 30th June 2014 at 12:32 PM.
The Following 3 Users Say Thank You to bot47 For This Useful Post
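bot47's C program is not posted in the thread, so here is an added example (my own code, not bot47's and not part of binwalk) that does the same job for carved PNGs in Python. It relies only on the standard PNG container layout (8-byte signature, then chunks of 4-byte big-endian length, 4-byte type, data, 4-byte CRC32 of type+data, ending at IEND): it walks the chunk list, cuts the carved file right after IEND, and verifies each chunk CRC so a damaged or truncated carve is reported instead of silently kept. The carved input embedded in the block is constructed (a 1x1 PNG followed by 64 bytes of filler standing in for whatever came next in the flash image).

```python
"""Trim PNG files carved from a firmware dump at their IEND chunk.

Added example for the thread, not bot47's program. Uses only the standard
PNG container format; everything binwalk carved past IEND is unrelated flash
content and is dropped.
"""
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk (used here only to build the constructed sample)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def png_end_offset(buf: bytes, verify_crc: bool = True) -> int:
    """Walk the chunk list of the PNG starting at buf[0] and return the offset
    just past its IEND chunk. Raise ValueError on a bad signature, a chunk that
    runs past the end of the buffer, or (if verify_crc) a CRC mismatch."""
    if not buf.startswith(PNG_SIGNATURE):
        raise ValueError("no PNG signature at offset 0")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(buf):
            raise ValueError("truncated chunk header at 0x%x" % pos)
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        name = ctype.decode("latin-1")
        data_start = pos + 8
        crc_start = data_start + length
        end = crc_start + 4
        if end > len(buf):
            raise ValueError("chunk %s at 0x%x runs past end of data" % (name, pos))
        if verify_crc:
            stored = struct.unpack(">I", buf[crc_start:end])[0]
            # CRC covers the type field and the data, not the length field.
            computed = zlib.crc32(buf[pos + 4:crc_start]) & 0xFFFFFFFF
            if stored != computed:
                raise ValueError("CRC mismatch in chunk %s at 0x%x" % (name, pos))
        if ctype == b"IEND":
            return end
        pos = end


def trim_png(buf: bytes) -> bytes:
    """Return only the bytes that belong to the PNG at the start of buf."""
    return buf[:png_end_offset(buf)]


def build_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as self-contained sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


SAMPLE_PNG = build_sample_png()
# Constructed stand-in for a binwalk carve: the PNG followed by 64 bytes of
# unrelated data that happened to follow it in the flash image.
CARVED_SAMPLE = SAMPLE_PNG + bytes(range(64))


if __name__ == "__main__":
    # Usage: python trim_png.py carved.png > trimmed.png
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            sys.stdout.buffer.write(trim_png(f.read()))
    else:
        print("sample carve: %d bytes, trimmed: %d bytes"
              % (len(CARVED_SAMPLE), len(trim_png(CARVED_SAMPLE))))
```

The CRC check is the part worth keeping even if you only want the cut: a carve whose CRCs fail was damaged in the dump (or is not really a PNG), and a chunk whose length points past the end of the file tells you the carve itself was truncated, so the file should be re-extracted rather than trimmed.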
30th August 2014, 10:24 PM | #43
Xtreme_FIRMWARE, OP Member, 32 posts, Joined: Jun 2014
Sorry, been busy. Any way to edit these PNGs and reflash?
Sent from my C1505 using XDA Free mobile app
3rd September 2014, 08:24 PM | #44
JustPlayingHard, Senior Member, Coventry, 868 posts, Joined: Jul 2013
Quote:
Originally Posted by Xtreme_FIRMWARE

Sorry, been busy. Any way to edit these PNGs and reflash?
Sent from my C1505 using XDA Free mobile app

Man, this SmartWatch 2 modding looks awesome. Hope we can have custom icons soon.
28th September 2014, 08:00 PM | #45
Junior Member, 5 posts, Joined: Jul 2013
Possibility of reverse engineering the bootloader using an STM32F42 Discovery board
I got an STM32F42 Discovery board (www.st.com/web/catalog/tools/FM116/SC959/SS1532/LN1848/PF259090 (sorry, I cannot post links yet..)) from eBay. I uploaded the smartwatch ROM dump onto it and ran it. After a few seconds, I halted it and checked the program counter. It says it is running in 0x08000000 - 0x080FFFFF. It means the smartwatch bootloader has finished doing some initialization on this board and successfully jumped into the main firmware code.
Since we cannot attach JTAG to the smartwatch without removing the sealed front touchscreen, I think this allows dynamic analysis using OpenOCD and some gdb client specialized in reverse engineering (I'm still looking for a suitable gdb client. Does anyone know a suitable gdb client for this purpose?) to discover possible memory remapping during booting, etc.
The Following User Says Thank You to maneulyori For This Useful Post
16th October 2014, 11:20 PM | #46
Xtreme_FIRMWARE, OP Member, 32 posts, Joined: Jun 2014
Quote:
Originally Posted by maneulyori

I got an STM32F42 Discovery board (www.st.com/web/catalog/tools/FM116/SC959/SS1532/LN1848/PF259090 (sorry, I cannot post links yet..)) from eBay. I uploaded the smartwatch ROM dump onto it and ran it. After a few seconds, I halted it and checked the program counter. It says it is running in 0x08000000 - 0x080FFFFF. It means the smartwatch bootloader has finished doing some initialization on this board and successfully jumped into the main firmware code.
Since we cannot attach JTAG to the smartwatch without removing the sealed front touchscreen, I think this allows dynamic analysis using OpenOCD and some gdb client specialized in reverse engineering (I'm still looking for a suitable gdb client. Does anyone know a suitable gdb client for this purpose?) to discover possible memory remapping during booting, etc.

Thanks. Getting close now. I don't have any in mind right now, but I will tell you if I see anything.
16th October 2014, 11:31 PM | #47
Xtreme_FIRMWARE, OP Member, 32 posts, Joined: Jun 2014
Phone what is planned
Basically, when we finish and we have found a way to edit the source as well as the resources, we need to find out how the SmartWatch 2 app communicates with the device. So when completed we can have modified firmwares with normal end-user functions, such as it still having a companion app etc. But this is not our concentration at present. This is only what we might do in the future.
The Following User Says Thank You to Xtreme_FIRMWARE For This Useful Post
Yesterday, 04:34 PM | #48
Xtreme_FIRMWARE, OP Member, 32 posts, Joined: Jun 2014
Maybe this? Taken from the Arduino GitHub for the SW2.
https://docs.google.com/file/d/0B6T0...p=docslist_api
Sent from my LG-V500 using XDA Free mobile app