Smartwatch 2 firmware hacking

RedDragonTaff

Member
May 12, 2010
8
11
I reanimated 2 SW2 with the download of the 3 system files from /res/raw in com.sonymobile.smartconnect.smartwatch2.apk
(before black screen from flashing system for SW1)
commands:
dfu-util -c 1 -i 0 -a 0 -s 0x08000000 -D bl.bin
dfu-util -c 1 -i 0 -a 0 -s 0x08040000 -D asw.bin
dfu-util -c 1 -i 0 -a 1 -s 0x01 -D fat.bin

For my SmartWatch 2, the first 2 steps run fine, but step three doesn't progress at all using the bl.bin, asw.bin, fat.bin I extracted from the apk. Here's the verbose console log from my failed step 3:

$ sudo ./dfu-util -c 1 -i 0 -a 0 -s 0x01 -D ../../SW2_unpack/res/raw/fat.bin -v
dfu-util 0.7

Copyright 2005-2008 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2012 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to dfu-util@lists.gnumonks.org

Opening DFU capable USB device... ID 0fce:f0fa
Run-time device DFU version 011a
Found DFU: [0fce:f0fa] devnum=0, cfg=1, intf=0, alt=0, name="@Internal Flash /0x08000000/03*016Kg,01*016Kg,01*064Kg,07*128Kg,03*016Kg,01*016Kg,01*064Kg,07*128Kg"
Claiming USB DFU Interface...
Setting Alternate Setting #0 ...
Determining device status: state = dfuIDLE, status = 0
dfuIDLE, continuing
DFU mode device DFU version 011a
Device returned transfer size 2048
No valid DFU suffix signature
Warning: File has no DFU suffix
DfuSe interface name: "Internal Flash "
Memory segment at 0x08000000 3 x 16384 = 49152 (rew)
Memory segment at 0x0800c000 1 x 16384 = 16384 (rew)
Memory segment at 0x08010000 1 x 65536 = 65536 (rew)
Memory segment at 0x08020000 7 x 131072 = 917504 (rew)
Memory segment at 0x08100000 3 x 16384 = 49152 (rew)
Memory segment at 0x0810c000 1 x 16384 = 16384 (rew)
Memory segment at 0x08110000 1 x 65536 = 65536 (rew)
Memory segment at 0x08120000 7 x 131072 = 917504 (rew)
Downloading to address = 0x00000001, size = 557300
Error: Last page at 0x000880f4 is not writeable


Did anyone successfully perform step 3 yet? If so can I grab you set of these 3 files to flash please?

Thanks

AL
 

RedDragonTaff

Member
May 12, 2010
8
11
Sorry typo, should have used:
$ sudo ./dfu-util -c 1 -i 0 -a 1 -s 0x01 -D ../../SW2_unpack/res/raw/fat.bin -v

This flashes the eMMC partition. Now the watch boots without showing the FlashFS, but instead I see a progress bar and as it almost reaches the end the watch reboots and the cycle starts again. Endless progress bar reaching almost 100% and reboot, <repeat>.

Does anyone else see this?

AL
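The layout string dfu-util prints and the "Last page at 0x000880f4 is not writeable" error in the first post come from a host-side bounds check that can be reproduced offline, which is useful before touching a device. This added example (not code from the thread's authors) parses the two DfuSe interface strings quoted in the logs and runs that check for the mistyped `-a 0` and the corrected `-a 1`; the first error message matches the log, the wording of the second is the example's own.

```python
import re

# Constructed from the dfu-util output quoted in this thread: the DfuSe layout
# strings the watch advertises for alt 0 (internal flash) and alt 1 (eMMC).
ALT_SETTINGS = {
    0: "@Internal Flash /0x08000000/03*016Kg,01*016Kg,01*064Kg,07*128Kg,"
       "03*016Kg,01*016Kg,01*064Kg,07*128Kg",
    1: "@eMMC /0x00000000/01*512Mg",
}
UNIT = {"B": 1, "K": 1024, "M": 1024 * 1024}
WRITEABLE = 4  # attribute letter a..g encodes readable=1, erasable=2, writeable=4

def parse_dfuse_layout(desc):
    """Split a DfuSe interface string into (name, [(start, end, page_size, flags)])."""
    m = re.match(r"@(.*?)/(0x[0-9A-Fa-f]+)/(.*)$", desc)
    if not m:
        raise ValueError("not a DfuSe descriptor: %r" % desc)
    name, addr, segments = m.group(1).strip(), int(m.group(2), 16), []
    for seg in m.group(3).split(","):
        sm = re.fullmatch(r"(\d+)\*(\d+)([BKM])([a-g])", seg.strip())
        if not sm:
            raise ValueError("bad segment %r" % seg)
        count, page = int(sm.group(1)), int(sm.group(2)) * UNIT[sm.group(3)]
        flags = ord(sm.group(4)) - ord("a") + 1
        segments.append((addr, addr + count * page - 1, page, flags))
        addr += count * page
    return name, segments

def find_segment(segments, address):
    """Return the segment tuple containing address, or None if it is unmapped."""
    return next((s for s in segments if s[0] <= address <= s[1]), None)

def check_download(alt, address, size):
    """Host-side layout check dfu-util makes before a DfuSe download. It does not
    cover device-side write failures such as the -7 chunk error later in the thread."""
    _, segments = parse_dfuse_layout(ALT_SETTINGS[alt])
    last = address + size - 1
    seg = find_segment(segments, last)
    if seg is None or not seg[3] & WRITEABLE:
        return False, "Error: Last page at 0x%08x is not writeable" % last
    seg = find_segment(segments, address)
    if seg is None or not seg[3] & WRITEABLE:  # wording below is this example's own
        return False, "Error: Start address 0x%08x not in a writeable segment" % address
    return True, "Downloading to address = 0x%08x, size = %d" % (address, size)

if __name__ == "__main__":
    # fat.bin is 557300 bytes in the log; -a 0 fails, -a 1 (eMMC) passes this check
    for alt in (0, 1):
        print("alt %d:" % alt, check_download(alt, 0x01, 557300))
```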
 

nokodanox

New member
Feb 19, 2017
1
0
Hi everyone!
Sorry for re-opening this thread, but I have a Flash FS problem with my SmartWatch 2.
I tried everything about using DFU to download the 3 .bin files, and I'm having trouble with the last one (fat.bin) while trying to write to the "eMMC" with this command:

dfu-util -c 1 -i 0 -a 1 -s 0x01 -D fat.bin -v

I can run these two commands successfully, but I'm stuck now at the last step:

dfu-util -c 1 -i 0 -a 0 -s 0x08000000 -D bl.bin
dfu-util -c 1 -i 0 -a 0 -s 0x08040000 -D asw.bin


This is what I get.

"Opening DFU capable USB device... ID 0fce:f0fa
Run-time device DFU version 011a
Found DFU: [0fce:f0fa] devnum=0, cfg=1, intf=0, alt=1, name="@eMMC /0x00000000/01*512Mg"
Claiming USB DFU Interface...
Setting Alternate Setting #1 ...
Determining device status: state = dfuIDLE, status = 0
dfuIDLE, continuing
DFU mode device DFU version 011a
Device returned transfer size 2048
No valid DFU suffix signature
Warning: File has no DFU suffix
DfuSe interface name: "eMMC "
Memory segment at 0x00000000 1 x 536870912 = 536870912 (rew)
Downloading to address = 0x00000001, size = 557300
Download from image offset 00000000 to memory 00000001-00000800, size 2048
Poll timeout 0 ms
Error during download get_status
Failed to write whole chunk: -7 of 2048 bytes"


Hope someone could help me unbrick this SmartWatch. If anyone can help me do it, I would like to send a small gift via PayPal.
Thank you so much, waiting for your answers...
 

heartofgearz

Member
Feb 7, 2016
5
1
Hey, I'm getting the same error as yours ("Failed to write whole chunk: -7 of 2048 bytes") when writing the fat.bin file. Did you fix yours?
 

Top Liked Posts

  • 8
    Sorry if this is stupid or something but I have the smartwatch 2 firmware dump file (dumped using dfu-util's upload utility (-u)) from messing around trying to get into the dfu. I succeeded. I don't know if I am allowed to upload the file so I won't yet.

    So is there any Linux/Ubuntu based software I can use to decompile or to edit resources such as icons, images, etc.?

    If you would like to obtain the file I am talking about use the open smartwatch (1) project. similar way applies:

    1. Have dfu-util installed

    2. remove smartwatch 2 from power (miniusb plug)

    3. plug in usb end that goes into computer but NOT miniusb.

    4. My way to enter DFU is to plug in the miniusb end and then hold power a split-second after; you should see a blank screen but "Sony" does not come up. Let go of power.

    5. you are now in dfu mode. Note: there will probably be no green bar at bottom of screen.

    The command I used to dump the firmware was (I am on ubuntu-linux) dfu-util -a 0 -U -s 0x08000000

    UPDATE: Find dump files at post #10
    5
    I am working on reverse engineering the dump while also reverse engineering the protocol used for fota updates to try and get the full dfu file!!!!!!

    Sent from my C1505 using XDA Free mobile app
    5
    The Dump

    This is the internal memory(soldered sdcard) and firmware dumps I made just in case anybody couldn't get them to examine.
    They are attached to this post

    If you use these in any other thread please credit me.

    the password (just in case) is: xtreme_firmware

    Hope this is useful! :good: :good:
    4
    Deleted member 3843930
    My progress:

    SmartWatch 2 uses a variant of STM32F43xxx (Datasheet). On page 84, figure 19, you can see the memory mapping. It tells you that eMMC is accessible from 0x0 to 0x1fffff, so
    Code:
    dfu-util -U eMMC.dmp --alt 1 --intf 0 -s 0x0:0x200000
    It holds the A-Firmware (currently at 1.0.A.4.11).

    You can also read that 0x80000000 - 0x81fffff is Internal Flash, so
    Code:
    dfu-util -U internal.dmp --alt 0 --intf 0 -s 0x08000000:0x200000
    It holds the B-Firmware (currently at 1.0.B.4.154). It seems to be major parts of the userland. Also, it seems to have "MHIB" as magic. (Might be something like Main Human Interface Binary? Just guessing).

    Of course you have to change --intf appropriately for your setup. Actually --alt is not necessary as --alt 0 seems to be mapped to --alt 1. Nevertheless dfu-util needs to know where to read from.

    eMMC is advertised as 512 MiB, but only the first 2 MiB are mapped at boot time, so no chance to dump it via DFU mode.

    While some pages are marked as non-readable, trying to read from 0x81FFFFF seems to crash DFU mode and makes it exit.


    Looking at the SmartWatch 2 license agreement Sony tells us about used open source tools. Interesting parts are Miniz and FatFs. Actually the fat.bin file in the SmartWatch-APK is compressed using Miniz. Have a look at Miniz's example3.c. It can decompress it. After that you can mount it using a loop-device. It shows up as a weird set of CID files, I'm currently investigating them. They have a header starting with the file's name and contain their length at 0xC. I'm quite sure this actually is the payload length and marks the end of the header.

    If you use
    Code:
    binwalk -D 'jpeg.*:jpg' -D 'png.*:png' dump.full
    you will end up with large files. They can be shortened and for the PNGs, I wrote a short C-program to cut them. If you want it, tell me.

    fat.bin has to be written somewhere into eMMC after the first 2 MiB. This is also where I suspect settings go, as changes to settings didn't show up in the dumpable eMMC and Internal Flash.
    3
    binwalk result of firmware dump.

    This is the binwalk result of my Sony SmartWatch dump (using the Sony SmartWatch firmware bundled in Sony's Smartwatch 2 v1.4.54 app).



    From the entropy analysis, I noticed it is divided into two sections by a zero-filled area (the low entropy section in the result). The first section is the bootloader (bl.bin) and the second one is the watch main firmware (asw.bin).

    While playing with dfu-util and an old firmware file, I found that mixed firmware (1.3.17 bootloader and 1.4.54 firmware) boots well. It seems we can use the Sony bootloader to load hacked firmware.

    And the Sony firmware image seems to always start with a 12-byte binary sequence beginning with "MHIB". In 1.3.17, it is 4D 48 49 42 CC A4 08 00 D0 1A E8 F4. In 1.4.64, it is 4D 48 49 42 00 78 09 00 93 A0 48 66.
    I guess this difference contains some version-related information in its header.

    **Edit
    the firmware (asw.bin) is located at 0x08040000. (in dump file, 0x00040000)

    And it seems lots of its resources are located in the tail of the dump. As seen in the analysis result, it finds *lots* of PNG files. I guess the small images are stock icons on the watch.


    p.s. Sorry for my poor English skill.
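The entropy split between bl.bin and asw.bin and the MHIB magic at dump offset 0x40000 described in the post above can be located programmatically rather than by eye. This added example (not the poster's tooling) runs a block-entropy scan and an MHIB header search over a constructed stand-in image, since the real dump is not on this page; the 1.4.64 header bytes and the 0x40000 offset come from the thread, the interpretation of the two fields after the magic does not.

```python
import math
import struct

MHIB_MAGIC = b"MHIB"
# 12-byte header quoted in the thread for firmware 1.4.64
HEADER_1_4_64 = bytes.fromhex("4D 48 49 42 00 78 09 00 93 A0 48 66")

def build_sample_dump():
    """Constructed stand-in for an internal-flash dump (the real dump is not on this
    page): varied 'bootloader' bytes, a zero-filled gap, then a 'firmware' region
    at offset 0x40000 that starts with the quoted MHIB header."""
    boot = bytes((i * 73 + 17) & 0xFF for i in range(0x20000))
    gap = bytes(0x20000)
    body = bytes((i * 131 + 5) & 0xFF for i in range(0x10000 - len(HEADER_1_4_64)))
    return boot + gap + HEADER_1_4_64 + body

def entropy(chunk):
    """Shannon entropy in bits per byte: 0.0 for all-zero, 8.0 for uniform bytes."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def low_entropy_runs(data, block=0x1000, threshold=0.5):
    """[(start, end)] byte ranges whose blocks all score below the threshold, i.e.
    the zero-filled area binwalk's entropy graph shows between bl.bin and asw.bin."""
    runs, start = [], None
    for off in range(0, len(data), block):
        low = entropy(data[off:off + block]) < threshold
        if low and start is None:
            start = off
        elif not low and start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(data)))
    return runs

def find_mhib_headers(data):
    """(offset, u32, u32) for every complete MHIB header; the two fields are read
    little-endian, but their meaning is not established in the thread."""
    hits, pos = [], data.find(MHIB_MAGIC)
    while pos != -1 and pos + 12 <= len(data):  # stop on a truncated trailing hit
        hits.append((pos,) + struct.unpack_from("<II", data, pos + 4))
        pos = data.find(MHIB_MAGIC, pos + 1)
    return hits
```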