Smartwatch 2 firmware hacking

Deleted member 3843930
My progress:

SmartWatch 2 uses a variant of STM32F43xxx (Datasheet). On page 84, figure 19, you can see the memory mapping. It tells you that eMMC is accessible from 0x0 to 0x1fffff, so
Code:
dfu-util -U eMMC.dmp --alt 1 --intf 0 -s 0x0:0x200000
It holds the A-Firmware (currently at 1.0.A.4.11).

You can also read that 0x80000000 - 0x81fffff is Internal Flash, so
Code:
dfu-util -U internal.dmp --alt 0 --intf 0 -s 0x08000000:0x200000
It holds the B-Firmware (currently at 1.0.B.4.154). It seems to be major parts of the userland. Also, it seems to have "MHIB" as magic. (Might be something like Main Human Interface Binary? Just guessing.)

Of course you have to change --intf appropriately for your setup. Actually --alt is not necessary as --alt 0 seems to be mapped to --alt 1. Nevertheless dfu-util needs to know where to read from.

eMMC is advertised as 512 MiB, but only the first 2 MiB are mapped at boot time, so no chance to dump it via DFU mode.

While some pages are marked as non-readable, trying to read from 0x81FFFFF seems to crash DFU mode and makes it exit.


Looking at the SmartWatch 2 license agreement, Sony tells us about the open source tools used. Interesting parts are Miniz and FatFs. Actually the fat.bin file in the SmartWatch APK is compressed using Miniz. Have a look at Miniz's example3.c; it can decompress it. After that you can mount it using a loop device. It shows up as a weird set of CID files; I'm currently investigating them. They have a header starting with the file's name and contain their length at 0xC. I'm quite sure this actually is the payload length and marks the end of the header.

If you use
Code:
binwalk -D 'jpeg.*:jpg' -D 'png.*:png' dump.full
you will end up with large files. They can be shortened, and for the PNGs I wrote a short C program to cut them. If you want it, tell me.

fat.bin has to be written somewhere into eMMC after the first 2 MiB. This is also where I suspect the settings go, as changes to settings were not reflected in the dumpable eMMC and Internal Flash.
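The PNG-cutting program mentioned above is not attached to the post. As an added example (not the author's C program and not from the thread), here is the same idea in Python: walk the chunk list of a carved PNG, check each chunk's CRC, and cut the file right after its IEND chunk, which is where a `binwalk -D` carve should have stopped. The sample carve (a 1x1 PNG followed by filler bytes) is constructed inline and is not data from the dump.

```python
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_true_length(blob: bytes) -> Optional[int]:
    """Return the length of the complete PNG at the start of `blob`, i.e. the
    offset just past the IEND chunk's CRC, or None if the data is not a
    well-formed PNG (bad signature, truncated chunk, CRC mismatch, no IEND)."""
    if not blob.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    # Every chunk is: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, pos)
        end = pos + 12 + length
        if end > len(blob):
            return None  # chunk runs past the carve: the PNG is truncated
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", blob, pos + 8 + length)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return None  # CRC covers type + data; a mismatch means corruption
        pos = end
        if ctype == b"IEND":
            return pos
    return None  # ran out of bytes before IEND


def trim_png(blob: bytes) -> Optional[bytes]:
    """Cut a carved file down to exactly the PNG it starts with."""
    n = png_true_length(blob)
    return None if n is None else blob[:n]


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one chunk with a valid CRC; used only to construct the sample."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_sample_carve() -> bytes:
    """Constructed sample, not data from the thread: a 1x1 greyscale PNG
    followed by 4 KiB of 0xFF flash filler, the way a binwalk -D carve runs
    on until the next signature in the dump."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x80")  # filter byte 0 + one grey pixel
    png = (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
           + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
    return png + b"\xff" * 4096


SAMPLE_CARVE = make_sample_carve()
SAMPLE_PNG_LEN = len(SAMPLE_CARVE) - 4096

if __name__ == "__main__":
    trimmed = trim_png(SAMPLE_CARVE)
    print(f"carve: {len(SAMPLE_CARVE)} bytes, real PNG: {len(trimmed)} bytes")
```

Run it on a real carve with `trim_png(open("png-carve.png", "rb").read())`; a `None` result means the carve is not a complete PNG (truncated by the end of the dump or damaged), which is worth knowing before trying to edit the resource.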

maneulyori

Possibility of reverse engineering the bootloader using an STM32F42 Discovery board

I got an stm32f42 discovery board (www <dot> st <dot> com/web/catalog/tools/FM116/SC959/SS1532/LN1848/PF259090 (sorry, I cannot post links yet..)) from eBay. I uploaded the smartwatch ROM dump onto it and ran it. After a few seconds, I halted it and checked the program counter. It says it is running in 0x08000000 - 0x080FFFFF. It means the smartwatch bootloader has finished doing some initialization on this board and successfully jumped into the main firmware code.
Since we cannot attach JTAG to the smartwatch without removing the sealed front touchscreen, I think this allows dynamic analysis using OpenOCD and some gdb client specialized in reverse engineering (I'm still looking for a suitable gdb client. Does anyone know a suitable gdb client for this purpose?) to discover possible memory remapping during booting, etc.
 
Jun 15, 2014
I got an stm32f42 discovery board (www <dot> st <dot> com/web/catalog/tools/FM116/SC959/SS1532/LN1848/PF259090 (sorry, I cannot post links yet..)) from eBay. I uploaded the smartwatch ROM dump onto it and ran it. After a few seconds, I halted it and checked the program counter. It says it is running in 0x08000000 - 0x080FFFFF. It means the smartwatch bootloader has finished doing some initialization on this board and successfully jumped into the main firmware code.
Since we cannot attach JTAG to the smartwatch without removing the sealed front touchscreen, I think this allows dynamic analysis using OpenOCD and some gdb client specialized in reverse engineering (I'm still looking for a suitable gdb client. Does anyone know a suitable gdb client for this purpose?) to discover possible memory remapping during booting, etc.
Thanks. Getting close now. I don't have any in mind right now, but I will tell you if I see anything.
 
Jun 15, 2014
What is planned

Basically, when we finish and we have found a way to edit the code as well as the resources, we need to find out how the SmartWatch 2 app communicates with the device. So when completed we can have modified firmwares with normal end-user functions, such as still having a companion app etc. But this is not our concentration at present. This is only what we might do in the future.
 
Jun 15, 2014
Latest firmware dump. Dumped as much as I could.
Attached below.
 

Attachments

  • sw2dumps-latest.tar.gz
    5.6 KB

Mavman42

Somewhat, yes, but only through LiveWare apps, not through firmware. I am hoping that by the time the SmartWatch 2 is 'officially' unlocked to developers we will have some sort of way to edit code and recompile, or just the resources, and work from there.

Me too! Just got my SmartWatch 2 yesterday and I love it!
 
Jun 15, 2014
Me too! Just got my SmartWatch 2 yesterday and I love it!
It's a great platform, but with custom firmwares the community could get involved and give it even more features, and of course when Sony gives up on it and ends support, community updates will still be rolled out. I need more input and help from other members to get this worked through, but so far we have come a long way and are almost at basic customization.
 

JustPlayingHard

It's a great platform, but with custom firmwares the community could get involved and give it even more features, and of course when Sony gives up on it and ends support, community updates will still be rolled out. I need more input and help from other members to get this worked through, but so far we have come a long way and are almost at basic customization.
How could I help, Xtreme?
 
Jun 15, 2014
Linux? Yep. Just do in a terminal
Code:
sudo apt-get install dfu-util
sudo apt-get install binwalk
assuming you have already done apt-get update.
To enter DFU mode, plug the cable into the computer, then while the watch is off plug the cable into the watch and quickly hold power for 2 seconds. The screen will stay blank even with the cable in; this is supposed to happen.
dfu-util (as root) should work now. For any more help, refer to other posts in this thread. Binwalk can extract somehow...
 

Top Liked Posts

    Sorry if this is stupid or something, but I have the SmartWatch 2 firmware dump file (dumped using dfu-util's upload utility (-U)) from messing around trying to get into DFU. I succeeded. I don't know if I am allowed to upload the file, so I won't yet.

    So is there any Linux/Ubuntu based software I can use to decompile or to edit resources such as icons, images etc.?

    If you would like to obtain the file I am talking about, use the Open SmartWatch (1) project. A similar way applies:

    1. Have dfu-util installed.

    2. Remove the SmartWatch 2 from power (mini-USB plug).

    3. Plug in the USB end that goes into the computer, but NOT the mini-USB.

    4. My way to enter DFU is to plug in the mini-USB end and then hold power a split second after; you should see a blank screen, but Sony does not come up. Let go of power.

    5. You are now in DFU mode. Note: there will probably be no green bar at the bottom of the screen.

    The command I used to dump the firmware was (I am on Ubuntu Linux):
    Code:
    dfu-util -a 0 -U dump.bin -s 0x08000000    # -U needs an output file name; dump.bin is a placeholder

    UPDATE: Find dump files at post #10
    I am working on reverse engineering the dump while also reverse engineering the protocol used for FOTA updates to try and get the full DFU file!

    The Dump

    These are the internal memory (soldered SD card) and firmware dumps I made, just in case anybody couldn't get them to examine.
    They are attached to this post.

    If you use these in any other thread please credit me.

    the password (just in case) is: xtreme_firmware

    Hope this is useful!
    binwalk result of the firmware dump

    This is the binwalk result of my Sony SmartWatch dump (using the Sony SmartWatch firmware bundled in Sony's Smartwatch 2 v1.4.54 app).



    From the entropy analysis, I noticed it is divided into two sections by a zero-filled area (the low-entropy section in the result). The first section is the bootloader (bl.bin) and the second one is the watch main firmware (asw.bin).

    While playing with dfu-util and an old firmware file, I found that mixed firmware (1.3.17 bootloader and 1.4.54 firmware) boots well. It seems we can use the Sony bootloader to load hacked firmware.

    And the Sony firmware image seems to always start with a 12-byte binary sequence beginning with "MHIB". In 1.3.17 it is 4D 48 49 42 CC A4 08 00 D0 1A E8 F4. In 1.4.64 it is 4D 48 49 42 00 78 09 00 93 A0 48 66.
    I guess this difference contains some version-related information in its header.

    **Edit
    The firmware (asw.bin) is located at 0x08040000 (in the dump file, 0x00040000).

    And it seems lots of its resources are located in the tail of the dump. As seen in the analysis result, it finds *lots* of PNG files. I guess the small images are stock icons on the watch.


    p.s. Sorry for my poor English skill.
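As an added example (not maneulyori's or Sony's code, and not part of the thread), the following Python reproduces the two observations in the post above on a constructed dump: it finds the zero-filled gap that separates the bootloader from the main firmware, and it locates the "MHIB" magic and splits the 12-byte header. The thread only establishes the 4-byte magic and the two header values quoted above; reading the remaining 8 bytes as two little-endian 32-bit words is this example's own hypothesis. The sample dump, its layout and the scaled-down offsets are constructed for the example; `DUMP_BASE` is the 0x08000000 flash base the post uses to map dump offsets to addresses.

```python
import re
import struct
from typing import Dict, List, Tuple

MHIB_MAGIC = b"MHIB"
DUMP_BASE = 0x08000000  # dump offset + DUMP_BASE = address in internal flash


def find_zero_gaps(dump: bytes, min_len: int = 0x1000) -> List[Tuple[int, int]]:
    """Offsets (start, end) of every run of 0x00 at least `min_len` bytes long.
    These are the low-entropy regions that binwalk's entropy plot shows
    between the bootloader and the main firmware."""
    return [(m.start(), m.end())
            for m in re.finditer(rb"\x00{%d,}" % min_len, dump)]


def split_sections(dump: bytes, min_gap: int = 0x1000) -> List[Tuple[int, int]]:
    """Non-zero regions of the dump, i.e. everything between the gaps."""
    sections, pos = [], 0
    for start, end in find_zero_gaps(dump, min_gap):
        if start > pos:
            sections.append((pos, start))
        pos = end
    if pos < len(dump):
        sections.append((pos, len(dump)))
    return sections


def parse_mhib_header(hdr: bytes) -> Dict[str, int]:
    """Split a 12-byte MHIB header. Only the 4-byte magic is known from the
    thread; reading the next 8 bytes as two little-endian u32 words is this
    example's own hypothesis, not a documented layout."""
    if len(hdr) < 12 or hdr[:4] != MHIB_MAGIC:
        raise ValueError("not an MHIB header")
    word1, word2 = struct.unpack_from("<II", hdr, 4)
    return {"word1": word1, "word2": word2}


def find_mhib_headers(dump: bytes) -> List[Dict[str, int]]:
    """Every MHIB header in the dump, with its dump offset and flash address."""
    found, pos = [], 0
    while (i := dump.find(MHIB_MAGIC, pos)) != -1 and i + 12 <= len(dump):
        rec = parse_mhib_header(dump[i:i + 12])
        rec.update(offset=i, address=DUMP_BASE + i)
        found.append(rec)
        pos = i + 4
    return found


# The two header values quoted in the post (1.3.17 and 1.4.64).
HEADER_1317 = bytes.fromhex("4D484942CCA40800D01AE8F4")
HEADER_1464 = bytes.fromhex("4D4849420078090093A04866")

# Constructed sample dump (not a real SmartWatch 2 image, and much smaller):
# a 2 KiB "bootloader" of non-zero bytes, a zero-filled gap up to 0x2000, then
# a "main firmware" blob that begins with the 1.3.17 header bytes.
_filler = bytes(range(1, 256))  # contains no 0x00, so it never looks like a gap
SAMPLE_DUMP = ((_filler * 9)[:0x800] + b"\x00" * 0x1800
               + HEADER_1317 + (_filler * 20)[:0x1000])

if __name__ == "__main__":
    for start, end in split_sections(SAMPLE_DUMP):
        print(f"section 0x{start:06x}-0x{end:06x} ({end - start} bytes)")
    for h in find_mhib_headers(SAMPLE_DUMP):
        print(f"MHIB at dump 0x{h['offset']:06x} (flash 0x{h['address']:08x}): "
              f"word1=0x{h['word1']:08x} word2=0x{h['word2']:08x}")
```

On a real internal.dmp the same calls give the section boundaries to cut bl.bin and asw.bin at, and the word values for each firmware version side by side, which is the quickest way to test the hypothesis that one of them is a length or a version field.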