Smartwatch 2 firmware hacking


BatRoger

New member
Oct 26, 2014
3
0
Eldorado do Sul
My SW2 died

Somewhat yes. but only through liveware apps. Not through firmware. I am hoping that by the time the smartwatch 2 is 'Officially' unlocked to developers that we will have some sort of way to edit code and recompile or just resources and work from there.

Folks, I know this is an off-topic question, but my SW2 died after the update. It seems to be in DFU mode "forever". Even with that "15 seconds pressing the button" thing, nothing happens.

But my PC recognizes the SW2 when I plug in the USB cable.

Is there some fix to this issue? I have the dfu-util and I will try to reload the original firmware... what do you think? But I cannot find the SW2 original dfu file.

Some guidance will be appreciated. :D

Thanks!
 

finalgravity525

Senior Member
Jul 7, 2012
58
7
Folks, I know this is an off-topic question, but my SW2 died after the update. It seems to be in DFU mode "forever". Even with that "15 seconds pressing the button" thing, nothing happens.

But my PC recognizes the SW2 when I plug in the USB cable.

Is there some fix to this issue? I have the dfu-util and I will try to reload the original firmware... what do you think? But I cannot find the SW2 original dfu file.

Some guidance will be appreciated. :D

Thanks!

Same here, I hope someone knows how to reflash or reupgrade the sw2, or just to reset it using a smartphone so that it can install the sw2 app again.

Sorry for my bad English :(
 

reednoel4u

Senior Member
Jan 3, 2013
73
1
Vung Tau
Hey all,

Anyone look at the com.sonymobile.smartconnect.smartwatch2.apk, these files in the apk look sort of interesting:

res/raw/asw.bin 607KB -- Firmware?
res/raw/bl.bin 31KB -- BootLoader?
res/raw/fat.bin 545KB -- FlashFS?

Not really sure if these can be useful in the quest to get a working firmware together. I wish we had a memory map of this thing.


AL

@Xtreme_FIRMWARE
My SW2 was bricked, please help me to reinstall firmware for it.
My laptop using win8, 64 bit
Waiting for your support with many thanks
 

reednoel4u

Senior Member
Jan 3, 2013
73
1
Vung Tau
Ok, great! Let's focus on getting into the filesystem which stores resources, for simple resource hacks (battery icon, etc.), then work our way up to the full firmware.

So at the end of this post you will find the firmware, just in case someone's not got a decompiled version of the host apk.
Pls help me, how to flash this file to sw2? I just know the Windows system.
 

reednoel4u

Senior Member
Jan 3, 2013
73
1
Vung Tau
Folks, I know this is an off-topic question, but my SW2 died after the update. It seems to be in DFU mode "forever". Even with that "15 seconds pressing the button" thing, nothing happens.

But my PC recognizes the SW2 when I plug in the USB cable.

Is there some fix to this issue? I have the dfu-util and I will try to reload the original firmware... what do you think? But I cannot find the SW2 original dfu file.

Some guidance will be appreciated. :D

Thanks!

Me too,
I am waiting for @Xtreme_FIRMWARE all day, but he is not online yet.
 

bl00dy

Member
Aug 14, 2013
43
10
So this is for Smartwatch 2 sw2 device. Do you know how to flash this to our sw2 ? My sw2 right now is a half dead. So my only option is to reflash with working firmware. Thanks mate :)

this is somewhere else in the forums, but i'm lazy...
http://developer.sonymobile.com/ser...-to-flash-alternative-firmware-to-smartwatch/
also if you're not on nix, you can search for 'man' pages of programs, dfu-util has a few commands.

you want to 'download' (-D, as if you're the device).
this thread has people posting what they did to extract (upload) their dfu, you just replace -U with -D
i'm not exactly sure of the memory address but it was something someone used in this forum, probably 0x8000* and 0x100* - or you can try without addresses and see what happens (i would do that last though)
 

finalgravity525

Senior Member
Jul 7, 2012
58
7
If only someone can post specific steps to reflash these dfu files or bins to our sw2. :) I don't really have an idea to what addresses I should download the bins. :confused::confused: The .dfu file that Sir Bloody attached cannot be downloaded to our sw2, because dfu-util only supports dfuse up to 1.1a and sw2 is on a higher version. So only the parts/bins can be specifically downloaded to sw2 I think. :confused: Sorry for my bad English.
 

Ry Chy®

Senior Member
Jan 2, 2012
207
65
49
Xiaomi 11T Pro
If only someone can post specific steps to reflash these dfu files or bins to our sw2. :) I don't really have an idea to what addresses I should download the bins. :confused::confused: The .dfu file that Sir Bloody attached cannot be downloaded to our sw2, because dfu-util only supports dfuse up to 1.1a and sw2 is on a higher version. So only the parts/bins can be specifically downloaded to sw2 I think. :confused: Sorry for my bad English.

+1
 

kokesh

Senior Member
Jul 20, 2010
1,169
486
Xiaomi Mi 9
Anyone notices the following text in asw.bin?

Code:
Turning  off  [B]Lifelog  [/B]activity  tracking  will  change  your  Smart  wake  up  alarms  to  regular 
alarms.u000du000aContinue  to  turn  off  [B]Lifelog[/B]?  You  can  select  up  to  three  watch  faces  to  swipe
  between  when  the  screen  is  lit.  Deselect  a  watch  face  before  selecting  another  one  At  least  one  
watch  face  must  be  selected  Lifelog  activity  tracking  may  increase  SmartWatch  2  battery  consumption.
  Open  [B]Lifelog  [/B]Steps  Walking  Sleeping  Create  bookmark  Bookmark  created  Deep  sleep  Light  
sleep  Awake  Please  log  in  to  Lifelog  on  your  phone  or  tablet.  Goal  reached!  Running  You  have  now 
 slept  <Number_%02u:%02u>  hours  and  reached  your  daily  sleeping  goal.  You  have  now  walked  <Number_%02u:%02u>  hours  and  reached  your  daily  walking  goal.  You  have  now  run  
<Number_%02u:%02u>  hours  and  reached  your  daily  running  goal.  You  have  now  walked  
<Number_%u>  steps  and  reached  your  daily  steps  goal.


Hmm....
 

XperianPro

Senior Member
Nov 19, 2010
2,253
868
Mars
I managed to decompile asw.bin and bl.bin to assembler code; changes can be made and uploaded back to the smartwatch again. Also the smartwatch has the ability to reboot itself to bootloader mode (I guess this is what bl.bin is for?), then it unlocks the rest of the emmc memory and proceeds to write to it.
 

D0MINO

Senior Member
Jan 14, 2011
230
32
I'm guessing there has been no progress on this and any hacking of the SW2 is dead.

Shame, as I got this for free and frankly, I find it rather useless and don't know what the point of it is! If I was able to load something more useful on it rather than it basically being an overpriced notification device it might make me use it!
 

energyaxel

New member
Feb 3, 2010
1
0
hi !
I need your help !
my SW2 doesn't load, only SONY logo, load line, and reboot.... ;(
I download to sw2 files
dfu-util -c 1 -i 0 -a 0 -D memdump.raw -s 0x08000000
dfu-util -c 1 -i 0 -a 0 -D asw.bin -s 0x08040000
dfu-util -c 1 -i 0 -a 1 -D fat.bin -s 0x00000001

SW2 not work...
maybe I need to download bl.bin but I don't know the address 0x0****
and I have eMMC.dmp and internal.dmp files... how to flash them?
tnx !
 

matin0611

Senior Member
Nov 18, 2013
81
17
Hi

I have question

Is there any way to make the compass work again on the Sony Smartwatch 2? With some hacking maybe? Because this app (compass for smartwatch 2) seems to work on smartwatch 2 but Sony removed magnetic sensor support

Sent from my GT-I9300 using XDA Free mobile app
 

hansitogo

Member
Jul 10, 2014
9
1
hi !
I need your help !
my SW2 doesn't load, only SONY logo, load line, and reboot.... ;(
I download to sw2 files
dfu-util -c 1 -i 0 -a 0 -D memdump.raw -s 0x08000000
dfu-util -c 1 -i 0 -a 0 -D asw.bin -s 0x08040000
dfu-util -c 1 -i 0 -a 1 -D fat.bin -s 0x00000001

tnx !

I reanimated 2 SW2 with the download of the 3 system files from /res/raw in com.sonymobile.smartconnect.smartwatch2.apk
(before black screen from flashing system for SW1)
commands:
dfu-util -c 1 -i 0 -a 0 -s 0x08000000 -D bl.bin
dfu-util -c 1 -i 0 -a 0 -s 0x08040000 -D asw.bin
dfu-util -c 1 -i 0 -a 1 -s 0x01 -D fat.bin
 

pimikiel

Senior Member
Feb 15, 2014
54
5
Hi.
I managed to flash files to internal memory, but flashing the last one (the important one for me) onto eMMC I got an "Error during download get_status", then the watch goes into a weird dfu-unreadable mode until I restart it.

Can this mean that my eMMC memory is unsoldered, or damaged?

I was swimming with my watch, and as soon as I realised that it was dead I took it off. At home I fried it under a lightbulb, which was a little too close, trying to dry it out. The glass cracked into a web shape and the display turned partly white. I replaced the glass and display, having one less damaged. But the watch remained dead. When trying to run it again after a week or two it displays a Flash FS message, which brought me here.
 

Top Liked Posts

  • 8
    Sorry if this is stupid or something but I have the smartwatch 2 firmware dump file (dumped using dfu-util's upload utility (-u)) from messing around trying to get into the dfu. I succeeded. I don't know if I am allowed to upload the file so I won't yet.

    So is there any linux/ubuntu based software I can use to decompile or to edit resources such as icons, images etc.?

    If you would like to obtain the file I am talking about use the open smartwatch (1) project. similar way applies:

    1. Have dfu-util installed

    2. remove smartwatch 2 from power (miniusb plug)

    3. plug in usb end that goes into computer but NOT miniusb.

    4. my way to enter the dfu is to plug in the miniusb end and then hold power a split-second after you should see a blank screen but sony does not come up. let go of power.

    5. you are now in dfu mode. Note: there will probably be no green bar at bottom of screen.

    The command I used to dump the firmware was (I am on ubuntu-linux) dfu-util -a 0 -U -s 0x08000000

    UPDATE: Find dump files at post #10
    5
    I am working on reverse engineering the dump while also reverse engineering the protocol used for fota updates to try and get the full dfu file!!!!!!

    Sent from my C1505 using XDA Free mobile app
    5
    The Dump

    This is the internal memory(soldered sdcard) and firmware dumps I made just in case anybody couldn't get them to examine.
    They are attached to this post

    If you use these in any other thread please credit me.

    the password (just in case) is: xtreme_firmware

    Hope this is useful! :good: :good:
    4
    D
    Deleted member 3843930
    My progress:

    SmartWatch 2 uses a variant of STM32F43xxx (Datasheet) On page 84, figure 19, you can see the memory mapping. It tells you that eMMC is accessible from 0x0 to 0x1fffff, so
    Code:
    dfu-util -U eMMC.dmp --alt 1 --intf 0 -s 0x0:0x200000
    It holds the A-Firmware (currently at 1.0.A.4.11).

    You can also read that 0x80000000 - 0x81fffff is Internal Flash, so
    Code:
    dfu-util -U internal.dmp --alt 0 --intf 0 -s 0x08000000:0x200000
    It holds the B-Firmware (currently at 1.0.B.4.154). It seems to be major parts of the userland. Also, it seems to have "MHIB" as magic. (Might be something like Main Human Interface Binary? Just guessing).

    Of course you have to change --intf appropriately for your setup. Actually --alt is not necessary as --alt 0 seems to be mapped to --alt 1. Nevertheless dfu-util needs to know where to read from.

    eMMC is advertised as 512 MiB, but only the first 2 MiB are mapped at boot time, so no chance to dump it via DFU mode.

    While some pages are marked as non-readable, trying to read from 0x81FFFFF seems to crash DFU mode and makes it exit it.


    Looking at the SmartWatch 2 license agreement Sony tells us about used open source tools. Interesting parts are Miniz and FatFs. Actually the fat.bin file in the SmartWatch-APK is compressed using Miniz. Have a look at Miniz's example3.c. It can decompress it. After that you can mount it using a loop-device. It shows up as a weird set of CID files, I'm currently investigating them. They have a header starting with the file's name and contain their length at 0xC. I'm quite sure this actually is the payload length and marks the end of the header.

    If you use
    Code:
    binwalk -D 'jpeg.*:jpg' -D 'png.*:png' dump.full
    you will end up with large files. They can be shortened and for the PNGs, I wrote a short C-program to cut them. If you want it, tell me.

    fat.bin has to be written somewhere into eMMC after the first 2 MiB. This is also where I suspect settings to go into as dumpable eMMC and Internal Flash as changes to settings didn't reflect in them.
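An added example, not the poster's C program or any other code from the thread: one way to shorten a PNG carved by binwalk to its real length is to walk the chunk list from the signature to the IEND chunk, checking each CRC on the way. The 1x1 sample image and the trailing padding are constructed here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def trim_png(blob: bytes) -> bytes:
    """Return the PNG at the start of blob, cut right after its IEND chunk."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("no PNG signature at offset 0")
    pos = len(PNG_SIG)
    while True:
        if pos + 8 > len(blob):
            raise ValueError("data ends before an IEND chunk")
        # Each chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(blob):
            raise ValueError(f"{ctype!r} chunk at {pos:#x} runs past the data")
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        # The CRC covers the type and data fields; a mismatch means the
        # carver hit a false positive or the dump is damaged at this point.
        if zlib.crc32(blob[pos + 4:end - 4]) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at {pos:#x}")
        pos = end
        if ctype == b"IEND":
            return blob[:pos]

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def make_sample() -> bytes:
    """Constructed 1x1 greyscale PNG used as test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))

SAMPLE_PNG = make_sample()
# Constructed stand-in for an over-long carved file: image plus unrelated bytes.
CARVED = SAMPLE_PNG + b"\xff" * 4096

if __name__ == "__main__":
    trimmed = trim_png(CARVED)
    print(f"{len(CARVED)} bytes carved -> {len(trimmed)} bytes after trimming")
```
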
    3
    binwalk result of firmware dump.

    This is binwalk result of my sony smartwatch dump. (Using Sony smartwatch firmware bundled on Sony's Smartwatch 2 v1.4.54 app.)



    From the entropy analysis, I noticed it is divided into two sections by a zero-filled area. (Low entropy section in result) The first section is the bootloader (bl.bin) and the second one is the watch main firmware. (asw.bin)

    While playing with dfu-util and an old firmware file, I found that mixed firmware ( 1.3.17 bootloader and 1.4.54 firmware ) boots well. It seems we can use the Sony bootloader to load hacked firmware.

    And the Sony firmware image seems to always start with a 12-byte binary sequence beginning with "MHIB". In 1.3.17, it is 4D 48 49 42 CC A4 08 00 D0 1A E8 F4. In 1.4.64, it is 4D 48 49 42 00 78 09 00 93 A0 48 66
    I guess this difference contains some version-related information in its header.

    **Edit
    the firmware (asw.bin) is located at 0x08040000. (in dump file, 0x00040000)

    And, it seems lots of its resources located in tail of dump. As seen on analysis result, it finds *lots* of png files. I guess that small images are stock icons on watch.


    p.s. Sorry for my poor English skill.
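An added example, not code from the thread: a scanner that finds every "MHIB" header in an internal-flash dump, maps the file offset to the flash address, and decodes the two 32-bit words that follow so headers from different versions can be compared. The little-endian decoding and the unnamed `word1`/`word2` fields are assumptions; the header bytes are the two quoted in the post above, placed in a constructed zero-filled dump.

```python
import struct

MAGIC = b"MHIB"
FLASH_BASE = 0x08000000  # internal flash base address used with dfu-util -s in the thread

# The two 12-byte headers quoted in the post, keyed by the version labels it gives.
QUOTED = {
    "1.3.17": bytes.fromhex("4D484942CCA40800D01AE8F4"),
    "1.4.64": bytes.fromhex("4D4849420078090093A04866"),
}

def find_mhib(dump: bytes, base: int = FLASH_BASE):
    """Locate every MHIB header in a flash dump and decode the two words after it."""
    hits = []
    pos = dump.find(MAGIC)
    while pos != -1:
        if pos + 12 <= len(dump):  # skip a magic too close to the end to hold a header
            # Assumption: little-endian 32-bit words (the STM32 core is little-endian).
            # The thread does not say what the words mean, so they stay unnamed.
            w1, w2 = struct.unpack_from("<II", dump, pos + 4)
            hits.append({"offset": pos, "address": base + pos,
                         "word1": w1, "word2": w2})
        pos = dump.find(MAGIC, pos + 1)
    return hits

def make_dump(header: bytes) -> bytes:
    """Constructed stand-in for a dump: zero fill, then the header at offset 0x40000."""
    return bytes(0x40000) + header + bytes(64)

if __name__ == "__main__":
    for version, header in QUOTED.items():
        for hit in find_mhib(make_dump(header)):
            print(f"{version}: MHIB at {hit['address']:#010x} "
                  f"word1={hit['word1']:#010x} word2={hit['word2']:#010x}")
```
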