
Smart Watch Lobotomy

BSides Cape Town · 2022 · 44:46 · 118 views · Published 2023-09
Speakers: Dale Nunns
About this talk
Dale Nunns reverse-engineers a cheap commodity smartwatch (Y68), exploring its hardware, firmware, and Bluetooth low-energy vulnerabilities. The talk covers failed attempts at firmware modification, authentication bypasses in OTA updates, and critical security flaws that allow remote bricking via Bluetooth without any validation or encryption.
Original YouTube description: BSides Cape Town 2022 Conference, Track 1: Smart Watch Lobotomy - Dale Nunns
Transcript [en]

hi hi thanks for coming to my talk for those of you who can't read it's called Smartwatch lobotomy um taking a cheap Smartwatch and making it do what I want for those who don't know I am I'm Dale uh I work my day job is I'm a senior software developer at a company called structure it we build software for structured markets and stuff like that but in all honesty my hobby is and in my free time I take things apart occasionally if they go back together not always um I jokingly refer to myself as a jack of all trades serial skill collector and you'll see what I mean in a sec and a high functioning hoarder I'm not sure about

the high functioning part but I'm definitely a hoarder so this is the goal when I started all this it was um grab a watch and get it running my code that was how this started things never go according to plan so it's now become make the cheap watch do what I want by any means necessary I mean how hard can it be started about four months ago maybe longer and you'll see so this is the cheap watch it's called a Focus fit Pro y68 it's also called the Smartwatch y68 it's also called the smart Fitness tracker y68 you'll notice a pattern the D20 y68 Smartwatch the y68 macaron color Smartwatch the y68 smartwatch and then my personal favorite the yitz

68 Smartwatch and trust me after four months that's what I wanted to do with them um the watch cost between 100 and 200 Rand or about two to four McDonald's Big Mac burgers for those of you who don't speak Rands um they're available locally on takealot these all appear to be the same watch I haven't bought all of them it gets expensive at the moment or at least during Black Friday they started off at 159 Rand to watch you'll notice in pattern year they go 199 299 then it goes 355.99 and 6.99 you can't see it scratched out says 999 red obviously it's take a lot they're probably always cost 6.99 or 650 the week before

they went on special but this is as far as I can tell the same Swatch you can also buy it on AliExpress and places like that for somewhere between about three and six dollars if you buy enough of them you can get the price down to about two dollars um I can't convince my wife to let me buy 2 000 smart watches I'm also not sure what I'm gonna do with all of them um always remember when doing this thing two years one and one is none whoa it was fun okay let's get back there quick so uh buy Six don't tell my wife don't worry they weren't that expensive honey so what happens is the first one I

bought was about 199 Rand the second one worked out about 150 Rand from takealot then one day only had this deal where you could get two for 150 Rand and then they had another deal lower later where you could get two for 200 Rand um I kept buying them it was a good idea uh no plan ever survives first contact with the Enemy or cheap electronics I killed three of them so far there's probably going to be more but it's the price you pay for a good B science talk this is the clean specs um you'll see what I mean so uh it's a 1.3 inch IPS screen it's a little LCD screen they claim it's IP67 waterproof

the chipset is this H whatever is s battery capacity is 150 milliamp hours they claim it's got a heart rate detection at standby is 10 days and takes two hours to charge playing around that's the actual specs yes it does have a screen honestly I wouldn't wash my I wouldn't even wash my hands with wearing one in these watches I'm not sure I'd take it close to the bathroom I wouldn't drink a cup of coffee wearing one of these watches they are not waterproof they are not anything it's a couple of bits of plastic clipped together if you're going to read on takealot you'll notice that some of the specs for this watch include a aluminum anodized housing no there's

no metal where's ever came near this watch um the chipset is actually a TLS r8323 which was a surprise when I bought the watch thinking it had the other chipset because that one is partially easily hackable this one not so much the battery capacity varies I've had these watches open the printing on the actual battery varies between different watches that claim to be the same model I don't know so um one of the brands was ntec any Tech something like that and the one watch had 100 milliamp hour battery the other one had 150 milliamp hour battery that's from the same thing same box everything else heart rates just remember the little X we'll come to that

standby time it varies if you happen to have paired it with a cell phone then the the standby time drops drastically it also it depends if you happen to be wearing the watch the it also varies a lot if you put it into your draw and don't touch it or leave it on a desk you might get three hours again it depends on which one of the watch I have six of them one of them makes four days one of them barely lasts 30 minutes the charging time I think they're correct I haven't timed it but it seems to be about two hours I don't trust these things I'm not going to leave it on charge overnight

um so it's available in Many Colors I don't have the pink one that one sold out incredibly quickly that's also because the pink one is 20 Rand cheaper than the other watches the most expensive model is the middle one which they claim is white but it actually is is black plastic spray painted silver and comes with a white watch band um charging on this thing is interesting you pull off the the the the the the watch band actually Clips onto the watch You Yank It Off and then it exposes that thing that connector you shove into a USB socket now you know you always get USB the wrong way around the first you know it

takes three tries to get it the right way around this one's even worse because you can put it in the right wrong way around and your watch just won't pick it won't start charging if it's completely flat you won't know it's not charging because it doesn't do anything until about half an hour into the charging process um you can only charge it if you have an extension because it won't fit inside of most laptops and computers because it can't go far enough into the USB slot to make decent contact and even once you do get it in some of the watches are slightly like Slimmer which means that they don't make proper contact when you

bump them they stop charging there's a like I say I want to throw it out the window the actual Hardware this is just the info screen on the watch itself there is the model number you'll see there's no mention of y68 it's the [Music] lt716g some of the watches I have don't have the G I don't know what GE stands for the software version yeah the Bluetooth name is lt716 the next string there is part of the MAC address this becomes really useful when you have a lot of them on your desk and you're not sure which one you're busy poking at and I have no idea what those numbers mean one day we'll figure them

out that's the outside of the watch and um the on the left hand side you'll note that's the front on the other side of the underside of it that's got the heart rate sensor opening this watch is pretty easy all you need is a flat sludgee thing and you just pop the plastic cover off if you want to do it without marking anything I suggest your prying tool be plastic any of those cheap kits you can buy from you know take a lot wherever for 50 bucks it comes with the prying tool those work great to be honest I can care and just grab whatever was on my desk and pride the thing off there's no gaskets there's no proper

ceiling there's no nothing and that's why I say if water gets into this it's the end so on the left there on the top photo you can see the screen sort of wedged off to the side that's the only part of the electronics you have to be really delicate with I killed my first Smartwatch by ripping off the screen by accident and once their Cable's torn there's not much you can do that's the inside it's got a vibration motor which you can see it was that round silver disc below that is the battery otherwise known as The Spicy pillow below those stuck in place with double-sided tape is a heart rate sensor they claim uh on the left is the back of

the PCB this is there's the special Flex PCB that holds the heart rate sensor on the board itself it's got some interesting test points now if you're not used to taking things apart test points are um they're little places where generally they will probe the device to figure out what it's doing they use them during manufacturing for programming they use it to debug them and things like that so these are the kind of things you look at if you're going to reverse engineer something or hack on advice you go and find them because generally they they're interesting signals um this is just the PCB you can see the component size we're getting to that now

so Hardware reverse engineering this is my hobby I enjoy taking things apart and like I say I enjoy reverse engineering basically it's educated guesswork don't listen all it is is you're taking a bunch of guesses occasionally you'll guess right most of the time you guess wrong doesn't matter next time around you'll get better if you want to get good at this take lots of things apart you can if you can't afford to take things apart or you don't have space or you've run out of space uh YouTube just putting tear down put in anything like that and you can watch other people take things apart that you would never be get access to everything from missile

guidance systems to Russian computers to bits of soyuz capsule to Apollo guidance computers and there's much postmodern people than I explaining in great detail how they work the more you do this the more you'll recognize things and that's how reverse engineering works it's pattern recognition you see something and you go oh I've seen that before I know how that works or I have no idea what that thing is you figure it out later you store it in the back of your head and six months time when you see it again you now know so identifying components on a PCB is relatively easy anything with three legs less it's not important the reason I say that is you need more

than three legs because you've got power which is two two legs the third leg is not enough to get anything interesting in and out of the chip so don't worry about three legs or less once you to figure out what the parts do just Google them Bing them Duck Duck Go them if you still can't find them look on AliExpress or Alibaba just taobao you just use the Google Translate all you're looking for is some vague idea of what the thing is once you know you can move on and guess the other parts for those of you who don't know Baidu is a Chinese search engine again Google translate you'll find things there that aren't anywhere else and that's

partially because China don't like the rest of the internet so they have their own little private one and Baidu is quite a nice way into that world like I say Google Translates and you'll be fine so identifying components this is the fun bit that's the PCB as you can see I've highlighted all the various bits and pieces these are all the three-legged components so these are all the uninteresting things um there's a smt SMD transistor the red one the orange one is also transistor or mosfet technically it doesn't matter you can think of these things as switchy things it really it's not going to matter for the greater in the greatest scheme of things the last

one is a voltage regulator basically that powers things um now we get on to the interesting bits so yeah we have the first one is the blue thing that the top that's a linear charge controller it manages the battery now the only reason I say this is gets interesting is because you're going to need to know this if you want to power the device if you want to check the battery levels and all this kind of thing the yellow thing is a touch controller this device is really wacky it's only got one specific spot that you have to magically get your finger to align with to touch there's no touch screen there's none of that there's a tiny little

circle at the bottom of the screen and you have to carefully line your finger up and when you touch it that is a touch the other option you have is hold your finger there for slightly longer and that's the longer touch those are the only inputs on this device and um I say finger but it will also work anything else that triggers capacitive touch so the amount of times that you've sneezed near the thing and it suddenly decided I'm clicking tap touch thing five times and you on the wrong screen the last one I'm guessing I can't find any documentation about this it's kind of hard when you only got four letters to guess what the thing is

but based on what this watch does I'm guessing it's an accelerometer or inertial measurement unit or something vaguely like that basically this watch counts steps so it needs some way to count steps I couldn't find anything else that looked like step counting things so I'm guessing that's what it is it also happens to correspond to other accelerometer chips I'm pretty good I'm pretty sure that's a good guess then the most important part of this thing is that chip this is a t-link TS tlsr8232 that is the heart of this thing it's a system on chip it handles all the Bluetooth and it basically controls everything this is the other PCB C the heart rate sensor

so on this PCB there's three things two green LEDs and it's a resistor and I guess the giveaway here is the tag the messaging the slot screen on the actual board notes it says lt716 LED 0603 FPC means flexible PCB normally no heart rate sensor but maybe they're doing something magical maybe we've discovered that LEDs now can act as heart rate sensors I mean it's possible you know no dance and but I'm pretty sure that explains why my desk has a heart rate of 70 beats per minute um yeah this thing has no heart rate sensor it's completely fake and it's pretty common a lot of these cheap ones have fake heart rate sensors they look

the same as my Huawei or Samsung or an Apple iPhone they're all blink license fast it looks like a proper sensor it's not it's just a bunch of LEDs and you'll quickly realize this put one on after climbing stairs and it says your heart rate is 68 beats per minute um or it will say your O2 levels are 99 all the time consistently the best one is it's got at the bottom there that is your blood pressure now for those of you who don't know you can't actually take blood pressure through heart rate sensor there's glass of there's a whole paper about why you can't but basically it comes down to that's just guess I have

high blood pressure so I know that when I put it on the values are way out of whack and it was the first hint that there's something questionable about this device but hey it's a hundred and fifty onto the test points these are all the interesting things so normally when you're hacking a router or something big with that runs Android or Linux or something like that on then you're looking for the serial ports on this device serial means nothing those points are just happen to be wired into the serial pins of the chip but you can't actually do anything with them I did check there's nothing coming out of them the BT one is just a link to the

antenna I'm guessing that's for some sort of testing the v-bus one that I've put their bus voltage that's actually the USB charge positive I figured out a while back the interesting points on the other side there's the T12 T15 that's just that the single touch point um there's a 3.3 volt that's just a voltage there's a DAT pin which I have no idea what it does I can't make it do anything and then there's SWS which it turns out is a debugger interface so this is the actual chip this is sort of a block diagram of how it works and there's a couple of versions of this particular one t-link is kind of interesting it turns out that

the chips are in all kinds of devices I happen to take a Gamepad a couple of days ago apart and in there is a chip made by totally different company and it turns out they license their technology from t-link um the chip has 16k of ram 512k of flash this particular one in the watch runs at 24 megahertz it's got a proprietary debug protocol because of course and it's instruction set that claims proprietary it's a tc32 it turns out it's essentially a clone of a 16-bit arm nine thumb instruction set with a few tweaks because you can't just clone things automatically you've got to add something um so the Sy debug interface this is what got me interested in this

particular watch um yes I do occasionally buy cheap electronics and take them apart so it's a proprietary interface there is a programmer available it's only 400 Grand I am very very tempted to buy it the problem is the shipping to South Africa is over 750 Rand so it gets pretty expensive for you know a toy or potentially a b side to talk if I do get this into Defcon maybe I'll buy one who knows there is an open source Syed debugger there's a Russian guy called Victor who on GitHub has released a open source programmer he's got a whole lot of details on it it's not exactly for this particular chip but people have said it

works and then there's another guy or another person Raphael who wrote a bunch of scripts that talks to their program and makes your life easier so this is more or less what you have to do you take your blue pearl bulge which is a stm32 Dev board you load his fancy software onto that you wire a couple of wires onto the board you run the python script and everything talks so there I'm busy wiring it all up clean workbench and you run it and then it crashes now at this point I'd already submitted to be science so I started panicking um and yeah so it turns out it doesn't work the reason it doesn't work is

there's no reset pin for those of you who don't know what a reset but does it's the same as on your desktop machine if you hold down reset your computer is on but not on what reset does is holds the CPU in a state where it's ready with all the power and everything else but it's not executing any instructions then the minute you let go the reset button the computer suddenly bursts into life and the CPU starts executing instructions when you want to try and program a microcontroller like this one you need the same thing you need to put it in this powered on state where it's sitting idle and then as soon as it

Powers up you Hammer the SWS pin in this case and you say quick quick stop what you're doing and do what I want you to do without the reset pin you have to do this other ways you have to either toggle the power which is a bit sketchy because things stay on but aren't on and all this kind of stuff or you have to find some other way to glitch it into running this thing tried this quite a bit I couldn't get it right the other thing is the SWS pins also used to control the hot monitor LEDs so you have to disconnect the hot monitor board there's still a whole lot of components since writing these slides

I've discovered that there's a trace you can cut and you can tack a wire on and it seems to be a little bit better but basically the combination seems to mean I can't rely and be Pro program this particular watch which kind of sucks but then when these kind of things happen you take a little bit of a detour so let's talk about some Vikings for those of you don't know Bluetooth is named after a Viking um and in this space it's called blo Bluetooth low energy on this particular watch Bluetooth is sketchy at best it often just won't show up it won't connect it will tell you it's connected but not do anything if you flick through the screens really

fast and like I say sneeze on the watch so Taps the button it will connect for a little while the official app solves this by caching and queuing that's all they do they just cache everything so half the time the values you're looking at in the app don't actually match the watch and often when it finally connected suddenly it just hammers the poor watch with a whole lot of commands that you clicked so if you've got a bunch of notifications and your watch hasn't gone off and then all of a sudden it you know rings for the last 10 minutes while the key all the notification notifications catch up so when you want to explore Bluetooth

low Energy Services there's a great app for Android I believe it's available for iPhone called NRF connect if you haven't used this app it's awesome it's made by Nordic it's actually for the Nordic chips but you can run it on it will connect to any bluetooth app yay standards so this what's here is the various Bluetooth Services provided by The Watch now there are standards within ble so device information and Battery Service are normally uh consistent across the various devices and the other ones are just added on from manufacturer to manufacturer um so what I'm going to do is we'll quickly look at the battery service one it's pretty easy you expand the little thing in the app and you say download

and then it gives you the battery level so you'll see on there it says 100 at that time this battery was fully charged but you can also do it using get tool so basically the what I've got on the screen here is a bunch of Landings commands unfortunately there's no get tool for Windows those of you on Mac OS there is for Mac OS Mac OS Max are special and Bluetooth on them is extra special because Apple apple or privacy Advocates which means that you don't get Mac addresses you get funny uuid things and it just makes everything miserable but it's okay I can't afford new Macs so will stick to Linux if you run Gat tool it will connect to

the watch it'll pull down the um battery value as you can see there all that's information is the same as in the app it's just not as pretty you can do the same for the device information screen you can connect to it via the app you can say give me your information you'll see there there's the version firmware revision number and if you do it through the get tool you'll get a spring of hex values you convert those to ASCII and you'll see there's v03757 that's very nice but kind of boring so there's now we get to the interesting bits so software reverse engineering I don't know how many of you guys have done this kind of thing

um this is a lot of fun you get your your Android software so in my case I just Googled the official app called fit Pro grab the first APK I found where you find it what which one it is doesn't matter too much you just need a newish one um and then you install this program for those of you who don't know it's a Java a APK D compiler um so all I have to do is take my Android app dump it into this and I get Java code out it's one of the things that makes decompiling or messing with Android apps a lot of fun and really really easy you can do some of the things on.net and

that but all the the interpret will not interpret the these one languages like this with a bytecode that use bytecode this works quite well with the actual jedx tool has come a long way since the last time I used it you can click around and find all the stuff and do fine using and all the things you used to in your common IDE all in there one Java app if you do need lots of memory though this particular APK is about 100 Megs depending on which version you got and when you see all the code in there you suddenly realize why they've the app itself talks to pretty much every social media known to man including all the

Chinese ones they've got strange code to talk to both AWS S3 along with I think it's the Baidu one but a similar object storage thing in there there's a whole lot of other code in there and it's Java it's you know so we'll we'll start off simple this is the Android app you'll note I've highlighted the find function what this does is if you tap it your watch will vibrate so that you can find it and in 10 minutes time when the message actually gets through um so what you do is you go into jadex and you find where this happens in the code this is where like I say you if you've done Java app development at any

point this becomes easy to figure out what's going on if you haven't go buy yet another udemy course and spend five minutes learning it's something about about Android apps so this is on the fragment which is part of the screen that shows up you'll see there's a line that I've highlighted there which is command pool right like I say everything's a queue and it's this get send find me value and Chinese there I think says find the phone or find device or something like that so what you do is you go dig through that so the top is the get set find me value that then passes through to switch protocol switch protocol then builds up

this string of on the string array of bytes so like I say it's really easy to figure out what's going on you can then work backwards from there and you can say well this is the byte string that's been sent to my device the interesting bit there that negative 51 just means you take it and subtract it from 255 256 one of the two and you'll get a value out Java is weird and I think it might just be the decompiling but I noticed this is done all over in this particular app um once you've done that you now need to figure out how it writes it so again you look at this you say well okay we'll go

look at what makes command pool right work all it does is it adds a write command to a command pool and looking at that the sort of gut reaction as well okay so it's a generic ad command command method so what is Right char so you're going to look up what right shires and right Char is a characteristic what that means in the Boe world is that's basically the end point that you're going to write your stuff to it's normally along uuid when you're writing over Bluetooth you need to translate the uuid to an actual handle which is a text value so you go dig through you get your uuid and you put all this together so now

what I have is I have the Stringer bytes that needs to do something and along with that I have where to send it so they will put something together quick this is just some quick code to do all the various manipulations of the bytes because I'm lazy and then it just prints it out as a string if you're curious all the code is available on GitHub so at the bottom there there's a bunch of strings there's a bunch of bytes you push those bytes through so first thing you need to do is find a device on Linux HCI tool Le scan will do it that will find the device you then take that you have to find the

handle for that particular uuid so you can run this child description that brings up all the uuids and then through there you'll wait through until you find the handle like I say you can also just use an RF connect to find it's way easier but yeah meaning we needed more slides so finally you put it all together and you get a command line like this and then well then you run it and this is what happens oh it works now this took me about two months three months to get to this point I know and this this talk is there's a lot of dead ends that aren't showing up this is not you know five minutes of messing

around but cool we're getting somewhere okay some notifications now I'm not gonna walk you through how notifications work I have put up some code that will generate a valid notification strings there's also a blog post that explains all of the stuff in much more detail but basically if you go there you can get the code so what that does will come back with a long string of bytes you pass these bytes because of the way Bluetooth low energy works in this particular case it can only be 20 bytes long so you have to split it into two rights and you send them and then this will happen eventually now trust me I don't have a Serial on my

phone this device wasn't connected to my phone so you can send messages from anyone any number to this device the fun thing is it supports WhatsApp and SMS QQ WeChat Facebook LinkedIn Skype and a whole lot of other protocols that will show up so you can pretend to be anyone and send it your watch a notification anyone knows this anything odd hmm now yes um no Authentication no keys didn't even have to pay with the device yeah so security was clearly an afterthought when they built this thing the system on chip does support AES encryption but no they couldn't be bothered the SDK has examples of only exposing certain things once you paired with the

device yeah that wasn't done either um the only actual security they implemented was that the watch will only connect with one other device but the Bluetooth connection is so terrible that it will probably lose its connection just while you're walking around so if you happen to walk near someone else assuming you're really lucky in your device connects to it you can just send them notifications if it is actually a pretty good strong connection all you have to do is put a human body between the watch and the device so if they have it paired with a cell phone the Bluetooth is terrible enough that it won't go through a person so if you are one of those people who wear a watch on

your left hand but put your cell phone in your right pocket your cell phone and your watch will never communicate while you're just standing around you have to bring them together in some way um it even gets better than that there was a project I can't pronounce I think it's swine tooth we'll just go with that they did a research project where they looked at Bluetooth across a whole lot of devices and it turns out the t-link is in that list so these are the two CVS that are listed I do like the fact that you know or possibly control the devices function by establishing an encryption connection with xero I think the ltk is a long-term

key um the other one is a buffer overflow attack after reading these I suddenly realized why my watch crashes a lot when I was poking at it with random values and when I mean crash I mean lock up dead the only way to get this revive it was rip the battery off and put it back in and this is probably why it the sdks that have these things is all of them and they did release a patch to their SDK but the patch is an additional file it's not a new version of the SDK so you download the SDK and then you have to apply their patch because it's separate I'm pretty sure no one ever

applies that patch so I'm pretty sure that all of these things have similar vulnerabilities I mean this is fine right that's fine okay so now we'll get on to another interesting thing the watch supports OTA upgrades for those of you don't know that's over the air so let's go look at that so back into the Android code go poke around and I found this line Builder dot add header authorization those of you who do anything with the web hopefully will recognize that constant.token could they have oh yes they did there is the bearer token in the code oh and it doesn't expire either so um you can take the bearer token and you can query their API

so let's there's the how the builds the API string I've got all those values so let's plug them all in and run it and you get nothing back now my friend Ross sitting in Frontier he had a poke at this API when I showed in this much much later I should have shown you earlier he poked at the API and he actually managed to get some binary images off of it I so there's work still to be done but like I said it's there but we'll go a little bit further how does OTA upgrade work there's a spot OTA let's go look at that so start OTA sends something to an endpoint hmm okay let's go look cool

and there's a parser. So the parser takes your binary image, breaks it up into a whole lot of blocks, tacks the CRC on the end, tacks the index on the front, and that's it. The send OTA prepare command, no, that just sends a few bytes to an endpoint. There's other commands: so there's start OTA, there's a send end OTA which includes the checksum, and that's about it. So okay, let's do the same as last time: let's go look at our OTA characteristic. So we'll dig through that, we'll get a UUID, we've got the commands, now we know the OTA prepare and we know what the start command is and we know there's an end with a checksum.

So let's try it, what could go wrong? Yeah, so you take gatttool again, because I feel like doing all the backwards working, so you can get a handle for the particular characteristic, and we're going to write the start OTA command to it and see what happens. The device suddenly changes name; it also goes black. So at this point the device is called Telink remote, which isn't LT716 anymore. Okay, that's cool. Yeah, it turns out you can't get out of OTA mode once you're in it. Didn't know that. So this one got added to the pile of bricked watches, and again no authentication, no keys, didn't even have to pay. And it gets worse: no validation checks.

That means that in a room like this (and this is why there's no live demo) if I get the MAC address wrong I can brick a watch just from standing. Yeah, lovely, isn't it? Okay, it's fine. So let's talk about the firmware again. Telink offer a free SDK, very kindly. There's a whole lot of questionable GPL violations in this, but we won't go into those. They also have an IDE based on Eclipse. All of this only runs on Windows. There is a free TC32 compiler based off of GCC, but they've never released the code; but there's a compiler at least. And Raphael has packaged it all together into a Docker image if you don't run

Windows, and to be honest the Docker image is much nicer than trying to fight with the Eclipse. So we know enough about the device and the hardware to write something. It would be easy to toggle a GPIO, for example, a blinking LED. I could start guessing the SPI bus commands to write to the LCD. Problem is that there's no reliable way to upload the firmware to the device, so options for experimentation become very, very limited. So we know we can upload something via OTA update. Why not try uploading an OTA-enabled firmware image? And we can use one of the example apps, and if it works then we have a starting point. So let's do this. So we'll build

this 5136 remote BLE, which is in their SDK. The reason I'm choosing this particular one is because, according to the code, it's got over-the-air updates enabled, and I can switch off all of the stuff. It's for building a BLE remote control, but you can just turn off all the matrix keyboard stuff and things like that. So cool, I'll make a small change to the code just so that I know my code's loaded: we'll just change the name of the device to my name, and we'll build it. It gives us a bin file, and then what I did was I took the parsing code out of the Android app, stuck it in

to a Java app, put all the missing bits and pieces around that, and then made it so that it would spit out gatttool command lines, literally just print to console, copy, paste, stick in a sh file, please. So here we go: we go and get the handle again for OTA updates, we have our script (I've cut it in half because it's 400 and something lines), but this should do an update, right? So we'll run the script and then, yeah, the device vanished. So at this point I'm very, very sure I've bricked the device again. No keys, no firmware checks, no validation, not even proper checksums, oh, no signed firmware updates either. This is all just poking random values at

the device. So at this point I kind of gave up. I have spent three months poking at a device and I have found all kinds of scary things, and I have a bunch of them dead, so I can't program it anymore over Bluetooth. I don't have a working SWS debugger, and I have three working watches left, so obviously I'm not going to constantly try over-the-air updates. But there will be more to come. Like I say, sharing this project with Ross, I found out I got some binary images. What this means is that in theory I can decompile them and poke those. It's not... obviously it's a weird, no-one's-heard-of, proprietary

architecture, so Ghidra doesn't support it, but someone has hacked some support into Ghidra and it does kind of work, so you can at least get disassemblies. You won't get actual code; that part hasn't been finished yet. Which means that in theory I could take the firmware apart and poke at it. The other nice thing is that means that I might be able to patch the firmware. The way the OTA update works, you pass it an index of the bytes that you're uploading, but it also means that you can upload a patch, because you can say only update these few bytes, say bytes 20 to 40, and leave the

rest alone. Which means that if I have a working... if I have a firmware image, I can then patch the binary and put my own features into it, which means that I could make a watch that does something magical when I send it a particular command, or maybe a watch that when it sees another watch it sends its firmware across to that watch, which means that that watch could then send its firmware to another watch, which means that at some point someone's going to come and say, hey listen, why did you go and brick 20 watches? Like I say, there are documents for the SWS protocol and they were leaked at some point. If you go and search on

Google you will find... you can find them. There are open source projects that do talk it, so I could try and fix whatever's broken with that, or I could just give in, spend the money, buy the official programmer. And that's my talk. For those of you wondering or wanting more information on all the things that didn't make it into this talk, that's my website. It's got a blog article that I wrote while doing all this. I'm terribly sorry, it's 6,000 and something words, it's really long, but maybe you'll find something interesting. It's also got links to all the tools and all the code. It's also got all of the other things that I found along the way that might be

interesting. Also, for people wanting information on reverse engineering Bluetooth, if you are interested in that kind of thing: Adafruit has a whole series of blog posts all about reverse engineering Bluetooth. They're really well written, they're really dumbed down, they're perfect for people like me. And yeah, at some point in the future I will, I promise, revive my dead collection of watches. I spent 600 Rand on them, I need to make them do at least something. And that's my talk. If anyone's got any questions, please.

So it's lunch time, so what I would suggest is finding him downstairs rather, because we have to be back here at one. Yes? No? No, I'm not getting between hackers and food, please go find your lunch.
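A simulated OTA receiver, added here as an illustration of the design problem the talk describes and not code from the talk, the speaker or Telink. It models the framing the speaker found in the app-side parser (block index on the front, CRC on the end) in a receiver with no authentication, next to a hardened receiver that enters OTA mode only on an authenticated manifest, bounds-checks the block index, and writes nothing to flash until the complete image verifies. The block size, the CRC variant, the manifest layout, the class and function names and the HMAC device key are all constructed assumptions, not the watch's real protocol.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # payload bytes per OTA block (constructed value, not the watch's real block size)

def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE; stands in for whatever CRC the real app-side parser appends."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def split_image(image: bytes) -> list:
    """App-side framing as described in the talk: block index in front, CRC on the end."""
    frames = []
    for idx, off in enumerate(range(0, len(image), BLOCK)):
        body = struct.pack("<H", idx) + image[off:off + BLOCK].ljust(BLOCK, b"\xff")
        frames.append(body + struct.pack("<H", crc16(body)))
    return frames

class NaiveReceiver:
    """What the watch does: anyone can start OTA, every block is written straight to
    flash, and the only check is a CRC (integrity against bit errors, not authenticity)."""

    def __init__(self, flash: bytearray):
        self.flash = flash
        self.in_ota = False

    def start(self) -> bool:
        self.in_ota = True  # no credential, and nothing ever returns the device to normal mode
        return True

    def block(self, frame: bytes) -> bool:
        if not self.in_ota:
            return False
        body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
        if crc16(body) != crc:
            return False
        idx = struct.unpack("<H", body[:2])[0]
        # no bounds check and no staging: a lone block at any index lands in flash immediately
        self.flash[idx * BLOCK:(idx + 1) * BLOCK] = body[2:]
        return True

def make_manifest(image: bytes, key: bytes) -> tuple:
    """Vendor side (constructed): manifest = length || SHA-256(image), tagged with the device key."""
    manifest = struct.pack("<I", len(image)) + hashlib.sha256(image).digest()
    return manifest, hmac.new(key, manifest, hashlib.sha256).digest()

class HardenedReceiver:
    """Same wire framing, but OTA starts only on an authenticated manifest, blocks go to a
    bounded staging buffer, and flash is written only once the whole image matches the manifest."""

    def __init__(self, flash: bytearray, device_key: bytes):
        self.flash, self.key = flash, device_key
        self.staging = None

    def start(self, manifest: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.key, manifest, hashlib.sha256).digest()
        if len(manifest) != 36 or not hmac.compare_digest(expected, tag):
            return False  # unauthenticated start is ignored; the device stays in normal mode
        self.length = struct.unpack("<I", manifest[:4])[0]
        if self.length > len(self.flash):
            return False
        self.digest = manifest[4:]
        self.staging = bytearray(len(self.flash))
        self.seen = set()
        return True

    def block(self, frame: bytes) -> bool:
        if self.staging is None or len(frame) != BLOCK + 4:
            return False
        body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
        if crc16(body) != crc:
            return False
        idx = struct.unpack("<H", body[:2])[0]
        if (idx + 1) * BLOCK > len(self.staging):
            return False  # out-of-range index is rejected instead of overrunning the buffer
        self.staging[idx * BLOCK:(idx + 1) * BLOCK] = body[2:]
        self.seen.add(idx)
        return True

    def end(self) -> bool:
        if self.staging is None:
            return False
        needed = set(range((self.length + BLOCK - 1) // BLOCK))
        image = bytes(self.staging[:self.length])
        ok = self.seen == needed and hashlib.sha256(image).digest() == self.digest
        if ok:
            self.flash[:self.length] = image  # commit a complete, verified image only
        self.staging = None  # leave OTA mode either way; no permanently stuck state
        return ok
```

The HMAC tag is a stand-in so the example runs on the standard library alone; in a product the device would hold only a public key and check an asymmetric signature (Ed25519, say) over the manifest, so that pulling the firmware off one watch yields nothing that can sign updates for the rest. The staging buffer is what closes the partial-patch path the speaker mentions (only bytes 20 to 40 updated): the hardened receiver insists on seeing every block and matching the whole-image digest before anything reaches flash, and it drops back to normal mode on failure instead of staying in OTA mode.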