Hacking Smart Bracelet Wristband

I saw in a local store that there was a cheap Smart Bracelet with BTLE for sale.

So I decided to do some research on it.

It was an iDo 003, and after reading some articles online I found one that looked cool to try.

http://forum.espruino.com/conversations/280747/

I have lots of ideas for what I could do with it if I manage to hack it.

I carefully read the comments and found out that there was no backup of the flash, so I decided to give it a try and get a backup.

I bought it and the struggle began.

On eBay I ordered a Mini ST-Link V2 STLink emulator/downloader.

The programmer had not arrived yet and the bracelet was ready for hacking, so I decided to try a Raspberry Pi as the programmer.

I followed this guide to set up the Raspberry Pi as an SWD programmer.

https://learn.adafruit.com/programming-microcontrollers-using-openocd-on-raspberry-pi/compiling-openocd

My colleague Dobrica told me that it is probably protected and that I would need to apply a patch to OpenOCD.

https://devzone.nordicsemi.com/question/78890/programming-nrf52-with-openocd/

I had some problems compiling it but managed to get it working after a while.

At first I tried the programmer with an STM32

and that worked.

I tried to read and write firmware, and that worked too.

After the tests I connected the bracelet and tried to read its firmware,

but no luck: the firmware dump was filled with all zeros (0000000000).

So it was true, protection was enabled. But that was not the end; I decided to dig a bit deeper, and after a bit of research I found a great article about a security flaw in this chip, so I decided to try that.

http://blog.includesecurity.com/2015/11/NordicSemi-ARM-SoC-Firmware-dumping-technique.html

At the bottom of the page there is a Ruby script, which I ran for a couple of minutes (about 30) and then interrupted to check the hex dump.

That looked like a firmware dump, but it was so slow that I decided to leave it running overnight to do the job.

In the morning I found that the script had failed with some message, and OpenOCD could not connect to the target.

I tried removing the battery and powering the device from the Raspberry Pi, but nothing helped; I only got this message:

Error: Could not initialize the debug port

And the bracelet is not powering up :)

Now I have a bit of firmware, a bit of a really nice firmware dump (if it is a real one :)), a bit of experience with hardware hacking, and lots of fun …
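Whether a dump is a real image or just what a locked part hands back (like the all-zeros read earlier) can be checked offline. The script below is an added example for this post, not code from the post or from the linked articles: it classifies a dump file as a uniform 0x00 fill, a uniform 0xFF (erased) fill, a plausible Cortex-M image, or unstructured data, judging the image case by the initial stack pointer and reset vector in the first eight bytes and reporting byte entropy alongside. The memory-map constants are assumptions for a Nordic nRF51-class part (the post does not name the chip); adjust them for other targets.

```python
"""Sanity-check a flash dump read over SWD/OpenOCD.

Added example for this post, not code from the post or the linked articles.
Memory-map constants are assumptions for a Nordic nRF51-class Cortex-M0 part
(the chip is not named on the page); adjust them for other targets.
"""
import math
import struct
import sys

# Assumed memory map (nRF51-class Cortex-M0): 256 KiB flash at 0, 32 KiB RAM.
FLASH_BASE = 0x00000000
FLASH_SIZE = 256 * 1024
RAM_BASE = 0x20000000
RAM_SIZE = 32 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a uniform fill, 8.0 for perfectly spread bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def fill_byte(data: bytes):
    """Return the byte value if the whole dump is one repeated byte, else None."""
    if data and len(set(data)) == 1:
        return data[0]
    return None


def vector_table_plausible(data: bytes) -> bool:
    """Check the first two Cortex-M vector-table words: initial SP and reset handler.

    A real image has SP pointing into RAM (word aligned) and a reset vector with
    the Thumb bit set whose address lands inside flash.
    """
    if len(data) < 8:
        return False
    sp, reset = struct.unpack_from("<II", data, 0)
    sp_ok = RAM_BASE < sp <= RAM_BASE + RAM_SIZE and sp % 4 == 0
    reset_ok = (reset & 1) == 1 and FLASH_BASE <= (reset & ~1) < FLASH_BASE + FLASH_SIZE
    return sp_ok and reset_ok


def classify_dump(data: bytes) -> dict:
    """Summarise a dump: verdict string plus size, entropy and vector-table result."""
    fb = fill_byte(data)
    if fb is not None:
        verdict = f"uniform-fill-0x{fb:02x}"   # 0x00: typical of a protected read
    elif vector_table_plausible(data):
        verdict = "plausible-cortex-m-image"
    else:
        verdict = "unstructured-data"
    return {
        "verdict": verdict,
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "vector_table_ok": vector_table_plausible(data),
    }


# Constructed samples (not from the post): a zero dump like the protected read,
# and a fake image with a sane vector table followed by filler bytes.
ZERO_DUMP = b"\x00" * 1024
SAMPLE_IMAGE = struct.pack("<II", RAM_BASE + 0x4000, 0x000002C1) + bytes(range(256)) * 3


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_dump.py firmware.bin
        with open(sys.argv[1], "rb") as f:
            print(classify_dump(f.read()))
    else:
        for name, blob in (("zero dump", ZERO_DUMP), ("sample image", SAMPLE_IMAGE)):
            print(name, classify_dump(blob))
```

Run it on the file OpenOCD wrote; a "uniform-fill-0x00" verdict means the target never handed out real flash contents, so there is nothing worth keeping as a backup, while "plausible-cortex-m-image" with entropy in the mid single digits is what a genuine dump usually looks like.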
