Safety researchers have efficiently extracted firmware from a funds smartwatch by bringing again a 20-year-old assault technique initially used to steal information from community gadgets.
The approach, often known as “Blinkenlights,” was tailored to work with trendy TFT screens as an alternative of conventional LED indicators.
Quarkslab analysts bought an affordable smartwatch for roughly €12 from a neighborhood retailer and found it contained faux well being sensors that would not measure blood strain or observe sleep exercise.
The system used a JieLi AC6958C6 system-on-chip and communicated over Bluetooth Low Vitality, which initially appeared like a promising avenue for firmware extraction.
After analyzing the smartwatch, researchers recognized a dial parser vulnerability that did not correctly test offset boundaries.
This safety flaw allowed them to use an out-of-bounds learn situation, forcing the system to show arbitrary reminiscence content material instantly on the display.
Quarkslab analysts famous this weak point after reverse-engineering the customized dial add course of and discovering that the firmware parser didn’t validate picture offsets pointing exterior the dial’s binary information.
Smartwatch’s major system-on-chip (Supply – Quarkslab)
The researchers tried a number of extraction strategies earlier than deciding on the Blinkenlights strategy.
They first explored JieLi’s over-the-air replace characteristic however discovered it solely supported firmware uploads, not downloads.
The authentication mechanism used Bluetooth’s E1 legacy operate with hardcoded values, which researchers efficiently replicated. Nevertheless, this path proved unsuccessful for firmware extraction.
Fashionable Blinkenlights Implementation
The staff developed a customized {hardware} setup utilizing a Raspberry Pi Pico overclocked to 200 MHz to seize information despatched from the smartwatch‘s major SoC to the NV3030B display controller.
The display used a 25 MHz clock to transmit pixel information in RGB565 format, requiring high-speed sampling to seize the knowledge precisely.
Researchers soldered 0.1mm diameter wires to the display connector and used the Pico’s Programmable Enter/Output (PIO) characteristic to pattern information bits on rising clock edges.
Bluetooth’s legacy authentication mechanism based mostly on E1 (Supply – Quarkslab)
The PIO program was designed with solely two directions to keep up effectivity on the excessive sampling charge.
The captured information was saved within the Pico’s 145,000-byte buffer earlier than being transmitted to a number laptop through USB serial port.
To set off the firmware dump, researchers crafted malicious customized dials with manipulated offset values that precipitated the smartwatch to learn and show reminiscence contents past the dial’s supposed information area.
The extraction course of concerned producing a number of customized dials, every concentrating on completely different reminiscence addresses.
A particular header containing synchronization phrases (0xa5a5a5a5) and magic bytes (0xdeadbeef) was embedded in every dial to determine captured information blocks and confirm alignment.
Python scripts have been developed to automate dial era, information assortment, and firmware reconstruction from particular person reminiscence slices.
This analysis exhibits how outdated assault strategies stay efficient towards trendy embedded gadgets when mixed with inventive exploitation strategies.
A budget {hardware} strategy, costing virtually nothing past a Raspberry Pi Pico, proved extra sensible than costly logic analyzers for this particular utility.
Observe us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates, Set CSN as a Most popular Supply in Google.
