Wednesday, 14 March 2018

Hacking through my brandless Chinese Smartwatch

Recently, my cousin gave me a smartwatch he had got from a friend who went to China (to order smartwatches for their company's staff) and brought back a few samples from the manufacturer.
So I got one of those sample smartwatches (which doesn't even have a brand name on it).

As usual, my hobby of hacking things kicked in and I thought of looking into what could be modified in it. It seemed to have an Android Wear-like firmware (maybe a minimalistic one).

I thought of starting by accessing it via ADB (as with Android phones), but it didn't have that feature. I connected the smartwatch to the computer via USB. It showed me two modes: Mass Storage Mode & COM Port. (ADB didn't work in either of those modes; lol, yes, it's obvious.)

Since it exposed a COM port, I realized serial communication with the SoC was possible (that virtual COM port is what the MTK flash tools talk to the chip's boot ROM over), and started thinking about where to begin, or at least how to find out a few details about the smartwatch.

Then I thought: what if there are secret codes that reveal information, just like on mobile phones?

So I opened up the dialer and entered the standard secret code to show the IMEI: *#06#
And kaboom! It worked. So I googled "Chinese Smartwatch secret codes" and came across this page:
LIST OF DZ09 SMARTWATCH SECRET CODES

I saw a few secret codes there.
Initially, I tried: *#00000000#

It returned four options: Game Center, SSC Info, QQ and WeChat.

I clicked 'SSC Info', and it returned the following details:


MTK Soft Ver:0x1303
MTK HW Ver:Unknown
Ver:0x74
UsrId:0
Os:MTK60D
OsVern:
Model:QW_MJW_M10_MB_V
Company:F066
Width:0,Height:0
MaxRam:645120
Kbd:0
TouchScreen:1
Cap:0x40010
Macro:
FAE: liujun
Build Date: 20180108
Build Time: 2018/01/08 21:03


From this information, I thought I could search for something like "MTK60D FAE: liujun" to find out about the smartwatch or related devices.

It took me to this link: DZ09 Smartwatch - XDA Forums

I saw a smartwatch there, similar to mine (but not the same).
It seems that there are MTK-based Chinese smartwatches (as of the time of writing) which are clones of a smartwatch called the DZ09, and the clones might be using the MediaTek MT6261DA processor.

(Also, though the boot logo of the smartwatch reads 'Android', it does not run Android at all; it seems to run MediaTek's feature-phone firmware on top of Nucleus RTOS, the Mentor Graphics real-time kernel, not a Linux-based OS ;) )

Someone there had suggested trying another secret code to get more details about the smartwatch: *#8375#
I tried it and it returned:


[VERSION]
QW_MJW_M10_MB_V2.1_COB_CST016SE_GMSA_A1_EU_IPS_20180108
[BRANCH]: 11CW1352MP GPLUS61A_11C_NX9
BUILD: BUILD_NO
SERIAL#:
[BUILD TIME] 2018/01/08 21:03
[MRE VERSION] 3100
HAL_VERNO: 


Then I decided to flash firmwares from my computer onto the smartwatch. So I had to take a backup of the current FW first. There was also a thread which helps with backing up the firmware:
Universal ReadBack Extractor for MTK feature watchphones

It uses the well-known MediaTek SP Flash Tool to read the flash back into a file; the scatter file you load tells the tool the ROM's partition layout (start addresses and sizes). I followed the instructions there, and had to choose an appropriate scatter_config. The thread linked a collection of firmwares; from those I had to pick one more or less at random and try them one by one to see whose layout matched my device. I chose a FW for a device running the 6261D, named '-XDA DZ09 mtk6261 from AerogamingHD.rar' (just a random try), loaded the scatter_config from that FW into the tool and generated the readback file from the NOR flash. (A quick sanity check on a readback is its size: it should be the full flash size, 4 MiB on this watch; a file of a different size means the address range in the scatter did not match the device.)
Using that readback file, I was able to dump the entire firmware of my device with another tool from the same thread.

Now that I have a backup of my stock FW, I can try other firmwares from similar devices too; even if I brick it or something goes wrong, I can flash it back 😀
(It reminds me of my days years ago (probably 8 years ago, well before Android became famous), flashing Symbian CFWs on my Nokia 5230 S60v5 and bricking it over and over xD )

I'll try out new firmwares on the smartwatch and update this post with the experience soon.

Edit:
Found another secret code to enter Engineering mode: *#993646633#
But it doesn't seem to provide many options. 😭

Also, it seems the 4 MiB flash ROM has its partitions in some compressed format. I thought it could be squashfs and checked, but it's not :( It uses some proprietary compression algorithm.
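To put some numbers behind that guess, here is an added example (my own code, not the post's or any MTK tool's) that walks a dump in 4 KiB windows, reports Shannon entropy per window, merges neighbouring windows into "packed", "plain" and "blank" runs, and searches for the SquashFS superblock magic the post checked for. The window size, the 7.0 bits/byte threshold and the in-line sample dump are constructed assumptions. Note the limit: high entropy says only that the bytes are not plain code or tables; it cannot tell compression from encryption, which is why ruling out a known format still needs its magic.

```python
"""Per-window entropy map of a flash dump, plus a SquashFS magic check.

Added example for this post, not code from the post's author or from any
tool.  Assumptions: 4 KiB windows and a 7.0 bits/byte threshold are my
own choices, and SAMPLE_DUMP is constructed in-line, not a real readback.
"""
from __future__ import annotations

import math
import random
from collections import Counter

# SquashFS superblock magic, little-endian ('hsqs') and big-endian ('sqsh').
SQUASHFS_MAGICS = (b"hsqs", b"sqsh")


def shannon_entropy(window: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniform random."""
    n = len(window)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(window).values())


def entropy_map(blob: bytes, window: int = 4096) -> list[tuple[int, float]]:
    """(offset, entropy) for each consecutive window of the blob."""
    return [(off, shannon_entropy(blob[off:off + window]))
            for off in range(0, len(blob), window)]


def classify_regions(blob: bytes, window: int = 4096,
                     threshold: float = 7.0) -> list[tuple[int, int, str]]:
    """Merge neighbouring windows into (start, end, kind) runs.

    kind is 'blank' (every byte 0x00 or 0xFF: erased NOR flash reads 0xFF),
    'packed' (entropy >= threshold: compressed *or* encrypted; entropy alone
    cannot tell the two apart) or 'plain' (code, tables, strings, bitmaps).
    """
    runs: list[tuple[int, int, str]] = []
    for off, h in entropy_map(blob, window):
        chunk = blob[off:off + window]
        if len(set(chunk)) == 1 and chunk[0] in (0x00, 0xFF):
            kind = "blank"
        elif h >= threshold:
            kind = "packed"
        else:
            kind = "plain"
        if runs and runs[-1][2] == kind:
            runs[-1] = (runs[-1][0], off + len(chunk), kind)
        else:
            runs.append((off, off + len(chunk), kind))
    return runs


def find_squashfs(blob: bytes) -> list[int]:
    """Offsets of every SquashFS superblock magic in the blob."""
    hits = []
    for magic in SQUASHFS_MAGICS:
        start = 0
        while (i := blob.find(magic, start)) != -1:
            hits.append(i)
            start = i + 1
    return sorted(hits)


# Constructed dump: one window of string-table-like text (low entropy),
# two windows of seeded pseudo-random bytes standing in for a compressed
# partition, and one window of erased flash.
_TEXT = b"MTK60D FAE: liujun Build Date: 20180108 Model:QW_MJW_M10_MB_V "
_RNG = random.Random(0x6261)
SAMPLE_DUMP = (
    (_TEXT * (4096 // len(_TEXT) + 1))[:4096]
    + bytes(_RNG.getrandbits(8) for _ in range(8192))
    + b"\xff" * 4096
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for start, end, kind in classify_regions(blob):
        print(f"{start:#010x}-{end:#010x} {kind}")
    print("squashfs magic at:", find_squashfs(blob) or "none")
```

Run it with the path to a readback as the first argument to get a region map of the real 4 MiB dump; with no argument it runs on the constructed sample. On a real MTK ROM the "plain" runs are where strings and bitmaps live and the "packed" runs are the candidates for a proprietary compressor.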

I also found many other secret codes in the ROM file I dumped (by looking through it in a hex editor), as suggested in the article above.
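Rather than scrolling through 4 MiB in a hex editor, the search for dialer codes (and for the build string that *#8375# prints) can be scripted. The example below is added here and is not the post's or any MTK tool's code. It assumes that codes are stored either as plain ASCII or as UTF-16LE (the UCS-2 form MTK feature-phone firmware commonly uses for UI strings), that the build string is stored as plain ASCII, and it runs on a small constructed dump rather than a real readback. The hardware-token comparison at the end is the check I would run before flashing a foreign ROM: the tokens of the stock build string that a candidate lacks (for example IPS) are the first suspects for the display problems described in Edit 2 below.

```python
"""Scan an MTK feature-phone flash dump for dialer secret codes and
build-version strings.

Added example for this post, not code from the post's author or from any
MTK tool.  Assumptions: codes appear as plain ASCII or as UTF-16LE
(UCS-2) strings, the build string appears as plain ASCII, and the
SAMPLE_DUMP below is constructed, not a real readback.
"""
from __future__ import annotations

import re

# The shapes of the codes the post typed by hand (*#06#, *#8375#, ...):
# '*#', 1..12 digits, terminated by '#' or '*'.
_CODE_ASCII = re.compile(rb"\*#[0-9]{1,12}[#*]")
# Same shape in UTF-16LE: each character is followed by a NUL byte.
_CODE_UTF16 = re.compile(rb"\*\x00#\x00(?:[0-9]\x00){1,12}[#*]\x00")
# MTK build strings: uppercase/digit tokens joined by '_', ending in a date,
# e.g. QW_MJW_M10_MB_V2.1_COB_CST016SE_GMSA_A1_EU_IPS_20180108.
_VERSION = re.compile(rb"[A-Z0-9][A-Z0-9_.]{8,120}_(?:19|20)[0-9]{6}")


def find_secret_codes(blob: bytes) -> list[tuple[int, str, str]]:
    """(offset, encoding, code) for every dialer-code-shaped string, sorted
    by offset.  Offsets matter: they show which part of the ROM the table
    lives in, and a code that appears only in UTF-16LE is more likely a
    menu label than a keypad trigger."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in _CODE_ASCII.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
             for m in _CODE_UTF16.finditer(blob)]
    return sorted(hits)


def find_version_strings(blob: bytes) -> list[tuple[int, str]]:
    """(offset, string) for every build-version-shaped ASCII string."""
    return [(m.start(), m.group().decode("ascii"))
            for m in _VERSION.finditer(blob)]


def hardware_tokens(version: str) -> set[str]:
    """Tokens of a build string that describe the board/panel rather than
    the version number or date; for the stock string above that is
    {'QW','MJW','M10','MB','COB','CST016SE','GMSA','A1','EU','IPS'}."""
    tokens = version.split("_")[:-1]          # drop the trailing date
    return {t for t in tokens if not re.fullmatch(r"V[0-9.]+", t)}


def missing_hardware_tokens(stock: str, candidate: str) -> set[str]:
    """Hardware tokens of the stock build that a candidate ROM lacks.  A
    non-empty result (e.g. {'IPS'}) is a reason not to flash it."""
    return hardware_tokens(stock) - hardware_tokens(candidate)


# Constructed stand-in for a readback: a few codes in both encodings and
# the stock build string, padded with erased-flash 0xFF and zero bytes.
STOCK_VERSION = "QW_MJW_M10_MB_V2.1_COB_CST016SE_GMSA_A1_EU_IPS_20180108"
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"*#06#\x00"
    + b"\xff" * 8
    + "*#8375#".encode("utf-16le") + b"\x00\x00"
    + STOCK_VERSION.encode("ascii") + b"\x00"
    + b"*#993646633#\x00"
    + b"\xff" * 5
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for off, enc, code in find_secret_codes(blob):
        print(f"{off:#010x} {enc:8} {code}")
    for off, ver in find_version_strings(blob):
        print(f"{off:#010x} version  {ver}")
```

Pass the path of a readback as the first argument to scan a real dump. A code that the scan finds but the dialer rejects is still useful: it narrows down which string table the dialer actually consults, and hence where in the ROM the engineering menus are wired up.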

Edit 2:
I flashed multiple firmwares on it; none of them worked completely.
The touch screen did not work with most FWs. It worked with a few FWs, but the screen was inverted and so were the colors.

I've asked an experienced guy how these things work, and I'm waiting for a reply.

15 comments:

  1. You should only try firmwares that state "IPS" in the ROM name / ROM signature. I can confirm it's an MTK6261D ROM, and it seems to be built for an IPS screen. To extract images and sounds you can use this software (Google "mtk_6261D_reader-writter"); watch a YouTube video on how to use it.
  2. Thanks Rudiger :)
    I tried searching for the tool you mentioned, 'mtk_6261D_reader-writer.jar', but I can't seem to find it anywhere. All I can see is people talking about it, nowhere the links.

    I can't search 4PDA because it's in Russian, and even if I manage to find it, I'm unable to download. I'm not able to register on 4pda.ru since even the captcha is in Russian.

    And thanks for pointing me to try firmwares for IPS. I didn't know 'IPS' in the ROM name means an IPS screen. Will try them :)
  3. Hi,

    1. No, most of the firmwares I tried didn't work completely. Some important things were missing, like touch not working, inverted display, inverted colors, etc.

    2. Yes, I was able to restore that stock firmware dump. In fact, every time I tried a different firmware from another device, I used that backup to get my watch back to a working state. The restore can be done with the same flash tool that was used to dump the readback file.
  4. https://forum.xda-developers.com/attachment.php?attachmentid=4202752&d=1499294298

    The Java tool to extract images etc. from your firmware...
  5. Wow, seems cool.
    But I'm not sure how far it's applicable to the MT6261D.
    I'll have to experiment with things and find out :)

    Thanks for sharing, mate. Let me know if you do something interesting based on that ;)
  6. Hello
    Gokul NC, do you have your watch backup? I have the same problem, and a bad backup.
    Thanks

    Replies
    1. Check my attachment at the bottom of this link:
      https://forum.xda-developers.com/showpost.php?s=1a8a029e8e44cd3404fe0628dca07a30&p=75897698&postcount=523
  7. Friend Goku Nc, do you still have the ROM you backed up? I need it, please help me
  8. How can I solve the SIM card emergency issue on my A1 smart watch?
  9. Hi friend, do you have the mtk60d firmware yet? I have a problem and I would like you to help me, please.
  10. Is there a way / possibility to have the display ALWAYS ON, and not only for a specific time, for example 15 sec, 30 sec, 1 min, etc.? Thank you!
  12. This is a wonderful post. I gained a great deal of knowledge here.
    Thanks for sharing
    smart watch tunisie