U8 Smartwatch Hacking 101

14-1-2016

Whoops, you're so fast, I haven't finished my page yet, but hey, here are some of my notes already.
But I also have some files collected from various forums. Hope you like some of them, they're over at Mega,
it's over 500MB already: some random firmwares, tools, and an SDK (dunno if that works): https://mega.nz/#F!wNIRQLoA!451_fegqNOpbFYvT4hhTGw

2017 update: not much done yet beyond what is posted here, but the Mega link is fixed now ;)

Opensource?

It has come to my attention that "Bunnie" Huang (original Xbox hacker, maker of the Novena) has some projects around the MediaTek MT6260 used in some watches.
His 31C3 talk was about Fernly/Fernvale, an attempt to make an open-source platform for the (nominally) closed-source MT6260 SoC:
http://www.kosagi.com/w/index.php?title=Fernvale_Main_Page
Very interesting and I'm taking a look at it. https://events.ccc.de/congress/2014/Fahrplan/events/6156.html
There is a forum as well, and I registered there. Maybe I'll stick there for a while: http://www.kosagi.com/forums/viewtopic.php?id=82

Contents of this page:
Firmware tips and tricks
     Firmware backup
     Firmware update
     Firmware "hack"
"Hidden" watch codes
My personal notes, for your reading pleasure
Some of my sources

Firmware tips and tricks

Let's divide these tips and tricks into 3 major parts, and hope we all have some basic computer knowledge.

Backup your watch firmware


Get the SP_Flash Tool package from somewhere; it will have a Flash_tool.exe program
Run Flash_tool.exe
Open the "Read Back" tab

Click on the address line 2x
- save as -
give the name of the dump (ROM_0 or ROM_DB for example)
and then specify the length 0x00400000 (some examples say 0x0100000 would be the FULL ROM)

Press OK
Make sure your watch is OFF
Connect the cable to the computer
Wait for charging to start
Click READ in the flash program on the PC
Immediately reconnect so the PC sees the VCOM USB device (instead of the storage device)
It should now read the firmware dump.


This whole time, the watch is OFF: not standby, OFF. You can check this: when you connect it to your PC, it shows the battery charging full screen and your computer may tell you it detected new hardware.
Some people advise waiting 2 seconds after pressing Read in the program before connecting your watch. The DB file is 4Mb.
++

update your watch firmware


Hack your watch firmware


source: http://forum.xda-developers.com/showthread.php?p=59204629#post59204629
http://4pda.ru/forum/index.php?showtopic=572608&st=760#entry35668955

"hidden" codes


All codes should be entered in the phone dial app on the watch.
Some should be typed without Bluetooth connected, but when I tried, none worked.
So when I am connected, some worked, or displayed an error. So please try at your own risk and hope they help you.

This is based on a post on the XDA forum: forum.xda-developers.com showpost 61786701 post 160

Notes

SH08_MB_V2.0 on the board under the speaker and MEDIATEK ARM MT 6260DA chip.

I have :
MT6261DA ???_v?.? 201?.??.??
FT52350 (Others: FT6236GMA)

No flash, someone has a " Winbond W25Q32BV" :P

MT6261MA costs 5 euro
MT6261DA costs 3.5 euro
The MediaTek MT6261MA is a baseband processor found in the Lenovo X2-T0.

M28 MT6260 Firmware V009

-----------------------------------
The watch uses Nucleus RTOS. It has a NOR flash of size 0x00400000 (4MB/32Mb).
If you go into engineering mode on your watch it will tell you that it has MRE.
MRE stands for MAUI Runtime Environment.
MTK itself offers an MRE app development SDK.
The apps are written in C.
http://developer.mediatek.com/mre/en
https://web.archive.org/web/20150630....mediatek.com/

Bootloader

-------------
\components\src\bl_Secure_v5.c
\components\src\SSS_secure_shared_v5.c
hal\system\bootloader\src\pmic_adpt_bl.c
hal\system\bootloader\src\bl_Main.c
hal\system\bootloader\src\bl_FTL.c

Firmware

--------------
SF_BOOT
(bootloader again?)
~~~ Welcome to MTK Bootloader %s (since 2005) ~~~
**===================================================**
Bootloader dead end(%d,%d)
starts at 0x50000 M28KHRFN1_PCB01_gsm_MT6260_S00.M28_KHR_FN1_V009.bin
MTK_ROMINFO_v09.M28KHRFN1_PCB01_GSM_MT6260_S00.M28_KHR_FN1_V009.BIN
M28_KHR.FN1.V009

hal\system\emi\src\emi.c
Supported Boot mode: ALL....Boot mode: ..o.ðFUE.FACTORY.NORMAL..USB.UNKNOWN
sss\components\src\SSS_secure_shared_common.c
ddload.c

RunboX5-W (Connected)
BT WATCH
FAT545~1LOG
FileSys ......€.T.ø..........T...€.)..{ENO NAME FAT12
FOCAL...FT5206..UNKNOWN
MEDIATEK FLASH DISK
ISO8859-1
ISO8859-1
OVIPHONE60M_11B_gsm.11BW1308MP
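
An added example, not part of the original notes or of any tool mentioned here: a small Python check for a ROM_0 read-back, using the 0x00400000 length from the backup steps and the strings listed in the Firmware notes above. The sample image and its offsets are constructed, and that every watch image contains these strings is an assumption.

```python
import hashlib
import sys
from pathlib import Path

EXPECTED_SIZE = 0x00400000  # read-back length from the backup steps (4 MB)
# Strings the notes above list from a dump. Assumption: a good image of this
# watch family contains them; a miss is reported as a problem to look into.
MARKERS = (b"SF_BOOT", b"Welcome to MTK Bootloader", b"MTK_ROMINFO_v")


def check_dump(data, expected_size=EXPECTED_SIZE):
    """Sanity-check a read-back image held in memory and return a report."""
    problems = []
    if len(data) != expected_size:
        problems.append("size 0x%08X, expected 0x%08X" % (len(data), expected_size))
    # A read that never reached the flash tends to be one byte repeated.
    if data and data.count(data[:1]) == len(data):
        problems.append("image is a single repeated byte 0x%02X" % data[0])
    offsets = {m.decode(): data.find(m) for m in MARKERS}
    for name, off in offsets.items():
        if off < 0:
            problems.append("marker %r not found" % name)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # compare two reads with this
        "erased_ratio": data.count(b"\xff") / len(data) if data else 0.0,
        "markers": offsets,
        "problems": problems,
    }


def make_sample():
    """Constructed stand-in for ROM_0; the offsets are made up for the demo."""
    img = bytearray(b"\xff" * EXPECTED_SIZE)
    for off, text in ((0x0, b"SF_BOOT"), (0x1000, b"Welcome to MTK Bootloader"),
                      (0x50000, b"MTK_ROMINFO_v09")):
        img[off:off + len(text)] = text
    return bytes(img)


if __name__ == "__main__":
    # python check_dump.py ROM_0   (no argument: use the constructed sample)
    image = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else make_sample()
    report = check_dump(image)
    for key in ("sha256", "erased_ratio", "markers"):
        print(key, "=", report[key])
    for p in report["problems"]:
        print("PROBLEM:", p)
```

Reading the watch twice and comparing the two sha256 values is a cheap way to catch a read that was silently corrupted before you flash anything else.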

Flashing:

+++++++++++++++++++++++++++++++++++++++++++++++++++++
Install the driver: MTKUSBdriver_v1.0948.0.zip (attached file, 222.97 KB)
Run Flash_tool.exe (attached file FlashTool_v5.1308.00.zip, 6.92 MB). On the Read Back tab, click on the address line 2x - save as - give the name of the dump, and then specify the length 0x00400000.
With the watch switched off, connect the cable to the computer, wait for charging to start and click Read Back in the program on the PC. Immediately reconnect so that the USB device is seen, and the firmware dump should be read.
The DB file is 4Mb.
++
source: http://forum.xda-developers.com/showthread.php?p=59204629#post59204629
http://4pda.ru/forum/index.php?showtopic=572608&st=760#entry35668955

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Tools:

fw_splitter
Put ROM_0 image in a folder with the utility and run run.bat.
You can get more info about this device and some ROMs on the Russian forum 4pda.ru/forum/index.php?showtopic=572608&st=3360

Backup a ROM:
Please be careful. Here's how to back up the firmware of the Chinese-clone U8 SmartWatch through SP Flash Tool:

1. Tab - "ReadBack"
2. ADD
3. Double-click N/A
4. Save as ROM_0
5. Length: (manually enter) 0x00400000
6. Click the ReadBack button
7. Connect the switched-off watch

Finally, zip the saved file and upload it here.
Thanks


(Use fw_splitter to rebuild the whole firmware again from your ROM_0 backup)
-------------------------------


MTKUSBdriver_v1.0948.0.zip
FlashTool_v5.1308.00.zip
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=

MT6261MH.zip

----------------------------
[Version]
BaseBand chip version=MT6261
ECO version=
DSP firmware version=2000.00.00
DSP patch version=1.0
Software version=MAUI.11C.W13.52.MP.V5
Hardware version=EIDOLON61D_BT_11C_HW
Melody version=Unknown
----------------------------

SDK

=+++==================================================
Operating Systems:
Windows XP
Windows Vista

Compilers:
ARM Developer Suite V1.2 (ADS 1.2)
RealView Development Suite V3.1 (RVDS 3.1)
GCC

C/C++ Development Tools:
Microsoft Visual Studio 2008 Express Edition
Microsoft Visual Studio 2008 Professional Edition