Espruino on your watch!

@Gordon How did this end up? I'm thinking of buying one:

http://www.ebay.com/itm/Health-Wristband­-Sport-Fitness-Tracker-Sleep-Monitor-Blu­etooth-Band-Smart-Watch-/371953861653?

anything I should know before flashing it? :)

Well, it works, but it hasn't had enough work put into it to be super useful. There's a branch in GitHub where I built the OLED driver into C code which should free up some more space for JS, but it's untested.

However I don't think the watch you posted is the right one - if you look at the first few posts you'll see the watch I had has the display smaller and running in the opposite direction.

If it's an nRF51-based watch then I'm sure you could get it going, but you'd have to follow the pretty arduous route I took of trying to trace out exactly which pin goes where for the display.

What'd be amazing i if someone could find an nRF52-based watch. I'm not sure if they exist, but if they do they'd have bags more RAM and flash available for useful/fun stuff.

Ok thanks for that tip! Rereading the thread, I see that you ordered a watch that was originally probably made by these guys:

https://ido-smart.en.alibaba.com/

I'll do some research.

Speaking of an nRF52 based watch -- I noticed there was alot of interest in a wearable Espruino in this thread-- maybe an opportunity for you after puck.js? ;)

hfc

Yes, I think that's them. The model was the DO003 - looking on alibaba there are still loads for sale.

@MaBe has actually done a great watch-mountable case for Puck.js: https://www.thingiverse.com/thing:209557­2

With one of the dark silicone cases and a small OLED screen you could probably come up with something quite neat. I've been quite tempted to try.

Puck.js was quite a reach for me with two separate moulded cases - I think it'd be a step too far trying to make a whole watch! Having said that I did try and talk to the watch manufacturers at the time I was hacking it - I think if I got a big enough order I could convince them to install custom firmware (or at the very least give me the encryption key for their bootloader), so that could definitely be an option.

I think it'd still be a matter of reverse engineering though - they didn't want to give me any schematics :)

I just saw this: http://www.rogerclark.net/new-nrf52832-b­ased-smart-watch-available/

An nRF52832-based watch would actually let you do some very exciting stuff! Looks like the "ID107 Plus" is available for around the £30 mark in the UK at the moment (it's different from the non-"Plus" version though!).

I don't see any details on that page about the OLED and pinout, but hopefully once they're known we'll be able to get Espruino on it!

Still looks like it might be hard to do firmware updates without opening the case though :(

Interesting! I actually contacted the sellers of the ID107 and had a similar experience to the gentleman that was writing the post above. They told me I had to order some large quantity, and tried to sell me new watches that were not the same. So dead end there.

There are some on ebay --- and I'm moving and these things take forever to arrive. But I'm encouraged that people are really into modding this little platform. The more I think about it the more I'd really love to have espruino on a watch like that.

Anyways keep us informed of any tinkering -- I'll be watching with interest for sure. I won't be able to work on anything for a few weeks anyways until after I've finished moving.

Just to add - @micooke has been compiling information on all these nRF5x based watches here: https://github.com/micooke/arduino-nRF5-­smartwatches

He's working on Arduino IDE support, but there's also a table of pinouts which would be amazingly useful for anyone looking to port Espruino.

FWIW this bracelet I got https://www.gearbest.com/smart-watches/p­p_009557274002.html is reported by nRF Connect as made by Nordic Semiconductor so it may be good hacking target? Looks like it is this one http://www.globalsources.com/gsol/I/Smar­t-bracelet/p/sm/1160255861.htm

Otherwise it is usable bracelet with average/poor fitness app DroiHealth but everything works and battery life is good. I charged it when I got it last week on Wednesday and it still reports %62 of battery today after wearing it almost every day/night. The app has firmware update option over bluetooth but sadly it is up to date so currently there is no firmware update available.

2 Attachments

As I understand it, what you see over Bluetooth is completely configurable so just because it reports itself as Nordic doesn't mean it actually is - but it's a very good start, especially as that link you posted mentions nRF52832 explicitly.

Do you have a link to the latest firmware? I've love to find one of these watches that comes with an unlocked bootloader, as cracking them open to flash them is a pain - it requires extra hardware, fine soldering, and there's a reasonable risk of breakage.

No I don't have the firmware. And sadly the DroiHealth android app is obfuscated so cannot be decompiled easily to see how the firmware is downloaded. But I'll try more.

BTW as for the firmware I had better success with another similar bracelet I got randomly from aliexpress at the same time. It looks exactly like this one http://www.globalsources.com/gsol/I/Smar­t-bracelet/p/sm/1161181278.htm#116118127­8 and the android app is called YOHO sports The app can be easily decompiled so it can be seen how it communicates with the bracelet all the service guids and structures are there. Also when I first connected it and tried firmware update, it downloaded something and updated the device successfully via bluetooth. I now see the code and it connects to alibaba oss cloud storage with all the firmware files supported by the app. The storage has structure of different folders for different device models/displays/chips like HSD_0.96 BOE_0.96 DY_0.42 MC3631 MC3413W HRS3300 each having separate firmware. Unfortunately the MCU is not made by Nordic but possibly by mCube I got the device for $9.79 but for some reason that aliexpress seller raised the price to $17.48 now! https://www.aliexpress.com/item/ID115-PL­US-HR-Smart-Bracelet-2-Replace-Straps-Sp­orts-Wristband-Fitness-Tracker-Heart-Rat­e-Monitor-Pedometer/32878474822.html however other sellers still sell it in ~$10 price range. The battery life is worse. I used it far less and already had to charge it again after few days. The features are very similar and I can't decide which one I like more.

I'd say the 'ID' branded watches are a good start as that's what was used for this initial thread - and I've seen a few other nRF52-based watches by them too.

For nRF52, if you can get hold of the firmware binary we can at least check and see if it's encrypted. If it is we could hope that it's encrypted with the sample key that comes with Nordic's SDK - but if it isn't we're probably out of luck :(

Even if the app is obfuscated, could just monitor the network to see what files are downloaded (and we could hope it's not over HTTPS).

I got earlier V2 Droihealth apk, it is not so obfuscated so most code is present and it looks like is support (mostly?) Nordic based devices since the firmware update code uses DFUService classes from Nordic. Howewer that older version does not suport I9 device. Also I found the device is sold with Lynwo I9 name so this gives some interesting google hits.

As for firmware my device shows version V3.11, it can be seen on different youtube videos that versions V3.06 and V3.12 are available https://youtu.be/Sm2Nqy8hT_0?t=31


https://youtu.be/3pZ1ieWn6Nk?t=55

yet the app does not offer me update from 3.11 to 3.12 :-( I will check the traffic but guess it will be https.

As for the ID brand, that's why I got the ID115 one but sadly the one I got is not Nordic based.

What may explain why firmware update of i9 does not work is that it is most probably not Nordic based after all. While trying to put it to DFU mode and searching for services and guids I noticed it is quite different from what it should look like. I found one service F000FFC0-0451-4000-B000-00000000000 with two characterictics Img Identify, Img Block and google found this https://e2e.ti.com/support/wireless_conn­ectivity/bluetooth_low_energy/f/538/t/61­8391?CC2541-OTA-which-advertisement-char­acteristic-to-send-OTA-message-to-
So most probably the device is CC2541 based. This is bit of a letdown since I don't like 8051 very much and from specs it looks like there is only 8KB SRAM. OTOH the device is still hackable and TI provides tools and documentation. But it does not look like good espruino target after all.

So this is similar to what @ColinP already described previously in this thread "This device uses the Nordic Bluetooth service UUID and shares an app even though it doesn't have a Nordic chip in."

EDIT: As for TI and tools - it is much worse, the compiler is $2000 IAR Workbench, looks like there is no other option https://e2e.ti.com/support/wireless_conn­ectivity/bluetooth_low_energy/f/538/p/18­2785/715834#715834
however this is promising https://sourceforge.net/p/sdcc/mailman/m­essage/33226999/

That's a shame - it's really hard to find stuff that actually contains it. However looking on eBay there are a few smartwatches that explicitly mention nRF52832 (eg this one looks great).

But it's a bit of a minefield - even if I get one and it does have a nRF52 inside, next week that advert will probably be gone and nobody will be able to find one of them again.

So I got third bracelet. This one is ID115HR clone with BW OLED screen. It was cheap and quality was pretty bad - it had some dirt under screen, OLED was misaligned so few rows of pixel were not seen at all. And also the heart rate sensor produced similar random values between 60-90 no matter if I wear it or just point it to empty space. Also when moved it turned screen randomly on and quickly off. So I got full refund, then opened it to clean the dirt and try to align the display. I also checked the chip markings of course and it is Realtek 8762AG. So yet another one. I found some datasheet with register descriptions and memory map and even some development board with SDK download. However my board have strange set of points I wonder which ones are for debugger?

1 Attachment

Interesting... could be TX and RX (if it's a serial bootloader?). Trying to port Espruino to a new architecture and the watch at the same time is going to be quite painful though I imagine!

Just a heads up - if anyone wants Nordic bracelet with BW oled screen there is N52832 based one currently on sale here https://www.gearbest.com/smart-watches/p­p_1232618.html?wid=1433363

My photo with front glass removed https://pasteboard.co/HMcXmdl.jpg is matching the board
photo on FCC site https://fccid.io/png.php?id=3414019&page­=2 so the other side most probably looks like this https://fccid.io/png.php?id=3414019&page­=3 :-)

For more details see my findings here https://gitter.im/nRF51822-Arduino-Mbed-­smart-watch/Lobby?at=5be3fbf36b9822140df­92510

I've yet to try SWD test points with blackmagic probe tonight but if it works it is sure thing :-)

And BTW if you don't like heart rate sensor and the wristband/usb charging type, there is almost identical one - Lenovo HX06 which is a bit different, however it is more expensive even when on sale and it is not on sale so often https://www.gearbest.com/smart-watches/p­p_1830584.html?wid=1433363 This HX06 one has FCC ID https://fccid.io/2AEMN-D16 according to photos in user reviews.

Just to let you know that I managed to attach gdb over SWD and backed up the firmware and created github repository https://github.com/fanoush/ds-d6 with the files and some basic info. I'll try to build micropython or espruino whichever will be easier to build for bare nrf52832_512k_64k I guess it may be easier/faster to scan and test various buses and hw attached to it interactively than writing/building/flashing C code.

It uses S132 v2.0 Softdevice so I hope when linking and flashing to 0x1c000 it will start up and I won't break anything. DFU bootloader is probably starting at 0x78000

Nice - it's great that the testpoints are so easy to get at.

I'd just try writing an existing Expruino MDBT42Q hex file to it and see if you have any luck.

I guess it may be easier/faster to scan and test various buses and hw attached to it interactively

Yes, at least that's what I found.

There's a good chance the OLED on there is http://www.espruino.com/SSD1306 - so you could play around with different pins to see if you have any luck.

Personally I'd say: take a nice sharp photo of the PCB, ideally from both sides. You can then start marking it up and trying to figure out where all the wires go since it's probably just a 2-sided board - there will only be a few wires to the OLED and they'll probably go direct, so they should be pretty easy to figure out.

There are actually a huge variety of nRF52 watches around at the moment... I bought one of these to take a look at: https://www.gearbest.com/smart-watches/p­p_009453646821.html

It just unscrews, there's an nRF52 and a GPS chip as well! It is a bit chunky though.

I'd just try writing an existing Expruino MDBT42Q hex file to it and see if you have any luck.

This will probably overwrite soft device and bootloader?
At first I wanted to only rewrite user app space as I don't understand yet how the boot loader + soft device + app works regarding reset vectors and startup and link dependencies. Curent bootloader does OTA update over BLE so I guess it is dependent on 2.0 soft device? so I should either overwrite just the app or everything including bootloader? And then I also need to modify UICR vectors so it boots properly after power up if the bootloader start at different address? Can I link espruino to SD 132 2.0 (id 0x81) or is is just too old? According to table here it means I need to link SDK 11. Can I update just soft device from 2.0.0 to latest 2.x which is 2.0.1 (id 0x88) and will existing bootloader still work? You see it is just too many questions so I'd better start just with reflashing the user app :-) I think I do have backup of whole flash so most probably nothing can go wrong and I can revert everything back but I'd still try in smaller steps if possible.

Yeah, you'll struggle building Espruino for SDK11. Since you've backed up all of flash I'm pretty sure you're fine though - you could always back up UICR as well I think.

It depends how much you think your time is worth I guess. You could spend the next 3 weeks messing around with SDK11 in case you brick a $15 watch, or you could just overwrite everything and see what happens :)

Yes, you're right. I already tried and mostly failed. Updating soft device to 2.0.1 worked fine and original app works with such minor upgrade. However my app flashed to 0x1c000 linked to soft device 2.0.1 does not start, it reboots to DFU/bootloder. Later I found this https://infocenter.nordicsemi.com/index.­jsp?topic=%2Fcom.nordic.infocenter.sdk51­.v10.0.0%2Fexamples_ble_dfu.html "Note that if you program a DFU bootloader on the device, you must use this bootloader to install the application. Programming the application with other tools will not update the bootloader settings, which means that the application might not start. Erase the device if you do not want to use the DFU bootloader anymore." so it looks indeed tricky.

However I already tried to restore from backup and it works (except maybe UICR area, will try that one too) so I am now confident enough to clear everything. So I'll try newer easier stuff first.

Still, to allow updating current watch firmware over bluetooth, I should figure out how the update with existing bootloader and soft device works. I don't want to open second watch. Hopefully with such old soft device the DFU update procedure is not signed.

And btw it is currently $8 watch at gearbest :-)

Just to let you know that I rebuilt Espruino from source, started from MDBT42Q board but removed LEDs etc and changed usart pins, flashed the result from gdb and now I have Espruino with serial console on usb data pins for further exploring :-) Also bluetooth works of course, console was default on bluetooth so I had to do Serial1.setConsole(false) over BLE connection first.

I figured out the pins first by dumping hw registers for USART,TWI,SPI in gdb, currently I know there is TWI2 scl 13 sda 14 ,SPI2 master sck 5 mosi 6 miso -1 (display?) and UART rx 22, tx 23. Time to go to sleep.

Anyway, I like that the USB data pins are connected, so one has two gpios or console without taking it apart. Not bad for $8 watch :-)

I figured out the pins first by dumping hw registers for USART,TWI,SPI in gdb

Nice - that's a really neat way of reverse engineering it :)

Yes, I never used SWD debugging before. Just recently I discovered that blackmagic probe firmware is available for bluepill - $1.67 STM32 board I had in drawer, so this was first time I used it. It is cool to stop existing firmware in any point and see HW registers. I did it both in DFU bootloader (serial enabled, i2c not) and app (serial not enabled but i2c yes) and with display on and off, charging/not charging - one can find a lot of basic stuff with that :-) I saw in datasheet section about the MWU — Memory watch unit. I wonder if it could be used to trace writes to peripherials at runtime with stock firmware still running?

Also I wonder how long the battery will last with espruino flashed and bt enabled (and console on serial). It did last over night but I don't see how much battery is left.