Espruino on your watch!

Posted on
Page
of 10
First Prev
/ 10
Next
  • That's fantastic - thanks!

    Just a quick update - I now have some ID205 watches here and I'm working on an Espruino build that can be flashed by the factory. Reverse engineering is a slow painful process as the watch is glued together and they're using a 4 layer board with BGA packages. However I am getting there - we now have the two buttons, LCD and vibration motor going. With a bit of work that'll be good enough to port the bootloader.

  • Good news, thanks for update. Previously I did not find FCC ID page but it looks like it is this one https://fccid.io/2AHFT226 , the User Manual says ID205 - but as you already got it opened this is no help.

    And if you are reverse engineering by examining the board traces and would also want firmware, then this link points to ID205 veryfit pro OTA download zip (public http link to their servers). depends what is easier but one can get e.g. display initialization code etc. Recently I have used ghidra decompiler and got a bit familar with it and it is sometimes quite helpful. It even tries to show you C code and sometimes it is more readable than assembly (and sometimes not).

  • Aaargh, it's currently 35$ at banggood hate u all :)
    Looks like there are 4 pins on the back of the watch. Can you flash new firmware without opening it? But honestly should just wait for you to do the work, already have too many half-done projects...

  • Can you flash new firmware without opening it?

    No, the firmware is signed. You can do it with all other nrf52832 devices from that company because they use SDK11 however this is 52840 chip so with that one they moved to later SDK => signed firware. More info 2 pages back in this topic.

  • Thanks - that firmware image might be handy. I'm doing ok for the moment but there might be a few things that are needed at a later date (like HRM/touch/etc).

    edit: definitely going to need it for touch I think :) The touch controller has its own CPU so I'll need to dump the firmware for it so it can be re-uploaded on fresh watches.

    But please don't buy the ID205 in the hope that you can flash it. It's got a metal and gorilla glass front that is glued shut and is almost impossible to get into. I've basically destroyed two watches trying to get into them now.

  • wanted to use E.enableWatchdog, because it's pretty hard to reset the watch if something goes wrong.

    Just a big warning related to watchdog. I just managed to brick HX03W while doing upload from Espruino WebIDE. The default is calling reset() before upload, which is normally sane thing to do but it interacts with watchdog in unfortunate way. reset() clears your watchdog pinging routine but not the watchdog itself as it is not real CPU reset and then starts upload. If upload does not finish in time you get watchdog reboot in the middle of upload. For me this causes my HX03W to not start properly now.

    I see nothing in serial console and bluetooth device can be seen but cannot be connected to UART service. So now I need to open it or wait until battery dies and then try to hold the button while powering on. Hopefully it will skip loading the partially saved code.

    So just beware it is not that easy with the watchdog. One safe way to upload is first clear code via require("Storage").erase(".bootcde") and then call reset() manually, then wait for watchdog reboot and only then upload new code. Or run everything in RAM until code is finished and stable.

  • Ouch.
    One thing you may try: try to put it into bootloader mode with the DSD6 app. Absolutely no idea whether that clears the watchdog, or what might happen, but may work. Probably wait for you watchdog timeout, before trying to reflash, so it doesn't restart the watch while flashing, and bricks it even more :)

  • There is no way to switch to (stock Desay) bootloader now as the switch needs espruino console working. Holding button at startup time after battery dies might help but it may take weeks :-) Anyway, I have couple of other devices to bri^H^H^Hhack and also more HX03W ones will arive from that banggood sale so I will wait until battery dies in this one just to see what happens.

    EDIT: maybe I can hammer it with some bluetooth packets constantly so it will die much sooner?

  • Oh after some time it recovered. I left it alone and after few hours I tried to connect and it still failed and serial console was dead but suddenly - in nrfconnect I tried directly write RX characteristics and it suddenly echoed the data into TX. I sent string E.reboot() and after some time I checked serial console and saw

    Uncaught SyntaxError: Got EOF expected '}'
     at line 2 col 6493
    ...?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255] ?[255]]
    

    So either it rebooted or not and printed this. Then I tried

    s=require("Storage");s.read(".bootcde")
    ="Modules.addCached" ... "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xF­F\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
    > console.log(btoa(s.read(".bootcde")))
    

    and copied the base64 string to computer and decoded back into binary and there is beginning of the program and the rest of file is 0xff. first 0x400 bytes in sensible code and rest until 0x1b66 is all 0xff.

    I will try to copy this to opened DS-D6 I can recover and see what the file does after reboot. Maybe it takes time for the interpreter to handle such long line of 0xff bytes , i.e no end of line and strange 0xff 'tokens'?

    Anyway, I erased storage in HX03W and it is fine now.

    EDIT: when looking at the partial code it even looks like it is not the latest version, I think I had the watchdog setup code on the beginning that later caused this mishap so this looks like flash page of some older code. And BTW when webide uploaded the code, I think the progress bar went to end normally so there was not any feedback that anything went wrong. It happily progressed while the watch was already rebooted. I'm not sure but think it was over serial so that may explain since there is no echo(?) so data is just pushed without any check(?).

  • Thanks - I guess it'd make sense to stop the watchdog inside jshReset (or ensure that 'auto' watchdog stayed working) to avoid this sort of problem?

    Come to think of it, should auto watchdog cause Espruino to automatically wake up in time to kick the watchdog? It'd seem sensible.

    I wouldn't have thought Espruino would get 'stuck' executing code since it should break out with an exception when it hits the first 0xff - but you may have been unlucky in that the part of the code that was saved may have enabled watchdog, but then the bit that actually kicked it didn't get loaded?

  • I guess it'd make sense to stop the watchdog inside jshReset (or ensure that 'auto' watchdog stayed working) to avoid this sort of problem?

    I guess you can't disable watchdog without doing reboot which is the point of having reset() call (so it works e.g. over BLE connection without disconnecting). So if upload could find that manual watchdog mode is enabled, then switch to automatic mode (if possible) or just refuse upload. Or at leasrt disable 'reset before upload', or .... it is complicated due to different upload modes (to ram vs to storage). I guess upload to storage does not need reset before upload checkbox enabled. It just writes .bootcde and then could reset after upload an load it. Reset before upload makes more sense with upload to RAM since it is full and stuff is otherwise modified in place (?).
    BTW, I find all those settings for code upload scattered over all other IDE setings hard to manage as I want to change them often. Would prefer the 'send to espruino' button pop up small dialog (maybe only when holding the button longer?) with just few options : reset before upload,save on send mode, set time and maybe minify yes/no. Sometime I would even only check 'set time' without any code upload.

    Come to think of it, should auto watchdog cause Espruino to automatically wake up in time to kick the watchdog? It'd seem sensible.

    Well, yes but the empty setInterval workaround solves it too, depend how much work and code it is.

    I wouldn't have thought Espruino would get 'stuck' executing code since it should break out with an exception when it hits the first 0xff

    Yes sounds strange. I don't know what is was, just that both serial and NUS console was not available after that watchdog reboot. The device was still advertising but web ide could no connect. So after trying it for few minutes I left it alone and tried later.

    but you may have been unlucky in that the part of the code that was saved may have enabled watchdog, but then the bit that actually kicked it didn't get loaded?

    It was like this:
    I uploaded code with first two lines added like this

    E.enableWatchdog(6, false);
    var wdint=setInterval(function(){if(!BTN1.re­ad())E.kickWatchdog();},1000);
    

    and then my other code. This worked fine and after testing it and doing some changes in IDE I wanted upload another version with changes. And unfortunately I had 'Reset before Send' setting enabled. So it called reset() and then started upload which was longer that 6 seconds.

    And so my guess is that it rebooted with inconsistent storage with half of code and rest of 0xff and additionally after reboot and running through this, the serial console was further flooded with the rest of uploaded code.

  • I've just pushed some watchdog changes - in auto mode it now resets it automatically, and if you reset() the auto kicking carries on. But that won't help you here because it's going to get rid of your setInterval anyway.

    Best bet is to save the code to .boot0 - that should be executed regardless of whether the watch was reset or not: http://www.espruino.com/Saving

  • Oh, so I can have both? Two lines of watchdog pinging in .boot0 and rest in .bootcde? And the IDE will not clear the other one at upload? That would be best. Will try. Thanks.
    EDIT:
    It works, I saved just watchdog setup and kicking code into .boot1 and it gets run together with main code, IDE does not touch it and uploading works also with reset before upload! Also as a bonus when I hold button for 6 seconds it reboots and does not start .bootcde because I still hold the button at boot time. So the code is not automatically started which is what is best when there is some bug that needs watchdog reset. All this still without your recent changes.
    Your changes however fix the auto mode that could cause similar unexpected isssues after reset()

  • Oh, so I can have both?

    That's right, yeah :) Glad it's working!

  • Hi! Quick question - while I've been working hard on the ID205 reverse engineering (and the nRF52840 is obviously nicer to have), I've had a lot of interest in watches with GPS and I'm coming back to the No.1 F5 and F7 watches as they're packed full of features.

    I just found a link to a firmware updater for it (which is actually just an APK file) and looked inside and found firmware that references SDK 7/8/9. That feels super old to me, but do you think it's a possibility that's what they're using?

    If so I guess OTA firmware updates could be a realistic option and I could just reflash the watches here?

  • I don't remember seeing these ones, which android app it uses?
    In that case it is probably nrf51? The QFAC with 32KB is used in many of them with such older SDK.

  • I'm struggling to find out where I put the watch itself now (I have far too many kicking around!) but the advert is https://uk.gearbest.com/smart-watches/pp­_009850783162.html - it's definitely nrf52.

    The firmware/updater was linked from http://www.chinawatchs.com/no-1-f5-how-t­o-manually-update-the-firmware/ - I imagine it just has a bunch of old files in there, but the big firmware file (which I imagine is the actual watch firmware) mentions SDK9.

    either way, if the firmware updater is that hacky then there's a good chance DFU is unsigned :)

  • I checked dfu_g095ca_v1.66.15.apk\res\raw\ from http://www.chinawatchs.com/no-1-f5-how-t­o-manually-update-the-firmware/ part And this one is the latest NO.1 F7 firmware.
    and many zip and hex files there use S110 soft device so it is nrf51, the only nrf52 firmware seems to be inside dfu_g095ca_v1.66.15.apk\res\raw\hplus_we­chat_fw.zip and inside is something named PCA10040 which is the SDK kit (and that one is SDK11, unsigned).

  • Thanks!

    I just found the watch amongst! Even outside of DFU mode it advertises "00001530-1212-efde-1523-785feabcd123" which I'm pretty sure is the old DFU as the new one seems to have 16 bit UUIDs?

    Maybe the firmware updater downloads the file then? I'm pretty convinced it is NRF52 - it says nRF52 everywhere I look and surely you'd have to be a bit crazy to add GPS to an NRF51? I took the watch to bits a while ago and sadly I can't read the chip number because it's scribbled over, but nothing I can see points to it not being an nRF52.

  • I can't read the chip number

    Can an SWD programmmer read the chip id? :) If you already took it apart

  • Thanks! I was struggling to find a proper list of UUIDs for each one.

    Don't know if it's helpful for you as a lot of stuff is still likely to change, but there's https://github.com/espruino/Espruino/tre­e/ID205 online now.

    • Bootloader that outputs reset reason on display and also sets up a watchdog so you can't brick a phone by uploading the wrong firmware (LCD support is still very hacky)
    • jswrap_id205 code which enables watchdog and does a reset if 2 buttons are held down at the same time for 10 seconds

    I guess some of these are features that might make sense to be pulled out into something more general for other watches?

  • Can someone please tell me how to get Espruino running on HX03W?

  • @MaBe yes, Ok, you are the first one to specifically ask for HX03W so I didn't bother yet to upload something specific for HX03w but it is not a problem

    • the easiest at first is to flash just SDK11 based espruino build while keeping bootloader and softdevice intact (later it is possible to upgrade both bootloader and softdevice)

    • there is no difference in Espruino build between different nrf52 devices except the bluetooth name which you can change from Espruino, so even now you can use latest firmware for DS-D6 from https://github.com/fanoush/ds-d6/tree/ma­ster/espruino/DFU I think the best would be to make generic build where the device name is Espruino instead of DS-D6, DS-D9, HX03W

    • easiest is to use D6Flasher from Android phone, you can watch the video there - it is exactly the same with HX03W as with DS-D6. Otherwise you could also use usb to serial adapter and nrfutils as described here

    • espruino code to get HX03W display working - simple clock application demo (work in progress) is here

    So basically you can start now with DS-D6 files - it is relatively easy. I will make up to date SDK11 based Espruino build for DS-D6 and possibly another generic one (was on vacation last 2 weeks).

    You can also rebuild it from source for SDK11 yourself, follow this

    What is currently missing for HX03W is package of patched bootloader which is then able to update to newer bootloader and softdevice (like there is for DS-D6) so you can use SDK12 based Espruino build without any patches. It is easy to make one but I just didn't bother yet as SDK11 based espruino build is mostly the same.

  • Post a reply
    • Bold
    • Italics
    • Link
    • Image
    • List
    • Quote
    • code
    • Preview
About

Espruino on your watch!

Posted by Avatar for Gordon @Gordon

Actions