Another experiment on nRF51822 fitness band

Posted on
  • This topic is moved from here

    I am inspired by one of the topic but very very old (4 years) to flash espruino on cheap fitness tracker.

    Goals are:
    1 - Hack something.
    3 - Get know how about nrf software, SDK, softdevice, application etc.
    2 - To learn the flashing process using DFU and SWD programmer (ST-Link v2, J-link ) or OpenOCD with raspberry pi.
    3 - To have some fun

    Since I already have a microbit so I think that fitness tracker is sharing the same SOC as the mBit.

    I found one ebay listing for such fitness tracker using nRF51822 32 KB ram 256 KB flash. Ordered and yet to arrive.

    I googled for more information available in the advertisement and found that I may be a clone on V07 SPORT BP Heart Rate Tracker. Searching on the same on FCCID found this.

    So assuming this is the same as in the image, I can open the tracker with just 4 screws, so no cut & open.

    I can see 5 pads in a line, center of the PBC. Last 2 are SCLK and SWD. So this would be the SWD pads where my programmer will connect.

    I am still not clear about the display type and controller.. Serial (SPI/I2C/) or Parallel (8 or may be 16??)

    I will post more updates soon.

    Abhinav

  • I have received my fitness band today. Surprisingly it is exactly same as in FCC.IO

    Highlight

    1. Open with 4 screws on back, so no need to cut open. Supper!!
    2. nRF51822 QFACA1 (256 KB ROM, 32 KB flash). Very Cool!!
    3. SCLK and SWD are clear visible and can be solder easy.



    Nest step to get the original firmware out from the watch and flash eprrunio likely.

    Here are the tear down images:

    https://drive.google.com/drive/folders/1­yusvIWzOt6pknkncByfNGnd0HALn4JGg?usp=sha­ring

  • @fanoush

    I have got further information about my fitness band posted above.

    I have a raspberry pi zero w in hand so planning to use openocd for flashing.

    H band is the application that is used for as mobile app for this band.

    NrfConnext says this device does not support Nordic dfu mode.

    Please suggest what else I have to know before start custom flashing?

    And from where I should start? Like use an old version (number) of Espruino or build my own with modified board.py file?

    Frankly speaking, I have no idea where to start...

    Just to inform that the device is exactly same as (http://www.wo-smart.com/p-56.html) discussed in gitter lobby
    https://gitter.im/nRF51822-Arduino-Mbed-­smart-watch/Lobby?at=5ce354b883ae782aeea­29be5

  • Wow, great. I didn't believe you would get the real thing for such price.

    If you already opened it and get SWD working then you don't need to get older espruino and mess with DFU and existing firmware unless you bought more than one and want to update next one without taking apart. For SWD just build the latest and flash it like it would be microbit.

    As for building you may start from NRF51822DK board which also has 32KB. So just copy this board file to something else and comment out buttons, LEDs and serial mapping and build it.

    Before flashing something else you may try to backup whole flash and UICR space via openocd, see e.g. this, you basically run 'flash banks' to verify the memory is seen and then save banks 0 and 1 via 'flash read_bank 0 flash.bin' and 'flash read_bank 1 uicr.bin'. If it fails the flash may be protected and the backup is harder but possible (see e.g. this).

    Also still with the default firmware you may try to find out some firmware version and model number somewhere in the menu on the device or h-band app. Or even check for firmware update via the h-band app. With such model number I could try to match the firmware from their update web servers if you can't make backup via SWD or firmware update in the app won't work or won't leave the firmware somewhere on the phone after update.

    Firmware is useful for decompiling to figure out e.g. LCD SPI pinout or HR sensor. Otherwise you would need to trace pins on the board.

    EDIT:
    As for firmware model number, I see in FCC photos that something is also on the board itself, I don't see that part on your photos. The firmware files are named like VPH_10_00071300_151.zip or VPH_11_00110600_152.zip. The suffix 151 or 152 is unique h-band app model number but there are more zips for same VPH_XX, e.g. VPH 10 has both _151 and _104 which may mean different board or just different firmware branding of same board.

  • Hi @fanoush,

    Thanks for the firmware information as edit. I just upgraded the tracker from version 00.07.11 to 00.07.13.

    As for firmware model number, I see in FCC photos that something is also on the board itself, I don't see that part on your photos

    Yes it is there, hidden behind the flex cable, with the same details.

    After upgrade if searched the firmware file in mobile and found a hband.zip file.

    Zip has 3 files

    1. manifest.json
    2. VPH_10_00071300_151.bin
    3. VPH_10_00071300_151.dat

    This confirms your statement about firmware.

    manifest.json

    {
        "manifest": {
            "application": {
                "bin_file": "VPH_10_00071300_151.bin",
                "dat_file": "VPH_10_00071300_151.dat",
                "init_packet_data": {
                    "application_version": 255,
                    "device_revision": 1,
                    "device_type": 1,
                    "firmware_crc16": 38123,
                    "softdevice_req": [
                        65534
                    ]
                }
            },
            "dfu_version": 0.5
        }
    }
    

    I don't know if this is a good news for me or not.

    So when I have the firmware, how to extract the details like pin info, display etc.

    What should I do as a next step?

    I am really really sorry for asking such a novice questions.

    Regards,
    Abhinav

  • OK, so you did firmware update, great. That means there is a bootloader for doing DFU for sure (some devices are not upgradable so may not have the bootloader at all). And the device code is 151. Did you see some picture on OLED screen while doing the upgrade? That would mean the botloader is customized with display code and is definitely worth backing up - the update zip is just application, not backup of whole flash memory so if you erase the flash completely and want to restore it later you will be missing bootloader code and UICR settings.

    I think you should first get SWD working with openocd and try to backup existing flash if possible. if the device is not protected you may even try to let it run default firmware and pause it in the middle of something and see various HW registers to see how it is configured (i2c,spi, GPIO pin configuration), see example for nrf52 here. To me it was easier than decompiling whole app. Also if the bootloader is customized with display code it is also a bit easier task as it is smaller.

    I am really really sorry for asking such a novice questions.

    Well, yes, while it is not that hard it is not novice level so you can't avoid learning a lot of things, which is hopefully the point. I'd start with Nordic documentation about nrf51
    https://infocenter.nordicsemi.com/topic/­struct_nrf51/struct/nrf51.html?cp=5 and some older SDK that still supports nrf51 like SDK11 od SDK12. As for the nrf51 reference manual it looks like it is only a pdf, for nrf52 they made it also html based which is easier to read.

  • Hi @fanoush

    Thanks. I will try SWD using pi zero w and take pin connections help from this post .

    Did you see some picture on OLED screen while doing the upgrade?

    Unfortunately while upgrading I totally missed display notifications so I don’t know. But I have ordered couple of more units so I will check when I will get those in a day or two.

    the update zip is just application, not backup of whole flash memory

    So that means the zip will not give me any information about GPIO, display controller etc? And I need to have backup from the flash?

    Just curious-

    What is the difference between application, firmware, soft device and boot loader in the context of nRF5x devices?

    I also found the this github repo . Do you already know about this? If this can help to get more information from the bin file.

    Another thing, where I can find cfg file for nrf51?

    Regards
    Abhinav

  • So that means the zip will not give me any information about GPIO, display controller etc?

    No, it does not mean that. The application must use all the hardware to work so all the code is there somewhere., it may be just harder to find it. That repo is interesting but mainly targeted to IDA Pro decompiler which is paid. For decompiling I use Ghidra or in very simple cases objdump from binutils like described e.g. here (the comments and C code in decompiled code is added by me)

    What is the difference between application, firmware, soft device and boot loader in the context of nRF5x devices?

    https://infocenter.nordicsemi.com/topic/­com.nordic.infocenter.s130.sds/dita/soft­devices/s130/mbr_bootloader/bootloader.h­tml?cp=5_7_2_0_11_1

  • Hi @fanoush

    The recent update is I tried to decompile the bin file from the zip using Ghidra for ARM Cortex setting.

    All the output is complete puzzle for me and I don’t know what should I look for.

    I am waiting for my amazon order for usb microscope so that I can take high res images for pin tracing as a backup options.

    I faced some issue while installing OpenOCD as few of the sub modules are not getting installed. Flaky repo.or.cz is not responding.

    So I directly install the package in my Pi.

    Will try to make a dump and halt-reset.

    if the device is not protected you may even try to let it run default firmware and pause it in the middle of something and see various HW registers to see how it is configured (i2c,spi, GPIO pin configuration)

    So you have any suggestions what specific think I should look for?

    Worth to mention that I will try very first time this.

  • @fanoush,

    I have installed OpenOCD. running but with error

    pi@raspberrypi:~/opencd $ sudo openocd -f interface/raspberrypi-native.cfg -c "transport select swd; set WORKAREASIZE 0" -f target/nrf51.cfg
    Open On-Chip Debugger 0.10.0
    Licensed under GNU GPL v2
    For bug reports, read
    	http://openocd.org/doc/doxygen/bugs.html­
    BCM2835 GPIO nums: swclk = 25, swdio = 24
    0
    cortex_m reset_config sysresetreq
    adapter speed: 1000 kHz
    Info : BCM2835 GPIO JTAG/SWD bitbang driver
    Info : SWD only mode enabled (specify tck, tms, tdi and tdo gpios to add JTAG mode)
    Info : clock speed 1006 kHz
    Info : SWD DPIDR 0x013f9150
    Error: Could not initialize the debug port
    
    
    

    Another attempt:

    pi@raspberrypi:~/opencd $ sudo openocd -f r1.cfg
    Open On-Chip Debugger 0.10.0
    Licensed under GNU GPL v2
    For bug reports, read
    	http://openocd.org/doc/doxygen/bugs.html­
    BCM2835 GPIO nums: swclk = 25, swdio = 24
    BCM2835 GPIO nums: swclk = 25, swdio = 24
    cortex_m reset_config sysresetreq
    adapter speed: 1000 kHz
    none separate
    adapter_nsrst_delay: 100
    adapter_nsrst_assert_width: 100
    Info : BCM2835 GPIO JTAG/SWD bitbang driver
    Info : SWD only mode enabled (specify tck, tms, tdi and tdo gpios to add JTAG mode)
    Info : clock speed 1006 kHz
    Info : SWD DPIDR 0x00bdc150
    Error: Could not initialize the debug port
        TargetName         Type       Endian TapName            State       
    --  ------------------ ---------- ------ ------------------ ------------
     0* nrf51.cpu          cortex_m   little nrf51.cpu          unknown
    Info : SWD DPIDR 0x00000007
    Error: Could not initialize the debug port
    Error: Target not examined, reset NOT asserted!
    in procedure 'reset' called at file "r1.cfg", line 17
    in procedure 'ocd_bouncer'
    
    

    My config file is [r1.cfg]

    source [find interface/raspberrypi-native.cfg]
    transport select swd
    
    bcm2835gpio_swd_nums 25 24
    [#bcm2835gpio_srst_num](http://forum.esp­ruino.com/search/?q=%23bcm2835gpio_srst_­num) 18
    
    set CHIPNAME nrf51
    source [find target/nrf51.cfg]
    
    reset_config srst_nogate
    
    adapter_nsrst_delay 100
    adapter_nsrst_assert_width 100
    
    init
    targets
    reset
    reset halt
    poll
    

    Any advice?

  • @fanoush

    So here I come back to one point, if I can flash Espruino (older version) to nRF 51822 based fitness band.

    In my previous attempt to perform RE on tracker I destroyed SWD CLK test pad because of over heated soldering iron. No no more hardware hacking. So I started looking H Band Android application.

    I found very interesting things from the android app .

    It uses battery service and characteristics to communicate with firmware for most of the commands like setting alarms, entering in DFU mode. Yes it enters in the DFU mode by issuing codes to firmware and FW starts the DFU services. I successfully entered in DFU mode and exits after timeout using nodeJS code.

    I also observed in android app how app is sending dfu packets to device. The code using Nordic android library for DFU and seems does not use the secure dfu classes, although library does have the secure dfu class. More analysis will confirm this.

    So the questions are.

    1- Does it means that Bootloader is not a Nordic one and customised?
    2- assuming that original firmware is built using SDK 11 and not encrypted /no secure dfu, can I flash Espruino (version???) via OTA DFU? I can create flashing tool on android by taking help of existing hband app and D6 flasher app.

    3- Since I cannot do flash dump and only have original firmware, is there anything that can be to to get useful information?

    Abhinav

  • can I flash Espruino (version???) via OTA DFU?

    In theory, yes. However in reality the Espruino firmware is too big to fit on an nRF51822 alongside the bootloader.

    Honestly, if you're serious about getting something usable working, I'd look at getting a cheap nRF52832 based fitness tracker that has enough room for a full-featured Espruino - @fanoush had found some great ones in the $10-$15 range

  • Post a reply
    • Bold
    • Italics
    • Link
    • Image
    • List
    • Quote
    • code
    • Preview
About

Another experiment on nRF51822 fitness band

Posted by Avatar for Abhigkar @Abhigkar

Actions