Security researchers have successfully revived a 20-year-old attack method, known as “Blinkenlights,” to extract firmware from a low-cost smartwatch. This technique, originally used for network devices, was adapted to exploit the screen pixels of modern TFT displays, demonstrating an innovative approach to hardware security analysis. The discovery highlights potential vulnerabilities in budget wearable devices.
The research, conducted by Quarkslab analysts, involved purchasing an inexpensive smartwatch for approximately €12 (€13). Upon investigation, the device was found to contain non-functional novelty health sensors, unable to accurately measure blood pressure or track sleep. The smartwatch utilized a JieLi AC6958C6 system-on-chip and communicated via Bluetooth Low Energy, presenting an initial avenue for security evaluation.
Modern Blinkenlights Implementation for Smartwatch Firmware Extraction
The breakthrough came after the researchers identified a vulnerability in the firmware’s parser for custom dials (watch faces). The flaw is an out-of-bounds read: the parser does not validate the image offsets inside an uploaded dial, so an offset can point outside the dial’s own binary data, and the renderer then draws whatever memory lies at that address directly on the screen. The weakness was found while reverse-engineering the custom dial upload process.
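As an added illustration (not Quarkslab’s code and not the watch’s actual firmware), the following C shows the shape of the missing check: a hypothetical dial entry carrying an image offset, a renderer that trusts that offset the way the page describes, and a hardened renderer that bounds every read against the dial blob. The dial layout, the function names and the 32-byte memory image are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical dial layout (an assumption, not the real format): each image
 * entry says where its RGB565 pixels sit inside the uploaded dial blob. */
typedef struct {
    uint32_t offset;   /* byte offset of the pixel data within the dial blob */
    uint16_t width;    /* in pixels */
    uint16_t height;   /* in pixels */
} dial_image_t;
/* Vulnerable renderer, mirroring the bug described above: the offset is trusted,
 * so an entry pointing past the dial data copies adjacent memory to the screen. */
size_t render_unchecked(const uint8_t *blob, size_t blob_len,
                        const dial_image_t *img, uint8_t *fb, size_t fb_len)
{
    size_t n = (size_t)img->width * img->height * 2u;   /* RGB565: 2 B/pixel */
    if (n > fb_len) n = fb_len;
    (void)blob_len;                                     /* never consulted */
    memcpy(fb, blob + img->offset, n);
    return n;
}
/* Hardened renderer: every byte read must lie inside the blob. The size is computed
 * in 64 bits so width*height*2 cannot wrap, and the range test is a subtraction so
 * offset+size cannot overflow either. Returns 0 and copies nothing on rejection. */
size_t render_checked(const uint8_t *blob, size_t blob_len,
                      const dial_image_t *img, uint8_t *fb, size_t fb_len)
{
    uint64_t n = (uint64_t)img->width * img->height * 2u;
    if (n == 0 || n > fb_len) return 0;
    if (n > blob_len || img->offset > blob_len - n) return 0;   /* OOB read */
    memcpy(fb, blob + img->offset, (size_t)n);
    return (size_t)n;
}
/* Constructed memory image: a 16-byte dial blob (0x11) followed by 16 bytes
 * (0xF1) standing in for adjacent firmware the dial must never reveal. */
#define DIAL_LEN 16
static const uint8_t device_mem[32] = {
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0xF1,0xF1,0xF1,0xF1,0xF1,0xF1,0xF1,0xF1,0xF1,0xF1,0xF1,0xF1,0xF1,0xF1,0xF1,0xF1 };
/* Demo: render a w*h element at `offset`; returns the first framebuffer byte, or -1 if refused. */
int render_at(uint32_t offset, uint16_t w, uint16_t h, bool hardened)
{
    dial_image_t img = { offset, w, h };
    uint8_t fb[16] = {0};
    size_t n = hardened ? render_checked(device_mem, DIAL_LEN, &img, fb, sizeof fb)
                        : render_unchecked(device_mem, DIAL_LEN, &img, fb, sizeof fb);
    return n ? fb[0] : -1;
}
```

With an offset equal to the dial length, the unchecked renderer hands back the 0xF1 bytes that sit after the dial, while the hardened one refuses the entry; an offset near 0xFFFFFFFF, which would pass a naive 32-bit `offset + size <= len` test by wrapping, is rejected as well.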
Initial attempts at firmware extraction explored other methods. The researchers investigated the JieLi over-the-air update feature, but it was found to support only firmware uploads, not downloads. The Bluetooth authentication mechanism, based on the E1 legacy function with hardcoded values, was successfully replicated, but this path did not lead to the desired firmware extraction.
The successful strategy involved a modern implementation of the Blinkenlights technique. A custom hardware setup was developed using a Raspberry Pi Pico, overclocked to 200 MHz. This setup was used to capture data transmitted from the smartwatch’s main SoC to its NV3030B screen controller. The TFT screen operated at a 25 MHz clock speed, transmitting pixel data in RGB565 format, necessitating high-speed sampling for accurate data capture.
To achieve this, researchers soldered extremely fine wires (0.1mm diameter) to the screen connector. They then utilized the Raspberry Pi Pico’s Programmable Input/Output (PIO) feature to sample data bits synchronized with the rising clock edges. The PIO program was designed for maximum efficiency, using only two instructions to maintain the high sampling rate required.
The captured data was buffered in a 145,000-byte buffer in the Pico’s RAM before being sent to a host computer over a USB serial port. To trigger the firmware dump, the team crafted malicious custom dials whose manipulated offset values deliberately caused the smartwatch to read and display memory contents beyond the dial’s own data region.
The extraction process was iterative, requiring the generation of multiple custom dials. Each dial was designed to target different memory addresses. To aid in data processing and verification, a special header was embedded in each dial. This header included synchronization words (0xa5a5a5a5) and magic bytes (0xdeadbeef) to identify individual data blocks and ensure proper alignment.
Python scripts were developed to automate the entire process, from generating the custom dials and collecting the captured data to reconstructing the complete firmware from the individual memory slices. This research underscores how older attack methodologies, when creatively applied, can remain relevant and effective against contemporary embedded systems. The low-cost hardware approach, requiring minimal expense beyond the Raspberry Pi Pico, proved to be a more practical and accessible method for this specific type of analysis compared to more expensive logic analyzers.
The findings suggest that even budget-friendly smartwatches may harbor vulnerabilities that allow for the extraction of sensitive firmware data through unconventional means. Further investigation into the security of similar low-cost wearable devices is warranted to understand the broader implications of such attack vectors.