joegrand / watchpat-vfi

WatchPAT One nRF52832 Fault Injection

Hacking the WatchPat One #1

Open hvegh opened 3 weeks ago

hvegh commented 3 weeks ago

I have one; it would be interesting if we could reuse the hardware. I can imagine you have probably moved on from the project by now. Your repo is the only one I have found so far; maybe you have some tips and tricks to share. Would be much obliged.

So far, if I understand correctly, these are the components:

Possible routes to take:

  1. Assume the firmware is locked; maybe glitch the hardware in order to download the original fw. Seems complex; requires a fair amount of automation and reverse engineering.

  2. Since the hardware is relatively simple, and the bootloader might be locked, maybe it is possible to reset the device and reflash with new code. Gradually the IO might be understood and we can make those devices reusable. Seems less complex, if there is an easy way to reset the device for reprogramming.

  3. Just figure out how the sensors work, and reuse them with a different mini MCU board, for example. I would imagine the amount of hacking would be minimal. Might be the most simple solution if 2 is too difficult.

Anyway I have forked a branch on https://github.com/hvegh/watchpat-vfi if anyone wants to participate or has anything to share about this device...

hvegh commented 3 weeks ago

FCC site: https://fcc.report/FCC-ID/2APUBWPONE

BTW this product is Israeli, just so you know. If you are not comfortable with that you might want to use a different supplier, if that option is available.

Maybe one more reason we need an open source version: where does your data go?

joegrand commented 3 weeks ago
  1. Assume the firmware is locked; maybe glitch the hardware in order to download the original fw. Seems complex; requires a fair amount of automation and reverse engineering.

The chip is indeed locked, but this code will allow you to glitch and extract the firmware if you wanted to go this route. I'd happily share it, but don't want to risk any copyright/DMCA/legal action for doing so.

I believe the Serial NOR Flash contains some encrypted or encoded form of the user log data.

Here are some related Twitter posts about this from when I did the work in 2022:

https://twitter.com/joegrand/status/1478875220991639553
https://twitter.com/joegrand/status/1478153693543350272
https://twitter.com/joegrand/status/1478878275988381697
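As an added example (not code from this repo or from either commenter), the block-entropy scan below is how one would test the claim above that the serial NOR flash holds encrypted or encoded log data before investing in deeper analysis: erased sectors, plaintext, base64-like encodings and ciphertext-like regions each leave a distinct entropy and alphabet signature. The "dump" is constructed inline and the thresholds are rules of thumb, not proof of encryption.

```python
import base64
import hashlib
import math
from collections import Counter

BLOCK = 1024  # analysis granularity; NOR flash is read in page/sector multiples anyway
B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a uniform fill, close to 8.0 for random data."""
    counts = Counter(block)
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify(block: bytes) -> str:
    """Coarse label for one block; the 7.5-bit threshold is a rule of thumb."""
    h = shannon_entropy(block)
    symbols = set(block)
    if symbols <= {0xFF} or symbols <= {0x00}:
        return "erased"            # unprogrammed or zeroed flash
    if h >= 7.5:
        return "high-entropy"      # encrypted or compressed: nothing readable here
    if symbols <= TEXT_BYTES:
        return "base64-like" if symbols <= B64_ALPHABET else "plaintext"
    return "binary"                # structured records, code, lookup tables

def scan(dump: bytes, block: int = BLOCK) -> list:
    """Return (offset, entropy, label) for every block of the dump."""
    return [(off, round(shannon_entropy(dump[off:off + block]), 2),
             classify(dump[off:off + block]))
            for off in range(0, len(dump), block)]

def make_sample() -> bytes:
    """Constructed dump of four 4 KiB regions; NOT data read from a real WatchPAT."""
    erased = b"\xff" * 4096
    text = (b"t=0001 pat=0.42 spo2=97 hr=72\n" * 200)[:4096]
    encoded = base64.b64encode(b"constructed log record, not real\n" * 200)[:4096]
    rnd, seed = b"", b"constructed-seed"
    while len(rnd) < 4096:          # sha256 chain: deterministic stand-in for ciphertext
        seed = hashlib.sha256(seed).digest()
        rnd += seed
    return erased + text + encoded + rnd[:4096]

if __name__ == "__main__":
    for off, h, label in scan(make_sample()):
        print(f"0x{off:05x}  H={h:4.2f}  {label}")
```

Run it against a real dump by replacing `make_sample()` with the file contents; a region that stays "high-entropy" across many blocks with no plaintext or "binary" headers in between is the one worth treating as encrypted rather than merely encoded.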

hvegh commented 3 weeks ago

Thanks for the additional info! The ESP glitching method sounds interesting.