Info & tools for reverse engineering the M6 smart fitness band

Related tags

Miscellaneous m6-reveng
Overview

m6-reveng

This repo contains information and tools for reverse engineering the $7 M6 smart fitness band. M6 smart fitness band box

Hardware

M6 hardware M6 hardware The SoC (system-on-a-chip) is a Telink TLSR8232.

  • Datasheet
  • 32-bit proprietary MCU
    • Closed ture, not a lot of resources about it
    • 24 MHz clock speed
  • 16kB of SRAM
  • 512kB of flash
  • 32kHz oscillator for low power mode
  • SWS (Single Wire Slave) interface for debugging and programming

Pin map

Description SoC pin number SoC pin label Comments
Display SPI MOSI 29 ANA_B<4> SPI master -> slave data
Display SPI Clock 31 ANA_C<5> SPI clock
Display SPI RS (D/C#) 32 ANA_C<6> Data select. Low means command, 1 means data
Display SPI CS# 03 ANA_A<1> SPI chip select, active low
Display RST 02 ANA_A<0> Reset pin, active low
LEDK 04 ANA_A<2> Display LED backlight cathode. Connected to a driver NPN transistor's base

The Setup

The Telink TLSR82xx series SoCs are debugged and programmed using the closed SWS (Single Wire Slave, or SWire) protocol. pvvx did a fantastic job reverse engineering this protocol and creating an alternative programmer based on the STM32 Blue Pill board. The TlsrTools project contains both the STM32 software (SWireSTM32) and a Windows GUI application for controlling the STM32 board.

The TlsrTools project was developed for the TLSR826x. I originally introduced changes to this project, but later I realized our TLSR8232 chip uses the same SWS protocol. This means we can simply flash this precompiled binary to our STM32 and use it as the middleman for debugging the M6.

Setup

I did not use the Windows GUI application, and instead wrote my own Python script (tlrs82-debugger-client.py) that connects to and controlls the STM32 via USB. The commands and timings are tailored for the TLSR8232 SoC, but should be easily adaptable for other TLSR82xx chips.

Reading the chip ID

Register 0x007e is a special register in the TLSR that contains the chip identification. This is a good way to verify that everything is working as expected.

$ python tlsr82-debugger-client.py --serial-port /dev/cu.usbmodem6D8E448E55511 get_soc_id
Found and set suitable SWS speed: 7
SOC ID: 0x5316

Dumping the RAM

$ python tlsr82-debugger-client.py --serial-port /dev/cu.usbmodem6D8E448E55511 dump_ram ram.bin
Found and set suitable SWS speed: 7
Dumping ram to ram.bin...
0x0000 00.00%
0x0100 00.39%
...
0xfe00 99.22%
0xff00 99.61%
Writing 65536 bytes to ram.bin

Dumping the flash

$ python tlsr82-debugger-client.py --serial-port /dev/cu.usbmodem6D8E448E55511 dump_flash flash.bin
Found and set suitable SWS speed: 7
Dumping flash to flash.bin...
CPU stop.
CSN high.
0x000000 00.00%
0x000100 00.05%
0x000200 00.10
...
0x07cd00 99.85%
0x07ce00 99.90%
0x07cf00 99.95%
Writing 512000 bytes to flash.bin
You might also like...
Calido - Open Smart Thermostat and Smart Home Controller. Built on a Thingy:91 (nRF9160).
Calido - Open Smart Thermostat and Smart Home Controller. Built on a Thingy:91 (nRF9160).

Calido - Open Smart Thermostat and Smart Home Controller based on a Nordic Semiconductor Thingy:91 Project can be found here (Electromaker.io). A Make

ticccco 3 Jun 25, 2022
ContactGot is an offline desktop app, where clients can leave their info, while an administrator can manage which information they need to gather on certain projects.
ContactGot is an offline desktop app, where clients can leave their info, while an administrator can manage which information they need to gather on certain projects.

ContactGot Contents Description How to use Requirements Engineering Installation Documentation Design Architecture Demonstration 1. Description During

Elizaveta 15 Sep 17, 2022
The given files contains a coded algorithm for a program of "OMR Evaluation" With negative marking below are brief info regarding its feature

OMR-Evalution The given files contains a coded algorithm for a program of "OMR Evaluation" With negative marking below are brief info regarding its fe

Harsh Shrivastava 5 Oct 16, 2022
Suckless-tools - My fork of suckless tools.

suckless-tools Here is my fork of suckless tools. I didn't include tabbed, i was using but not actively. I am using xfce4-terminal instead of st. Beca

null 2 Jan 7, 2022
The Vulkan Profiles Tools are a collection of tools delivered with the Vulkan SDK for Vulkan application developers to leverage Vulkan Profiles while developing a Vulkan application
The Vulkan Profiles Tools are a collection of tools delivered with the Vulkan SDK for Vulkan application developers to leverage Vulkan Profiles while developing a Vulkan application

Copyright © 2021-2022 LunarG, Inc. Vulkan Profiles Tools (BETA) The Vulkan Profiles Tools are a collection of tools delivered with the Vulkan SDK for

The Khronos Group 73 Dec 25, 2022
🏢 An operating system that combine the desire of UNIX utopia from the 1970s with modern technology and engineering
🏢 An operating system that combine the desire of UNIX utopia from the 1970s with modern technology and engineering

Striking modernist shapes and bold use of modern C are the hallmarks of BRUTAL. BRUTAL combine the desire of UNIX utopia from the 1970s with modern te

Brutal 924 Dec 27, 2022
© 2022 Twitter Early Career Engineering Coding Challenge
© 2022 Twitter Early Career Engineering Coding Challenge

2022 Twitter Early Career Engineering Coding Challenge This is a timed test. Please make sure you are not interrupted during the test, as the timer ca

Ricky Chuang 8 Oct 24, 2022
Final project for the Programming I subject of the Computer Engineering Degree.

2048 Final project for the Programming I subject of the Computer Engineering Degree. 1. Introduction 2048 is a puzzle game for one player. Its main go

André Rato 1 Oct 28, 2021
Code for an air hockey table for an engineering project.

Project: Air Hockey Table Code for an air hockey table. Step 1: Installation Step 2: Assemble the circuit Assemble the circuit following the diagram l

William Rice 3 Jan 21, 2022
Comments
  • Unable to find a suitable SPI speed

    Unable to find a suitable SPI speed

    Not an issue, just a question:

    Hello, interested by your work, I've ordered a M6 smart band to work with it.

    I've (seems) correctly flashed the BluePill and soldered the three wire to the m6 band (GND, SWS, and RST), but the "tlsr82-debugger-client.py" program does not able to find the M6 band.

    
python3 tlsr82-debugger-client.py --serial-port /dev/ttyACM0 get_soc_id
Trying speed 2
Trying speed 3
Trying speed 4
Trying speed 5
Trying speed 6
Trying speed 7
Trying speed 8
Trying speed 9
....
many attempts later
...
Trying speed 108
Trying speed 109
Trying speed 110
Trying speed 111
Trying speed 112
Trying speed 113
Trying speed 114
Trying speed 115
Trying speed 116
Trying speed 117
Trying speed 118
Trying speed 119
Trying speed 120
Trying speed 121
Trying speed 122
Trying speed 123
Trying speed 124
Trying speed 125
Trying speed 126
Traceback (most recent call last):
  File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 401, in <module>
    main()
  File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 397, in main
    args.func(args)
  File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 349, in get_soc_id_main
    init_soc(args.sws_speed)
  File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 267, in init_soc
    find_suitable_sws_speed()
  File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 109, in find_suitable_sws_speed
    raise RuntimeError("Unable to find a suitable SPI speed")
RuntimeError: Unable to find a suitable SPI speed

    Any tips? the only different that i've found in my m6 band, it's that there are no a the capacitor on the RST pin....

    postimg.cc/G85BzphC

    opened by user-e 2
Owner
null
GitHub
Powerful automated tool for reverse engineering Unity IL2CPP binaries

Powerful automated tool for reverse engineering Unity IL2CPP binaries

Katy 2.1k Jan 7, 2023
Resources gathered for reverse engineering the FNIRSI-1013D scope

# FNIRSI-1013D-Hack Resources gathered for reverse engineering the FNIRSI-1013D scope As part of what is on EEVBLOG, resources for the reverse engine

null 75 Dec 25, 2022
A lightweight ARM reverse engineering tool.

eydis A lightweight (basic and slow) ARM reverse engineering tool. I. Requierements macOS/Linux, Basics compiling tools, The SQLite3 + readline framew

Yui Aioi 18 Aug 15, 2022
The purpose of these streams is to be educational and entertaining for viewers to learn about systems architecture, reverse engineering, software security, etc., and NOT to encourage nor endorse malicious game hacking.

Memestream This repository holds the code that I develop during my live game "modding" ?? sessions. When I stream, I like to speedrun making a success

Stephen Tong 28 Jul 6, 2022
🎮 Plants vs. Zombies multiplayer battle, developed via reverse engineering, inline hook and dynamic-link library injection. Two online players defend and attack as the plant side and zombie side respectively.

Plants vs. Zombies Online Battle This project has two original repositories: https://github.com/czs108/Plants-vs.-Zombies-Online-Battle https://github

Liugw 71 Oct 14, 2021
Reverse engineering the V831 npu

v831-npu Reverse engineering the V831 Neural Network Accelerator (NNA) Hardware is primarily based off NVIDIA Deep Learning Accelerator(NVDLA) archite

Jasbir 79 Jan 7, 2023
Reverse engineering / documenting the SSC (qcom Snapdragon Sensor Core) or SLPI.

QRTR / QMI sensor daemon Device setup (pmos) Install deps sudo apk add alpine-sdk sshfs eudev-dev qrtr-dev Mount build dir First on host setup USB net

Caleb Connolly 12 Jul 26, 2022
Reverse engineering Genshin Impact anticheat to study how anticheats work on the Windows operating system.

mhyprot2 - Reverse engineering Genshin Impact anticheat for study 1. Demonstration video 2. Screenshots 2.1 Panel 3. Future updates and questions As I

João Vitor 57 Nov 16, 2022
OverRide - Binary Exploitation and Reverse-Engineering (from assembly into C)

OverRide Explore disassembly, binary exploitation & reverse-engineering through 10 little challenges. In the folder for each level you will find: flag

Anya Schukin 69 Sep 22, 2022
Cutter is a free and open-source reverse engineering platform powered by rizin

Cutter is a free and open-source reverse engineering platform powered by rizin. It aims at being an advanced and customizable reverse engineering platform while keeping the user experience in mind. Cutter is created by reverse engineers for reverse engineers.

Rizin Organization 12.4k Jan 1, 2023