Info & tools for reverse engineering the M6 smart fitness band

Overview

m6-reveng

This repo contains information and tools for reverse engineering the $7 M6 smart fitness band.

Hardware

The SoC (system-on-a-chip) is a Telink TLSR8232.

  • Datasheet
  • 32-bit proprietary MCU
    • Closed architecture, not a lot of resources about it
    • 24 MHz clock speed
  • 16kB of SRAM
  • 512kB of flash
  • 32kHz oscillator for low power mode
  • SWS (Single Wire Slave) interface for debugging and programming

Pin map

| Description | SoC pin number | SoC pin label | Comments |
|---|---|---|---|
| Display SPI MOSI | 29 | ANA_B<4> | SPI master -> slave data |
| Display SPI Clock | 31 | ANA_C<5> | SPI clock |
| Display SPI RS (D/C#) | 32 | ANA_C<6> | Data select. Low means command, high means data |
| Display SPI CS# | 03 | ANA_A<1> | SPI chip select, active low |
| Display RST | 02 | ANA_A<0> | Reset pin, active low |
| LEDK | 04 | ANA_A<2> | Display LED backlight cathode. Connected to the base of an NPN driver transistor |

The Setup

The Telink TLSR82xx series SoCs are debugged and programmed using the closed SWS (Single Wire Slave, or SWire) protocol. pvvx did a fantastic job reverse engineering this protocol and creating an alternative programmer based on the STM32 Blue Pill board. The TlsrTools project contains both the STM32 software (SWireSTM32) and a Windows GUI application for controlling the STM32 board.

The TlsrTools project was developed for the TLSR826x. I originally introduced changes to this project, but later I realized our TLSR8232 chip uses the same SWS protocol. This means we can simply flash this precompiled binary to our STM32 and use it as the middleman for debugging the M6.

I did not use the Windows GUI application, and instead wrote my own Python script (tlsr82-debugger-client.py) that connects to and controls the STM32 via USB. The commands and timings are tailored for the TLSR8232 SoC, but should be easily adaptable for other TLSR82xx chips.

Reading the chip ID

Register 0x007e is a special register in the TLSR that contains the chip identification. This is a good way to verify that everything is working as expected.

$ python tlsr82-debugger-client.py --serial-port /dev/cu.usbmodem6D8E448E55511 get_soc_id
Found and set suitable SWS speed: 7
SOC ID: 0x5316

Dumping the RAM

$ python tlsr82-debugger-client.py --serial-port /dev/cu.usbmodem6D8E448E55511 dump_ram ram.bin
Found and set suitable SWS speed: 7
Dumping ram to ram.bin...
0x0000 00.00%
0x0100 00.39%
...
0xfe00 99.22%
0xff00 99.61%
Writing 65536 bytes to ram.bin

Dumping the flash

$ python tlsr82-debugger-client.py --serial-port /dev/cu.usbmodem6D8E448E55511 dump_flash flash.bin
Found and set suitable SWS speed: 7
Dumping flash to flash.bin...
CPU stop.
CSN high.
0x000000 00.00%
0x000100 00.05%
0x000200 00.10
...
0x07cd00 99.85%
0x07ce00 99.90%
0x07cf00 99.95%
Writing 512000 bytes to flash.bin
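
A dump read over a hand-soldered single-wire link is worth taking more than once before it is trusted for analysis. The following added example (not part of the m6-reveng repo) compares repeated dumps in the 0x100-byte blocks shown in the progress output, majority-votes a clean image, and flags fully erased or zeroed blocks; all function names and the sample data are constructed for illustration.

```python
import hashlib
from collections import Counter

BLOCK = 0x100  # read stride seen in the dump progress output (0x000000, 0x000100, ...)


def block_report(dump, block=BLOCK):
    """Size, SHA-256, and offsets of blocks that are entirely 0xFF or 0x00."""
    erased, zero = [], []
    for off in range(0, len(dump), block):
        chunk = dump[off:off + block]
        if chunk.count(0xFF) == len(chunk):
            erased.append(off)
        elif chunk.count(0x00) == len(chunk):
            zero.append(off)
    return {"size": len(dump), "sha256": hashlib.sha256(dump).hexdigest(),
            "erased_blocks": erased, "zero_blocks": zero}


def diff_blocks(first, second, block=BLOCK):
    """Offsets of blocks that differ between two reads of the same memory."""
    if len(first) != len(second):
        raise ValueError(f"size mismatch: {len(first)} vs {len(second)} bytes")
    return [off for off in range(0, len(first), block)
            if first[off:off + block] != second[off:off + block]]


def merge_reads(reads, block=BLOCK):
    """Majority-vote every block across reads; return (image, unresolved offsets)."""
    if len({len(r) for r in reads}) != 1:
        raise ValueError("all reads must have the same length")
    merged, unresolved = bytearray(), []
    for off in range(0, len(reads[0]), block):
        chunk, votes = Counter(r[off:off + block] for r in reads).most_common(1)[0]
        if votes * 2 <= len(reads):  # no strict majority: block cannot be trusted
            unresolved.append(off)
        merged += chunk
    return bytes(merged), unresolved


def constructed_reads():
    """Constructed sample data: three 1 KiB reads, the second glitched at 0x200."""
    good = bytes(range(256)) + b"\xff" * 256 + bytes(range(255, -1, -1)) + b"\x00" * 256
    bad = good[:0x200] + b"\xff" * 256 + good[0x300:]
    return [good, bad, good]


if __name__ == "__main__":
    reads = constructed_reads()
    print("differing blocks:", [hex(o) for o in diff_blocks(reads[0], reads[1])])
    image, unresolved = merge_reads(reads)
    print("unresolved:", unresolved, "report:", block_report(image))
```

To use it on real dumps, read each `flash.bin` produced by separate `dump_flash` runs into bytes and pass them to `merge_reads`; any offset left in the unresolved list should be re-read before the image is analysed.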
Comments
  • Unable to find a suitable SPI speed

    Not an issue, just a question:

    Hello, interested in your work, I've ordered an M6 smart band to work with it.

    I've (it seems) correctly flashed the BluePill and soldered the three wires to the M6 band (GND, SWS, and RST), but the "tlsr82-debugger-client.py" program is not able to find the M6 band.

    
    python3 tlsr82-debugger-client.py --serial-port /dev/ttyACM0 get_soc_id
    Trying speed 2
    Trying speed 3
    Trying speed 4
    Trying speed 5
    Trying speed 6
    Trying speed 7
    Trying speed 8
    Trying speed 9
    ....
    many attempts later
    ...
    Trying speed 108
    Trying speed 109
    Trying speed 110
    Trying speed 111
    Trying speed 112
    Trying speed 113
    Trying speed 114
    Trying speed 115
    Trying speed 116
    Trying speed 117
    Trying speed 118
    Trying speed 119
    Trying speed 120
    Trying speed 121
    Trying speed 122
    Trying speed 123
    Trying speed 124
    Trying speed 125
    Trying speed 126
    Traceback (most recent call last):
      File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 401, in <module>
        main()
      File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 397, in main
        args.func(args)
      File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 349, in get_soc_id_main
        init_soc(args.sws_speed)
      File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 267, in init_soc
        find_suitable_sws_speed()
      File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 109, in find_suitable_sws_speed
        raise RuntimeError("Unable to find a suitable SPI speed")
    RuntimeError: Unable to find a suitable SPI speed
    

    Any tips? The only difference that I've found in my M6 band is that there is no capacitor on the RST pin....

    postimg.cc/G85BzphC

    opened by user-e 2