Raphael
30 May, 17 tweets, 5 min read
I spent some time this weekend looking into another cheap smart watch. This one sells for $17 on AliExpress. Watch & box
There is no product name in the box & the marketing pics are a little misleading. The display is not even round, but just a square of 240x240 pixels. It's just glued to the middle of the dial
Inside there's the mysterious HS6620 system-on-a-chip. It's an ARM Cortex-M3 with 128KB of RAM. We can also see an external 1MB SPI flash chip in there
As far as I can tell, all the info around this SoC is private. This includes the SDK, internal details, memory map. I couldn't find much, except a high level 30-page datasheet. It does look to draw a lot of inspiration from Nordic's nRF52 series
I naively assumed the SCL & SD pads on the back were SWD programming ports and wasted many hours trying to talk to them 🤦‍♂️
So I looked at the pinout in the datasheet and followed the real SWDCLK and SWDIO pins, beginning from the SoC
It turns out they arrive neatly at these little through holes. I soldered four wires there and hooked it up to my JLink
Success! We can now inspect its memory. For example, we can read the first 32 bytes at address 0x0
And we can dump the whole 128KB of RAM to a file
Next I turned to the SPI flash. My original idea was to desolder it and use another microcontroller to talk to it via... well, SPI
But here's where things take an interesting turn. Searching for HS6620 on GitHub yields very few results, but among them are someone's dotfiles, and they contain a set of Python extensions for talking to HS6620 through gdb! 🤯 Here it is: github.com/fengyichui/.do…
I don't know where this comes from, but it seems part of the workflow of someone who has great, non-public info about working with these chips.
What I find most amazing is that in there, there's a way to talk to the SPI flash through the CPU itself. The HS662X.GDB.FLM file in that repo seems to be a little firmware that acts as the middleman between gdb <-> CPU <-> SPI flash.
So when gdb starts, it loads this little firmware to the SoC's RAM and now gdb has a very convenient read/write access to flash. This is where this firmware is loaded up: github.com/fengyichui/.do…
So I got these gdb scripts, modified them a little for macOS and lo and behold... It actually works flawlessly as far as I can tell!
If we compare the RAM and flash dumps, we can see where the program starts in flash - at 0x3000
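An added example, not part of the thread or of the linked repo: a Python script that automates the RAM/flash comparison above. It slides over the RAM dump, looks each chunk up in the flash dump, votes on the offset difference to find where the RAM-resident image sits in flash, and then sanity-checks the Cortex-M vector table at that offset. The sample dumps are constructed, and the 0x20000000 SRAM base is a generic Cortex-M assumption, not a documented HS6620 value.

```python
"""Locate where a program image copied into RAM lives in an SPI flash dump.

Added example; works on two raw dumps like the RAM and flash files described
in the thread. Sample dumps below are constructed; the SRAM base is a generic
Cortex-M assumption, not a documented HS6620 value."""
import random
import struct
from collections import Counter

RAM_BASE, RAM_SIZE = 0x20000000, 128 * 1024   # assumption: generic Cortex-M SRAM map

def find_image_in_flash(flash, ram, window=32, stride=32, min_votes=4):
    """Slide over the RAM dump, look each window up in the flash dump and vote on
    (flash_off - ram_off). Returns (flash_offset, ram_offset) of the start of the
    matched region, or None if no consistent match exists."""
    votes, first = Counter(), {}
    for ram_off in range(0, len(ram) - window + 1, stride):
        chunk = ram[ram_off:ram_off + window]
        if len(set(chunk)) < 6:          # skip 0x00/0xFF padding and other low-entropy data
            continue
        pos = flash.find(chunk)
        while pos != -1:
            delta = pos - ram_off
            votes[delta] += 1
            first.setdefault(delta, (pos, ram_off))   # lowest offsets seen for this delta
            pos = flash.find(chunk, pos + 1)
    if not votes:
        return None
    delta, n = votes.most_common(1)[0]
    return first[delta] if n >= min_votes else None

def looks_like_vector_table(blob, off):
    """Cortex-M sanity check: word 0 is an initial SP inside RAM, word 1 a Thumb reset vector."""
    if off + 8 > len(blob):
        return False
    sp, reset = struct.unpack_from("<II", blob, off)
    return RAM_BASE < sp <= RAM_BASE + RAM_SIZE and sp % 8 == 0 and reset & 1 == 1

# Constructed sample dumps: an erased 1 MB flash with a 4 KB program image placed at
# 0x3000, and a 128 KB RAM dump where the same image was copied to offset 0x200.
_rng = random.Random(1)
PROGRAM = struct.pack("<II", RAM_BASE + RAM_SIZE, RAM_BASE + 0x200 + 0x41) + _rng.randbytes(4096 - 8)
FLASH = bytearray(b"\xff" * (1 << 20)); FLASH[0x3000:0x3000 + len(PROGRAM)] = PROGRAM
RAM = bytearray(RAM_SIZE); RAM[0x200:0x200 + len(PROGRAM)] = PROGRAM
FLASH, RAM = bytes(FLASH), bytes(RAM)

if __name__ == "__main__":
    hit = find_image_in_flash(FLASH, RAM)
    if hit:
        print(f"image at flash 0x{hit[0]:x} (RAM 0x{hit[1]:x}), "
              f"vector table ok: {looks_like_vector_table(FLASH, hit[0])}")
```

On real dumps, read the two files with `open(path, "rb").read()` and pass them in place of the constructed FLASH and RAM.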
If you've made it this far, I put all the info & dumps in github.com/rbaron/HS6620D…
Thanks for reading! 🤓