
ttwatch -r 0x00013000 does not create crashfile

Open Calimerorulez opened this issue 8 years ago • 9 comments

Hi,

I've managed to crash the watch by uploading the payload, but I'm not sure which base address I should input as the parameter for dump_script.py.

After crashing the watch, the command 'ttwatch -r 0x00013000' in the script gives "unable to read file" and the python script crashes.

What am I doing wrong?

Calimerorulez avatar May 19 '16 13:05 Calimerorulez

Hi,

You are likely doing everything right. New versions of the firmware no longer produce a crash log file. You should try to downgrade to a vulnerable firmware version.

lgrangeia avatar May 24 '16 23:05 lgrangeia

Ok, thank you for your reply. Sadly, as far as I am able to try, I'm not able to downgrade to a lower version.

I downloaded the 1.8.42 firmware files, but the watch does not flash them when they are offered by the ttwatch Linux tool.

Calimerorulez avatar May 29 '16 20:05 Calimerorulez

Interesting... It should. When did you buy your watch, and what was the original firmware version you had when you bought it?

Also, send me the commands you're using to load the firmware into the watch please.

Regards,

LG

lgrangeia avatar Jun 06 '16 16:06 lgrangeia

Hi Luis,

Finally an update... I managed to downgrade the firmware of my Runner from 1.8.52 to 1.8.42 by tricking ttwatch to fetch the old firmware files from my local webserver.

But now I'm stuck. The watch crashes after selecting the German language after using "python dump_script.py dodump.s 0x00400000".

But no crash file :(

Calimerorulez avatar Nov 02 '16 18:11 Calimerorulez

Hey Calimerorulez,

Did you flash all the files of 1.8.42 or just some of them?

fralik avatar Dec 16 '16 20:12 fralik

To answer my own question: I did flash only these files in the end:

0x000000F0
0x00810000
0x00810001
0x00810002
0x00810003
0x00810004
0x00810005
0x00810008
0x00810009
0x0081000A
0x0081000B
0x0081000C
0x0081000D
0x0081000E
0x0081000F

fralik avatar Dec 18 '16 15:12 fralik

I'm kinda late to the party, but I just wanted to point out that the watch still produces crash files in 0x00013000; it's just not possible to make the watch crash by modifying the language files (at least not in the same way) anymore.

File 0x00013000 on my Spark Cardio Music watch contains two crash reports in this format:

CRASHSTART
timestamp,28-02-2017 15:46:37
sw_version,1.3.255
r0,0x00000000
r1,0x00000001
r2,0x00000000
r3,0x00000001
r13,0x0042e509
r14,0x004ec19d
r15,0x00000000
psr,0x00000000
bfar,0x00000000
cfsr,0x00020000
hfsr,0x40000000
dfsr,0x00000000
afsr,0x00000000
batt_v,4310
batt_p,0098
batt_rem,257270
jenkbuildid,jenkins-oslo-innsbruck-rcl 12 12
p4branch,RCL
p4cl,2563981
jenknode,sports-autobuild-02
CRASHEND

DEBUGBUF: 3560, 43%
FSERR[1] File_DeleteConfig Line:919
FSERR[1] File_Delete Line:977
MW TASK STACK CHECKING - Highwater values
Task: " Timer_Task", id: 0, stack size: 2048, use: 616, 30%
Task: " compass_mgr", id: 3, stack size: 2048, use: 912, 44%
Task: " data_logger", id: 4, stack size: 3072, use: 1456, 47%
Task: " location mgr", id: 6, stack size: 3584, use: 1992, 55%
Task: " usb_mgr", id: 7, stack size: 2048, use: 152, 7%
Task: " ohr_mgr", id: 8, stack size: 3584, use: 1208, 33%
Task: " ohr_afe", id: 9, stack size: 1600, use: 96, 6%
Task: " dbg_mgr", id: 10, stack size: 1024, use: 208, 20%
Task: " pwr_mgr", id: 11, stack size: 2256, use: 1464, 64%
Task: " hci_tx", id: 13, stack size: 1536, use: 592, 38%
Task: " hci_rx", id: 14, stack size: 3072, use: 1792, 58%
Task: " bcm_audio_mgr", id: 15, stack size: 1024, use: 192, 18%
Task: " gnss_reader", id: 5, stack size: 4096, use: 328, 8%
Task: " GNSS_service", id: 16, stack size: 4096, use: 1360, 33%
Task: " mems_mgr", id: 17, stack size: 1536, use: 1152, 75%
Task: " baro_mgr", id: 18, stack size: 1536, use: 256, 16%
Task: " sensor_mgr", id: 19, stack size: 2560, use: 776, 30%
Task: "sensor_mgr_sync", id: 20, stack size: 1024, use: 320, 31%
Task: " step_mgr", id: 21, stack size: 1024, use: 784, 76%
Task: " bt_mgr", id: 22, stack size: 4096, use: 1936, 47%
Task: " mock_mgr", id: 23, stack size: 1536, use: 928, 60%
Task: " display", id: 12, stack size: 1024, use: 368, 35%
Task: " ui_prod_mgr", id: 24, stack size: 1024, use: 200, 19%
Task: " Audio_ADM", id: 25, stack size: 1024, use: 88, 8%
Task: " Audio_MDM", id: 26, stack size: 3584, use: 168, 4%
Task: " Audio_AVM", id: 27, stack size: 1536, use: 184, 11%
Task: " Audio_AM", id: 28, stack size: 1792, use: 176, 9%
Total mw stack utilisation: reserved 58384, used 19704, 33%
Application stack utilisation: reserved 8192, used 3720, 45%

I think these crashes were produced (unintentionally) by putting badly formatted playlists on the watch, so another attack point for the music watches might be modifying the playlist files on the watch.

Grimler91 avatar May 16 '17 08:05 Grimler91
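An added example (not code from this thread or from the tomtom-hacking repository) that parses the CRASHSTART ... CRASHEND record format quoted above and decodes its cfsr/hfsr fields with the ARMv7-M fault status bit layout, so a dumped 0x00013000 file can be triaged without reading registers by hand. The sample record is constructed from the one posted above, trimmed to a few fields.

```python
"""Parse TomTom crash records (CRASHSTART ... CRASHEND blocks read from
file 0x00013000) and decode the Cortex-M fault status registers in them."""
import re

# Constructed sample, cut down from the report quoted in the thread; extra
# fields such as batt_* are simply kept as strings by the parser.
SAMPLE = ("CRASHSTART timestamp,28-02-2017 15:46:37 sw_version,1.3.255 "
          "r0,0x00000000 r14,0x004ec19d r15,0x00000000 psr,0x00000000 "
          "bfar,0x00000000 cfsr,0x00020000 hfsr,0x40000000 dfsr,0x00000000 "
          "jenkbuildid,jenkins-oslo-innsbruck-rcl 12 12 p4branch,RCL CRASHEND")

# Bit names from the ARMv7-M Architecture Reference Manual (CFSR = MMFSR |
# BFSR << 8 | UFSR << 16; HFSR is separate).
CFSR_BITS = {0: "IACCVIOL", 1: "DACCVIOL", 3: "MUNSTKERR", 4: "MSTKERR",
             7: "MMARVALID", 8: "IBUSERR", 9: "PRECISERR", 10: "IMPRECISERR",
             11: "UNSTKERR", 12: "STKERR", 15: "BFARVALID", 16: "UNDEFINSTR",
             17: "INVSTATE", 18: "INVPC", 19: "NOCP", 24: "UNALIGNED",
             25: "DIVBYZERO"}
HFSR_BITS = {1: "VECTTBL", 30: "FORCED", 31: "DEBUGEVT"}

# "key,value" pairs separated by spaces. A value runs until the next "key,"
# token, because values such as timestamp and jenkbuildid contain spaces.
FIELD_RE = re.compile(r"(\w+),(.*?)(?=\s\w+,|\s*$)")


def parse_crash_records(text):
    """Return one dict per CRASHSTART...CRASHEND block; 0x values become ints."""
    records = []
    for body in re.findall(r"CRASHSTART(.*?)CRASHEND", text, re.S):
        rec = {}
        for key, val in FIELD_RE.findall(body.strip()):
            rec[key] = int(val, 16) if val.startswith("0x") else val
        records.append(rec)
    return records


def decode_bits(value, names):
    """Names of the set bits in a status register, lowest bit first."""
    return [name for bit, name in sorted(names.items()) if value & (1 << bit)]


def summarise(rec):
    """One-line triage summary: stacked pc (r15), lr (r14) and fault flags."""
    flags = decode_bits(rec["cfsr"], CFSR_BITS) + decode_bits(rec["hfsr"], HFSR_BITS)
    return "pc=0x%08x lr=0x%08x faults=%s" % (rec["r15"], rec["r14"], ",".join(flags))


if __name__ == "__main__":
    for rec in parse_crash_records(SAMPLE):
        print(rec["timestamp"], rec["sw_version"], summarise(rec))
```

For the record above this reports INVSTATE plus FORCED, i.e. a UsageFault (invalid execution state) escalated to HardFault, with a stacked pc of 0; that combination is what a jump to an invalid address looks like on Cortex-M, which is useful to know when deciding whether a crash is worth digging into further.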

Hello @Grimler91,

Thank you so much for this! I confess I didn't play much with this in the past couple of years, but this post made me want to go back to it :)

I also own a Spark now, maybe I'll get back to hacking it :)

Can you post the badly formatted playlists here? Alternatively DM me on twitter (@lgrangeia).

Cheers!

LG

lgrangeia avatar May 21 '17 22:05 lgrangeia

@lgrangeia, thank you for writing the blog posts; they have been a very interesting read and made me want to learn assembly! :)

I had large audio files and specified a song-duration that was way shorter than the actual duration. Trying to change playlist while having an activity paused then (sometimes) freezes the watch and results in these crashes. Maybe it's just due to the songs being long and not really a badly configured playlist. It's not really as well controlled and easy to reproduce as the crashes from manipulating the language files, unfortunately.

Anyway, good to know that the watch still saves crash logs to the same place.

I'll continue to tinker with my watch and keep you posted on any success :)

Grimler91 avatar May 25 '17 16:05 Grimler91