Reviving ‘Blinkenlights’: Extracting Smartwatch Firmware via Screen Pixels
In a groundbreaking study, security researchers have resurrected a two-decade-old technique known as Blinkenlights to extract firmware from a budget smartwatch. Originally employed to siphon data from network devices, this method has been ingeniously adapted to interface with modern Thin-Film Transistor (TFT) screens, demonstrating the enduring relevance of legacy attack strategies in contemporary cybersecurity landscapes.
Discovery of the Vulnerable Smartwatch
Analysts at Quarkslab procured an inexpensive smartwatch, priced at approximately €12, from a local retailer. Upon examination, they uncovered that the device was equipped with counterfeit health sensors incapable of accurately measuring blood pressure or monitoring sleep patterns. The smartwatch was powered by a JieLi AC6958C6 system-on-chip (SoC) and utilized Bluetooth Low Energy (BLE) for communication, initially presenting a potential avenue for firmware extraction.
Identifying the Dial Parser Vulnerability
Delving deeper, the researchers identified a critical vulnerability within the smartwatch’s dial parser. This flaw stemmed from inadequate validation of offset boundaries, leading to an out-of-bounds read condition. By exploiting this weakness, the team was able to coerce the device into displaying arbitrary memory content directly on its screen. This discovery was made after reverse-engineering the custom dial upload process and noting that the firmware parser failed to validate image offsets pointing beyond the dial’s binary data.
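The defect described above, modelled as an added example that is not Quarkslab's code and does not reproduce the real dial format: a dial blob sits in device memory between other data, and its header names the pixel data by offset and length. The header layout (two little-endian 32-bit fields), the surrounding memory contents and the function names are all constructed for illustration. The unchecked reader shows why a trusted offset hands back bytes that lie outside the dial; the checked reader shows the bounds test a parser needs, written so that a large length cannot wrap past the end.

```python
import struct

# Hypothetical dial header: <image_offset:u32, image_len:u32>, little-endian,
# followed by RGB565 pixel bytes. Offsets are relative to the start of the dial.
HEADER_LEN = 8


class DialError(ValueError):
    """Raised when a dial's image entry points outside the dial blob."""


# Constructed memory map: stand-in bytes before and after the dial region so that
# an out-of-range offset lands on data the dial must never expose.
FW_BEFORE = b"\x90" * 64
FW_AFTER = bytes(range(64))


def build_dial(image_offset: int, image_len: int, pixels: bytes) -> bytes:
    """Assemble a dial blob in the hypothetical format."""
    return struct.pack("<II", image_offset, image_len) + pixels


def load_dial(dial: bytes) -> tuple[bytes, int, int]:
    """Place the dial in the constructed memory map; return (memory, base, length)."""
    memory = FW_BEFORE + dial + FW_AFTER
    return memory, len(FW_BEFORE), len(dial)


def read_image_unchecked(memory: bytes, dial_base: int) -> bytes:
    """Mirrors the flaw: trusts the header and reads wherever offset points."""
    offset, length = struct.unpack_from("<II", memory, dial_base)
    start = dial_base + offset
    return memory[start:start + length]


def image_region_in_bounds(offset: int, length: int, dial_len: int) -> bool:
    """True only if every byte of [offset, offset+length) lies inside the dial.

    Comparing `length` against `dial_len - offset` (after confirming
    offset <= dial_len) avoids the `offset + length` sum that can wrap in
    fixed-width integer arithmetic on the device.
    """
    if offset < HEADER_LEN or offset > dial_len:
        return False
    return length <= dial_len - offset


def read_image_checked(memory: bytes, dial_base: int, dial_len: int) -> bytes:
    """Hardened form of the reader: rejects any region outside the dial blob."""
    if dial_len < HEADER_LEN:
        raise DialError("dial shorter than its header")
    offset, length = struct.unpack_from("<II", memory, dial_base)
    if not image_region_in_bounds(offset, length, dial_len):
        raise DialError(
            f"image region {offset}+{length} lies outside a {dial_len}-byte dial"
        )
    start = dial_base + offset
    return memory[start:start + length]


if __name__ == "__main__":
    pixels = bytes([0xF8, 0x00]) * 8          # eight red RGB565 pixels (constructed)
    honest = build_dial(HEADER_LEN, len(pixels), pixels)
    mem, base, n = load_dial(honest)
    assert read_image_checked(mem, base, n) == pixels

    # Offset equal to the dial length: points straight at the bytes after it.
    rogue = build_dial(len(honest), 16, pixels)
    mem, base, n = load_dial(rogue)
    print("unchecked reader returns:", read_image_unchecked(mem, base).hex())
    try:
        read_image_checked(mem, base, n)
    except DialError as exc:
        print("checked reader rejects:", exc)
```

The same pattern applies to any field in an uploaded resource that the firmware turns into a memory address: validate against the size of the object the offset belongs to, not against the size of the upload buffer or of flash as a whole.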
Exploring Alternative Extraction Methods
Before resorting to the Blinkenlights technique, the researchers explored several other methods to extract the firmware:
1. Over-the-Air (OTA) Update Feature: The team investigated JieLi’s OTA update functionality but found it only supported firmware uploads, not downloads, rendering this approach ineffective for extraction purposes.
2. Bluetooth Authentication Mechanism: The smartwatch authenticated peers with Bluetooth’s legacy E1 authentication function, using hardcoded values. Although the researchers successfully replicated this mechanism, it did not facilitate firmware extraction.
Implementing the Modern Blinkenlights Technique
Faced with these challenges, the team turned to the Blinkenlights method, adapting it for modern hardware. They developed a custom hardware setup featuring a Raspberry Pi Pico, overclocked to 200 MHz, to capture data transmitted from the smartwatch’s main SoC to the NV3030B screen controller. The screen operated with a 25 MHz clock, transmitting pixel data in RGB565 format, necessitating high-speed sampling for accurate data capture.
Technical Execution
To implement this technique, the researchers:
– Hardware Configuration: Soldered 0.1 mm diameter wires to the screen connector, enabling the Raspberry Pi Pico to interface directly with the screen’s data transmission lines.
– Data Sampling: Utilized the Pico’s Programmable Input/Output (PIO) feature to sample data bits on rising clock edges. The PIO program was optimized with only two instructions to maintain efficiency at the high sampling rate.
– Data Storage and Transmission: Captured data was stored in the Pico’s 145,000-byte buffer before being transmitted to a host computer via a USB serial port for further analysis.
Triggering the Firmware Dump
To initiate the firmware extraction, the researchers crafted malicious custom dials with manipulated offset values. These dials caused the smartwatch to read and display memory contents beyond the dial’s intended data region. The extraction process involved generating multiple custom dials, each targeting different memory addresses.
Data Reconstruction
To ensure accurate data reconstruction:
– Synchronization and Alignment: Each custom dial included a special header containing synchronization words (0xa5a5a5a5) and magic bytes (0xdeadbeef) to identify captured data blocks and verify alignment.
– Automation: Python scripts were developed to automate the generation of custom dials, data collection, and the reconstruction of firmware from individual memory slices.
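The reconstruction step above, as an added example that is not part of the original article or of Quarkslab's scripts: a capture from the screen lines is treated as a byte stream in which each block opens with the synchronization word 0xa5a5a5a5 followed by the magic bytes 0xdeadbeef. The address and length fields placed after the magic, the little-endian field order and the constructed sample stream are assumptions made for this example; the real headers are not described beyond the two marker values. The parser resynchronizes on every sync word, discards a sync that is not followed by the magic (a false hit in pixel data or a misaligned capture), drops a block whose payload is cut off, and the assembler reports which address ranges are still missing so further captures can be targeted.

```python
import struct

SYNC = b"\xa5\xa5\xa5\xa5"   # synchronization word named in the article
MAGIC = b"\xde\xad\xbe\xef"  # magic bytes named in the article
FIELDS = "<II"               # assumed: <slice_address:u32, slice_length:u32>
FIELDS_LEN = struct.calcsize(FIELDS)


def frame(addr: int, payload: bytes) -> bytes:
    """Build one block in the assumed layout: sync, magic, address, length, payload."""
    return SYNC + MAGIC + struct.pack(FIELDS, addr, len(payload)) + payload


def parse_capture(stream: bytes) -> dict[int, bytes]:
    """Return {address: payload} for every complete, well-formed block in a capture."""
    slices: dict[int, bytes] = {}
    pos = 0
    while True:
        idx = stream.find(SYNC, pos)
        if idx < 0:
            break
        hdr = idx + len(SYNC)
        if stream[hdr:hdr + len(MAGIC)] != MAGIC:
            pos = idx + 1          # not a real block header; keep scanning
            continue
        if hdr + len(MAGIC) + FIELDS_LEN > len(stream):
            break                  # header truncated at end of capture
        addr, length = struct.unpack_from(FIELDS, stream, hdr + len(MAGIC))
        start = hdr + len(MAGIC) + FIELDS_LEN
        payload = stream[start:start + length]
        if len(payload) != length:
            break                  # payload truncated; this slice must be recaptured
        slices[addr] = payload     # a repeated capture of an address replaces the old one
        pos = start + length
    return slices


def assemble(slices: dict[int, bytes], total: int) -> tuple[bytes, list[tuple[int, int]]]:
    """Lay slices into an image of `total` bytes; return (image, uncovered ranges)."""
    image = bytearray(b"\xff" * total)    # 0xff: erased-flash fill for gaps
    covered = bytearray(total)
    for addr, data in slices.items():
        end = addr + len(data)
        if end > total:
            raise ValueError(f"slice at {addr:#x} runs past the {total}-byte image")
        image[addr:end] = data
        covered[addr:end] = b"\x01" * len(data)
    gaps: list[tuple[int, int]] = []
    start = None
    for i, hit in enumerate(covered):
        if not hit and start is None:
            start = i
        elif hit and start is not None:
            gaps.append((start, i))
            start = None
    if start is not None:
        gaps.append((start, total))
    return bytes(image), gaps


if __name__ == "__main__":
    # Constructed "firmware" and a capture with junk, a false sync and blocks out of order.
    fw = bytes(range(64))
    capture = (b"\x00\x12" + frame(0, fw[0:16]) + SYNC + b"\x00\x00"
               + frame(32, fw[32:48]) + frame(16, fw[16:32]) + frame(48, fw[48:64]))
    found = parse_capture(capture)
    image, gaps = assemble(found, len(fw))
    print("slices:", sorted(found), "gaps:", gaps, "match:", image == fw)
```

Keying slices by address rather than by capture order is what makes the process restartable: a dial whose capture was garbled can simply be replayed, and the gap list says which addresses still need a dial.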
Implications and Significance
This research underscores the persistent efficacy of legacy attack techniques when creatively applied to modern embedded devices. The cost-effective hardware approach, utilizing a Raspberry Pi Pico, proved more practical than expensive logic analyzers for this specific application. It highlights the necessity for robust security measures in embedded systems, especially as attackers continue to adapt and repurpose older methods to exploit contemporary vulnerabilities.
Conclusion
The revival of the Blinkenlights technique serves as a stark reminder of the evolving nature of cybersecurity threats. It emphasizes the importance of continuous vigilance and innovation in security practices to safeguard against both new and resurrected attack methodologies.