I have some more terrible smart watches these are the expensive ones these come in boxes these showed up while I was doing the previous video they're more of the same class of device except slightly more expensive this one was $4 this one was 6 and2 so let's take a look and start with the cheap one on the top we see it as a watchmart it is a sweat proof it is sports gear it has a heart rate sensor a step sensor a blood pressure sensor and a reminder to be sedentary I suspect all of those are lies the image here is in fact deceptive it looks like it's an oldfashioned LCD but it's not it's got a TFT similar to the LT 716 which for comparison is here on the back we have underneath the annoying stickers the product specifications where it says that the chip GPU is an arm 32 cortex m0 that I'm pretty sure is a lie it has 64 MB of ROM Ram that I also think is a lie and a 240x 240 display that one might be correct correct we'll have to see down here is a list of features I suspect that under the sticker it all says yes weather alarm messaging Etc Bluetooth music remote notifications all the usual stuff that will be no doubt very cheaply and shily implemented in fact I have opened this up to charge it and I took a look and that is exactly what it is I also looked up the barcode here and there are no matches so let's open it up what did you get well this way up inside the plastic box we have a user manual which is in fact exactly the same user manual that came with the LT 716 we have the watch itself that is an engagingly chunky plastic thing until you notice that engagingly chunky buttons on the side are in fact molded into the plastic and are not part of it likewise the Torx bolts that apparently hold it together are also you know molded in I do wonder how you get it open you get two halves of the watch band and you get a bit of plastic the way it's supposed to work is that you plug these in to form the watch band and then you can put it on your wrist you charge it by plugging this amazing USB connector into USB like this and it comes to life and the first thing you notice as an actual human is that despite the fact that it's got a round screen and in fact the AliExpress listing showed a nice round image the screen is square this thing is an absolute fingerprint magnet but I can actually see in the camera viewfinder you can see the square screen here okay how does it work it's not a touchscreen it works just like the LT 716 there's a capactive sensor here and you oh wow with it lined up for the camera I can't actually see the screen at all that's okay I'm just going to have to stare at the camera viewfinder which might might make this a bit incoherent luckily there's only one control so you get your watch face you can step through various things it works just the same as the LT 716 except with more terrible Graphics let me find the the more page sleep sensor weather camera looking for reset QR code to get fit Pro and the about page and this is interesting because it looks just like the about page on this the version number is slightly different this is an LF sorry LP 715 rather than LT 716 but it is clearly the same software stack which means it's probably the same Hardware inside let me find the here you go the heart rate sensor this Bond's always entertaining yep it's a blinking green light and just like the LT 716 it lies one thing that is surprisingly hard to get on camera but you should be able to see is that the screen on this one is noticeably lower resolution than the little screen on the LT 716 when it stays on before I open it up you know it has to be done okay let's try and open this thing up now there is a seam that runs around here so I'm assuming if I stick a spudger in and leave something will happen I have not opened this this is the very first time so your guess is as good as mine what will be inside uh let's try this out come on I don't want to chew it up too badly yeah it looks like there a Clips at the corners there you go what's inside this thing the case is as expected it's exactly the same as the LT 716 case here we have a screen a little metal thing for the capacitive contact oh oh yes I must have somehow set it to a different watch face that's the one shown on the box what watch faces are there whe the camera looking for reset interesting the LT 716 the theme menu was on the watch face long press ah long press toggles between themes and yeah it's only got the two okay I assume that this leav us up I think it's stuck down yes it is o I don't want to do that uh that was actually splitting the the back of the screen off the diffuser try that I don't think this screen is very well made there we go oh doesn't that look familiar yeah it is not the same PCB that was in the LT 716 but it is closely related the position of these pads is different I don't know what TM and N are test and enable on this side most of the interesting stuff is under the sticky pad that held the screen down well that is the sticky stuff removed revealing some more pads and a model name which is LP 715 version 1.3 what I don't see is an S SWS pad let's try and take this thing out I had to take a photo to get a good look at the chip but it seems it is not a tlsr thing it's a phy 60822 something or other which is interesting so maybe it's not binary compatible with the LT 716 inside the case we have a vibrator unit a bigger and probably cheaper one than the LT 716 and the usual tiny little battery which is unlabeled okay let's put it back together again oh that's that's interesting okay it's working now right anyway okay let's take a look at this one again it is unbranded it just says Smartwatch and on this side it has even less information it is black and it is made in China nothing else what do you get well you'll immediately notice that the manual is bigger okay let's take a look at the hardware you get a USB charging cradle a watchband and the thing itself now this is interesting it is noticeably better made than the others it's still plastic possibly plastic possibly plastic but it is much heavier and much more solid the top probably isn't glass but it feels like it it has a knob on the side but no other obvious controls and however unlike the other one if I push the button push the button it's supposed to be charged there we go this has a touchcreen however if you look at the icons and the font it is very clearly the same software stack as the other one so let me walk you through the menu items uh you press the button to turn it on you tap once to get to the menu and you swipe up and down now if you go to dialer this is an actual phone dialer and this shows it really really is a touchcreen and it feels like a capacitative one it's actually not bad it's got the usual selection of stupid sports stuff the usual weather stuff just like the other one the usual stupid music player although this being a touchcreen is at least much easier to use one if you go to more about we get a very similar looking about page revealing that this is an ly 737 so it's clearly the same family of device as the other two we have a Seri thing there that does nothing a backlight thing oh this let you change the screen time out which is nice Facebook and Twitter none of which do anything QR code if you swipe left and right on the main screen this changes between the watch faces this is the default one which is kind of terrible then there's this one which is kind of terrible there's this one which is also kind of terrible and there's this I don't know why this exists moving on before it haunts my dreams we have this which is also terrible but is at least something you can live with if you like analog dials and then you're back to here if you swipe up you get to a quick menu which lets you go to the dialer a thing which I don't know what it is phone book a menu to let you change the menu style of which there are several this is one does this remind you of anything it would work better if it was slightly higher frame rate but they are clearly trying quite hard to copy a certain well-known Smartwatch vendor user interface now I need to figure out how to get it back again there we go style two is this one style three is simple icons put that back to two music player step counter the fact that this is saying zero steps makes me think it might not be completely fake and quick button to the QR code and that's about all the features this thing has oh uh one very important thing I have demonstrated the heart rate sensor yes it's more flashing green lights and despite the nice art it does not display a graph of your heart rate and it just makes up all the numbers one thing which doesn't do anything is the dial I'm not sure if it's just not hooked up to anything or whether it doesn't actually you know operate as a rotating dial but the only way to find that out is to open it up look at all that stuff this is a complex thing and look you actually have a l cabled battery says it's 200 milliamp that's the ribbon cable to the screen which I notice is not plugged in all the way but the screen does seem to work this will be the connector to the capacitive touchcreen I don't know what this is for it could well be the fake heart rate sensor that's the vibrator that could be the C CPU but I think it's more likely the CPU was on the bottom if so this makes this thing substantially more complicated if it actually has two chips on it there even got a screw fasting the PCB in and there's an unpopulated thing here that I can't quite make out from my angle this is the button and yes it's a very simple tactile button that does not go around let's see if I can get that PCB out and have the thing still work afterwards it is all fraud cuz this thing is live yes this cable is for the fake heart rate sensor and also the button there's a thing here I think this could have an actual microphone oh and there's a another screw under there this metal thing that's underneath is stuck down you know what I think this metal thing is the vibrator and I think that is a microphone and that thing around there is a speaker I think this has actual voice capabilities what I don't see here is any kind of CPU so that tiny chip on the other side must be the CPU okay I don't think I'm going to get anywhere if I take this apart further other than breaking things um I could pull it out on for breakout board but I don't want to do that at this point so I am going to try and put this back together again so here it is thankfully still working now this is potentially quite a nice device loudspeaker microphone an actual touch screen the viewing angle of the screen is bad but it functions it's reasonably well made it's got a decent sized battery I need to find out what CPU this thing has I didn't get a good look at it during the tear down so I think I actually actually a bit premature about sticking the screen back on and I'm going to take it off again and put this under the microscope so here are those two chips I was looking at a CST 8160 and a whatever that is there's a unpopulated thing here and opposite it is this unpopulated thing here that I spotted earlier I think these are for buttons or knobs the actual knob this is just a simple tactile switch on this little daugh board you can see the flex cable there only has like two wires so I think think that what these are for that one and that one are for quadrature encoder turnable knobs load a different firmware package onto the same board put it in a different case and you get a much more upmarket device here's the dodgy connector to the screen but I'm not going to touch it because it does seem to work but I am going to spin it around disorienting and fold the screen out of the way because under it is another chip a YC 11133 eq1 1528 next to it there's a clock Crystal at 24 MHz so I think this is the CPU that makes this a 3 CPU device which is pretty highend for these cheap smart watches it's also worth noting this is the battery that the battery does seem to have a actual overvoltage protection circuit which is nice I was unable to tell whether the little batteries and the watches had one or not I went and looked up some data sheets let's start with the cheap watch because I kind of owe it an apology because it really is a arm cortex m0 it's actually quite a nice one this chip has 64k of RAM a variable amount of Flash the one I've got has half a megabyte a onboard ROM which contains the Bluetooth stack and a lot of other useful utilities and a bootloader which if I find it allows you to reflash it from a Serial Port so you don't need to fiddle about with J tag and S swd debugging which by the way it also has this is quite a decent chip it's got the usual million different features such as SPI i s t uart analog and digital audio input and you can use the pwm functionality which I can find it here it is to do audio output it's also got keyboard support although of course this particular watch only has a single button so this is kind of wasted and you know no microphone or loudspeaker looking at the io pins we have a pin here marked test mode which is probably the TM pin that we saw on the PCB and I suspect that the others are wired to various other programming pins however I don't know what test mode actually does the documentation here doesn't mention it the bottom four pins seem to be used for both JTAG and arm style s swd although here they are labeled sdw but that's nice because even without using the bootloader this means that I should be able to just plug in one of my cheap knockoff arm debuggers and make it work the chip is made by five plus a Chinese company out of Shanghai which I've actually been to they have a relatively flashy looking website from which you can download the SDK except the website is largely broken and there are no download links if you go to the Chinese version there is an entry in this table which you also cannot download plus the various links to things like the ecosystem don't work support doesn't work at least that's a Wiki and so on luckily there is a copy of the SDK which has been dumped onto GitHub it only works with Keel but I have found someone who's managed to Port most of it to GCC the problem is the SDK itself if I find a file is full of lawyer bombs this is confidential you are not allowed to use this unless you're deploying it in one of these devices which all makes it complicated to work with for open source software and of course just to make life more complicated because a large proportion of the software stack is actually on ROM then just linking a simple binary blob and running it isn't going to work you need to be aware of all the memory locations that the ROM codee's going to use so that your application doesn't step on it for I'm poking around at the examples it looks like let me find one uh let me find a simple one let just go to button Source main this initializes your application and you notice that this is just calling operating system functions your actual application is a a driven thing which is called into by the operating system in fact that's not doing anything here we go yeah it's using callbacks rather than a simple event Loop but the other example I looked at does use a event Loop but all in all I think this is fairly straightforward to work with the toye Internet of Things platform supports it and in fact there is quite a lot of useful information about how to do stuff like flashing and so on a lot of this pinout stuff is specific to this particular development board which unfortunately is not the device I have but this does reference things like where is it this screenshot is for a tool called five plus kit that actually does the flashing via the uart it seems to work the usual way in that you reset the board the boot loader runs this tool pings the bootloader before it has a chance to run your application and then it can just control everything actually finding a copy of five plus kit is left as an exercise for the reader let's move on to the other watch starting with the smallest the 9 212 I have no idea what it is I haven't been able to find any information there just isn't enough written on the top of the chip it's probably something really boring like a audio amplifier the middle-sized one however is a capacitance chip it runs the touch screen and it is honestly not that interesting moving on the CPU is a Yi chip YC 11133 there's not a lot of information on these but it's another Arm based blle system on a chip this one is interesting because it's actually dual core the other core is a quote risk core unquote which means it's probably some proprietary thing which handles all the protocol layer of stuff like the other chip it's also got a 96k of ROM plus some dedicated Ram so it basically runs its own operating system and does all your Bluetooth stack stuff I assume this one the application processor calls it to get stuff done which is great like the other chip it means that your Bluetooth stack doesn't have to take up valuable application space and the fact that this one has its own Ram is even better this one has slightly less Ram 56k plus a cache of 16k for the flash emulation via SPI which is fairly powerful the course for this kind of thing this one also supports PS Ram as well as USB stuff and an SD card interface which is interesting normally just hook those up to the SBI bus unfortunately that's where the good news ends this is basically everything I managed to find on it which is not a lot in order to get at any more information and the SDK and stuff like that you have to sign up to Y Chip's developer program program which I have or at least I've sent them an email and I don't honestly expect them to answer but we'll see unlike the other chip this one does not seem to have s swd or J tag or at least it's not mentioned here it does have this IC pin which I can't highlight let me find the actual pin out list this one which is the debug Port it looks like it's a proprietary singlewire debug system which is a bit of a shame however chances are this is wild speculation that whatever OS the data processor is running probably acts as a Bootloader for the arm so it may be possible to use this to flash the rest of the system but there's no information here here on that comparing the two systems the second watch is clearly better made and more sophisticated I mean it's got a touchcreen and the CPU in it this one is more powerful strictly the application processor on this only has 56k where the other one had 64 but it's not having to share that with the Bluetooth stack because in this one the Bluetooth stack runs in the data processor which has its own dedicated r however the other watch seems to be much simpler and easier to work with and has useful test pads for doing useful things with so I think that one might be a better candidate for hacking either way I was totally expecting both of these watches to just use exactly the same Hardware as in the original LT 716 that is the telink proprietary tc32 CPU which they're not these are both excellent small processors there's a lot of stuff you can do with these 56k is tons of memory for running micropython the other one you get 48k after the operating system has taken its cut this is enough that you'd probably be able to run the Bluetooth stack so you'd end up with a proper micropython powered Bluetooth SmartWatch which is very cool now I I was going to leave it there and improvise some kind of conclusion however I had to take this thing apart to get the microscope shot of the chip in the last shot and while doing so I accidentally broke it the flex connector where it joins the PCB is no longer making good contact it's a little hard to demonstrate but if I squeeze here there we go the screen lights up if I don't put pressure on the flex connector then it doesn't light up let me of course it actually tries to turn the screen off a bit you see it's flickering it's not making good contact and it's been getting gradually worse it used to be that if I squeezed it and pressed the button it would actually produce an image but it doesn't anymore what will have happened is that there's an edge there which hinges like that but it's not really supposed to and I bet that where the solder meets the flex connector that's crack is no longer making good contact I'm sure this is fixable if I knew how but I don't which basically means that this device is now useless as a watch because the screen won't work however this does open up a interesting possibility if I take the screen off completely it becomes much easier to reverse engineer I wasn't actually planning on doing this because I wanted this to be a quick short video but let's give it a try and see what happens and that's where it all disappointingly Peters out because I have got nothing useful from this board desoldering the screen was easy enough it just took a little bit of work with the hot air gun and it came right off from there I was able to sold wires onto the various test pads and then I hooked it all up to another of my Surplus pcbs here unfortunately the next step which was beeping out which pad was connected to which pin of the CPU was both incredibly difficult because the circuitry on this thing is much smaller than on the LT 716 there should be b-roll footage here showing what I was trying to work with but the PIN assignment just doesn't really make any sense the RX and TX lines are not connected to the bootloaders art they are connected to a couple of random gpios the bootloader uart itself the TX and RX lines are bridged together and connected to en here which doesn't really make any sense and renders them useless for bootloader purposes TM is connected to the test mode line so that's something and I have discovered that if I raise this High the system doesn't start up but yeah I have no idea what's going on here the one interesting thing I found is that if I pull the power and restart it from cold this light this green one goes on for a few seconds that's the heart rate sensor it goes on dimly I checked this with the oscilloscope and it is actually being set to a low voltage rather than there being some kind of Serial data on that pin this is most likely to be bootloader related either the bootloader is deliberately setting that PIN to that state for some reason of its own and then the firmware resets it when it starts up a few seconds later or the pin happens to be initialized to some random value on Startup and the bootload is not touching it either way it does suggest that the bootloader runs for a couple of seconds before the rest of the system starts up which is interesting but yeah this board's a bit of a dead loss editor me here it took me five takes to do that last bit and on the only take which worked I once again forgot to mention pvx who has done a lot of work in reverse engineering these devices in particular one of the things I pulled from ppv X's GitHub repository is a python tool which is capable of talking to the bootloader on phy 6222 devices and upload to and download from The Flash just on the off chance that I had managed to Mis probe everything I did hook it up and see if I could make it do anything which it didn't but it did show one issue which is that just like with the LT 716 the tooling here wanted access to the reset line and what you're looking at is microscope footage of me attempting to solder a wire to the very very tiny component which gives access to the reset line I failed so anyway thank you to pvx for doing all this work I wish I had discovered that stuff earlier and now let's move on to the improvised conclusion so conclusion time in this video and the last one I have looked at these three watches turn that screen back on over here we have the LT 716 this is an interesting Oddity of a device which I have managed to flash with a corupted fer image which is why it's showing garbage but it does still work this is mainly interesting because of its weird CPU as a watch it's pretty much useless because of the small battery and the single button it is potentially interesting as a repurposed other device but the 16k of RAM is extremely limiting over here we've got the lp 715 this is just the empty shell because the rest of it is stuck to my PCB over there this is a much more powerful device and if it could be repurposed this would be genuinely useful as a watch it's crippled by having just one button the small battery is also a big problem this could very easily be repurposed this the ly 737 this is nice this is got decently made Hardware it's got a better CPU it's got a touchcreen it's got microphone and speaker this would would actually make a decent watch the bigger battery is a huge Improvement I charged this yesterday I have to have it plugged into a power supply now because it doesn't work anymore this I charged about a week ago it's still working however I've been focusing and trying to repurpose these things by modifying them attaching stuff to the debug Port so that they can be reflashed of these three Watchers I've succeeded with one I failed with another and I haven't even tried with this one modifying them is just hard if these are going to be repurposed clearly thing to do is to find a way to reflash them via Bluetooth over the air so that you can reprogram them without needing to open the case at all that would be ideal this will require significant reverse engineering luckily these all use the same application fit Pro so it's very likely that they use the same flash mechanism for overthe a reprogramming I have found information from somebody who has attempted to reverse engineer this this was based on one of these LT 716ers they got as far as bricking the device less than helpful but does at least demonstrate that they managed to program something I think it's highly plausible that with a bit of work the protocol could be reverse engineered the rest of the way to allow these things to be reflashed completely developing a flash image that is capable of being reflashed over the air using the Bluetooth stack will be work it will require interacting with the sdks of these Watchers I've got the SDK for this one I've got the SDK for this one I have not been able to get the SDK for this one but they're all different I was completely expecting these to all be the same Hardware inside they are not clearly the cheap and nasty Smartwatch scene is much more diverse than I was expecting anyway I am not intending to do any of that at least not just yet I am going to put all this lot away and go and work on something else because I am sick of these by now still I hope these made for interesting and potentially entertaining videos there is so much useful CPU power locked away in these incredibly cheap little devices it would be great to figure out something cool to do with them this one in particular this could be an actual watch so calling it there as always I hope you enjoy this video and please let me know what you think in the comments and I would say that I'm now going to get some rest but I have to start video editing goodbye bye
2024-07-10