TomTom GPS smartwatch hacking

Here is some very interesting reading related to the obvious buzzword of the year, The Internet of ThingsThis article series I was tipped to take a look is about embedded firmware hacking and reverse engineering of an IoT device, a TomTom Runner GPS Smartwatch.

Hacking Smartwatches – the TomTom Runner, part 1 article introduces the device and gives a detailed overview of its inner workings.

Hacking Smartwatches – the TomTom Runner, part 2 shows that we can  execute arbitrary code inside our watch, but we’re still pretty much in the dark

Hacking Smartwatches – the TomTom Runner, part 3 (final) contains the rest of the details. It is possible to do runtime debugging of the dumped bootloader, including QEMU+ IDA configuration, and creating a runnable ELF binary to debug natively in ARM systems with GDB.

This series of posts will focuses on  reverse engineering of embedded systems. It will show how TomTom Runner GPS Smartwatch was hacked without physical tampering: a memory corruption vulnerability exploitable via USB and it was used gain access to its encrypted firmware. Slidedecks of this work is also available here. There is also a github repository where to find the scripts and other tools / notes used in this research.

Here’s some main details what we know bout the device:

  • It’s an ARM device running an ATmel MCU with a Cortex-M4 processor;
  • Its firmware is distributed encrypted
  • It has a 4 Megabyte EEPROM which contains a filesystem with interesting stuff,
  • Most of the USB protocol has been reversed

 

The list of the tools used in this research is long (and could be useful for other applications as well):

Binwalk (Firmware Analysis Tool) http://binwalk.org/
Bluetooth LE app for TomTom Runner/MultiSport GPS watch https://github.com/dlenski/ttblue

Linux TomTom GPS Watch Utilities https://github.com/ryanbinns/ttwatch
Wireshark (Network protocol analyzer) https://www.wireshark.org/
USBPcap (USB Packet capture for Windows)  http://desowin.org/usbpcap/
VBinDiff (Visual Binary Diff) https://www.cjmweb.net/vbindiff/

Search engine for FCC site (web app)  https://fcc.io/

Hexinator (advertised as World’s finest Hex Editor) https://hexinator.com/

Linux system with an ARM cross compiler toolkit (no cross compiler needed on an ARM machine, such as a Raspberry Pi 2):

as (the portable GNU assembler) https://sourceware.org/binutils/docs/as/
objdump (display information from object files) https://sourceware.org/binutils/docs/binutils/objdump.html
ld (the GNU linker) https://sourceware.org/binutils/docs/ld/

python programming language https://www.python.org/

ent (a pseudorandom number sequence test program, calculates entropy and other metrics) http://www.fourmilab.ch/random/

IDA (Interactive DisAssembler) https://www.hex-rays.com/

Other debuggers and front ends:

Insight (a graphical user interface to GDB) https://www.sourceware.org/insight/
DDD (GNU DDD is a graphical front-end for command-line debuggers) https://www.gnu.org/software/ddd/
GDB (the GNU project debugger) https://www.gnu.org/software/gdb/

QEMU (a generic and open source machine emulator and virtualizer) http://wiki.qemu.org/

0 Comments

Be the first to post a comment.

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*