Researchers Revive 2000s ‘Blinkenlights’ Technique to Dump Smartwatch Firmware via Screen Pixels

Security researchers have extracted the firmware of a budget smartwatch by reviving a roughly 20-year-old attack method originally used to read data out of network devices through their status LEDs.

The technique, known as "Blinkenlights", was adapted from blinking LED indicators to the TFT screen of a modern device: whatever the watch draws on its display can be captured and decoded by an attacker with physical access.

Quarkslab analysts bought the smartwatch for roughly €12 from a local store and found that its advertised health sensors were fake: the device could neither measure blood pressure nor track sleep.

The watch is built around a JieLi AC6958C6 system-on-chip and communicates over Bluetooth Low Energy, which initially looked like the most promising avenue for firmware extraction.

While analyzing the watch, the researchers found that the parser for custom dials (watch faces) did not bounds-check the image offsets it read from an uploaded dial.

The flaw is an out-of-bounds read: by pointing an image offset outside the dial data, an attacker makes the device render arbitrary memory contents as pixels on its own screen.

Quarkslab found the weakness after reverse-engineering the custom dial upload process: the firmware parser never validated image offsets that pointed outside the dial's binary data.
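The missing offset check, modelled in Python as an added example. This is not Quarkslab's or JieLi's code: the dial layout (a "DIAL" magic, an image count, a table of offset/length pairs followed by pixel payload), the flat memory map and the firmware stand-in are all assumptions chosen to show the failure mode, since the article does not describe the real format. The vulnerable reader trusts the table and returns whatever DIAL_BASE + offset points at; the hardened reader refuses any entry that does not lie inside the uploaded blob.

```python
"""Model of an unchecked dial-image offset (constructed example, not the
vendor's or Quarkslab's code). Dial layout and addresses are assumptions."""
import struct

DIAL_MAGIC = b"DIAL"             # assumed header magic
HDR = struct.Struct("<4sI")      # magic, number of images
ENTRY = struct.Struct("<II")     # per-image offset and length, relative to dial start

# Constructed flat memory map: the uploaded dial is staged at DIAL_BASE and a
# recognisable "firmware" region sits above it.
MEM_SIZE = 0x2000
DIAL_BASE = 0x0100
FW_BASE = 0x1000
FIRMWARE = bytes(range(256)) * 4  # 1 KiB stand-in for code the screen should never show


def build_dial(entries, payload=b""):
    """Serialise a dial. The (offset, length) pairs are written verbatim, so a
    caller can deliberately point an entry outside the blob."""
    table = HDR.pack(DIAL_MAGIC, len(entries))
    table += b"".join(ENTRY.pack(off, ln) for off, ln in entries)
    return table + payload


def load_memory(dial):
    """Stage the dial and the firmware stand-in in the constructed memory image."""
    mem = bytearray(MEM_SIZE)
    mem[DIAL_BASE:DIAL_BASE + len(dial)] = dial
    mem[FW_BASE:FW_BASE + len(FIRMWARE)] = FIRMWARE
    return mem


def _entry(dial, index):
    magic, count = HDR.unpack_from(dial, 0)
    if magic != DIAL_MAGIC or index >= count:
        raise ValueError("bad dial header or image index")
    return ENTRY.unpack_from(dial, HDR.size + index * ENTRY.size)


def read_image_vulnerable(mem, dial, index):
    """Trusts the table: pixels come from wherever DIAL_BASE + offset points."""
    off, ln = _entry(dial, index)
    start = DIAL_BASE + off
    return bytes(mem[start:start + ln])


def read_image_hardened(mem, dial, index):
    """Same read, but offset and length must lie inside the uploaded blob and
    past the header table. Python ints do not wrap, so off + ln cannot
    overflow around the check the way a 32-bit add in C could."""
    off, ln = _entry(dial, index)
    table_end = HDR.size + ENTRY.size * HDR.unpack_from(dial, 0)[1]
    if off < table_end or ln == 0 or off + ln > len(dial):
        raise ValueError(f"image {index}: offset/length outside dial data")
    start = DIAL_BASE + off
    return bytes(mem[start:start + ln])


def demo():
    """A benign dial renders its payload; a crafted one leaks firmware bytes
    through the vulnerable parser and is rejected by the hardened one."""
    payload = b"PIXEL_OK"
    table_end = HDR.size + ENTRY.size          # one image entry
    benign = build_dial([(table_end, len(payload))], payload)

    # Point the single image 0x10 bytes into the firmware region instead.
    crafted = build_dial([(FW_BASE - DIAL_BASE + 0x10, 64)])

    mem_b = load_memory(benign)
    mem_c = load_memory(crafted)
    try:
        read_image_hardened(mem_c, crafted, 0)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "benign": read_image_vulnerable(mem_b, benign, 0),
        "leaked": read_image_vulnerable(mem_c, crafted, 0),
        "hardened_rejects_crafted": rejected,
        "hardened_accepts_benign": read_image_hardened(mem_b, benign, 0) == payload,
    }


if __name__ == "__main__":
    r = demo()
    print("leaked firmware bytes:", r["leaked"][:8].hex(), "...")
    print("hardened parser rejected crafted dial:", r["hardened_rejects_crafted"])
```

The check belongs on the offset and the length together: validating the offset alone still lets a large length run past the end of the blob, and in a 32-bit parser the sum itself needs an overflow guard.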

Smartwatch's main system-on-chip (Source - Quarkslab)

The researchers attempted multiple extraction methods before settling on the Blinkenlights approach.

They first looked at JieLi's over-the-air update feature, but it only supports uploading firmware to the device, not reading it back.

Its authentication relies on Bluetooth's legacy E1 function with hardcoded values, which the researchers were able to replicate. Since the protocol offers no way to read firmware out, however, this path did not yield a dump.

Modern Blinkenlights Implementation

The team built a custom capture rig around a Raspberry Pi Pico overclocked to 200 MHz, tapping the bus between the smartwatch's main SoC and its NV3030B display controller.

The display interface runs a 25 MHz clock and carries pixel data in RGB565 format, so the capture had to sample well above that rate to recover every bit; at 200 MHz the Pico gets eight cycles per display clock.

The researchers soldered 0.1 mm diameter wires to the screen connector and used the Pico's Programmable Input/Output (PIO) blocks to sample the data line on each rising clock edge.

Bluetooth's legacy authentication mechanism based on E1 (Source - Quarkslab)

The PIO program consists of only two instructions, keeping each sampling loop short enough to hold the required rate.

Captured data was buffered in a 145,000-byte region of the Pico's RAM before being sent to the host computer over the USB serial port.

To trigger the dump, the researchers crafted custom dials whose image offsets pointed beyond the dial's own data, so the watch read and displayed memory from elsewhere.

Extraction was done in slices: many custom dials were generated, each targeting a different memory address range.

Each dial embedded a special header made of synchronization words (0xa5a5a5a5) and magic bytes (0xdeadbeef), so that the captured data blocks could be identified in the pixel stream and their byte alignment verified.

Python scripts were developed to automate dial generation, data collection, and firmware reconstruction from individual memory slices.
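The host-side reconstruction step, written here as an added Python example (not Quarkslab's scripts). The sync word 0xa5a5a5a5 and magic 0xdeadbeef come from the article; the address and length fields after them, the MSB-first byte order of the RGB565 words on the wire, and the 0xff fill for bytes never captured are assumptions made for this example. The scanner locates the header at any byte alignment, skips partial sync hits and truncated frames, and reports which ranges of the image are still missing so the corresponding dials can be re-sent.

```python
"""Reassemble a firmware image from captured display data (constructed
example, not Quarkslab's code). Address/length fields, byte order and the
0xff fill are assumptions; sync and magic values are from the article."""
import struct

SYNC = b"\xa5\xa5\xa5\xa5"
MAGIC = b"\xde\xad\xbe\xef"
# sync, magic, source address, payload length (the last two fields are assumed)
SLICE_HDR = struct.Struct(">4s4sII")


def pixels_to_bytes(words):
    """A capture is a stream of 16-bit RGB565 pixel words; reinterpret it as
    bytes (MSB first, an assumption about the display bus)."""
    return b"".join(struct.pack(">H", w) for w in words)


def bytes_to_pixels(data):
    """Inverse: pack raw bytes into 16-bit pixel words, padding an odd tail."""
    if len(data) % 2:
        data += b"\x00"
    return [w for (w,) in struct.iter_unpack(">H", data)]


def make_dump_frame(address, payload, noise=b""):
    """Constructed stand-in for one displayed dial: leftover pixels from the
    previous frame, then the header, then the leaked bytes."""
    return noise + SLICE_HDR.pack(SYNC, MAGIC, address, len(payload)) + payload


def find_slices(stream):
    """Scan a capture for sync+magic at any byte alignment and return
    (address, payload) pairs. Sync hits without the magic (e.g. 0xa5 noise
    in front of a real header) and frames cut short are skipped."""
    slices = []
    i = stream.find(SYNC)
    while i != -1:
        if stream[i + 4:i + 8] == MAGIC and i + SLICE_HDR.size <= len(stream):
            _, _, addr, ln = SLICE_HDR.unpack_from(stream, i)
            end = i + SLICE_HDR.size + ln
            if end <= len(stream):
                slices.append((addr, stream[i + SLICE_HDR.size:end]))
                i = stream.find(SYNC, end)
                continue
        i = stream.find(SYNC, i + 1)
    return slices


def reassemble(slices, size):
    """Place each slice at its address (a repeated capture just rewrites the
    same bytes). Returns the image and the [start, end) ranges never covered."""
    image = bytearray(b"\xff" * size)
    covered = bytearray(size)
    for addr, data in slices:
        if addr + len(data) > size:
            continue                      # corrupt address field, ignore
        image[addr:addr + len(data)] = data
        covered[addr:addr + len(data)] = b"\x01" * len(data)
    gaps, start = [], None
    for pos, hit in enumerate(covered):
        if not hit and start is None:
            start = pos
        elif hit and start is not None:
            gaps.append((start, pos))
            start = None
    if start is not None:
        gaps.append((start, size))
    return bytes(image), gaps


def demo():
    """Constructed 256-byte firmware dumped in 0x40-byte slices: slice 1 is
    captured twice and the last slice is cut off by the end of the capture."""
    fw = bytes((i * 7 + 3) & 0xFF for i in range(0x100))
    frames = [make_dump_frame(a, fw[a:a + 0x40], noise=b"\x00\xa5\xa5")
              for a in (0x00, 0x40, 0x80)]
    frames.append(frames[1])                          # repeated capture
    tail = make_dump_frame(0xC0, fw[0xC0:0x100])
    frames.append(tail[:-0x10])                       # truncated last slice
    pixels = bytes_to_pixels(b"".join(frames))        # what the Pico saw
    slices = find_slices(pixels_to_bytes(pixels))
    image, gaps = reassemble(slices, len(fw))
    return {"fw": fw, "image": image, "gaps": gaps, "slices": len(slices)}


if __name__ == "__main__":
    r = demo()
    print(f"{r['slices']} slices found; missing:",
          [f"{a:#x}-{b:#x}" for a, b in r["gaps"]])
```

Because the three bytes of noise in front of each constructed frame shift the header to an odd byte boundary, the sync word is what makes the frame findable at all; the magic then rules out the partial 0xa5 runs that precede it, which is exactly the alignment check the article describes.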

This research shows how a decades-old attack technique remains effective against modern embedded devices when combined with creative exploitation methods.

The approach cost little beyond a Raspberry Pi Pico and proved more practical than an expensive logic analyzer for this specific job.
