Info & tools for reverse engineering the M6 smart fitness band

Last update: Dec 26, 2022

Related tags

Third-party APIs Wrappers m6-reveng

Overview

m6-reveng

This repo contains information and tools for reverse engineering the $7 M6 smart fitness band.

Hardware

The SoC (system-on-a-chip) is a Telink TLSR8232.

Datasheet
32-bit proprietary MCU
- Closed ture, not a lot of resources about it
- 24 MHz clock speed
16kB of SRAM
512kB of flash
32kHz oscillator for low power mode
SWS (Single Wire Slave) interface for debugging and programming

The Setup

The Telink TLSR82xx series SoCs are debugged and programmed using the closed SWS (Single Wire Slave, or SWire) protocol. pvvx did a fantastic job reverse engineering this protocol and creating an alternative programmer based on the STM32 Blue Pill board. The TlsrTools project contains both the STM32 software (SWireSTM32) and a Windows GUI application for controlling the STM32 board.

The TlsrTools project was developed for the TLSR826x. I originally introduced changes to this project, but later I realized our TLSR8232 chip uses the same SWS protocol. This means we can simply flash this precompiled binary to our STM32 and use it as the middleman for debugging the M6.

I did not use the Windows GUI application, and instead wrote my own Python script (tlrs82-debugger-client.py) that connects to and controlls the STM32 via USB. The commands and timings are tailored for the TLSR8232 SoC, but should be easily adaptable for other TLSR82xx chips.

Reading the chip ID

Register 0x007e is a special register in the TLSR that contains the chip identification. This is a good way to verify that everything is working as expected.

$ python tlsr82-debugger-client.py --serial-port /dev/cu.usbmodem6D8E448E55511 get_soc_id
Found and set suitable SWS speed: 7
SOC ID: 0x5316

Dumping the RAM

$ python tlsr82-debugger-client.py --serial-port /dev/cu.usbmodem6D8E448E55511 dump_ram ram.bin
Found and set suitable SWS speed: 7
Dumping ram to ram.bin...
0x0000 00.00%
0x0100 00.39%
...
0xfe00 99.22%
0xff00 99.61%
Writing 65536 bytes to ram.bin

Dumping the flash

$ python tlsr82-debugger-client.py --serial-port /dev/cu.usbmodem6D8E448E55511 dump_flash flash.bin
Found and set suitable SWS speed: 7
Dumping flash to flash.bin...
CPU stop.
CSN high.
0x000000 00.00%
0x000100 00.05%
0x000200 00.10
...
0x07cd00 99.85%
0x07ce00 99.90%
0x07cf00 99.95%
Writing 512000 bytes to flash.bin

Python3 library that can retrieve Chrome-based browser's saved login info.

Passax EDUCATIONAL PURPOSES ONLY Python3 library that can retrieve Chrome-based browser's saved login info. Requirements secretstorage~=3.3.1 pywin32=

1 Jan 25, 2022

Coronavirus whatsapp chatbot to give real time info on covid

Covy Developed a coronavirus whatsapp chatbot which gives case counts in a particular district, city, state or country. It also predicts future cases

0 Oct 3, 2021

A python api to get info on covid-19

2 Sep 18, 2022

A module to get data about anime characters, news, info, lyrics and more.

Animec A module to get data about anime characters, news, info, lyrics and more. The module scrapes myanimelist to parse requested data. If you wish t

31 Aug 31, 2022

Pogodasbot - Telegram bot sending channel weather info

1 Dec 15, 2022

Telegram Bot Repo Capable of fetching the following Info via Anilist API inspired from AniFluid and Nepgear

Telegram Bot Repo Capable of fetching the following Info via Anilist API inspired from AniFluid and Nepgear Anime Airing Manga Character Scheduled Top

2 Apr 1, 2022

A Telegram Most Powerful Media Info Bot.

Media Info Bot Support 🚑 Demo For The Bot -Test Our Bot By Clicking The Button Below Deploy To Heroku 🗳 Press the Deploy Button to Get Your Own Bot.

5 May 16, 2022

Bootstrapping your personal Web3 info hub from more than 500 RSS Feeds.

RSS Aggregator for Web3 (or 🥩 RAW for short) Bootstrapping your personal Web3 info hub from more than 500 RSS Feeds. What is RSS or Reader Services?

1.8k Dec 29, 2022

This is a repository for the Duke University Cloud Computing course project on Serveless Data Engineering Pipeline. For this project, I recreated the below pipeline.

AWS Data Engineering Pipeline This is a repository for the Duke University Cloud Computing course project on Serverless Data Engineering Pipeline. For

15 Jul 28, 2021

Comments

Unable to find a suitable SPI speed

Not an issue, just a question:

Hello, interested by your work, I've ordered a M6 smart band to work with it.

I've (seems) correctly flashed the BluePill and soldered the three wire to the m6 band (GND, SWS, and RST), but the "tlsr82-debugger-client.py" program does not able to find the M6 band.


python3 tlsr82-debugger-client.py --serial-port /dev/ttyACM0 get_soc_id
Trying speed 2
Trying speed 3
Trying speed 4
Trying speed 5
Trying speed 6
Trying speed 7
Trying speed 8
Trying speed 9
....
many attempts later
...
Trying speed 108
Trying speed 109
Trying speed 110
Trying speed 111
Trying speed 112
Trying speed 113
Trying speed 114
Trying speed 115
Trying speed 116
Trying speed 117
Trying speed 118
Trying speed 119
Trying speed 120
Trying speed 121
Trying speed 122
Trying speed 123
Trying speed 124
Trying speed 125
Trying speed 126
Traceback (most recent call last):
  File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 401, in <module>
    main()
  File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 397, in main
    args.func(args)
  File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 349, in get_soc_id_main
    init_soc(args.sws_speed)
  File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 267, in init_soc
    find_suitable_sws_speed()
  File "~/m6-reveng/tlsr82-debugger-client/tlsr82-debugger-client.py", line 109, in find_suitable_sws_speed
    raise RuntimeError("Unable to find a suitable SPI speed")
RuntimeError: Unable to find a suitable SPI speed

Any tips? the only different that i've found in my m6 band, it's that there are no a the capacitor on the RST pin....

postimg.cc/G85BzphC

opened by user-e 2