a half-assed FW dump of the CMF watch pro 2
here you can find:
- the original firmware.bin (firmware directly flashed to the watch)
- the dumped firmware.bin (extracted using
./extract.py) the folder namedit was 700mbextracted, which contains all the files extracted from the dumped firmware
i'd like to thank u/IndependenceSmall902 for finding the firmware.bin for the watch in the first place (https://www.reddit.com/r/CMFTech/comments/1eylsuo/finally_got_the_ota_url_of_wtch_pro_2/)
<<<<<<< HEAD
extract.py │ recompile.py
│ │ │
▼ │ opens │ .xzs
extract .xz files ◄────────┤
from original bin │ ▼
│ │ recompile into
▼ │ one single bin
decompile using │ ▼
binwalk+carver │ flash(?)
=======
pull all assets (videos, images, gifs)- pull fonts
find/make a good file carver
- .bin is filled with LZMA archives, each split by .xz's magic number (
0xfd377a585a00) - each LZMA archive usually ends in
00 00 00 00 04 59 5A(ascii.....YZ), commonly followed by4C 5A 4D 41(ascii for 'LZMA') info.xmlis an XML file to identify versions, checksums, board names, and some other stuffinfo.xmlbegan at hex address0x00000400in the original firmware file- from
0x0to0x00000083there's ASCII text, probably indcating firmware version and target board version - from
0x00000200to0x000002BFthere's some weird ASCII text, don't know what that's for - binwalk LOVES ballooning the fuck out of the .bin file, extract was 700mb, mostly of repeated letters
if someone knows why please let me knowneed to use a file carver, duh
- has uart (uart0, uart1, uart2)
uses FAT32 as it's filesystemstill somewhat unknown, likely SDFSuses FatFS, so yes it's fat32runs off of FreeRTOSuses Zephyr (https://github.com/zephyrproject-rtos/zephyr) maybe you can recompile new firmware using this?uses cortex M4 coreunknown at the momentCPU is likely 'Airoha AG3352' (no datasheet?)MCU is actions technology ATS3089C (no datasheet)- seems to have a UART command line, so UART pads are likely present
- uses LVGL
being worked on, need to order/get a donor watch