New nRF52832 based smart watch available (ID107HR Plus)

It looks like the same company who make the ID107 HR have brought out a new product called the ID107 Plus, which uses the better nRF52832 MCU.

I ordered 2 of these from AliExpress and they arrived a few days ago. However, at the moment I can’t work out the best way to open the device to look inside.

https://www.aliexpress.com/item/100-Original-Makibes-ID107-Plus-Smart-Bracelet-BT4-0-Heart-Rate-Monitor-Smartband-Pulse-Sports-Fitness/32809803432.html?spm=2114.13010608.0.0.RsxZli

 

I’ve also contacted the company via an Alibaba PM to confirm whether this is one of their products, or whether some other company is using the same model numbering system to pass their product off as being like the ID107 HR etc.

https://ido-smart.en.alibaba.com/?spm=a2700.8304367.0.0.jP93J4


Externally the watch has the usual rubber strap


But the main functional part of the watch is designed to be removed for charging

 

And features a USB connector at one end (sorry for the focus on this photo, but you can clearly see the USB connector 😉)


Fortunately Curt White ( https://github.com/curtpw ) has sent me some photos of an ID107 Plus he has managed to take apart, and also some information about the internal connections.

 

Firstly, the USB is only connected to power and ground, so it is only usable for charging. I suppose it could be modified so that the SWD connections used for programming were wired to the normal USB D+ and D- lines, but this appears to be a difficult modification to make.

The watch seems to have the nRF52832 MCU as well as :-

KX022 accelerometer

Si1143 optical sensor for HR

Azoteq IQS263

Macronix MX25L series USON package SPI flash

Curt informs me that he thinks the MCU pins used for these are as follows

 

#define  KX022_SCL                5
#define  KX022_SDA                3
#define  KX022_INT                6
#define  KX022_ADDR               4
#define  KX022_NCS                7

#define  MX25_SO                  27
#define  MX25_CE                  28
#define  MX25_SCK                 30
#define  MX25_SI                  31

#define  SI1143_SCL               18
#define  SI1143_SDA               10
#define  SI1143_INT                8
#define  SI1143_LED                9

But I have not verified this myself

 

Here are the photos Curt sent me


Before taking my watch apart (or breaking it apart), I have looked at the Bluetooth services which are advertised by this device, and it only advertises 1 primary service, with UUID 0x0AF0. This is an unregistered 16-bit UUID, i.e. it is not a service ID which has been registered with Bluetooth.org.

Within this service there are 4 characteristics

0x0AF6 – read  / write

0x0AF7 – read / notify

0x0AF8 – read / notify

0x0AF9 – read / write

 

All of these characteristics read as 0x00 but I have not tried writing to them.

Ideally one of these would be a DFU service in disguise, but at the moment it’s not possible to know if that’s the case, or whether writing to one of these characteristics would cause the device to go into DFU upload mode.

 

I have asked the manufacturer via an Alibaba PM whether the device is updatable via DFU, and hopefully they will get back to me with more information (assuming they do make this device).

 

If the manufacturer is not willing to give any information, one option is simply to compile a test application for an nRF52832 dev board (I have the Nordic dev board as well as several nRF52832 based module boards) which advertises the same services, then run the iOS or Android app and see what comms occur, e.g. what the app sends and what it gets back.
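To make that comparison concrete, here is an added Python example (not code from the original post) that takes a GATT dump like the one above, expands the 16-bit UUIDs to their 128-bit form under the Bluetooth base UUID, flags the two Nordic DFU service UUIDs (the legacy 0x1530 service under Nordic's own base UUID and the SIG-assigned 0xFE59 Secure DFU service), and lists which characteristics a mimic dev-board peripheral should log writes and notifications for. The sample GATT table is constructed from the service and characteristics listed above.

```python
# Added example, not code from the original post: triage a GATT dump, flag known
# Nordic DFU services and list the characteristics a mimic peripheral should log.
# The sample table below is constructed from the post; DFU UUIDs are Nordic's published ones.
BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"             # Bluetooth SIG base UUID
NORDIC_LEGACY_DFU = "00001530-1212-efde-1523-785feabcd123"  # Nordic legacy DFU service
NORDIC_SECURE_DFU = 0xFE59                                  # SIG-assigned 16-bit UUID, Secure DFU


def expand_uuid(uuid):
    """Return the lower-case 128-bit form of a 16-bit int or a UUID string."""
    if isinstance(uuid, int):
        return f"{uuid:08x}{BT_BASE_SUFFIX}"
    return uuid.lower()


def short_form(uuid128):
    """Return the 16-bit value if the UUID sits under the SIG base UUID, else None."""
    if uuid128.startswith("0000") and uuid128.endswith(BT_BASE_SUFFIX):
        return int(uuid128[:8], 16)
    return None


def classify_service(uuid):
    """Name the service: a known DFU entry point, a SIG-standard one, or vendor-specific."""
    full = expand_uuid(uuid)
    if full == NORDIC_LEGACY_DFU:
        return "nordic-legacy-dfu"
    short = short_form(full)
    if short == NORDIC_SECURE_DFU:
        return "nordic-secure-dfu"
    if short is not None and 0x1800 <= short <= 0x18FF:
        return "sig-standard"            # e.g. 0x180A Device Information
    return "vendor-16bit" if short is not None else "vendor-128bit"  # 0x0AF0 -> vendor-16bit


def triage(gatt):
    """gatt: {service: {characteristic: set_of_properties}} -> per-service report."""
    report = {}
    for svc, chars in gatt.items():
        writes = sorted(expand_uuid(c) for c, p in chars.items()
                        if p & {"write", "write-without-response"})
        notifies = sorted(expand_uuid(c) for c, p in chars.items() if p & {"notify", "indicate"})
        report[expand_uuid(svc)] = {"kind": classify_service(svc),
                                    "log_writes": writes, "log_notifies": notifies}
    return report


# Constructed sample: the one vendor service and four characteristics the post lists.
ID107_PLUS_GATT = {0x0AF0: {0x0AF6: {"read", "write"}, 0x0AF7: {"read", "notify"},
                            0x0AF8: {"read", "notify"}, 0x0AF9: {"read", "write"}}}

if __name__ == "__main__":
    for svc, info in triage(ID107_PLUS_GATT).items():
        print(svc, info)
```

Feed it the output of any GATT browser (nRF Connect, LightBlue, a bleak scan) in the same dict shape; a "nordic-secure-dfu" or "nordic-legacy-dfu" result means a documented update path exists, a "vendor-16bit" result like this watch's 0x0AF0 means the write characteristics are the ones to instrument.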

I’ve also got a rooted Android phone (running Lineage OS), so I can also install the VeryFit app that communicates with this device, copy the app’s file back onto my PC and decompile it.

I may be able to do the same thing on iOS as I have an old / rooted iPad; but it only runs iOS 6, which may not be compatible with the VeryFit app.


It’s early days for customising this device, but it shows a lot of promise, and if DFU could be used to upload firmware it would make it very practical to use.


Update.

I got a response from the manufacturer confirming that they do make the ID107HR Plus and that it uses the nRF52; however, they didn’t really understand my question. I asked whether it is possible to upload firmware via DFU, but they think that I want them to write custom firmware.

And that the minimum order quantity for this is 50,000 units!!!

I have now asked if they have phased out the nRF52.

 

I’ve also asked them if there is any way they can pre-flash just a DFU service (I didn’t tell them what the firmware does, as I don’t think their sales person would understand), e.g. if we buy 100 units and pay a premium for each item.

 

I suspect they don’t want to get involved in such small things, but I may as well ask.

 

18 Responses

  1. krasi gichev

    Regarding reverse engineering the protocol – with nrf51 board (dev kit, waveshare kit) one could build a BTLE sniffer. There is a firmware from Nordic that needs to be loaded on the nrf. The kit gets connected to the PC over UART. There is also an app that receives sniffed packets and converts them to Wireshark format for easy decoding.
    This way I have monitored the traffic between an Android phone and Xiaomi Mi Band 2.

  2. Roger Clark

    I have looked in their VeryFit Pro Android app and I can see what commands it sends to trigger the watch into DFU mode, and I did try to upload some replacement firmware, but it bricked the watch and I had to cut it open.

    When I have more time I will try this again on another, brand new watch, but I don’t have time to do this at the moment as I’ll need to carefully test any replacement firmware on the watch I have cut open before I try it again on an unopened watch.

  3. George Hahn

    Any luck getting DFU on the watch? I’m about to order some to test with – the only question is how many I’ll need to test out and prove DFU. Is it possible to restore the original firmware using a hardware programmer?

    Cheers,
    George

  4. Roger Clark

    No.
    I have not managed to DFU to the watch and still have a usable watch.
    I tried it and it bricked the watch. I had to cut the watch open and connect to the SWD pins to erase it.

    No. You can’t restore the original firmware; no one except the manufacturer has the original firmware file.

    All you can currently do with this watch is cut it open, attach the SWD connections and then upload your own firmware onto it.
    i.e. you would need to write your own firmware.

    Currently I do not have any spare time to investigate this watch any further, or to write custom firmware for it.

  5. classix

    {
    “firmwareInfo”:
    ..
    ..
    .. hacked data was here
    ..
    ..
    ..
    ..
    }

  6. Roger Clark

    I already had the information about the application download. However, I can’t post hacked information to this forum for legal reasons, as it’s hosted in the USA and the forum would receive a DMCA notice which would blacklist me.

    Your XML does have links to the application, but not the softdevice or the bootloader.

    The ID107HR Plus seems to use a non-standard memory layout for the bootloader etc, so although you can replace the application you are likely to run into problems because of the memory layout.

    I tried replacing the Application and the Bootloader in one hit via DFU, and this bricked the watch, until I cut it open and erased the flash via SWD.

    Other people have tried replacing the whole of the firmware (SD + Application + Bootloader) and they had the same problem: their watches became bricked until they cut them open and erased the flash via SWD.

  7. acassis

    Oh, this post responds to my last question. I will buy one to test. It would be nice if you recorded a video trying to open it. I think this model should be harder to open than the ID100HR. BTW, do you have LinkedIn? I searched for Roger Clark from Melbourne, Australia, but the user picture is different.

  8. Roger Clark

    I think the trick to opening the 107HR Plus is to insert the knife directly down into the front of the display, about 1mm from the edge, where the touch screen plastic overlay is glued to the outer body of the watch.

    I made the mistake of going in through the side, and this makes a complete mess of the watch.

    I also tried using my solder reflow tool set to its lowest setting of 100 deg to loosen the glue, but the touch screen will melt and deform at 100 deg, so you need to be careful if you try to use heat while you open the watch.

    Re: LinkedIn.

    I deleted my account a few years ago, as I was constantly spammed by agencies contacting me about projects for which I didn’t have the necessary skillset.
    So I ended up deleting my account.

    I still get emails from agencies who have 10+ year old versions of my resume, for projects using technologies I’ve not worked on for at least 5 years, but there’s not a lot I can do about that.

    I can’t really see the value of LinkedIn, or Facebook, as I already have this blog and a YouTube channel, multiple active GitHub repos, and run http://www.stm32duino.com etc.

  9. acassis

    Hi Roger, I ordered the ID107 Plus, but I think it will take about 2 months to arrive here. Unfortunately the postal service of my country is really slow. Hmm, maybe if you put Kapton tape over the display the heat will hit only the rubber around it. There is a company that ported NuttX to the nRF52; I contacted these guys and they promised to help contribute the port to mainline. I want to port NuttX to the ID107 Plus, it will be a nice hack!

  10. Roger Clark

    Cool

    It’s a nice device.

    I’m sure sooner or later someone will figure out how to update the firmware etc via DFU, but unfortunately I don’t have the time or budget to do this.

  11. Lynda Jones

    I bought this smart watch and downloaded the App for Android. Unfortunately I cannot bind the watch with my Samsung phone or pair it either. I followed the instructions carefully, made sure Bluetooth was on. Can you help please.

  12. Roger Clark

    Possibly your watch is faulty.

    My interest is not in the normal operation, and I normally remove the original firmware as soon as I receive the watch, so I have never paired my phone with any of these.

  13. acassis

    Hi Roger, I ordered my ID107 in September 2017 but only today was it delivered here to my home (thanks Brazilian Postal Office, AKA Correios!!!). So, just to confirm: I should open it over the top of the touchscreen “glass” about 1mm from the edge, right?
    But what if I damage the touchscreen? I will try to use a very thin knife (blade) to do that. What should be the right place to start lifting the touchscreen glass? From the upper/top (near the USB plug) or from down/bottom (near the circle drawn)?

  14. Roger Clark

    If you look carefully, at the front of the watch, you can see that the middle of the front is a separate (transparent) piece of plastic.

    You can feel the line between them with your fingernail.

    Using a sharp knife along this line is probably the best way to open the watch, but the front is glued down, so you need to be very careful.
    Also the front contains 3 touch screen sensors, so you need to be careful not to damage them.

    I tried to cut from the side about 1mm below the front of the watch, but the plastic is quite thick, and it’s not the best way.

    It’s not easy with this watch.

  15. acassis

    Hi Roger, I tried to follow this approach, but the glue under the glass is too strong. Then I decided to cut the border of the plastic to reach the glass. See the pictures here: https://www.flickr.com/photos/79703543@N00/ Fortunately I didn’t damage the touchscreen. I started removing it from the bottom (near the circle icon), but it is better to start from the top because the touchscreen connector is at the bottom. See it working after the tear-down: https://www.youtube.com/watch?v=b2mHwBczIRs

  16. Roger Clark

    OK.

    I cut in from the side, but I know some people managed to open it from the top. Perhaps it depends how much glue was used in each watch.

  17. Tim

    Hi Roger,

    first of all thank you for this blog post 🙂 I’m still new to this topic and haven’t read everything yet, so please be forgiving if you already know about this. There are several apps for Android by Nordic for tinkering around with their chips (that are also good for general Bluetooth debugging). One of them, “nRF Connect for Mobile”, offers the option to directly flash something onto the chip via DFU with the options: Bootloader, Soft Device, Distribution Package and Application, as well as a button labeled info that explains some technical details about DFU. (Today I received my first of those Chinese fitness trackers, an X9 Pro.) I haven’t tried any of those features yet. I took some screenshots that I would like to send you in case you need them.

    Thank you for your time

    Tim

    Link to the app: https://play.google.com/store/apps/details?id=no.nordicsemi.android.mcp

  18. Roger Clark

    Thanks Tim

    I am aware of Nordic’s apps.

    I also use an app on iOS called LightBlue.

    Although DFU is good if you want to update a device that is already deployed in the field, it’s not the best tool for uploading while developing, because it’s slow, and you also need to manually put the file on your phone or tablet and then manually upload it, etc.

    Connecting directly via SWD using the Black Magic Probe, J-Link or any other SWD programmer / debugger is the best upload method when developing.