Hardware Teardown

There are 3 non standard screws in the case. If you don't have tools like me. You can scratch of coating, add some flux and add a drop of very hot solder quickly so you don't melt plastic underneath. Then you can solder a pin header to unscrew it easily. You can clean solder and cut a slot for further assemble and disassemble.

There isn't a lot parts in side. I haven't investigated much but I think there is a PMIC, a SPI flash and DA14580.

The good thing is all SPI flash pins are exposed. You can even cut the trace to isolate it. This makes it easy to dump the firmware from this flash chip.

I suppose the encryption can be hacked by static analysis or move the firmware to a dev board for debugging.

Discussions

bettse wrote 10/01/2016 at 18:32

I sacrificed my device and removed the negative terminal to see what was below. I damaged it more than I would have liked, but found another test pad, and more traces: https://imgur.com/a/O31Kz

Are you sure? yes | no

SCDoc wrote 10/09/2016 at 14:23

Thanks for the sacrifice. I am attempting to map the pins of the processor to the board to we can hopefully tap into the SWD JTAG pins to allow debugging.

http://imgur.com/a/Hi4hw

Are you sure? yes | no

bettse wrote 09/29/2016 at 03:12

I opened my case and found the same chips, but for the 'A1 HFG 5DP' and 'D166B' slightly different markings, 'A1 HNG 5BJ' and 'D165M'. I'm assuming they're unimportant differences, but worth documenting. https://imgur.com/a/GfljG

Are you sure? yes | no