Rooting Australia's #1 Kids Smartwatch

Protecting Australian children by replicating Nordic security research

Feb 26

I watched a man send a child to North Korea, I wanted to do the same.

At a recent CCC security conference researchers reviewed a Nordic locked down child's smartwatch and spoofed GPS to have the "child" appear to "parents" as being located in Pyongyang. Could I do the same for Australian children?

Sure enough Spacetalk are an Australian manufacturer that produce Australia's #1 kid's smartwatch^[1] - and as we all know, Australia is small and security maturity is... eh.

After some Facebook Marketplace lowballing I find their first model^[2] new in box for $50. This is super handy because any hardening they did in V2 or through an OTA update won't be a problem for me. Sure enough it booted, so what was the attack surface?

4x pogo pins on the back of the watch, terminating in USB via the charging dock

How am I Going to Crack into this Thing?

The watch had 4 pins on the back which nicely matched the charging dock that fed to a USB C cable. I figured this'd be JTAG or even a straight up USB data connection, but with no adb devices or MTP clients I figured maybe only the power pins are soldered, as it was charging over USB.

It had some very stripped down in-house dev'd apps but nothing that would let me pop a file browser or anything. There were no WIFI options, only mobile data, and as I couldn't MITM it to prevent OTA updates I didn't want to connect it.

Looking at settings > about it was clearly a custom android build, and so natually I smashed the build number to unlock developer settings - no luck. I mashed even more and interestingly the "phone number" field opened a password entry screen. Rattling off defaults of 0000, 1234, last 4 digits of the build number, IMEI etc. didn't let me in, and given it was an uncapped text field there was no assurance it was even a 4 digit pin.

With no USB keyboard emulation possible I was considering having my 3d printer with a stylus incrementally try pins but that was a problem for another day and I called it a night.

Watch Whispers "Hello" in the Dead of Night

Few days later I give it another crack and it wouldn't turn on; ah must've drained the battery, let me give her some charge. Plug her in and my Windows Device Manager window in the background flashed twice. That's odd, it wasn't booted, does it open a fastboot interface temporarily?

Digging through the logs it turns out it opens an MTK (i.e. MediaTek - the chip SoC manufacturer) Preloader interface for 2 seconds because closing itself off. Well well well! If we can dump the flash, we can probably push custom images and reverse engineer the password function.

After hours and hours of faffing around with Windows and USB drivers I caved and created a linux live USB to run off an old laptop. With mtkclient I managed to glean:

That it was an MT6379 chip
SLA: Secure link authentication was disabled (the boot ROM allows flashing) 🤤
SBC: Secure boot chain was disabled (unsigned firmware can be flashed) 🤤
DAA: Download agent authentication was disabled (I don't need leaked vendor firmware to talk to the chip) 🤤

Brain Dumping Partitions

The gorgeous trifecta, I've essentially got full control of this hardware. So I dump the partition table and use that to dump various system, boot, recovery etc. partitions. With those saved, even if an OTA update hits or I push bad images across, I'm only soft bricking and can flash it back to factory settings.

Opening a Backdoor with a Sledgehammer

There was no guarantee that the developer menu would allow me to enable ADB or become root so it was time to backdoor the images and PoC that I could unpack, repack, flash and boot without anything throwing a fit. This first required unlocking the bootloader, which would have been easy with fastboot, IF I had a volume up button to select Confirm...

Ah well, nothing mtkclient forcing an unlock couldn't fix^[3].

Cracking open system.img I pop some simple debug draws into init.rc's on early-init as a visual indicator to see if my backdoor worked. Using mtkclient again I reboot the watch to fastboot mode within the 2 second window, flash my custom image and boot.

Success, I've never been so chuffed to see ugly debug draws.

The Sledgehammer is only so Sharp

What I failed to mention is I also changed the build string from ST2-4G-1_20210407 to INDYWASHERE as a deeper indicator I've got access to override core android settings but puzzlingly this didn't reflect. Scratching my head I find system.img has a recovery-from-boot.p file with a cron job to overwrite recovery on boot. Bastards, flushing my custom changes every boot.

Whelp, mv recovery-from-boot.p recovery-from-boot.plzno made quick work of that, and there's my custom build string! Glad I found that, because I wouldn't want anything to get in the way once I start flashing custom images forcing ADB to be open on boot.

Something got in the way of me flashing custom images forcing ADB on boot.

No matter how many prop.defaults and init.rcs I was editing on different images, or commenting out the manufacturer's ro.sys.usb.charging.only=yes properties I tried, I could not pop ADB. I figured it was some kernel build flag, so I start byte editing hex strings, but there must be some checksum because that only caused bootlooping.

Here I am bashing my head against the wall... Hang on... I'm so focused on writing when I should be reading. We have the image dumps. I can see what's behind that password function.

Cosplaying as a Spacetalk Engineer

So I find com.allmytribe.settings.apk and throw it into JADX-GUI. When you type the wrong password you get an Incorrect Password toast, so searching for that should get me close to the password calculation function and aha! It's doing all sorts of fancy crypto with the IMEI and calculating the password.

Wasting no time, or brain cells, I throw all the functions and salts into Gemini to give me a python decryptor that accepts my IMEI and spits out a password. I punch that into my watch and BOOM: a USB debugging option that throws the watch into MTP+ADB mode.

Yeah I never would have guessed that 6 digit password.

Earning the Watch's (ADB) Trust

Oh young padawan, you should have learnt by now it's never that easy. My shell was unauthorised, modern android doesn't let any client have shell access, you've got to give it permission.

Normally this is a "do you want to trust this computer" popup on your phone, but with this custom UI... I never get that window - we're going to have to force it in software.

In the same way my ADB options were being overridden, so was my ro.adb.secure=0 that drops the authorisation security. I could be in trouble here 😮.

But further digging through the images led to boot.img's init.rc's early-init containing restorecon /adb_keys. Sure enough, dumping my PC's ADB fingerprint into /adb_keys in boot.img let me have an ADB shell yewwwwwwwww!

Giving the Watch a SUrprise

Hard part's done, flash su and you're root - easy right?

HAHAHA; no.

Thus ensues more days of helplessly attempting: adb root; scouring for architecturally correct su binaries; statically compiling variants for myself; overriding file system properties on it to make SELinux happy; manually porting a TWRP image to suit my device; pushing busybox and using setguid / setuid to elevate only to get kicked in the balls by SELinux; ^{forcing the watch's build variant into engineering mode to see if that has more lax kernel flags; backdooring boot system services that run as root; looking at the engineering mode APK for hidden intents to escalate...}

On and on and on only for me to wake up to the fact that this is a dated Android device, I have ADB, I have boot.img... can't I just patch Magisk in?

So I ADB install Magisk, ADB push boot.img, and open Magisk with ADB (the custom launcher didn't list the app that I could just click on). In the retina 360x320 menu I hit "Select and patch a file" and... oh there's no installed file browser. ADB installing a file browser, I select the boot.img, patch it with Magisk, pull the patched image back over ADB, boot to fastboot, flash it, boot, ADB shell, su and... 🥁🥁🥁

ROOT!

While I would have loved for this adventure to be "use well-known password 2323 to enable ADB" from the original presentation, we got this instead. Believe it or not this was the short version - my desperate raw research notes are here: ^[4]

Now that I'm ADB root on the watch and ADB root on a parallel phone, we can start digging into the watch and client app's communications - and see if we can't start sending Australian children to Pyongyang. Let's call this part 1 😏👉👉

[4]

Vomit inbound:

``` Tailing USB logs, MTK bootloader on plug in Go to find SP Flash tool, scared of malware, ignore Install mtkclient and MediaTek VCOM USB Drivers dodging more malware mtkclient suffers: Preloader - [LIB]: Status: Handshake failed, retrying... Try a million flags, install UsbDk Try a million flags, install zadig to switch drivers (pyautogui to automate clicking), error Reboot in Driver signature enforcement disabled still error Brick driver, use pnputil to delete Reinstall mediatek drivers in driver signature mode Windows recovery mode Manually add device to device manager, true device spawns parallel anyway More mtkclient issues Provide COM port to mtkclient directly, get new errors Finally get: Port - Device detected :) Port - Handshake successful. Though no gpt table Wait for battery to drain Finally get chip information: CPU: MT6739/MT6731/MT8765() SBC enabled: False, SLA enabled: False, DAA enabled: Fals A million flags, try gui, no luck Run SP Flash tool, find generic MT6739 scatter file Dump parition table with SP flash tool! Create specific scatter file Dump main partitions

Try mount userdata parition, find that it's FDE'd by android Brick it trying to probs with mtktoolit, open up and pull battery Userdata dump is partial because it drops out of brom after 3 min so do byte math to download two halves and combine them Start crawling system.img and see prop.defaults with charge_only = true in boot Realise chasing decryption of userdata is useless if it's a fresh watch install... Attempt to find TWRP image to boot from, none for this device magiskboot unpack boot image and override usb read only and other attributes try to fastboot reboot with mtkclient, unsuccessful try to fastboot reboot with android utils pro, see driver is from 2014 scour for more modern mtk bootloader driver fastboot entered!

can't fastboot devices, see fastboot driver is cooked find google driver and install manually fastboot getvars: (bootloader) unlocked: no (bootloader) secure: yes (Verified Boot (dm-verity) is active) Go to python3 mtk da seccfg unlock, can't because no volume up button to select "yes" Try to boot custom boot.img anyway: FAILED (remote: 'not allowed in locked state') Try to unlock with mtkclient, more driver issues Prep ubuntu live disk, boot, mtkclient has different error 1 upvote git issue with matching symptoms says to use older mtkclient works INSTANTLY - _ - Bootloader unlocked!

Appears to boot withc ustom boot.img, not adb drivers seen Attmpt to patch kernel of other TWRP img, dies then boots like normal Boot into factory mode rather than recovery and find Chinese debug menu that makes the watch battery critically hot Add su binary and adjust more prop.default flags to boot.img, flash but boot back to fastboot Only editing the build ID to see it in dev settings booted but no effect system img indicates system-as-root: default.prop -> system/etc/prop.default Suspect adbd is throwing byte alignment around and img doens't boot Find boot parition is limited to 24mb and after repack with adbd becomes 37mb Realise I'm double packing kernel Flash aligned shrunk img and watch doesn't turn on despite battery replugs Force it to fastboot after battery replug, reflash known good paritions Try a blank repack to ensure booting and pipeline works Suspect prop.default visual debug draw is being overridden in order of precendence, try via init.rc, boots but no visual Add it to early-init of boot.img instead: setprop debug.layout true setprop debug.hwui.profile visual_lines SUCCESS!

ADBd and build ID aren't being respected, take a step back and analyse order of precedence in boot, system and recovery All sorts of prop.default, init.rc on boot; on early-init etc. not working Try automated twrptgen to create fitting TWRP image Add custom adbd services to init.rc of recovery and boot no good Using magiskboot to unpack system.img, segfaults Realise system.img is a ext4 img not a fancy android binary packed one, just mount it Edit all conflicting usb entries across init.rc and prop.defaults across 3 images and flashing, still overriden - kernel hardcoded perhaps? Debug draws to system.img prop.default in isolation works Find system.img has large recovery-from-boot.p, find this has a boot script to override custom recoverys, rename to .old and custom build ID now reflects! Figure USB is almost certainly harded to kernal, realise I've got source for the developer utility and can reverse password function Get mtkdebug apk, decompile with JADX-GUI, find password functions Give salt, IMEI and comparison functions to gemini to create a python script that takes IMEI and spits out engineering code hacker voice MTP connects but adb says device unauthorised See if there's a deeply nested engineering setting to open adb to all, nope See if I can get into Android developer settings, menu item keeps crashing? find boot.img's init.rc's early-init has: restorecon /adb_keys Add /adb_keys with PC adb fingerprint to boot.img disk Get ADB shell!!! (user context)

Force feed su binary into images - wrong architecture Force feed su binary into images - dynamically linked, need static Can't find su binary for arch and static, end up using busybox Force feed busybox into images and fight perm issues Swap it with xbin/tcpdump and refuses to run Figure SELinux, set custom system_file attrib, is now trusted but this busybox binary has no su but has setuid and setguid Attempt to give self 0:0 perms: setuidgid: setgroups: Operation not permitted Figure selinux again, go to set it to permissive in 3x images: androidboot.selinux=permissive Can't - again figure hardcoded kernel flag Try trick it with custom init.rc service Try elevate euid to uid 0 with runcon , nope logcat says custom service refused because init can't run system_file files Change spawn context of service, still dies Try to backdoor exisisting uevent_wrapper service, bootloops Try to backdoor system.img init/atcid.rc nope Suspect hardcoded as buildvariant=user rather than userdebug or eng Adjust 3x image prop.default and init.rc to force userdebug build, boot but has no GUI (internal panics?), has adb active with confirmed buildvariant, but still selinux Adjust 3x image prop.default and init.rc to force eng build, boot but has no GUI (internal panics?), has adb active with confirmed buildvariant, but still selinux Try to hexedit brick selinux string in kernel file, bootloops Try to find hidden engineering apk that maybe let's me disable selinux, nope Try to patch system.img with offline magiskboot CLI tools, all sorts of dependancy issues (python 2 yuck) Screw it, do it on device, flash magisk apk via adb, can't select system.img as no file picker installed on device adb install basic file picker, patch system.img, pull patched system.img over adb, flash, boot ROOT ADB!

setenforce 0 selinux set to permissive! ```