atc1441

Basic Manual for DaFit Fitness Tracker firmware update protocol, works for nearly any nRF52832 tracker from Company DaFit

The minimum size of update file is 0x10000(can be filled with garbage to get to size) and the maximum size is 0x2F000
the update will first get stored onto the external flash at position 0x3D1000 by the stock firmware(not by the bootloader)
the size of the update will get stored at 0x3D0000 on external flash with 4 bytes uint32_t

when bootloader gets activated it will copy the update from external flash to 0x23000 of the nRF52 internal flash.


Connect to device,

atc1441

+ SDCC\bin\sdcpp.exe -nostdinc -Wall -std=c11 -I"/" -D"FREQ_SYS=48000000" -obj-ext=.rel -D__SDCC_CHAR_UNSIGNED -D__SDCC_MODEL_LARGE -D__SDCC_FLOAT_REENT -D__SDCC=3_9_3 -D__SDCC_VERSION_MAJOR=3 -D__SDCC_VERSION_MINOR=9 -D__SDCC_VERSION_PATCH=3 -DSDCC=393 -D__SDCC_REVISION=11345 -D__SDCC_mcs51 -D__STDC_NO_COMPLEX__=1 -D__STDC_NO_THREADS__=1 -D__STDC_NO_ATOMICS__=1 -D__STDC_NO_VLA__=1 -D__STDC_ISO_10646__=201409L -D__STDC_UTF_16__=1 -D__STDC_UTF_32__=1 -isystem "SDCC\bin\..\include\mcs51" -isystem "SDCC\bin\..\include"  "main.c"
+ SDCC\bin\sdas8051.exe -plosgffw "main.rel" "main".asm
+ SDCC\bin\sdcpp.exe -nostdinc -Wall -std=c11 -I"/" -D"FREQ_SYS=48000000" -obj-ext=.rel -D__SDCC_CHAR_UNSIGNED -D__SDCC_MODEL_LARGE -D__SDCC_FLOAT_REENT -D__SDCC=3_9_3 -D__SDCC_VERSION_MAJOR=3 -D__SDCC_VERSION_MINOR=9 -D__SDCC_VERSION_PATCH=3 -DSDCC=393 -D__SDCC_REVISION=11345 -D__SDCC_mcs51 -D__STDC_NO_COMPLEX__=1 -D__STDC_NO_THREADS__=1 -D__STDC_NO_ATOMICS__=1 -D__STDC_NO_VLA__=1 -D__STDC_ISO_10646__=201409L -D__STDC_UTF_16__=1 -D

atc1441

#include <Adafruit_GFX.h>
#include <Adafruit_ST7735.h>

#define TFT_CS       8
#define TFT_RST       7
#define TFT_DC        6

#define TFT_MOSI 2 
#define TFT_SCLK 3

atc1441

 in Setup()
 
 
 memset(img, 0, sizeof(img));



  int d, e;

  for (d = 0; d <= 16; d++) {

atc1441

/*
 * Test Code For Hoverboard with this firmware:
 * https://github.com/p-h-a-i-l/hoverboard-firmware-hack
 * 
 * Connect the PPM Receiver Data Pin to Arduino Pin 3
 * And set the Amount of channels of the PPM Receiver.
 * this code uses the Arduino Hardware serial.
 * 
 */

atc1441

#include <SPI.h>
#include <stdint.h>
#include <BLEPeripheral.h>
#include <Adafruit_GFX.h>
#include <nrf_nvic.h>//interrupt controller stuff
#include <nrf_sdm.h>
#include <nrf_soc.h>
#include <WInterrupts.h>
#include <Adafruit_SSD1306.h>
#include <TimeLib.h>

atc1441

#include <SPI.h>
#include <stdint.h>
#include <BLEPeripheral.h>
#include <Adafruit_GFX.h>
#include <nrf_nvic.h>//interrupt controller stuff
#include <nrf_sdm.h>
#include <nrf_soc.h>
#include <WInterrupts.h>
#include <Adafruit_SSD1306.h>
#include <TimeLib.h>

atc1441

int __fastcall ShouldTheDisplayTurnOn(signed int a1, signed int a2, signed int a3)
{
  signed int v3; // r5
  signed int v4; // r6
  signed int v5; // r7
  int result; // r0
  int v7; // r3

  v3 = a1;
  v4 = a2;

atc1441

  //Mode 3
  do
  {
    answer = ReadRegister(0xC);
    counter++;
  }
  while ( answer != 0x55 && counter < 10 );
  sendToRegister(0x18, 0);//CNTL1 Standby Mode
  delay(10);
  sendToRegister(0x1B, 2);//ODCNTL 50HZ Outputrate

atc1441

#!/usr/bin/env python
# 
# IDA Script to add new Segments
# Memory Map of Nordic NRF52832

from idautils import *
from idc import *
from idaapi import *