Hacking a UART where there never was before

The Omron RS8 met several of our design requirements, small, battery operated, quiet and entirely wrist mounted. So no heavy base unit. With the initial attack vector expected to be the NFC interface the case was opened and warranty voided. Thankfully the PCB was not too complicated, although populated on both sides the dual layer design made circuit tracing easy.

Hacking a UART where there never was before

Working through the ICs on the top of the PCB and searching for data sheets showed the main IC to be something somewhat obscure and difficult to source information for. A Similar scenario again for the NFC chip, little available information in data sheets or examples on the web. Reviewing the product documentation gave the impression the NFC interface was designed to upload logs and not stream real time data. The rear side of the PCB however held promise. A separate IC was used to drive the segmented LCD display built into the housing, the BU9795A. Whilst still an obscure component a data sheet was available and it listed an SPI interface with a nice clear protocol.

Bring on the bus pirate!

With a USB microscope and the data sheet for the LCD driver the traces for MOSI, SCK and CS were traced and bodge wires connected. A quick confirmation with the scope to observe traffic and it is time to connect the bus pirate.

For more detail: Hacking a UART where there never was before

About The Author