Samsung provides a management application named Samsung Gear Fit Manager that handles all of the watch's essential functions: firmware upgrading, connection, application management, and so on. Therefore, as a first step, we need to understand the firmware upgrade procedure by reversing the APK. Many common tools are readily available for this, such as Virtuous Ten Studio and IDA.
During the investigation we found an unusual directory named "firmware" containing firmware files packed in .bin format. These files are used to update the Gear Fit firmware directly from the Gear Fit Manager application. We also found plenty of classes linked to these files.
Next, we checked whether a checksum function is used when updating the smartwatch firmware. It is: the checksum function lives in the "UpdateInfo" class.
Gear Fit's checksum is Adler-32, implemented with the standard Adler32 class that Android ships (java.util.zip.Adler32). As the code shows, the checksum function simply computes an Adler-32 value over the byte buffer read from the firmware file. Consequently it only protects integrity during transfer to the watch: the value is recomputed from whatever bytes are on disk at update time, so it cannot detect that the stored file has been modified, and Adler-32 is not a cryptographic check in any case. Based on this weakness, we can modify the stored firmware files without worrying about the checksum value. The final step is to repack the Gear Fit Manager APK with the modified firmware (the repacked APK must be re-signed before it can be installed) and push that firmware to the Gear Fit smartwatch.
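The following is an added example, not code from the Gear Fit Manager APK or from the original writeup. It mirrors the behaviour described above (Adler-32 computed over the buffer read from the firmware file; java.util.zip.Adler32 and Python's zlib.adler32 produce the same value) on a constructed sample image, shows that a tampered image passes the transport-level check because the checksum is simply recomputed from the modified bytes, and contrasts it with a keyed check that an attacker holding only the APK cannot satisfy. The sample image, the offset patched, the device key and the HMAC-based check are all assumptions made for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample "firmware image" standing in for one of the .bin files in the
# APK's firmware directory (not real Gear Fit firmware).
GENUINE_IMAGE = bytes([0x7F, 0x45, 0x4C, 0x46]) + b"GEARFIT-TEST-IMAGE-" + bytes(range(256)) * 4


def adler32_of_buffer(data: bytes) -> int:
    """Mirror of the behaviour described for UpdateInfo: read the firmware file
    into a buffer and compute Adler-32 over it. This is the same value
    java.util.zip.Adler32 would return on Android."""
    return zlib.adler32(data) & 0xFFFFFFFF


def tamper(image: bytes, offset: int, patch: bytes) -> bytes:
    """Overwrite `patch` bytes at `offset`, simulating a modification of the
    stored .bin before the APK is repacked."""
    return image[:offset] + patch + image[offset + len(patch):]


def transfer_check_passes(stored_image: bytes, received_image: bytes) -> bool:
    """What a transport-level Adler-32 check actually verifies: the bytes that
    arrived equal the bytes that were sent. The checksum is derived from the
    stored file at update time, so it says nothing about whether that file is
    the one the vendor shipped."""
    return adler32_of_buffer(received_image) == adler32_of_buffer(stored_image)


# Hardened alternative (an assumption for this example, not Samsung's code):
# a keyed MAC over the image, with the key held on the device side, so the
# verifier compares against a value that cannot be recomputed from the APK
# alone. A public-key signature is the usual production choice; HMAC keeps the
# example self-contained.
DEVICE_KEY = b"example-device-side-key"  # constructed for the example
GENUINE_TAG = hmac.new(DEVICE_KEY, GENUINE_IMAGE, hashlib.sha256).digest()


def authenticated_check_passes(received_image: bytes, tag: bytes = GENUINE_TAG) -> bool:
    """Accept the image only if it carries a MAC computed with the device key."""
    expected = hmac.new(DEVICE_KEY, received_image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Tamper with the sample image and run both checks over it."""
    modified = tamper(GENUINE_IMAGE, 64, b"\xde\xad\xbe\xef")
    return {
        "genuine_adler32": adler32_of_buffer(GENUINE_IMAGE),
        "modified_adler32": adler32_of_buffer(modified),
        # The app recomputes Adler-32 over the modified file, so the transfer
        # check is satisfied by the tampered image.
        "transfer_check_on_modified": transfer_check_passes(modified, modified),
        # A keyed check rejects it, because the tag cannot be recomputed
        # without the device-side key.
        "authenticated_check_on_modified": authenticated_check_passes(modified),
        "authenticated_check_on_genuine": authenticated_check_passes(GENUINE_IMAGE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{name}: {value}")
```

The Adler-32 values of the genuine and modified images differ, but that difference is never observed: the checksum sent alongside the firmware is computed from the modified file, so the watch sees a consistent pair. Only a check anchored in something the attacker cannot reproduce from the APK (a device-held key or a vendor public key) distinguishes the two.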