├── FirmwareUpdate.bin
├── README.md
├── FirmwareParser.py
└── FirmwarePatch.py


/FirmwareUpdate.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/b0n0n/MS-fitnessband-jailbreak/HEAD/FirmwareUpdate.bin


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # MS-fitnessband-jailbreak
2 | simple scripts to parse and patch Microsoft fitness band firmware update file 
3 | [Blog post](https://garden.sparrow.zone/Jailbreaking+the+Microsoft+fitness+band)
4 | 


--------------------------------------------------------------------------------
/FirmwareParser.py:
--------------------------------------------------------------------------------
 1 | from struct import pack, unpack
 2 | 
 3 | def ParseAll(msfile):
 4 |     data = open(msfile, "r+").read()
 5 |     offset = 0
 6 |     magic, = unpack("<H", data[offset:offset+2])
 7 |     print "Offset: 0x%08X\tMagic number: 0x%02X" % (offset, magic)
 8 |     offset += 2
 9 | 
10 |     unknown, = unpack("<B", data[offset:offset+1])
11 |     print "Offset: 0x%08X\tUnkown byte: 0x%01X" % (offset, unknown)
12 |     offset += 1
13 | 
14 |     flag, = unpack("<I", data[offset:offset+4])
15 |     print "Offset: 0x%08X\tUnkown flag: 0x%08X" % (offset, flag),
16 |     print "(looks like GPIO port output speed)"
17 |     offset += 4
18 | 
19 |     print "Offset: 0x%08X\tZero padding" % offset
20 |     offset += 8
21 | 
22 |     sections, = unpack("<I", data[offset:offset+4])
23 |     print "Offset: 0x%08X\tTotal number of sections: 0x%08X" % (offset, sections)
24 |     offset += 4
25 |     
26 |     fwsize, = unpack("<I", data[offset:offset+4])
27 |     print "Offset: 0x%08X\tFirmware size: 0x%08X" % (offset, fwsize)
28 |     offset += 4
29 | 
30 |     maincrc, = unpack("<I", data[offset:offset+4])
31 |     print "Offset: 0x%08X\tCRC of whole firmware: 0x%08X" % (offset, maincrc)
32 |     offset += 4
33 | 
34 |     print "Section table:"
35 |     for i in range(sections):
36 |         section = data[offset:offset+10]
37 |         type, secoffset, secsize = unpack("<HII", section)
38 |         print "Offset 0x%08X\tsection type 0x%04X:" % (offset, type)
39 |         print "\tSection offset 0x%08X, size 0x%08X [ends at 0x%08X]" %\
40 |             (secoffset, secsize, secoffset+secsize)
41 | 
42 |         if type == 0xC002:
43 |             print "\t*** Section has different header format ***"
44 |             offset += 10
45 |             continue
46 | 
47 |         section_data = data[secoffset:secoffset+secsize]
48 |         vnum1, vnum2 = unpack("<II", section_data[4:4+8])
49 |         num1, num2, num3 = unpack("<HHI", section_data[4:4+8])
50 |         size2, _, checksum = unpack("<III", section_data[0x10:0x10+12])
51 |         print "\tOffset: 0x%08X\tVersion number: 0x%08X.0x%08X" % (4, vnum1, vnum2),
52 |         print "(shown as %d.%d.%d)" % (num2, num1, num3)
53 |         print "\tOffset: 0x%08X\tSection size: 0x%08X" % (0x10, size2)
54 |         print "\tOffset: 0x%08X\tSection CRC: 0x%08X" % (0x18, checksum)
55 | 
56 |         # with open("section-%04X.bin" % type, "w+") as f:
57 |         #     f.write(section_data)
58 |         offset += 10
59 |                         
60 | ParseAll("FirmwareUpdate.bin")
61 | 


--------------------------------------------------------------------------------
/FirmwarePatch.py:
--------------------------------------------------------------------------------
  1 | from binascii import crc32
  2 | from struct import pack, unpack
  3 | import os
  4 | import re
  5 | 
  6 | def VersionNumPatch(data, orig_version):
  7 |         '''
  8 |         patch the orig_version number to a bigger one, make sure the orig_version
  9 |         number is the one on your fitness band!
 10 |         '''
 11 |         sections = unpack("<I", data[15:15+4])[0]
 12 |         ptr = 27
 13 |         
 14 |         print "[+]Patching version number..."
 15 |         for i in range(sections):
 16 |                 section = data[ptr:ptr+10]
 17 |                 type, offset, size = unpack("<HII", section)
 18 |                 if type == 0xc002:
 19 |                         print "\tUnknown header type C002 ignored..."
 20 |                         ptr+=10
 21 |                         continue
 22 |                 section_data = data[offset:offset+size]
 23 | 
 24 |                 num1, num2, num3 = orig_version.split(".")
 25 |                 new_version = (int(num1)<<16) + (int(num2)+1)
 26 |                 section_data = section_data[:4] + pack("<I", new_version) + \
 27 |                                section_data[8:]
 28 |                 data = data[:offset] + section_data + data[offset+size:]
 29 |                 
 30 |                 vnum1, vnum2 = unpack("<II", section_data[4:4+8])
 31 |                 print "\tNew version number: %x.%x" % (vnum1, vnum2)
 32 | 
 33 |                 ptr+=10
 34 |                 
 35 |         return data
 36 |                           
 37 | def TextPad(string):
 38 |         '''
 39 |         pad system string
 40 |         '''
 41 |         padded = ""
 42 |         for i in string:
 43 |                 padded += i+"\x00"
 44 |         return padded
 45 |         
 46 | def ChkMainCrc(filename):
 47 |         '''
 48 |         check main CRC
 49 |         '''
 50 |         data = open(filename,'rb').read()
 51 | 
 52 |         for i in range(0, len(data)-4):
 53 | 	        # these 4 bytes are the CRC embedded in the FirmwareUpdate.bin
 54 | 	        block = data[i:i+4]
 55 | 
 56 | 	        # calculate CRC for the rest of the data (replace the 4 bytes with 0's)
 57 | 	        c = (crc32(data[:i] + "\0"*4 + data[i+4:],0xFFFFFFFF)^0xFFFFFFFF) & 0xffffffff
 58 | 
 59 | 	        if pack("<I", c) in block:
 60 | 		        print "Found at offset dec=%d hex=%08X" % (i,i)
 61 | 		        print "CRC=%08X" % c
 62 | 		        break
 63 | 
 64 | def ChkSectCrc(filename):
 65 |         '''
 66 |         check section CRCs
 67 |         '''
 68 |         data = open(filename, 'rb').read()
 69 | 
 70 |         sections = unpack("<I", data[15:15+4])[0]
 71 |         print sections, "sections"
 72 | 
 73 |         ptr = 27
 74 | 
 75 |         for i in range(sections):
 76 |                 section = data[ptr:ptr+10]
 77 |                 print "%08X" % (ptr + 10)
 78 |                 type, offset, size = unpack("<HII", section)
 79 |                 print "0x%04X: at offset 0x%08X, size 0x%08X [ends at 0x%08X]" %\
 80 |                         (type, offset, size, offset+size)
 81 | 
 82 |                 section_data = data[offset:offset+size]
 83 |                 size2, _, checksum = unpack("<III", section_data[16:16+12])
 84 |                 if size2 == size:
 85 |                         vnum1, vnum2, vnum3 = unpack("<HHH", section_data[4:4+6])
 86 |                         print "\tVersion number: %d.%d.%d" % (vnum1, vnum2, vnum3)
 87 |                         vnum1, vnum2 = unpack("<II", section_data[4:4+8])
 88 |                         print "\tVersion number: %d.%d" % (vnum1, vnum2)
 89 |                         
 90 | 
 91 |                         c = (crc32(section_data[:24] + "\0"*4 + section_data[28:], \
 92 |                                    0xFFFFFFFF)^0xFFFFFFFF) & 0xffffffff
 93 | 
 94 |                         if c == checksum:
 95 |                                 print "\tSection size:0x%08X, checked crc:0x%08X" % (size2, checksum)
 96 |                         else:
 97 |                                 print "\tCrc corrupted!"
 98 |                 else:
 99 |                         print "\t*** Section has different header format ***"
100 | 
101 |                 ptr += 10
102 | 
103 | def CalSectCrc(data):
104 |         sections = unpack("<I", data[15:15+4])[0]
105 |         ptr = 27
106 |         
107 |         print "[+]Patching section CRC..."
108 |         for i in range(sections):
109 |                 section = data[ptr:ptr+10]
110 |                 type, offset, size = unpack("<HII", section)
111 |                 # print "0x%04X: at offset 0x%08X, size 0x%08X [ends at 0x%08X]" %\
112 |                 #         (type, offset, size, offset+size)
113 |                 if type == 0xc002:
114 |                         print "\tUnknown header type C002 ignored..."
115 |                         ptr+=10
116 |                         continue
117 |                 section_data = data[offset:offset+size]
118 |                 c = (crc32(section_data[:24] + "\0"*4 + section_data[28:], \
119 |                            0xFFFFFFFF)^0xFFFFFFFF) & 0xffffffff
120 |                 print "\tCalculated crc: %s" % ("0x%08X" % c)
121 |                 
122 |                 section_data = section_data[:24] + pack("<I", c) + section_data[28:]
123 |                 data = data[:offset] + section_data + data[offset+size:]
124 | 
125 |                 ptr+=10
126 |                 
127 |         return data
128 |                           
129 | def CalMainCrc(data):
130 |         '''
131 |         recalculate main CRC
132 |         '''
133 |         
134 |         c = (crc32(data[:23] + "\0"*4 + data[27:], 0xFFFFFFFF)^0xFFFFFFFF) & 0xffffffff        
135 |         data = data[:23] + pack("<I", c) + data[27:]
136 |         print "[+]Patching main crc: %s" % ("0x%08X" % c)
137 | 
138 |         return data
139 | 
140 | def SearchPatch(data, string, patch_string):
141 |         '''
142 |         simple string searching and patching
143 |         '''
144 |         assert len(string) == len(patch_string)
145 |         length = len(string)
146 |         index = data.find(string)
147 |         while index > 0:
148 |                 print "[+]Found string %s at %s" % (repr(string), hex(index))
149 |                 data = data[:index] + patch_string + data[index+length:]
150 |                 print "[+]Patched with '%s'" % repr(patch_string)
151 |                 index = data.find(string)
152 |         return data
153 |         
154 |         
155 | def Patch(filename):
156 | 
157 |         f = open(filename, 'r+')
158 |         Patched = f.read()
159 | 
160 |         Patched = VersionNumPatch(Patched, "10.6.3304")
161 | 
162 |         text1 = TextPad("No new texts, check back in a few.") #patch the empty text string for test
163 |         text2 = TextPad("pwned by ------------- mongo&b0n0n")
164 |         Patched = SearchPatch(Patched, text1, text2)
165 |         
166 |         Patched = CalSectCrc(Patched) # recalculate the section CRCs
167 |         Patched = CalMainCrc(Patched) # recalculate the main CRC
168 | 
169 |         with open('FirmwareUpdate.Patch', 'w+') as f:
170 |                 f.write(Patched)
171 | 
172 | Patch("FirmwareUpdate.bin")
173 | # ChkMainCrc("FirmwareUpdate.Patch")
174 | # ChkSectCrc("FirmwareUpdate.Patch")
175 | 
176 | 
177 | 


--------------------------------------------------------------------------------