Firmware Updates

Downloads json information on firmware from http://pebblefw.s3.amazonaws.com/pebble/%1/%2/latest.json.

Parameter %1 is one of:

• unknown
• ev1
• ev2
• ev2_3
• ev2_4
• bigboard

Note that only ev2_4 and bigboard seems to work currently. EV 2.4 is the currently shipping version (along with hacker special version) - Bigboard is the original large test version.

Parameter %2 is one of:

• nightly
• beta
• release

ev2_4 has nightly as well as release, and bigboard only has release.

Json format

The json for each firmware has two entries. One for recovery and one for normal. An example for the release firmware for ev2_4 is shown below:

{

   "recovery": {
       "url": "https://pebblefw.s3.amazonaws.com/pebble/ev2_4/release/pbz/recovery_ev2_4_v1.5.2.pbz",
       "timestamp": 1356919500,
       "notes": "Official Recovery Firmware",
       "friendlyVersion": "v1.5.2",
       "sha-256": "1ca285d65d80b48b90bab85c5f9e54c907414adffa6f1168beec8aac5d6f32a2"
   },
   "normal": {
       "url": "https://pebblefw.s3.amazonaws.com/pebble/ev2_4/release/pbz/normal_ev2_4_v1.7.1.pbz",
       "timestamp": 1358897692,
       "notes": "Pebble OS v1.7.1",
       "friendlyVersion": "v1.7.1",
       "sha-256": "8cd22fbb9a5f2e3637c44c6de44ab2e0c470b431d00536a3ac284e5e4fc3a0d7"
   }

}

Known Firmware Versions

These are firmware versions posted to the nightly at various times. The url that is being checked is: http://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/latest.json

• Jan 23rd - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/release/pbz/normal_ev2_4_v1.7.1.pbz
• Feb 11th - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/release/pbz/normal_ev2_4_v1.8.1.pbz
• Feb 17th - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.1-68-g7bd09e2.pbz
• Feb 20th - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.1-77-gacc793d.pbz
• Feb 21st - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.1-87-ga627942.pbz
• Feb 22nd - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.1-89-g4905c42.pbz
• Feb 23rd - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.1-93-g7fa1955.pbz
• Feb 28th - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.1-152-g18ee0eb.pbz
• Mar 6th - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.2-190-geb63c67.pbz
• Mar 8th - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.2-205-g12c6f2e.pbz
• Mar 12th - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.2-215-g91c2b18.pbz
• Mar 13th (1) - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.2-224-g9ffcc04.pbz
• Mar 13th (2) - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.2-232-gd0a8b37.pbz
• Mar 14th - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/pbz/normal_ev2_4_v1.8.2-249-g82c3d1f.pbz
• Mar 18th - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/release/pbz/normal_ev2_4_v1.9.0.pbz
• Mar 26th - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/release/pbz/normal_ev2_4_v1.9.1.pbz
• April 12th - https://pebblefw.s3.amazonaws.com/pebble/ev2_4/release/pbz/normal_ev2_4_v1.10.0.pbz V1.10 Firmware Analysis

PBZ updates

Each pbz file is simply a zip file containing zero or one system_resources.pbpack, a manifest.json and tintin_fw.bin. The tintin_fw.bin is a raw binary that the pebble runs directly. (placed at 0x0 on the flash memory).

The system_resources.pbpack is a proprietary file format specifically for the pebble. At this point, I'm unsure whether the app reads it or the pebble reads it. The file contains a number of images and fonts used by the pebble, such as watchface icons or the first-run screen.

I haven't quite nailed down the format yet, but what I have is here (all offsets are inclusive):

The resource entries starts at 0x1c and consists of the following four fields (offsets are from start of each entry segment):

The file contains three different types of data:

• "png": Bitmaps containing images. See Resource Image Format.
• "png-trans": Some other kind of bitmap. Appears to be using the same Resource Image Format, but with some changes. Every png-trans image appears to be listed twice in the resource list.
• "font": A font file. See Resource Font Format.

Now you can extracting resources using pebble-firmware-utils

Tintin firmware file

The tintin_fw.bin is a 'raw' binary for the STM32F205 cpu in a fairly standard Cortex M-3 format. It should be noted that there is a custom bootloader at the primary entry point of the CPU. At present time, we do not have a dump of this bootloader, but we know that it loads the tintin_fw.bin at the address 0x8010000, after which the reset vector table is pointed at this address, the stackpointer is setup and the PC register is loaded with the entry point.

In practice this means it has a structure similar to the following (each element is one unsigned integer, e.g. 4 bytes):

Disassembling the file

Some minor notes on disassembling.

• Binary needs to be set to load at 0x8010000
• CPU should be set to thumb/thumb2-only, with the ARMv7-M architechture.
• The code starts at the entry point as described above.
• In the 1.8 firmware, the code explicitly loads the SP address into the SP register.
• If loaded like this in a suitable disassembler, string references are correct and code disassembles nicely.
• Once loaded, it can benefitial to look for accesses to specific memory mapped registers (UART, I2C, SPI etc)

Device Connections to STM32F205 cpu

The accelerometer appears to be connected to I2C1.