So, a show of hands: who here has suffered a scrum meeting? Be honest, there's no shame in it. Okay, so in a scrum meeting you're supposed to say what you did the day before and what you're doing that day, and then you're supposed to wait for another hour as the round robin goes around, and then you've wasted the first hour of your day and you've got nothing done. I had the fortune of doing these every morning, first thing, every day of the work week, for several months, and it really, really took a toll on my soul. Because, you know, when you're talking about doing work instead of doing the work, it gets really frustrating, right? So I decided that I didn't want to do that anymore, and so I stopped doing that and instead I made this, and I hope that you like it.

This is a clone of the Casio 3208 watch module, called the GoodWatch. It's completely open source and open hardware; everything is available on GitHub. It's a replacement board that fits within the original Casio watch, so you can have a watch that's good to wear, that has the right metals and materials and all that stuff, is comfortable, has years of battery life. So we're not talking a smartwatch here, and at the same time there's room for additional features. So not only is this programmed in C and you can have a reverse Polish notation calculator instead of the algebraic one that it came with, but you can also do really crazy stuff like a disassembler for it, or you can add extra hardware.

So this includes 70 centimeter amateur radio; the next revision runs from 300 megahertz to 1 gigahertz, using the watch band itself as a random wire antenna. So you can receive radio signals and you can transmit them, and you can use it to help reverse engineer other devices without having to bring out a full software-defined radio, without having to pull out your laptop, and without having to run the expensive, power-hungry and heavy tools. Because as you're wandering around here, if you have a laptop bag and you've got your radios and you've got your antennas, the weight of all of that can add up. So wouldn't it be nice to just have your entire toolkit on your wrist whenever you might need it, in a way that you can forget about it the rest of the time?

So I'm not the first to make a replacement board for a wristwatch, and I'm not the first to play with this radio chip. As far as background goes, there is this thing called the Pluto watch, which is a replacement for the Casio F-91W. This watch is famous because there was a moral panic over them being used in improvised explosive devices, where the alarm ringer would set off an explosion, prompting even TSA warnings about, you know, giving extra attention to people wearing the Casio F-91W. The Pluto watch also uses an MSP430, related to the one that I'm using, but they add a magnetic compass to it. So in addition to running your own code on the watch, you can also tell which way is north just by swinging your wrist around.

About ten years ago TI came out with the Chronos development kit, which uses the same CPU that I use. The Chronos had a number of problems with it, though. It's really heavy and it's really bulky, so you've got a fixed watch band that's uncomfortable in the summer; your wrist will fill up with sweat. And it doesn't have a full keypad, so you need to go through awkward menu rings in order to reach anything that you like.

There's also the Faraday RF kit, which again uses the CC430 chip that I'm using. They had a power amplifier for the 900 megahertz band, so you can just buy one of these things and have a half-watt transceiver that's compatible with the wristwatch. Their firmware and their hardware are also open source, although little to no code is shared between them and my watch.

And then of course a few years back at ToorCon, Michael Ossmann and I did a lecture called "Real Men Carry Pink Pagers." It's me on the left and Mike on the right, and we reverse engineered these pink children's text messaging toys in order to make a spectrum analyzer, a garage door opener, a reflexive jammer for APCO P25. The radio in these things is not a software-defined radio; it's not very good for reverse engineering a signal, but after you understand what that signal is, it's an excellent radio for talking to it, or for making a receiver or a transmitter.

And then there's RfCat running on the YARD Stick One hardware. This is by Atlas and Michael Ossmann and those folks. This is a nice little tool that allowed you to write your radio definitions in Python on your own workstation while receiving from the real antenna with the real radio. The register settings for RfCat are compatible with my watch, so you can prototype a receiver in Python on the hardware that's easy to prototype for, and then move that definition to run inside of the watch as a radio application that you can keep with you at all times.

So when you have an existing watch and you want to replace it, you first need to understand what goes where and why. So the GoodWatch 10
left out the radio, and was my prototype to figure out that the LCD layout was correct, that the keypad layout was correct. I began by using a micrometer, a vernier caliper, to measure all of the dimensions of the PCB. So first I need to know how wide it is, how tall it is, where the screw holes are, and I drew this out on paper and then recreated it in the CAD software. And I did this for the front of the board, for the back of the board, and then I made my own board that matched those dimensions, so every keypad pin has to be in the same place, every LCD pin has to be in the same place.

Into this board I placed the CC430F6137. This is the CPU of my device. You can also use the 6147, which is a related chip that's more modern, but each of these has 32 kilobytes of flash, it has four kilobytes of SRAM, it has a built-in LCD driver and a built-in radio, and a bootloader in ROM that allows you to flash it over a serial port. And all of this comes for free inside of the chip, so that I could build the entire watch around a single chip and a couple of support components. It's important to keep it to as few devices as possible, because the chip packaging takes a lot of surface area on the board and also a lot of vertical height. So I wouldn't have room for another chip; to have a separate radio and CPU they really had to be the same device, and similarly I don't have room for an external LCD controller. So I had to find a part that contained both the CPU and the LCD controller and the radio in a single component in order to fit everything. And that got me a watch with a working display, with working keypad inputs.

I initially bootstrapped it by building a watch that has these little blue fly wires coming out of it for reflashing. This also allows me to read back the dmesg log from the watch, and I use this for all of my software development, so that as I'm developing the code I'm doing it on a tethered watch where temporarily I have no power concerns and where I get full logging.

On the left is my recreation of the board, the GoodWatch 10; on the right is the original board from Casio, and you can see that even though the components are in different places, all of the pads are in identical locations. Because I'm less concerned about the cost of the individual PCB, I was able to do silver coating to prevent oxidization. You'll note that the copper has sort of dimmed down over the years in the original. And instead of an epoxy blob I use a QFN chip. I drafted this in KiCad, so there are no licensing requirements to be able to edit the PCB or to manufacture your own. You can grab the files from the website, send it off to China and receive your own package of 200 boards. They cost under a dollar apiece if you're doing a quantity above 100.

But having the board is only part of it; you also need to know which pins do what. So the black bar here that is blocking some of the pins on the far west of the LCD: those pins are called commons, and a common is connected to very many segment pins. And you can think of this as like a row and column for a driver, and you have very few rows and very many columns, and then they're wired up to fit the individual pixels of the LCD display. So these are the commons and these are the segments, and I recovered these by using sticky tape, or the little sticky notes, right: you take a razor blade and you chop off the end of it, and then by sticking this onto the PCB you can selectively introduce a failure in a single pin of the LCD. I had to do this because I don't quite have enough LCD pins on my chip to drive all of the pins of the physical LCD hardware, so I needed to find which pins I could block off while keeping every digit of the display legible.

To figure out which pin does what, you just introduce failure in a whole bunch of them at a time. So with the black bar there covering the far west pin, I now know that a quarter of the LCD pixels will refuse to light, and if I move that just one over then a different quarter fails to light up, and a little bit further and a different quarter fails to light up, and so on. And whenever you cover up a pin that knocks out a quarter of the pixels, you're covering a common pin, and whenever you cover a pin that knocks out one, two, three or four of the pixels, then you're covering up a segment pin. And this is how you figure out how to wire it to the chip. You don't actually care about which pixel is connected to which pair yet, because you can figure out the rest of that by software. So instead of running through and tapping each and every one of these and measuring which pixels go out at which time, which would take forever, instead I just wired it up in software, lit up all of the pixels and then selectively turned them dim, and then for each dim one I was able to come up with its address, which is which common meets which segment. And that way I was able to write the LCD driver after my hardware prototypes arrived, so that they didn't block each other.

As far as the software went, MSP430 chips are well supported by GCC, and a complete development toolchain is available inside of most standard Linux distributions. So in Debian you can build this firmware either in stable or in testing just by installing the compiler and building it.
You don't need any external packages or external package sources. And then the actual programming happens through a serial port. So these little test probes that are connected to the sides, those are connected to the pins that allow me to force the chip into its bootloader mode, and then the bootloader appears as a serial port with documented commands, and a Python script can check the model number, erase flash, load in the programming, reboot. It can also dump a copy of RAM so that I can do core dumps from a running watch, in order to load a real RAM image into my debugger to see what particular variables were, or I can dump the dmesg log. So when I run printf, there's no room on the LCD to cover the full kernel log, so instead printf just writes to a memory buffer, and by dumping that memory buffer out I can use printf debugging to see what went wrong.

The keypads are implemented by rows and columns again, and whenever you push a button it connects that row to that column. So if we push the upper left button, which is a seven, that will connect pin 2.2 to pin 2.3, and the two will be bridged and there'll be a circuit between them. So what we do is we set all of the rows to be input pins and all of the commons to be output pins, and the inputs we pull lightly low and the outputs we pull strongly high, and when they connect, the inputs will jump high, and that tells us which column touched which row, by then cycling all of the other pins off. And again we implement this as a table, in which the high nibble of each byte is the scan code and the low nibble of each byte is the actual ASCII character, so that the driver can return the ASCII character of the key that's being pressed rather than the scan code, so that your source code can remain readable.

Power management matters a lot if you're building something that has to run on a 1.6 millimeter thin coin cell battery for years. If I have to replace the battery every day, or if I have to recharge the watch every day, it'll become too much trouble and I'll stop wearing the watch, and then I won't really have a wearable. So the main CPU has a variable clock rate, and CMOS chips, when they're digital, waste just a little bit of energy when the transistors flip. So if you have a gate, when that gate transitions then a little bit of energy is lost, and after the transition and before the transition it's almost perfectly static; it leaks very, very little energy. So the power consumption is almost linear with the clock speed, and a watch doesn't really have to do that much when it's idling; it only needs to display the time. So I can run the entire CPU at 32 kilohertz until momentarily I need more speed, and then I'm able to jump it up to 1 megahertz, and then my idle CPU draw can be as small as five microamps.

I implemented a reverse Polish notation calculator, so like the old Hewlett-Packard calculators: whenever you enter a number it pushes it onto the stack, and whenever you hit an operator it pops the last two values off the stack and pushes the result. This allows the calculator to be written quickly and with very small source code; new functions can be added. There's a timer. Each of these applications is written as a small little module of C code, so you can fork any application to add new pieces to it.

There are bugs, though, because when you implement something like this, the documentation says that it's supposed to work a certain way, and then you actually get it running and faults occur. You might have forgotten to check for an error message, or there could be a mistake in the documentation. You need a way to debug this so that you can work out all of these kinks and then have a stable platform. So one of the applications that I wrote was a hex editor, and the hex editor allows me to view all of the CPU's memory, and it shows room for eight hexadecimal nibbles on the screen, so the left four digits are the address and the right four are the value.

I had two of the prototypes of this watch, and I was in Budapest and I had no tools with which to work on them except for what I could borrow from a friendly hackerspace. So the watch on the left is keeping accurate time, and the watch on the right is losing an entire minute every day, and I needed to figure out why. So I used the hex editor to check the error flags of the real-time clock value, and they all looked good, and then I checked the crystal, and I was able to find that the low-frequency crystal had faulted, and that when the low-frequency crystal fails on this chip it defaults to a software backup, and the software backup was wasting a ton of power and inaccurately keeping the time. I was able to debug this without opening the case or any of that, just by using the hex editor.

As long as you have a hex editor you might as well add a disassembler, so you can disassemble the firmware of the watch on the watch itself and then reverse engineer it with pen and paper.

It has a power-on self-test, so every time I've been able to identify a faulting condition, I add a check for that to a routine that runs through and checks all of them at startup, and all of them if you press the number seven. This allows me to recognize things like clock faults or things like leaving the radio on that can sabotage the power consumption, because if a minor bug were to leave anything powered up that oughtn't be, that could wipe the battery out in a day or two and the watch will die.

Then we need a radio, because there's no point in having a fancy watch with a disassembler if it doesn't also give you a really cool tool on the side. To add a radio to the non-radio version I needed to add a crystal. It's a 26 megahertz crystal that provides the timing needed for the phase-locked loops and the other analog pieces of the radio. And I also needed a filter chain. Without the filter chain, when you transmit you would also transmit on harmonic frequencies, because the digital chip can produce a square wave, but not very well a sine wave. So the original radio models are restricted to the band between 430 and 435 megahertz because of a bandpass filter. The upcoming version extends this to support the full range of the chip by using a low-pass filter above the 900 megahertz band, so you will transmit harmonics if you transmit in the lower frequencies. This causes no trouble for reception.

I needed an antenna, so this little green wire here on the back actually connects the watch band as a random wire antenna, so that the watch band is the antenna for all reception and transmission. This is not a very good antenna, but it is more than good enough. In tests we were able to transmit Morse code across four city blocks in West Philadelphia, received indoors.

Now, radio software also has to be carefully considered. If you're building your first watch from my design, you'll get the digital parts working before you have the radio properly wired up, so it needs to gracefully downgrade, right? When the watch powers up, if it's unable to start that 26 megahertz radio crystal, if it can't fire that up, it assumes that it's not populated and then it disables all radio features. Or if you need a model that you can wear inside of a SCIF, you can just not populate that component and then you have a non-radio watch.

It was also very important to have a way to quickly prototype radio functions separately from the GUI. For those purposes the watch can be assembled with a built-on chip antenna outside of a wristwatch, and then all of the firmware can be communicated with over a serial port, so that you can ask it to receive packets or transmit packets. And in this way you can prototype any new protocol entirely in software as a desktop Python application without having to involve the GUI of the watch, so you don't need to push the teeny little buttons to try the thing when you're trying to get it to work for the very first time.

There's also a code plug. There's a text file that lists all of the frequencies that you might use, and then you can use this text file to add your own channels or your own things that you're interested in, to tune between them in the tuner application.

Radio power management also matters a lot. I told you before that with the radio off, the CPU consumes five microamps at 32 kilohertz and 160 microamps at one megahertz. Just receiving, not transmitting, takes 15,000 microamps. Transmitting can cost up to twice that, although for a shorter period of time, because you can shut the radio off after your transmission completes. This is a ton of power by comparison. It's for this reason that I can't really write a set-it-and-forget-it pager application, right? The watch can't be idly listening, because idly listening costs a ton of power. Transmitting is a lot easier, because it's only using energy for the time that you pushed on the button.

So we have a Morse code mode where you can push the side of the watch as a Morse code key, and then send that to any single-sideband receiver within range. So here we have yes you eight one seven, and we had this set up at a bar, and then my buddy took the watch four blocks from the bar and was saying hello in Morse code, and we accurately received it.

You can also send more complicated packets. This is GMSK transmission that we use as a fast data rate packet format for dumping larger files. So one of our contributors is working on dumping the dmesg log over the radio, so that in debugging we can just ask the watch to flush its logs out and then have a desktop nearby with a receiver to catch those logs and record them. This could also be used for automated real-world power management. So if I want to record the battery of a watch dying over a long period of time, then I can put a reduced-capacity battery into a watch and set it to transmit its voltage every night at midnight, and get a nice little graph of the voltage falling over time.

Now, this is great for talking to abstract things, but in addition to abstract things you also want to talk to specific things, right? So I bought a relay controller. All of these cheap relay controllers seem to use the same protocol of sending either a wide burst for one and a short burst for zero, or the other way around. I call this the 8s and Es code, because if you debug it, if you receive it with accurate timing and you assume that they're a nibble wide, then the long ones become Es, like 1110, and the short ones become 8s, or 1000. You can reverse engineer these using Universal Radio Hacker connected to any SDR, and then it takes a recording and allows you to zoom in and out on the signal. You can change the thresholds, you can change the encoding. You're basically just trying to measure the width of one short bit. So here I have a short bit selected, and then once you know that width you're able to program your own radio transmitter to mimic the signal, which you copy out as a packet in hexadecimal. So the results of that will be this set of register values, which are compatible with RfCat, so you can take anything that's been reverse engineered to talk to an RfCat and you can then port it over to the watch. You also need the packets themselves.
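The 8s and Es encoding described above, as an added example written for this page rather than taken from the talk or the GoodWatch code. It assumes the nibble model the speaker describes (one remote bit per nibble, a long burst as 1110 and a short burst as 1000, so the short burst measured in Universal Radio Hacker is one chip wide); the function names and sample bit strings are constructed.

```python
# Added example: the "8s and Es" view of cheap on-off-keyed remotes, as the
# talk describes it. Each button-code bit becomes one nibble of the packet:
# a long burst is 1110 (0xE), a short burst is 1000 (0x8). Function names and
# the sample code bits are constructed for this example (not the project's own).

LONG_NIBBLE = 0xE   # 1110: carrier on for three chips, off for one
SHORT_NIBBLE = 0x8  # 1000: carrier on for one chip, off for three
CHIPS_PER_BIT = 4   # one nibble of chips per logical bit


def chip_rate_from_short_burst(short_burst_us: float) -> float:
    """Symbol rate to program into the radio, given the width of one short
    burst measured in Universal Radio Hacker. Assumes (as in the talk's nibble
    model) that the short burst is exactly one chip wide."""
    return 1_000_000.0 / short_burst_us


def encode_8e(bits: str, long_is_one: bool = True) -> bytes:
    """Turn a reverse-engineered bit string such as '1011' into the raw packet
    bytes an OOK transmitter sends. long_is_one=False handles remotes that use
    the opposite polarity ('the other way around')."""
    nibbles = []
    for b in bits:
        if b not in "01":
            raise ValueError(f"not a bit: {b!r}")
        is_long = (b == "1") == long_is_one
        nibbles.append(LONG_NIBBLE if is_long else SHORT_NIBBLE)
    if len(nibbles) % 2:
        nibbles.append(0x0)  # pad odd-length codes with a nibble of silence
    return bytes((nibbles[i] << 4) | nibbles[i + 1]
                 for i in range(0, len(nibbles), 2))


def chips_to_packet(chips: str) -> bytes:
    """Pack a thresholded chip stream read off a recording ('1110100011101110')
    into packet bytes, padding the tail with silence."""
    chips = chips + "0" * (-len(chips) % 8)
    return bytes(int(chips[i:i + 8], 2) for i in range(0, len(chips), 8))


def decode_8e(packet: bytes, long_is_one: bool = True) -> str:
    """Recover the bit string from packet bytes. A nibble of 0000 is silence
    (padding); anything that is neither an 8 nor an E means the timing was
    wrong and the chip rate should be re-measured."""
    bits = []
    for byte in packet:
        for nib in (byte >> 4, byte & 0xF):
            if nib == 0x0:
                continue
            if nib == LONG_NIBBLE:
                bits.append("1" if long_is_one else "0")
            elif nib == SHORT_NIBBLE:
                bits.append("0" if long_is_one else "1")
            else:
                raise ValueError(f"nibble {nib:#x} is neither an 8 nor an E; "
                                 "re-check the chip width")
    return "".join(bits)


if __name__ == "__main__":
    # Constructed sample: a 12-bit button code and a 400 us short burst.
    code = "101100110001"
    pkt = encode_8e(code)
    print(pkt.hex(), decode_8e(pkt), chip_rate_from_short_burst(400.0))
```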
So here we have four strings broken apart into eight lines, and these are for the A, B, C and D buttons of the transmitter, and then at the end of it you have a working signal that you can send.

You can also send this between devices, right? So here I'm transmitting as Morse code to my handheld radio, the Kenwood D74. Or you can use it for receiving, on the reverse engineering end. So there's a cute little black radio on the left that's a bit thicker but almost as small as my watch. You can buy these online from China and they arrive, and they just call them walkie-talkies, and they don't tell you what frequencies they use, and they're not externally programmable. But it'd be really handy to know what frequency it's on, because if no one else is using it, maybe that'd be cool, or maybe you want to move it over. So the watch in the middle is running a frequency counter application that tells me that the transmitting frequency is 450 megahertz, and the Kenwood on the right has found that it's actually 450.05 megahertz. This is really close, right? We're off by 50 kilohertz, and all the time of trying to guess what the frequency would be, of having to set up a waterfall and a software-defined radio, all of that can be skipped just by asking the wristwatch what frequency the transmitter next to it is running. I used this at BSides Knoxville in order to figure out what the frequency of the two-way radios they were using was, so that then I could call the staff on their own radios, having reverse engineered their frequencies without using a desktop or a software-defined radio or a laptop or anything heavy. The only tools that I used to reverse engineer this were my watch and my handheld.

You can also hit other items. So this is a doorbell that I've reverse engineered to be remote controlled by my wristwatch, and I can be sitting on the couch at home and just reach over, I knock the thing off and it ding-dongs, you know.

There's so many things that can be done with this platform once the basic problems of power management and radio access are solved, and all of those have been solved in this project. We have clean C source code that is well commented and well documented; the wiki explains how individual applications were written. The development environment is simple enough that you can now sit down and write a feature in the afternoon. Last Friday I implemented Shabbos mode for this, so you can actually turn off the keypad and the side button and have no buttons you might accidentally press that would change even a single transistor, until the reset button on the side is pressed to exit the mode. You can reverse engineer radio protocols and port them over, so any on-off keyed, 2-FSK or 4-FSK transmitter or receiver can be re-implemented on this platform, first quickly prototyped in Python and then re-implemented in standalone C. Isn't that nifty?

Okay, code is available on GitHub; the source code is available as well. The third revision of the watch will be arriving on Monday, which adds additional frequencies for the 900 megahertz band and the 300 megahertz band. Have at it. Thank you kindly.

This is Ruger. He's a very good dog. Another round for Ruger, please.

So I've finished with plenty of time to spare. Do we have any questions? Yes. Yeah, yeah. Okay, so I have no plans to manufacture this, but the license allows it. If Seeed Studio or anyone wants to manufacture this, they have my blessing. I made this as a hobby project because I thought it would be cool. I really enjoy designing electronics and building them at home, but I do not enjoy dealing with the hassles of manufacturing. If you want me to do that, you really have to pay me for that. So, but no, there are no preassembled boards available so far. If you can find a student who's good with soldering, or has the microscope eyes and the steady hands, you might also try fixing equipment problems, like if you have brighter lights, or if you have a better vise, or maybe you need more coffee or less whiskey, or those sorts of things. The soldering on this is rather difficult. It's 0201, which is American, not metric; it's not that bad, but it is two mils long and one mil wide for some of the smaller components. You will need very bright lights and steady hands and solder paste or a flux pen. Do not use lead-free solder. That's a communist conspiracy.

Any other questions? Oh, yes, sorry. The software: for now you should just be running everything from the git master. The software is backward compatible with every hardware release, so we've not broken hardware compatibility at all yet. The new boards that arrive Monday add better ground plane stitching, so the battery ought to work even as it gets lower, so the life will increase. And then the revision after that adds the wider radio bands, and that requires a different set of components.

Yes. So the question is, what battery lifetimes do I get with my typical usage? And the answer is that it varies by what I'm doing and by whether there are any hardware faults. So for example, I mis-soldered the resistor in one of my units, and then whenever I send a radio transmission, the radio transmission would be really squeaky quiet and the battery life would just drop off of a cliff. For units which do not have physical faults, I'm getting battery life on the order of two or three years. I think they no longer die from old age; when I have them die, it's because of a software bug or because I screwed up somewhere, and the software bugs are becoming fewer and further between. So, right. Thank you kindly.