MPUless Pebble

Joshua Wise edited this page Dec 19, 2016 · 4 revisions

It might come in handy to run your Pebble with the MPU (Memory Protection Unit) turned off. The MPU normally stops user apps and watchfaces from corrupting the system's memory, or doing other bad things (like messing with peripherals ... or flash memory). For instance, if you're reverse engineering, you might want to read peripheral control registers from a userspace app to figure out how the peripherals are programmed, without hacking the firmware each time you want to look at something. So, here is a Pebble firmware that has been hacked to disable the MPU... enjoy. (Bear in mind that with the MPU off, nothing stops a buggy app from scribbling over system RAM, so expect whole-watch crashes rather than tidy app faults.)


The MPU, by the way, is the standard (optional) ARMv7-M Memory Protection Unit found in Cortex-M3 and Cortex-M4 cores; its registers live at 0xE000_ED9x. You can read more about it in ARM's ARMv7-M Architecture Reference Manual. The crux of it is that the MPU control register (MPU_CTRL) lives at 0xE000_ED94, and the MPU is turned on by setting bit 0 (ENABLE) of that register. The Pebble firmware also sets bit 2 (PRIVDEFENA, which lets privileged code fall back to the default memory map for addresses no region covers), which is why the value it ORs in is 5.

Pre-hacked firmwares

If you'd just like to write user apps and you don't care about hacking your own firmware to do this, then no problem, grab the following:

First, install the mputest app on your watch, and run pebble logs. Launch the mputest app; nothing should happen on the watch, but in the log you should get something like:

[23:20:08] mputest.c:5> ok, here we go: can we prod at system RAM?
[23:20:08] ault_handling.c:97> App fault! {1bef8118-5c29-481f-a41a-3f74bab14803} PC: 0xd4 LR: 0xd5
Program Counter (PC)    : 0xd4       /Users/joshua/pebble-dev/mputest/build/../src/c/mputest.c:6
Link Register (LR)      : 0xd5       /Users/joshua/pebble-dev/mputest/build/../src/c/mputest.c:6

That's good news; it means that the MPU is turned on, and the Pebble has killed the app that tried to go scribbling all over system memory.

Next, install the hacked firmware -- download the .pbz, open it with your file explorer of choice on your phone, hand it to the Pebble app, and then hit the 'yes, I know this could be malicious' button. Your Pebble should give you one progress bar, then say 'complete', and then should reboot to a "pebble" screen with another progress bar. Go into Settings, System, Information, and confirm that you have a -nompu firmware. Then, run pebble logs again and launch the mputest app; you should get something like:

[23:41:10] mputest.c:5> ok, here we go: can we prod at system RAM?
[23:41:10] mputest.c:6> 0x20000000 = 20000018
[23:41:10] mputest.c:9> 0x20000000 is *now* 00000000

(Don't worry, it puts it back after it's done)

If so, you now have an MPU-free Pebble. Congratulations!


To hack a firmware to un-MPU it:

  • Unzip the firmware into a new directory: mkdir Pebble-4.3-nompu-snowy_dvt; cd Pebble-4.3-nompu-snowy_dvt; unzip ../Pebble-4.3-snowy_dvt.pbz
  • Load the tintin_fw.bin into a hex editor; change 'v4.3' at the end to 'v4.3-nompu'.
  • Load the firmware into your disassembler of choice (I used Hopper), and look for a reference to the MPU base address 0xE000ED90 (search for the little-endian hex string 90 ED 00 E0; it will sit in a literal pool). Find the xref to code. You'll find a load-modify-store pattern of something like ldr rn, =0xE000ED90; ldr rm, [rn, #4]; orr rm, rm, #5; str rm, [rn, #4] -- that is, read MPU_CTRL (offset 4 from the base), set ENABLE (bit 0) and PRIVDEFENA (bit 2), and write it back.
    • More info on loading into a disassembler elsewhere in this wiki.
    • We'll NOP out the orr, so the str writes MPU_CTRL back with the value it just read (0 at reset) and the MPU never gets turned on. The instruction encoding of the orr in snowy and bobby firmware is 43 f0 05 03 (Thumb-2 orr r3, r3, #5), which we'll change to nop; nop, or 00 bf 00 bf. Do not just search for 43 f0 05 03 in your hex editor -- there are lots of those around! Make sure you have the one reached from the 0xE000ED90 xref, and double-check the file offset against the disassembler's address before you edit.
  • Save it.
  • Grab MarSoft/pebble-firmware-utils: git clone
  • Pack up the new firmware: from the directory that you unzipped your firmware into, do something like ../../pebble-firmware-utils/ ../Pebble-4.3-nompu-snowy_dvt.pbz (changing paths appropriately).
    • Make sure to get all the "new stuff" in there: zip ../Pebble-4.3-nompu-snowy_dvt.pbz js_tooling.js
  • Upload your firmware for a model that you don't own to the web without testing it, and get someone else to install it on their watch.
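The xref-driven search above (find the 0xE000ED90 literal, walk back to the ldr that loads it, confirm the ldr/orr/str on MPU_CTRL, then NOP the orr) can be scripted so you never patch one of the many stray 43 f0 05 03 sequences. The following is an added example written for this page, not code from the wiki or from pebble-firmware-utils. Its assumptions are not stated on the page: the image's load address is 4-byte aligned (so file offsets stand in for addresses when resolving PC-relative loads), the load-modify-store sequence fits within 16 bytes after the literal load, and the version tag is followed by enough zero padding to hold the "-nompu" suffix. The sample image it builds is constructed for the example and is not a real firmware; it also decodes the orr immediate into MPU_CTRL bit names, covering the ENABLE/PRIVDEFENA point made earlier.

```python
"""Added example: find and NOP the MPU-enable orr in a Pebble tintin_fw.bin.

Not code from the Pebble wiki or from pebble-firmware-utils.  Assumptions: the
image loads at a 4-byte-aligned address (file offsets can resolve PC-relative
loads), the ldr/orr/str sequence sits within 16 bytes of the literal load, and
the version tag is followed by zero padding.  The sample image is constructed.
"""
import struct
import sys

MPU_BASE = 0xE000ED90              # MPU_TYPE; MPU_CTRL is at MPU_BASE + 4
MPU_CTRL_BITS = {0: "ENABLE", 1: "HFNMIENA", 2: "PRIVDEFENA"}
ORR_R3_R3_5 = b"\x43\xf0\x05\x03"  # the encoding the page warns you not to search for blindly
NOP_NOP = b"\x00\xbf\x00\xbf"


def hw16(fw, off):
    """Little-endian 16-bit Thumb halfword at file offset `off`."""
    return struct.unpack_from("<H", fw, off)[0]


def ldr_literal(fw, off):
    """Decode 16-bit `ldr Rt, [pc, #imm8*4]`; return (Rt, target offset) or None."""
    hw = hw16(fw, off)
    if hw & 0xF800 != 0x4800:
        return None
    rt, imm8 = (hw >> 8) & 7, hw & 0xFF
    return rt, ((off + 4) & ~3) + imm8 * 4   # Thumb PC = instr + 4, aligned down to 4


def match_enable_sequence(fw, start, rn, window=16):
    """Find `ldr rm,[rn,#4]; orr rm,rm,#imm; str rm,[rn,#4]` after `start`.

    rn holds MPU_BASE, so [rn, #4] is MPU_CTRL.  Returns (orr offset, imm) or None.
    """
    end = min(len(fw) - 1, start + window)
    rm, off = None, start
    while off < end:
        hw = hw16(fw, off)
        if rm is None:                                   # ldr rm,[rn,#4]: 0110 1 00001 Rn Rt
            if hw & 0xFFF8 == 0x6840 | (rn << 3):
                rm = hw & 7
        elif hw == 0xF040 | rm and off + 4 <= len(fw):   # orr.w rm,rm,#imm: i=0, S=0, Rn=rm
            hw2 = hw16(fw, off + 2)
            if hw2 >> 8 == rm:                           # imm3=0, Rd=rm; imm8 < 0x80 is the value
                imm = hw2 & 0xFF
                for soff in range(off + 4, end, 2):      # str rm,[rn,#4]: 0110 0 00001 Rn Rt
                    if hw16(fw, soff) == 0x6040 | (rn << 3) | rm:
                        return off, imm
                return None
        off += 2
    return None


def find_mpu_enable_sites(fw):
    """Every (orr offset, imm) reached through an xref to the 0xE000ED90 literal."""
    lit = struct.pack("<I", MPU_BASE)                    # the 90 ED 00 E0 bytes from the page
    sites = []
    for lit_off in range(0, len(fw) - 3, 4):
        if fw[lit_off:lit_off + 4] != lit:
            continue
        for off in range(max(0, lit_off - 1024), lit_off, 2):   # ldr literal reaches 1020 bytes
            dec = ldr_literal(fw, off)
            if dec and dec[1] == lit_off:
                site = match_enable_sequence(fw, off + 2, dec[0])
                if site:
                    sites.append(site)
    return sites


def patch_firmware(fw, old_tag=b"v4.3", new_tag=b"v4.3-nompu"):
    """Return (patched image, orr offset, names of the MPU_CTRL bits the orr set)."""
    fw = bytearray(fw)
    sites = find_mpu_enable_sites(fw)
    if len(sites) != 1:
        raise ValueError(f"expected exactly one MPU enable site, found {sites}")
    orr_off, imm = sites[0]
    bits = [MPU_CTRL_BITS.get(b, f"bit{b}") for b in range(8) if imm >> b & 1]
    fw[orr_off:orr_off + 4] = NOP_NOP      # str now writes MPU_CTRL back unchanged (0 at reset)
    vpos = fw.rfind(old_tag)
    tail = vpos + len(old_tag)
    if vpos < 0 or any(fw[tail:tail + len(new_tag) - len(old_tag)]):
        raise ValueError("version tag not found or no zero padding for the suffix")
    fw[vpos:vpos + len(new_tag)] = new_tag
    return bytes(fw), orr_off, bits


def build_sample():
    """Constructed stand-in for tintin_fw.bin; layout chosen for this example only."""
    img = b"\x00" * 4 + ORR_R3_R3_5 + b"\x00" * 8      # decoy orr at 0x04 with no MPU context
    img += struct.pack("<HH", 0x4A03, 0x6853)          # 0x10 ldr r2,[pc,#12]; 0x12 ldr r3,[r2,#4]
    img += ORR_R3_R3_5                                 # 0x14 orr r3,r3,#5 (ENABLE|PRIVDEFENA)
    img += struct.pack("<HHHH", 0x6053, 0x4770, 0, 0)  # 0x18 str r3,[r2,#4]; bx lr; padding
    img += struct.pack("<I", MPU_BASE)                 # 0x20 literal pool entry: 90 ED 00 E0
    img += b"v4.3" + b"\x00" * 12                      # 0x24 version tag plus zero padding
    return img


if __name__ == "__main__":
    fw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    out, off, bits = patch_firmware(fw)
    print(f"naive hits: {fw.count(ORR_R3_R3_5)}; real enable at 0x{off:x} sets {'|'.join(bits)}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(out)
```

Run it as `python patch_mpu.py tintin_fw.bin tintin_fw_nompu.bin` on the unzipped image, then repack with pebble-firmware-utils as above. The decoy in the sample is there to show why the naive byte search is wrong: the script sees two 43 f0 05 03 sequences but only patches the one it can trace back from the MPU literal. If it reports anything other than exactly one site, stop and look at the disassembly rather than guessing.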