Fitbit Data Recovery
Recovering data directly from a Fitbit without syncing the watch to a phone
A UK police force tasked us to recover the data from a Fitbit ALTA HR watch. The normal process of reading data from these devices is straightforward: simply sync the Fitbit with a mobile phone app. However, the syncing process alters the data on the Fitbit. As the watch was evidence in a major incident, the requirement was for Data Clinic to read the data directly from the watch, avoiding the syncing process and thus preserving the original data.
The data on Fitbit ALTA HR watches is held on a Cortex M4 chip, and a teardown of the device reveals that there are also JTAG ports on the Fitbit mainboard which are obfuscated by Fitbit and also 3 levels of security called RDP (Read Out Protection). These act as deterrents to those trying to reverse engineer the watch.
Rather than using JTAG, we gained access to the Fitbit data by using Serial Wire Debug techniques and hooked into several data lines to dump the data from the watch.
Successfully doing this allowed data from the Fitbit’s memory chip (the Cortex M4) to be dumped to an image file which could then be interrogated using forensics software. Also this method of data extraction allowed the syncing process to be used as the raw watch data had already been downloaded to an image file and could therefore be written back to the watch if necessary.
We believe this is ‘First’ ie. it’s never been achieved successfully anywhere in the UK before.
More About SWD and Data Recovery
Serial Wire Debug (SWD) is a 2-pin (SWDIO/SWCLK) electrical alternative JTAG interface that has the same JTAG protocol on top. SWD uses an ARM CPU standard bi-directional wire protocol, defined in the ARM Debug Interface v5. This enables the debugger to become another AMBA bus master for access to system memory and peripheral or debug registers.
The Debug Access Port (DAP) is split into two main control units. The Debug Port (DP) and the Access Port (AP), and the physical connection to the debugger is part of the DP. The DAP supports two types of access, Debug Port (DP) accesses and Access Port (AP) accesses. External device to communicate directly with Serial Wire Debug Port (SW-DP) over SWDIO/SCLK pins. And SW-DP in turn can access one or several Access Ports (APs) the give access to the rest of the system. The MEM-AP is important AP which provide a way to access all memory and peripheral registers residing on the internal AHB/APB buses.
