Patching Pulse Oximeter Firmware
10 days ago
- #firmware-patching
- #pulse-oximeter
- #reverse-engineering
- The article discusses reverse-engineering a Beurer PO 80 pulse oximeter, a consumer-grade medical device.
- The author initially used Ghidra to decompile the SpO2 Assistant software to understand the USB HID protocol but switched to dynamic analysis with a protocol sniffer.
- A Python tool was developed to fetch pulse and SpO2 data from the device.
- The device was disassembled, revealing a GigaDevice GD32F350RBT6 microcontroller and other components like a serial flash memory chip and an accelerometer.
- The author bypassed the microcontroller's flash readout protection using a known hardware vulnerability, which required bricking the original chip.
- After replacing the microcontroller with the correct model, the author patched the firmware to disable low-level protection and deep-sleep mode.
- The display functionality was reverse-engineered, and a method to draw custom images on the display was demonstrated using GDB scripts.
- Future work could involve exploiting potential vulnerabilities in the USB HID protocol or porting Doom to the device.