{"id":17880356,"url":"https://github.com/brainstorm/treadmill-re","last_synced_at":"2025-03-22T07:31:33.809Z","repository":{"id":159286592,"uuid":"634400309","full_name":"brainstorm/treadmill-re","owner":"brainstorm","description":"Reverse engineering a dumpster dive threadmill","archived":false,"fork":false,"pushed_at":"2024-11-16T10:38:14.000Z","size":53303,"stargazers_count":5,"open_issues_count":1,"forks_count":1,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-19T05:31:23.976Z","etag":null,"topics":["hardware","reverse-engineering","stm8","stm8s"],"latest_commit_sha":null,"homepage":"","language":"Assembly","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/brainstorm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-30T01:49:54.000Z","updated_at":"2025-01-23T11:25:57.000Z","dependencies_parsed_at":null,"dependency_job_id":"e32ad739-94a8-4fa7-b599-2b2b7d5b8218","html_url":"https://github.com/brainstorm/treadmill-re","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brainstorm%2Ftreadmill-re","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brainstorm%2Ftreadmill-re/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brainstorm%2Ftreadmill-re/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brainstorm%2Ftreadmill-re/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/brainstorm","download_url":"https://codeload.github.com/brainstorm/treadmill-re/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244925147,"owners_count":20532873,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hardware","reverse-engineering","stm8","stm8s"],"created_at":"2024-10-28T12:14:16.675Z","updated_at":"2025-03-22T07:31:28.797Z","avatar_url":"https://github.com/brainstorm.png","language":"Assembly","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Threadmill RE\n\nThis threadmill I found on the trash has two boards, let's call them: display and control. Both have STM8S ICs performing different functions. \n\nThe display board, other than displaying numbers on the display (via discrete SMD LEDs), has a [proprietary 2.4GHz radio module][pmicro_web] which supposedly communicated with **a remote control that was not present at the dumping site (street) :/** ... thus, we have a reason to reverse, fix and having this working again for desk workouts :)\n\n![threadmill](./img/threadmill.jpeg)\n\n## Dumping firmware\n\nDumping firmware is (luckily) very straightforward because there's no ROP (Read Out Protection), so there's [no need to glitch the target][stm8_glitch]. Current OpenOCD 0.12.x from Homebrew fails to connect to the target, [perhaps it's just outdated][openocd_fail]:\n\n```shell\nopenocd -f interface/stlink-dap.cfg -f target/stm8s105.cfg -c \"init\" -c \"reset halt\"\n```\n\nFortunately, [stm8flash][stm8flash] does the job just fine out of the box.\n\n### Display board\n\nSee actual file dumps under `display` folder in this repository. All interesting sections can be dumped with stm8flash successfully from its [`STM8S005K6T6C`][stm8s005k6t6c]:\n\n```shell\n% ./stm8flash -c stlinkv2 -p stm8s005k6 -s flash -r flash.bin\nDetermine FLASH area\nSTLink: v2, JTAG: v29, SWIM: v7, VID: 8304, PID: 4837\nDue to its file extension (or lack thereof), \"flash.bin\" is considered as RAW BINARY format!\nReading 32768 bytes at 0x8000... OK\nBytes received: 32768\n\n% ./stm8flash -c stlinkv2 -p stm8s005k6 -s eeprom -r eeprom.bin\nDetermine EEPROM area\nSTLink: v2, JTAG: v29, SWIM: v7, VID: 8304, PID: 4837\nDue to its file extension (or lack thereof), \"eeprom.bin\" is considered as RAW BINARY format!\nReading 128 bytes at 0x4000... OK\nBytes received: 128\n\n% ./stm8flash -c stlinkv2 -p stm8s005k6 -s ram -r ram.bin\nDetermine RAM area\nSTLink: v2, JTAG: v29, SWIM: v7, VID: 8304, PID: 4837\nDue to its file extension (or lack thereof), \"ram.bin\" is considered as RAW BINARY format!\nReading 2048 bytes at 0x0... OK\nBytes received: 2048\n```\n\n### Control/motor board\n\nDitto for the control board, which has a smaller cousin, the [`STM8S003F3P6`][stm8s003f3p6] microcontroller:\n\n```shell\n% ./stm8flash -c stlinkv2 -p stm8s003f3 -s flash -r flash.bin\nDetermine FLASH area\nSTLink: v2, JTAG: v29, SWIM: v7, VID: 8304, PID: 4837\nDue to its file extension (or lack thereof), \"flash.bin\" is considered as RAW BINARY format!\nReading 8192 bytes at 0x8000... OK\nBytes received: 8192\n\n% ./stm8flash -c stlinkv2 -p stm8s003f3 -s eeprom -r eeprom.bin\nDetermine EEPROM area\nSTLink: v2, JTAG: v29, SWIM: v7, VID: 8304, PID: 4837\nDue to its file extension (or lack thereof), \"eeprom.bin\" is considered as RAW BINARY format!\nReading 128 bytes at 0x4000... OK\nBytes received: 128\n\n% ./stm8flash -c stlinkv2 -p stm8s003f3 -s ram -r ram.bin\nDetermine RAM area\nSTLink: v2, JTAG: v29, SWIM: v7, VID: 8304, PID: 4837\nDue to its file extension (or lack thereof), \"ram.bin\" is considered as RAW BINARY format!\nReading 1024 bytes at 0x0... OK\nBytes received: 1024\n```\n\n## Analysis with radare2\n\nFrom the top level directory:\n\n```sh\n./r2/anal.sh [display|control]\n```\n\nDepending on which PCB's firmware you want to explore.\n\n[boot_attacks]: https://github.com/janvdherrewegen/bootl-attacks\n[pmicro_web]: https://pmicro.com.cn/en/mcurf_/21.html\n[stm8_glitch]: https://hackaday.com/2020/07/04/the-cheap-way-to-glitch-an-stm8-microcontroller/\n[stm8flash]: https://github.com/vdudouyt/stm8flash\n[openocd_fail]: https://github.com/hbendalibraham/stm8_started/issues/1#issuecomment-758252539\n[stm8s003f3p6]: https://www.st.com/en/microcontrollers-microprocessors/stm8s003f3.html\n[stm8s005k6t6c]: https://www.st.com/en/microcontrollers-microprocessors/stm8s005k6.html\n[stm8i2c_cool_writeup]: https://gist.github.com/TG9541/5c3405320794d91ef8129734a4bfc880\n[stm8_glitch_555]: https://hackaday.io/project/183537-dumping-firmware-with-a-555\n[stm8_getting_started]: https://github.com/hbendalibraham/stm8_started\n[stm8_svd]: https://github.com/gicking/STM8_headers/blob/master/SVD/STM8S003F3.svd\n[stm8_emulator]: https://github.com/mikechambers84/STM8-Emulator\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrainstorm%2Ftreadmill-re","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbrainstorm%2Ftreadmill-re","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrainstorm%2Ftreadmill-re/lists"}