Mediatek MT6261 ROM dumping via the vibration motor (sodnpoo.com)
86 points by sodnpoo on Feb 7, 2016 | 9 comments


The article links through to how the original iPod was ROM dumped, which I found interesting.

https://web.archive.org/web/20070126061215/http://ipodlinux....


Awesome, side channels for the win. That said, I'm really surprised that JTAG couldn't read out the ROM, in theory that is how you would program it. And given that you couldn't program it, if instead of a minimal USB driver you wrote a program that read a 16-bit word at a time from ROM and stored it in a static variable, you should be able to use the JTAG data watch function to stream out the words as you read them.


> That said, I'm really surprised that JTAG couldn't read out the ROM, in theory that is how you would program it.

I'm no embedded expert, but I would assume some devices let you write to them and upload new code using the JTAG interface, but still prevent you from reading if the author has signalled that he wants his code protected.

Quick DDGing seems to suggest this is indeed a vendor/chip-specific capability:

https://duckduckgo.com/?q=jtag+read+protection&t=ffsb


JTAG is pretty much only to test physical pins in production, everything else it does is just vendor extensions on top.

Most chips allow you to disable JTAG completely or prevent reading out the program, only erase it.


CHDK project [1] early on used to dump flashes of Canon cameras through their LEDs [2].

[1]: http://chdk.wikia.com/wiki/CHDK

[2]: http://chdk.wikia.com/wiki/Obtaining_a_firmware_dump#Hardwar...


The MT6261 is actually a full feature-phone SoC (includes a GSM modem); a bit odd to see it in a smartwatch with no actual phone functionality.

This is basically a form of PWM. https://en.wikipedia.org/wiki/Pulse-width_modulation#Telecom...


The MediaTek chipsets are the only thing out there if you need a lot of RAM with reasonable power consumption for cheap.


This is a delightful hack and was nicely written up. I love reading such articles. The URL is pretty great too :)


(thanks :) )



