Android Application Analysis - deuill/vector-watch-hacking GitHub Wiki
This page contains information on analyzing the Android application for Vector Watches, including any results as well as steps on how to replicate those results on your own.
Getting the APK
The easiest route is to download the APK via an online provider such as APKPure.
Alternatively, it is possible to download the APK directly from the device, provided you have enabled USB debugging and have adb installed:
adb pull $(adb shell pm path com.vectorwatch.android | cut -d: -f2 | tr -d '\r') com.vectorwatch.android.apk
This should write a file named com.vectorwatch.android.apk in the current folder.
De-obfuscating/Reverse-Engineering the APK
It's possible to open or extract the APK as a ZIP file; however, the results will most likely be rather underwhelming. Obtaining any kind of salient information requires that we de-obfuscate and de-compile the package and source code therein. Two applications make this possible:
- Apktool - De-obfuscates assets and decomposes code into Dalvik byte-code, a slightly more readable form of assembly.
- Jadx - Creates .java source files from byte-code. Essentially allows us to get more readable results from APK files, which may however be less complete or accurate than the original byte-code.
The idea is that we can decode the APK file downloaded with both tools in order to get both accurate results and the convenience of reading through readable source code (as readable as Java can get). The process is simple:
apktool decode -o VectorWatch.apktool VectorWatch_v2.0.1_apkpure.com.apk
jadx -d VectorWatch.jadx VectorWatch_v2.0.1_apkpure.com.apk
You should get two folders, VectorWatch.apktool and VectorWatch.jadx. You can combine these into one folder once you verify the results.
Next Steps
Fortunately, the APK contains bootloader and kernel binaries for both Luna and Meridian watches (called VECTOR_ROUND_(BOOT|KERNEL) and VECTOR_SQUARE_(BOOT|KERNEL), respectively). Apart from being in Base64 format, these are unfortunately compressed or encrypted, and cannot be de-compiled directly.
Two solutions arise:
- Assume that decompression/decryption happens in the app itself, and find out how to replicate it locally.
- Find the repository for online updates and hope those aren't compressed or encrypted.
Otherwise, we'll have to reverse-engineer the format and find out how to process it without using the watch itself.
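A first triage step for the Base64 blobs described above, as an added example that is not part of the original wiki or the Vector app: it decodes a blob, checks for well-known compression headers, and measures byte entropy. The function names, the 7.5 bits/byte threshold and the sample inputs are assumptions of this example; the Base64 text of a real blob has to be copied out of the decoded APK first.

```python
import base64
import math
import zlib
from collections import Counter

# Magic numbers of common compression containers (prefix -> name).
MAGIC = {
    b"\x1f\x8b": "gzip", b"BZh": "bzip2", b"\xfd7zXZ\x00": "xz",
    b"\x28\xb5\x2f\xfd": "zstd", b"\x04\x22\x4d\x18": "lz4", b"PK\x03\x04": "zip",
}
HIGH_ENTROPY = 7.5  # assumed heuristic threshold, bits per byte (maximum is 8.0)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_like_zlib(data: bytes) -> bool:
    """RFC 1950 header: method 8 (deflate), window <= 32K, 16-bit header % 31 == 0."""
    return (len(data) >= 2 and data[0] & 0x0F == 8 and data[0] >> 4 <= 7
            and int.from_bytes(data[:2], "big") % 31 == 0)

def triage(b64_text: str) -> dict:
    """Decode a Base64 blob and report whether a known compression header is present."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    fmt = next((name for magic, name in MAGIC.items() if raw.startswith(magic)), None)
    if fmt is None and looks_like_zlib(raw):
        fmt = "zlib"
    entropy = shannon_entropy(raw)
    if fmt:
        verdict = f"compressed ({fmt})"
    elif entropy >= HIGH_ENTROPY:
        # Entropy alone cannot separate ciphertext from headerless compression.
        verdict = "high entropy, no known header: encrypted or custom compression"
    else:
        verdict = "low entropy: probably plain code or data"
    return {"size": len(raw), "format": fmt, "entropy": round(entropy, 2), "verdict": verdict}

# Constructed sample inputs (not taken from the APK).
PLAIN = base64.b64encode(b"firmware " * 500).decode()
ZLIB = base64.b64encode(zlib.compress(b"firmware " * 500)).decode()
# Uniform byte histogram standing in for ciphertext: every value appears 16 times.
OPAQUE = base64.b64encode(bytes((i * 167 + 13) % 256 for i in range(4096))).decode()

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("zlib", ZLIB), ("opaque", OPAQUE)):
        print(name, triage(blob))
```

A recognised header means the blob can be unpacked with standard tools; a high-entropy result with no header is consistent with either of the two cases the page names and points back to the decompiled app code for the decoding routine.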