Unauthorized Access to Wireless Anker Prime Power Bank Through Bluetooth Channel
The world of smart devices has expanded to include power banks, and one such example is the Anker Prime Bluetooth-enabled 27650mAh model. While these devices offer features like real-time stats, smart charging, and even a 'find my power bank' feature, they also raise concerns about potential firmware hacking.
The power bank's internal components include a GD32F303 MCU, a Telink TLSR8253 BLE IC, and an ST7789 LCD. These components enable a range of functionalities, but they also make the device a target for hacking beyond basic battery management system (BMS) features.
Earlier firmware versions (before 1.6.2) of the power bank could be overwritten more easily, but from version 1.6.2 onwards, firmware updates are signed and require a valid signature to install, making unauthorized firmware replacement difficult without exploiting vulnerabilities.
Aaron Christophel, a security researcher, has taken it upon himself to reverse-engineer the communication protocol between the power bank and the Anker app, and has published an alternative to the Anker app on the project page. Because the BLE protocol is now documented and open-source alternatives exist, the device can be controlled and its data monitored without the official app.
However, hacking the firmware to add custom functionality beyond battery management (e.g., UPS features, enhanced charging protocols) requires significant hardware reverse engineering, working around cryptographic protections, and a deep understanding of embedded ARM firmware and BLE stacks. Resources including GitHub projects and community videos provide valuable starting points, but any modification carries risk of bricking the device or creating unsafe battery conditions.
One potential exploit could involve hacking the BLE and mobile app features to enable UPS-like functionality, but this would require bypassing cryptographic signature checks and potentially compromising vital battery safety features.
Opening the device is no easy task, as the power bank’s plastic case is tightly sealed and difficult to open without damage. Once opened, the firmware for both MCUs can be dumped from the external flash storage that keeps the firmware update files, although the bootloader itself is protected and stored internally. Despite signature checks for OTA updates, the external flash can potentially be overwritten in parts by exploiting unchecked size variables in the update process.
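To illustrate the failure mode just described, here is an added C example (not code from the Anker firmware or from Christophel's project) of an OTA chunk validator with the weak check beside the hardened one; the staging-region size, chunk size limit, header layout and function names are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout of an OTA staging area in external SPI flash; these
 * numbers are illustrative, not the real Anker Prime flash map. */
#define OTA_REGION_SIZE  0x40000u   /* 256 KiB staging area for update images */
#define MAX_CHUNK_LEN    256u       /* largest payload one BLE chunk may carry */

static uint8_t ext_flash[OTA_REGION_SIZE];  /* stand-in for the SPI flash */

/* Hypothetical OTA chunk header as received from the phone app. */
typedef struct {
    uint32_t offset;   /* destination offset inside the staging region */
    uint32_t length;   /* payload bytes that follow the header */
} ota_chunk_hdr_t;

/* Weak check: bounds only the length field and trusts the peer-supplied
 * offset. A chunk with a large offset, or one where offset+length wraps
 * past 2^32, passes and the later write lands outside the staging area. */
bool ota_chunk_ok_weak(const ota_chunk_hdr_t *h) {
    return h->length > 0 && h->length <= MAX_CHUNK_LEN;
}

/* Hardened check: every peer-controlled field is bounded, and the range
 * test is written as a subtraction so the arithmetic cannot overflow. */
bool ota_chunk_ok_checked(const ota_chunk_hdr_t *h) {
    if (h->length == 0 || h->length > MAX_CHUNK_LEN)
        return false;                              /* empty or oversized chunk */
    if (h->offset > OTA_REGION_SIZE - h->length)
        return false;                              /* end would leave the region */
    return true;
}

/* Write path of the hardened updater: refuse before touching flash.
 * Returns the number of bytes written, 0 when the chunk was rejected. */
uint32_t ota_write_chunk(const ota_chunk_hdr_t *h, const uint8_t *payload) {
    if (!ota_chunk_ok_checked(h))
        return 0;
    memcpy(&ext_flash[h->offset], payload, h->length);  /* in bounds by construction */
    return h->length;
}

/* Inspection helper: read one byte of the staging area, 0 if out of range. */
uint8_t ota_flash_peek(uint32_t off) {
    return off < OTA_REGION_SIZE ? ext_flash[off] : 0;
}
```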
In conclusion, while hacking the Anker Prime smart power bank is possible, it requires a high level of technical expertise and carries significant risks. Users should be cautious when considering such modifications, as they could potentially disable vital battery safety functions, leading to dangerous conditions.
- Smart devices now include products such as the Anker Prime Bluetooth-enabled power bank. Alongside features like real-time stats and smart charging, its internal components (the GD32F303 MCU and Telink TLSR8253 BLE IC) make it a target for hacking that goes beyond basic battery management system (BMS) features.
- Although the Anker Prime's tightly sealed plastic case makes it hard to open, firmware hacking remains possible: unchecked size variables in the update process can be exploited to overwrite parts of the external flash storage that keeps the firmware update files. That could enable custom functionality such as UPS features or enhanced charging protocols, but could also disable vital battery safety functions and lead to dangerous conditions.