Patching Pulse Oximeter Firmware

Summary

Recently, I came across relatively cheap medical devices: consumer-grade pulse oximeters. These devices clip onto your finger and shine a light through it. By analyzing the light transmitted through your finger, the device can infer your pulse and blood oxygen saturation. In this project, I specifically looked at the Beurer PO 80. This is a German-engineered medical device (according to the box) for less than $100 at reputable resellers. It has a USB port for connecting to a PC to view pulse and SpO2 in real-time and to download previously recorded data. PC Software These pulse oximeters are compatible with the free “SpO2 Assistant” software. This software seems to support a variety of different pulse oximeter models. It plots pulse and SpO2 data in real time, allows for exporting recorded data, and lets you configure some basic settings of the pulse oximeter like patient name (no idea why this would be necessary) or the current date and time. SpO2 Assistant software connects to the pulse oximeter via USB. First, I unpacked the SpO2 Assistant software and loaded it into Ghidra. My initial plan was to reverse-engineer the custom USB HID protocol that the Beurer PO 80 seems to use. Quickly, I stumbled upon embedded strings and a logo that makes me question the “German engineering” claim. But to be fair, the software was technically not part of the pulse oximeter itself. Embedded Chinese logo and strings in the SpO2 Assistant software. I soon realized that static decompilation is probably not the most effective way to understand the USB HID protocol. Instead, I connected the pulse oximeter and used a protocol sniffer to eavesdrop on the communication between device and PC software. With this dynamic analysis method and some trial-and-error, I was able to partly reverse-engineer the protocol. I wrote a Python tool that can initialize and fetch pulse and SpO2 data from the Beurer PO 80. Device Teardown As a next step, I took the pulse oximeter apart. It disassembles nice...