tl;dr: I bought a "for parts" spare of my watch (a Garmin Forerunner 245 Music) so I could tear it apart, identify the components inside, and document the results for others. In the process I found that 1. recent models of lower-tier Garmin watches are even harder to tear apart than previous models (which were already glued together) and 2. the electronics inside are 99% the same as more expensive tiers of Garmin watches. Identified components and their datasheets are available on my iFixit writeup.
I have a Garmin Forerunner 245 Music smartwatch (aka fr245m) that I'm using as a platform to practice some security research skills with the goal of eventually gaining arbitrary code execution (native code, not the discount Java that Garmin provides for writing watch apps). When I originally started on this project, I found an awesome article describing the process of finding memory corruption bugs in the virtual machine for apps on the fr235. Unfortunately for me, the size of the binary blobs I was pulling out of fr245m firmware updates (more about this process in future blog posts) did not match the internal flash or SRAM size of the author's expected processor (which they got from this teardown of the fr735xt). This seemed to indicate a change in platform from the fr235/fr735xt to the fr245m, so I went searching for teardowns of the fr245m. While I found some screen replacement videos on youtube and the FCC-ID listing does have internal photos, they're all sufficiently grainy/dim that not all of the components can be identified.
Knowing all the processors (and having their datasheets) isn't strictly necessary to reverse engineer the firmware blobs, but it would be helpful and I figured performing a teardown would be a fun way to contribute to iFixit anyways. After a couple weeks of camping the "for parts" page of ebay, I had a broken fr245m ordered from Lithuania for $50. Word on the street is the Forerunner 255 is coming soon released (after which the price for fr245m's should drop), but until then the "for parts" page is probably the cheapest option.
Eventually one broken watch arrived and I got to work. While I expected the internal components to be different from the fr735xt, I thought the teardown process would be similar. However, when I actually went to open the fr245m up I realized the watch face is structured differently and it probably wouldn't be as easy to reach the glue, or really any spot to pry the screen off. In the end I just cut the watch open.
With the help of some teardown videos for models similar to the fr735xt and my opened fr245m I could see why the fr245m is harder to open than the fr735xt. I felt like words and static pictures wouldn't do the explanation justice so I went to craft some 3D models. I started with OpenSCAD, but colors only work in preview mode (which itself is jank) so I found and switched to JSCAD. In addition to fixing the colors, I really like that I was able to add a slider so people can see how the watch face and watch body press together.
The Forerunner 735XT was released on May 11th, 2016, and the Forerunner 245 Music was released on April 30th, 2019 (source), so sometime between those dates Garmin modified the glue and watch face construction. As you can see in the 3D models, the new design has a U-shaped channel which goes all the way around the perimeter of the watch body that makes it harder to reach the glue both for prying and for softening via heating from the outside. I doubt the purpose of this change was to inhibit repairability; rather, I think the goal was likely to increase the reliability of the watch's waterproof rating (5 ATM, if you were curious).
Anyways, I managed to get the watch open and take pictures of the tiny components with my roommate's camera and macro lense setup. With the help of google and the discord for my university's electronics club (thanks Matt!), I was able to identify all of the major components. I ran out of time to do anything further during the semester, but last week I went back through and took better pictures of the teardown process and published it to iFixit.
Probably the most interesting result of my teardown is the comparison to teardowns of the Fenix series (5+ Sapphire, 6X Pro). The Fenix series are considered higher-end watches with more features, and teardowns for them are more abundant because the Fenix's aren't glued together but just use torx screws and an o-ring instead. Apart from differences for NFC/sensors/increased storage, ALL of the major components seem to be the exact same, including the ARM processors. While the pessimistic view is that Garmin could offer more software features on the lower-end watches but doesn't to increase their profits, the optimistic view is that sharing the development platform means cheaper watches get all the bugfixes that more expensive watches do (whereas they otherwise might be left to wither). Regardless, this surprise means I might be able to have some fun experimenting with Fenix features on the Forerunner 245 Music if I eventually get arbitrary code execution.
In the end I was successful in finding the processor datasheet for each binary blob that I have from the firmware upgrades. I'm looking forward to continuing to reverse the firmware enough to get my surroundings, find some bugs, get code execution, and hopefully end up with some cool blog posts or a conference talk as a result.
Disclaimer: While I did intern at Garmin for a summer, none of the information shared in this article comes from that experience.