COREDUMP #006: Pebble's Code is Free: 3 Former Pebble Engineers Discuss Why It's Important (PT. 2/2)

Apr 15, 2025

00:00 Episode Teasers & Welcome

01:22 Why Pebble’s Firmware Was Open (and Unsigned)

05:01 The Security Tradeoffs That Enabled Speed

11:00 The OTA Bug That Could Have Bricked Everything

15:26 Hacking Our Way Out with BLE Stack Overflow

17:47 Lessons Learned: Test Automation & Static Analysis

26:30 How Pebble Built a Developer Ecosystem

29:56 CloudPebble, Watchface Generator & Developer Tools

42:55 Backporting Pebble 3.0 to Legacy Hardware

49:02 The Bootloader Rewrite & Other Wild Optimizations

53:31 Simulators, Robot Arms & Debugging in CI

56:40 Firmware Signing, Anti-Rollback & Secure Updates

1:06:10 Coding in Rust? What We’d Do Differently Today

1:08:28 Where to Start with Open Source Pebble Development

In today’s Coredump Session, the team reunites to unpack the behind-the-scenes lessons from their time building firmware at Pebble. This episode dives into the risks, decisions, and sheer grit behind a near-disastrous OTA update—and the ingenious hack that saved a million smartwatches. It’s a candid look at the intersection of rapid development, firmware stability, and real-world consequences.

Key Takeaways:

  • Pebble’s open approach to developer access often came at the cost of security best practices, reflecting early startup trade-offs.
  • A critical OTA update bug almost bricked Pebble devices—but the team recovered using a clever BLE-based stack hack.
  • Lack of formal security measures at the time (e.g., unsigned firmware) unintentionally enabled recovery from a serious update failure.
  • Static analysis and test automation became top priorities following the OTA scare to prevent repeat incidents.
  • The story reveals how firmware constraints (like code size and inline functions) can lead to high-stakes bugs.
  • Investing in robust release processes—including version-to-version OTA testing—proved vital.
  • Real security risks included impersonation on e-commerce platforms and potential ransom via malicious OTA compromise.
  • The importance of "hiring your hackers" was humorously noted as a de facto security strategy.

Join the Interrupt Slack: https://interrupt-slack.herokuapp.com/

Listen to the Podcast: https://pod.link/1804647817/episode/13eead48f2ee89c86fedbebbd771f335

Other ways to listen:

Apple Podcasts: https://podcasts.apple.com/us/podcast/coredump-sessions/id1804647817

iHeartRadio: https://www.iheart.com/podcast/269-coredump-sessions-271043539/

Amazon Music: https://music.amazon.com/podcasts/a5a780d4-7f14-4ed8-bda6-dd1aa4e98479/coredump-sessions

GoodPods: https://goodpods.com/podcasts/coredump-sessions-668730

Castbox: https://castbox.fm/vh/6534689

Visit our website: https://www.memfault.com/