Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Reddit r/netsec

Reverse Engineering Garmin Watch Applications with Ghidra

  • What: Research on reverse engineering Garmin watch applications
  • Impact: Identifies vulnerabilities in Garmin VM opcodes

By Anvil Secure, February 25, 2026. By Luigi Fragale

Garmin smartwatches have quietly evolved into powerful embedded platforms. Beneath the fitness metrics, navigation features, and custom watch faces lies a proprietary Garmin Virtual Machine which executes third-party applications compiled from Garmin's Monkey C language. These applications are normally distributed through the Connect IQ Store, where .prg binaries are installed directly on the device. For reverse engineers, those .prg files present several challenges: an undocumented format, a custom virtual machine, and no native support in mainstream reverse-engineering tools.

In the previous Anvil research project, our Director of Research, Tao Sauvage, identified several vulnerabilities while going through Garmin VM opcodes and internal routines. His research provided insight into the Garmin VM's internals, opening room for further studies. During a Hammercon Capture The Flag event, a reverse engineering challenge involving a Garmin watch application (PRG) served as the spark that initiated the development of a new tool.

We are introducing a Ghidra processor definition and loader for Garmin watch applications, designed to analyze Garmin PRG binaries inside Ghidra with structured headers, disassembly, decompilation, and meaningful symbols. Check it out!

Put the GhidraGarminApp to Work in the 2025 HammerCon CTF

At Anvil, we like to turn one-off challenges into reusable tooling. To make the tool release more hands-on, we're also publishing the original 2025 HammerCon CTF challenge so you can take the GhidraGarminApp for a spin right away.

👉 Download the original 2025 HammerCon Garmin CTF file here: Garmax.zip

Think you've found the flag? Send it to ctf@anvilsecure.com and tell us how you got there 😊

Garmin Connect IQ Applications: What Are We Analyzing?
Garmin's Connect IQ platform allows developers to create applications that run directly on wearable devices and other Garmin hardware. These applications fall into several categories:

  • Watch Faces - custom home screens
  • Data Fields - additional metrics during activities
  • Widgets - glanceable information views
  • Watch Apps - full standalone applications
  • Device Apps - applications for Edge, Marine, and other devices

All of these are written in Monkey C, compiled using the Connect IQ SDK, and distributed to devices as .prg binaries. Currently, the Ghidra extension supports only Garmin Watch Applications; other types were not fully tested.

State of the Art

In his previous research, Tao Sauvage released a Kaitai Struct file for parsing and understanding the Garmin PRG binary format. Kaitai Struct is an excellent tool for describing and parsing binary formats, and it does an amazing job of capturing the high-level layout of Garmin PRG files. However, format parsing alone does not translate into a usable reverse-engineering workflow. It lacks references, context, functions, renaming, and annotations, which makes reverse engineering tedious and time-consuming.

This is where Ghidra fundamentally changes the equation. By defining a processor, instruction semantics, and a format-aware loader, Ghidra turns static layout knowledge into executable understanding, providing:

  • Instruction decoding and disassembly
  • Control-flow and cross-reference generation
  • Decompilation into higher-level logic
  • Data types that are directly referenced by code
  • A navigable program graph rather than a parsed file

A Garmin VM Processor Definition for Ghidra

To make Ghidra understand Garmin watch applications, this project introduces a new processor definition representing the Garmin virtual machine used by PRG binaries. Ghidra allows the creation of new processors using the SLEIGH specification language.
This makes it possible to describe instruction encodings, operand formats, registers, calling conventions, memory alignment, and instruction semantics used during decompilation. This processor definition allows Ghidra to correctly disassemble Garmin bytecode, associate opcodes with meaningful operations, and enable decompilation using the SLEIGH-defined semantics. While all opcodes are handled, not all of them are 100% semantically correct in the SLEIGH language. However, a decent level of semantics exists to allow real decompilation, even if the output is sometimes imperfect.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- See Relax specification: Ghidra/Framework/SoftwareModeling/data/languages/language_definitions.rxg -->
<language_definitions>
  <!-- Uncomment the following to make the language available in Ghidra -->
  <language processor="skel"
            endian="big"
            size="32"
            variant="default"
            version="1.0"
            slafile="garminvm.sla"
            processorspec="garminvm.pspec"
            id="GarminVM:BE:32:default">
    <description>Garmin Virtual Machine</description>
    <compiler name="default" spec="garminvm.cspec" id="default"/>
  </language>
</language_definitions>
```

The SLEIGH definition can be found in the SLASPEC folder...
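As an added example, not code from the original post or the GhidraGarminApp project, the following Python script parses a language definition like the one above and reports the consistency problems that commonly stop a new processor module from loading: referenced .sla/.pspec/.cspec files that are absent, and an id that does not follow Ghidra's processor:endian:size:variant naming convention. The sample definition, the file list passed in, and the check_ldefs function are constructed for this example.

```python
"""Added example (not from the original post or the GhidraGarminApp project):
sanity-check a Ghidra .ldefs language definition like the one quoted above."""
import xml.etree.ElementTree as ET

# Constructed sample: the definition quoted in the post, minus the comments.
SAMPLE_LDEFS = """<?xml version="1.0" encoding="UTF-8"?>
<language_definitions>
  <language processor="skel" endian="big" size="32" variant="default"
            version="1.0" slafile="garminvm.sla" processorspec="garminvm.pspec"
            id="GarminVM:BE:32:default">
    <description>Garmin Virtual Machine</description>
    <compiler name="default" spec="garminvm.cspec" id="default"/>
  </language>
</language_definitions>
"""

ENDIAN_TAGS = {"big": "BE", "little": "LE"}
ID_FIELDS = ("processor", "endian", "size", "variant")

def check_ldefs(xml_text, available_files):
    """Return a list of findings; empty when the definition looks consistent.
    available_files: file names in the module's data/languages directory,
    passed in so the check runs offline. The id check follows Ghidra's
    processor:endian:size:variant naming convention (a convention, not a
    hard requirement), so a mismatch there is reported as a note."""
    findings = []
    for lang in ET.fromstring(xml_text).iter("language"):
        lang_id = lang.get("id", "")
        # Every spec file the definition references must exist: the compiled
        # .sla, the .pspec, and the .cspec of each <compiler> entry.
        refs = [lang.get("slafile"), lang.get("processorspec")]
        refs += [c.get("spec") for c in lang.findall("compiler")]
        for ref in refs:
            if ref not in available_files:
                findings.append(f"{lang_id}: referenced file not found: {ref}")
        if not lang.findall("compiler"):
            findings.append(f"{lang_id}: no <compiler>; decompiler needs a cspec")
        # Compare the id's four parts with the attributes they are built from.
        parts = lang_id.split(":")
        wanted = [lang.get("processor"), ENDIAN_TAGS.get(lang.get("endian")),
                  lang.get("size"), lang.get("variant")]
        if len(parts) != 4:
            findings.append(f"{lang_id}: id needs four colon-separated parts")
            continue
        for field, got, want in zip(ID_FIELDS, parts, wanted):
            if got != want:
                findings.append(f"{lang_id}: note: id {field} '{got}' != attribute '{want}'")
    return findings

if __name__ == "__main__":
    print(*check_ldefs(SAMPLE_LDEFS, {"garminvm.sla", "garminvm.pspec"}), sep="\n")
```

Run against the quoted definition with only the .sla and .pspec present, it flags the missing garminvm.cspec and notes that the id prefix GarminVM differs from the processor attribute skel left over from Ghidra's skeleton module.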
