We can see three variants of dns requests - sg.flow.m5stack.com, flow.m5stack.com, 553b30325177.ngrok.io

This microcontroller (actually ESP32 smartwatch) was made by m5stack, it's programmable, and supports remote code execution, if you know the token.

ESP32 connects with server using MQTT proto, and you can spoof the token of device using mitm.

If you follow the link flow.m5stack.com, you will see, that is's quite easy to send remote command to smartwatch.

But you cannot the any output of lcd screen, this ray bad guy uses gnrok as a proxy to collect information about device.

Next step he tries to delete data on the smart watch and write "HACKED" on the lcd screen.