
Modifying BT Speaker firmware


Hello everyone. Hopefully this is the appropriate place to ask for help  :D

Long story short, I've extracted the firmware from a Chinese Bluetooth speaker, because I want to modify the terrible Chinese speaker voice prompts, along with the Bluetooth name of the speaker.

It's a tiny speaker, and before I go into depth, here's some background information:
- The MCU/main processing unit is an 'Anyka AK1052', which should be based on ARM architecture.
- The Bluetooth/FM chip is a: RDA/RDK 5876
- The firmware is stored on an EEPROM: GD25Q16B

After doing extensive research on a lot of Chinese websites I've found the manufacturer behind the firmware and speaker circuit/MCU. Apparently it's a custom firmware/operating system that's running on the board, which they call 'Spotlight10/Spotlight10C'.

- Analyzing the firmware dump, it's possible to find some different directory entries (BOOT, PROFILE, PROG, VOICE).
- Running binwalk on the firmware dump, I'm not able to find any signatures.
- Running the 'file' command on the firmware dump it interestingly comes up with the following: Apple DiskCopy 4.2 image , 3359642880 bytes, 0x2000 tag size, GCR CLV ssdd (400k), 0x0 format
- The Bluetooth speaker name can be found near the end of the firmware dump (BQ-615PRO) - Possibly it's just a matter of replacing the name here, to solve that.

I've not been able to come any further with this project, so hopefully someone can help me extract and/or replace the Chinese speaker voice. It would also be awesome to somehow be able to extract the whole operating system/firmware, just for the learning experience, however my main interest is really to replace the Chinese speaker voice and sounds.

I've attached the firmware dump and an entropy of the firmware dump. Thanks!  :)


Seems ambitious!

I found the following text at offset 0xE2BB0 in the firmware file ... 

"This doesn't look like a Speex file.....Speex header too small.."

So I'm guessing the voice samples are compressed with the Speex codec. I'll find the Speex documentation and see if I can find the actual voice samples.

Can you try changing the speaker name and reflash the EEPROM? If the speaker still works then we can assume that the firmware is not CRC checked (or similar); this means that you should be able to replace the voice samples too.
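One way to prepare the name-change test suggested above, as an added example that is not part of the original post: the patch overwrites the name in place so the image size and every other offset stay the same, then confirms that only the name field changed. The NUL padding and the sample image are assumptions; the thread does not say how the name field is terminated.

```python
FLASH_SIZE = 2 * 1024 * 1024  # GD25Q16B is a 16 Mbit (2 MiB) part

def patch_name(image, old, new, pad=b"\x00"):
    """Overwrite each occurrence of `old` with `new`, padded to len(old).

    Padding with NUL assumes the name is read as a C string; that is an
    assumption, not something the thread confirms.
    """
    if len(new) > len(old):
        raise ValueError("new name is longer than the original field")
    if old not in image:
        raise ValueError("original name not found")
    field = new + pad * (len(old) - len(new))
    out = bytearray(image)
    offsets, pos = [], image.find(old)
    while pos != -1:
        out[pos:pos + len(old)] = field
        offsets.append(pos)
        pos = image.find(old, pos + len(old))
    return bytes(out), offsets

def changed_offsets(a, b):
    """Offsets at which two equal-length images differ."""
    if len(a) != len(b):
        raise ValueError("image size changed")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def verify_patch(orig, patched, offsets, width):
    """True if size is unchanged and every changed byte lies in a patched field."""
    allowed = {o + k for o in offsets for k in range(width)}
    return len(patched) == len(orig) and set(changed_offsets(orig, patched)) <= allowed

if __name__ == "__main__":
    # Constructed stand-in for the dump: blank flash with the name near the end.
    img = bytearray(b"\xff" * FLASH_SIZE)
    img[-64:-55] = b"BQ-615PRO"
    patched, offs = patch_name(bytes(img), b"BQ-615PRO", b"MYSPKR")
    print([hex(o) for o in offs], verify_patch(bytes(img), patched, offs, 9))
```

Keep the untouched dump so it can be flashed back if the patched image does not boot.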

SilveSolder: Certainly! However I've been successful with these weird projects before, and even managed to change the boot logo on my Chinese headunit for my car. Took a lot of help, and even months. LOL.

neil555: I thought about doing that, just to make sure I wasn't gonna run into those kinda issues, but with experience from multiple other Chinese Bluetooth speakers, and a Chinese headunit, I've never had any issues with checksums or weird encoding. Even AllWinner closed-source firmware doesn't use any of that stuff. But it still certainly is a possibility.

Good find with the Speex codec! There's also a lot of mp3 file names, but how they're stored boggles me. Maybe it has something to do with the Speex codec.

--- Code: ---
Offset(h) 00       04       08       0C

000A03D0  C4938B00 626C7565 746F6F74 685F636E  Ä“‹.bluetooth_cn
000A03E0  2E6D7033 00636861 7267656F 6B5F636E  .mp3.chargeok_cn
000A03F0  2E6D7033 00636861 7267696E 672E6D70  .mp3.charging.mp
000A0400  3300636F 6E6E6563 7465645F 636E2E6D  3.connected_cn.m
000A0410  70330064 695F636E 2E6D7033 0064755F  p3.di_cn.mp3.du_
000A0420  636E2E6D 70330065 69676874 4D487A2E  cn.mp3.eightMHz.
000A0430  6D703300 65696768 745F636E 2E6D7033  mp3.eight_cn.mp3
000A0440  00666169 6C2E6D70 33006669 76654D48  .fail.mp3.fiveMH
000A0450  7A2E6D70 33006669 76655F63 6E2E6D70  z.mp3.five_cn.mp
000A0460  3300666D 5F636E2E 6D703300 666F7572  3.fm_cn.mp3.four
000A0470  4D487A2E 6D703300 666F7572 5F636E2E  MHz.mp3.four_cn.
000A0480  6D703300 6C696E65 696E5F63 6E2E6D70  mp3.linein_cn.mp
000A0490  33006C69 6E655F63 6E2E6D70 33006C6F  3.line_cn.mp3.lo
000A04A0  7374636F 6E6E6563 74696F6E 5F636E2E  stconnection_cn.
000A04B0  6D703300 6C6F7770 6F776572 5F636E2E  mp3.lowpower_cn.
000A04C0  6D703300 4D487A2E 6D703300 6D696372  mp3.MHz.mp3.micr
000A04D0  65632E6D 7033006E 696E654D 487A2E6D  ec.mp3.nineMHz.m
000A04E0  7033006E 696E655F 636E2E6D 7033006F  p3.nine_cn.mp3.o
000A04F0  6B2E6D70 33006F6E 654D487A 2E6D7033  k.mp3.oneMHz.mp3
000A0500  006F6E65 5F636E2E 6D703300 70616972  .one_cn.mp3.pair
000A0510  696E672E 6D703300 706F696E 745F636E  ing.mp3.point_cn
000A0520  2E6D7033 00726563 6F72642E 6D703300  .mp3.record.mp3.
000A0530  73657665 6E4D487A 2E6D7033 00736576  sevenMHz.mp3.sev
000A0540  656E5F63 6E2E6D70 33007369 784D487A  en_cn.mp3.sixMHz
000A0550  2E6D7033 00736978 5F636E2E 6D703300  .mp3.six_cn.mp3.
000A0560  74636172 645F636E 2E6D7033 00746872  tcard_cn.mp3.thr
000A0570  65654D48 7A2E6D70 33007468 7265655F  eeMHz.mp3.three_
000A0580  636E2E6D 70330074 776F4D48 7A2E6D70  cn.mp3.twoMHz.mp
000A0590  33007477 6F5F636E 2E6D7033 00756469  3.two_cn.mp3.udi
000A05A0  736B5F63 6E2E6D70 33007570 64617465  sk_cn.mp3.update
000A05B0  5F636E2E 6D703300 7A65726F 4D487A2E  _cn.mp3.zeroMHz.
000A05C0  6D703300 7A65726F 5F636E2E 6D703300  mp3.zero_cn.mp3.
--- End code ---
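The layout visible in the dump above, as an added example that is not part of the original post: the names are NUL-terminated strings packed back to back, so a short script can list each name with its absolute offset and show where a contiguous run of names starts and ends. It goes slightly beyond the dump by also splitting the results into separate runs when a gap appears; the function names are hypothetical and the sample bytes are typed in from the first five rows of the dump.

```python
import re

# Bytes typed in from the hex dump in the post above (0xA03D0-0xA041F);
# a constructed excerpt, not the full firmware image.
BASE = 0x000A03D0
EXCERPT = bytes.fromhex(
    "C4938B00 626C7565 746F6F74 685F636E"
    "2E6D7033 00636861 7267656F 6B5F636E"
    "2E6D7033 00636861 7267696E 672E6D70"
    "3300636F 6E6E6563 7465645F 636E2E6D"
    "70330064 695F636E 2E6D7033 0064755F"
)

# A name is a short run of filename characters ending in ".mp3" plus a NUL.
NAME_RE = re.compile(rb"[A-Za-z0-9_-]{1,32}\.mp3\x00")

def find_names(blob, base=0):
    """Return [(absolute_offset, name)] for every NUL-terminated *.mp3 name."""
    return [(base + m.start(), m.group()[:-1].decode("ascii"))
            for m in NAME_RE.finditer(blob)]

def group_tables(entries):
    """Split entries into runs where each name starts right after the previous NUL."""
    tables, current, expected = [], [], None
    for off, name in entries:
        if current and off != expected:
            tables.append(current)
            current = []
        current.append((off, name))
        expected = off + len(name) + 1  # +1 for the terminating NUL
    if current:
        tables.append(current)
    return tables

if __name__ == "__main__":
    for table in group_tables(find_names(EXCERPT, BASE)):
        start = table[0][0]
        end = table[-1][0] + len(table[-1][1]) + 1
        print(f"table 0x{start:06X}-0x{end:06X}: {len(table)} names")
        for off, name in table:
            print(f"  0x{off:06X}  {name}")
```

On a full dump, pass the file contents with `base=0`; the bytes just before and after each run are the places to look for whatever links a name to its audio data.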


Interesting with the head unit!  - I don't want to divert the thread, but I also have a head unit in my car where I'd like to change the wallpaper background...  maybe not a totally unrealistic project with enough detective work?  :D

I'll be following this and see how you get on, it is definitely going to take some special leaps!

