Author Topic: Modifying BT Speaker firmware  (Read 5456 times)


Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Modifying BT Speaker firmware
« on: May 22, 2021, 10:21:42 am »
Hello everyone. Hopefully this is the appropriate place to ask for help  :D

Long story short, I've extracted the firmware from a Chinese Bluetooth speaker, because I want to modify the terrible Chinese speaker voice prompts, along with the Bluetooth name of the speaker.

It's a tiny speaker, and before I go into depth, here's some background information:
- The MCU/main processing unit is an 'Anyka AK1052', which should be based on the ARM architecture.
- The Bluetooth/FM chip is an RDA/RDK 5876
- The firmware is stored on an eeprom: GD25Q16B

After doing extensive research on a lot of Chinese websites I've found the manufacturer behind the firmware and speaker circuit/MCU. Apparently it's a custom firmware/operating system that's running on the board, which they call 'Spotlight10/Spotlight10C'.


- Analyzing the firmware dump, it's possible to find some different directory entries (BOOT, PROFILE, PROG, VOICE).
- Running binwalk on the firmware dump, I'm not able to find any signatures.
- Running the 'file' command on the firmware dump, it interestingly comes up with the following: Apple DiskCopy 4.2 image, 3359642880 bytes, 0x2000 tag size, GCR CLV ssdd (400k), 0x0 format
- The Bluetooth speaker name can be found near the end of the firmware dump (BQ-615PRO). Possibly it's just a matter of replacing the name here to solve that.

I've not been able to come any further with this project, so hopefully someone can help me extract and/or replace the Chinese speaker voice. It would be awesome also to somehow be able to extract the whole operating system/firmware, just for the learning experience; however, my main interest is really to replace the Chinese speaker voice and sounds.

I've attached the firmware dump and an entropy plot of the firmware dump. Thanks!  :)
 

Offline SilverSolder

  • Super Contributor
  • Posts: 6126
  • Country: 00
Re: Modifying BT Speaker firmware
« Reply #1 on: May 22, 2021, 06:13:23 pm »

Seems ambitious!
 

Offline neil555

  • Contributor
  • Posts: 40
  • Country: gb
Re: Modifying BT Speaker firmware
« Reply #2 on: May 22, 2021, 09:02:39 pm »
I found the following text at offset 0xE2BB0 in the firmware file ...

"This doesn't look like a Speex file.....Speex header too small.."

So I'm guessing the voice samples are compressed with the Speex codec. I'll find the Speex documentation and see if I can find the actual voice samples.

Can you try changing the speaker name and reflashing the eeprom? If the speaker still works then we can assume that the firmware is not CRC checked (or similar); this means that you should be able to replace the voice samples too.
« Last Edit: May 22, 2021, 09:04:57 pm by neil555 »
 
The following users thanked this post: Crawlie69

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #3 on: May 23, 2021, 08:07:52 am »
SilverSolder: Certainly! However, I've been successful with these weird projects before, and even managed to change the boot logo on my Chinese head unit for my car. Took a lot of help, and even months. LOL.

neil555: I thought about doing that, just to make sure I wasn't gonna run into those kinds of issues, but with experience from multiple other Chinese Bluetooth speakers, and a Chinese head unit, I've never had any issues with checksums or weird encoding. Even AllWinner closed-source firmware doesn't use any of that stuff. But it still certainly is a possibility.

Good find with the Speex codec! There's also a lot of mp3 file names, but how they're stored boggles me. Maybe it has something to do with the Speex codec.

Code:
Offset(h) 00       04       08       0C

000A03D0  C4938B00 626C7565 746F6F74 685F636E  Ä“‹.bluetooth_cn
000A03E0  2E6D7033 00636861 7267656F 6B5F636E  .mp3.chargeok_cn
000A03F0  2E6D7033 00636861 7267696E 672E6D70  .mp3.charging.mp
000A0400  3300636F 6E6E6563 7465645F 636E2E6D  3.connected_cn.m
000A0410  70330064 695F636E 2E6D7033 0064755F  p3.di_cn.mp3.du_
000A0420  636E2E6D 70330065 69676874 4D487A2E  cn.mp3.eightMHz.
000A0430  6D703300 65696768 745F636E 2E6D7033  mp3.eight_cn.mp3
000A0440  00666169 6C2E6D70 33006669 76654D48  .fail.mp3.fiveMH
000A0450  7A2E6D70 33006669 76655F63 6E2E6D70  z.mp3.five_cn.mp
000A0460  3300666D 5F636E2E 6D703300 666F7572  3.fm_cn.mp3.four
000A0470  4D487A2E 6D703300 666F7572 5F636E2E  MHz.mp3.four_cn.
000A0480  6D703300 6C696E65 696E5F63 6E2E6D70  mp3.linein_cn.mp
000A0490  33006C69 6E655F63 6E2E6D70 33006C6F  3.line_cn.mp3.lo
000A04A0  7374636F 6E6E6563 74696F6E 5F636E2E  stconnection_cn.
000A04B0  6D703300 6C6F7770 6F776572 5F636E2E  mp3.lowpower_cn.
000A04C0  6D703300 4D487A2E 6D703300 6D696372  mp3.MHz.mp3.micr
000A04D0  65632E6D 7033006E 696E654D 487A2E6D  ec.mp3.nineMHz.m
000A04E0  7033006E 696E655F 636E2E6D 7033006F  p3.nine_cn.mp3.o
000A04F0  6B2E6D70 33006F6E 654D487A 2E6D7033  k.mp3.oneMHz.mp3
000A0500  006F6E65 5F636E2E 6D703300 70616972  .one_cn.mp3.pair
000A0510  696E672E 6D703300 706F696E 745F636E  ing.mp3.point_cn
000A0520  2E6D7033 00726563 6F72642E 6D703300  .mp3.record.mp3.
000A0530  73657665 6E4D487A 2E6D7033 00736576  sevenMHz.mp3.sev
000A0540  656E5F63 6E2E6D70 33007369 784D487A  en_cn.mp3.sixMHz
000A0550  2E6D7033 00736978 5F636E2E 6D703300  .mp3.six_cn.mp3.
000A0560  74636172 645F636E 2E6D7033 00746872  tcard_cn.mp3.thr
000A0570  65654D48 7A2E6D70 33007468 7265655F  eeMHz.mp3.three_
000A0580  636E2E6D 70330074 776F4D48 7A2E6D70  cn.mp3.twoMHz.mp
000A0590  33007477 6F5F636E 2E6D7033 00756469  3.two_cn.mp3.udi
000A05A0  736B5F63 6E2E6D70 33007570 64617465  sk_cn.mp3.update
000A05B0  5F636E2E 6D703300 7A65726F 4D487A2E  _cn.mp3.zeroMHz.
000A05C0  6D703300 7A65726F 5F636E2E 6D703300  mp3.zero_cn.mp3.
 

Offline SilverSolder

  • Super Contributor
  • Posts: 6126
  • Country: 00
Re: Modifying BT Speaker firmware
« Reply #4 on: May 23, 2021, 10:49:11 am »

Interesting with the head unit!  - I don't want to divert the thread, but I also have a head unit in my car where I'd like to change the wallpaper background...  maybe not a totally unrealistic project with enough detective work?  :D

I'll be following this and see how you get on, it is definitely going to take some special leaps!
 

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #5 on: May 23, 2021, 11:01:37 am »
I never actually had any experience with eeproms or firmware. Hell, I barely knew Linux, and thought 'It can't be that hard'. I was totally wrong. Extracted the eeprom from the head unit and found loads of interesting stuff browsing around with a hex editor. That's also where I learned to use binwalk, because I thought I would be able to just find the boot logo that way. Turned out it was a much bigger process. A really nice Australian guy had already written a whole program to extract the filesystem, which was a MINFS filesystem (pretty rare, and not really much documentation out there about it), but even after extracting the filesystem, the BMPs were compressed in a very weird manner which we really couldn't figure out. Took a long time to make a custom BMP with similar compression and merge it into the firmware.

I'll happily do a write-up for you, explaining in depth how we did it, but I'd really recommend you identify all the particular components of your head unit, along with extracting the firmware, and then analyze it as best as you can. After all your work, you should post your results, and then I'm sure some nice people can help you in the right direction  :D

- It's a really fun project, and honestly so rewarding every time I start my car. Especially because a lot of people on different forums told me it wasn't possible  ;D
 

Offline SilverSolder

  • Super Contributor
  • Posts: 6126
  • Country: 00
Re: Modifying BT Speaker firmware
« Reply #6 on: May 23, 2021, 11:12:04 am »
Anything is possible if you get stubborn enough, and spend enough time on it.   It is obviously not economically viable, but as a hobby - is it really worse than stamp collecting or train spotting, LOL!  :D    This seems similar to solving a very large and complicated puzzle...
 

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #7 on: May 23, 2021, 11:26:00 am »
Quote from SilverSolder:
Anything is possible if you get stubborn enough, and spend enough time on it.   It is obviously not economically viable, but as a hobby - is it really worse than stamp collecting or train spotting, LOL!  :D    This seems similar to solving a very large and complicated puzzle...

Yup! Some would call it a rabbit hole LOL  :D  - But honestly, I also found it really interesting and a great learning experience. I learned a lot about firmware, filesystems, eeproms, compression, etc. But I also learned a lot about the manufacturing process, and the reasons behind different hardware and firmware choices, etc. Really happy I did it, even though it took way too much time LOL.

Even though these projects, as you've stated, aren't economically viable, I think the reverse engineering puzzle is very valuable and teaches you a lot about mass production, and some of the choices the developers have to make in terms of both hardware and firmware... And then I'm certainly too stubborn to give up on these 'stupid' projects that most wouldn't even bother messing around with  :-DD


 
The following users thanked this post: SilverSolder

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #8 on: May 23, 2021, 02:49:11 pm »
Quote from neil555:
Can you try changing the speaker name and reflashing the eeprom? If the speaker still works then we can assume that the firmware is not CRC checked (or similar); this means that you should be able to replace the voice samples too.

Hi again. I've replaced the speaker name successfully. Everything worked out great, so I'm really stoked about that. If I'm able to replace those voice prompts then, it'll make for a great board to use for a custom speaker project. I'm actually doing this for a family member, so it would be awesome to get done  :D
 

Offline neil555

  • Contributor
  • Posts: 40
  • Country: gb
Re: Modifying BT Speaker firmware
« Reply #9 on: May 23, 2021, 08:04:57 pm »
I had a look through the firmware dump and can't find any valid Speex encoded data; there's something at offset 0x58468 which has an "OggS" header but I couldn't decode it with the Speex decoder app.

I'm guessing that this device can play Speex files from SD card and also maybe record too (assuming the device has a microphone), though no doubt this firmware is used in many other devices.

As for the voice samples, they could be encoded with Speex but stored in flash with no headers, but given this thing can also play MP3/WMA/FLAC/G711 etc. then they could have used any of them.

How many seconds of audio are present in the device? I'm assuming "The bluetooth device is ready to pair" and "The bluetooth device is connected successfully" (based on a few devices I have). Knowing how much audio there is may help to locate it.

 

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #10 on: May 24, 2021, 07:06:34 pm »
Well, I wouldn't be able to tell you exactly how many seconds of audio are present, but it is the pretty standard format as you've already named. With the help of the Australian guy, I've got the extracted files along with the offsets and sizes (mp3files_2.txt) :D I've attached them below. Then it's just a matter of figuring out how the files are encoded, I suppose.
 

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #11 on: May 26, 2021, 02:51:10 pm »
Quote:
"The firmware might be based on Anyka's Spotlight10 BaseLine and Media Development Kit which uses ARM Development Suite (ADS) Version 1.2 for AK10 MCUs."
- Quote from some random site I strolled upon. Perhaps it's possible to use the 'ARM Development Suite' to disassemble the firmware?
 

Offline neil555

  • Contributor
  • Posts: 40
  • Country: gb
Re: Modifying BT Speaker firmware
« Reply #12 on: May 26, 2021, 10:02:44 pm »
I had a look at those "mp3's" but they are definitely not mp3s. I compared the data with quite a few other formats (msadpcm, speex, mp4, 8-bit alaw and ulaw) and it's not any of those either.

I *think* it's some sort of ADPCM variant which stores the data in packets. The packet size seems to be 74 bytes (if you view the files in a hex editor with the width set to 74 bytes per line then each line starts with 0x9c 0x31 0x21, presumably some sort of header).

I also attached a visualization of the bluetooth_cn file as 8-bit greyscale data with a modulo of 74 bytes.

Hopefully someone might recognize the format; I'll keep digging when I get some time.

 
« Last Edit: May 26, 2021, 10:12:35 pm by neil555 »
 
The following users thanked this post: Crawlie69

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #13 on: May 27, 2021, 11:46:41 am »
Nice work Neil. Thank you  :D
 

Offline neil555

  • Contributor
  • Posts: 40
  • Country: gb
Re: Modifying BT Speaker firmware
« Reply #14 on: May 27, 2021, 05:11:50 pm »
I finally tracked down the format ...

The data is stored in Bluetooth SBC format (which is indeed ADPCM)

To decode the files you can use sbcdec (install the sbc-tools package in Linux). So far I haven't found a Windows version of these tools.
You can use sbcenc to encode new data and sbcinfo will give you information on the file (sample rate etc).

Note sbcdec decodes the file into .snd format.

If you ensure that your new samples are the same length as (or shorter than) the originals then you should be able to replace the original data in the firmware (if your new samples are shorter then pad with 0s to the original length). If your new samples are longer then you will also need to patch the offset table.

Hope this helps  :)
« Last Edit: May 27, 2021, 06:00:54 pm by neil555 »
 
The following users thanked this post: SilverSolder, fzabkar, Crawlie69

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #15 on: May 27, 2021, 07:32:05 pm »
Wow Neil! I'm really amazed at your work. Incredible how you solved the problem so fast! Multiple very competent people I've spoken with have not been able to identify the format of the files.

Thank you very, very much! I really appreciate it.

I will give an update once I've successfully replaced some of the audio. Again, thank you so much!! :-+  ;D
 

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #16 on: May 28, 2021, 01:49:49 pm »
Hey Neil - Can you run me through an example of using sbcdec? No matter what or how I try, it seems like it wants me to specify an output file, and even if I then make an empty file and use the -f command I cannot make it work.  :D
 

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #17 on: May 28, 2021, 01:59:44 pm »
Got it working. Oddly enough I had to decode them as follows: sudo sbcdec -f bluetooth_cn_decoded bluetooth_cn

bluetooth_cn being the file I want to decode, and bluetooth_cn_decoded being the output file. It seems to have worked though, as the output file is larger in size, and I'm actually able to play the sound.


Looking at sbcenc is even more confusing though. I tried encoding one of the decoded files, but haven't been successful.  ;D
 

Offline neil555

  • Contributor
  • Posts: 40
  • Country: gb
Re: Modifying BT Speaker firmware
« Reply #18 on: May 29, 2021, 05:39:05 pm »
Hmmm, dunno why you needed to use sudo to run sbcdec; I was using Linux Mint and it just worked!

To decode a file ...

sbcdec -f outfile.snd infile.sbc  (or infile.mp3 if using the extracted files from the firmware)

To re-encode the files after decoding ....

sbcenc -v -s 8 -B 16 -b 33 infile.snd >outfile.sbc


The files produced when decoding or used for encoding are in .snd format (16-bit big-endian PCM). Cooledit (Windows) can load and save in this format, however Audacity can't. If using Audacity then I would recommend converting the .snd files into .wav (to play the decoded files) and converting from .wav to .snd (for encoding).

To install sox ...

sudo apt-get install sox

To convert from .wav to .snd ...

sox infile.wav outfile.snd

To convert from .snd to .wav ...

sox infile.snd outfile.wav


 
 
The following users thanked this post: Crawlie69

Online fzabkar

  • Super Contributor
  • Posts: 2221
  • Country: au
Re: Modifying BT Speaker firmware
« Reply #19 on: May 29, 2021, 08:03:38 pm »
There is an "official" Windows encoder/decoder tool which converts between WAV (RIFF) and SBC formats (found by "HaQue" in a related thread).

https://files.catbox.moe/29l4kd.zip
https://habr.com/en/post/456182/

This command decodes all the ".mp3" files in the current directory and saves them as WAV files in the Decoded subdirectory:

Code:
for %i in (*.mp3) do sbc_decoder -v -oDecoded\%i.wav %i
The "-v" switch (verbose) is optional.

Sample output:

Code:
SBC Decoder LIB Version 1.5
Copyright (c) 2002  Philips Consumer Electronics, ASA Labs

sbc_info: pos: 0 fs: 16000 blk_len:  16 mode: 0 channels: 1 snr: 0 bands: 8 pool: 33
bitpool =     33
frmlen  =     74 bytes
bitrate =  74.00 kbps
Decoded frames: 99

Code:
9.4.4.1 Reference SBC Encoder Version 1.5
Usage:
sbc_encoder [-jsv] [-lblk_len] [-nsubbands] [-p] [-rrate] [-ooutputfile] inputfile
[-s] use the stereo mode for stereo signals
[-v] verbose mode
[-j] enables the use of joint coding for stereo signals
[-lblk_len] blk_len specifies the APCM block length, out of [4,8,12,16]
[-nsubbands] subbands specifies the number of subbands, out of [4,8]
[-p] a simple psycho acoustic model is used (preferred)
[-rrate] specifies the bit rate in bps
[-ooutputfile] specifies the name of the bitstream output file inputfile specifies the audio input file, the major audio formats are supported
Example:
sbc_encoder -j -n8 -l16 -p -r279000 -ofile.sbc file.wav

Code:
9.4.4.2 Reference SBC Decoder Version 1.5
Usage:
sbc_decoder [-v] [-ooutputfile] [-pstartpos] inputfile
[-v] verbose mode
[-pstartpos] startpos specifies the byte offset to start with decoding
[-ooutputfile] specifies the name of the audio output file inputfile specifies the name of the bitstream input file
Example:
sbc_decoder -ofile.sbc_dec file.sbc
« Last Edit: May 29, 2021, 08:09:26 pm by fzabkar »
 
The following users thanked this post: neil555, Crawlie69
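An added example of my own (not code from the thread, from Anyka, or from sbc-tools) tying together neil555's findings in replies #12 and #14 and the sbc_info line above: it decodes the SBC frame header the prompts start with (9c 31 21), walks a prompt frame by frame, gives its playing time, and splices a re-encoded prompt back into the image under the rule that it must be the same length or shorter (zero-padded), never longer without patching the offset table. The sample bytes are constructed; the slot offset and size are assumed to come from the user's own offset table (mp3files_2.txt).

```python
# Added example: parse the SBC frames the thread found in the voice prompts and
# splice a re-encoded prompt back into the image under neil555's length rule.
from dataclasses import dataclass

SBC_SYNC = 0x9C
SAMPLE_RATES = (16000, 32000, 44100, 48000)  # 2-bit header field -> Hz
BLOCK_COUNTS = (4, 8, 12, 16)                # 2-bit header field -> blocks

@dataclass(frozen=True)
class SbcHeader:
    sample_rate: int
    blocks: int
    mode: int      # 0 mono, 1 dual channel, 2 stereo, 3 joint stereo
    snr: int       # 0 loudness allocation, 1 SNR allocation
    subbands: int  # 4 or 8
    bitpool: int

    @property
    def frame_len(self) -> int:
        """A2DP SBC frame size: 4-byte header + scale factors + ceil(payload bits / 8)."""
        ch = 1 if self.mode == 0 else 2
        if self.mode in (0, 1):  # mono / dual channel: bitpool bits per channel
            bits = self.blocks * ch * self.bitpool
        else:                    # stereo / joint stereo: shared bitpool, +1 bit per subband for joint
            bits = self.blocks * self.bitpool + (self.subbands if self.mode == 3 else 0)
        return 4 + (4 * self.subbands * ch) // 8 + -(-bits // 8)

def parse_header(buf: bytes, pos: int = 0) -> SbcHeader:
    """Decode bytes 0-2 of a frame header (byte 3 is the CRC-8, not verified here)."""
    if buf[pos] != SBC_SYNC:
        raise ValueError(f"no SBC sync byte at offset {pos:#x}")
    h = buf[pos + 1]
    return SbcHeader(SAMPLE_RATES[h >> 6], BLOCK_COUNTS[(h >> 4) & 3],
                     (h >> 2) & 3, (h >> 1) & 1, 8 if h & 1 else 4, buf[pos + 2])

def walk_frames(stream: bytes) -> tuple[SbcHeader, int]:
    """Count back-to-back frames; stops at the first non-sync byte (the zero padding)."""
    first, pos, count = parse_header(stream), 0, 0
    while pos + 4 <= len(stream) and stream[pos] == SBC_SYNC:
        hdr = parse_header(stream, pos)
        if hdr != first or pos + hdr.frame_len > len(stream):
            raise ValueError(f"inconsistent or truncated frame at offset {pos:#x}")
        pos, count = pos + hdr.frame_len, count + 1
    return first, count

def duration_seconds(hdr: SbcHeader, frames: int) -> float:
    """Each frame carries blocks * subbands PCM samples per channel."""
    return frames * hdr.blocks * hdr.subbands / hdr.sample_rate

def splice_prompt(image: bytes, offset: int, orig_len: int, new_sbc: bytes) -> bytes:
    """Overwrite one prompt slot in the firmware image, zero-padding to the original size."""
    if len(new_sbc) > orig_len:
        raise ValueError("new prompt longer than its slot: the offset table would need patching")
    return image[:offset] + new_sbc + bytes(orig_len - len(new_sbc)) + image[offset + orig_len:]

# Constructed sample: three frames with the thread's header bytes (9c 31 21) and empty payload.
FRAME = bytes([SBC_SYNC, 0x31, 0x21, 0x00]) + bytes(70)
SAMPLE_PROMPT = FRAME * 3 + bytes(6)  # trailing zero padding, as seen in flash
```

With the header bytes from the thread, frame_len comes out at 74 and the 99 decoded frames in the sbc_info output correspond to 0.792 s of 16 kHz mono audio.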

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #20 on: May 30, 2021, 05:13:17 pm »
Brilliant stuff from everyone - And hi again fzabkar LOL  ;)

Thanks!!  :-+
 

Offline eti

  • Super Contributor
  • Posts: 1801
  • Country: gb
  • MOD: a.k.a Unlokia, glossywhite, iamwhoiam etc
Re: Modifying BT Speaker firmware
« Reply #21 on: June 03, 2021, 03:42:53 am »
Do you know exactly HOW long I've wanted to do exactly what you're doing, to my various BT earbuds and headphones? Years. I thank you profusely for igniting my curiosity in retrying. :))
 

Offline Crawlie69Topic starter

  • Contributor
  • Posts: 27
  • Country: dk
Re: Modifying BT Speaker firmware
« Reply #22 on: June 09, 2021, 09:20:14 pm »
Sorry - I never saw your message! I'm glad to hear I've inspired you! It's oddly satisfying changing those small bothering names and sounds on Bluetooth speakers and headsets. Lol! :D
 

