All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 47 posts ]  Go to page Previous  1, 2, 3  Next
Author Message
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 4th, 2021, 17:57 
Offline

Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Good news... I used baidu to search around for chinese sources, where i heard these SDK's were being passed around. Found a chinese website, and had to go through a LOT of pain to register, but i found 2 SDK's, for different versions of the 1052/1052C MCU. :mrgreen: :mrgreen:


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 4th, 2021, 18:50 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
Can you upload the SDKs somewhere where we don't have to suffer the same pain?

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 8th, 2021, 11:06 
Offline

Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Well i was actually wrong i think. Not really sure if it's the SDK - Seems more like it's some burning tool for the manufacturers to use. There's 2 versions. The newest one is the one for the MCU that's in my speaker. Password for the configuration part of the software is 'Anyka'.

However i guess theres some way of reverse engineering this tool, as it seems like it uses bin files from the 'Update_Files' Folder.

I've uploaded it here, and will send you a private message with the password for the archive, since i don't know if i should be uploading this for everyone to download lol. (Guess this is insider software, which shouldn't really be shared, in respect to the company?.. - Tell me if im wrong lol) :D


Attachments:
Tool.rar [3.74 MiB]
Downloaded 438 times
Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 8th, 2021, 15:07 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
I see a VOICE.bin file with MP3s, but I can't see anything that would help us to create this custom format.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 8th, 2021, 15:18 
Offline

Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Nope, unfortunately. The person who uploaded these programs seems to be a person within the company, so I’ve tried contacting them and told them my intentions. Maybe they’ll help me, but who knows.


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 10th, 2021, 15:27 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
This is a data recovery forum. I think you would be better off posting this question to electronics forums like eevblog.com or badcaps.net. There are probably dedicated hacking forums, but I don't participate in those, so I can't suggest any.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 10th, 2021, 15:29 
Offline

Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
You're probably right. Although this forum has given me help i haven't been able to find anywhere else on the internet with my weird projects haha!


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 23rd, 2021, 8:03 
Offline

Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
I'm just gonna put this here, in case anyone is gonna stroll upon this forum post. So it seems like the mp3 files are encoded/compressed with something called 'Speex'. There's documentation about this codec on their website (Speex.org).

A person on another forum noticed references to this codec in the firmware file atleast, so certainly is a very possible solution :D


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 23rd, 2021, 20:08 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
I have extracted all the MP3 files. The included text file identifies the absolute offset and size of each MP3 file.


Attachments:
Green_BT_mp3_files.7z [908.72 KiB]
Downloaded 370 times

_________________
A backup a day keeps DR away.
Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 24th, 2021, 6:03 
Offline

Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
fzabkar wrote:
I have extracted all the MP3 files. The included text file identifies the absolute offset and size of each MP3 file.


That is just awesome. None of the people i've written with, have been able to decode the mp3's. What exactly did you download from the website, in order to decode them succesfully. And hey - Thanks again fzabkar :D Awesome work as always :D


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 24th, 2021, 14:44 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
I haven't decoded anything. I have just extracted the encoded files. None will play in VLC.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 24th, 2021, 15:01 
Offline

Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
That makes sense. Well thank you no matter what! Makes it easy for me to replace them. I'll have to do some more researching on decoding and encoding the files then :D


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 24th, 2021, 22:22 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
all you need is likely at the Speex page, if it is indeed using this codec.

https://www.speex.org/software/
"An Encoder written in Delphi"

Delphi is pretty easy to code.

or there is C sample code https://speex.org/docs/manual/speex-manual/node13.html

you may be able to use some of the features in a supported player as well to encode. I see Cool Edit, I think I remember that from "back in the day"


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 25th, 2021, 0:13 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
I encoded an .mp3 and the output in HEX editor looks nothing like the supplied BT files. Also the decode.exe outputs that it is not a Speex file.

So the BT speaker has a Anyka MCU?

I don't know if this helps further in any way:
http://www.anyka.com/en/productInfo.aspx?id=94
Quote:
The solution is based on AK1052/AK1161 and Spotlight Micro RAM System. The applications, controller and Bluetooth protocol stack run in one system, which is stable, reliable, fully functional and with good expansibility.




The solution is compatible with various Bluetooth cell phones and Bluetooth devices through actual connection test. Anyka can provide Bluetooth modules with BQB authentication. Customers' products can be listed on EPL free of test and charge, which is cost-effective and time-efficient.




The solution has excellent sound quality comparable with that of the professional audio players. With good audio decoding capability enhanced by ARM 9, the solution supports various audio formats such as MP3, WMA, APE, FLAC, OGG and WAV.


Possible the speex encoded files are further encoded with a XOR key? the view in HxD looks differrent, as I would expect a few 00's in the header and at the end of the file

finally: https://www.zixinhualang.com/productinfobc58-2.html?id=78 may or may not add something to this quest.

based on the above, you may be able to disassemble the firmware knowing the actual processor to plug into the disassembler


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 25th, 2021, 0:28 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
last two lines in above post I think is a red herring, as likely pertains to the AK10L, not 1052, sorry


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 25th, 2021, 1:00 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
I have extracted and attached the voice MP3s in one of the updates. Unfortunately they are all Chinese.


Attachments:
Update_Files_V50101.7z [337.6 KiB]
Downloaded 364 times

_________________
A backup a day keeps DR away.
Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 25th, 2021, 4:39 
Offline

Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
HaQue wrote:
I encoded an .mp3 and the output in HEX editor looks nothing like the supplied BT files. Also the decode.exe outputs that it is not a Speex file.

So the BT speaker has a Anyka MCU?

I don't know if this helps further in any way:
http://www.anyka.com/en/productInfo.aspx?id=94
Quote:
The solution is based on AK1052/AK1161 and Spotlight Micro RAM System. The applications, controller and Bluetooth protocol stack run in one system, which is stable, reliable, fully functional and with good expansibility.




The solution is compatible with various Bluetooth cell phones and Bluetooth devices through actual connection test. Anyka can provide Bluetooth modules with BQB authentication. Customers' products can be listed on EPL free of test and charge, which is cost-effective and time-efficient.




The solution has excellent sound quality comparable with that of the professional audio players. With good audio decoding capability enhanced by ARM 9, the solution supports various audio formats such as MP3, WMA, APE, FLAC, OGG and WAV.


Possible the speex encoded files are further encoded with a XOR key? the view in HxD looks differrent, as I would expect a few 00's in the header and at the end of the file

finally: https://www.zixinhualang.com/productinfobc58-2.html?id=78 may or may not add something to this quest.

based on the above, you may be able to disassemble the firmware knowing the actual processor to plug into the disassembler


Hi - Unfortunately i wasn't able to decode any of the files either. Seems like they're either further encoded, or then another codec might be used. It's funny how there's very few dependencies present like speex in the firmware. Either i've yet to find them, or then they're also encoded/compressed in some manner - Every codec, compression, etc. should be present somehow right? For the operating system to run it must have the needed dependencies stored, so i guess the big problem here is figuring out how it is stored?

- And regarding the other page you've linked with the arm architecture - It is very possible that this actually applies for the AK1052, although i have 0 experience with disassemblers, and only tried using one once, where i wasn't succesful :D


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 25th, 2021, 4:41 
Offline

Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
fzabkar wrote:
I have extracted and attached the voice MP3s in one of the updates. Unfortunately they are all Chinese.


Seems like the MP3s are identical to the ones from the firmware dump though right? Perhaps i should try and go through one of the update files with a translator and see if anything interesting pops up... :D


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 25th, 2021, 9:26 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
I should have read the first page of post through before posting today, sorry for the likely confusing nature and subjects that have already been gone over! trying to do too many things at once at work today, and also trying to install all the dependencies for binwalk in windows Linux on a new PC. and failing so far.

an idea I had was to look at the firmware, try and decompile some code and look for any procedures around the file IO that include XOR.

seems like a strange step to XOR them as well, but as this guy that did a nice job hacking an IP camera found out, Chinese devs like to go their own way at times!
https://lucasteske.dev/2019/06/reverse-engineering-cheap-chinese-vrcam-protocol/
Quote:
After all of that I have no clue what would make someone create such horrible protocol for a commercial product. Why not just follow standards? The AK3918 SDK has a RTSP example which a nice configuration page. What the HELL was the developer was thinking when doing that? Obfuscating stuff? I’m pretty sure he failed in that too.


Top
 Profile  
 
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 25th, 2021, 10:08 
Offline

Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
It's all good. No worries. Always good to clear things up :D
Regarding your whole binwalk situation - I had too much trouble getting it running on Windows, so in the end i just set up a virtual machine running a linux distro, with binwalk already preconfigured - Perhaps you should do that too :D

Regarding the firmware - Yeah. I neither understand why it has to be this complicated, when it's just a small speaker solution, but perhaps it's just my very limited knowledge about reverse engineering that makes this seem complicated. LOL.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 47 posts ]  Go to page Previous  1, 2, 3  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Gregory, westcoast and 32 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group