 Post subject: Bluetooth speaker eeprom
PostPosted: April 27th, 2021, 16:52 
Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Hi guys. :mrgreen:
I've recently had success extracting the EEPROM of a Bluetooth speaker and then using binwalk to find .MP3 signatures, which I then extracted and eventually replaced.

The purpose: to replace the irritating Chinese speaker voice with custom audio for the audio notifications that happen when one boots the speaker, connects a Bluetooth device, etc...

This was successful, and my brother is very happy that his speaker doesn't have the terrible Chinese speaker voice anymore!

Another family member asked me if I could do the same for their Chinese Bluetooth speaker - and this time around there are no MP3 signatures. I've tried multiple other signatures and found 3 .wav signatures, but unfortunately they don't contain any audio.

I can't even determine what kind of filesystem it contains, but it is pretty interesting. I'm suspecting that much of the firmware is compressed, but I don't know.

Hopefully some of you can help me on the right path. All I wish is to find the audio files containing the voice notifications. Thanks in advance! :D

(I've attached the dump below)


Attachments:
Green_BT_Eeprom.7z [905.93 KiB]
Downloaded 508 times
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 27th, 2021, 18:32 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
I found 41 .mp3 file names:

Code:
Offset(h) 00       04       08       0C

000A03D0  C4938B00 626C7565 746F6F74 685F636E  Ä“‹.bluetooth_cn
000A03E0  2E6D7033 00636861 7267656F 6B5F636E  .mp3.chargeok_cn
000A03F0  2E6D7033 00636861 7267696E 672E6D70  .mp3.charging.mp
000A0400  3300636F 6E6E6563 7465645F 636E2E6D  3.connected_cn.m
000A0410  70330064 695F636E 2E6D7033 0064755F  p3.di_cn.mp3.du_
000A0420  636E2E6D 70330065 69676874 4D487A2E  cn.mp3.eightMHz.
000A0430  6D703300 65696768 745F636E 2E6D7033  mp3.eight_cn.mp3
000A0440  00666169 6C2E6D70 33006669 76654D48  .fail.mp3.fiveMH
000A0450  7A2E6D70 33006669 76655F63 6E2E6D70  z.mp3.five_cn.mp
000A0460  3300666D 5F636E2E 6D703300 666F7572  3.fm_cn.mp3.four
000A0470  4D487A2E 6D703300 666F7572 5F636E2E  MHz.mp3.four_cn.
000A0480  6D703300 6C696E65 696E5F63 6E2E6D70  mp3.linein_cn.mp
000A0490  33006C69 6E655F63 6E2E6D70 33006C6F  3.line_cn.mp3.lo
000A04A0  7374636F 6E6E6563 74696F6E 5F636E2E  stconnection_cn.
000A04B0  6D703300 6C6F7770 6F776572 5F636E2E  mp3.lowpower_cn.
000A04C0  6D703300 4D487A2E 6D703300 6D696372  mp3.MHz.mp3.micr
000A04D0  65632E6D 7033006E 696E654D 487A2E6D  ec.mp3.nineMHz.m
000A04E0  7033006E 696E655F 636E2E6D 7033006F  p3.nine_cn.mp3.o
000A04F0  6B2E6D70 33006F6E 654D487A 2E6D7033  k.mp3.oneMHz.mp3
000A0500  006F6E65 5F636E2E 6D703300 70616972  .one_cn.mp3.pair
000A0510  696E672E 6D703300 706F696E 745F636E  ing.mp3.point_cn
000A0520  2E6D7033 00726563 6F72642E 6D703300  .mp3.record.mp3.
000A0530  73657665 6E4D487A 2E6D7033 00736576  sevenMHz.mp3.sev
000A0540  656E5F63 6E2E6D70 33007369 784D487A  en_cn.mp3.sixMHz
000A0550  2E6D7033 00736978 5F636E2E 6D703300  .mp3.six_cn.mp3.
000A0560  74636172 645F636E 2E6D7033 00746872  tcard_cn.mp3.thr
000A0570  65654D48 7A2E6D70 33007468 7265655F  eeMHz.mp3.three_
000A0580  636E2E6D 70330074 776F4D48 7A2E6D70  cn.mp3.twoMHz.mp
000A0590  33007477 6F5F636E 2E6D7033 00756469  3.two_cn.mp3.udi
000A05A0  736B5F63 6E2E6D70 33007570 64617465  sk_cn.mp3.update
000A05B0  5F636E2E 6D703300 7A65726F 4D487A2E  _cn.mp3.zeroMHz.
000A05C0  6D703300 7A65726F 5F636E2E 6D703300  mp3.zero_cn.mp3.

They are preceded by a table with 41 entries:

Code:
Offset(h) 00       04       08       0C

000A0140  05000000 00000000 00000000 FE610000
000A0150  D4918B00 01000000 00620000 DA550000
000A0160  E5918B00 02000000 00B80000 E4270000
000A0170  F5918B00 03000000 00E00000 BC700000
000A0180  02928B00 04000000 00510100 F8150000
000A0190  13928B00 05000000 00670100 703E0000
000A01A0  1D928B00 06000000 00A60100 6E310000
000A01B0  27928B00 07000000 00D80100 F8150000
000A01C0  34928B00 08000000 00EE0100 E4270000
000A01D0  41928B00 09000000 00160200 6E310000
000A01E0  4A928B00 0A000000 00480200 381F0000
000A01F0  56928B00 0B000000 00680200 A0290000
000A0200  62928B00 0C000000 00920200 6E310000
000A0210  6C928B00 0D000000 00C40200 92180000
000A0220  78928B00 0E000000 00DD0200 60450000
000A0230  84928B00 0F000000 00230300 9E8B0000
000A0240  92928B00 10000000 00AF0300 0C4E0000
000A0250  9E928B00 11000000 00FE0300 D2210000
000A0260  B4928B00 12000000 00200400 F8150000
000A0270  C4928B00 13000000 00360400 FC2F0000
000A0280  CC928B00 14000000 00660400 96320000
000A0290  D7928B00 15000000 00990400 5E130000
000A02A0  E3928B00 16000000 00AD0400 6A170000
000A02B0  EF928B00 17000000 00C50400 FC2F0000
000A02C0  F6928B00 18000000 00F50400 F8150000
000A02D0  01938B00 19000000 000B0500 0E5B0000
000A02E0  0C938B00 1A000000 00670500 C4100000
000A02F0  18938B00 1B000000 00780500 365C0000
000A0300  25938B00 1C000000 00D50500 96320000
000A0310  30938B00 1D000000 00080600 9E1C0000
000A0320  3D938B00 1E000000 00250600 96320000
000A0330  4A938B00 1F000000 00580600 92180000
000A0340  55938B00 20000000 00710600 EA4E0000
000A0350  60938B00 21000000 00C00600 D42E0000
000A0360  6D938B00 22000000 00EF0600 041A0000
000A0370  7A938B00 23000000 000A0700 FC2F0000
000A0380  87938B00 24000000 003A0700 D0140000
000A0390  92938B00 25000000 004F0700 8E230000
000A03A0  9D938B00 26000000 00730700 96320000
000A03B0  AA938B00 27000000 00A60700 30350000
000A03C0  B8938B00 28000000 00DC0700 9E1C0000

The second column appears to be a sequential file number - 0x00 -> 0x28.

The third column is a byte offset, and the last column is the size in bytes for that .mp3 file.

Therefore, ISTM that you need to find a block of data that matches the offsets and sizes in the table.

I think that the MP3 data are stored at offset 0xE5600 in the ROM. That's logical offset 0 in the table.

_________________
A backup a day keeps DR away.


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 27th, 2021, 18:55 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
Each file consists of fixed records with a size of 0x4A bytes. The first 3 bytes of each record appear to be 0x9C, 0x31 and 0x21, but I'm not certain whether this is consistently the case.

There is no header or footer.

_________________
A backup a day keeps DR away.


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 27th, 2021, 19:51 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
This appears to be a directory or table which identifies 4 blocks of code/data:

Code:
Offset(h) 00       04       08       0C       10       14       18       1C

00010100  04000000 48530D00 00000000 02010000 FFFFFFFF 50524F47 00AFC076 C1284000  ....HS..........ÿÿÿÿPROG.¯ÀvÁ(@.
00010120  65000000 00F90700 00000000 560E0000 FFFFFFFF 564F4943 4500C076 C1284000  e....ù......V...ÿÿÿÿVOICE.ÀvÁ(@.
00010140  50524F47 CC160200 00000000 4F160000 FFFFFFFF 636F6465 70616765 00AFC076  PROGÌ.......O...ÿÿÿÿcodepage.¯Àv
00010160  CEAFC076 00000100 00000000 66180000 FFFFFFFF 50524F46 494C4500 CEAFC076  ίÀv........f...ÿÿÿÿPROFILE.ίÀv
00010180  C1284000                                                                 Á(@.

The second block is "VOICE" and appears to be located at offset 0xE5600 with a size of 0x7F900 bytes.

The leading dword appears to be the number of code/data sections (4).

Code:
name        offset      size
--------    --------    -------
PROG        0x10200     0xD5348
VOICE       0xE5600     0x7F900
codepage    0x164F00    0x216CC
PROFILE     0x186600    0x10000

The "junk" characters (CE AF C0 76 C1 28 40 00) appear to be stuff that was in RAM when the table was written, so they don't appear to be valid metadata. ICBW, though.

_________________
A backup a day keeps DR away.


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 6:56 
Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
Nice work in 3 hrs, Franc!


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 7:06 
Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Hello again fzabkar :D
You are truly a genius at analyzing these firmware dumps - I think I'm gonna have to read through your replies a couple of times to understand them though :mrgreen:

Thank you!!


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 15:50 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
File numbers and their corresponding file names

Code:
00      bluetooth_cn.mp3
01      chargeok_cn.mp3
02      charging.mp3
03      connected_cn.mp3
04      di_cn.mp3
05      du_cn.mp3
06      eightMHz.mp3
07      eight_cn.mp3
08      fail.mp3
09      fiveMHz.mp3
0A      five_cn.mp3
0B      fm_cn.mp3
0C      fourMHz.mp3
0D      four_cn.mp3
0E      linein_cn.mp3
0F      line_cn.mp3
10      lostconnection_cn.mp3
11      lowpower_cn.mp3
12      MHz.mp3
13      micrec.mp3
14      nineMHz.mp3
15      nine_cn.mp3
16      ok.mp3
17      oneMHz.mp3
18      one_cn.mp3
19      pairing.mp3
1A      point_cn.mp3
1B      record.mp3
1C      sevenMHz.mp3
1D      seven_cn.mp3
1E      sixMHz.mp3
1F      six_cn.mp3
20      tcard_cn.mp3
21      threeMHz.mp3
22      three_cn.mp3
23      twoMHz.mp3
24      two_cn.mp3
25      udisk_cn.mp3
26      update_cn.mp3
27      zeroMHz.mp3
28      zero_cn.mp3

For example, "fiveMHz.mp3" is file number 0x09. We now consult the table, which tells us that this file has a size of 0x316E bytes and is located at relative offset 0x21600. Adding the base offset of 0xE5600 to the relative offset gives us an absolute offset of 0x106C00. We can now carve the file.

_________________
A backup a day keeps DR away.
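
The two tables above (the four-entry section directory at 0x10100 and the 41-entry file table at 0xA0140) and the worked example for fiveMHz.mp3, as an added Python example that is not code from the thread or from the speaker's firmware tooling. The bytes it parses are copied from the hex dumps posted above (the section directory in full, and the first eleven file records). Two readings in it are my inferences from the dump rather than statements in the thread, and the code checks both against the posted values: the offset dword in the section directory is stored in 0x100-byte units (0x102 in the hex is the 0x10200 in the table), and each 16-byte file record is read starting four bytes into the posted rows as (index, offset, size, name pointer), which makes the pointer in the dump's first column belong to the record before it; with that reading each pointer advances by the length of the previous name plus its NUL terminator, and each file starts on the 0x100 boundary following the previous one. The carve function expects the full dump as bytes; the demo at the bottom runs on the table data alone.

```python
import struct
from dataclasses import dataclass


def unhex(text: str) -> bytes:
    """Turn a whitespace-separated hex dump excerpt into bytes."""
    return bytes.fromhex("".join(text.split()))


# Section directory at ROM offset 0x10100, copied from the hex dump in the thread.
SECTION_DIR = unhex("""
04000000 48530D00 00000000 02010000 FFFFFFFF 50524F47 00AFC076 C1284000
65000000 00F90700 00000000 560E0000 FFFFFFFF 564F4943 4500C076 C1284000
50524F47 CC160200 00000000 4F160000 FFFFFFFF 636F6465 70616765 00AFC076
CEAFC076 00000100 00000000 66180000 FFFFFFFF 50524F46 494C4500 CEAFC076
C1284000
""")

# First twelve rows of the file table at ROM offset 0xA0140 (records 0x00-0x0A plus
# the start of 0x0B), copied from the hex dump in the thread.
FILE_TABLE = unhex("""
05000000 00000000 00000000 FE610000
D4918B00 01000000 00620000 DA550000
E5918B00 02000000 00B80000 E4270000
F5918B00 03000000 00E00000 BC700000
02928B00 04000000 00510100 F8150000
13928B00 05000000 00670100 703E0000
1D928B00 06000000 00A60100 6E310000
27928B00 07000000 00D80100 F8150000
34928B00 08000000 00EE0100 E4270000
41928B00 09000000 00160200 6E310000
4A928B00 0A000000 00480200 381F0000
56928B00 0B000000 00680200 A0290000
""")

# File names 0x00-0x0A in the order the thread lists them.
FILE_NAMES = ["bluetooth_cn.mp3", "chargeok_cn.mp3", "charging.mp3", "connected_cn.mp3",
              "di_cn.mp3", "du_cn.mp3", "eightMHz.mp3", "eight_cn.mp3", "fail.mp3",
              "fiveMHz.mp3", "five_cn.mp3"]


@dataclass
class Section:
    name: str
    offset: int   # absolute ROM offset
    size: int


@dataclass
class FileEntry:
    index: int
    offset: int   # relative to the start of the VOICE section
    size: int
    name_ptr: int  # address of the name string as the firmware sees it (inferred)


def parse_sections(blob: bytes):
    """Count dword, then 32-byte entries: size, reserved, offset in 0x100-byte units,
    0xFFFFFFFF marker, 16-byte NUL-terminated name (junk after the NUL is ignored).
    The 0x100 scaling is inferred from the dump, not stated in the thread."""
    (count,) = struct.unpack_from("<I", blob, 0)
    sections = []
    for i in range(count):
        base = 4 + i * 32
        size, _reserved, pages, marker = struct.unpack_from("<4I", blob, base)
        if marker != 0xFFFFFFFF:
            raise ValueError(f"entry {i}: unexpected marker {marker:#x}")
        name = blob[base + 16:base + 32].split(b"\0", 1)[0].decode("ascii")
        sections.append(Section(name, pages * 0x100, size))
    return sections


def parse_file_table(blob: bytes, count: int, start: int = 4):
    """16-byte records (index, offset, size, name pointer), read from 4 bytes into the
    first posted row so the pointer lands in the record it belongs to."""
    return [FileEntry(*struct.unpack_from("<4I", blob, start + i * 16)) for i in range(count)]


def names_are_consistent(entries, names) -> bool:
    """Each name pointer should advance by len(previous name) + 1 for the NUL."""
    return all(b.name_ptr - a.name_ptr == len(names[i]) + 1
               for i, (a, b) in enumerate(zip(entries, entries[1:])))


def align_up(value: int, boundary: int) -> int:
    return -(-value // boundary) * boundary


def files_are_packed(entries, section_size: int, boundary: int = 0x100) -> bool:
    """Files should sit back to back, each on a 0x100 boundary, inside the section."""
    for a, b in zip(entries, entries[1:]):
        if b.offset != align_up(a.offset + a.size, boundary):
            return False
    last = entries[-1]
    return last.offset + last.size <= section_size


def carve(rom: bytes, section: Section, entry: FileEntry) -> bytes:
    """Slice one file out of the full dump, refusing entries that overrun their section."""
    if entry.offset + entry.size > section.size:
        raise ValueError("entry lies outside its section")
    start = section.offset + entry.offset
    if start + entry.size > len(rom):
        raise ValueError("entry lies outside the image")
    return rom[start:start + entry.size]


if __name__ == "__main__":
    sections = {s.name: s for s in parse_sections(SECTION_DIR)}
    voice = sections["VOICE"]
    entries = parse_file_table(FILE_TABLE, len(FILE_NAMES))
    for e in entries:
        print(f"{e.index:02X}  {FILE_NAMES[e.index]:<18} abs {voice.offset + e.offset:#08x}  size {e.size:#07x}")
    print("name pointers consistent:", names_are_consistent(entries, FILE_NAMES))
    print("files packed on 0x100 boundaries:", files_are_packed(entries, voice.size))
```

For fiveMHz.mp3 (index 0x09) the script reproduces the post's numbers: relative offset 0x21600, size 0x316E, absolute offset 0xE5600 + 0x21600 = 0x106C00. The packing check is the practical test that a candidate VOICE base is right: if every file ends just before the next one's 0x100-aligned start and the last fits inside the section, the table and the data block agree.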


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 15:58 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
Here is the MP3 file structure:

https://en.wikipedia.org/wiki/MP3#File_structure
https://upload.wikimedia.org/wikipedia/commons/0/01/Mp3filestructure.svg

MP3 files consist of frames, with each frame having a 4-byte header and a payload of data. Each header starts with an MP3 Sync Word which consists of 12 bits (3 nibbles) -- 0xFFF.

I'm thinking that the Bluetooth MP3s may be encrypted, possibly with an XOR key. Each encrypted frame appears to consist of a 4-byte header and a 70-byte payload.

@Crawlie69, would it be possible to see the EEPROM from that other BT speaker? Perhaps that will give us a clue, assuming that nobody has any better ideas?

_________________
A backup a day keeps DR away.


Last edited by fzabkar on April 28th, 2021, 16:04, edited 1 time in total.

 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 16:02 
Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Thank you! I am gonna give it a go carving out some of the files, and then eventually work on replacing them! :D


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 16:05 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
Crawlie69 wrote:
Thank you! I am gonna give it a go carving out some of the files, and then eventually work on replacing them! :D

Can you show us the other BT EEPROM?

_________________
A backup a day keeps DR away.


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 16:06 
Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Oh, and yes, I can provide the EEPROM from the other speaker. I've attached it below - it was much more straightforward to extract :D


Attachments:
Blue_BT_Eeprom.7z [267.96 KiB]
Downloaded 490 times
 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 16:13 
Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Oh, and by the way, I literally just searched for the raw MP3 signature (ID3) using binwalk, got all the offsets, and then extracted from the first offset till the end of the file. That way it was easy for me to identify the different MP3 files. I extracted the files I needed, edited them and filled the edited files with zeros to match the original file size. Then it was just a matter of merging it into the firmware, which I've now unfortunately deleted, but we put in some JBL sounds.
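
The procedure just described (find the ID3 offsets, carve from each offset to the next, edit, zero-fill back to the original size, splice in) as an added Python example; it is not code from the thread. The sample image is constructed inline: three fake files with ID3v2.3 headers and a decoy "ID3" inside a text string. The header check (version byte 2, 3 or 4 and a syncsafe size whose bytes are all below 0x80) is the standard ID3v2 header layout, added here so the decoy is dropped where a raw signature search would report it.

```python
ID3_MAGIC = b"ID3"
ID3_HEADER_LEN = 10


def syncsafe(n: int) -> bytes:
    """Encode n as the 4-byte, 7-bits-per-byte integer ID3v2 uses for its size field."""
    return bytes((n >> s) & 0x7F for s in (21, 14, 7, 0))


def is_id3v2_header(blob: bytes, pos: int) -> bool:
    """Accept only a plausible ID3v2 header: 'ID3', version 2-4, syncsafe size bytes."""
    hdr = blob[pos:pos + ID3_HEADER_LEN]
    return (len(hdr) == ID3_HEADER_LEN and hdr[:3] == ID3_MAGIC
            and hdr[3] in (2, 3, 4) and all(b < 0x80 for b in hdr[6:10]))


def find_raw_signature(blob: bytes, magic: bytes = ID3_MAGIC):
    """Every occurrence of the magic, decoys included (what a plain signature scan sees)."""
    found, pos = [], blob.find(magic)
    while pos != -1:
        found.append(pos)
        pos = blob.find(magic, pos + 1)
    return found


def find_id3_offsets(blob: bytes):
    """Signature hits that also pass the header check."""
    return [p for p in find_raw_signature(blob) if is_id3v2_header(blob, p)]


def carve_between(blob: bytes, offsets):
    """Each file runs from its signature to the next one (or to the end of the image)."""
    bounds = list(offsets) + [len(blob)]
    return [blob[a:b] for a, b in zip(bounds, bounds[1:])]


def replace_keeping_size(blob: bytes, start: int, original_size: int,
                         new_data: bytes, pad: bytes = b"\x00") -> bytes:
    """Splice new_data over the original slot, zero-filling to the original size and
    refusing anything that would spill into the following data."""
    if len(new_data) > original_size:
        raise ValueError(f"replacement is {len(new_data) - original_size} bytes too large")
    filled = new_data + pad * (original_size - len(new_data))
    return blob[:start] + filled + blob[start + original_size:]


# Constructed sample image (not a real dump): three fake MP3s plus a decoy "ID3".
def fake_mp3(audio: bytes, tag_payload: bytes = b"\x00" * 10) -> bytes:
    return ID3_MAGIC + b"\x03\x00\x00" + syncsafe(len(tag_payload)) + tag_payload + audio


AUDIO = b"\xff\xfb\x90\x00" + b"\x11" * 60   # placeholder payload, not real MP3 audio
SAMPLE_ROM = (b"\x00" * 64 + b"VALID3RD-PARTY-STRING" + b"\xa5" * 32   # decoy "ID3" at 67
              + fake_mp3(AUDIO) + b"\x00" * 16                           # file 1 at 117, gap
              + fake_mp3(AUDIO) + fake_mp3(AUDIO) + b"\xff" * 8)          # files at 217, 301


if __name__ == "__main__":
    offsets = find_id3_offsets(SAMPLE_ROM)
    print("raw hits:", find_raw_signature(SAMPLE_ROM), "validated:", offsets)
    for off, chunk in zip(offsets, carve_between(SAMPLE_ROM, offsets)):
        print(f"file at {off:#06x}: {len(chunk)} bytes")
    patched = replace_keeping_size(SAMPLE_ROM, offsets[1], 84, b"\x42" * 50)
    print("image size unchanged:", len(patched) == len(SAMPLE_ROM))
```

Carving to the next signature keeps any slack between files (the first carved chunk here is 100 bytes for an 84-byte file), which is why the splice uses the original slot size rather than the carved length, and why a replacement larger than the slot is rejected instead of overwriting whatever follows.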


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 16:37 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
The 56kbps frames in your JBL MP3 files have a consistent header, 0xFF 0xF2 0x79 0x44. The frame size is 252 bytes.

It is looking like your other MP3s are encrypted.

BTW, I used DMDE's raw file scan feature to locate all the MP3s and then "recover" them in one hit. It only took a few minutes. I don't know how long your binwalk method would take.

_________________
A backup a day keeps DR away.


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 17:08 
Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Cool! I have never used anything other than binwalk, but yeah, it gets pretty tedious. And regarding the encrypted MP3s: why would they encrypt those? You wrote earlier about some XOR key. Is it a complicated matter to decrypt these files? Seems like they overcomplicated the filesystem to me, but I guess I don't really understand their business practices.

EDIT:

Just tried DMDE's full scan feature, and i certainly see your point. Was indeed very fast!


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 17:16 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
Crawlie69 wrote:
Just tried DMDE's full scan feature, and i certainly see your point. Was indeed very fast!

For this particular case I unchecked every file type except MP3.

I'm not sure, but one downside of DMDE may be that it looks for files on sector boundaries.

_________________
A backup a day keeps DR away.


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 17:26 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
Your "fiveMHz.mp3" file looks like this in HxD (freeware hex editor):

Code:
Offset(h) 00   02   04   06   08   0A   0C   0E   10   12   14   16   18   1A   1C   1E   20   22   24   26   28   2A   2C   2E   30   32   34   36   38   3A   3C   3E   40   42   44   46   48

00000000  9C31 2114 0000 0000 7BBB BBBB BDDD DDDD DEEE EEEE EF77 7777 77BB BBBB BBDD DDDD DDEE EEEE EEF7 7777 777B BBBB BBBD DDDD DDDE EEEE EEEF 7777 7777 BBBB BBBB DDDD DDDD EEEE EEEE F777 7777
0000004A  9C31 2114 0000 0000 7BBB BBBB BDDD DDDD DEEE EEEE EF77 7777 77BB BBBB BBDD DDDD DDEE EEEE EEF7 7777 777B BBBB BB9C CCCC CDC0 E666 E6E0 7333 7330 399B 9998 1CDC CCCC 0E6E 66E6 0777 7377
00000094  9C31 21E7 3444 1000 6EFD EBD7 BB7E FDEA DBBF 7AF5 EDDF BF7E F6EF DEBD 5B77 EEDE BDDB F7EF DEDD DBB8 2B8E FD8B B7BB 773D FAD9 BF7E DE71 E3DD 9376 F0D6 A91A 3927 5DEE 9BD8 F0D6 5CD9 BC3B
000000DE  9C31 2107 8999 8600 84FB AF7B BF7A 17BD DEBE FBDE F160 89EF 682F B8E7 C3B8 1B7B DE1B F03D ECD9 D763 0794 EAAE 8BC3 76C7 B5D8 BB03 62FA A9E2 2E5A 501A 7651 EA87 6CE3 7BF3 466C 4092 E870
00000128  9C31 212C BAA9 A900 A718 508C B84A B9C9 5ABF 3B19 1061 7E6F 76AF 9D18 3C38 25AB 5A33 EC39 D10E 07B3 2664 DC4F 8C30 8DDD 319B D10A 6B06 2AEE EC5C F367 73DB 5E0A A60E 6BE1 3D72 C90E B077
00000172  9C31 216A A9CC A900 2F31 CFBB CF49 722D 1B53 96D3 489E DBD4 7585 41D6 1DF6 48D4 2E12 1586 EA7D 31BB 1856 585F 3AB0 72F1 4662 2A57 D310 18EB EF47 4C7D F545 16BA D9ED E35E 89C3 2571 556A
000001BC  9C31 212D A8AB A900 C289 AC7D 503A AA64 E696 B528 CEE4 8CF0 C76A B338 A436 3093 5DD3 3021 D2F9 F8A3 4599 06F5 5CE2 8AF9 3D30 3526 1F51 D122 0F51 D576 9838 F1AF 32E1 EBD9 AE11 7190 3136
00000206  9C31 2191 DAAB BA00 9262 E726 D841 EAA5 A2E8 F4A4 EB0D 9ED9 3337 A6D4 8AE3 2123 2A4A 291C E532 F849 AF84 6AD8 9650 D193 9D6A 4D72 910E 929B 8D33 661E 5279 FBDF 61B6 0DD0 54A1 3ADA D9AD
....

I select 74 bytes per row, and visible columns "hex".

Edit: I'm now wondering whether this format is 3 header bytes plus 71 data bytes per frame???

_________________
A backup a day keeps DR away.
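
An added Python example, not from the thread, that runs the record check fzabkar describes (0x4A-byte records whose first three bytes are 9C 31 21) over the four rows of fiveMHz.mp3 shown above and answers the question in the edit: which byte positions are identical in every record, whether a plain MP3 sync word occurs anywhere in the sample, and how the byte entropy of the patterned first records compares with the later ones. The record size and the sample bytes come from the posts; the functions are the example's own.

```python
import math


def unhex(text: str) -> bytes:
    """Turn a whitespace-separated hex dump excerpt into bytes."""
    return bytes.fromhex("".join(text.split()))


# The first four 0x4A-byte records of the carved fiveMHz.mp3, copied from the HxD
# view in the thread (each record is split over two lines here for readability).
RECORDS = unhex("""
9C31 2114 0000 0000 7BBB BBBB BDDD DDDD DEEE EEEE EF77 7777 77BB BBBB BBDD DDDD DDEE EEEE
EEF7 7777 777B BBBB BBBD DDDD DDDE EEEE EEEF 7777 7777 BBBB BBBB DDDD DDDD EEEE EEEE F777 7777
9C31 2114 0000 0000 7BBB BBBB BDDD DDDD DEEE EEEE EF77 7777 77BB BBBB BBDD DDDD DDEE EEEE
EEF7 7777 777B BBBB BB9C CCCC CDC0 E666 E6E0 7333 7330 399B 9998 1CDC CCCC 0E6E 66E6 0777 7377
9C31 21E7 3444 1000 6EFD EBD7 BB7E FDEA DBBF 7AF5 EDDF BF7E F6EF DEBD 5B77 EEDE BDDB F7EF
DEDD DBB8 2B8E FD8B B7BB 773D FAD9 BF7E DE71 E3DD 9376 F0D6 A91A 3927 5DEE 9BD8 F0D6 5CD9 BC3B
9C31 2107 8999 8600 84FB AF7B BF7A 17BD DEBE FBDE F160 89EF 682F B8E7 C3B8 1B7B DE1B F03D
ECD9 D763 0794 EAAE 8BC3 76C7 B5D8 BB03 62FA A9E2 2E5A 501A 7651 EA87 6CE3 7BF3 466C 4092 E870
""")
RECORD_SIZE = 0x4A                  # 74 bytes per record, as measured in the thread
EXPECTED_HEADER = b"\x9c\x31\x21"   # the three leading bytes the thread reports


def split_records(data: bytes, record_size: int = RECORD_SIZE):
    if len(data) % record_size:
        raise ValueError("data is not a whole number of records")
    return [data[i:i + record_size] for i in range(0, len(data), record_size)]


def records_start_with(records, prefix: bytes = EXPECTED_HEADER) -> bool:
    return all(r.startswith(prefix) for r in records)


def constant_positions(records):
    """Byte positions whose value is identical in every record."""
    return [i for i in range(len(records[0])) if len({r[i] for r in records}) == 1]


def fixed_header_length(records) -> int:
    """Length of the leading run of constant positions, i.e. the fixed header."""
    const = set(constant_positions(records))
    n = 0
    while n in const:
        n += 1
    return n


def mp3_sync_positions(data: bytes):
    """Offsets of the 12-bit sync word 0xFFF as the thread describes it."""
    return [i for i in range(len(data) - 1) if data[i] == 0xFF and data[i + 1] >> 4 == 0xF]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8 for compressed or encrypted data, low for patterns."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    recs = split_records(RECORDS)
    print("records:", len(recs), "all start with 9C 31 21:", records_start_with(recs))
    print("constant positions:", constant_positions(recs))
    print("fixed header bytes:", fixed_header_length(recs))
    print("MP3 sync words at any offset:", mp3_sync_positions(RECORDS))
    for i, r in enumerate(recs):
        print(f"record {i}: payload entropy {shannon_entropy(r[8:]):.2f} bits/byte")
```

On these four records the constant positions are 0, 1, 2 and 7: the three header bytes the thread identifies, then four bytes that differ from record to record, of which the last (offset 7) is always 0x00 in this sample, so byte 3 is not part of a fixed header here. No 0xFFF sync word appears at any offset, which is consistent with the frames not being stored as plain MP3. Running the same functions over the whole carved file, rather than four rows, is how to settle whether the 0x4A stride and the header hold all the way through.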


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 28th, 2021, 18:44 
Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Certainly very mysterious MP3 files :D


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 29th, 2021, 7:59 
Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
I read about XOR a long time ago, and this is the way I remember interpreting it:

The reason for XOR in memory chips was a process called "whitening". An XOR key, or an algorithm used to XOR the data on a chip, will spread the data out on the chip to stop long repetitions of "0" or "1", or more technically, cells set as such (charged or uncharged). Having long strings of one or the other makes it easier for bits to flip, and can overcome the ability of ECC to correct them all (corrupting data).

Pretty easy and "cheap" in regards to CPU, as most instruction sets would have an XOR instruction, I would think. Small XOR keys can be looped and don't take much to implement in even the smallest system.

A similar reason applies to encryption: encryption is not always for security. BTW, XOR is not encryption, it is encoding.


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: April 29th, 2021, 10:06 
Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Interesting - I can see why there are other reasons than safety for encoding or encrypting, but it just baffles me that a cheap Chinese speaker has any of this. :D


 Post subject: Re: Bluetooth speaker eeprom
PostPosted: May 1st, 2021, 9:11 
Joined: April 14th, 2021, 6:37
Posts: 44
Location: Denmark
Alright, so I found the manufacturer behind the firmware..

http://www.anyka.com/en/productInfo.aspx?id=100

Quote:
The new generation TF card Bluetooth speaker solution

Anyka's new reliable, all-function and easy-extended TF card Bluetooth speaker solution is based on AK1052C MCU and Spotlight10C ultra-low-memory operating system. This brand new solution adopts the architecture of daughter board and mother board to provide customers reference designs. By this architecture, all customers may create function-rich Bluetooth speakers in short time with minimum design efforts and cost-effective EBOM.

To bring convenience to customers, a total product development kit (PDK), which includes a hardware development kit (HDK), a software development kit (SDK) and a tools kit (production and test tools like Bluetooth functional test tool), is available with the solution.

This is a quote from their website. Guess I need their SDK to mess around with the filesystem then?

