| HDD GURU FORUMS http://forum.hddguru.com/ |
|
| Bluetooth speaker eeprom http://forum.hddguru.com/viewtopic.php?f=10&t=41250 |
Page 2 of 3 |
| Author: | Crawlie69 [ May 4th, 2021, 17:57 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
Good news... I used baidu to search around for chinese sources, where i heard these SDK's were being passed around. Found a chinese website, and had to go through a LOT of pain to register, but i found 2 SDK's, for different versions of the 1052/1052C MCU. 
|
|
| Author: | fzabkar [ May 4th, 2021, 18:50 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
Can you upload the SDKs somewhere where we don't have to suffer the same pain? |
|
| Author: | Crawlie69 [ May 8th, 2021, 11:06 ] | ||
| Post subject: | Re: Bluetooth speaker eeprom | ||
Well i was actually wrong i think. Not really sure if it's the SDK - Seems more like it's some burning tool for the manufacturers to use. There's 2 versions. The newest one is the one for the MCU that's in my speaker. Password for the configuration part of the software is 'Anyka'. However i guess theres some way of reverse engineering this tool, as it seems like it uses bin files from the 'Update_Files' Folder. I've uploaded it here, and will send you a private message with the password for the archive, since i don't know if i should be uploading this for everyone to download lol. (Guess this is insider software, which shouldn't really be shared, in respect to the company?.. - Tell me if im wrong lol) 
|
|||
| Author: | fzabkar [ May 8th, 2021, 15:07 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
I see a VOICE.bin file with MP3s, but I can't see anything that would help us to create this custom format. |
|
| Author: | Crawlie69 [ May 8th, 2021, 15:18 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
Nope, unfortunately. The person who uploaded these programs seems to be a person within the company, so I’ve tried contacting them and told them my intentions. Maybe they’ll help me, but who knows. |
|
| Author: | fzabkar [ May 10th, 2021, 15:27 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
This is a data recovery forum. I think you would be better off posting this question to electronics forums like eevblog.com or badcaps.net. There are probably dedicated hacking forums, but I don't participate in those, so I can't suggest any. |
|
| Author: | Crawlie69 [ May 10th, 2021, 15:29 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
You're probably right. Although this forum has given me help i haven't been able to find anywhere else on the internet with my weird projects haha! |
|
| Author: | Crawlie69 [ May 23rd, 2021, 8:03 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
I'm just gonna put this here, in case anyone is gonna stroll upon this forum post. So it seems like the mp3 files are encoded/compressed with something called 'Speex'. There's documentation about this codec on their website (Speex.org). A person on another forum noticed references to this codec in the firmware file atleast, so certainly is a very possible solution
|
|
| Author: | fzabkar [ May 23rd, 2021, 20:08 ] | ||
| Post subject: | Re: Bluetooth speaker eeprom | ||
I have extracted all the MP3 files. The included text file identifies the absolute offset and size of each MP3 file.
|
|||
| Author: | Crawlie69 [ May 24th, 2021, 6:03 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
fzabkar wrote: I have extracted all the MP3 files. The included text file identifies the absolute offset and size of each MP3 file. That is just awesome. None of the people i've written with, have been able to decode the mp3's. What exactly did you download from the website, in order to decode them succesfully. And hey - Thanks again fzabkar Awesome work as always
|
|
| Author: | fzabkar [ May 24th, 2021, 14:44 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
I haven't decoded anything. I have just extracted the encoded files. None will play in VLC. |
|
| Author: | Crawlie69 [ May 24th, 2021, 15:01 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
That makes sense. Well thank you no matter what! Makes it easy for me to replace them. I'll have to do some more researching on decoding and encoding the files then
|
|
| Author: | HaQue [ May 24th, 2021, 22:22 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
all you need is likely at the Speex page, if it is indeed using this codec. https://www.speex.org/software/ "An Encoder written in Delphi" Delphi is pretty easy to code. or there is C sample code https://speex.org/docs/manual/speex-manual/node13.html you may be able to use some of the features in a supported player as well to encode. I see Cool Edit, I think I remember that from "back in the day" |
|
| Author: | HaQue [ May 25th, 2021, 0:13 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
I encoded an .mp3 and the output in HEX editor looks nothing like the supplied BT files. Also the decode.exe outputs that it is not a Speex file. So the BT speaker has a Anyka MCU? I don't know if this helps further in any way: http://www.anyka.com/en/productInfo.aspx?id=94 Quote: The solution is based on AK1052/AK1161 and Spotlight Micro RAM System. The applications, controller and Bluetooth protocol stack run in one system, which is stable, reliable, fully functional and with good expansibility. The solution is compatible with various Bluetooth cell phones and Bluetooth devices through actual connection test. Anyka can provide Bluetooth modules with BQB authentication. Customers' products can be listed on EPL free of test and charge, which is cost-effective and time-efficient. The solution has excellent sound quality comparable with that of the professional audio players. With good audio decoding capability enhanced by ARM 9, the solution supports various audio formats such as MP3, WMA, APE, FLAC, OGG and WAV. Possible the speex encoded files are further encoded with a XOR key? the view in HxD looks differrent, as I would expect a few 00's in the header and at the end of the file finally: https://www.zixinhualang.com/productinfobc58-2.html?id=78 may or may not add something to this quest. based on the above, you may be able to disassemble the firmware knowing the actual processor to plug into the disassembler |
|
| Author: | HaQue [ May 25th, 2021, 0:28 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
last two lines in above post I think is a red herring, as likely pertains to the AK10L, not 1052, sorry |
|
| Author: | fzabkar [ May 25th, 2021, 1:00 ] | ||
| Post subject: | Re: Bluetooth speaker eeprom | ||
I have extracted and attached the voice MP3s in one of the updates. Unfortunately they are all Chinese.
|
|||
| Author: | Crawlie69 [ May 25th, 2021, 4:39 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
HaQue wrote: I encoded an .mp3 and the output in HEX editor looks nothing like the supplied BT files. Also the decode.exe outputs that it is not a Speex file. So the BT speaker has a Anyka MCU? I don't know if this helps further in any way: http://www.anyka.com/en/productInfo.aspx?id=94 Quote: The solution is based on AK1052/AK1161 and Spotlight Micro RAM System. The applications, controller and Bluetooth protocol stack run in one system, which is stable, reliable, fully functional and with good expansibility. The solution is compatible with various Bluetooth cell phones and Bluetooth devices through actual connection test. Anyka can provide Bluetooth modules with BQB authentication. Customers' products can be listed on EPL free of test and charge, which is cost-effective and time-efficient. The solution has excellent sound quality comparable with that of the professional audio players. With good audio decoding capability enhanced by ARM 9, the solution supports various audio formats such as MP3, WMA, APE, FLAC, OGG and WAV. Possible the speex encoded files are further encoded with a XOR key? the view in HxD looks differrent, as I would expect a few 00's in the header and at the end of the file finally: https://www.zixinhualang.com/productinfobc58-2.html?id=78 may or may not add something to this quest. based on the above, you may be able to disassemble the firmware knowing the actual processor to plug into the disassembler Hi - Unfortunately i wasn't able to decode any of the files either. Seems like they're either further encoded, or then another codec might be used. It's funny how there's very few dependencies present like speex in the firmware. Either i've yet to find them, or then they're also encoded/compressed in some manner - Every codec, compression, etc. should be present somehow right? For the operating system to run it must have the needed dependencies stored, so i guess the big problem here is figuring out how it is stored? - And regarding the other page you've linked with the arm architecture - It is very possible that this actually applies for the AK1052, although i have 0 experience with disassemblers, and only tried using one once, where i wasn't succesful
|
|
| Author: | Crawlie69 [ May 25th, 2021, 4:41 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
fzabkar wrote: I have extracted and attached the voice MP3s in one of the updates. Unfortunately they are all Chinese. Seems like the MP3s are identical to the ones from the firmware dump though right? Perhaps i should try and go through one of the update files with a translator and see if anything interesting pops up...
|
|
| Author: | HaQue [ May 25th, 2021, 9:26 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
I should have read the first page of post through before posting today, sorry for the likely confusing nature and subjects that have already been gone over! trying to do too many things at once at work today, and also trying to install all the dependencies for binwalk in windows Linux on a new PC. and failing so far. an idea I had was to look at the firmware, try and decompile some code and look for any procedures around the file IO that include XOR. seems like a strange step to XOR them as well, but as this guy that did a nice job hacking an IP camera found out, Chinese devs like to go their own way at times! https://lucasteske.dev/2019/06/reverse-engineering-cheap-chinese-vrcam-protocol/ Quote: After all of that I have no clue what would make someone create such horrible protocol for a commercial product. Why not just follow standards? The AK3918 SDK has a RTSP example which a nice configuration page. What the HELL was the developer was thinking when doing that? Obfuscating stuff? I’m pretty sure he failed in that too.
|
|
| Author: | Crawlie69 [ May 25th, 2021, 10:08 ] |
| Post subject: | Re: Bluetooth speaker eeprom |
It's all good. No worries. Always good to clear things up Regarding your whole binwalk situation - I had too much trouble getting it running on Windows, so in the end i just set up a virtual machine running a linux distro, with binwalk already preconfigured - Perhaps you should do that too Regarding the firmware - Yeah. I neither understand why it has to be this complicated, when it's just a small speaker solution, but perhaps it's just my very limited knowledge about reverse engineering that makes this seem complicated. LOL. |
|
| Page 2 of 3 | All times are UTC - 5 hours [ DST ] |
| Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group http://www.phpbb.com/ |
|
