View topic - Bluetooth speaker flash dump

Main » Forums home » Flash storage, SSD

All times are UTC - 5 hours [ DST ]

Bluetooth speaker flash dump

Page 1 of 1

[ 7 posts ]

Print view

Previous topic | Next topic

Author

Message

spiel

Post subject: Bluetooth speaker flash dump

Posted: September 12th, 2022, 9:00

Joined: September 12th, 2022, 8:51
Posts: 2
Location: London

Hi,
I've dumped the Flash of a Bluetooth system I have in my car. I'd like to replace some of the default sounds, so I run binwalk - but there's no known files in the dump. However I can see bytes RIFFWAVE at a certain location, and when extracting the data from said location to the end, I end up with a file containing all sounds that the system has (I think). I can also see the string LAME3.93 repeated many times; my understanding is that it points to MP3 format used.

My questions are:
- How can I detect file format and names of sound files in the dump?
- How can I replace them?

The dump is attached; had to change extension to txt.

Thanks

Attachments:

wefatech_spi_flash.txt [2 MiB]
Downloaded 143 times

Top

fzabkar

Post subject: Re: Bluetooth speaker flash dump

Posted: September 12th, 2022, 15:04

Joined: September 8th, 2009, 18:21
Posts: 15525
Location: Australia

There is a table of sound clips at offset 0x100000.

Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B

000FFFFC              4D 56 55 42 89 DB 00 00      MVUB‰Û..
00100008  53 4E 55 4D 30 FD 0B 10 00 68 0A 00  SNUM0ý...h..
          ^^ -----------                                      <-- name of sound #1 = NUM0
number of sound clips = 0x53 (83 dec)

00100014  00 59 59 44 4B 65 16 10 00 D6 1F 00  .YYDKe...Ö..
00100020  00 -----------                                      <-- name of sound #2 = YYDK

Code:

          name     offset   size      name
          -------- -------- --------  ----
00000000  4E554D30 FD0B1000 680A0000  NUM0ý...h...
0000000C  5959444B 65161000 D61F0000  YYDKe...Ö...
00000018  59594742 3B361000 001E0000  YYGB;6......
00000024  5959515A 3B541000 3E2A0000  YYQZ;T..>*..
00000030  58594D4C 797E1000 0F210000  XYMLy~...!..
0000003C  44515848 889F1000 1F240000  DQXHˆŸ...$..
00000048  51425848 A7C31000 BC240000  QBXH§Ã..¼$..
00000054  4B534C59 63E81000 AC210000  KSLYcè..¬!..
00000060  4C594243 0F0A1100 AC210000  LYBC....¬!..
0000006C  4C594246 BB2B1100 D61F0000  LYBF»+..Ö...
00000078  53434C59 914B1100 E6220000  SCLY‘K..æ"..
00000084  59505352 776E1100 0F210000  YPSRwn...!..
00000090  59504246 868F1100 49220000  YPBF†...I"..
0000009C  43204246 CFB11100 C61C0000  C BFÏ±..Æ...
000000A8  53594D53 95CE1100 E6220000  SYMS•Î..æ"..
000000B4  53205953 7BF11100 001E0000  S YS{ñ......
000000C0  58205953 7B0F1200 9C1E0000  X YS{...œ...
000000CC  5A202054 172E1200 E0170000  Z  T....à...
000000D8  5420205A F7451200 E0170000  T  Z÷E..à...
000000E4  4858544A D75D1200 59250000  HXTJ×]..Y%..
000000F0  48584144 30831200 631D0000  HXAD0ƒ..c...
000000FC  48584445 93A01200 001E0000  HXDE“ ......
00000108  5953544A 93BE1200 82230000  YSTJ“¾..‚#..
00000114  59534144 15E21200 2A1C0000  YSAD.â..*...
00000120  59534445 3FFE1200 2A1C0000  YSDE?þ..*...
0000012C  4759544A 691A1300 49220000  GYTJi...I"..
00000138  47594144 B23C1300 531A0000  GYAD²<..S...
00000144  47594445 05571300 F01A0000  GYDE.W..ð...
00000150  4459544A F5711300 0F210000  DYTJõq...!..
0000015C  44594144 04931300 1A190000  DYAD.“......
00000168  44594445 1EAC1300 B7190000  DYDE.¬..·...
00000174  4854444B D5C51300 E6220000  HTDKÕÅ..æ"..
00000180  48544742 BBE81300 0F210000  HTGB»è...!..
0000018C  5A204459 CA091400 F01A0000  Z DYÊ...ð...
00000198  43202044 BA241400 A7160000  C  Dº$..§...
000001A4  42544D53 613B1400 0F210000  BTMSa;...!..
000001B0  42544C4A 705C1400 0F210000  BTLJp\...!..
000001BC  4254444B 7F7D1400 73200000  BTDK.}..s ..
000001C8  4449414E F29D1400 4E0F0000  DIANò...N...
000001D4  5A574D53 40AD1400 AC210000  ZWMS@...¬!..
000001E0  59574D53 ECCE1400 73200000  YWMSìÎ..s ..
000001EC  53504F50 5FEF1400 531A0000  SPOP_ï..S...
000001F8  5350434C B2091500 001E0000  SPCL².......
00000204  434F4353 B2271500 2A3A0000  COCS²'..*:..
00000210  4E584644 DC611500 C61C0000  NXFDÜa..Æ...
0000021C  52455031 A27E1500 2A1C0000  REP1¢~..*...
00000228  5250414C CC9A1500 7D180000  RPALÌš..}...
00000234  53545245 49B31500 391F0000  STREI³..9...
00000240  53415245 82D21500 8D1B0000  SARE‚Ò......
0000024C  5245504C 0FEE1500 1F240000  REPL.î...$..
00000258  44455245 2E121600 001E0000  DERE........
00000264  4C494E45 2E301600 D1140000  LINE.0..Ñ...
00000270  55445042 FF441600 E6220000  UDPBÿD..æ"..
0000027C  43445042 E5671600 0F210000  CDPBåg...!..
00000288  52444D44 F4881600 8D1B0000  RDMDôˆ......
00000294  5052534F 81A41600 001E0000  PRSO.¤......
000002A0  4E45534E 81C21600 531A0000  NESN.Â..S...
000002AC  50415553 D4DC1600 3E0C0000  PAUSÔÜ..>...
000002B8  53544F50 12E91600 B10E0000  STOP.é..±...
000002C4  45435245 C3F71600 D61F0000  ECREÃ÷..Ö...
000002D0  4543504C 99171700 F01A0000  ECPL™...ð...
000002DC  45435244 89321700 C61C0000  ECRD‰2..Æ...
000002E8  444C5245 4F4F1700 49220000  DLREOO..I"..
000002F4  444C504C 98711700 F01A0000  DLPL˜q..ð...
00000300  444C5244 888C1700 001E0000  DLRDˆŒ......
0000030C  54525245 88AA1700 E6220000  TRREˆª..æ"..
00000318  5452504C 6ECD1700 2A1C0000  TRPLnÍ..*...
00000324  54525244 98E91700 9C1E0000  TRRD˜é..œ...
00000330  42415245 34081800 73200000  BARE4...s ..
0000033C  4241504C A7281800 B7190000  BAPL§(..·...
00000348  42415244 5E421800 631D0000  BARD^B..c...
00000354  4D494F50 C15F1800 9C1E0000  MIOPÁ_..œ...
00000360  4D49434C 5D7E1800 E6220000  MICL]~..æ"..
0000036C  53554241 43A11800 1A190000  SUBAC¡......
00000378  4D454E55 5DBA1800 780D0000  MENU]º..x...
00000384  42544D44 D5C71800 391F0000  BTMDÕÇ..9...
00000390  4254434E 0EE71800 1F240000  BTCN.ç...$..
0000039C  4254444E 2D0B1900 3E2A0000  BTDN-...>*..
000003A8  504F4954 6B351900 88100000  POITk5..ˆ...
000003B4  434E4D44 F3451900 C61C0000  CNMDóE..Æ...
000003C0  454E4D44 B9621900 2A1C0000  ENMD¹b..*...
000003CC  4D524E47 E37E1900 4A0E0100  MRNGã~..J...
000003D8  50484F4E 2D8D1A00 E3CD0000  PHON-...ãÍ..

All numbers are little-endian (hexadecimal). If you need me to write a tool to extract the sound clips, let me know.

_________________
A backup a day keeps DR away.

Top

fzabkar

Post subject: Re: Bluetooth speaker flash dump

Posted: September 12th, 2022, 15:19

Joined: September 8th, 2009, 18:21
Posts: 15525
Location: Australia

(This is a better forum to post this type of question:
https://www.eevblog.com/forum/embedded-computing/)

There is another table at offset 0x75B34.

Code:

          number   name                   name
          -------- -----------------      --------
00000000  00000000 4E554D30 5A45524F  ....NUM0ZERO
0000000C  01000000 4E554D31 4F4E4520  ....NUM1ONE 
00000018  02000000 4E554D32 54574F20  ....NUM2TWO 
00000024  03000000 4E554D33 54485245  ....NUM3THRE
00000030  04000000 4E554D34 464F5552  ....NUM4FOUR
0000003C  05000000 4E554D35 46495645  ....NUM5FIVE
00000048  06000000 4E554D36 53495820  ....NUM6SIX 
00000054  07000000 4E554D37 5345564E  ....NUM7SEVN
00000060  08000000 4E554D38 45494754  ....NUM8EIGT
0000006C  09000000 4E554D39 4E494E45  ....NUM9NINE
00000078  0A000000 4A494135 504C5335  ....JIA5PLS5
00000084  0B000000 5959444B 53504F50  ....YYDKSPOP
00000090  0C000000 59594742 5350434C  ....YYGBSPCL
0000009C  0D000000 5959515A 434F4353  ....YYQZCOCS
000000A8  0E000000 58594D4C 4E584644  ....XYMLNXFD
000000B4  0F000000 44515848 52455031  ....DQXHREP1
000000C0  10000000 51425848 5250414C  ....QBXHRPAL
000000CC  11000000 4B534C59 53545245  ....KSLYSTRE
000000D8  12000000 4C594243 53415245  ....LYBCSARE
000000E4  13000000 4C594246 5245504C  ....LYBFREPL
000000F0  14000000 53434C59 44455245  ....SCLYDERE
000000FC  15000000 59505352 4C494E45  ....YPSRLINE
00000108  16000000 59504246 55445042  ....YPBFUDPB
00000114  17000000 43204246 43445042  ....C BFCDPB
00000120  18000000 53594D53 52444D44  ....SYMSRDMD
0000012C  19000000 53205953 5052534F  ....S YSPRSO
00000138  1A000000 58205953 4E45534E  ....X YSNESN
00000144  1B000000 5A202054 50415553  ....Z  TPAUS
00000150  1C000000 5420205A 53544F50  ....T  ZSTOP
0000015C  1D000000 4858544A 45435245  ....HXTJECRE
00000168  1E000000 48584144 4543504C  ....HXADECPL
00000174  1F000000 48584445 45435244  ....HXDEECRD
00000180  20000000 5953544A 444C5245   ...YSTJDLRE
0000018C  21000000 59534144 444C504C  !...YSADDLPL
00000198  22000000 59534445 444C5244  "...YSDEDLRD
000001A4  23000000 4759544A 54525245  #...GYTJTRRE
000001B0  24000000 47594144 5452504C  $...GYADTRPL
000001BC  25000000 47594445 54525244  %...GYDETRRD
000001C8  26000000 4459544A 42415245  &...DYTJBARE
000001D4  27000000 44594144 4241504C  '...DYADBAPL
000001E0  28000000 44594445 42415244  (...DYDEBARD
000001EC  29000000 4854444B 4D494F50  )...HTDKMIOP
000001F8  2A000000 48544742 4D49434C  *...HTGBMICL
00000204  2B000000 45515A52 464C4154  +...EQZRFLAT
00000210  2E000000 45514744 434C4153  ....EQGDCLAS
0000021C  2D000000 45514C58 504F5020  -...EQLXPOP 
00000228  2C000000 45515947 524F434B  ,...EQYGROCK
00000234  30000000 45514A53 4A415A5A  0...EQJSJAZZ
00000240  2F000000 45515248 534F4654  /...EQRHSOFT
0000024C  31000000 5A204459 53554241  1...Z DYSUBA
00000258  32000000 43202044 4D454E55  2...C  DMENU
00000264  33000000 42544D53 42544D44  3...BTMSBTMD
00000270  34000000 42544C4A 4254434E  4...BTLJBTCN
0000027C  35000000 4254444B 4254444E  5...BTDKBTDN
00000288  36000000 4449414E 504F4954  6...DIANPOIT
00000294  37000000 5A574D53 454E4D44  7...ZWMSENMD
000002A0  38000000 534B4D53 55414D44  8...SKMSUAMD
000002AC  39000000 59582054 41524D44  9...YX TARMD
000002B8  3A000000 42202046 504C4159  :...B  FPLAY
000002C4  3B000000 4B20204A 46202046  ;...K  JF  F
000002D0  3C000000 4B202054 46202042  <...K  TF  B
000002DC  3D000000 5A48485A 4D20485A  =...ZHHZM HZ
000002E8  3E000000 4D4C5848 52504644  >...MLXHRPFD
000002F4  3F000000 4C4C4246 494E5452  ?...LLBFINTR
00000300  40000000 534A4246 52414E44  @...SJBFRAND
0000030C  41000000 5A445354 41545343  A...ZDSTATSC
00000318  42000000 53594454 50525354  B...SYDTPRST
00000324  43000000 58594454 4E585354  C...XYDTNXST
00000330  44000000 5949474A 50574F46  D...YIGJPWOF
0000033C  45000000 4754594C 4755564C  E...GTYLGUVL
00000348  46000000 53535A48 53454152  F...SSZHSEAR
00000354  47000000 4A59444B 4D554F4E  G...JYDKMUON
00000360  48000000 4A594742 4D554F46  H...JYGBMUOF
0000036C  49000000 4854594C 4D49564C  I...HTYLMIVL
00000378  4A000000 5A48594C 4D41564C  J...ZHYLMAVL
00000384  4B000000 48544D4B 4D4D4F50  K...HTMKMMOP
00000390  4C000000 48544D47 4D4D434C  L...HTMGMMCL
0000039C  4D000000 4854594B 4D464F50  M...HTYKMFOP
000003A8  4E000000 48545947 4D46434C  N...HTYGMFCL
000003B4  4F000000 4420204B 4F50454E  O...D  KOPEN
000003C0  50000000 47202042 434C4F53  P...G  BCLOS
000003CC  51000000 444C4449 4C505752  Q...DLDILPWR
000003D8  52000000 5A5A4344 43484147  R...ZZCDCHAG
000003E4  53000000 444C594D 46554C4C  S...DLYMFULL
000003F0  54000000 44445044 57545041  T...DDPDWTPA
000003FC  55000000 53204849 5420454E  U...S HIT EN
00000408  56000000 42204149 48445244  V...B AIHDRD
00000414  57000000 48544352 4D43494E  W...HTCRMCIN
00000420  58000000 48544243 4D434F55  X...HTBCMCOU
0000042C  59000000 57555348 46494654  Y...WUSHFIFT
00000438  5A000000 59494241 4F484444  Z...YIBAOHDD
00000444  5B000000 59425753 4F484646  [...YBWSOHFF
00000450  5C000000 4C424149 54484444  \...LBAITHDD
0000045C  5D000000 4D524E47 4D524E47  ]...MRNGMRNG
00000468  5E000000 50484F4E 50484F4E  ^...PHONPHON

_________________
A backup a day keeps DR away.

Top

fzabkar

Post subject: Re: Bluetooth speaker flash dump

Posted: September 12th, 2022, 16:13

Joined: September 8th, 2009, 18:21
Posts: 15525
Location: Australia

fzabkar wrote:

There is another table at offset 0x75B34.

Code:

          number   name                   name
          -------- -----------------      --------
00000078  0A000000 4A494135 504C5335  ....JIA5PLS5  <-- first 4 characters is name of Chinese language sound clip (JIA5), last four is English equivalent (PLS5)
00000084  0B000000 5959444B 53504F50  ....YYDKSPOP
00000090  0C000000 59594742 5350434C  ....YYGBSPCL

_________________
A backup a day keeps DR away.

Top

fzabkar

Post subject: Re: Bluetooth speaker flash dump

Posted: September 13th, 2022, 2:11

Joined: September 8th, 2009, 18:21
Posts: 15525
Location: Australia

Attached are your sound clips.

The ClipList.txt file contains the Name, Offset, Size and Header information for each file. All but the last two files are LAME file types, while the last two files are MP3s. All files are playable with the VLC media player.

When you are adding your own sound clip, paste it into the free area at the end of the flash, then amend the offset and size dwords in the table so that they point to the new file. Hopefully there is no checksum. If there is a checksum, the firmware will probably throw a fatal error and refuse to load.

Attachments:

SoundClips.7z [526.77 KiB]
Downloaded 144 times

_________________
A backup a day keeps DR away.

Top

spiel

Post subject: Re: Bluetooth speaker flash dump

Posted: September 13th, 2022, 9:51

Joined: September 12th, 2022, 8:51
Posts: 2
Location: London

Hey fzabkar, that's an awesome job! I was able to figure out the table at 0x100000 as I found it by eyeballing the binary really hard for a long time. Could you share some info on how did you find the table, and general advise on the process?

Your suggestion for adding the new file in the empty space and then adjusting the offset in the table is great. Honestly what I was going to do is completely replace one of the sound files, but by doing what you're suggesting I can try adding a longer/shorter audio file.

Many thanks again

Top

fzabkar

Post subject: Re: Bluetooth speaker flash dump

Posted: September 13th, 2022, 11:52

Joined: September 8th, 2009, 18:21
Posts: 15525
Location: Australia

spiel wrote:

I was able to figure out the table at 0x100000 as I found it by eyeballing the binary ...

That's basically what I did. I always look for patterns in the data.

BTW, does your device have a graphical interface?

You might like to try different audio formats if LAME proves to be a challenge. I suspect that the firmware may recognise additional codecs and file types.

Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0000A700  4D 50 33 5F 44 45 43 4F 44 45 52 00 49 C7 02 00  MP3_DECODER.IÇ..
0000A710  5D C8 02 00 A1 CA 02 00 A5 CA 02 00 BB CA 02 00  ]È..¡Ê..¥Ê..»Ê..
0000A720  57 4D 41 5F 44 45 43 4F 44 45 52 00 19 D7 02 00  WMA_DECODER..×..
0000A730  1B D7 02 00 4B D8 02 00 4F D8 02 00 61 D8 02 00  .×..KØ..OØ..aØ..
0000A740  53 42 43 5F 44 45 43 4F 44 45 52 00 B9 DA 02 00  SBC_DECODER.¹Ú..
0000A750  BB DA 02 00 FD DC 02 00 01 DD 02 00 13 DD 02 00  »Ú..ýÜ...Ý...Ý..
0000A760  57 41 56 5F 44 45 43 4F 44 45 52 00 9F F1 02 00  WAV_DECODER.Ÿñ..
0000A770  0F F2 02 00 39 F3 02 00 3D F3 02 00 4F F3 02 00  .ò..9ó..=ó..Oó..
0000A780  46 4C 41 43 5F 44 45 43 4F 44 45 52 00 00 00 00  FLAC_DECODER....
0000A790  F7 F8 02 00 87 F5 02 00 AF FA 02 00 B3 FA 02 00  ÷ø..‡õ..¯ú..³ú..
0000A7A0  C5 FA 02 00 41 41 43 5F 44 45 43 4F 44 45 52 00  Åú..AAC_DECODER.
0000A7B0  B5 FC 02 00 B7 FC 02 00 11 01 03 00 15 01 03 00  µü..·ü..........
0000A7C0  27 01 03 00 41 49 46 5F 44 45 43 4F 44 45 52     '...AIF_DECODER

_________________
A backup a day keeps DR away.

Top

Page 1 of 1

[ 7 posts ]

Main » Forums home » Flash storage, SSD

All times are UTC - 5 hours [ DST ]

Who is online

Users browsing this forum: No registered users and 22 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum