Electronics, Firmware, Reverse engineering, Software

Hacking Bluetooth speaker/FM radio firmware

I have a little Bluetooth speaker/FM radio in my kitchen. This speaker is not perfect but nice for its price.
Except for few annoying things regarding sound notifications. I decided to “fix” that issues. Here I’m showing how it was done.
A little bit of reverse engineering was involved.

The first problem it was really annoying and loud turn-on notification. It sounds like some SMS notification. There is no way to disable or volume down this “greeting”.

 

The second problem is also a sound notification. It’s battery low-level notifications. The speaker interrupts music with loud phone-like beeping.

Let’s open this thing.

A quite simple single-board construction. It’s very interesting what’s on the PCB. I pulled the board and tried to identify all components.

The main processor is marked as “AE8U278”. It’s a quite interesting IC that contains Bluetooth radio, FM tuner, ADC, MP3 decoder, and some CPU core.
Unfortunately, I can’t find anything about this chip.

SC2313LD is a clone of the TDA7313 audio processor. This I2C-controller chip regulates sound volume, Tone, and do signals commutation. It’s a typical solution, nothing interesting.

It’s good to see here an SPI NOR memory chip. 25D40 is a 4M-bit 3.3 Volts chip. I can read and program this chip with my TL866 programmer and minipro software.

The SPI flash was identified as “Berg Microelectronics” BG25Q40A. But logo mismatches, probably it’s also a clone. Anyway, this chip is still can be read and programmed properly.

$ minipro -p "BG25Q40A@SOIC8" -r sven_firmware.bin
Found TL866CS 03.2.86 (0x256)
Reading Code... 4.89Sec OK

Now it’s time to explore this sven_firmware.bin flash image. The best friend of reverse-engineering is binwalk.

$ binwalk sven_firmware.bin

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------

And nothing. It looks like binwalk can’t find any valid signature. Then I decided that those sounds are stored in some simple known format.

Let’s try to find a WAV signature:

WAV:
$ binwalk sven_firmware.bin -e --dd=".*" --raw="RIFF"
$

No results. MP3?

$ binwalk sven_firmware.bin -e --dd=".*" --raw="ID3"

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
217088 0x35000 Raw signature (ID3)
254464 0x3E200 Raw signature (ID3)
258560 0x3F200 Raw signature (ID3)
269824 0x41E00 Raw signature (ID3)
273920 0x42E00 Raw signature (ID3)
278016 0x43E00 Raw signature (ID3)
282112 0x44E00 Raw signature (ID3)
285184 0x45A00 Raw signature (ID3)
288768 0x46800 Raw signature (ID3)
293376 0x47A00 Raw signature (ID3)
296960 0x48800 Raw signature (ID3)
300544 0x49600 Raw signature (ID3)
304640 0x4A600 Raw signature (ID3)
308736 0x4B600 Raw signature (ID3)
311808 0x4C200 Raw signature (ID3)
315392 0x4D000 Raw signature (ID3)
317952 0x4DA00 Raw signature (ID3)
348160 0x55000 Raw signature (ID3)
379904 0x5CC00 Raw signature (ID3)
384000 0x5DC00 Raw signature (ID3)

20 files were extracted. All files are identified as MP3.

$ ls _sven_firmware.bin.extracted/
35000 3E200 3F200 41E00 42E00 43E00 44E00 45A00 46800 47A00 48800 49600 4A600 4B600 4C200 4D000 4DA00 55000 5CC00 5DC00

$ file _sven_firmware.bin.extracted/35000 
_sven_firmware.bin.extracted/35000: Audio file with ID3 version 2.3.0, contains:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural

$ file _sven_firmware.bin.extracted/41E00
_sven_firmware.bin.extracted/41E00: Audio file with ID3 version 2.3.0, contains:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural

I tried to play those files. Most of them are playable MP3s but sound a little bit messy and distorted. It looks like different tracks were mixed up during extraction.

Then I extracted all the data from the offset 217088 up to the end of the file. The file size is 524288, so the count is 307200

$ dd if=sven_firmware.bin of=big.mp3 bs=1 skip=217088 count=307200

The resulting big.mp3 file contains multiple MP3 headers and audio samples but in the correct order.
This file can be opened with an Audacity sound editor. Now it’s very easy to listen and identify all fragments. I found that the turn-on notification is the very first chunk. Also, I found the low-battery sound.

Now required sample can be extracted and replaced.

217088 is the sample header position from the binwalk output above.
37376 is the sample length (the difference between the next and current sample positions).

dd if=sven_firmware.bin of=1.mp3 bs=1 skip=217088 count=37376

It’s important to keep the original data format and total data size. 37376 bytes, 32Kbps sample rate, mono:

$ file 1.mp3 
1.mp3: Audio file with ID3 version 2.3.0, contains:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural

I decided to edit the original sound and make it less loud. In Audacity, it can be done with Effect/Amplify Negative amplification drops the volume down.

The modified track should be exported as MP3 with corresponding params.

The resulting file is smaller than the original for 10554 bytes. The new file is 26822; the original was 37376.

Missed bytes can be filled with zeros. We need to mine 10554 zero bytes:

$ dd if=/dev/zero of=10554_bytes.bin bs=1 count=10554
10554+0 records in
10554+0 records out
10554 bytes (11 kB, 10 KiB) copied, 0,0154512 s, 683 kB/s

Now concatenate modified MP3 and zeros chunk:

cat 1.mp3 10554_bytes.bin >1_new.mp3

And finally, replace the binary section with new data:

dd conv=notrunc if=1_new.mp3 of=sven_firmware.bin bs=1 seek=217088

Write the file back to the SPI flash:

minipro -p "BG25Q40A@SOIC8" -w sven_firmware.bin

A quick test shows that everything is working, and the turn-on sound is less annoying now.

In the same manner, I modified the “battery” sound. I decided to replace the original “beep” with a cat “meow” (why not?).

 

Now I’m happy with my radio 🙂

Thanks for reading!

Tagged , , , , ,

2 thoughts on “Hacking Bluetooth speaker/FM radio firmware

  1. After one week searching finally found the solution but i have no experience with this kind of fixing, so how can i connect to the speaker board and do the same changings? That woman’s voice is very loud!

    1. Hello. It depends on your hardware. Typically you need to find an SPI chip and dump the firmware with all data.
      Does your speaker is similar to mine?

Leave a Reply to mehmet Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.