A little bit of reverse engineering was involved.
The first problem is annoying and loud turn-on notifications. It sounds like some SMS notification. There is no way to disable or volume down this “greeting”.
The second problem is also a sound notification. The speaker interrupts music with loud phone-like beeping. Its low-level battery notifications.
Let’s open this thing.
A relatively simple single-board construction. I pulled the board and tried to identify all components.
The central processor is marked as “AE8U278”. It’s an interesting IC containing Bluetooth radio, FM tuner, ADC, MP3 decoder, and the CPU core.
Unfortunately, I can’t find anything about this chip.
SC2313LD is a clone of the TDA7313 audio processor.
This I2C-controlled chip regulates sound Volume, Tone, and signals commutation.
It’s a typical solution, nothing interesting.
It’s good to see here an SPI NOR memory chip. 25D40 is a 4M-bit 3.3V chip. I can read and program this chip with my TL866 programmer and minipro software.
The SPI flash identifies as “Berg Microelectronics” BG25Q40A. But logo mismatches, probably it’s also a clone. Anyway, this chip is still can be read and programmed correctly.
$ minipro -p "BG25Q40A@SOIC8" -r sven_firmware.bin Found TL866CS 03.2.86 (0x256) Reading Code... 4.89Sec OK
Now it’s time to explore this sven_firmware.bin flash image. The best friend of any researcher is binwalk.
$ binwalk sven_firmware.bin DECIMAL HEXADECIMAL DESCRIPTION --------------------------------------------------------------------------------
And nothing. It looks like binwalk couldn’t find any valid signature. Then I thought that those sounds were stored in some simple known format.
Let’s try to find a WAV signature:
WAV: $ binwalk sven_firmware.bin -e --dd=".*" --raw="RIFF" $
No results. MP3?
$ binwalk sven_firmware.bin -e --dd=".*" --raw="ID3" DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 217088 0x35000 Raw signature (ID3) 254464 0x3E200 Raw signature (ID3) 258560 0x3F200 Raw signature (ID3) 269824 0x41E00 Raw signature (ID3) 273920 0x42E00 Raw signature (ID3) 278016 0x43E00 Raw signature (ID3) 282112 0x44E00 Raw signature (ID3) 285184 0x45A00 Raw signature (ID3) 288768 0x46800 Raw signature (ID3) 293376 0x47A00 Raw signature (ID3) 296960 0x48800 Raw signature (ID3) 300544 0x49600 Raw signature (ID3) 304640 0x4A600 Raw signature (ID3) 308736 0x4B600 Raw signature (ID3) 311808 0x4C200 Raw signature (ID3) 315392 0x4D000 Raw signature (ID3) 317952 0x4DA00 Raw signature (ID3) 348160 0x55000 Raw signature (ID3) 379904 0x5CC00 Raw signature (ID3) 384000 0x5DC00 Raw signature (ID3)
20 files were extracted. All files are identified as MP3.
$ ls _sven_firmware.bin.extracted/ 35000 3E200 3F200 41E00 42E00 43E00 44E00 45A00 46800 47A00 48800 49600 4A600 4B600 4C200 4D000 4DA00 55000 5CC00 5DC00 $ file _sven_firmware.bin.extracted/35000 _sven_firmware.bin.extracted/35000: Audio file with ID3 version 2.3.0, contains:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural $ file _sven_firmware.bin.extracted/41E00 _sven_firmware.bin.extracted/41E00: Audio file with ID3 version 2.3.0, contains:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
I tried to play those files. Most of them are playable MP3s but sound a little bit messy and distorted. It looks like different tracks were mixed up during extraction.
Then I extracted all the data from the offset 217088 up to the end of the file. The file size is 524288, so the count is 307200
$ dd if=sven_firmware.bin of=big.mp3 bs=1 skip=217088 count=307200
The resulting big.mp3 file contains multiple MP3 headers and audio samples in the correct order.
The mp3 file can be opened with an Audacity sound editor. Now it’s very easy to listen and identify all fragments. I found that the turn-on notification is the very first chunk. Also, I found the low-battery sound.
Now the required sample can be extracted and replaced.
217088 is the sample header position from the binwalk output above.
37376 is the sample length (the difference between the following and current sample positions).
dd if=sven_firmware.bin of=1.mp3 bs=1 skip=217088 count=37376
It’s important to keep the original data format and total data size. 37376 bytes, 32Kbps sample rate, mono:
$ file 1.mp3 1.mp3: Audio file with ID3 version 2.3.0, contains:MPEG ADTS, layer III, v2, 32 kbps, 16 kHz, Monaural
I decided to edit the original sound and make it less loud. In Audacity, it can be done with Effect/Amplify Negative amplification drops the volume down.
The modified track should be exported as MP3 with corresponding parameters.
The resulting file is smaller than the original by 10554 bytes. The new file is 26822; the original was 37376.
Missed bytes can be filled with zeros. We need to mine 10554 zero bytes:
$ dd if=/dev/zero of=10554_bytes.bin bs=1 count=10554 10554+0 records in 10554+0 records out 10554 bytes (11 kB, 10 KiB) copied, 0,0154512 s, 683 kB/s
Now concatenate modified MP3 and zeros chunk:
cat 1.mp3 10554_bytes.bin >1_new.mp3
And finally, replace the binary section with new data:
dd conv=notrunc if=1_new.mp3 of=sven_firmware.bin bs=1 seek=217088
Write the file back to the SPI flash:
minipro -p "BG25Q40A@SOIC8" -w sven_firmware.bin
A quick test shows that everything is working, and the turn-on sound is less annoying now.
In the same manner, I modified the “battery” sound. I decided to replace the original “beep” with a cat “meow” (why not?).
Now I’m happy with my radio 🙂
Thanks for reading!
After one week searching finally found the solution but i have no experience with this kind of fixing, so how can i connect to the speaker board and do the same changings? That woman’s voice is very loud!
Hello. It depends on your hardware. Typically you need to find an SPI chip and dump the firmware with all data.
Does your speaker is similar to mine?
Does she have a British accent and says BLUETOOTH MODE ON! or something like that?
Nope. It has a Chinese-accent woman’s voice that reads numbers. That’s it.
I have the same speaker but under a different name
the charging board (cant charge no matter what)is kinda fucked and i dont know the problemn… for now ive sodered a boost converter and a lithium charger to it to make it work but its kinda annoying
I was wondering if you ever had the same problem
or if you know where to start
I don’t have such problems.
also i was wondering how you arranged the radio wire inside cause idk how to put it back inside
ive wrapped it around inside the handle but its not good at picking up a good signal that way
Yeah. This antenna is sucks. I have plans to replace it with a normal telescopic antenna.
Great work figuring out how the announcements were stored, and better still changing and re-storing them in the chip ! Just wondering if minipro is the only way to do this ? Its quite expensive.
You can use any SPI NOR programmer. Like this one: https://www.amazon.com/Programmer-CH341A-Burner-EEPROM-Writer/dp/B081VKFT1X/ref=sr_1_7?crid=1R56Y01CEKAJQ&keywords=SPI+Flash+Programmer&qid=1664754999&qu=eyJxc2MiOiIzLjI2IiwicXNhIjoiMi41NSIsInFzcCI6IjEuODgifQ%3D%3D&sprefix=spi+flash+programmer%2Caps%2C168&sr=8-7
Just make sure that programmer voltage matches flash voltage (3.3 or 1.8V).
I’m kind of new to this sort of thing, could you message me on Discord and maybe give me an in-depth explanation? I have a T48 (newer model TL866) and the speaker I wish to modify, but I’ve never messed with this before. I mess around with software more often than hardware, so I THINK I can do this on my own, but there are some grey areas where I am afraid I will mess something up. My discord is Jacqueb#9802
olá, na minha região as caixas de som são chinesas, não contem o chip EEPROM (SPI NOR flash) para a aleitura, o firmware está dentro do chip MCU bluetooth do fabricante: http://www.chenbingdom.com
o chip para qual estou a analizar é o jl ac20bp que não tem datasheet no fabricante, imagino por ser antigo ou algo parecido, porém no fabricante contem chip mais novos do mesmo seguimento exemplo: AC6969A2 datasheet:http://www.chenbingdom.com/uploadfile/202141411355096441.pdf
traduzindo o datasheet, existe uma parte onde descreve “Pontos de gravação reservados para programação” mas não se parece com a leitura de de chip EEPROM, estou com dificuldade em identificar como fazer a leitura e escrita destes modelos de chip, qualquer ajuda seria de grande valia!