Fairbuds XL Firmware Source Code

Hello,

I was wondering if there are any plans to make the source code for the Fairbuds XL firmware available.

There are some small customisations that I’d like to make to the firmware, so they would suit my needs better.

Also, has anybody on this forum tried to reverse engineer the firmware?

I’ve had a look at the v90.bin, but 8085 isn’t my strong suit, and even though it would be a fun challenge to hack the firmware, getting to the point where I’d be able to build and flash it would be a lot of effort, which I wouldn’t have to duplicate if the firmware is available already.

Can you share the v90.bin file you have? I also want to have a look myself.

I haven’t found the direct link to Fairphone’s server yet (I imagine it’s an open download) but I’ve found the v90.bin in the Android App’s cache folder: /data/data/com.fairphone.android.fairbudsapp/cache/

Warning: This is for educational use only. I’m just a stranger on the internet! Don’t run proprietary code that you don’t know and trust.

Download v90.zip: Bitwarden Send

Here are the hashes of the v90.bin (extracted zip):

md5sum:    4bd35fb7691e9a15def822009d7142a9  v90.bin
sha256sum: 5b9016c4d795570c124c28d2394f06c0173437b8f2103c4d2bb6b6b67d2af297  v90.bin
sha512sum: 43ce2426e19156f99f0e5380f2543f45ad1acea6d5f5eafe98fedab493aa3c957c6373c56b9807fad33fa465f728e45eca67e2b0e211a1a335c334815eeeb777  v90.bin

Yep, that’s where I got it from, too. I’ve compared the sha256 with mine, they match.

This is the output from running binwalk on the v90.bin:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
544192        0x84DC0         SHA256 hash constants, little endian
1097884       0x10C09C        gzip compressed data, maximum compression, has original file name: "config_definition", last modified: 1970-01-01 00:00:00 (null date)
1708388       0x1A1164        SHA256 hash constants, little endian
1709124       0x1A1444        AES S-Box
1709380       0x1A1544        AES Inverse S-Box

This may suggest that the firmware is encrypted with AES.
Anyways, trying to extract it with binwalk -e v90.bin results in a config file called config_definition being extracted. It seems to contain, as the name suggests, configuration (in xml).

$ head _v90.bin.extracted/config_definition 
<?xml version="1.0" encoding="utf-8"?>
<ConfigSet 
    SwVariant="Headset-Gaming" 
    HwVariant="QCC3034-AA_DEV-BRD-R2-AA" >

    <DefineGroup >
        <DefineBlockList >
            <enum 
                value="33" 
                key="A2DP Config" />

A slightly more aggresive invocation of binwalk (binwalk --dd=".*" v90.bin) results in more files:

$ stat -c "%s %n" -- _v90.bin.extracted/*
4436 _v90.bin.extracted/1A1164
3700 _v90.bin.extracted/1A1444
3444 _v90.bin.extracted/1A1544
1168632 _v90.bin.extracted/84DC0
450560 _v90.bin.extracted/config_definition
614940 _v90.bin.extracted/config_definition-0

Running strings on the 1A* and the 84DC0 files produces output like you see below, which to me suggests that these files are not encrypted, and may contain firmware code:

vRQ>
8STs
LwH'
rwfs
fs_open : %s
fs_read : %d, %p, %d
fs_write : %d, %p, %d

I tried to load these files into Ghidra, but it couldn’t make sense of it.

Anyways, I opened up the headphones took a picture of the board. One of the chips says “CM6542”, which may mean that it’s this https://www.cmedia.com.tw/applications/headset/CM6542

There’s another, smaller chip that says “32F016 NRW5K”. Searching for that led me nowhere.

The product feature section on the CM6542 page says “Embedded 8051 MCU with internal 512KB flash”, which may mean that the firmware is written in 8051 assembly. That has led me to discover this tool GitHub - 8051Enthusiast/at51: Applications for reverse engineering architecture 8051 firmware, which I ran on the extracted files, with no success.
If you’re curious, this is the output from running the tool. For at51 stat 84DC0 | gnuplot -p -e "plot '-' with lines" I get this rather inconclusive looking plot.

For at51 base 84DC0 I get this:

Index by likeliness:
	1: -0x7bd0 with 345
	2: -0x7bd4 with 342
	3: -0x7bd6 with 324

But, negative indices don’t really make sense to me. For the other files, the output looks similar.
In conclusion, I’m not yet sure if this really is 8051. I’m also not sure if the files were extracted correctly.

The format seems to be very similar to the format of the OTA firmware I got for my LG tone Free earbuds, and seems compatible with this script for Bose headphones (After removing the parse header function that seems specific to bose stuff)
Maybe there is some kind of standard-ish format used or this type of application?

The script gives you 7 partition files and a footer but I haven’t gotten anything from them in ghidra yet either.

a0d0d48f4ad7ee3f8184a1ba467341c74ee4dffc137452ce75d005d29bd02a39  footer.dat
20da90e68257cdb6245e3623b91a4bb9fb175009d6f2220230de1d39f0a51f3d  part_0.dat
8db4b546f62c063eb0f60bfcfdfdcbd1f294b4e42c20084fb3fe1e529ae720f6  part_1.dat
795c4f55a2580eca10fff50967ac5ac938f085f24c444682318f7f8208c552dc  part_4.dat
7e483bc4d5be02874e520fcf9a810ee95d30510e7fd2fffb727d67ae96414885  part_5.dat
1ce214a570f0858fdec098788e907b4cd1fcefb8f179aa23d9165c193418188f  part_6.dat
1fa960605fa5f93617566436752deb70c200c56d9eeb7fe6c955d51cadd1591e  part_7.dat
e5f7a8235533edf3ce0cb84de806c5e9d6c4b63716b7e9d88791fa08e50e3afc  part_9.dat

EDIT: Well apparently I am just an idiot and didn’t look at the ressources of the project…
The format of the firmware seems to be the OTAU format from qcom → https://developer.qualcomm.com/qfile/34081/csr102x_otau_overview.pdf

Given that the format is a qualcom format (The overview in my last message is not exactly the same, it looks like it was for a version 2 (?) and ours looks like a version (?) 5) maybe the unknown chip is a qualcom chip, and they are not just randomly using qualcom’s format without any reason
Also it would explain why it’s hard to find anything on the chip since qualcom has a tendency to bury datasheets…
It would be ver nice if somebody from fairphone could shed some light on all this. But I assume they might not be able to share the schematics and source code because they don’t own all of it ? (Based on the video about the design of the faibuds XL it would surprise me)

That’s very interesting.
I decompiled the Fairphone app and observed that the firmware update is managed by something called GAIA (the package name is com.qualcomm.qti.libraries.gaia), which appears to be, well, a firmware managing library from Qualcomm. This matches your observation.

I would supect that if the Fairbuds XL firmware is a customized version of a generic Qualcomm firmware. That would probably mean that Fairphone is not in a position to open up the source code. They might not even be allowed to talk about any of this (this is pure speculation on my part, I have no idea what the terms look like). Although it would be nice to have a statement like “sorry folks, we can’t release the firmware becaues (parts of) it was licensed from Qualcomm”.

I haven’t found the direct link to Fairphone’s server yet

After decompiling the app I noticed that they just ship the binary with the APK. (after un-archiving, it’s in fairbudsapp/res/raw/v90.bin). So, there’s no server to fetch it from. That also means that they need to update the app through the play store to update the firmware.

I found a bit of research on GAIA here: Bluetooth GAIA protocol

GAIA is the “Generic Application Interface Architecture”, which was originally thought up by Cambridge Silicon Radio and is now owned by Qualcomm. There is no public specification available; you apparently have to sign a NDA to get it.

It is possible that it was always proprietary, but Qualcomm has a history of buying up stuff and locking away the documentation for it, so I’ll go ahead and blame them again !

I would like to do a bit of reverse engineering on the firmware when I get some time, I hope they haven’t bothered signing the firmware and that we can just flash our own moded version at some point (but I am not expecting it to be that easy ¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯)

If I find anything interesting I’ll happily share it here