I was wondering if there are any plans to make the source code for the Fairbuds XL firmware available.
There are some small customisations that I’d like to make to the firmware, so they would suit my needs better.
Also, has anybody on this forum tried to reverse engineer the firmware?
I’ve had a look at the v90.bin, but 8085 isn’t my strong suit, and even though it would be a fun challenge to hack the firmware, getting to the point where I’d be able to build and flash it would be a lot of effort, which I wouldn’t have to duplicate if the firmware is available already.
I haven’t found the direct link to Fairphone’s server yet (I imagine it’s an open download) but I’ve found the v90.bin in the Android App’s cache folder: /data/data/com.fairphone.android.fairbudsapp/cache/
Warning: This is for educational use only. I’m just a stranger on the internet! Don’t run proprietary code that you don’t know and trust.
This is the output from running binwalk on the v90.bin:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
544192 0x84DC0 SHA256 hash constants, little endian
1097884 0x10C09C gzip compressed data, maximum compression, has original file name: "config_definition", last modified: 1970-01-01 00:00:00 (null date)
1708388 0x1A1164 SHA256 hash constants, little endian
1709124 0x1A1444 AES S-Box
1709380 0x1A1544 AES Inverse S-Box
This may suggest that the firmware is encrypted with AES.
Anyways, trying to extract it with binwalk -e v90.bin results in a config file called config_definition being extracted. It seems to contain, as the name suggests, configuration (in XML).
Running strings on the 1A* and the 84DC0 files produces output like you see below, which to me suggests that these files are not encrypted, and may contain firmware code:
There’s another, smaller chip that says “32F016 NRW5K”. Searching for that led me nowhere.
The product feature section on the CM6542 page says “Embedded 8051 MCU with internal 512KB flash”, which may mean that the firmware is written in 8051 assembly. That has led me to discover this tool GitHub - 8051Enthusiast/at51: Applications for reverse engineering architecture 8051 firmware, which I ran on the extracted files, with no success.
If you’re curious, this is the output from running the tool. For at51 stat 84DC0 | gnuplot -p -e "plot '-' with lines" I get this rather inconclusive looking plot.
For at51 base 84DC0 I get this:
Index by likeliness:
1: -0x7bd0 with 345
2: -0x7bd4 with 342
3: -0x7bd6 with 324
But, negative indices don’t really make sense to me. For the other files, the output looks similar.
In conclusion, I’m not yet sure if this really is 8051. I’m also not sure if the files were extracted correctly.
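The binwalk hits above ("SHA256 hash constants", "AES S-Box") come from signature matching on well-known constant tables. As an added example that is not part of this thread and not binwalk's code, the script below derives those tables itself (the S-Box from GF(2^8) arithmetic, the SHA-256 K constants from cube roots of primes), searches an image for them, and measures per-window Shannon entropy. The point is the distinction a practitioner wants: an S-Box in the image only shows that it contains an AES implementation, while a near-8.0 entropy profile is what would indicate the surrounding data is actually encrypted or compressed. The sample image is constructed inline; nothing here is derived from v90.bin.

```python
"""Firmware triage helpers: locate the constant tables that binwalk's 'AES S-Box' and
'SHA256 hash constants' signatures key on, and measure per-window entropy so that
'contains crypto code' can be told apart from 'is encrypted'. Sample data is constructed."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def aes_sbox() -> bytes:
    """Forward AES S-Box from GF(2^8) inversion plus the affine map.
    p walks the field as x*3, q as x/3, so p*q == 1 on every iteration."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF                                                # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = (q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                                               # 0 has no inverse
    return bytes(sbox)


def _icbrt(n: int) -> int:
    """Integer cube root (floor) by binary search; exact, unlike float pow()."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def sha256_round_constants() -> List[int]:
    """The 64 SHA-256 K constants: first 32 fractional bits of the cube roots
    of the first 64 primes, computed in exact integer arithmetic."""
    primes: List[int] = []
    n = 2
    while len(primes) < 64:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return [_icbrt(p << 96) & 0xFFFFFFFF for p in primes]


def crypto_signatures() -> Dict[str, bytes]:
    """Byte patterns to search for, named after binwalk's descriptions."""
    sbox = aes_sbox()
    inv_sbox = bytes(sbox.index(v) for v in range(256))
    k = sha256_round_constants()
    return {
        "AES S-Box": sbox,
        "AES Inverse S-Box": inv_sbox,
        "SHA256 hash constants, little endian": b"".join(c.to_bytes(4, "little") for c in k[:8]),
        "SHA256 hash constants, big endian": b"".join(c.to_bytes(4, "big") for c in k[:8]),
    }


def scan_constants(blob: bytes) -> List[Tuple[int, str]]:
    """Every (offset, description) at which a known table occurs in blob."""
    hits = []
    for name, sig in crypto_signatures().items():
        off = blob.find(sig)
        while off != -1:
            hits.append((off, name))
            off = blob.find(sig, off + 1)
    return sorted(hits)


def window_entropy(blob: bytes, window: int = 4096) -> List[Tuple[int, float]]:
    """Shannon entropy in bits/byte per window; values near 8.0 suggest
    compressed or encrypted data, low values suggest code or padding."""
    result = []
    for off in range(0, len(blob), window):
        chunk = blob[off:off + window]
        counts = Counter(chunk)
        ent = -sum(c / len(chunk) * math.log2(c / len(chunk)) for c in counts.values())
        result.append((off, ent))
    return result


def build_sample() -> bytes:
    """Constructed image: a plaintext region holding the S-Box at 0x400 and the
    little-endian K table at 0x700, then 8 KiB of pseudo-random bytes standing
    in for an encrypted payload."""
    sigs = crypto_signatures()
    plain = bytearray(b"\x00" * 0x400)
    plain += sigs["AES S-Box"]                      # 0x400..0x500
    plain += b"\x22" * 0x200                        # 0x500..0x700 filler
    plain += sigs["SHA256 hash constants, little endian"]
    plain += b"\xff" * (0x1000 - len(plain))
    rng = random.Random(1)                          # deterministic "ciphertext"
    payload = bytes(rng.getrandbits(8) for _ in range(0x2000))
    return bytes(plain) + payload


if __name__ == "__main__":
    img = build_sample()
    for off, desc in scan_constants(img):
        print(f"0x{off:06X}  {desc}")
    for off, ent in window_entropy(img):
        print(f"0x{off:06X}  entropy {ent:.2f}")
```

To use it on a real dump, replace build_sample() with open("v90.bin", "rb").read(); the constant offsets should then line up with what binwalk reports, and the entropy column tells you whether the regions strings found readable text in are plaintext across the whole image or only in islands.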
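The "Index by likeliness" output from at51 base is a ranking of candidate load addresses. As an added example (not at51's actual algorithm and not code from this thread, just the core heuristic such tools rely on), the script below recovers the base of a raw 8051 image by voting: every absolute LCALL/LJMP target in correctly based code lands on a function start, and a function start normally follows the RET/RETI of the previous function, so each (target, start) pair votes for base = target - start. Negative candidates arise naturally from this kind of scoring whenever a target is smaller than a candidate start offset; best_base() filters to bases that keep the whole file inside the 64 KiB code space. The image is constructed with a known base so the result can be checked.

```python
"""Simplified 8051 load-address recovery by LCALL/LJMP target voting.
Not at51's implementation; an illustration of the heuristic. Sample is constructed."""
import random
from collections import Counter
from typing import List, Tuple

LCALL, LJMP, RET, RETI, NOP = 0x12, 0x02, 0x22, 0x32, 0x00


def absolute_targets(img: bytes) -> List[int]:
    """Raw byte scan for LCALL/LJMP addr16 (operand is big-endian). Instruction
    boundaries are unknown in a raw blob, so false positives occur; they are
    tolerated because they do not agree on a single base."""
    out = []
    for i in range(len(img) - 2):
        if img[i] in (LCALL, LJMP):
            out.append((img[i + 1] << 8) | img[i + 2])
    return out


def candidate_function_starts(img: bytes) -> List[int]:
    """File offsets directly after a RET/RETI, plus offset 0."""
    return [0] + [i + 1 for i in range(len(img) - 1) if img[i] in (RET, RETI)]


def score_bases(img: bytes) -> List[Tuple[int, int]]:
    """All (base, votes) pairs, best first. Includes negative candidates, which
    only mean that pairing would put part of the file below address 0."""
    votes: Counter = Counter()
    starts = candidate_function_starts(img)
    for t in absolute_targets(img):
        for s in starts:
            votes[t - s] += 1
    return sorted(votes.items(), key=lambda bn: (-bn[1], bn[0]))


def best_base(img: bytes) -> int:
    """Highest-voted base for which the whole image fits in the 64 KiB code space."""
    for base, _ in score_bases(img):
        if base >= 0 and base + len(img) <= 0x10000:
            return base
    raise ValueError("no plausible base found")


def build_8051_sample(base: int = 0x8000, nfuncs: int = 24, seed: int = 7) -> bytes:
    """Constructed image: nfuncs tiny functions (1-3 LCALLs, some NOPs, RET) whose
    LCALL operands are base + file offset of the callee."""
    rng = random.Random(seed)
    calls = [rng.randint(1, 3) for _ in range(nfuncs)]
    pads = [rng.randint(0, 5) for _ in range(nfuncs)]
    starts, off = [], 0
    for c, p in zip(calls, pads):          # first pass: lay out function offsets
        starts.append(off)
        off += 3 * c + p + 1
    img = bytearray()
    for i, (c, p) in enumerate(zip(calls, pads)):   # second pass: emit code
        for _ in range(c):
            callee = rng.choice([j for j in range(nfuncs) if j != i])
            addr = base + starts[callee]
            img += bytes([LCALL, addr >> 8, addr & 0xFF])
        img += bytes([NOP] * p) + bytes([RET])
    return bytes(img)


if __name__ == "__main__":
    image = build_8051_sample(0x8000)
    print("Index by likeliness:")
    for rank, (b, n) in enumerate(score_bases(image)[:5], 1):
        print(f"{rank}: {b:#x} with {n}")
    print("best plausible base:", hex(best_base(image)))
```

Run against a real extracted region, a clear winner with many more votes than the runner-up is the signal to look for; if the top few candidates have nearly equal, small counts (as in the 345/342/324 output above), the region is probably not 8051 code, is not at a single contiguous base, or was not carved at the right boundaries.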
The format seems to be very similar to the format of the OTA firmware I got for my LG Tone Free earbuds, and seems compatible with this script for Bose headphones (after removing the parse header function that seems specific to Bose stuff).
Maybe there is some kind of standard-ish format used for this type of application?
The script gives you 7 partition files and a footer, but I haven’t gotten anything from them in Ghidra yet either.
Given that the format is a Qualcomm format (the overview in my last message is not exactly the same; it looks like it was for a version 2 (?) and ours looks like a version (?) 5), maybe the unknown chip is a Qualcomm chip, and they are not just randomly using Qualcomm’s format without any reason.
Also, it would explain why it’s hard to find anything on the chip, since Qualcomm has a tendency to bury datasheets…
It would be very nice if somebody from Fairphone could shed some light on all this. But I assume they might not be able to share the schematics and source code because they don’t own all of it? (Based on the video about the design of the Fairbuds XL, it would surprise me.)
That’s very interesting.
I decompiled the Fairphone app and observed that the firmware update is managed by something called GAIA (the package name is com.qualcomm.qti.libraries.gaia), which appears to be, well, a firmware managing library from Qualcomm. This matches your observation.
I would suspect that the Fairbuds XL firmware is a customized version of a generic Qualcomm firmware. That would probably mean that Fairphone is not in a position to open up the source code. They might not even be allowed to talk about any of this (this is pure speculation on my part, I have no idea what the terms look like). Although it would be nice to have a statement like “sorry folks, we can’t release the firmware because (parts of) it was licensed from Qualcomm”.
I haven’t found the direct link to Fairphone’s server yet
After decompiling the app I noticed that they just ship the binary with the APK. (after un-archiving, it’s in fairbudsapp/res/raw/v90.bin). So, there’s no server to fetch it from. That also means that they need to update the app through the play store to update the firmware.
GAIA is the “Generic Application Interface Architecture”, which was originally thought up by Cambridge Silicon Radio and is now owned by Qualcomm. There is no public specification available; you apparently have to sign an NDA to get it.
It is possible that it was always proprietary, but Qualcomm has a history of buying up stuff and locking away the documentation for it, so I’ll go ahead and blame them again!
I would like to do a bit of reverse engineering on the firmware when I get some time. I hope they haven’t bothered signing the firmware and that we can just flash our own modded version at some point (but I am not expecting it to be that easy ¯\_(ツ)_/¯).
If I find anything interesting I’ll happily share it here