Custom Voicepacks #35
Comments
|
Hi, I'm really glad that you like it! Are you sure that new sound files are UPLOADED to the headphones when a language is selected, and that they're not already stored on them and then merely selected by the command? If it's the latter, then you'll have to bypass their signature checks (if they exist) and install your own firmware somehow. It'll make for a very interesting research project, but it'll obviously take much more time :)
At first I tried to record the data and understand it that way, but I faced some difficulties with extracting the RFCOMM data from the L2CAP sniffs that Android provides (probably would've been easier to use Frida), so I just analyzed everything statically. I think that it could be done with a bit more effort, and then we could answer the question posed in the beginning of this comment.
I just took the app, decompiled all of it using jadx, deleted some external packages that weren't related, and then got to work. They used ProGuard, so most of the names were stripped, but other stuff like enum names and (of course) system lib calls are still fully visible. Unfortunately I can't publish or otherwise share the annotated code with you - I don't want to get in trouble.
I think that the chance of bricking the device (unless the firmware is replaced) is very low, but it's always a possibility. Please update me :D |
|
This is something I personally also wanted, because I don't like the low battery warnings that stop the audio for 3 seconds :) I suppose the firmware is updated or the language pack is sent or something like that, because it takes a long time before it is done, so it probably isn't some variable that you can change to select a different language. And since I can't seem to find any audio files that contain those languages in the apk, it seems like it is downloaded from a server. |
|
Because of the delay and the size estimate for all languages I guessed it's not just a variable either. @semvis123 Great to hear that someone else is also interested (and annoyed) in this topic. I will probably not go the way of decompiling it - I tried it for other projects and failed most of the time with that. If I find time I would try to sniff the bt and wifi connection first and hope to get an idea of how it works there first... Cheers |
|
Just got the url for the bin file that will be uploaded to the headset (don't think that I'm able to legally share the url lol), I used Mitmproxy to get it. It seems like the bin file is just a mp3, you can listen to it and you will hear the spoken words, the file is language specific, so it contains only that language you chose. There are empty noticeable start and end markers for each sound (opened the file with a hex editor), including mp3 metadata?, so I suppose that you should be able to change the sound lengths. I'm not sure how to modify such a file, but in theory it should be possible I guess. *edit just noticed that the file starts with a list of mp3 filenames |
|
@semvis123 Awesome, so sounds like changing the sounds should be very easy. At this point making it a separate tool that mitms the file request would probably be WAY easier than figuring out the bluetooth commands and the actual encoding. Btw random question @KastB , do you know if the newest firmware for the XM3s still has the ANC issues? |
|
@Plutoberth unfortunatelly I can't really tell. I got my headphones very recently and never experienced the 2.0 firmware so I have no comparison. Downgrade does seem possible only for 4.1 and I already have 4.5.2. |
|
hmm seems like the bin file is a otau file, but I don't think that creating those files is made public. Looks pretty difficult to create such a file manually (at least for me😅). |
|
From those document it seems that no encryption/signature is natively included at least |
|
@semvis123 I tried mitmproxy but all I can see are connectivitychecks of google. |
I had to install a root certificate, by going to You should be able to see many requests after installing the certificate correctly, for example on each menu that you open in the sonyheadphones app it sends a log to Sony😬 |
|
For me, there was certificate pinning active in the sony app. apk-mitm can mitigate this, but otherwise there is no traffic visible for mitmproxy... |
|
Just analyzed it and it looks like it's just a bunch of MP3s. Could be pretty easy, unless you want to make the voice clips longer. I still want to figure out how the file is sent to the headphones - requiring each user to run apk-mitm, mitm the transfer, and replace the file is a bit of a hassle. Maybe the OTAU thing is a good start. |
|
Any progress on that? |
No, maybe when some time frees up for me in a few months. |
|
Guys, hoe can i see these otau(mp3) files inside earphone after connecting it to pc? |
|
Noone I guess. It should be in the network stream when you would wiretap the app. |
|
@Plutoberth I would cross the atlantic to remove the annoying low battery warning. I will f do it. I will grap the decompiler and fix that ****. |
If you get the bin, rename it to MP3 and run on ffmpeg to convert the MP3 to WAV it converts and you can hear everything. I am trying to know find the position of the frames. |
|
Managed to mute a beep in one of the mp3's (power off sound). |
|
Also managed to shorten the mp3's (I tried the bluetooth connected and power_on sounds this time), I just replaced the remaining bytes with zeros to keep the mp3 chunk at the same length. |
|
@semvis123 do you need help to implement it inside MacOS app? I'm really interested in resolving this issue! |
|
@sashkyn I currently don't have time to work on this project. Implementing this feature would also be quite a challenge. It requires the updating protocol to be reverse engineered. |
|
I'd also like to replace/remove sounds in the WH-1000XM4 firmware, but seems like its update files are compressed or encrypted now. https://info.update.sony.net/HP002/MDRID294300/contents/0007/UPG_2.5.0_20210413_enc.bin Seems like all newer Sony headphones use this new format. Did anybody try to reverse engineer and decompress/decrypt it? |
|
These guys also tried tinkering |
Hi,
first of all: great work, I love this project.
Secondly: Would it be possible to support custom voice packs?
You can change the language in the app and the new sound files are then uploaded to the headphones.
Could we mimic this process and provide our own files?
The primary reason for me would be a shorter startup time (Why bother me with a "power - on", I would just use a very short empty file here cause I'm always late and every second counts ;) ) and shorter breaks in a meeting (I know I can completely turn off the output, but for know I don't know the battery state then).
Did you record the data from the bluetooth connection to reverse engineer this protocol?
Can you give hints on how to start?
Do you think there is the risk of bricking the device?
The text was updated successfully, but these errors were encountered: