Hacking Dollar-Store Bluetooth Devices (The Kindness of Strangers) part 1

Ah, the dollar store – risky condoms, something labelled as mustard, and every permutation of pastey-looking, thin-plastic discharge courtesy of third-world prisons factories all line the utilitarian wire-shelves; How do our capitalist overlords tolerate such thrift?  Just how much nausea-ketchup must one purchase to turn a profit at $1/bottle?  I don’t even care to know, because I’m too busy ogling the most modern dollar store trinket yet(?); this Bluetooth camera shutter!

 

2iw7srr

 

This things works right out of the box – but that’s boring, because that’s what we expected it to do (actually, I didn’t even expect it to do that.)  I decided to take this thing to SkullSpace (my local hackerspace) to see what makes this zany device tick –  this three-dollar chunk of plastic that wirelessly talks to my cell phone!?

20160904_183253See those two lines coming from the large chip to the small chip?  Yup, thats an I2C bus!  Googling the part number (RDA5871 ) reveals that the larger chip is a bluetooth IC with an integrated ARM core, and the smaller one is ostensibly a configuration ROM.  After connecting our handy logic analyser and twiddling with the I2C settings, I was able to get a log of all the data being read from the smaller chip:

 

saleae_log (text file, output from Saelae logic)

 

Lo and behold, searching through the text file for the Bluetooth name – “AB Shutter”, we find it:

 

[…]

1.363279600000000,7,’161′,’0′,Read,ACK
1.363303200000000,7,’161′,’0′,Read,ACK
1.363327400000000,7,’161′,A,Read,ACK
1.363351000000000,7,’161′,B,Read,ACK
1.363374400000000,7,’161′,’ ‘,Read,ACK
1.363398600000000,7,’161’,S,Read,ACK
1.363422200000000,7,’161′,h,Read,ACK
1.363445800000000,7,’161′,u,Read,ACK
1.363470000000000,7,’161′,t,Read,ACK
1.363493400000000,7,’161′,t,Read,ACK
1.363517000000000,7,’161′,e,Read,ACK
1.363541200000000,7,’161′,r,Read,ACK
1.363564800000000,7,’161′,’ ‘,Read,ACK

[…]

Looks like we are reading the chip correctly!  I noticed the above block is one giant read (about 6.8kB) starting from ROM address 0x0228 – We see two writes to address 160, the data of which is 0x0228.  This is a typical I2C EEPROM “Start reading data from here” command.   The device then spits out consecutive bytes, starting from the supplied address, on every read.   I carved out the relevant 6.8k read manually, and used awk to extract the “read” column.  Then, I used this simple python script to convert the decimal “read data” output into a binary file (note – I had to change the csv data from ASCII to decimal in Saleae Logic):

test_out (Arbitrary extension, just binary data)

But what is this file?  Is it an ARM binary? I have no idea!  I was hopeful that the device was reading a full firmware image directly from the I2C ROM, but I cannot find any indication of such (yet).  I have tried looking at earlier reads in the I2C transactions to discern any kind of header information, but nothing was obvious – I’ve tried pointing the file command at it to determine it’s type via magic bytes, and I’ve also tried running it through various ARM dissemblers with no luck.

I did manage to find this defunct google code page regarding the RDA5871, and I am happy to report that the previous maintainer has replied to my random emails with some documentation on how to configure the device via ROM!  I am hopeful to get this pointed at the mystery file dump that I have.   The only hurdle is that the document is primarily in chinese, so stay tuned for when I wrangle together a translation –  for any of you willing to take a gander, here it is: rda5871_progguide