Ah, the dollar store – risky condoms, something labelled as mustard, and every permutation of pasty-looking, thin-plastic discharge courtesy of third-world prison factories all line the utilitarian wire shelves. How do our capitalist overlords tolerate such thrift? Just how much nausea-ketchup must one purchase to turn a profit at $1/bottle? I don’t even care to know, because I’m too busy ogling the most modern dollar store trinket yet(?): this Bluetooth camera shutter!
This thing works right out of the box – but that’s boring, because that’s what we expected it to do (actually, I didn’t even expect it to do that). I decided to take this thing to SkullSpace (my local hackerspace) to see what makes this zany device tick – this three-dollar chunk of plastic that wirelessly talks to my cell phone!?
See those two lines coming from the large chip to the small chip? Yup, that’s an I2C bus! Googling the part number (RDA5871) reveals that the larger chip is a Bluetooth IC with an integrated ARM core, and the smaller one is ostensibly a configuration ROM. After connecting our handy logic analyser and twiddling with the I2C settings, I was able to get a log of all the data being read from the smaller chip:
saleae_log (text file, output from Saleae Logic)
Lo and behold, searching through the text file for the Bluetooth name – “AB Shutter”, we find it:
[…]
1.363279600000000,7,'161','0',Read,ACK
1.363303200000000,7,'161','0',Read,ACK
1.363327400000000,7,'161',A,Read,ACK
1.363351000000000,7,'161',B,Read,ACK
1.363374400000000,7,'161',' ',Read,ACK
1.363398600000000,7,'161',S,Read,ACK
1.363422200000000,7,'161',h,Read,ACK
1.363445800000000,7,'161',u,Read,ACK
1.363470000000000,7,'161',t,Read,ACK
1.363493400000000,7,'161',t,Read,ACK
1.363517000000000,7,'161',e,Read,ACK
1.363541200000000,7,'161',r,Read,ACK
1.363564800000000,7,'161',' ',Read,ACK
[…]
Looks like we are reading the chip correctly! I noticed the above block is one giant read (about 6.8 kB) starting from ROM address 0x0228: we see two writes to address 160, the data of which is 0x0228. This is a typical I2C EEPROM “start reading data from here” command. The device then spits out consecutive bytes, starting from the supplied address, on every read. I carved out the relevant 6.8 kB read manually, and used awk to extract the “read” column. Then, I used this simple Python script to convert the decimal “read data” output into a binary file (note – I had to change the CSV data from ASCII to decimal in Saleae Logic):
test_out (arbitrary extension, just binary data)
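The post’s own conversion script is not reproduced here. As an added example (not the author’s code), the following Python parses a Saleae Logic I2C CSV export with the data column in decimal, spots the two-byte read-pointer write to address 160 (0xA0) and carves the sequential bytes read back from 161 (0xA1) into a binary blob. The sample log lines are constructed, and the column layout, the 0xA0/0xA1 addressing and the big-endian pointer order are assumptions; `largest_dump` is a hypothetical helper.

```python
import csv
import io
# Constructed sample in the Saleae Logic I2C CSV layout shown on the page
# (time, packet id, address, data, read/write, ack/nak), with the data column
# exported as decimal. Packet 6 writes the read pointer 0x0228 to address 160
# (0xA0); packet 7 then reads sequential bytes back from address 161 (0xA1).
SAMPLE_LOG = """Time [s],Packet ID,Address,Data,Read/Write,ACK/NAK
1.363100000000000,6,'160',2,Write,ACK
1.363124000000000,6,'160',40,Write,ACK
1.363327400000000,7,'161',65,Read,ACK
1.363351000000000,7,'161',66,Read,ACK
1.363374400000000,7,'161',32,Read,ACK
1.363398600000000,7,'161',83,Read,ACK
1.363422200000000,7,'161',104,Read,ACK
1.363445800000000,7,'161',117,Read,ACK
1.363470000000000,7,'161',116,Read,ACK
1.363493400000000,7,'161',116,Read,ACK
1.363517000000000,7,'161',101,Read,ACK
1.363541200000000,7,'161',114,Read,ACK
"""
EEPROM_WRITE_ADDR = 160  # 0xA0: 7-bit address 0x50 with the R/W bit clear (assumed)
EEPROM_READ_ADDR = 161   # 0xA1: the same device with the R/W bit set

def _field(row, i):
    # Saleae wraps some columns in quotes ('161'); strip them before parsing
    return row[i].strip().strip("'\"")

def carve_eeprom_reads(log_text):
    """Return [(pointer_address, data_bytes), ...], one entry per pointer write.
    A dump starts when a Write packet to 0xA0 carries two address bytes (assumed
    big-endian, as in 24Cxx-style EEPROMs) and collects every byte of the Read
    packets to 0xA1 that follow, until the next pointer write."""
    dumps, pointer, last_pkt = [], [], None
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 6 or not row[0][:1].isdigit():
            continue  # skip the header row and malformed lines
        pkt, addr, data, rw = row[1], int(_field(row, 2)), int(_field(row, 3)), row[4].strip()
        if pkt != last_pkt:
            pointer, last_pkt = [], pkt  # address bytes never span packets
        if addr == EEPROM_WRITE_ADDR and rw == "Write":
            pointer.append(data)
            if len(pointer) == 2:
                dumps.append(((pointer[0] << 8) | pointer[1], bytearray()))
        elif addr == EEPROM_READ_ADDR and rw == "Read" and dumps:
            dumps[-1][1].append(data & 0xFF)
    return [(start, bytes(buf)) for start, buf in dumps]

def largest_dump(log_text):  # longest carved read; on the page, the ~6.8 kB block from 0x0228
    return max(carve_eeprom_reads(log_text), key=lambda d: len(d[1]))
```

Writing `largest_dump(open("saleae_log").read())[1]` to a file with mode `"wb"` yields the raw blob the post calls test_out, with the start address kept alongside it for later correlation with the ROM map.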
But what is this file? Is it an ARM binary? I have no idea! I was hopeful that the device was reading a full firmware image directly from the I2C ROM, but I cannot find any indication of such (yet). I have tried looking at earlier reads in the I2C transactions to discern any kind of header information, but nothing was obvious – I’ve tried pointing the file command at it to determine its type via magic bytes, and I’ve also tried running it through various ARM disassemblers with no luck.
I did manage to find this defunct Google Code page regarding the RDA5871, and I am happy to report that the previous maintainer has replied to my random emails with some documentation on how to configure the device via ROM! I am hopeful to get this pointed at the mystery file dump that I have. The only hurdle is that the document is primarily in Chinese, so stay tuned for when I wrangle together a translation – for any of you willing to take a gander, here it is: rda5871_progguide