Reverse-engineering JBL flip 4

That is, full teardown, analysis, and hacking.

This is one of the most popular portable speakers on the planet… if not the most. It is quite bassy, good highs, excellent design and build quality, waterproof. While I have decided that I don’t quite like it while testing ones from my relatives and friends, I bought a refurbished one just to see how it ticks, can it be hacked, and can I use it as a source of components to build something DIY.

Teardown

I won’t explain. Just YouTube it if you’re having trouble.

There are a few gotchas on the way however.

One, mine has drivers with inverted aluminium domes. Aluminium is SOFT. Combine it all with a freshly undone screw that I’ve failed to catch, and we have dents in the dome. Oops! (see project gallery).

Phew, it was a small screw. Larger ones that hold the drivers will probably make it all the way through, be careful. Drivers from older revisions of Flip 4 seem to be plastic, much more impenetrable.

Another gotcha: it looks like the speakers are connected to PCB with connectors, but these are not connectors, you can’t undo them. The only way to get the pcb out is to desolder the wires from the drivers.

The pcb

Says “FLIP4_MAIN_PV2.0”.

Contains:

• Bluetooth subboard, based on CSR8675 specialized SoC by Qualcomm. It looks like it is possible to reconfigure the firmware. I haven’t found a full datasheet for the chip yet, it’s all horribly proprietary =(

• MX25U3235 15MB SPI flash on BT subboard. There is very little communication going on, which makes me wonder what it is being used for.

• Amplifier based on TPA3130 from TI. It’s a fairly powerful stereo class-D amp, capable of up to 15W per channel.

• The amp is powered from a boost converter that converts single Li-ion cell voltage to 5-11 V. The voltage is dynamically adjusted to match the signal level, probably for improving battery life at low loudness. Boost converter chip is probably MP9428 (says MPHM9428 on the IC itself). The chip looks very similar to MP3428A by Monolithic Power Systems. If that is the chip, it can go up to 22 V, and can potentially give this amplifier quite a power boost. So, JBL Flip 4 can be considered as a nice board that can be easily hacked into a high power amplifier powered by a single Li-ion cell.

• A Li-ion charger based on MP2637. It can also work as a 5V boost converter, but this functionality is unused. Standby power is provided by a 3.3V LDO straight from Li-ion, and main power for peripherals is connected through a mosfet, and a bunch of other stuff.

• An IO expander chip.

• A bunch of opamps, with unclear purpose. I suspect they are used as signal level detectors, to control the amp power supply.

The service manual for Flip 3 is available here: https://elektrotanya.com/jbl_flip_3_sm.pdf/download.html

I know I know, it’s not Flip4. But, it has full schematics, they are reasonably similar, and will help you trace out the pcb should you want to.

Drivers

Who knows what they are... probably something custom by JBL. They look very beefy. (see photos in project gallery)

I have measured their motor performance (BxL), got 3.0 newtons of thrust per amp of current. DC resistance is 3.52 Ω, so it’s 1.6 N rms thrust at 1 W input power. It’s an incredibly powerful motor for this small a speaker, which is obviously there to push some bass from a small enclosure. From this value, I can suggest a replacement driver – a very comparable one can be extracted from Blitzwolf BW-3 bluetooth speaker... If you can buy one – they appear to be obsolete, and no longer available.

Passive radiators

They are tuned to 65-71 Hz (the value I get depends on amplitude, not sure why).

DSP

The input-to-amplifier-output frequency response of this speaker is not flat. That is how they achieve that impressive bass – there is built-in...

flip4 dsp remeasured.mdat

dsp frequency response (REW file)

mdat - 7.46 MB - 12/12/2018 at 20:02

rck_16unified_fl_bt4.2_28csb1_1608111110_ble_encr128 2016-08-11.zip

This looks to be Flip4's firmware, that I dumped from the processor

x-zip-compressed - 3.94 MB - 11/21/2018 at 00:29

jbl flip 4.xpv.wav

Waveform Audio File Format (WAV) - 5.06 MB - 11/17/2018 at 21:21

jbl flip 4.psr

stock config of CSR8675 chip in JBL Flip 4

psr - 32.77 kB - 11/16/2018 at 17:18

  • contribution from karl.potratz

    DeepSOIC, 09/22/2020 at 11:15, 0 comments

    Thanks to @karl.potratz for some extra data.

    Software:

    User Configuration Data 51 (Device Colour)

    0001 = Black

    0002 = Red

    0003 = Blue

    0004 = Turquoise

    0005 = Grey

    0006 = White

    0007 = Red Base with Blue chequer crosses

    0008 = Camouflage

    0009 = Blue with Orange chequer stripes

    000a = Grey with Turquoise chequer triangles

    000b = Turquoise with Blue concentric square pattern

    000c = Black

    000d = Black

    000e = Black

    User Configuration Data 61 (Custom Device Name)

    004a 0042 004c 0020 0046 006c 0069 0070 0034 0020 0031 0032 0033 0034 0035 0036

    J    B    L         F    l    i    p    4         1    2    3    4    5    6

    16 Chars max. (this can also be set via the JBL app)

    Hardware:

    2 different hardware/housing versions are available:

    • New (from 2017?): Passive radiators are mounted via 5 screws, speaker grille has 3 round standoffs inside at the top. Flex print is open/visible.

    • Old (up to 2016?): Passive radiators are held by housing and can be twisted off. All flex print is covered in black foam. Rubber gasket mounted between Speakers and housing.

    Note: New and old speaker grilles and passive radiators cannot be interchanged!

    Flat cable (Flex print)

    • 1x FFC A 13 Pin 0.5mm pitch AWM (same side)

    • 1x FFC B 6 Pin 0.5mm pitch AWM (opposite sides)

  • Driver data

    DeepSOIC, 03/07/2019 at 23:22, 0 comments

    Measured using REW, by analyzing the change of impedance-vs-frequency plot when adding a known mass (1.34 g) to the cone.

    Thiele-Small parameters
    fs 181.7 Hz
    Qms 5.902
    Qes 0.401
    Qts 0.375
    Fts 483.8
    Mms 1.18 g
    Cms 0.651 mm/N
    Rms 0.228 kg/s
    Vas 0.06 litres
    Bl 3.615 Tm
    Eta 0.09 %
    Lp (1W/1m) 81.67 dB
    Dd 3.22 cm
    Sd 8.1 cm^2

    Rdc = 3.85 Ohm

  • Got confused in amp powers

    DeepSOIC, 03/05/2019 at 20:29, 0 comments

    When I downloaded TPA3130 datasheet, I saw power figures of 2x50 W, and thought "wow, that's some serious margin there". And even published it here. Today I suddenly realized while re-reading the datasheet, that the datasheet is a shared one for 3 ICs: TPA3116, TPA3118 and TPA3130. The difference between them is their power rating (specifically, overload current limit).

    The actual IC used here is only for 2x15 W. 

    Oops!

  • How to fix audio dropouts through aux

    DeepSOIC, 01/27/2019 at 22:58, 8 comments

    The speaker has an annoying habit of blocking aux sound when the signal is very low, causing annoying dropouts when playing quiet passages, watching movies and talking over skype. 

    Guess what, the detection of audio signal is done in analog! So we can easily hack it, so that it thinks audio is always coming in.

    It's just a matter of shorting out Q12 transistor's collector to emitter.

    After doing this, I anticipated some problems with Bluetooth. There are, but they are minor. 

    + I can still connect to BT, and pair new devices. The speaker doesn't make pairing sounds, though.

    + whenever Bluetooth plays, aux input is inhibited automatically. As soon as BT audio stops, aux input works again.

    A nice hack! A better way would be to use jack to provide the signal whenever a cable is plugged in. It can be done, but requires desoldering the connector, and adding an additional connector to the board (or just permanently soldering a bunch of wires). But this easy one is good enough, IMO.

    I also notice, input stage of this audio detector circuit presents serious nonlinear load to the audio source. This may cause distortion if source impedance is high. So, consider removing 33-ohm resistors if you apply this hack.

  • Remeasured DSP responses to include Connect+ effect

    DeepSOIC, 12/12/2018 at 21:17, 0 comments

    The old graph only included standard DSP:

    I remeasured it to include Connect+ button effect, and when DSP is off.

    This time, I was taking signal from output of an opamp. That is, right before DC-rejection capacitor at power amplifier input. So overall response is for (DC-rejection caps on aux input) + (ADC) + (DSP) + (DAC) + (another cap) + (balanced-to-single-ended-converter circuit), and does not include (yet another cap) + (power amplifier). 

    Additionally, I disabled boost converter that powers the amplifier, to reduce noise.

    I've also uploaded room-eq-wizard file to the project, so if you want to inspect it, go check it out in project files.

    Measuring aux-to-air frequency response remains in to-do list.

  • More setting hacks

    DeepSOIC, 11/30/2018 at 11:50, 0 comments

    So, I have essentially scanned through just about all "User configuration data" keys of the CSR chip. I have not found anything that affects DSP. But I did find quite a bit of something. Here it goes.

    "user0" = "User configuration data 0" aka PSKEY_USR0

    "word0" = the index of word (16-bit value) of data in the key.

    "0400" = bitmask in hexadecimal notation. If followed by "->" means I tested that precise value.

    user0:
        word0:
           == 0010 bit -> startup sound
           == ffff -> boot-loop, self-resets to BEDF
           0400 bit set-> crash
        word3: startup volume
        word4: if >1aac -> boot loop (halfway through startup sound)
    
    data6:
        word0:
            0001: always BT-pairing?
    
    data7: 
        word1: change to 0011 -> no startup sound
        word6: crashy
            2000 -> crash
            1000 -> crash
            0100 -> crash
            0010 -> ok
            0040 -> ok
            00ff -> crash
        word9:
            dbd0 -> crash
            d000 -> crash
            0b00 -> crash
            00df -> crash
            0080 -> ok
            000f -> ok
    data8:
        word9:
            >8bcf -> no sound
    data13:
        word0: crashy
            0070->crash
            fb70->crash
    user16:
        word9:
          6070 -> crash
          5070 -> ok
          logic unclear
        word10: similar to 9
        word11: other channel than word12? 
        word12:
          A060 if any of these set, boot loop with startup sound playing
          4000 : boosts volume
          001f : boosts volume, the more the value the more the boost
    user20:
        word0:
            0001: exhibition mode
            0002: ?? maybe exhibition mode too?
    user21: see user26
    user26: similar to user21
        word0: crash if zero, otherwise no effect
        word2: if zero, next values are filled with what looks like random numbers
    
    user30: sounds table, 3 words per entry
        word0: event number. 4001 = startup, 4002 = shutdown
        word1: sound number. 0000-0009 = digits; 000a = startup, 000b = shutdown, 000c = pairing, 000d = connected, 000e = bump, 000f = chord, 0010 = connect+, 0011 = cancel connect+
        word2: bit 0002 is enable/disable, the rest seem irrelevant
       
    user37:
        word0: 0x0080 - clearing this bit inhibits aux input
    user43:
        word2: changing value causes either boot loop, no sound, or nothing. Hard to understand
        word4: signed word, adjusts startup sound loudness (negative for less loud) (0100 is noticeable amount)
    
    
    user49:
        word0, word1 always restore themselves
    
    user51: (thanks @karl.potratz)
        device color
        0001 = Black
        0002 = Red
        0003 = Blue
        0004 = Turquoise
        0005 = Grey
        0006 = White
        0007 = Red Base with Blue chequer crosses
        0008 = Camouflage
        0009 = Blue with Orange chequer stripes
        000a = Grey with Turquoise chequer triangles
        000b = Turquoise with Blue concentric square pattern
        000c = Black
        000d = Black
        000e = Black
    
    user53:
        change to any value -> crash (tested word0 bit 0001, word2 bit 0001) 
    
    user61: (thanks @karl.potratz)
        Custom Device Name. 16 Chars max. (this can also be set via the JBL app)
        004a 0042 004c 0020 0046 006c 0069 0070 0034 0020 0031 0032 0033 0034 0035 0036
           J    B    L         F    l    i    p    4         1    2    3    4    5    6
    

    Of course, this is still very far from complete. I didn't test all bit combinations for the values listed here, so the conclusion might be wrong. 

    I've written random values to all unknown data, while looking for clues. DSP was never seriously affected. Even after isolating a lot of things that cause crashes, I was still observing crashes, boot loops, and overall strange behavior. At least one crash was an unlucky combination of at least two settings in different keys; hunting that stuff down is too time-consuming.

    As for "DSP configuration data" - I replaced it all with random values, three times, and it had no effect whatsoever. I'm afraid it is simply not used at all. Another possibility might be that it checks some checksum on these settings, and reverts to default if the checksum is not matched. But I doubt it, it's pointless... So my chances of disabling DSP are really slim at this point.

  • Sound table

    DeepSOIC, 11/20/2018 at 19:19, 2 comments

    "User configuration data 30" (PSKEY_USR30)

    Contains this:

    476d 0000 3fff 476e 0001 3fff 476f 0002 3fff 4770 0003 3fff 4771 0004 3fff 4772 0005 3fff 4773 0006 3fff 4774 0007 3fff 4775 0008 3fff 4776 0009 3fff 4001 000a bfff 4002 000b bfff 4003 000c bfff 4742 000d bfff 4744 000e bfff 4116 000f bfff 4101 0010 bfff 411b 0011 bffe

    ... and appears to have this meaning:

    // event id    sound number    flags 
         476d         0000          3fff  // "one"
         476e         0001          3fff  // ...
         476f         0002          3fff  // 
         4770         0003          3fff  //
         4771         0004          3fff  //
         4772         0005          3fff  // 
         4773         0006          3fff  //
         4774         0007          3fff  // 
         4775         0008          3fff  //
         4776         0009          3fff  // "nine"
         4001         000a          bfff  // power-on sound
         4002         000b          bfff  // power-off sound 
         4003         000c          bfff  // pairing sound
         4742         000d          bfff  // bluetooth connected
         4744         000e          bfff  // volume limit bump
         4116         000f          bfff  // some chord, dunno what
         4101         0010          bfff  // connect+ activate
         411b         0011          bffe  // connect+ deactivate

    By editing this table, I can reassign and disable sounds. 

    To disable a sound, set flags to zero. In particular, I've found that bitmask 0x0002 affects if the sound is played or not, the remaining bits don't seem to do anything.

    If you want to swap power-up and shut-down sounds, for example, change 000a into 000b and 000b into 000a.

    I'd consider it to be FIRST ACTUAL HACK! Yuppeeeee!
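
The table edits described above (clearing bit 0x0002 to silence one sound, exchanging sound numbers to swap two sounds), as an added Python example that is not part of the original log or of any CSR tool. The function names are hypothetical, it works only on the key's text form, and the word-level diff is there so a change can be reviewed before anything is written back to the chip.

```python
# Added example (not the author's code): decode and edit the PSKEY_USR30
# sound table. Field meanings follow the log above; function names are
# hypothetical, and nothing here talks to the speaker.

# Stock table exactly as quoted in the log (18 entries x 3 words).
STOCK_USR30 = (
    "476d 0000 3fff 476e 0001 3fff 476f 0002 3fff 4770 0003 3fff "
    "4771 0004 3fff 4772 0005 3fff 4773 0006 3fff 4774 0007 3fff "
    "4775 0008 3fff 4776 0009 3fff 4001 000a bfff 4002 000b bfff "
    "4003 000c bfff 4742 000d bfff 4744 000e bfff 4116 000f bfff "
    "4101 0010 bfff 411b 0011 bffe"
)
PLAY_BIT = 0x0002  # per the log, the only flag bit seen to affect playback


def parse_table(text):
    """Split the key's hex words into (event, sound, flags) entries."""
    words = [int(w, 16) for w in text.split()]
    if any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("PS key words are 16-bit")
    if len(words) % 3:
        raise ValueError("sound table must be whole 3-word entries")
    return [tuple(words[i:i + 3]) for i in range(0, len(words), 3)]


def format_table(entries):
    """Render entries back to the space-separated hex form used above."""
    return " ".join(f"{w:04x}" for entry in entries for w in entry)


def set_play(entries, event, enabled):
    """Copy of the table with only the play bit of one event changed."""
    if event not in {e for e, _, _ in entries}:
        raise KeyError(f"event {event:04x} not in table")
    return [
        (e, s, (f | PLAY_BIT) if enabled else (f & ~PLAY_BIT))
        if e == event else (e, s, f)
        for e, s, f in entries
    ]


def swap_sounds(entries, event_a, event_b):
    """Copy of the table with the sound numbers of two events exchanged."""
    sound = {e: s for e, s, _ in entries}
    other = {event_a: sound[event_b], event_b: sound[event_a]}
    return [(e, other.get(e, s), f) for e, s, f in entries]


def changed_words(old, new):
    """(word index, old, new) for every word that differs, for review."""
    flat_old = [w for entry in old for w in entry]
    flat_new = [w for entry in new for w in entry]
    if len(flat_old) != len(flat_new):
        raise ValueError("edited table changed length")
    pairs = enumerate(zip(flat_old, flat_new))
    return [(i, a, b) for i, (a, b) in pairs if a != b]


if __name__ == "__main__":
    stock = parse_table(STOCK_USR30)
    quiet = set_play(stock, 0x4001, False)  # mute the power-on sound
    for index, old, new in changed_words(stock, quiet):
        print(f"word{index}: {old:04x} -> {new:04x}")
    print(format_table(swap_sounds(stock, 0x4001, 0x4002)))
```

Clearing only the one bit, rather than zeroing the whole flags word, keeps the change to a single word of the key, which matters given how many of the settings logged here end in a crash or boot loop.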

  • Analyzing the firmware... using Audacity =0

    DeepSOIC, 11/17/2018 at 22:04, 1 comment

    I looked at the files I extracted from the chip - there are two files, one small and one large. It's a simple text file with hex numbers. So I glued them together with a quick py script to have a look:

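    file_name = r"S:\somethingsomething\jbl flip 4.xpv"
    # each line of the dump holds an address and one 16-bit word in hex
    with open(file_name, 'r') as x_file:
        with open(file_name + '.bin', 'wb') as b_file:
            for line in x_file:
                # skip blank or too-short lines
                if len(line)<4:
                    continue
                addr, str_hex_val = line.split(' ')
                # write the word's low byte first, then its high byte
                b_file.write(bytearray([
                    int(str_hex_val[2:4], 16),
                    int(str_hex_val[0:2], 16)
                ]))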

    First, I opened them in text editor, to see if there are some interesting strings. Not that I looked very thoroughly, but I only found "JBL Flip 4" string once, and nothing else. I was hoping for some debugging strings, to give me clues.

    Then, I decided to see if the sounds are in that firmware, and yes, they are:

    (WARNING: VIDEO IS VERY LOUD!)

    I loaded the binary file into audacity, and after some precision guesswork, picked the parameters: signed 16-bit pcm, big-endian, 1 channel, 16k sample rate.

  • Extracting firmware

    DeepSOIC, 11/17/2018 at 17:56, 0 comments

    After no luck on changing DSP, I began trying other tools from bluesuite. BlueFlash came up.

    It has buttons that supposedly do what I need. But greyed out, it says "processor running". As soon as I clicked Stop Processor, it spewed out an error, because the chip immediately loses power.

    Using same trick to force the power to the chip again, now I got lucky. I stopped the processor and dumped the firmware, and even verified it. You can find it in project files.

  • DSP not configurable?

    DeepSOIC, 11/17/2018 at 17:24, 0 comments

    I have progressively erased all data in User DSP Configuration Data XX fields. The DSP still functions as before. So either, as I erase stuff, DSP reverts to built-in defaults, which match the stored values, or it simply ignores them altogether.

  • 1
    How to disable startup sound

    This is a dangerous hack.
    Changing the wrong setting may BRICK YOUR FLIP4, and you'll have to get it serviced (reflashed) to make it work again. You can reflash it yourself, but it's tricky.

    Still with me? Let's dive.

  • 2
    Download and install CSR BlueSuite

    To download it officially, it looks like you have to buy a CSR development kit. It costs more than 1000 $.

    Luckily, it has leaked.

    https://github.com/lorf/csr-spi-ftdi/issues/30
    https://drive.google.com/file/d/1ADdvH-hdZSPf3rA8kCM57U-xKHWnCIEp/view?usp=sharing

    Windows. May work on Wine, but I don't know.

  • 3
    Connect your JBL Flip 4 to PC with usb cable. Power it up.

Discussions

Szymon wrote 06/19/2021 at 20:30 point

Is there a possible way to change the JBL FLIP 4 battery status LED color from white to purple?

dan wrote 06/10/2021 at 15:10 point

Hello, I have updated the firmware of the JBL Flip 4 from 3.2.0 to 4.0.0 and the sound quality has gotten worse!

Is it possible to downgrade the firmware with the one uploaded by DeepSOIC, "rck_16unified_fl_bt4.2_28csb1_1608111110_ble_encr128 2016-08-11.zip", which I believe is 3.2.0?

thank you.

Ulises Delgado wrote 02/10/2021 at 09:52 point

Excuse me... I need C505, C815 and C816 values...

Can someone help me with that?

If you have the schematic diagram, I would like you to share it with me, please.

Lolo_35 wrote 11/04/2020 at 22:48 point

Hey, I'd need some help. I basically ripped the contacts from the on/off etc. flat cable connector. I was wondering if someone knew how to turn on the speaker without using the button, like hot wiring it.

simconti wrote 05/19/2020 at 22:00 point

Hi, can you extract an audio signal aux output?

Thanks

MuridSiluman wrote 03/23/2020 at 16:02 point

Hello my friend, I want to downgrade my JBL Flip 4 from 3.90 to 3.20. Where can I find some information about it?

alexandru-2016 wrote 01/07/2020 at 22:12 point

I also took one apart because the battery was dead. The battery has a small pcb that connects to the wires going to the main pcb connector. Any idea what the purpose of this small pcb is and what the white wire is for? I'm thinking it might be for undervoltage / short-circuit protection, and the white cable for temperature sensing maybe? I can't find anything about the serial numbers on the pcb. There's a 6 pin ic marked as r9g74, three hd8814 which seem to be mosfets, and the pcb is marked as 1s2309c

MuridSiluman wrote 03/26/2020 at 03:39 point

That small pcb probably controls max output voltage and ampere, if it has 3 wires. 1 red, 1 black, and the other one I think is capacity sensing.

CMIIW

rycko.ns wrote 05/15/2020 at 13:03 point

In the FLIP 3 specific battery, there is a 5 pin connector to the board. If you look at the schematic of FLIP 3, you can see that in fact there are 3 outputs: 2 wires for negative; 2 wires for positive; and the one in the middle is an NTC sensor that works as a thermal protection signal.

SamL98 wrote 10/30/2019 at 20:17 point

Very nice project and discussion. I think I have found an easier way to obtain the firmware however. Dumping the strings from the iOS JBLConnect app, we see that it references a url http://storage.harman.com/JBLConnectPlus/Flip4/Flip4_upgrade_index.xml. Viewing this xml file, it reveals a download link for the JBL Flip 4 firmware. It's funny, I'm trying to reverse engineer my JBL Flip3 but the full firmware doesn't seem to be available on this server, only an update.

rycko.ns wrote 05/15/2020 at 13:12 point

The link for the update mentioned: http://storage.harman.com/Flip3/Flip3_upgrade_index.xml

Marcin_Biskup wrote 10/29/2019 at 13:15 point

Hello, I have a problem with my FLIP 4: it powers on only with the charger (battery is new) ... but it only powers ON and nothing happens ... DFU mode works OK ... Has any of you got a solution? (no warranty)

e7p wrote 05/23/2019 at 18:35 point

There is a datasheet for the BCM MCU right here: https://supp.iczoom.com/images/public/20181122/1542855947673008220.pdf

Bodengriller wrote 05/22/2019 at 19:32 point

Many thanks from me, too, to both of you! You did a very great job!

I also have a Charge 3 and was very worried about the connect+ Update.

I successfully flashed the FW3.4 Version from github-link above back to my Boxes. 

My Problem is, that it will brick if I change the Bluetooth-MAC by PSTool. You can flash the whole Image back to get the Box work again. But I wanna use 2 Boxes in Stereo-Mode with FW3.4 ... that's impossible if both boxes have the same MAC.

Do you have an idea, why it's impossible to change the MAC or do you even have a solution how to do it?

Zura wrote 03/30/2019 at 22:03 point

Nice process here! I looked here because I have a similar speaker, JBL Charge 3, almost the same hardware, just a different DC-DC booster and amplifier: TPA3118, and TPS61088 as boost converter. Same Bluetooth SoC.
I looked here to find some references; however, your fw of the Flip 4 looks similar to the latest firmware of the JBL Charge 3, when the Connect+ functionality was added. Though I wanted to downgrade to have lower latency on analog input, and the annoying low signal sounds!
I shared my fw files on my github: https://github.com/Dnstje/JBL-Charge-3-firmware
Still need to find how to disable the bootup sounds, annoying af, the stock firmware is different.
