-
DOH! It's alive!
11/17/2018 at 15:15 • 0 comments
Today I got to investigating what really happened. Found out that despite me forcing the main power to the chip, the core voltage (1.8 V) was still coming on for a brief moment after pressing the power button. So I tried forcing that core voltage externally. That didn't change anything, the chip still won't SPI. Then I continued probing around, and there were quite a lot of signals coming on and off during that brief moment. It was clear that the chip is not quite dead yet, maybe just sleeping.
I tried SPI-ing the chip during that brief power-on period, and got something. That made it clear the chip WAS WORKING, it was just immediately powering off.
Then, after a bit more probing, I came across the pin that detects if charger is connected... Aha! I recalled, there is that demo mode, where it wouldn't power on if charger is not connected. So I plugged it in, and EUREKA! it works!
So, now it became clear, that my semi-broken flex connector caused it to misinterpret the key combo I was doing, and I enabled demo mode instead.
How embarrassing!
OK, back to hacking!
There remains a question: how does one force the chip on, to re-flash it for example, if the firmware powers it off immediately?
-
Glorious progress... and EPIC FAIL
11/17/2018 at 00:00 • 0 comments
Initially, I was trying to connect to the chip via SPI, using FT232RL, as described here:
https://github.com/lorf/csr-spi-ftdi
And I couldn't. It just kept saying "no chip".
USB connection was great, but there was a problem: if I change something that would make the firmware crash on startup, I wouldn't be able to recover it, as entering DFU mode requires a button combination to work. So I didn't want to dive into hacking the settings too much.
Connecting via SPI would solve that problem. So I kept pushing. I whipped out a scope, and quickly figured out that the pinout explained in the readme wasn't right. Eventually I reverse-engineered the correct pinout. And filed an issue to the tracker:
https://github.com/lorf/csr-spi-ftdi/issues/39
But now I have a working SPI connection, that doesn't require magic button combination. It just works.
And I dived in.
I started exploring, if the config of the chip changes while it's playing music. Yes, it does, a little bit.
And I connected the keyboard to switch the DSP off. Then started poking at keys, DSP didn't want to switch off, then it suddenly just powered down (and made its typical power-off sound). And that was the end of it.
Now, it won't power on anymore. The chip supply turns on for a split second when I press power button, and that's it.
I tried bypassing the mosfet to force the power to the chip. Unfortunately, it still doesn't boot, and worst of all, PSTool fails to communicate with the chip. It says "no chip".
I have a bad feeling, that the firmware might have detected hacking, and decided to nuke itself, together with the chip itself. Or maybe I just blew it, as the connector for the keyboard was slightly damaged.
Anyway, RIP CSR8675. You are a horribly obscure masterpiece of super-proprietary engineering, I won't miss you.
-
Trying to play with dsp. No success...
11/16/2018 at 00:57 • 0 comments
Installed Universal Parameter Manager.
CSR8600 Release, v 2.3.137, Dec 11 2012 13:37:59
People say it only connects when running on Windows 7 32-bit. It runs fine on Win10, but for me it doesn't connect to the speaker.
"The transport remote cannot be opened.
Ensure that the device is connected and enabled."
It has a feature to load up a .csr file. I tried it, but the program crashes.
I tried generating .csr files with this tool. It creates files with data like this:
// PSKEY_DSP30 = CVC Configuration &2276 = 2276 0000 0001 0000
And if I try to dump this binary data into the PSKEY_DSP30 field in PSTool, the tool warns me that the data length is unexpected, and offers to write it anyway. I didn't try forcing it, I feel like there is a serious chance to brick the chip. I'm afraid that the DSP will crash, and I won't be able to enable DFU mode on the speaker with the button combination.
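A pre-flight check for the length warning described above, as an added example that is not part of the original log or of CSR's tools: it parses `&key = words` entries in the form shown on this page and compares each candidate key's word count with a backup dump before anything is written. It assumes the File->Dump backup uses the same line form; the backup contents and keys 2277/2278 are constructed for the demonstration.

```python
import re

# Entry form as shown on the page: "&2276 = 2276 0000 0001 0000"
ENTRY = re.compile(r"&([0-9A-Fa-f]{4})\s*=((?:\s+[0-9A-Fa-f]{4})*)\s*$")

def parse_keys(text):
    """Map key id -> list of 16-bit words for each '&KKKK = ...' entry."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY.search(line)  # tolerates a leading '// NAME' comment
        if m:
            keys[m.group(1).lower()] = [int(w, 16) for w in m.group(2).split()]
    return keys

def preflight(candidate_text, backup_text):
    """Compare each candidate key's word count with the backup dump."""
    cand, backup = parse_keys(candidate_text), parse_keys(backup_text)
    report = {}
    for key, words in sorted(cand.items()):
        if key not in backup:
            report[key] = ("not-in-backup", len(words), None)
        elif len(backup[key]) != len(words):
            report[key] = ("length-mismatch", len(words), len(backup[key]))
        else:
            report[key] = ("ok", len(words), len(backup[key]))
    return report

def writable(report):
    """Only keys whose length matches what the backup already holds."""
    return [k for k, (status, _, _) in report.items() if status == "ok"]

# Constructed sample data. Only the &2276 candidate line comes from the page;
# the backup contents and keys 2277/2278 are invented for the demonstration.
BACKUP = """\
// constructed backup dump
&2276 = 2276 0000 0001 0000 0000 0000
&2277 = 0001 0002
"""
CANDIDATE = """\
// PSKEY_DSP30 = CVC Configuration &2276 = 2276 0000 0001 0000
&2277 = 0003 0004
&2278 = 0001
"""

if __name__ == "__main__":
    rep = preflight(CANDIDATE, BACKUP)
    for key, (status, new_len, old_len) in rep.items():
        print(f"&{key}: {status} (candidate {new_len} words, backup {old_len})")
    print("safe to write:", writable(rep))
```

A key reported as `length-mismatch` or `not-in-backup` is one where the generated file and the chip's current configuration disagree about layout, so it is left out of the writable list.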
It just seems that the manager and the chip speak different languages. And it's unsurprising, since the manager is soooo ancient. So far, I had no luck getting something more recent.
Any hints?
-
Let the hacking begin!
11/15/2018 at 21:41 • 0 comments
Yay! First hack!
How-to:
* download and install CSR BlueSuite
* connect Flip4 with micro-usb
* press and hold Vol.Down + Play for 12 seconds or so. Flip4 detects as a usb device.
* launch PSTool.exe
* in popup, select USB, OK.
If no message pops up, you're in!
* In main menu, File->Dump, save current config to a file. This is a backup for a case you change something and can't change it back.
* in Filter box, type "local", and pick an entry that says something like "local user-friendly name".
The value should read "JBL Flip 4".
* change value to your liking, click Set.
done. Now, disconnect usb, and … I don't know how to wake it up, the advertised combo Vol.Up + Vol.Down + Play didn't help. I had to unplug the battery.
UPDATE: hold power button for 14 seconds, it switches off. Then powers up as usual.
-
teardown photos
11/15/2018 at 01:16 • 0 comments