
Reverse-engineering JBL flip 4

That is, full teardown, analysis, and hacking.

This is one of the most popular portable speakers on the planet… if not the most. It is quite bassy, good highs, excellent design and build quality, waterproof. While I have decided that I don’t quite like it while testing ones from my relatives and friends, I bought a refurbished one just to see how it ticks, can it be hacked, and can I use it as a source of components to build something DIY.

Teardown

I won’t explain. Just YouTube it if you’re having trouble.

There are a few gotchas on the way however.

One, mine has drivers with inverted aluminium domes. Aluminium is SOFT. Combine it all with a freshly undone screw that I’ve failed to catch, and we have dents in the dome. Oops! (see project gallery).

Phew, it was a small screw. Larger ones that hold the drivers will probably make it all the way through, be careful. Drivers from older revisions of Flip 4 seem to be plastic, much more impenetrable.

Another gotcha: it looks like the speakers are connected to PCB with connectors, but these are not connectors, you can’t undo them. The only way to get the pcb out is to desolder the wires from the drivers.

The pcb

Says “FLIP4_MAIN_PV2.0”.

Contains:

· Bluetooth subboard, based on the CSR8675 specialized SoC by Qualcomm. It looks like it is possible to reconfigure the firmware. I haven’t found a full datasheet for the chip yet, it’s all horribly proprietary =(

· MX25U3235 15MB SPI flash on the BT subboard. There is very little communication going on, which makes me wonder what it is being used for.

· Amplifier based on the TPA3130 from TI. It’s a fairly powerful stereo class-D amp, capable of up to 15W per channel.

· The amp is powered from a boost converter that converts the single Li-ion cell voltage to 5-11 V. The voltage is dynamically adjusted to match the signal level, probably to improve battery life at low loudness. The boost converter chip is probably MP9428 (it says MPHM9428 on the IC itself). The chip looks very similar to the MP3428A by Monolithic Power Systems. If that is the chip, it can go up to 22 V, and can potentially give this amplifier quite a power boost. So, the JBL Flip 4 can be considered a nice board that can be easily hacked into a high power amplifier powered by a single Li-ion cell.

· A Li-ion charger based on MP2637. It can also work as a 5V boost converter, but this functionality is unused. Standby power is provided by a 3.3V LDO straight from the Li-ion cell, and main power for peripherals is connected through a MOSFET, and a bunch of other stuff.

· An IO expander chip.

· A bunch of opamps, with unclear purpose. I suspect they are used as signal level detectors, to control the amp power supply.

The service manual for Flip 3 is available here: https://elektrotanya.com/jbl_flip_3_sm.pdf/download.html

I know I know, it’s not Flip4. But, it has full schematics, they are reasonably similar, and will help you trace out the pcb should you want to.

Drivers

Who knows what they are... probably something custom by JBL. They look very beefy. (see photos in project gallery)

I have measured their motor performance (BxL), got 3.0 newtons of thrust per amp of current. DC resistance is 3.52 Ω, so it’s 1.6 N rms thrust at 1 W input power. It’s an incredibly powerful motor for this small a speaker, which is obviously there to push some bass from a small enclosure. From this value, I can suggest a replacement driver – a very comparable one can be extracted from Blitzwolf BW-3 bluetooth speaker... If you can buy one – they appear to be obsolete, and no longer available.

Passive radiators

They are tuned to 65-71 Hz (the value I get depends on amplitude, not sure why).

DSP

The input-to-amplifier-output frequency response of this speaker is not flat. That is how they achieve that impressive bass – there is built-in...


flip4 dsp remeasured.mdat

dsp frequency response (REW file)

mdat - 7.46 MB - 12/12/2018 at 20:02


rck_16unified_fl_bt4.2_28csb1_1608111110_ble_encr128 2016-08-11.zip

This looks to be Flip4's firmware, that I dumped from the processor

x-zip-compressed - 3.94 MB - 11/21/2018 at 00:29


Waveform Audio File Format (WAV) - 5.06 MB - 11/17/2018 at 21:21


jbl flip 4.psr

stock config of CSR8675 chip in JBL Flip 4

psr - 32.77 kB - 11/16/2018 at 17:18


  • Driver data

    DeepSOIC · 03/07/2019 at 23:22 · 0 comments

    Measured using REW, by analyzing the change of impedance-vs-frequency plot when adding a known mass (1.34 g) to the cone.

    Thiele-Small parameters
    fs 181.7 Hz
    Qms 5.902
    Qes 0.401
    Qts 0.375
    Fts 483.8
    Mms 1.18 g
    Cms 0.651 mm/N
    Rms 0.228 kg/s
    Vas 0.06 litres
    Bl 3.615 Tm
    Eta 0.09 %
    Lp (1W/1m) 81.67 dB
    Dd 3.22 cm
    Sd 8.1 cm^2

    Rdc = 3.85 Ohm

  • Got confused in amp powers

    DeepSOIC · 03/05/2019 at 20:29 · 0 comments

    When I downloaded TPA3130 datasheet, I saw power figures of 2x50 W, and thought "wow, that's some serious margin there". And even published it here. Today I suddenly realized while re-reading the datasheet, that the datasheet is a shared one for 3 ICs: TPA3116, TPA3118 and TPA3130. The difference between them is their power rating (specifically, overload current limit).

    The actual IC used here is only for 2x15 W. 

    Oops!

  • How to fix audio dropouts through aux

    DeepSOIC · 01/27/2019 at 22:58 · 3 comments

    The speaker has an annoying habit of blocking aux sound when the signal is very low, causing annoying dropouts when playing quiet passages, watching movies and talking over Skype.

    Guess what, the detection of audio signal is done in analog! So we can easily hack it, so that it thinks audio is always coming in.

    It's just a matter of shorting out Q12 transistor's collector to emitter.

    After doing this, I anticipated some problems with Bluetooth. There are, but they are minor. 

    + I can still connect to BT, and pair new devices. The speaker doesn't make pairing sounds, though.

    + whenever Bluetooth plays, aux input is inhibited automatically. As soon as BT audio stops, aux input works again.

    A nice hack! A better way would be to use jack to provide the signal whenever a cable is plugged in. It can be done, but requires desoldering the connector, and adding an additional connector to the board (or just permanently soldering a bunch of wires). But this easy one is good enough, IMO.

    I also notice, input stage of this audio detector circuit presents serious nonlinear load to the audio source. This may cause distortion if source impedance is high. So, consider removing 33-ohm resistors if you apply this hack.

  • Remeasured DSP responses to include Connect+ effect

    DeepSOIC · 12/12/2018 at 21:17 · 0 comments

    The old graph only included standard DSP:

    I remeasured it to include Connect+ button effect, and when DSP is off.

    This time, I was taking signal from output of an opamp. That is, right before DC-rejection capacitor at power amplifier input. So overall response is for (DC-rejection caps on aux input) + (ADC) + (DSP) + (DAC) + (another cap) + (balanced-to-single-ended-converter circuit), and does not include (yet another cap) + (power amplifier). 

    Additionally, I disabled boost converter that powers the amplifier, to reduce noise.

    I've also uploaded room-eq-wizard file to the project, so if you want to inspect it, go check it out in project files.

    Measuring aux-to-air frequency response remains in to-do list.

  • More setting hacks

    DeepSOIC · 11/30/2018 at 11:50 · 0 comments

    So, I have essentially scanned through just about all "User configuration data" keys of csr chip. I have not found anything that affects dsp. But I did find quite a bit of something. Here it goes.

    "user0" = "User configuration data 0" aka PSKEY_USR0

    "word0" = the index of word (16-bit value) of data in the key.

    "0400" = bitmask in hexadecimal notation. If followed by "->" means I tested that precise value.

    user0:
        word0:
           == 0010 bit -> startup sound
           == ffff -> boot-loop, self-resets to BEDF
           0400 bit set-> crash
        word3: startup volume
        word4: if >1aac -> boot loop (halfway through startup sound)
    
    data6:
        word0:
            0001: always BT-pairing?
    
    data7: 
        word1: change to 0011 -> no startup sound
        word6: crashy
            2000 -> crash
            1000 -> crash
            0100 -> crash
            0010 -> ok
            0040 -> ok
            00ff -> crash
        word9:
            dbd0 -> crash
            d000 -> crash
            0b00 -> crash
            00df -> crash
            0080 -> ok
            000f -> ok
    data8:
        word9:
            >8bcf -> no sound
    data13:
        word0: crashy
            0070->crash
            fb70->crash
    user16:
        word9:
          6070 -> crash
          5070 -> ok
          logic unclear
        word10: similar to 9
        word11: other channel than word12? 
        word12:
          A060 if any of these set, boot loop with startup sound playing
          4000 : boosts volume
          001f : boosts volume, the more the value the more the boost
    user20:
        word0:
            0003: if any bit set -> crash with deep powerdown, needs powerbutton tricks to reflash
    user21: see user26
    user26: similar to user21
        word0: crash if zero, otherwise no effect
        word2: if zero, next values are filled with what looks like random numbers
    
    user30: sounds table, 3 words per entry
        word0: event number. 4001 = startup, 4002 = shutdown
        word1: sound number. 0000-0009 = digits; 000a = startup, 000b = shutdown, 000c = pairing, 000d = connected, e = bump, 000f = chord, 0010 = connect+, 0011 = cancel connect+
        word2: bit 0002 is enable/disable, the rest seem irrelevant
       
    user37:
        word0: 0x0080 - clearing this bit inhibits aux input
    user43:
        word2: changing value causes either boot loop, no sound, or nothing. Hard to understand
        word4: signed word, adjusts startup sound loudness (negative for less loud) (0100 is noticeable amount)
    
    
    
    user49:
        word0, word1 always restore themselves
    user53:
        change to any value -> crash (tested word0 bit 0001, word2 bit 0001) 
    

    Of course, this is still very far from complete. I didn't test all bit combinations for the values listed here, so the conclusion might be wrong. 

    I've written random values to all unknown data, while looking for clues. Dsp was never seriously affected. Even after isolating a lot of things that cause crashes, I was still observing crashes, boot loops, and overall strange behavior. At least one crash was an unlucky combination of at least two settings in different keys; hunting that stuff down is too time-consuming.

    As for "DSP configuration data" - I replaced it all with random values, three times, and it had no effect whatsoever. I'm afraid, it is simply not used at all. Other possibility might be that it checks some checksum on these settings, and reverts to default if checksum is not matched. But I doubt it, it's pointless... So my chances of disabling dsp are really slim at this point.

  • Sound table

    DeepSOIC · 11/20/2018 at 19:19 · 2 comments

    "User configuration data 30" (PSKEY_USR30)

    Contains this:

    476d 0000 3fff 476e 0001 3fff 476f 0002 3fff 4770 0003 3fff 4771 0004 3fff 4772 0005 3fff 4773 0006 3fff 4774 0007 3fff 4775 0008 3fff 4776 0009 3fff 4001 000a bfff 4002 000b bfff 4003 000c bfff 4742 000d bfff 4744 000e bfff 4116 000f bfff 4101 0010 bfff 411b 0011 bffe

    ... and appears to have this meaning:

    // event id    sound number    flags 
         476d         0000          3fff  // "one"
         476e         0001          3fff  // ...
         476f         0002          3fff  // 
         4770         0003          3fff  //
         4771         0004          3fff  //
         4772         0005          3fff  // 
         4773         0006          3fff  //
         4774         0007          3fff  // 
         4775         0008          3fff  //
         4776         0009          3fff  // "nine"
         4001         000a          bfff  // power-on sound
         4002         000b          bfff  // power-off sound 
         4003         000c          bfff  // pairing sound
         4742         000d          bfff  // bluetooth connected
         4744         000e          bfff  // volume limit bump
         4116         000f          bfff  // some chord, dunno what
         4101         0010          bfff  // connect+ activate
         411b         0011          bffe  // connect+ deactivate

    By editing this table, I can reassign and disable sounds. 

    To disable a sound, set flags to zero. In particular, I've found that bitmask 0x0002 affects if the sound is played or not, the remaining bits don't seem to do anything.

    If you want to swap power-up and shut-down sounds, for example, change 000a into 000b and 000b into 000a.

    I'd consider it to be FIRST ACTUAL HACK! Yuppeeeee!
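The table layout described in this log, as an added example (not the author's code): a Python sketch that parses the stock PSKEY_USR30 words quoted above and re-serializes them with a sound disabled or two sounds swapped. The function names are hypothetical, and the script only edits the word string; it does not talk to the chip.

```python
# Added example: decode and edit the PSKEY_USR30 sound table quoted in the post.
# Layout per the post: three 16-bit words per entry = event id, sound number, flags.
# Flag bit 0x0002 decides whether the sound plays.

# Stock table contents, copied from the post.
STOCK_USR30 = (
    "476d 0000 3fff 476e 0001 3fff 476f 0002 3fff 4770 0003 3fff 4771 0004 3fff "
    "4772 0005 3fff 4773 0006 3fff 4774 0007 3fff 4775 0008 3fff 4776 0009 3fff "
    "4001 000a bfff 4002 000b bfff 4003 000c bfff 4742 000d bfff 4744 000e bfff "
    "4116 000f bfff 4101 0010 bfff 411b 0011 bffe"
)
ENABLE_BIT = 0x0002

def parse_table(text):
    """Split the hex words into (event, sound, flags) entries."""
    words = [int(w, 16) for w in text.split()]
    if len(words) % 3 != 0:
        raise ValueError("sound table must hold a whole number of 3-word entries")
    if any(w > 0xFFFF for w in words):
        raise ValueError("every value must fit in a 16-bit word")
    return [
        {"event": words[i], "sound": words[i + 1], "flags": words[i + 2]}
        for i in range(0, len(words), 3)
    ]

def serialize(entries):
    """Turn entries back into the space-separated hex words the PS key holds."""
    return " ".join(
        f"{e[k]:04x}" for e in entries for k in ("event", "sound", "flags")
    )

def is_enabled(entry):
    return bool(entry["flags"] & ENABLE_BIT)

def _find(entries, event):
    for e in entries:
        if e["event"] == event:
            return e
    raise KeyError(f"event {event:04x} is not in the table")

def disable_event(entries, event):
    """Copy of the table with one event silenced (flags zeroed, as the post does)."""
    out = [dict(e) for e in entries]
    _find(out, event)["flags"] = 0
    return out

def swap_sounds(entries, event_a, event_b):
    """Copy of the table with the sounds of two events exchanged."""
    out = [dict(e) for e in entries]
    a, b = _find(out, event_a), _find(out, event_b)
    a["sound"], b["sound"] = b["sound"], a["sound"]
    return out

if __name__ == "__main__":
    table = parse_table(STOCK_USR30)
    print(serialize(disable_event(table, 0x4001)))        # no power-on sound
    print(serialize(swap_sounds(table, 0x4001, 0x4002)))  # swap power-on/off
```
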

  • Analyzing the firmware... using Audacity =0

    DeepSOIC · 11/17/2018 at 22:04 · 0 comments

    I looked at the files I extracted from the chip - there are two files, one small and one large. It's a simple text file with hex numbers. So I glued them together with a quick py script to have a look:

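    # Convert the hex-text dump (one "address value" pair per line) to raw binary.
    file_name = r"S:\somethingsomething\jbl flip 4.xpv"
    with open(file_name, 'r') as x_file, open(file_name + '.bin', 'wb') as b_file:
        for line in x_file:
            if len(line) < 4:
                continue  # skip blank or truncated lines
            # split() also drops the trailing newline and tolerates repeated spaces
            addr, str_hex_val = line.split()
            # each value is a 16-bit word; write the low byte first, then the high byte
            b_file.write(bytes([
                int(str_hex_val[2:4], 16),
                int(str_hex_val[0:2], 16),
            ]))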

    First, I opened them in text editor, to see if there are some interesting strings. Not that I looked very thoroughly, but I only found "JBL Flip 4" string once, and nothing else. I was hoping for some debugging strings, to give me clues.

    Then, I decided to see if the sounds are in that firmware. And yes, they are:

    (WARNING: VIDEO IS VERY LOUD!)

    I loaded the binary file into audacity, and after some precision guesswork, picked the parameters: signed 16-bit pcm, big-endian, 1 channel, 16k sample rate.

  • Extracting firmware

    DeepSOIC · 11/17/2018 at 17:56 · 0 comments

    After no luck on changing DSP, I began trying other tools from bluesuite. BlueFlash came up.

    It has buttons that supposedly do what I need. But they are greyed out, and it says "processor running". As soon as I clicked Stop Processor, it spewed out an error, because the chip immediately loses power.

    Using same trick to force the power to the chip again, now I got lucky. I stopped the processor and dumped the firmware, and even verified it. You can find it in project files.

  • DSP not configurable?

    DeepSOIC · 11/17/2018 at 17:24 · 0 comments

    I have progressively erased all data in User DSP Configuration Data XX fields. The DSP still functions as before. So either, as I erase stuff, DSP reverts to built-in defaults, which match the stored values, or it simply ignores them altogether.

  • DOH! It's alive!

    DeepSOIC · 11/17/2018 at 15:15 · 0 comments

    Today I got to investigating, what really happened. Found out that despite me forcing the main power to the chip, core voltage (1.8 V) was still coming on for a brief moment after pressing power button. So I tried forcing that core voltage, externally. That didn't change anything, the chip still won't SPI. Then, I continued probing around, and there were quite a lot of signals coming on and off during that brief moment. It was clear that the chip is not quite dead yet, maybe just sleeping.

    I tried SPI-ing the chip during that brief power-on period, and got something. That made it clear the chip WAS WORKING, it was just immediately powering off.

    Then, after a bit more probing, I came across the pin that detects if charger is connected... Aha! I recalled, there is that demo mode, where it wouldn't power on if charger is not connected. So I plugged it in, and EUREKA! it works!

    So, now it became clear, that my semi-broken flex connector caused it to misinterpret the key combo I was doing, and I enabled demo mode instead.

    How embarrassing!

    OK, back to hacking!

    There remains a question: how does one force the chip on, to re-flash it for example, if the firmware powers it off immediately?


  • 1
    How to disable startup sound

    This is a dangerous hack.
    Changing the wrong setting may BRICK YOUR FLIP4, and you'll have to get it serviced (reflashed) to make it work again. You can reflash it yourself, but it's tricky.

    Still with me? Let's dive.

  • 2
    Download and install CSR BlueSuite

    To download it officially, it looks like you have to buy csr development kit. It costs more than 1000 $. 

    Luckily, it has leaked.

    https://github.com/lorf/csr-spi-ftdi/issues/30
    https://drive.google.com/file/d/1ADdvH-hdZSPf3rA8kCM57U-xKHWnCIEp/view?usp=sharing

    Windows. May work on Wine, but I don't know.

  • 3
    Connect your JBL Flip 4 to PC with usb cable. Power it up.



Discussions

e7p wrote 05/23/2019 at 18:35 point

There is a datasheet for the BCM MCU right here: https://supp.iczoom.com/images/public/20181122/1542855947673008220.pdf


Bodengriller wrote 05/22/2019 at 19:32 point

Many Thanx from me, too, to both of you! You did a very great job!

I also have a Charge 3 and was very worried about the connect+ Update.

I successfully flashed the FW3.4 Version from github-link above back to my Boxes. 

My Problem is, that it will brick if I change the Bluetooth-MAC by PSTool. You can flash the whole Image back to get the Box work again. But I wanna use 2 Boxes in Stereo-Mode with FW3.4 ... that's impossible if both boxes have the same MAC.

Do you have an idea, why it's impossible to change the MAC or do you even have a solution how to do it?


Zura wrote 03/30/2019 at 22:03 point

Nice process here! I looked here because I have a similar speaker, JBL Charge 3, almost same hardware, just different DC DC Booster and amplifier. TPA3118, and TPS61088 as boost converter. same bluetooth SoC.
I looked here to find some references, however your fw of the flip4 looks similar like the latest firmware of the JBL Charge 3 when added functionality Connect+. Though I wanted to downgrade to have lower latency on analog input, and the annoying low signal sounds!
I shared my fw files on my github : https://github.com/Dnstje/JBL-Charge-3-firmware
Still need to find to disable the bootup sounds, annoying af, the stock firmware is different.

