360° Speaker time clock removal Megawin MPC82 [Help]

[ESXi]

Hi,

So I brought two 360° Logitech speakers for cheap and they sound fine. I was planning to add the following to the speakers: a BMS, few good 18650 cells[4], buck converter[down] and a Bluetooth[a2dp] module to it which is really easy.

But the problem I am having now is;
There's a 4 Digit led display in the front of the speaker and on each power cycle when the mains or batteries are disconnected the time that was set during the startup using the volume knob is lost (it's not saved, its not a RTC, it has no backup battery) I also don't need the time on my speaker (Doh..).
So when powering up again I first need to set the time again using the volume knob before I can use the damn thing.

Hardware & my idea:
It has a Megawin MPC82L54AT2 8-bit processor, the display is connected with ISP. Basically the code in the firmware that runs at startup looks at the time and if it's 00:00 it prompts for user input first.
So is it possible to dump and edit this dump of the firmware and flash it again or is it a better idea to just get rid of this microchip and make something with a Arduino ?

The audio IC that this thing is using is a class-D TDA7491LP.
volume control can maybe be done by a Arduino using a voltage divider for 3v high/low and then hooking it up to pin 30, 31 on the TDA audio chip. There's 4 levels of audio gain 20dB 26dB 30dB 32dB, on the 4 ditgit LED screen I have the volume range from 0 to 40 so, maybe it uses this and some pre leveling before its shot in the TDA chip.

If you guys want high res pictures of the PCB, please let me know. I would like to modify this thing really bad..

[Prehistoricman]

Is it booting from external ROM? If so, then there's a good chance you can mod it with some knowledge of 8051 assembly
If not, you'd be looking at a complex attack to dump the contents of the internal memory. I've done such an attack, but I already knew what was inside the embedded ROM.

That's my understanding from a brief look at the datasheet. It seems there is an internal register that tells the chip where to boot from.

[ESXi]

Is it booting from external ROM? If so, then there's a good chance you can mod it with some knowledge of 8051 assembly
If not, you'd be looking at a complex attack to dump the......

Didn't think of that. Great details, will look at this tomorrow. I have not checked all components on the PCB, I just did a quick speculation from my point of view on it. Regarding the assambly. Well I know a little masm/fasm. Will look at it for sure. Finding it interesting, not only this topic. I like to poke around in assembly and working on op_code / byte code level (as a hobbyist).

Ps: last fix I attempted was reading a SMT/ATMEL(not sure again) eeprom and modifying the rom contents (car speedometer, because the speed gauge aka steppermotor was broken, I hate old liquid crystal displays with zebra lcd strips.. I do no more attempts at those bastards so yeah had to dump the rom mfd was 1992 only was able to dump the rom using a lib in arduino for the microwire protocol), not sure how reliable the dump was yet.

Obviously I'm noob but getter a better and better
while studying stuff in my fee time I mean on hardware & software stuff on this level.

[Prehistoricman]

I like to poke around in assembly and working on op_code / byte code level (as a hobbyist).

Yeah same. Modding embedded software is really fun and rewarding.

If you manage to get a dump, open it up with IDA (Interactive Disassembler). The free version should support Intel 8051.

[ESXi]

I like to poke around in assembly and working on op_code / byte code level (as a hobbyist).

Yeah same. Modding embedded software is really fun and rewarding.

If you manage to get a dump, open it up with IDA (Interactive Disassembler). The free version should support Intel 8051.

Yep. I do have the free version and the latest leaked one with disassemblers included I have played with it before many times, I used it to look at ipcamera firmware that I was able to dump after snooping up the http(s) traffic from it by using mitmproxy. I downloaded the latest bin and unpacked it with binwalk. In IDA I found out it used a custom version of rtsp server and upnp sdk (out dated). By sending a header that was beyond 303 chars the entire thing crashed (this wasn't a listed cve/bug), but found it by using a fuzzer with some extra rules added. This was one of the things, with ssl unpinning and mitmproxy I probably was able to let it install my modded firmware that doesn't connect up to tutk p2p cloud maybe even without unpinning because well.. Chinese ip camera's suck security wise.

[ESXi]

Is it booting from external ROM?

Can't seem to find a external rom on the board so getting the firmware is probably not a option

[Prehistoricman]

Is it booting from external ROM?

Can't seem to find a external rom on the board so getting the firmware is probably not a option

sad
If you care to think about how to construct an attack to dump the code, the MOVC instruction is your best bet.
Even if you got the code and edited it, you'd have some more fun re-programming it.

Why is there a need for getting past the time setup? Is it required to use the speakers?

[ESXi]

sad
If you care to think about how to construct an attack to dump the code, the MOVC instruction is your best bet.
Even if you got the code and edited it, you'd have some more fun re-programming it.

Why is there a need for getting past the time setup? Is it required to use the speakers?

Hm alright. Well the problem is when I power on the speaker it will prompt for time set, you have to first set the time in order to be able to use the speaker.
The PCB has two ways to be powered. 6x AA batteries (9 volt) and by a DC power supply 10 volt 1.3A. So the AA batteries are probably the "backup battery". Anyway I will look at it, maybe just maybe I'm able to pull this off, not sure. Also tried to listen on the serial port of the chip, but I think it has been disabled because only one char returns only when the MPC82 is turned on.

Edit;
I am a idiot.. I used avr ISP which is different compared to 8051 SPI, which has one extra pin SS (Serial mode Selector).

http://forum.arduino.cc/index.php?topic=237048.msg1703779#msg1703779

Meh, looked it up, the dongle is like 150 US dollars. Well, game over..