Goal: Send commands (voicing, volume, playback) to Libratone Zipp speaker from anything, not just the iOS/Android app. Request of documentation has been declined by Libratone.
Except I missed it, there’s no License document with used framework.
Idea: sniff the traffic between app & device to reverse engineering the thing.
TL;DR: Ubuntu cooked up frames as IPX.
Wireshark analysis on Ubuntu (any interface, Wi-Fi hotspot for speaker & Android device) gives IPX frames.
|1402||neutral volume - “V100”|
|2195||easy listening - “V101”|
Seems like a dead protocol, could be mis-interpreter by Wireshark (MAC info in header are wrong for example)
If wish to send from Windows, difficult after Win7.
It was not possible to get frames before, as most packet capture apps fakes VPN connection. This breaks Libratone app. On OnePlus device, it was possible to run
(! (dns || ssdp)) && (ip.dst == 192.168.178.129)
|1179||neutral volume - “V100”|| |
|1183||easy listening - “V101”|| |
- Two UDP streams, hitting port
7777(for V100/V101) and another on
Tried to replay UDP packet, with no success.
Guess I need to dig on the UDP protocol.
Idea: reverse engineering the code itself
Wanted to check used 3rd-party softwares by checking Licenses … not available.
Used this thread on StackOverflow to reverse engineer the APK to Java classes.
Exploration trace during dirty CTRL-F search - not sure where it’ll lead.
com.libratone in version 5.3.5. The JADX output is used as root directory.
ressources/assets/voicings/voicings.json: contain references to
voicingId, which has V100 and V101 like the one captured
setVoicing(Voicing.V100());is called when
setFactoryResetis called from
public void setVoicing(Voicing voicing)is defined in
public void sendMessageString(String str, int i)is called to send the V-value. This is also defined in
- It seems to call
public Handler connect(InetAddress inetAddress, Handler handler)
sources\com\libratone\p009v3\LibratoneApplication.javaindicate device port?
DEVICE_PORT = 50001;
3334 are found in
sources\com\libratone\p010 v3\luci\LUCIControl.java as
LUCI_CONTROL_PORT = 7777; and
LUCI_NOTIFY_RSK = 3334;.
LUCIControl.java seems to handle the real communication stuff
Goal: Have the system image to explore it.
The speaker can update itself, and this is started from main app or from web page (
This trigger a HTTP GET request on
On the 2020-05-27, this is answered by a
404 Not Found error code.