Warning: Doing this at your own risk.
If you never heard of SBC XQ, look this article before read.
This manual is based on this article by ValdikSS, Who first coined the concept of SBC XQ.
1. Introduce
Since our watches does not support aptx-HD or LDAC, No high qualtity bluetooth audio available. but SBC codec is quite flexible codec actually, You can easily mod the bluetooth stack to increase its bitrate and get high quality bluetooth audio. There is no real technical limit for this.
Bluetooth SBC profile consist of 7 numbers basically. They are Samplerates, Channel mode, Blocks in frame, Subbands, Allocation mode, Max Bitpool, Min Bitpool. It limits its bitrate by Max Bitpool, which is usually set to 53. and You can not go any further because It is also limitation of almost all bluetooth audio receivers.
But SBC codec also have some strange logic on it. This bitrate limit of Max Bitpool itself can be changed by other mode changes. Such as Channel mode and Subbands. An example, By changing channel mode from Joint stereo(which is default in most cases) to Dual channel mode, Your SBC bitrate limit will be almost doubled and You can adjust its bitrate by ‘lowering’ its Bitpool value.
In this case, Bitpool limit still not exceed “53”, You can bypass its bitrate limit and enjoy high quality(4~600 kbps around) bluetooth audio. Dual channel mode is not really ‘optimized’ mode if we compared it to Joint stereo and stereo. but If you can go this extreme bitrate, That kind of limitaion is meaningless. Various tests shows that It actually can go with aptx-HD qualtiy, or even further.
This is not new thing to audio communities and actually implemented to a lot of Android, MAC, linux devices. I’ll explain ‘HOW TO’ do this in this document specially for our precious full android watches.
2. Required
- Your watch must runs marshmallow or nougat.
- Your watch must be rooted.
3. Tools may needed
- Good root explorer for android. I suggest MiXplorer.
- ARM disassembler for windows(I’ll use IDA 7.0 Pro).
- ARM to HEX converter(I’m using this).
- Hex editor for windows.
- SBC Bitrate Calculator by ValdikSS(link here).
- Wireshark for windows.
4. Limitation
-
By trasmitter: There are various bluetooth stacks for android. but what I’m actullay able to mod are legacy broadcom(I found this stack from some Gingerbread devices), bluez(4.1 jellybean and below), bluedroid(4.2 jellybean to nougat), fluoride and modded fluoride stack by qualcomm(Oreo and Pie). Lollipop and below mediatek devices using blueangel stack which is dedicated stack for mtk devices. Currently, I’m not really moddable this stack. So, This manual is only for marshmallow and nougat mediatek watches. or which are NOT USING mtk chipset.
-
By receiver: Some bluetooth receiver just do not handle Dualchannel. In this case, Your audio will not played or begin crackling seriously. and most of TWS won’t go higher than 452kbps. Bare it mind.
5. HOW TO
First, Get “bluetooth.default.so” from "/system/lib/hw"
Back up it as default and store it somewhere safe place. You’ll edit a copy of it.
Second, Change bitrate limit of SBC stream.
Open the “bluetooth.default.so” file by IDA 7.0 pro and HEX Editor. Wait till load. Open “View → Open Sub View → Strings” from IDA. You’ll meet the window like this.
Search “non-edr”. Click it. Right click aNonEdrA2dpSink and look what functions refer this. You’ll see this window.
for marshmallow watches, There will be 2 sections. 1 sections for nougat watches. You must mod all of these.
There will be code like this. “MOV.W R4, #0x148” or “MOV.W R0, #0x148”. 0x148 is the bitrate limit and You want to change this. To do this, Open ARM to HEX converter and put the code on.
and change like this.
This is just limit of bitrate and We’ll edit Bitpool setting later. Thus You can put any value of above which you have planned. Go to hex edit and search original code(4FF4A474). Only one value will be matched. Change it to the code from latter screenshot(4FF49864) and save it. Your bitrate limit has been off now. Keep it mind that this is just an example and actual code can be vary.
Third, Change default SBC profile.
Search “20 01 10 04 01 35 02” for 44.1khz, “10 01 10 04 01 35 02” for 48khz from hex editor. There would be only one matched code for this.
0x20 : Samplerate 44.1 (You must not mod this)
0x01 : Channel mode Jointstereo
0x10 : Block Count 16 (You must not mod this)
0x04 : Sub Bands 8
0x01 : Allocation louness (You must not mod this)
0x35 : Max bitpool
0x02 : Min bitpool
Change channel mode Jointstereo(0x01) to DualChannel(0x04). And Max bitpool to preferred. to figure out what bitpool value matched to your preferred bitrate, You can use SBC Bitrate Calculator.
According to my test, There is no problem to being maximum (0x35=53=617.4 kbps). but I recommend max bitpool value (0x26=38=452.0 kbps). It’ll be much more stable and still perfoms close quality to aptx-HD.
Last, Check if it is actually working.
If modding done, Turn bluetooth off and put your file back to “/system/lib/hw/bluetooth.default.so”. Check file property setting is vaild and reboot. The changes should be applied at this point.
To check if it is actually working, You need to get bluetooth HCI log.
Turn off bluetooth → Go to develop setting and enable HCI log → Turn on bluetooth and connect to audio receiver → play music 10 sec around → turn off bluetooth → disable HCI log.
log file will be saved on “/sdcard/mtklog/btlog/btsnoop_hci.log”. Pull this file to your computer and open it by Wireshark.
- This is an original log from unmodified stack.
- Modified stack log should looks like this(In this screenshot, Bitpool limit is 52(606.4 kbps). If you followed manual as it is It must be 38(452.0 kbps).)
6. Additional
Here are some pre modded bluetooth stack which I’m currently using. Enjoy.
for LEMFO LEMX DMN_DM19_LEMX_20190522
for LEMFO LEM11 Z31-LEM11-V1.9
