
Hacking your PC using your speaker without ever touching it

Why This Matters

This discovery highlights critical security vulnerabilities in consumer audio devices, demonstrating how attackers within range can exploit firmware and protocol weaknesses to covertly spy or take control of devices without physical access. It underscores the importance of robust security measures in IoT and connected devices to protect user privacy and prevent malicious exploitation. For consumers and the industry, this serves as a reminder to prioritize security in device design and firmware management.

Key Takeaways

In my last post, I talked about reverse engineering my new Creative Sound Blaster Katana V2X's firmware.

What initially started as simply wanting to write a Linux tool for communicating with my speaker ended up with me discovering vulnerabilities which allow any attacker within a ~15 m range of any Katana V2X to turn it into a covert spying tool and Rubber Ducky - all without ever having to pair with or physically touch the device.

As I explained in my previous post, the Katana V2X is a USB-connected PC sound bar. Being USB-connected, Creative has an app which allows you to change the settings of the speaker - the DSP, the LED configuration, the output source, and so on.

To do this, they use a custom protocol called CTP (short for Creative Transport Protocol would be my guess). Basically, it seems to be a fairly simple proprietary protocol for sending various commands and reading their responses. I won't go into much detail here, but if you're interested, I described how it works in my last post.

What's important to note, however, is that in order to do anything with CTP over USB, you first have to do challenge-response authentication with the device. The key is static and can be derived from the binaries that ship with the Creative App, and I'm unsure why this is even the case, but the speaker won't accept any commands until you've performed authentication. Fine.

Another thing that'll become important later is that firmware updates are also performed over CTP. That's how I initially got my hands on a firmware image - I sniffed the USB traffic using Wireshark and extracted the data from the captures.

The firmware container, which is also proprietary but is essentially a primitive Zip file, contains three parts that are of significant value.

First, there's FBOOT, which I previously presumed to be a bootloader (hence the name), but which also contains a sort of recovery mode for the speaker. This recovery mode can be entered by holding down the SOURCE button while powering the device on, and allows you to recover from a bad state. This saved my device from being bricked many times, which I'm pretty grateful for.

The second part is FMAIN, which is the main firmware of the device. This runs when you boot the device "normally". While FBOOT implements a lot of the same functionality as FMAIN (they both handle CTP commands, for example), FMAIN is about 6.5x larger than FBOOT.

Both FBOOT and FMAIN are based on a (fairly heavily-modified) version of FreeRTOS, as hinted by a string present in the binaries: /home/jieyi/mcuos2.5/kernel/freertos-8.2.3/.
