v2x-patcher 0.2.0

Firmware patcher for the Creative Sound Blaster Katana V2X

This tool patches a USB-connected Creative Sound Blaster Katana V2X to remove CTP support over BLE.

This prevents attackers from being able to control the Katana V2X over Bluetooth and potentially flash malicious firmware, which would allow the attacker to also compromise the PC that the speaker is connected to via USB. More details about this attack can be found here: https://blog.nns.ee/2026/06/03/katana-badusb/.

The tool downloads a clean firmware file from Creative's servers, stores it in memory, verifies it's correct, applies the patch and flashes it to the device.

The tool has safeguards in place to prevent you from doing something that might brick your device. However, if it does happen to brick, you may reboot the device into recovery mode (hold both POWER and SOURCE while plugging in power) and try running the tool again.
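
The verify-then-patch sequence and the safeguards described above can be sketched as follows. This is an added example, not code from v2x-patcher: the function name, the SHA-256 check and the patch format (offset, expected original bytes, replacement bytes) are assumptions, and the image, digest and patches are constructed sample data.

```python
import hashlib


class PatchError(Exception):
    """The image or a patch site is not what the patcher expected."""


def verify_and_patch(image, pinned_sha256, patches):
    """Return a patched copy of image, or raise PatchError and return nothing.

    patches is a list of (offset, original_bytes, replacement_bytes).
    """
    # 1. Refuse anything that is not byte-for-byte the known firmware build.
    if hashlib.sha256(image).hexdigest() != pinned_sha256:
        raise PatchError("firmware digest mismatch, refusing to patch")

    out = bytearray(image)  # work in memory; the caller's bytes are untouched
    prev_end = 0
    for offset, old, new in sorted(patches):
        if len(old) != len(new):
            raise PatchError(f"patch at {offset:#x} would change the image size")
        if offset < prev_end:
            raise PatchError(f"patch at {offset:#x} overlaps the previous one")
        end = offset + len(old)
        if end > len(out):
            raise PatchError(f"patch at {offset:#x} runs past the end of the image")
        # 2. Only overwrite bytes that match what the patch was written against.
        if out[offset:end] != old:
            raise PatchError(f"unexpected bytes at {offset:#x}")
        out[offset:end] = new
        prev_end = end
    return bytes(out)  # only a fully patched image is ever handed to the flasher


# Constructed sample data: a 1 KiB stand-in for the downloaded image. A real
# tool would hard-code the digest of the vendor build it was written against.
CLEAN = bytes(range(256)) * 4
PINNED_SHA256 = hashlib.sha256(CLEAN).hexdigest()
PATCHES = [
    (0x200, b"\x00\x01", b"\xff\xff"),
    (0x010, b"\x10\x11\x12\x13", b"\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    patched = verify_and_patch(CLEAN, PINNED_SHA256, PATCHES)
    print(len(patched), patched[0x10:0x14].hex(), patched[0x200:0x202].hex())
```

Because the function raises before returning on any mismatch, a partially patched image never reaches the flashing step.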

Usage

  1. Ensure your device is plugged in to your machine via USB and that it's not currently in sleep mode (display is active).
  2. Simply run the tool (on Linux, you will need root/sudo) and wait a few minutes.

If you're on Windows and get a "Permission denied" error, end the Creative.App process using Task Manager and retry. If that doesn't help, running the program as Administrator might work, although the tool shouldn't necessarily need it on Windows.

After around two minutes, your device should reboot and start flashing the firmware. If all goes well, it will reboot once more, this time using the patched firmware.

Download

For advanced users

The tool also supports a flag --mem-patches, which adds patches for a memory command handler. Flashing this firmware allows you to use v2x-ctl to read, write or execute arbitrary memory on the device. Regular users do not need this patch; it is for people who are interested in reverse engineering the device.

See --help for the full usage instructions.

Flashing clean firmware

If, for whatever reason, you want to return to the vulnerable stock firmware, run the tool with the --no-bt-patch flag. This downloads the original firmware, applies no patches (unless --mem-patches is set) and flashes it to the device.