Bypass video capture limit on Ray-Ban Stories

source link: https://philippeharewood.com/bypass-video-capture-limit-on-ray-ban-stories/

Meta Ray-Ban Stories exposes a few lower-level settings that can be changed through the View app (the companion Assistant app), for example:

  • enable Assistant
  • change inner LED notification level
  • change volume

The app writes all of these through the same method, and the firmware defines many more settings than the app ever exposes. By swapping the setting ID and value inside that shared write path, one of the hidden settings can be written instead: the video capture duration, which Meta advertises as limited to 30 seconds.

Hook STLMcuSettingHandler's -writeSetting:value:completion: method, which sends the setting ID and its value to the MCU as Int32 values, and replace those two arguments with our own. Note that, as written, the hook rewrites every settings write made while the script is attached, not only the LED toggle used below.

// Objective-C method that writes one setting to the glasses: args[0] is self,
// args[1] the selector, args[2] the setting ID and args[3] its value
var writeSetting = ObjC.classes["STLMcuSettingHandler"]['- writeSetting:value:completion:']
Interceptor.attach(writeSetting.implementation, {
    onEnter: function(args) {
        args[2] = ptr(0x8004)   // VideoCaptureDurationMs
        args[3] = ptr(0xea60)   // 60000 ms = 60 seconds
    }
});

Save this as video-length.js and, with the iPhone connected over USB, attach it to the running View app with
frida -U View -l video-length.js

In the View app settings, under “System alerts”, toggle one of the options, e.g. the LED notification brightness.

Instead of the settings that toggle normally writes (UserLedAdaptiveBrightnessDisabled 0x8038 and UserLedManualBrightnessLevel 0x8037), VideoCaptureDurationMs 0x8004 is written, with the value 0xea60 (60000 ms).

The setting ID comes from the glasses' firmware, in StellaWifiService.apk:

/system/priv-app/StellaWifiService/StellaWifiService/smali/stella/common/Uint32SettingsEnum.smali
.field public static final VideoCaptureDurationMs:I = 0x8004

The next time a Ray-Ban Stories owner uses the video capture feature, the new default capture length will be 60 seconds.
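The hook above overrides every call to the write method while it is attached, so any other setting the user changes in the meantime also turns into a video-duration write. The following is an added example, not the script from the original post, that applies the same idea selectively: only the two LED-brightness writes that the “System alerts” toggles produce are rewritten, and every other setting passes through unchanged. The setting IDs are the ones quoted from Uint32SettingsEnum.smali in the post; the method name and argument layout (args[2] = setting ID, args[3] = value) follow the post's hook. It assumes the app passes both as plain integers in those registers, and that a duration other than 60000 ms (used below only as a parameter) would be accepted by the firmware, which the post does not test. The decision logic is kept free of Frida APIs so it also runs under plain Node, where the Frida-only part is skipped.

```javascript
// Added example (not the original post's script): selective version of the
// STLMcuSettingHandler hook. Setting IDs are from the post's smali excerpt;
// the argument layout and method name follow the post's own hook.

const SETTINGS = {
  VideoCaptureDurationMs: 0x8004,
  UserLedManualBrightnessLevel: 0x8037,
  UserLedAdaptiveBrightnessDisabled: 0x8038,
};

// Writes to these settings (what the "System alerts" toggles send) are
// hijacked; writes to anything else pass through untouched.
const TRIGGER_SETTINGS = new Set([
  SETTINGS.UserLedManualBrightnessLevel,
  SETTINGS.UserLedAdaptiveBrightnessDisabled,
]);

const DEFAULT_DURATION_MS = 60 * 1000; // 0xea60, the value used in the post

// Pure decision function: given the (setting, value) pair the app is about to
// write, return the pair that should actually reach the MCU.
function rewriteSetting(setting, value, durationMs = DEFAULT_DURATION_MS) {
  // The enum is Uint32SettingsEnum, so the value must fit an unsigned 32-bit int
  // (whether the firmware accepts durations other than 60000 ms is an assumption).
  if (!Number.isInteger(durationMs) || durationMs <= 0 || durationMs > 0xffffffff) {
    throw new RangeError('duration must be a positive uint32 millisecond count');
  }
  if (TRIGGER_SETTINGS.has(setting)) {
    return { setting: SETTINGS.VideoCaptureDurationMs, value: durationMs, rewritten: true };
  }
  return { setting, value, rewritten: false };
}

// Readable name for a setting ID, for the log line (unknown IDs print as hex).
function settingName(id) {
  for (const [name, value] of Object.entries(SETTINGS)) {
    if (value === id) return name;
  }
  return '0x' + id.toString(16);
}

// Frida part: only attach the hook when actually running inside Frida.
if (typeof ObjC !== 'undefined' && ObjC.available) {
  const writeSetting =
    ObjC.classes.STLMcuSettingHandler['- writeSetting:value:completion:'];
  Interceptor.attach(writeSetting.implementation, {
    onEnter(args) {
      // args[0] = self, args[1] = selector, args[2] = setting ID, args[3] = value
      const setting = args[2].toUInt32();
      const value = args[3].toInt32();
      const out = rewriteSetting(setting, value);
      console.log(
        `writeSetting ${settingName(setting)}=${value}` +
          (out.rewritten ? ` -> ${settingName(out.setting)}=${out.value}` : ' (passed through)')
      );
      if (out.rewritten) {
        args[2] = ptr(out.setting);
        args[3] = ptr(out.value);
      }
    },
  });
}
```

Run it exactly as the post's script (frida -U View -l video-length.js); the log line shows which writes were rewritten and which were passed through, which also makes it easy to confirm that the toggle you pressed is really the one reaching the MCU.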

Small “bypass” in Meta (formerly known as Facebook) Rayban Stories. pic.twitter.com/UsCcrDWrVz

— Philippe Harewood (@phwd_) November 5, 2021

Timeline

Nov 5, 2021 – Report sent
Nov 8, 2021 – Further investigation by Meta
Nov 25, 2021 – Patched by Meta
Dec 6, 2021 – $1500 Bounty awarded by Meta
Jan 14, 2022 – Disclosed (As we are patching things client-side, we ask you to please refrain from publicly posting about the bug until Jan 14th, which should give our users sufficient time for our hotfix to be pushed)
