Let's Hack: Extracting Firmware from Amazon Echo Dot and Recovering User Data
ฝัง
- เผยแพร่เมื่อ 3 ม.ค. 2023
- Let's Hack the Amazon Echo!
In this new video format, I took a longer look at the Amazon Echo Dot (Generation 2) device I've worked on previously. This is an uncut video where I walk through my process when looking at a device and its filesystem. I ended up removing the eMCP chip and extracting the storage partitions on the device. I learned a lot from this process and look forward to poking around at this data more. If you take away anything from this video it is that you need to factory reset devices, if not destroy them, before they leave your possession... I'm sure there are some Android DFIR pros out there who can point me to interesting parts of the filesystem to look at in the future!
Feedback on this new video is welcomed!
eMMC reader I use:
www.ebay.com/itm/334442938179
🛠️ Stuff I Use 🛠️
🪛 Tools:
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4aaCOGt
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #privacy #android #dfir - วิทยาศาสตร์และเทคโนโลยี
UPDATE: the storage partition also has API keys used for various amazon services that are associated with the previous user's account. (albeit probably expired)
Those are great for text to speech services;)
Sure dd stands for disk dump bro 👍
@@marcwilkinson2072 Disk destroyer is what I've always known it as
@@marcwilkinson2072 there's many claims to what dd stands for and while it doesn't exactly matter for modern purposes ("disk destroyer" is just as valid imo) but for historical purposes it's a fact (corroborated by Dennis Ritchie, original co-author of Unix) that dd was inspired and named after an old JCL statement for IBM S/360 computers called DD where it stands for "Data/set definition"
@@snooks5607 disk dump seems to resonate better with me in my personal opinion, as that's what the command does, it dumps the data to an image file, also it has write capabilities too, but I've never used the dd command to destroy a disk.
There's multiple root filesystems because that's how they do OS updates - they update one root filesystem, then the bootloader switches to it - if it fails to boot, it reverts back to the last known working state.
Typically any user data would be in its own partition - and you're right, it's an android based system. Amazon's fire products are android based.
Yeah I kind of came to that conclusion over the course of looking at this device.
It makes so much sense. Google has invested years of security work into android.
@@mattbrwn FreeNAS does it too, it's how we update switches and routers for the last few decades. We use it for immutable infrastructure in the cloud too.
Nix offers something like it, and there's a ZFS booter for linux that lets you replicate the same pattern but with snapshots
@@mattbrwn Also IIRC this isn't really an .. 'android' feature, more of your bootloader.
Fujitsu does the same with its iRMC (management board for Primergy servers). You have two slots, one is active (running) and you flash new firmware to the 2nd (inactive) one.
You can switch over manually or automatically ("use the slot with highest firmware version", "use the slot recently flashed", etc.).
These management boards are Linux-based too ususally.
This content is so useful. I'm a software engineer but I'm trying to learn more on the hardware side. Thank you so much for posting this content!
Amazing Matt, please keep uploading this kind of live sessions. I personally learn a lot from this kind of videos! Thanks a lot for your work! :)
21:30 silicone is a thermal insulator. It has very low thermal conductivity.
Great video. I learned a lot.
These are the type of videos I was looking for, Keep up the good work!
Matt the way you show the commands I love it thanks you, keep it up brother.
Insane content. Its truly inspiring to see you in action.
Matt, this is brilliant!! Thank you for sharing!
Love hacking but new to hardware on this scale. Learning a lot here thanks so much!
Incredibly well presented video. Thank you. I’ve been trying to understand how an IoT device that uses eMMC can be analysed, as I was only familiar with either simple 8-pin chips, or setups where the firmware could be downloaded without encryption.
Thanks for making this video. I would like to understand this information enough, to apply it to a 1st generation Echo Plus for the purpose of repurposing the hardware. I have always felt that the ~9" tall cylinder has impressive features: Microphones, lighted volume ring, top function buttons, and a pretty great sounding speaker setup. Do you think the main board could be repurposed, or that a newly designed board could be fitted while maintaining the functionality of the other components? I have a new 1st generation Echo Plus I'd be willing to send you. Also is that a Ravens hat your wearing? 👍Let me know.
Damn, that was damn interesting. Has been some time, since I watched a 1-hour video :D
Thanks for all the helpful explanations, I really learned some stuff.
I loved that you were like "let's find out together" when you didn't understand something instantly. This way, people like me can build up confidence when doing something like this alone.
Most TH-camrs act like they know anything, this way you get really unconfident as a viewer because you feel you ass a viewer are the only person who struggles with stuff on the first try :D
Thanks! Keep it up.
This was fantastic! Thanks for the great walkthrough. Let us know how it continues :)
thanks! this device was pretty interesting.
Really nice work Matt!
Thanks!
Do you ever do in-system programming (ISP) extractions?
Excited to see more :)
dd stands for copy and convert, but since cc (c compiler) was already in use, they went for dd
i have learned a lot hope you post more :) .
Hoping to do lots of new videos in 3023!
@@mattbrwn hope we dont have to wait that long. *eyeing the cryotank
id love to see more analysis of the google home mini.
The SSID or password could also be in some other flash/nvram storage that operates more like a k/v store, this is pretty common with some other devices, although this one has a lot of storage.
Likely that keychain apk would lead to more details.
when using the "dd" command; if you specify an appropriate blocksize (i.e. 'bs=4M' is reasonable for most flash storage), the "dd" command can finish much, much faster than if a less optimal blocksize (i.e. the default) was chosen
Also amazon products use a derivation of 'FireOS' which is a fork of android from a while back, kinda like how linux-mint is a fork of ubuntu
Matt, i stumbled upon your video after trying to solve the stuck red mute button and no ring light for my echo 4. I purchased as defective and unable to figure out the problem. Both do not reset and only light that turns on is red mute button at 2 different lighting levels. I'm guessing it's some type of firmware issue. Many others have the same problem and could you look at one in the used market? Follow up video would be awesome.
To reattach can you just use a solder mask and hope for the best or do you absolutely need to reball it?
19:57 WOW reballing. What equipment do you use?
Matt you are a genius 👏💯
No one is a genius in this field. I probably get imposter syndrome just as much as the next guy. Just keep learning!
It would be so cool to replace a memory chip with a bigger one and stuff it with lots of pirated mp3s, don't you think?
You could also change some scripts to start ssh server on startup and do other cool things to actually 0wn the device.
Maybe install a torrent client with a web-UI to control from your phone.
And after you patched it, you could go to the nearest guy repairing phones, he knows where or how to buy a special "mask" (a tiny board with lots of punched holes in it that strictly correspond the contacts on that chip) to apply on the chip and add little metallic balls in order to put it back on the board.
Restart, and you finally own it! 😀
P.S. Thanks for a great video! An instant sub from me!
start your comment with spoiler alert 🤣
Cool video, please keep it up.
Thanks, will do!
Interesting content i want more content about extracting firmware ,and i never know use linux os but very interesting ,maybe i will try linux os tomorrow thanks bro👍
Not sure if you've covered this already but what microscope are you using? Could you go over the tools you have in a future video. Thank you!!!
Louis rossman.
Yeah I will do some videos soon on that. I get a lot of stuff based on Louis Rossmann's recommendations.
apk files are generally use in android???
damn my xgecu t48 wont read that emmc :( that reader you used is really expensive too. anyone else found another way to read these? i've tried soldering it onto an sd breakout board but they are really difficult to reball and fit
Yeah unfortunately these readers are the best way to go. Sometimes the pads are available for ICP but not always
like the features, setup was difficult for some of my devices (August Door lock, th-cam.com/users/postUgkxhB5YOMNj04GuoAosExygP4cH-dKeb4aB Bose speaker)... but all switches and outlets (5), thermostat, tankless water heater. Unfortunately all I can do is turn on/off Bose. It doesn't support volume or changing channels, but I believe that is due to the particular speaker I have.... Worth getting if you already have other devices to use it with... I don't sit around and ask Alexa questions much so that doesn't really matter to me....
Would love to know your lab set up.
Грубые загрязнения хорошо счищается мягкой зубной щеткой.
Чип от флюса хорошо чистить обычной салфеткой смоченной изопропиловым спиртом.
That is REALLY great. Is there some way, we can exchange the extracted data, so people / others can work on Hacking the Bluetooth Firmware Update / Create alternative Firmware that does work without Amazon Stuff?
its illegal to share firmware dumps
@@gcm4312 hm ok. It would be cool to know, if there is some way to enable adb.
@@FlorianGT396 xda forums is your friend
If you rub a sharpie pen over the chip, it makes it 10x easier to read.
You're very brave just doing `cat` on files instead of xxd :)
For future readers, cat would not encode any escape characters in the contents of the files, which could lead the either corruption of state in your terminal emulator, or potentially worse
What devices should I look at in the future?
I want starlink dishy :p .
What about participating in John McMasters reverse engineering of the XGecu programmer?
@@DJChol wow didn't know about this project! I currently use the xgecu software in wine. I'll look into this project!
How about something that requires fault injection/voltage glitching. For example to bypass rdp protection on an stm32. Hooking up to a uart shell or a jtag/swd debugger or mounting a filesystem is only so interesting.
I have really been enjoying your videos they are all great! I would love to see you mess around with a DVR for cameras maybe one that is locked and see if you can unlock it? Could probably find one at a goodwill too!
You're not missing much without it ;p better off used for training purposes.
Heres to that hotplate reflow station though
yeah I've been wanting to get some BGA reball stencils and solder paste. This should be a good opportunity.
@@mattbrwn ebay is your friend:)
@@mattbrwn lookup theCarplayAiboxFriends
47:35 run `less` on the files in recover/log
edit: correction
Regarding "typing your password into youtube", why don't you just disable sudo prompting for passwords for users? by default there's a commented out entry in `visudo` that tells you how to do it.
haha yeah that's not a bad idea...
I'm trying to learn about writing firmware to cheap apple clone smartwatches and smartbands but I don't know where to look for tutorials on firmware development for mediatek chips and nrf chips.please guide 🙏
check out the PineTime watch!
www.pine64.org/pinetime/
wiki.pine64.org/wiki/PineTime
Its software and hardware is open source! You would be able to study the HW and SW for your own learning.
@@mattbrwni have seen the pinetime projectbut the hardware is not available easily in my country (India) please give me some course names which u followed
That just sounds like regular embedded firmware development. Find a development board with the same mcu that those cheap devices use, reverse engineer the spi/i2c pinouts for the peripherals, write and test your embedded firmware, and then flash it back onto the chip via jtag/swd assuming those cheap devices expose those debuggers
What sources or publications did you use?
@mattbrwn still waiting on the detail Matt.
dd means data destroyer ;)
Dude! I thought you have learned the leasson... sunshade hats are for gardening or for harvesting berries in the fields...
Still repairing the roof?
DFU= Direct Firmware Update
30:23 data definition
Block a or block b gotta flash both or itl wreck your day
There’s 36 pins that read that package
probably running FireOS which is a custom version of Android.
ahh ok that makes sense
how about writing this firmware on a new board i mean like cloning cos this one is now a mess
Runs on android
You have GOT to cut out the UHs and UMs. You seem smart, it will be hard but you can do it. Only reason I am not subscribing right now. Well, maybe I will and hope the UHs stop soon ;)
Sei il figlio piccolo di Jim Carrey in the mask??
Disk destroyer aka. "The dd cmd" that will wreck your day.....
Only use if you have a full backup...
dude you look like Jim Carrey
It's called DD because CC is already taken by the C Compiler. #trivia.
edit: you need to learn regexp, no need to run multiple commands when you can one-line it.
for i in `seq 1 13` ; do dd if=/dev/sdc$i of=sdc$i bs=1M ; done - no need for regex, just for loops will do.
Ah regex hell why doth thou taunt me
In the vehicle industry the us uses android, Europe uses android built on linux and russia uses linux
Tell me bro that ,without electronics know ledge u can't do all that
What?
Kidding, right? He demonstrated very basic electronics knowledge. Most of it was in a command line inside of linux unpacking binaries. The only electronics knowledge you need is identifying things like UART/the chips similar in the video. Literally doesn't go past that. Desoldering chips is easy. You point a hot air gun at them and you wait until they pop off.
You need far more linux knowledge for this stuff.
No hacking is not easy. Programming and dealing with software design and code in general is hard topic to grok when even a small amount of complexity is involved.
In 1974, the dd command appeared as part of Version 5 Unix. According to Dennis Ritchie, the name is an allusion to the DD statement found in IBM's Job Control Language (JCL), in which it is an abbreviation for "Data Definition".
en.wikipedia.org/wiki/Dd_(Unix)
Well done 👌👏
Share exported DATA for ALL
dufusvision
".dump" in sqlite3 is useful sometimes
TIL! This is perfect. thanks
Bro my 2nd gen echo dot is not working.after connect to the powet it says download an update and after a hour it light ring become purple and not working plz help me bro what i need to now?
🥲