short the device #3
Don't worry, soldering isn't required! Have you already opened the echo? If so, you'll need to use something flat to pry off the RF cap covering the flash chip on the main board. Once you've done that, use a piece of aluminium foil or anything conductive and use it to short the contacts in the area I put the red box around to ground (the surrounding metal mounting for the RF lid is connected to ground). The script will then detect it once you plug it in with the short in place. You'll only have to do this part once unless you get an OTA update; you can then assemble it again. If you have any issues, please let me know! |
Thank you for the quick reply! What I did was connecting the bigger part left beside C52 with some ground (maybe just tried some invalid aluminium parts here) using a male-male GPIO pin cable and then attached the device to USB and started your tool. It idled with "Waiting for bootrom", so I guess my ground was invalid :) Thank you again for your friendly help! |
No problem! Just a thought, maybe try plugging in the USB after running the tool; it checks for new devices, so it may be that although the OS had found the serial port, the script didn't because it was already attached. A jumper cable should work fine; all it does is short the power rails so that the chip can't be accessed and it boots into a fallback mode. |
Thank you, the suggestion to leave the program running while fighting against my fat fingers was good :) After several attempts I had (mostly) success:
As there is no "backup" directory in pwd, I'll try to reproduce a successful handshake after having created it and report back :) |
creating a
no dice so far while trying to get another handshake to test if this is reproducible.
Sorry about that first error, that is now fixed (you'll have to clone the repo again). The crypto error happens quite often; it seems to be if the preloader manages to boot further than expected. You can safely ignore it and maybe try shorting the flash again if it happens. I'll try to add some error handling for that, I wasn't sure if it was just my device. Also the backup directory is my fault, I didn't notice that git had ignored it when pushing because it was empty, I'll add that too. |
Thank you for the quick bump! Just re-tried with 2643210 and got pretty far:
not sure yet in which state the device is :) |
sorry for the noise... |
No problem, that is strange though. There should be some data at 0x363? It is used to say which slot the echo uses. Would you mind telling me the size of misc.bin? If it still doesn't work after retrying, try with the latest commit; it shouldn't make a difference but it's worth a try. |
just retried with 45ee316, but no difference unfortunately. |
I am so sorry, I think I've found the issue and sorted it in commit 1f3ee6d; it seems that the length of the file to dump wasn't defined so it was defaulting to zero. I'm so sorry for all of these issues; whilst I have tested it, I think I already had the files dumped from reverse engineering the device. |
Wow, that was quick! Thank you very much for your excellent support and work again! Just tried with the latest commit and I can confirm the misc.bin issue is fixed (524800 bytes now). I stumbled over another error, though:
Please let me know if you need anything else :) |
That's interesting, would you please email the misc.bin file to me at dragon863.dev@gmail.com ? I would ask you to upload it here, but I'm not sure about copyright issues. It seems that the script is unable to verify which slot is being used; it will be possible to do this manually, but I'd like to be able to determine why it isn't working. |
That's all I need, thanks. It seems that the slot info is at a different offset on your echo, I'm not sure why that would be. Seeing as 8F is greater than 3E, it is safe for you to comment out lines 231 to 238 in |
Thanks! My echo was sold as new and indeed it looked completely unused. Maybe that's the reason(?). Now I get
I guess formatting should be fine, though:
I think I might know what is happening. You mentioned that your echo was in almost factory condition; older echo dots were shipped with FireOS 5 before they were updated to the newer FireOS 6, based on Android Jellybean rather than Lollipop. It is possible to root your device on this older software version, but if you want to use this tool it would be much easier if you could use the restore option in the CLI to rewrite the original preloader, then ask Alexa to check for updates and try rooting again on FireOS 6. |
Hmm, thanks for your analysis! I have to admit that I'm not too keen on setting up Alexa and/or depending on some Amazon services, even if it is temporary. |
That's fine, I completely understand that. I've just fixed another error, the partition name wouldn't have .bin in it. Assuming your echo is on FireOS 6, you can potentially pull the latest changes and try again. Sorry for all the errors, I should've spotted them before. |
Thanks @viraniac , it seems we commented at the same time! |
Thank you both! :) |
Sorry! Pushed now :) |
Was worth a try, but unfortunately it seems like my OS is too old indeed - I also get this error
which likely can be fixed with
(so basically the |
with the bin suffix fixed I get:
(aborting here :)) |
Would you mind emailing the lk please? I'll be able to check what version it is and if the patch is safe in less than an hour |
Yeah, the code seems to be hardcoded for two lk versions. So you have to either update or modify the code. |
I just bought another used device on eBay and will keep on testing with that instead when it arrives :) |
To patch lk, all that needs to be done is find '10b5 c0b0 0021 4ff4' and replace it with '0120 7047 0021 4ff4'. That's the only change needed. And that's version agnostic; works with both 5.x and 6.x firmwares so far. So if you can get your lk to dump, you can make that change manually and flash it again.
Didn't you change that to be lk_a.bin in the previous comment? Just making sure you are checking the correct file. |
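A small checker for the byte-level change viraniac describes above, added here as an example; it is not code from the issue thread or from the rooting tool. It reports whether a dumped lk image still contains the original 8-byte sequence, already contains the replaced one, or neither, and it only produces a patched copy when the original sequence occurs exactly once, since a second hit would mean the pattern is not unique in that build and the "version agnostic" assumption above does not hold for it. The function names, the `--write` flag and the sample image bytes are constructed for this example; the two hex sequences are the ones quoted in the comment.

```python
"""Classify a dumped lk image against the two byte sequences quoted in the
thread, and optionally produce a patched copy (example code, not the
project's own tooling)."""
import argparse
import sys

# Sequences exactly as quoted in the thread (little-endian Thumb-2 halfwords).
# Reading added here: 10b5 = push {r4, lr}, c0b0 = sub sp, #0x100, 0021 = movs r1, #0;
# 0120 = movs r0, #1, 7047 = bx lr. The replacement makes the function return 1 at once.
ORIGINAL = bytes.fromhex("10b5c0b000214ff4")
PATCHED = bytes.fromhex("0120704700214ff4")


def classify_lk(image: bytes) -> dict:
    """Count non-overlapping hits of the original and patched sequences."""
    return {"original": image.count(ORIGINAL), "patched": image.count(PATCHED)}


def describe(counts: dict) -> str:
    """Human-readable verdict for a classify_lk() result."""
    if counts["original"] == 1 and counts["patched"] == 0:
        return "unpatched lk, pattern found once"
    if counts["original"] == 0 and counts["patched"] == 1:
        return "already patched lk"
    if counts["original"] == 0 and counts["patched"] == 0:
        return "pattern not found, this lk build is not covered"
    return "ambiguous: pattern is not unique in this image, do not patch blindly"


def apply_patch(image: bytes) -> bytes:
    """Return a patched copy, refusing unless the original occurs exactly once."""
    n = image.count(ORIGINAL)
    if n != 1:
        raise ValueError(f"expected exactly one match of the original sequence, found {n}")
    out = image.replace(ORIGINAL, PATCHED)
    assert len(out) == len(image)  # an 8-byte in-place swap must not change the size
    return out


# Constructed sample "image": filler with the original sequence embedded once.
SAMPLE_LK = b"\x00" * 64 + ORIGINAL + b"\xff" * 64


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="check or patch a dumped lk image")
    parser.add_argument("image", help="path to the dumped lk (e.g. lk_a.bin)")
    parser.add_argument("--write", metavar="OUT", help="write a patched copy to OUT")
    args = parser.parse_args(argv)

    with open(args.image, "rb") as fh:
        image = fh.read()
    counts = classify_lk(image)
    print(f"{args.image}: {describe(counts)} ({counts})")

    if args.write:
        try:
            patched = apply_patch(image)
        except ValueError as exc:
            print(f"refusing to write: {exc}", file=sys.stderr)
            return 1
        with open(args.write, "wb") as fh:
            fh.write(patched)
        print(f"patched copy written to {args.write}; original left untouched")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it first without `--write` to see the verdict for a dump; the original file is never modified, so a dump kept as a backup stays usable for the restore step mentioned earlier in the thread.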
Makes sense. I haven't deleted that file yet, you can redownload it from the previously shared link. |
thanks, I kept a backup though :) just pulling
Interesting. So the version I suggested yesterday for the preloader for restoration is your actual version. That's a nice coincidence :) |
before I paste the whole stdout, should I worry about publishing any possible device specific data returned by the grep? I guess the |
You can clean it up if you want and only share the URLs.
Depends on how they end. The interesting bit is not the domain name but what comes after.
thanks for your patience :) here we go:
Please let me know if you require anything else! edit: I thought you might have the URLs already, because you already have the 5.5.5.4 URL. |
This seems new |
Nice, I'll provide the same data for the other device as soon as I have root access. |
Yay, I have a version from my 2nd new dot:
Doesn't have any match though. |
What strings do you get that start with http:// or https:// ? |
I knew you'd ask this :)
Might be interesting as well. |
can you share the output of |
The dot is opened up on the bench with a piece of foil shorting out c52. |
@frostworx That sucks. I saw the preprod in the URL and was hoping that is a developer device. @Billybangleballs No, if you had it shorted correctly, it will not show the blue light. |
@frostworx how old is that firmware |
The oldest OTA I have is from Dec 2016, followed by one from July 2019. It's a shame we don't have the URL for this one. It would have been one of the oldest firmwares. |
Just saw this in dmesg :)
It's still there in the latest 6.5.6.0 image. So I guess they never disabled it. |
Anyway, I think we can close this. If anyone has any issues, they can start a new issue. |
I think I've broken the dot, it doesn't work anymore, I shall have to go and check eBay for another one. |
@Billybangleballs Did the rooting process get completed? Can you share the output of the rooting process? Also, have you tried booting using mtkclient like the readme asks you to do? |
[18:55:33] Waiting for bootrom So that is as far as I got. |
@Billybangleballs Just confirming that you are following proper steps
Exactly in that order. Please confirm that you are not plugging in the echo dot first and then running the script. Also, that capacitor and the other surface-mounted parts beside it are extremely fragile and can easily be knocked off, so make sure you are not putting too much pressure on them when trying to short the capacitor. |
@Billybangleballs, it would make sense if you opened a separate issue for that, as this one was closed. |
@frostworx I had the same idea about 12 hours ago ;) |
Hi there,
First of all, thanks for this promising project! :)
I bought an Echo Dot 2 just to try it and it arrived earlier today.
Unfortunately, I have to admit that I'm a bit lost already with rooting the device.
It could be opened up easily, but I'm not sure how to follow these instructions:
INFO: Please short the device as shown in the image at https://dragon863.github.io/blog/mainboard.jpg
My first guess, to simply ground it somewhere while plugging it into USB, was apparently wrong (would have been too easy :)), so I'm afraid I'll have to communicate through the tiny pins shown here:
https://forum.xda-developers.com/t/amazon-echo-dot-2-locked-hardware.3512349/#post-77059942
right?
The URL to the "set of slides" below the picture is 404 btw, but the good old Wayback Machine has a copy:
https://web.archive.org/web/20190926005232/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498230402.pdf
Would be great if you had a pointer in the right direction on how to short the device
(still have (low) hopes that high precision soldering is not required :))