
short the device #3

Closed
frostworx opened this issue Aug 3, 2023 · 134 comments

Comments

@frostworx

Hi there,
First of all, thanks for this promising project! :)

I bought an echo dot2 just to try it and it arrived earlier today.
Unfortunately, I have to admit that I'm a bit lost already with rooting the devices.
It could be opened up easily, but I'm not sure how to follow those instructions:

INFO: Please short the device as shown in the image at https://dragon863.github.io/blog/mainboard.jpg

My first guess to simply ground it somewhere while plugging it into usb was apparently wrong (would have been too easy :)) so I'm afraid I'll have to communicate through the tiny pins shown here:

https://forum.xda-developers.com/t/amazon-echo-dot-2-locked-hardware.3512349/#post-77059942

right?

The url to the "set of slides" below the picture is 404 btw, but the good old wayback machine has a copy:

https://web.archive.org/web/20190926005232/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498230402.pdf

Would be great if you had a pointer into the right direction on how to short the device
(still have (low) hopes that high precision soldering is not required :))

@Dragon863
Owner

Don't worry, soldering isn't required! Have you already opened the echo? If so, you'll need to use something flat to pry off the RF cap covering the flash chip on the main board. Once you've done that, use a piece of aluminium foil or anything conductive and use it to short the contacts in the area I put the red box around to ground (the surrounding metal mounting for the RF lid is connected to ground). The script will then detect it once you plug it in with the short in place. You'll only have to do this part once unless you get an OTA update, you can then assemble it again. If you have any issues, please let me know!

@frostworx
Author

Thank you for the quick reply!
Yay, glad to hear soldering is not required :) \o/
Yes, I already opened the device and removed the RF cap, sorry for not having mentioned it earlier.

What I did was connecting the bigger part left besides C52 with some ground (maybe just tried some invalid aluminium parts here) using a male-male gpio pin cable and then attached the device to usb and started your tool. It idled with "Waiting for bootrom", so I guess my ground was invalid :)
I'll report back when I have success (next try possibly not before tomorrow though).

Thank you again for your friendly help!

@Dragon863
Owner

No problem! Just a thought, maybe try plugging in the usb after running the tool, it checks for new devices so it may be that although the OS had found the serial port, the script didn't because it was already attached. A jumper cable should work fine, all it does is short the power rails so that the chip can't be accessed so it boots into a fallback mode.

@frostworx
Author

Thank you, the suggestion to leave the program running while fighting against my fat fingers was good :)

After several attempts I had (mostly) success:

[17:12:33] Waiting for bootrom
[17:12:49] Found port = /dev/ttyACM0
[17:12:49] Handshake
[17:12:49] Disable watchdog
[17:12:49] handshake success!

 * * * Remove the short and press Enter * * * 


[17:13:00] Init crypto engine
[17:13:00] Disable caches
[17:13:00] Disable bootrom range checks
[17:13:00] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[17:13:00] Send payload
[17:13:00] Let's rock
[17:13:00] Wait for the payload to come online...
[17:13:01] all good
[17:13:01] Check GPT
Partitions:
{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), 'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), 'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), 'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), 'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), 'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}

Would you like to root your device, or restore it?
[root/restore] > root
[17:13:10] SUCCESS: Dumped misc.bin from device.
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 204, in main
    shutil.copyfile("misc.bin", "backup/misc.bin")
  File "/usr/lib/python3.11/shutil.py", line 258, in copyfile
    with open(dst, 'wb') as fdst:
         ^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: 'backup/misc.bin'

As there is no "backup" directory in pwd, I'll try to reproduce a successful handshake after having created it and report back :)

@frostworx
Author

creating a backup dir within EchoCLI/internal/amonet brought me a bit further, but still not to the end:


Would you like to root your device, or restore it?
[root/restore] > root
[17:53:16] SUCCESS: Dumped misc.bin from device.
[17:53:16] INFO: Backed up misc partition...
[17:53:16] INFO: 
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...
        

[17:53:28] FAIL: Failed to dump backup/preloader.bin
[17:53:28] INFO: Backed up preloader...
[17:53:28] INFO: Clearing preloader header
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 216, in main
    flash_data(
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 68, in flash_data
    log_info("[{} / {}]".format(x + 1, blocks), end="\r")
TypeError: log_info() got an unexpected keyword argument 'end'

no dice so far while trying to get another handshake to test if this is reproducible.
got some crypto related error in between in case this is interesting:

[18:00:39] Found port = /dev/ttyACM0
[18:00:39] Handshake
[18:00:39] Disable watchdog
[18:00:39] handshake success!

 * * * Remove the short and press Enter * * * 
 
[18:00:44] Init crypto engine
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 163, in main
    load_payload(dev, "brom-payload/build/payload.bin")
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/load_payload.py", line 85, in load_payload
    init(dev)
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/load_payload.py", line 9, in init
    dev.write32(CRYPTO_BASE + 0x0C0C, 0)
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/common.py", line 139, in write32
    self.check(self.dev.read(1), b'\xd4') # echo cmd
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/common.py", line 84, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch

@Dragon863
Owner

Sorry about that first error, that is now fixed (you'll have to clone the repo again). The crypto error happens quite often, it seems to be if the preloader manages to boot further than expected, you can safely ignore it and maybe try shorting the flash again if it happens. I'll try to add some error handling for that, I wasn't sure if it was just my device. Also the backup directory is my fault, I didn't notice that git had ignored it when pushing because it was empty, I'll add that too.

@frostworx
Author

Thank you for the quick bump!

just re-tried with 2643210 and got pretty far:

[18:56:26] Waiting for bootrom
[18:56:37] Found port = /dev/ttyACM0
[18:56:37] Handshake
[18:56:37] Disable watchdog
[18:56:37] handshake success!

 * * * Remove the short and press Enter * * * 


[18:56:41] Init crypto engine
[18:56:41] Disable caches
[18:56:41] Disable bootrom range checks
[18:56:41] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[18:56:41] Send payload
[18:56:42] Let's rock
[18:56:42] Wait for the payload to come online...
[18:56:42] all good
[18:56:42] Check GPT
Partitions:
{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), 'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), 'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), 'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), 'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), 'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}

Would you like to root your device, or restore it?
[root/restore] > root
[18:56:46] SUCCESS: Dumped misc.bin from device.
[18:56:46] INFO: Backed up misc partition...
[18:56:46] INFO: 
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...
        

[18:57:12] SUCCESS: Dumped backup/preloader.bin from device.
[18:57:12] INFO: Backed up preloader...
[18:57:12] INFO: Clearing preloader header
[8 / 8]
[18:57:34] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 230, in main
    data[3] > data[4]
    ~~~~^^^
IndexError: index out of range
Select an option: > ^X^CTraceback (most recent call last):
  File "/media/nvme/sources/2023/07/EchoCLI/main.py", line 4, in <module>
    instance = CLI(args=sys.argv[1:])
               ^^^^^^^^^^^^^^^^^^^^^^
  File "/media/nvme/sources/2023/07/EchoCLI/cli.py", line 28, in __init__
    self.init_arguments(args)
  File "/media/nvme/sources/2023/07/EchoCLI/cli.py", line 55, in init_arguments
    self.main()
  File "/media/nvme/sources/2023/07/EchoCLI/cli.py", line 89, in main
    rooting_tools.root_menu(self)
  File "/media/nvme/sources/2023/07/EchoCLI/internal/rooting_tools.py", line 13, in root_menu
    option = str(input("\033[36mSelect an option:\x1b[0m > "))
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

not sure yet in which state the device is :)

@frostworx
Author

sorry for the noise...
just found that misc.bin has zero bytes (also in backup dir)

@Dragon863
Owner

Dragon863 commented Aug 3, 2023

No problem, that is strange though. There should be some data at 0x363? It is used to say which slot the echo uses. Would you mind telling me the size of misc.bin? If it still doesn't work after retrying, try with the latest commit, it shouldn't make a difference but it's worth a try

@frostworx
Author

just retried with 45ee316, but no difference unfortunately.
the (previously removed) 0 bytes misc.bin files were re-created again with 0 bytes

@Dragon863
Owner

I am so sorry, I think I've found the issue and sorted it in commit 1f3ee6d , it seems that the length of the file to dump wasn't defined so it was defaulting to zero. I'm so sorry for all of these issues, whilst I have tested it I think I already had the files dumped from reverse engineering the device.

@frostworx
Author

Wow, that was quick! Thank you very much for your excellent support and work again!

Just tried with latest commit and I can confirm the misc.bin issue is fixed (524800 bytes now)

I stumbled over another error, though:

[18:56:41] Init crypto engine
[18:56:41] Disable caches
[18:56:41] Disable bootrom range checks
[18:56:41] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[18:56:41] Send payload
[18:56:42] Let's rock
[18:56:42] Wait for the payload to come online...
[18:56:42] all good
[18:56:42] Check GPT
Partitions:
{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), 'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), 'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), 'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), 'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), 'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}

Would you like to root your device, or restore it?
[root/restore] > root
[18:56:46] SUCCESS: Dumped misc.bin from device.
[18:56:46] INFO: Backed up misc partition...
[18:56:46] INFO: 
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...
        

[18:57:12] SUCCESS: Dumped backup/preloader.bin from device.
[18:57:12] INFO: Backed up preloader...
[18:57:12] INFO: Clearing preloader header
[8 / 8]
[18:57:34] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 230, in main
    data[3] > data[4]
    ~~~~^^^
IndexError: index out of range

Please let me know if you need anything else :)

@Dragon863
Owner

That's interesting, would you please email the misc.bin file to me at dragon863.dev@gmail.com? I would ask you to upload it here, but I'm not sure about copyright issues. It seems that the script is unable to verify which slot is being used, it will be possible to do this manually but I'd like to be able to determine why it isn't working.

@frostworx
Author

frostworx commented Aug 3, 2023

The relevant part in the hex editor should be:
[screenshot: 2023-08-03-193128_1188x28_scrot]

You just replied simultaneously. I'll send you the misc.bin in a sec. done :)

@Dragon863
Owner

Dragon863 commented Aug 3, 2023

That's all I need, thanks. It seems that the slot info is at a different offset on your echo, I'm not sure why that would be. Seeing as 8F is greater than 3E, it is safe for you to comment out lines 231 to 238 in internal/amonet/amonet/__init__.py and add slot="a" on 239

@frostworx
Author

thanks! My echo was sold as new and indeed it looked completely unused. maybe that's the reason(?).

Now I get

[19:43:18] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 240, in main
    dump_binary(dev, f"lk_{slot}.bin", gpt[f"lk_{slot}.bin"][0])
                                       ~~~^^^^^^^^^^^^^^^^^^
KeyError: 'lk_a.bin'

I guess formatting should be fine, though:

...
#        slot = "b"
    slot = "a"
    dump_binary(dev, f"lk_{slot}.bin", gpt[f"lk_{slot}.bin"][0])
...

@Dragon863
Owner

I think I might know what is happening. You mentioned that your echo was in almost factory condition; older echo dots were shipped with FireOS 5 before they were updated to the newer FireOS 6, based on Android Jellybean rather than Lollipop. It is possible to root your device on this older software version, but if you want to use this tool it would be much easier if you could use the restore option in the CLI to rewrite the original preloader, and then ask Alexa to check for updates and try rooting again on FireOS 6.

@frostworx
Author

hmm, thanks for your analysis!

I have to admit that I'm not too keen on setting up Alexa and/or depending on some amazon services even if it is temporarily.
I'd guess I'll have to sleep over it first :)

@viraniac
Contributor

viraniac commented Aug 3, 2023

gpt[f"lk_{slot}.bin"][0] that looks like a bug. Remove .bin from there. gpt only has lk_a or lk_b. There is no .bin suffix there

@Dragon863
Owner

That's fine, I completely understand that. I've just fixed another error, the partition name wouldn't have .bin in it. Assuming your echo is on FireOS 6, you can potentially pull the latest changes and try again. Sorry for all the errors, I should've spotted them before.

@Dragon863
Owner

Thanks @viraniac , it seems we commented at the same time!

@frostworx
Author

thank you both! :)
seems like you haven't pushed your changes though, @Dragon863.
I'll test it $manually shortly

@Dragon863
Owner

Sorry! Pushed now :)

@frostworx
Author

was worth a try, but unfortunately, it seems like my os is too old indeed -
the file lk_a has 0 bytes.

I also get this error

[20:10:12] INFO: Clearing preloader header
[8 / 8]
[20:10:35] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
[20:10:35] SUCCESS: Dumped lk_a from device.
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 241, in main
    shutil.copyfile(f"lk_{slot}.bin", f"backup/lk_{slot}.bin")
  File "/usr/lib/python3.11/shutil.py", line 256, in copyfile
    with open(src, 'rb') as fsrc:
         ^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: 'lk_a.bin'

which likely can be fixed with

dump_binary(dev, f"lk_{slot}.bin", gpt[f"lk_{slot}"][0])

(so basically the .bin suffix was just appended at the wrong position previously)
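The two failures discussed in this thread (the `IndexError` from `data[3] > data[4]` when misc.bin was empty, and the `KeyError: 'lk_a.bin'` / `FileNotFoundError: 'lk_a.bin'` pair from putting the `.bin` suffix on the wrong side of the GPT lookup) are both lookups done without a check in front of them. The following is an added example, not code from EchoCLI or amonet, showing how those pre-flight checks could look. It assumes the slot marker is two adjacent bytes at offset 0x363 of misc.bin and that slot "a" is chosen when the first byte is larger (mirroring "8F is greater than 3E, so slot a" above); that rule, `SLOT_OFFSET`, `select_slot`, `partition_start` and `plan_lk_dump` are all hypothetical names and assumptions for illustration. The partition table is the one the tool printed earlier in the thread.

```python
from typing import Dict, Tuple

# Constructed sample: the partition table amonet printed in this thread,
# name -> (start LBA, size in 512-byte sectors). Keys carry no ".bin" suffix.
GPT: Dict[str, Tuple[int, int]] = {
    'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048),
    'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240),
    'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768),
    'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768),
}

# Assumption: the slot marker is two adjacent bytes at this offset (the owner
# mentions 0x363 above). A full misc dump is 1025 sectors = 524800 bytes.
SLOT_OFFSET = 0x363


def select_slot(misc: bytes, offset: int = SLOT_OFFSET) -> str:
    """Return boot slot "a" or "b" from a misc dump, refusing short or empty dumps.

    Hypothetical rule, mirroring the thread: slot "a" when misc[offset] > misc[offset+1].
    A zero-length dump (the bug fixed in 1f3ee6d) fails here with a clear message
    instead of an IndexError deep inside the flashing code.
    """
    needed = offset + 2
    if len(misc) < needed:
        raise ValueError(
            f"misc dump is {len(misc)} bytes, need at least {needed}; "
            "was the dump length passed to the read routine?"
        )
    first, second = misc[offset], misc[offset + 1]
    return "a" if first > second else "b"


def partition_start(gpt: Dict[str, Tuple[int, int]], name: str) -> int:
    """Start LBA of a partition, with an error that lists the valid names."""
    if name not in gpt:
        raise KeyError(f"no partition {name!r}; known partitions: {sorted(gpt)}")
    return gpt[name][0]


def plan_lk_dump(gpt: Dict[str, Tuple[int, int]], misc: bytes) -> Tuple[str, int]:
    """Resolve (output filename, start LBA) for the LK partition of the active slot."""
    slot = select_slot(misc)
    part = f"lk_{slot}"                     # GPT key: no suffix
    return f"{part}.bin", partition_start(gpt, part)  # the suffix belongs on the file only
```

`plan_lk_dump` is the point of the example: the partition name and the output file name are built once, side by side, so the two can never drift apart the way they did in the thread, and any later `shutil.copyfile` finds the file that was actually written.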

@frostworx
Author

with the bin suffix fixed I get:

[20:17:40] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
[20:17:40] SUCCESS: Dumped lk_a.bin from device.
[20:17:40] INFO: Backed up LK a partition...
[20:17:40] WARN: 
                Could not detect LK version. Try updating your device using an OTA, or the official app if this method has not yet been patched. Press enter to continue, or press Ctrl+C to abort (safer).

(aborting here :))

@Dragon863
Owner

Would you mind emailing the lk please? I'll be able to check what version it is and if the patch is safe in less than an hour

@viraniac
Contributor

viraniac commented Aug 3, 2023

with the bin suffix fixed I get:

[20:17:40] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
[20:17:40] SUCCESS: Dumped lk_a.bin from device.
[20:17:40] INFO: Backed up LK a partition...
[20:17:40] WARN: 
                Could not detect LK version. Try updating your device using an OTA, or the official app if this method has not yet been patched. Press enter to continue, or press Ctrl+C to abort (safer).

(aborting here :))

Yeah the code seems to be hardcoded for two lk versions. So you have to either update or modify the code

@frostworx
Author

the lk_a is 0 byte, so mailing it wouldn't make much sense :)

just bought another used device on ebay and will keep on testing with that instead when it arrives :)

@viraniac
Contributor

viraniac commented Aug 3, 2023

To patch lk, all that needs to be done is find '10b5 c0b0 0021 4ff4' and replace it with '0120 7047 0021 4ff4'. That's the only change needed. And that's version agnostic. Works with both 5.x and 6.x firmwares so far. So if you can get your lk to dump, you can make that change manually and flash it again

@viraniac
Contributor

viraniac commented Aug 3, 2023

the lk_a is 0 byte, so mailing it wouldn't make much sense :)

didn't you change that to be lk_a.bin in the previous comment? Just making sure you are checking the correct file

@viraniac
Contributor

viraniac commented Aug 6, 2023

makes sense. I haven't deleted that file yet, you can redownload from the previously shared link

@frostworx
Author

thanks, I kept a backup though :)
adb works fine now, but my system seems to be a bit limited.
there is no strings or find for example.

just pulling /dev/block/mmcblk0p16, which is the device node

/dev/block/platform/mtk-msdc.0/by-name
using adb pull, no idea if this is meant to be successful, as it already has 1gb.
if it works, I'll get your string from the copy.

grep version.name /system/*.prop
returns
ro.build.version.name=Fire OS 5.5.5.4 (680766420)

@viraniac
Contributor

viraniac commented Aug 6, 2023

Interesting. So the version I suggested yesterday for the preloader for restoration is your actual version. That's a nice coincidence :)

@frostworx
Author

before I paste the whole stdout, should I worry about publishing any possible device specific data returned by the grep?

I guess the 1s31zyz7dcc2d.cloudfront.net urls returned are already known anyway, right? :)

@viraniac
Contributor

viraniac commented Aug 6, 2023

before I paste the whole stdout, should I worry about publishing any possible device specific data returned by the grep?

you can clean it up if you want and only share the urls.

I guess the 1s31zyz7dcc2d.cloudfront.net urls returned are already known anyway, right? :)

Depends on how they end. The interesting bit is not the domain name but what comes after.

@frostworx
Author

frostworx commented Aug 6, 2023

thanks for your patience :)

here we go:

# strings mmcblk0p16 | grep "https.*.biscuit" | sort -u
0https://d1s31zyz7dcc2d.cloudfront.prod.ota-cloudfront.net/47a1457e0802980eb32f63cd3ce355c0/update-kindle-csm_biscuit-272.6.8.0_user_680767620.bin{"binaryType":"full","md5Sum":"805e721e1bed461d8a81015a1f703fc1","remoteFileSize":"396710733","sha256":"6ababc517529938f0d1e836c3410a91df19683ae62d7fca9e2ca57320d5d2faa"}
https://d1s31zyz7dcc2d.cloudfront.net/60556d35239d902637f0fc503411b791/update-kindle-csm_biscuit-272.6.7.2_user_672720020.bin/cache/update-kindle-csm_biscuit-272.6.7.2_user_672720020.binbinary/octet-stream
https://d1s31zyz7dcc2d.cloudfront.prod.ota-cloudfront.net/47a1457e0802980eb32f63cd3ce355c0/update-kindle-csm_biscuit-272.6.8.0_user_680767620.bin
https://d1s31zyz7dcc2d.cloudfront.prod.ota-cloudfront.net/47a1457e0802980eb32f63cd3ce355c0/update-kindle-csm_biscuit-272.6.8.0_user_680767620.bin/cache/update-kindle-csm_biscuit-272.6.8.0_user_680767620.binbinary/octet-stream

please let me know if you require anything else!

edit: I thought you might have the urls already, because you already have the 5.5.5.4 url
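The `strings | grep` output above shows why reading OTA references out of a raw partition image needs a little parsing: adjacent strings were stored without separators, so one line can run a package URL straight into its JSON checksum record and then into a MIME type, and the same package appears under several lines. The following is an added example, not part of EchoCLI or of any comment in this thread, that groups those lines by package filename, keeps the `md5Sum`, `sha256` and `remoteFileSize` when a JSON record follows the URL, and offers a constant-time sha256 check for a package you have downloaded. The sample input is the four lines posted above; `parse_ota_strings`, `sha256_matches` and the regex are hypothetical names chosen for this example.

```python
import hashlib
import hmac
import json
import re
from typing import Dict

# Constructed sample: the four lines from
#   strings mmcblk0p16 | grep "https.*.biscuit" | sort -u
# as posted above. Adjacent strings in the image were not separated, so a URL,
# its JSON metadata and a MIME type can all run together on one line.
SAMPLE_STRINGS = """0https://d1s31zyz7dcc2d.cloudfront.prod.ota-cloudfront.net/47a1457e0802980eb32f63cd3ce355c0/update-kindle-csm_biscuit-272.6.8.0_user_680767620.bin{"binaryType":"full","md5Sum":"805e721e1bed461d8a81015a1f703fc1","remoteFileSize":"396710733","sha256":"6ababc517529938f0d1e836c3410a91df19683ae62d7fca9e2ca57320d5d2faa"}
https://d1s31zyz7dcc2d.cloudfront.net/60556d35239d902637f0fc503411b791/update-kindle-csm_biscuit-272.6.7.2_user_672720020.bin/cache/update-kindle-csm_biscuit-272.6.7.2_user_672720020.binbinary/octet-stream
https://d1s31zyz7dcc2d.cloudfront.prod.ota-cloudfront.net/47a1457e0802980eb32f63cd3ce355c0/update-kindle-csm_biscuit-272.6.8.0_user_680767620.bin
https://d1s31zyz7dcc2d.cloudfront.prod.ota-cloudfront.net/47a1457e0802980eb32f63cd3ce355c0/update-kindle-csm_biscuit-272.6.8.0_user_680767620.bin/cache/update-kindle-csm_biscuit-272.6.8.0_user_680767620.binbinary/octet-stream
"""

# One package URL (up to the first ".bin"), optionally followed directly by a
# flat JSON object carrying its checksums. Quotes and braces end the URL.
OTA_RE = re.compile(r'(https?://[^\s"{}]+?\.bin)(\{[^{}]*\})?')


def parse_ota_strings(text: str) -> Dict[str, dict]:
    """Group OTA URLs by package filename, keeping any checksum metadata next to them."""
    packages: Dict[str, dict] = {}
    for line in text.splitlines():
        for url, blob in OTA_RE.findall(line):
            name = url.rsplit("/", 1)[-1]
            rec = packages.setdefault(
                name, {"urls": set(), "md5": None, "sha256": None, "size": None}
            )
            rec["urls"].add(url)
            if not blob:
                continue
            try:
                meta = json.loads(blob)
            except json.JSONDecodeError:
                continue  # something else followed the URL; keep the URL only
            rec["md5"] = meta.get("md5Sum", rec["md5"])
            rec["sha256"] = meta.get("sha256", rec["sha256"])
            size = meta.get("remoteFileSize")
            if isinstance(size, str) and size.isdigit():
                rec["size"] = int(size)
    return packages


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare a downloaded package against the sha256 recorded in the image (constant time)."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


if __name__ == "__main__":
    for name, rec in parse_ota_strings(SAMPLE_STRINGS).items():
        print(name, "size=", rec["size"], "sha256=", rec["sha256"])
        for u in sorted(rec["urls"]):
            print("   ", u)
```

Run stand-alone it lists the two packages found in the sample, one with a full checksum record and one (the 272.6.7.2 build) with a URL only; for the latter there is nothing in the image to verify a download against, which is worth knowing before trusting a file pulled from it.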

@viraniac
Contributor

viraniac commented Aug 6, 2023

This seems new https://d1s31zyz7dcc2d.cloudfront.net/60556d35239d902637f0fc503411b791/update-kindle-csm_biscuit-272.6.7.2_user_672720020.bin The other one is just 5.5.5.4

@frostworx
Author

nice, I'll provide the same data for the other device, as soon as I have root access

@frostworx
Author

yay, I have a version from my 2nd new dot:

root@biscuit:/ # grep version.name /system/*.prop
ro.build.version.name=Fire OS 5.5.2.1 (601481420)

strings mmcblk0p16 | grep "http.*.biscuit" | sort -u

doesn't have any match though.
is there anything else which might be interesting?

@viraniac
Contributor

viraniac commented Aug 6, 2023

What strings do you get that start with http:// or https://?

@frostworx
Author

I knew you'd ask this :)
here we go:

# strings mmcblk0p16 | grep "http:\|https:" | sort -u
    <a href="http://download.oracle.com/javase/6/docs/api/java/util/zip/CRC32.html">CRC-32 Documentation</a>
    <class value="AuthenticatedDeviceGetUpdatesQueryInput:http://internal.amazon.com/coral/com.amazon.devicesoftwaretracking/"/>
    <class value="BaseInstalledSoftwareComponentDetails:http://internal.amazon.com/coral/com.amazon.devicesoftwaretracking/"/>
    <class value="DeviceInstalledSoftwareComponentDetails:http://internal.amazon.com/coral/com.amazon.devicesoftwaretracking/"/>
    <class value="GetSoftwareComponentDetailsForOtaGroupInput:http://internal.amazon.com/coral/com.amazon.devicesoftwaretracking/"/>
    <class value="PaginatedSoftwareComponentDetailsForOtaGroup:http://internal.amazon.com/coral/com.amazon.devicesoftwaretracking/"/>
    <class value="SoftwareComponentDependenciesContainer:http://internal.amazon.com/coral/com.amazon.devicesoftwaretracking/"/>
    <class value="SoftwareComponentVersionCodeContainer:http://internal.amazon.com/coral/com.amazon.devicesoftwaretracking/"/>
    <class value="SoftwareComponentVersionListContainer:http://internal.amazon.com/coral/com.amazon.devicesoftwaretracking/"/>
    <class value="UnauthenticatedDeviceGetUpdatesQueryInput:http://internal.amazon.com/coral/com.amazon.devicesoftwaretracking/"/>
    <class value="UnauthenticatedDeviceTypeListContainer:http://internal.amazon.com/coral/com.amazon.devicesoftwaretracking/"/>
  https://w.amazon.com/index.php/DevicePlatform/DeviceRegistry
  https://w.amazon.com/index.php/Digital/Delivery/Messaging/Authentication
  https://w.amazon.com/index.php/Digital/Delivery/Messaging/FAQ#How_unique_do_message_IDs_have_to_be_on_the_device.3F
  https://w.amazon.com/index.php/Digital/Delivery/Messaging/Interface#Delivery_Options
  https://w.amazon.com/index.php/Digital/Delivery/Messaging/Interface#Endpoint
  https://w.amazon.com/index.php/Digital/Delivery/Messaging/Interface#Message
  https://w.amazon.com/index.php/Digital/Delivery/Messaging/Interface#Message_Metadata
  https://w.amazon.com/index.php/Digital/Delivery/Messaging/Interface#Response
  https://w.amazon.com/index.php/Digital/Delivery/Messaging/Interface#Status_Codes
  https://w.amazon.com/index.php/Digital/Delivery/Messaging/TransportProtocols/WebServiceHTTP#Response_2
  https://w.amazon.com/index.php?title=IdentityServices/DirectedIDs
 http://specs.openid.net/auth/2.0
!https://det-ta-g7g.amazon.com:443
!sdcdurl.cde.tahttps://cde-ta-g7g.amazon.com/FionaCDEServiceEngine>
#9dcdurl.websitehttps://www.amazon.com7
#]dcdurl.firs.tahttps://firs-ta-g7g.amazon.com/FirsProxy4
#odcdurl.todo.tahttps://todo-ta-g7g.amazon.com/FionaTodoListProxy=
$http://d3h5bk8iotgjvw.cloudfront.net
$http://www.amazon.com/ap/ext/oauth/2
$https://api.amazon.com/auth/O2/token
$https://dp-mont.integ.amazon.com:443
%9dcdurl.wsync.v2https://api.amazon.com)
%odcdurl.kdk.subshttps://kdk-ws.amazon.com/SubscriptionStatusProxy.
&https://identity-snds.amazon.com/snds/
'http://clients3.google.com/generate_204
'https://android.googleapis.com/gcm/send
'https://det-ta-g7g.integ.amazon.com:443
(https://device-metrics-us.amazon.com:443
)9dcdurl.panda.prodhttps://api.amazon.com6
)Edcdurl.panda.betahttps://api.integ.amazon.comH
)idcdurl.det.unauthhttps://det-ta-g7g.amazon.com/DeviceEventProxy
*https://det-ta-g7g.vipinteg.amazon.com:443
*https://device-metrics-us-2.amazon.com:443
+http://specs.openid.net/extensions/pape/1.0
,http://www.amazon.com/workAroundDcpBlackList
,https://devicemessaging.us-east-1.amazon.com
-]dcdurl.firs.ta.prodhttps://firs-ta-g7g.amazon.com/FirsProxyJ
-idcdurl.firs.ta.betahttps://firs-ta-g7g.integ.amazon.com/FirsProxy-
-odcdurl.todo.ta.prodhttps://todo-ta-g7g.amazon.com/FionaTodoListProxyS
-{dcdurl.todo.ta.betahttps://todo-ta-g7g.integ.amazon.com/FionaTodoListProxy?
/Idcdurl.panda.preprodhttps://api-preprod.amazon.com1
/adcdurl.facebook.authhttps://api.facebook.com/method/auth.loginI
1Ydcdurl.messaging.posthttps://device-messaging-na.amazon.comD
2http://specs.openid.net/auth/2.0/identifier_select
2https://device-messaging-na.amazon.com/GetMessages
2https://graph.facebook.com/oauth/access_token_info
3mdcdurl.firs.ta.preprodhttps://firs-ta-g7g-preprod.amazon.com/FirsProxyE
5dcdurl.dcas.pfmhttps://dcape-na.amazon.com/getCustomerAttribute?version=1_0;preferences=$PREFERENCEB
5https://devicemessaging.us-east-1.amazon.com/messages
5odcddmld.dms.endpointURLhttps://device-metrics-us.amazon.com/metricsBatch7
6https://softwareupdates.amazon.com/software/inventory2
7http://www.amazon.com/ap/specs/auth/confirm_credentials
7https://updates.amazon.com/software/inventory/companion
8http://internal.amazon.com/coral/com.amazon.whisperpush/
8https://api.facebook.com/method/auth.authorizeproxiedapp
9See also http://www.slf4j.org/codes.html#substituteLogger
9dcdurl.odachttps://www.amazon.com
9dcdurl.pandahttps://api.amazon.com)
:https://todo-ta-g7g.amazon.com/FionaTodoListProxy/getItems
<https://api.facebook.com/method/auth.grantextendedpermission
=adcdurl.twitter.access.tokenhttps://api.twitter.com/oauth/access_token1
>http://internal.amazon.com/coral/com.amazon.whisperpush.types/
>https://%s:443/dfu/sign/v1?deviceSerialNumber=%s&deviceType=%s
Adcdurl.grokhttps://kca.amazon.com/kca4

@frostworx
Author

nonsec_gelato_55.bin doesn't have a single Google or GitHub hit here, so maybe:

# strings mmcblk0p16 | grep "\.bin" | sort -u
%sso_data_migrator.bind_timeout_millis
/sdcard/Aspen.bin
0Failed to copy binary file: nonsec_gelato_55.bin
:Binary copied nonsec_gelato_55.bin -> /cache/OZ20A___FWG55
Firmware.bin
_(.*).bin$
_(\d+).bin$
android.binder.objects.death
android.binder.objects.local
android.binder.objects.proxy
batterystats.bin
batterystats.bin.tmp
batterystats.bin_ext	}
com.amazon.client.metrics.bind
entropy.bin
nonsec_gelato_55.bin
stats.bin
stats.bin.bakkak
status.bin
status.bin.bakak

might be interesting as well

@viraniac
Contributor

viraniac commented Aug 6, 2023

can you share the output of cat /proc/cmdline from that 5.5.2.1 device?

@frostworx
Author

frostworx commented Aug 6, 2023

root@biscuit:/ # cat /proc/cmdline
console=tty0 console=ttyS0,921600n1 console=ttyMT0,921600n1 earlycon=uart8250,mmio32,0x11002000 root=/dev/ram vmalloc=496M androidboot.hardware=mt8163 androidboot.unlocked_kernel=true androidboot.rpmb_state=1 androidboot.secure_cpu=1 androidboot.prod=1 androidboot.pl_version=0x0005 androidboot.tee_version=0x0102 androidboot.lk_version=0x0000 androidboot.pl_build_desc=bd7ae89-20221003_215949 androidboot.lk_build_desc=beb022a-20211202_231918 bootopt=64S3,32N2,64N2 androidboot.selinux=enforce androidboot.slot_suffix=_a printk.disable_uart=1 bootprof.pl_t=4150 bootprof.lk_t=3408 boot_reason=0 androidboot.serialno=XXXXXXOBSCUREDXXXXXXX androidboot.bootreason=power_key nt35521_id=0
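The kernel command line posted above carries several androidboot.* values that describe how the device booted. The following is an added example, not code from the thread or the project, that parses such a line into a key/value table and checks the security-relevant entries against a locked-down production expectation; the sample line is a shortened copy of the one above (serial already obscured), and the meaning given to each key in the comments is this example's assumption about MediaTek LK conventions, not something the thread states.

```python
# Added example: summarise boot-security indicators from an Android/MediaTek
# kernel command line. Constructed sample: a subset of the line posted above.
from __future__ import annotations

SAMPLE_CMDLINE = (
    "console=tty0 console=ttyS0,921600n1 root=/dev/ram "
    "androidboot.hardware=mt8163 androidboot.unlocked_kernel=true "
    "androidboot.rpmb_state=1 androidboot.secure_cpu=1 androidboot.prod=1 "
    "androidboot.pl_version=0x0005 androidboot.tee_version=0x0102 "
    "androidboot.selinux=enforce androidboot.slot_suffix=_a "
    "printk.disable_uart=1 androidboot.serialno=XXXXXXOBSCUREDXXXXXXX"
)


def parse_cmdline(cmdline: str) -> dict[str, list[str]]:
    """Split a kernel command line into key -> [values].

    Keys may repeat (several console= entries), so each key maps to a list.
    Bare flags without '=' get the value ''.
    """
    params: dict[str, list[str]] = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        params.setdefault(key, []).append(value)
    return params


# Assumed meanings (not from the thread): value expected on a locked-down
# production unit for each key.
SECURITY_KEYS = {
    "androidboot.secure_cpu": "1",          # secure boot fused on the SoC
    "androidboot.prod": "1",                # production, not engineering, build
    "androidboot.rpmb_state": "1",          # replay-protected memory block in use
    "androidboot.selinux": "enforce",       # SELinux enforcing
    "androidboot.unlocked_kernel": "false",  # 'true' = kernel not verified
    "printk.disable_uart": "1",             # kernel console on UART suppressed
}


def security_report(cmdline: str) -> dict[str, tuple[str | None, bool]]:
    """Return key -> (observed value, True if it matches the expectation)."""
    params = parse_cmdline(cmdline)
    return {
        key: (params.get(key, [None])[-1], params.get(key, [None])[-1] == expected)
        for key, expected in SECURITY_KEYS.items()
    }


if __name__ == "__main__":
    for key, (value, ok) in security_report(SAMPLE_CMDLINE).items():
        print(f"{key:32} {str(value):10} {'ok' if ok else 'NOTE'}")
```

On the sample line every key matches except androidboot.unlocked_kernel=true, which the report flags; run it on a real /proc/cmdline to compare a device against the same expectations.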

@Billybangleballs

The dot is opened up on the bench with a piece of foil shorting out c52.
The terminal says "Waiting for bootrom"
Should the rotating blue led show be happening?
How long do I need to wait?

@viraniac
Contributor

viraniac commented Aug 6, 2023

@frostworx That sucks. I saw the preprod in the URL and was hoping it was a developer device.

@Billybangleballs No, if you have it shorted correctly, it will not show the blue light.

@viraniac
Contributor

viraniac commented Aug 6, 2023

@frostworx how old is that firmware? grep build.date /system/*.prop

@frostworx
Author

root@biscuit:/ #  grep build.date /system/*.prop
ro.build.date=Sat Mar 24 07:18:52 UTC 2018
ro.build.date.utc=1521875932

@viraniac
Contributor

viraniac commented Aug 6, 2023

The oldest OTA I have is from Dec 2016, followed by one from July 2019. It's a shame we don't have a URL for this one. It would have been one of the oldest firmwares.

@frostworx
Author

Just seen this in dmesg: :)

<4>[    0.057735] <0>**********************************************************
<4>[    0.057749] <0> (0)[1:swapper/0][name:trace&]**   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
<4>[    0.057758] <0> (0)[1:swapper/0][name:trace&]**                                                      **
<4>[    0.057767] <0> (0)[1:swapper/0][name:trace&]** trace_printk() being used. Allocating extra memory.  **
<4>[    0.057776] <0> (0)[1:swapper/0][name:trace&]**                                                      **
<4>[    0.057785] <0> (0)[1:swapper/0][name:trace&]** This means that this is a DEBUG kernel and it is     **
<4>[    0.057794] <0> (0)[1:swapper/0][name:trace&]** unsafe for produciton use.                           **
<4>[    0.057803] <0> (0)[1:swapper/0][name:trace&]**                                                      **
<4>[    0.057812] <0> (0)[1:swapper/0][name:trace&]** If you see this message and you are not debugging    **
<4>[    0.057821] <0> (0)[1:swapper/0][name:trace&]** the kernel, report this immediately to your vendor!  **
<4>[    0.057830] <0> (0)[1:swapper/0][name:trace&]**                                                      **
<4>[    0.057839] <0> (0)[1:swapper/0][name:trace&]**   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **

@viraniac
Contributor

viraniac commented Aug 6, 2023

It's still there in the latest 6.5.6.0 image. So I guess they never disabled it.

@viraniac
Contributor

viraniac commented Aug 6, 2023

Anyway, I think we can close this. If anyone has any issues, they can start a new issue.

@viraniac viraniac closed this as completed Aug 6, 2023
@Billybangleballs

I think I've broken the dot, it doesn't work anymore, I shall have to go and check ebay for another one.

@viraniac
Contributor

viraniac commented Aug 6, 2023

@Billybangleballs did the rooting process get completed? Can you share the output of the rooting process?

Also have you tried booting using mtkclient like the readme asks you to do?

@Billybangleballs

[18:55:33] Waiting for bootrom
[19:01:34] Waiting for bootrom
[19:22:11] Waiting for bootrom
[19:24:10] Waiting for bootrom
[20:27:09] Waiting for bootrom
[21:02:20] Waiting for bootrom

So that is as far as I got.
I spent all day installing python3.8, but the amonet code that required it has been changed, so it might work on 3.7 now if I can get the dot to respond.
I'm having to revert python3.8 because it has broken my Pi.
apt-get requires python3.7 and refuses to play with other versions.
I managed to short out the capacitor (no blue LEDs), but the software just waited for a bootrom that never materialised.
So really, I'm no further on than I was last week.
I will take another look next week when I get time.

@viraniac
Contributor

viraniac commented Aug 6, 2023

@Billybangleballs Just confirming that you are following the proper steps:

  1. Run python3 main.py, choose the step for rooting, choose the rooting step again, and follow any other prompts until it reaches the "waiting for bootrom" prompt.
  2. Short the capacitor to ground, and while keeping it shorted,
  3. plug the Echo Dot into the PC or whatever you are using to run the script.

Exactly in that order. Please confirm that you are not plugging in the Echo Dot first and then running the script. Also, that capacitor and the other surface-mounted parts beside it are extremely fragile and can easily be knocked off, so make sure you are not putting too much pressure on it when trying to short the capacitor.

@frostworx
Author

@Billybangleballs, it would make sense if you opened a separate issue for that, as this one was closed.
Good luck!

@Billybangleballs

@frostworx I had the same idea about 12 hours ago ;)

4 participants