Read and write Dash spi flash through wifi

In setup mode the Dash button exposes an open Wi-Fi network named "Amazon ConfigureMe".

When the user configures it, their Wi-Fi credentials are leaked over the open network in an unencrypted HTTP POST:

POST / HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 306

amzn_devid=G030G00553360818&
amzn_macid=t%25C2F%25A8n%252F&
amzn_nonce=%2591%25F2%253E%25AC%25BE%25F7%2523Z4%25D8%25A0%25ED%2503%2582%25D9%25D7%25DA%2593%2501ir%2580X%25A9mY%25234f%252B%2502%2597&
amzn_fwver=v0.9.119&
amzn_ssid=Kobayashi+Heavy+Industries&
idValue=Kobayashi+Heavy+Industries&
amzn_pw=badpassword8
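
Added example (not part of the original repository): a Python sketch that decodes the form body captured above, to show exactly which fields cross the open setup network in cleartext. Treating amzn_macid and amzn_nonce as raw bytes that were percent-encoded twice is an assumption read off the capture, and the function names are illustrative.

```python
from urllib.parse import parse_qsl, unquote_to_bytes

# Form body of the POST shown above, joined into one string.
CAPTURED_BODY = (
    "amzn_devid=G030G00553360818&"
    "amzn_macid=t%25C2F%25A8n%252F&"
    "amzn_nonce=%2591%25F2%253E%25AC%25BE%25F7%2523Z4%25D8%25A0%25ED%2503%2582"
    "%25D9%25D7%25DA%2593%2501ir%2580X%25A9mY%25234f%252B%2502%2597&"
    "amzn_fwver=v0.9.119&"
    "amzn_ssid=Kobayashi+Heavy+Industries&"
    "idValue=Kobayashi+Heavy+Industries&"
    "amzn_pw=badpassword8"
)

# Assumption: these two fields are raw bytes that were percent-encoded twice
# (%25 is an encoded "%"), so they need a second decoding pass.
BINARY_FIELDS = {"amzn_macid", "amzn_nonce"}
# Fields that carry the home network's name and passphrase.
CREDENTIAL_FIELDS = {"amzn_ssid", "amzn_pw"}


def parse_setup_post(body):
    """Return {field: value}; binary fields come back as bytes, the rest as str."""
    fields = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        # parse_qsl removes the outer encoding layer and turns "+" into a space.
        fields[name] = unquote_to_bytes(value) if name in BINARY_FIELDS else value
    return fields


def exposed_credentials(fields):
    """Credentials readable by anyone within range of the open setup network."""
    return {k: v for k, v in fields.items() if k in CREDENTIAL_FIELDS}


def format_mac(raw):
    """Render raw bytes as a colon-separated hex string."""
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    fields = parse_setup_post(CAPTURED_BODY)
    print("MAC:", format_mac(fields["amzn_macid"]))
    print("nonce:", len(fields["amzn_nonce"]), "bytes")
    for name, value in exposed_credentials(fields).items():
        print(f"cleartext {name} = {value!r}")
```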

The flash endpoint on the web service can be seen in a string dump of the firmware:

text/html
/flash
/token
/fresh.png
image/png
:%2x
hex:

And some commands:

addr
sha1
cmd = %s; addr = %x; len = %x
read
write
erase
iread
update
update
%s line=%d msize=%dK
 blocks=%d

Running bad commands through the endpoint gives some feedback on the serial output:

DMA overrun
cmd = *; addr = 0; len = 0
Found chirp at index 6400101
DMA overrun
Equalize: 24 16 26 22 
DMA overrun
Fail Fast Failure at index 1

Commands look like:

?cmd=Command&len=LengthInHex&addr=StartAddressInHex

Read 1 MB of flash: http://192.168.0.1/flash?cmd=read&len=100000&addr=0

Read the 2 MB SPI flash ROM: http://192.168.0.1/flash?cmd=read&len=200000&addr=0

The write command works on the SPI ROM, but erase has to be run first and it wants the data written in 256-byte chunks:

http://192.168.0.1/flash?cmd=erase&len=100000&addr=0

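Bash script to write a binary to the SPI flash in chunks:

mkdir -p chunks
cd chunks || exit 1
# myfirmware.bin sits in the parent directory; each chunk is 256 (0x100) bytes
split --bytes=256 ../myfirmware.bin chunks

add=0
while [ $add -lt 1048576 ]
do
    nextchunk=$(ls -1 | head -1)
    # stop when the image is smaller than 1 MB and the chunks run out
    [ -z "$nextchunk" ] && break
    addr=$(printf "%x" $add)
    echo "$addr $nextchunk"
    # len is in hex: 0x100 = 256 bytes
    curl --data-binary @"$nextchunk" "http://192.168.0.1/flash?cmd=write&len=100&addr=$addr"
    rm -f "$nextchunk"
    add=$(( add + 0x100 ))
done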
