/dashing

No description, website, or topics provided.
Branch: master
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Download ZIP

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching Xcode...

If nothing happens, download Xcode and try again.

Launching Visual Studio...

If nothing happens, download the GitHub extension for Visual Studio and try again.

Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md

README.md

Read and write Dash spi flash through wifi

In setup mode Dash button has an open wifi named "Amazon ConfigureMe"

When the user configures it their wifi credentials are leaked on open wifi through http post

POST / HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 306

amzn_devid=G030G00553360818&
amzn_macid=t%25C2F%25A8n%252F&
amzn_nonce=%2591%25F2%253E%25AC%25BE%25F7%2523Z4%25D8%25A0%25ED%2503%2582%25D9%25D7%25DA%2593%2501ir%2580X%25A9mY%25234f%252B%2502%2597&
amzn_fwver=v0.9.119&
amzn_ssid=Kobayashi+Heavy+Industries&
idValue=Kobayashi+Heavy+Industries&
amzn_pw=badpassword8

Flash endpoint on web service can be seen in string dump of firmware

text/html
/flash
/token
/fresh.png
image/png
:%2x
hex:

And some commands

addr
sha1
cmd = %s; addr = %x; len = %x
read
write
erase
iread
update
update
%s line=%d msize=%dK
 blocks=%d

Running bad commands through the endpoint gives some feedback on the serial output

DMA overrun
cmd = *; addr = 0; len = 0
Found chirp at index 6400101
DMA overrun
Equalize: 24 16 26 22 
DMA overrun
Fail Fast Failure at index 1

Commands look like

?cmd=Command&len=LengthInHex&addr=StartAddressInHex

read 1mb flash http://192.168.0.1/flash?cmd=read&len=100000&addr=0

read 2mb spi flash rom http://192.168.0.1/flash?cmd=read&len=200000&addr=0

write command works on spi rom but need to run erase first and wants to write in 256 byte chunks

http://192.168.0.1/flash?cmd=erase&len=100000&addr=0

bash script to write binary to spi in chunks

mkdir -p chunks
cd chunks
split --bytes=256 myfirmware.bin chunks

add=0
while [ $add -lt 1048576 ]
do
    nextchunk=`ls -1|head -1`
    addr=`printf "%x" $add`
    echo "$addr $nextchunk"
    curl --data-binary @$nextchunk "http://192.168.0.1/flash?cmd=write&len=100&addr=$addr"
    rm -f $nextchunk
    add=$(( 0x${addr} + 0x100 ))
done