Read and write Dash SPI flash over Wi-Fi

In setup mode the Dash button exposes an open Wi-Fi network named "Amazon ConfigureMe".

When the user configures it, their Wi-Fi credentials are leaked over the open network in an HTTP POST:

POST / HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 306

amzn_devid=G030G00553360818&
amzn_macid=t%25C2F%25A8n%252F&
amzn_nonce=%2591%25F2%253E%25AC%25BE%25F7%2523Z4%25D8%25A0%25ED%2503%2582%25D9%25D7%25DA%2593%2501ir%2580X%25A9mY%25234f%252B%2502%2597&
amzn_fwver=v0.9.119&
amzn_ssid=Kobayashi+Heavy+Industries&
idValue=Kobayashi+Heavy+Industries&
amzn_pw=badpassword8
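
As an added example (not part of the original README), this Python sketch audits a captured setup request like the one above: it lists the form fields that carry network credentials and undoes the double percent-encoding of amzn_macid. The sample request is constructed from the capture shown here with amzn_nonce and most headers left out, and the choice of which fields to flag is this example's assumption.

```python
from urllib.parse import parse_qsl, unquote_to_bytes

# Constructed sample: the request above, abridged (amzn_nonce and most headers omitted).
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "amzn_devid=G030G00553360818&amzn_macid=t%25C2F%25A8n%252F&"
    "amzn_fwver=v0.9.119&amzn_ssid=Kobayashi+Heavy+Industries&"
    "idValue=Kobayashi+Heavy+Industries&amzn_pw=badpassword8"
)

# Assumption of this example: the fields treated as credentials.
CREDENTIAL_FIELDS = ("amzn_ssid", "amzn_pw")


def audit_setup_request(raw: str) -> dict:
    """Report what a captured, unencrypted setup request exposes."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # The page shows the body wrapped after each '&'; drop any line breaks.
    body = "".join(body.split())
    fields = dict(parse_qsl(body, keep_blank_values=True))

    exposed = sorted(f for f in CREDENTIAL_FIELDS if fields.get(f))
    # amzn_macid is percent-encoded twice: parse_qsl removed one layer,
    # unquote_to_bytes removes the second and yields the raw bytes.
    macid = unquote_to_bytes(fields.get("amzn_macid", ""))
    return {
        "method": method,
        "path": path,
        "host": headers.get("host"),
        "exposed": exposed,
        "macid_hex": macid.hex(),
        # Report only the length of each secret, never its value.
        "masked": {f: "*" * len(fields[f]) for f in exposed},
    }


if __name__ == "__main__":
    for key, value in audit_setup_request(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```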

The flash endpoint on the web service can be seen in a string dump of the firmware:

text/html
/flash
/token
/fresh.png
image/png
:%2x
hex:

And some commands:

addr
sha1
cmd = %s; addr = %x; len = %x
read
write
erase
iread
update
update
%s line=%d msize=%dK
 blocks=%d

Running bad commands through the endpoint gives some feedback on the serial output:

DMA overrun
cmd = *; addr = 0; len = 0
Found chirp at index 6400101
DMA overrun
Equalize: 24 16 26 22 
DMA overrun
Fail Fast Failure at index 1

Commands look like:

?cmd=Command&len=LengthInHex&addr=StartAddressInHex

Read 1 MB of flash: http://192.168.0.1/flash?cmd=read&len=100000&addr=0

Read the 2 MB SPI flash ROM: http://192.168.0.1/flash?cmd=read&len=200000&addr=0

The write command works on the SPI ROM, but erase has to be run first and the data has to be written in 256-byte chunks:

http://192.168.0.1/flash?cmd=erase&len=100000&addr=0

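Bash script to write a binary to SPI flash in chunks:

mkdir -p chunks
cd chunks
# The firmware image sits one level up, outside the chunks directory.
# Fixed 4-letter suffixes keep the chunk names sorted in file order.
split --bytes=256 -a 4 ../myfirmware.bin chunks

add=0
while [ "$add" -lt 1048576 ]
do
    # Lowest-sorted remaining chunk is the next 256 bytes of the image
    nextchunk=$(ls -1 | head -1)
    # Stop once every chunk has been written
    [ -n "$nextchunk" ] || break
    addr=$(printf "%x" "$add")
    echo "$addr $nextchunk"
    curl --data-binary "@$nextchunk" "http://192.168.0.1/flash?cmd=write&len=100&addr=$addr"
    rm -f "$nextchunk"
    # Advance by 0x100 (256) bytes to the next chunk address
    add=$(( add + 0x100 ))
done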