Let's Hack: Extracting Firmware from Amazon Echo Dot and Recovering User Data

Views 46,823

Matt Brown

1 day ago

Let's Hack the Amazon Echo!
In this new video format, I took a longer look at the Amazon Echo Dot (Generation 2) device I've worked on previously. This is an uncut video where I walk through my process when looking at a device and its filesystem. I ended up removing the eMCP chip and extracting the storage partitions on the device. I learned a lot from this process and look forward to poking around at this data more. If you take away anything from this video it is that you need to factory reset devices, if not destroy them, before they leave your possession... I'm sure there are some Android DFIR pros out there who can point me to interesting parts of the filesystem to look at in the future!
Feedback on this new video is welcomed!
eMMC reader I use:
www.ebay.com/itm/334442938179
🛠️ Stuff I Use 🛠️
🪛 Tools:
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4aaCOGt
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #privacy #android #dfir

COMMENTS: 131
@mattbrwn 1 year ago
UPDATE: the storage partition also has API keys used for various amazon services that are associated with the previous user's account. (albeit probably expired)
@neon_Nomad 1 year ago
Those are great for text to speech services;)
@marcwilkinson2072 1 year ago
Sure dd stands for disk dump bro 👍
@CaseyStrouse 1 year ago
@@marcwilkinson2072 Disk destroyer is what I've always known it as
@snooks5607 11 months ago
@@marcwilkinson2072 There are many claims about what dd stands for, and while it doesn't exactly matter for modern purposes ("disk destroyer" is just as valid imo), for historical purposes it's a fact (corroborated by Dennis Ritchie, original co-author of Unix) that dd was inspired by and named after an old JCL statement for IBM S/360 computers called DD, where it stands for "Data/set definition".
@marcwilkinson2072 11 months ago
@@snooks5607 disk dump seems to resonate better with me in my personal opinion, as that's what the command does, it dumps the data to an image file, also it has write capabilities too, but I've never used the dd command to destroy a disk.
@randomfrequency 1 year ago
There's multiple root filesystems because that's how they do OS updates - they update one root filesystem, then the bootloader switches to it - if it fails to boot, it reverts back to the last known working state. Typically any user data would be in its own partition - and you're right, it's an android based system. Amazon's fire products are android based.
@mattbrwn 1 year ago
Yeah I kind of came to that conclusion over the course of looking at this device. It makes so much sense. Google has invested years of security work into android.
@randomfrequency 1 year ago
@@mattbrwn FreeNAS does it too, it's how we update switches and routers for the last few decades. We use it for immutable infrastructure in the cloud too. Nix offers something like it, and there's a ZFS booter for linux that lets you replicate the same pattern but with snapshots
@randomfrequency 1 year ago
@@mattbrwn Also IIRC this isn't really an .. 'android' feature, more of your bootloader.
@andreastepperink2495 9 months ago
Fujitsu does the same with its iRMC (management board for Primergy servers). You have two slots, one is active (running) and you flash new firmware to the 2nd (inactive) one. You can switch over manually or automatically ("use the slot with highest firmware version", "use the slot recently flashed", etc.). These management boards are Linux-based too usually.
@S1Pack 10 hours ago
That Baltimore Ravens hat got you my subscription.
@user-ui8my9zs7o 1 year ago
This content is so useful. I'm a software engineer but I'm trying to learn more on the hardware side. Thank you so much for posting this content!
@tomska7 6 months ago
Amazing Matt, please keep uploading this kind of live sessions. I personally learn a lot from this kind of videos! Thanks a lot for your work! :)
@jonmarler 5 hours ago
Great video Matt! The moniker "dd" stands for "data dumper" because it dumps data. Now you know!
@CM-xr9oq 8 days ago
21:30 silicone is a thermal insulator. It has very low thermal conductivity. Great video. I learned a lot.
@thesilvercreepers 1 year ago
These are the type of videos I was looking for, Keep up the good work!
@chester_ville_4066 4 months ago
Matt, the way you show the commands, I love it, thank you, keep it up brother.
@olmrgreen1904 10 months ago
Insane content. It's truly inspiring to see you in action.
@h8handles 1 year ago
Love hacking but new to hardware on this scale. Learning a lot here thanks so much!
@paaabl0. 4 days ago
Matt, this is brilliant!! Thank you for sharing!
@devsecfranklin 1 year ago
Really nice work Matt!
@mattbrwn 1 year ago
Thanks!
@ransomxvi 1 year ago
This was fantastic! Thanks for the great walkthrough. Let us know how it continues :)
@mattbrwn 1 year ago
thanks! this device was pretty interesting.
@marcosscriven 1 year ago
Incredibly well presented video. Thank you. I’ve been trying to understand how an IoT device that uses eMMC can be analysed, as I was only familiar with either simple 8-pin chips, or setups where the firmware could be downloaded without encryption.
@harjoat 1 year ago
Excited to see more :)
@Jason-ug7ey 1 year ago
Do you ever do in-system programming (ISP) extractions?
@markayala7752 1 year ago
I have learned a lot, hope you post more :).
@mattbrwn 1 year ago
Hoping to do lots of new videos in 3023!
@AdricM 1 year ago
@@mattbrwn hope we don't have to wait that long. *eyeing the cryotank
@CA-FE-C0-FF-EE-00 2 months ago
Damn, that was damn interesting. It has been some time since I watched a 1-hour video :D Thanks for all the helpful explanations, I really learned some stuff. I loved that you were like "let's find out together" when you didn't understand something instantly. This way, people like me can build up confidence when doing something like this alone. Most YouTubers act like they know everything, and that way you get really unconfident as a viewer because you feel you as a viewer are the only person who struggles with stuff on the first try :D Thanks! Keep it up.
@askal916 11 months ago
Thanks for making this video. I would like to understand this information enough to apply it to a 1st generation Echo Plus for the purpose of repurposing the hardware. I have always felt that the ~9" tall cylinder has impressive features: microphones, lighted volume ring, top function buttons, and a pretty great sounding speaker setup. Do you think the main board could be repurposed, or that a newly designed board could be fitted while maintaining the functionality of the other components? I have a new 1st generation Echo Plus I'd be willing to send you. Also, is that a Ravens hat you're wearing? 👍 Let me know.
@nectarinetangerineorange 1 year ago
When using the "dd" command, if you specify an appropriate blocksize (i.e. 'bs=4M' is reasonable for most flash storage), the "dd" command can finish much, much faster than if a less optimal blocksize (i.e. the default) was chosen. Also, Amazon products use a derivation of 'FireOS', which is a fork of Android from a while back, kinda like how Linux Mint is a fork of Ubuntu.
@pierpa_76pierpaolo 4 months ago
19:57 WOW reballing. What equipment do you use?
@AdricM 1 year ago
I'd love to see more analysis of the Google Home Mini.
@randomfrequency 1 year ago
The SSID or password could also be in some other flash/nvram storage that operates more like a k/v store, this is pretty common with some other devices, although this one has a lot of storage. Likely that keychain apk would lead to more details.
@S0ll 1 year ago
Matt you are a genius 👏💯
@mattbrwn 1 year ago
No one is a genius in this field. I probably get imposter syndrome just as much as the next guy. Just keep learning!
@thargok 1 day ago
Absolutely is an Android system, the runtime environment dalvik has a folder in the root directory which was the giveaway before the APK files. It looks like Amazon took a sample image used by MediaTek for that chipset (probably originally made for Xiaomi as some of their stuff is on it) but I'm not sure if they are actually doing much more than running background services or even starting up the runtime environment as it seems like a lot of overhead for what is really just a glorified IoT microphone and DAC.
@ErickBuildsStuff 11 months ago
Matt, I stumbled upon your video after trying to solve the stuck red mute button and no ring light for my Echo 4. I purchased it as defective and am unable to figure out the problem. Both do not reset and the only light that turns on is the red mute button at 2 different lighting levels. I'm guessing it's some type of firmware issue. Many others have the same problem; could you look at one in the used market? A follow-up video would be awesome.
@frosty1433 5 days ago
To reattach can you just use a solder mask and hope for the best or do you absolutely need to reball it?
@NKomarov 6 months ago
It would be so cool to replace a memory chip with a bigger one and stuff it with lots of pirated mp3s, don't you think? You could also change some scripts to start ssh server on startup and do other cool things to actually 0wn the device. Maybe install a torrent client with a web-UI to control from your phone. And after you patched it, you could go to the nearest guy repairing phones, he knows where or how to buy a special "mask" (a tiny board with lots of punched holes in it that strictly correspond the contacts on that chip) to apply on the chip and add little metallic balls in order to put it back on the board. Restart, and you finally own it! 😀 P.S. Thanks for a great video! An instant sub from me!
@baghdadiabdellatif1581 4 months ago
start your comment with spoiler alert 🤣
@KSITREVS 1 year ago
Cool video, please keep it up.
@mattbrwn 1 year ago
Thanks, will do!
@bagaselectra3469 10 months ago
Interesting content, I want more content about extracting firmware, and I never knew how to use Linux OS but it's very interesting, maybe I will try Linux OS tomorrow. Thanks bro 👍
@RickDeckardt 7 months ago
dd stands for copy and convert, but since cc (c compiler) was already in use, they went for dd
@johnfeehley8100 10 hours ago
It was originally in IBM's JCL (labeled as "Data Definition") too
@shanebrady568 1 year ago
Not sure if you've covered this already but what microscope are you using? Could you go over the tools you have in a future video. Thank you!!!
@neon_Nomad 1 year ago
Louis Rossmann.
@mattbrwn 1 year ago
Yeah I will do some videos soon on that. I get a lot of stuff based on Louis Rossmann's recommendations.
@WalterGreenIII 1 year ago
APK files are generally used in Android???
@s3anuk 7 months ago
Damn, my XGecu T48 won't read that eMMC :( That reader you used is really expensive too. Has anyone else found another way to read these? I've tried soldering it onto an SD breakout board but they are really difficult to reball and fit.
@mattbrwn 7 months ago
Yeah unfortunately these readers are the best way to go. Sometimes the pads are available for ICP but not always
@lilladokka 9 months ago
like the features, setup was difficult for some of my devices (August Door lock, ukposts.infoUgkxhB5YOMNj04GuoAosExygP4cH-dKeb4aB Bose speaker)... but all switches and outlets (5), thermostat, tankless water heater. Unfortunately all I can do is turn on/off Bose. It doesn't support volume or changing channels, but I believe that is due to the particular speaker I have.... Worth getting if you already have other devices to use it with... I don't sit around and ask Alexa questions much so that doesn't really matter to me....
@Jules-ki9nx 3 months ago
Would love to know your lab set up.
@user-lq4gw1sj8n 1 year ago
Coarse contamination comes off easily with a soft toothbrush. The chip is best cleaned of flux with an ordinary wipe moistened with isopropyl alcohol.
@randomfrequency 1 year ago
You're very brave just doing `cat` on files instead of xxd :)
@randomfrequency 1 year ago
For future readers, cat would not encode any escape characters in the contents of the files, which could lead to either corruption of state in your terminal emulator, or potentially worse.
@FlorianGT396 1 year ago
That is REALLY great. Is there some way we can exchange the extracted data, so people / others can work on hacking the Bluetooth firmware update / create alternative firmware that works without Amazon stuff?
@gcm4312 1 year ago
It's illegal to share firmware dumps.
@FlorianGT396 1 year ago
@@gcm4312 hm ok. It would be cool to know, if there is some way to enable adb.
@gcm4312 1 year ago
@@FlorianGT396 xda forums is your friend
@WayneMetcalf 16 days ago
If you rub a sharpie pen over the chip, it makes it 10x easier to read.
@randomfrequency 1 year ago
Regarding "typing your password into YouTube", why don't you just disable sudo prompting for passwords for users? By default there's a commented-out entry in `visudo` that tells you how to do it.
@mattbrwn 1 year ago
haha yeah that's not a bad idea...
@siosinv3851 7 months ago
What sources or publications did you use?
@siosinv3851 1 month ago
@mattbrwn still waiting on the detail Matt.
@tanjiro3285 1 year ago
I'm trying to learn about writing firmware for cheap Apple clone smartwatches and smartbands, but I don't know where to look for tutorials on firmware development for MediaTek chips and nRF chips. Please guide 🙏
@mattbrwn 1 year ago
Check out the PineTime watch! www.pine64.org/pinetime/ wiki.pine64.org/wiki/PineTime Its software and hardware are open source! You would be able to study the HW and SW for your own learning.
@tanjiro3285 1 year ago
@@mattbrwn I have seen the PineTime project but the hardware is not easily available in my country (India). Please give me some course names which you followed.
@redacted1946 1 year ago
That just sounds like regular embedded firmware development. Find a development board with the same MCU that those cheap devices use, reverse engineer the SPI/I2C pinouts for the peripherals, write and test your embedded firmware, and then flash it back onto the chip via JTAG/SWD, assuming those cheap devices expose those debuggers.
@neon_Nomad 1 year ago
You're not missing much without it ;p Better off used for training purposes. Here's to that hotplate reflow station though.
@mattbrwn 1 year ago
yeah I've been wanting to get some BGA reball stencils and solder paste. This should be a good opportunity.
@neon_Nomad 1 year ago
@@mattbrwn eBay is your friend :)
@neon_Nomad 1 year ago
@@mattbrwn lookup theCarplayAiboxFriends
@SlinkyD 1 year ago
47:35 run `less` on the files in recover/log edit: correction
@daveherd6864 12 hours ago
You can reball by hand; it takes time. Use flux, stick the balls on and use a hot plate.
@eduardoanonimo3031 1 year ago
Dude! I thought you had learned the lesson... sunshade hats are for gardening or for harvesting berries in the fields... Still repairing the roof?
@mattbrwn 1 year ago
What devices should I look at in the future?
@markayala7752 1 year ago
I want Starlink Dishy :p
@DJChol 1 year ago
What about participating in John McMaster's reverse engineering of the XGecu programmer?
@mattbrwn 1 year ago
@@DJChol Wow, didn't know about this project! I currently use the XGecu software in Wine. I'll look into this project!
@redacted1946 1 year ago
How about something that requires fault injection/voltage glitching? For example, to bypass RDP protection on an STM32. Hooking up to a UART shell or a JTAG/SWD debugger or mounting a filesystem is only so interesting.
@viewgoog 1 year ago
I have really been enjoying your videos, they are all great! I would love to see you mess around with a DVR for cameras, maybe one that is locked, and see if you can unlock it. Could probably find one at a Goodwill too!
@gcm4312 1 year ago
Probably running FireOS, which is a custom version of Android.
@mattbrwn 1 year ago
Ahh ok, that makes sense.
@MacGuffin1 2 months ago
DFU = Direct Firmware Update
@RevJimyJamz 2 months ago
30:23 data definition
@mosesmodise4998 4 months ago
How about writing this firmware to a new board, I mean like cloning, because this one is now a mess?
@neon_Nomad 1 year ago
Block A or block B, gotta flash both or it'll wreck your day.
@twitch54304 7 days ago
There are 36 pins that read that package.
@pmkwiek 7 hours ago
Please do the Google Home Mini. I'll send you one.
@JakeHemmerle 1 year ago
dd means data destroyer ;)
@stoiczfpv 5 months ago
Runs on Android.
@MrTattooland 3 months ago
Are you Jim Carrey's little son in The Mask??
@neon_Nomad 1 year ago
In the vehicle industry the US uses Android, Europe uses Android built on Linux and Russia uses Linux.
@christophernugent8492 3 months ago
No, hacking is not easy. Programming and dealing with software design and code in general is a hard topic to grok when even a small amount of complexity is involved.
@neon_Nomad 1 year ago
Disk destroyer aka. "The dd cmd" that will wreck your day.....
@neon_Nomad 1 year ago
Only use if you have a full backup...
@richardcarberry831 1 day ago
disk dump
@rinzo3570 6 months ago
Tell me bro, without electronics knowledge you can't do all that.
@sebastienarseneault2602 4 months ago
What?
@adamarzo559 3 months ago
Kidding, right? He demonstrated very basic electronics knowledge. Most of it was in a command line inside of Linux unpacking binaries. The only electronics knowledge you need is identifying things like UART/the chips similar to those in the video. It literally doesn't go past that. Desoldering chips is easy. You point a hot air gun at them and you wait until they pop off. You need far more Linux knowledge for this stuff.
@user-ho7vd2gi6u 1 year ago
Dude, you look like Jim Carrey.
@JonathanSwiftUK 22 hours ago
To be honest it doesn't seem to make any financial sense; those components and fabrication and construction must have cost the same as or more than I paid for it, especially when you say there is 16GB RAM and 16G storage.
@wastelandwanderer3883 8 hours ago
Big Corps taking advantage of Open Source without giving back: typical capitalism for you! Unless Amazon gives back to the Linux community, which I doubt very much! dd: disk duplicate?
@mattbrwn 8 hours ago
idk about Amazon, but lots of "Big Corps" have contributed to Linux: lwn.net/Articles/839772/?ref=news.itsfoss.com
@codemeister3 10 days ago
You have GOT to cut out the UHs and UMs. You seem smart, it will be hard but you can do it. Only reason I am not subscribing right now. Well, maybe I will and hope the UHs stop soon ;)
@defooraap 11 months ago
In 1974, the dd command appeared as part of Version 5 Unix. According to Dennis Ritchie, the name is an allusion to the DD statement found in IBM's Job Control Language (JCL), in which it is an abbreviation for "Data Definition". en.wikipedia.org/wiki/Dd_(Unix)
@baghdadiabdellatif1581 4 months ago
Well done 👌👏
@rjbrake 1 year ago
It's called DD because CC is already taken by the C Compiler. #trivia. Edit: you need to learn regexp, no need to run multiple commands when you can one-line it.
@randomfrequency 1 year ago
for i in `seq 1 13` ; do dd if=/dev/sdc$i of=sdc$i bs=1M ; done - no need for regex, just for loops will do.
@neon_Nomad 1 year ago
Ah, regex hell, why dost thou taunt me?
@delqyrus2619 12 hours ago
30:00 dd = disk dump. And you could do the whole stuff in one line by typing something like "for i in /dev/sdc?*; do dd if=$i of=${i#/dev/}.bin; done"
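An added example that is not from the video or the comments, combining the dd loops above with the bs=4M advice earlier in the thread: it images each partition into its own file and records a SHA-256 manifest so a dump can be verified before anyone starts carving user data out of it. The device prefix /dev/sdc and the output directory are assumptions; pass your own.

```shell
#!/bin/sh
# Added example (not from the video or the comments): image every partition of
# the eMMC reader's block device the way the one-liners above do, but with a
# 4M block size, a readability check, and a SHA-256 manifest so the images can
# be verified later. Device prefix /dev/sdc and the output directory are
# assumptions; pass your own.
set -u

hash_cmd() {
    # coreutils sha256sum on Linux; shasum on macOS/BSD
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

dump_partitions() {
    dev=$1   # device prefix, e.g. /dev/sdc: sdc1, sdc2, ... are globbed
    out=$2   # directory that receives <partition>.bin images and SHA256SUMS
    mkdir -p "$out" || return 1
    : > "$out/SHA256SUMS"
    count=0
    for part in "$dev"?*; do
        [ -e "$part" ] || continue          # the glob matched nothing
        [ -r "$part" ] || { echo "cannot read $part" >&2; return 1; }
        name=$(basename "$part")
        # bs=4M instead of the 512-byte default: far fewer syscalls on flash.
        # if= is the only reference to the device; nothing is ever written to it.
        dd if="$part" of="$out/$name.bin" bs=4M 2>/dev/null || return 1
        # hash from inside $out so the manifest holds relative names
        (cd "$out" && $(hash_cmd) "$name.bin") >> "$out/SHA256SUMS" || return 1
        count=$((count + 1))
    done
    echo "$count"   # number of partitions imaged, printed for the caller
}

verify_dump() {
    # re-hash every image against the manifest; succeeds only if all match
    (cd "$1" && $(hash_cmd) -c SHA256SUMS >/dev/null 2>&1)
}

# usage: dump_partitions /dev/sdc ./echo_dump && verify_dump ./echo_dump
```

Keep the SHA256SUMS file with the images: a later `verify_dump` run tells you whether a copy you are analysing is still byte-identical to what was read off the chip.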
@arrombador 1 month ago
Share exported DATA for ALL
@GWorxOz 2 days ago
dufusvision
@randomfrequency 1 year ago
".dump" in sqlite3 is useful sometimes
@mattbrwn 1 year ago
TIL! This is perfect, thanks.
@ageofthetech7280 9 months ago
Bro, my 2nd gen Echo Dot is not working. After connecting to the power it says download an update, and after an hour its light ring becomes purple and it's not working. Please help me bro, what do I need to do now? 🥲