Let's Hack: Extracting Firmware from Amazon Echo Dot and Recovering User Data

UPDATE: the storage partition also has API keys used for various amazon services that are associated with the previous user's account. (albeit probably expired)

What sources or publications did you use?

You know what amazon isnt prepared for atall an adversary applying for a job as a warehouse goon working there i got a shell on the sorting stations with just alt f2 the scanners all run incredebly old windows embedded with a configured telnet client open ports are all over the warehouse etc etc

dd stands for copy and convert, but since cc (c compiler) was already in use, they went for dd

damn my xgecu t48 wont read that emmc :( that reader you used is really expensive too. anyone else found another way to read these? i've tried soldering it onto an sd breakout board but they are really difficult to reball and fit

a bash script to make it automatically go from sdc1 to sdc16, because I am lazy, I know you are too!

#!/bin/bash

for ((i = 1; i <= 16; i++))
do
partition="/dev/sdc$i"
output="sdc$i.bin"
sudo dd if="$partition" of="$output"
done

Bro my 2nd gen echo dot is not working.after connect to the powet it says download an update and after a hour it light ring become purple and not working plz help me bro what i need to now?
🥲

Insane content. Its truly inspiring to see you in action.

Interesting content i want more content about extracting firmware ,and i never know use linux os but very interesting ,maybe i will try linux os tomorrow thanks bro👍

Matt, i stumbled upon your video after trying to solve the stuck red mute button and no ring light for my echo 4. I purchased as defective and unable to figure out the problem. Both do not reset and only light that turns on is red mute button at 2 different lighting levels. I'm guessing it's some type of firmware issue. Many others have the same problem and could you look at one in the used market? Follow up video would be awesome.

Thanks for making this video. I would like to understand this information enough, to apply it to a 1st generation Echo Plus for the purpose of repurposing the hardware. I have always felt that the ~9" tall cylinder has impressive features: Microphones, lighted volume ring, top function buttons, and a pretty great sounding speaker setup. Do you think the main board could be repurposed, or that a newly designed board could be fitted while maintaining the functionality of the other components? I have a new 1st generation Echo Plus I'd be willing to send you. Also is that a Ravens hat your wearing? 👍Let me know.

Incredibly well presented video. Thank you. I’ve been trying to understand how an IoT device that uses eMMC can be analysed, as I was only familiar with either simple 8-pin chips, or setups where the firmware could be downloaded without encryption.

probably running FireOS which is a custom version of Android.

dude you look like Jim Carrey

Love hacking but new to hardware on this scale. Learning a lot here thanks so much!

Do you ever do in-system programming (ISP) extractions?

That is REALLY great. Is there some way, we can exchange the extracted data, so people / others can work on Hacking the Bluetooth Firmware Update / Create alternative Firmware that does work without Amazon Stuff?

These are the type of videos I was looking for, Keep up the good work!

This content is so useful. I'm a software engineer but I'm trying to learn more on the hardware side. Thank you so much for posting this content!

Matt you are a genius 👏💯

when using the "dd" command; if you specify an appropriate blocksize (i.e. 'bs=4M' is reasonable for most flash storage), the "dd" command can finish much, much faster than if a less optimal blocksize (i.e. the default) was chosen

Also amazon products use a derivation of 'FireOS' which is a fork of android from a while back, kinda like how linux-mint is a fork of ubuntu

Could you chroot into it? 🤔

dd means data destroyer ;)

Not sure if you've covered this already but what microscope are you using? Could you go over the tools you have in a future video. Thank you!!!

Block a or block b gotta flash both or itl wreck your day

In the vehicle industry the us uses android, Europe uses android built on linux and russia uses linux

Disk destroyer aka. "The dd cmd" that will wreck your day.....

You're not missing much without it ;p better off used for training purposes.
Heres to that hotplate reflow station though

The SSID or password could also be in some other flash/nvram storage that operates more like a k/v store, this is pretty common with some other devices, although this one has a lot of storage.

Likely that keychain apk would lead to more details.

".dump" in sqlite3 is useful sometimes

You're very brave just doing `cat` on files instead of xxd :)

There's multiple root filesystems because that's how they do OS updates - they update one root filesystem, then the bootloader switches to it - if it fails to boot, it reverts back to the last known working state.

Typically any user data would be in its own partition - and you're right, it's an android based system. Amazon's fire products are android based.

Dude! I thought you have learned the leasson... sunshade hats are for gardening or for harvesting berries in the fields...

Still repairing the roof?

apk files are generally use in android???

This was fantastic! Thanks for the great walkthrough. Let us know how it continues :)

Excited to see more :)

id love to see more analysis of the google home mini.

Cool video, please keep it up.

Really nice work Matt!

I'm trying to learn about writing firmware to cheap apple clone smartwatches and smartbands but I don't know where to look for tutorials on firmware development for mediatek chips and nrf chips.please guide 🙏

Грубые загрязнения хорошо счищается мягкой зубной щеткой.
Чип от флюса хорошо чистить обычной салфеткой смоченной изопропиловым спиртом.

What devices should I look at in the future?

i have learned a lot hope you post more :) .