UPDATE: the storage partition also has API keys used for various amazon services that are associated with the previous user's account. (albeit probably expired)
@@xxxxxx2072 there's many claims to what dd stands for and while it doesn't exactly matter for modern purposes ("disk destroyer" is just as valid imo) but for historical purposes it's a fact (corroborated by Dennis Ritchie, original co-author of Unix) that dd was inspired and named after an old JCL statement for IBM S/360 computers called DD where it stands for "Data/set definition"
@@snooks5607 disk dump seems to resonate better with me in my personal opinion, as that's what the command does, it dumps the data to an image file, also it has write capabilities too, but I've never used the dd command to destroy a disk.
There's multiple root filesystems because that's how they do OS updates - they update one root filesystem, then the bootloader switches to it - if it fails to boot, it reverts back to the last known working state. Typically any user data would be in its own partition - and you're right, it's an android based system. Amazon's fire products are android based.
Yeah I kind of came to that conclusion over the course of looking at this device. It makes so much sense. Google has invested years of security work into android.
@@mattbrwn FreeNAS does it too, it's how we update switches and routers for the last few decades. We use it for immutable infrastructure in the cloud too. Nix offers something like it, and there's a ZFS booter for linux that lets you replicate the same pattern but with snapshots
Fujitsu does the same with its iRMC (management board for Primergy servers). You have two slots, one is active (running) and you flash new firmware to the 2nd (inactive) one. You can switch over manually or automatically ("use the slot with highest firmware version", "use the slot recently flashed", etc.). These management boards are Linux-based too ususally.
I’m an old Unix and Xenix admin and programmer who started in the 80’s. dd- convert and copy was to be named cc, but the C compiler already had that name. The choice was made to move one letter in the alphabet and so dd became its name. dd was the tool we used to backup and restore raw disk partitions that held Oracle database tablespaces.
Senior Principal EE from a large Military Contractor with nearly 40 years experience here. I am today years old with regards to the microscope light trick. Excellent, will be using that. I still love learning new things. Thank you for that !
Hey man, I am in tech and have had absolutely no hardware hacking experience. But after watching this you have brought a new interest to me and I have no idea why. I feel like 90% of people would never see this as interesting but I'm already looking for tools to buy just so I can copy this project as my first start and then will be exploring further than you did to potentiall find anything you didn't.
when using the "dd" command; if you specify an appropriate blocksize (i.e. 'bs=4M' is reasonable for most flash storage), the "dd" command can finish much, much faster than if a less optimal blocksize (i.e. the default) was chosen Also amazon products use a derivation of 'FireOS' which is a fork of android from a while back, kinda like how linux-mint is a fork of ubuntu
Dude, usually I build race cars, street race and do some computer stuff but this is the first video that I seen that truly got me into wanting to explore more of the deep end on the chips. This is also the first video I've seen from you. New subscriber here.. Also just ordered my chip reader from your link in the description. Can't wait to see what other content you have on your channel!
Damn, that was damn interesting. Has been some time, since I watched a 1-hour video :D Thanks for all the helpful explanations, I really learned some stuff. I loved that you were like "let's find out together" when you didn't understand something instantly. This way, people like me can build up confidence when doing something like this alone. Most UA-camrs act like they know anything, this way you get really unconfident as a viewer because you feel you ass a viewer are the only person who struggles with stuff on the first try :D Thanks! Keep it up.
51:18 the user name "owner" and the 2 XML files you explored there are standard for android if u take a vanilla android image u can make additional users and the main will always be named owner and the other users when created will appear there also as u see in the first xml it prohibits the dialer and WiFi for the guest user and that's android standard too
Watching the joy of exploration in real time is so much fun. This is the true spirit of hacking! Thanks for sharing this journey and for diving in unscripted.
Thanks for making this video. I would like to understand this information enough, to apply it to a 1st generation Echo Plus for the purpose of repurposing the hardware. I have always felt that the ~9" tall cylinder has impressive features: Microphones, lighted volume ring, top function buttons, and a pretty great sounding speaker setup. Do you think the main board could be repurposed, or that a newly designed board could be fitted while maintaining the functionality of the other components? I have a new 1st generation Echo Plus I'd be willing to send you. Also is that a Ravens hat your wearing? 👍Let me know.
the 700MB sized partitions are android A/B SYSTEM partitions. The big one that had "data" directory is what is wiped when you do factory reset, it contains.. well, data. And ye, it is android. /data directory may be very intresting on biggest partition. /data/data IIRC for application data. I would take a peek at files in there. media / 0 is "sd card" storage in android
Thats interesting because old days, as I remember, there was a silicon only (with no nowadays additives as silver or diamonds or so) paste for better heat conductivity to the cpu/psu radiator
You can also use hot air on the chip or board while holding the braid with tweezers. As the solder liquifies, you use the braid to mop it up by just running it over.
Absolutely is an Android system, the runtime environment dalvik has a folder in the root directory which was the giveaway before the APK files. It looks like Amazon took a sample image used by MediaTek for that chipset (probably originally made for Xiaomi as some of their stuff is on it) but I'm not sure if they are actually doing much more than running background services or even starting up the runtime environment as it seems like a lot of overhead for what is really just a glorified IoT microphone and DAC.
Yeah, that was my thought as soon as the premise of the video was made clear. Also while Amazon may slap their logo on a device they didn't manufacturer jack crap. Just bought a bulk amount of components, hired a company in China to assemble them, and a couple of internal software engineers to write an API to make it all work together and answer to ALEXA. The amount of usable information that could possibly be altered or repurposed for something else is minimal at best.
All these smart speakers run some android or linux because making applications for android is damn easy and android already comes with all drivers and tools needed
Matt, i stumbled upon your video after trying to solve the stuck red mute button and no ring light for my echo 4. I purchased as defective and unable to figure out the problem. Both do not reset and only light that turns on is red mute button at 2 different lighting levels. I'm guessing it's some type of firmware issue. Many others have the same problem and could you look at one in the used market? Follow up video would be awesome.
Regarding "typing your password into youtube", why don't you just disable sudo prompting for passwords for users? by default there's a commented out entry in `visudo` that tells you how to do it.
Should definitely add newer lower temp desoldering solder (like CHIPQUIK) to the bottom of that to alloy with it and lower the melting temp, making it easier to clean up with the braid
If you could find the JTAG pins you'd be able to read off the Flash w/o having to remove. We've used JTAG for debugging our boards but this one having a low chip count they may have omitted it, but it is the "modern" way to test production boards ("bed of nails" being the other).
How about something that requires fault injection/voltage glitching. For example to bypass rdp protection on an stm32. Hooking up to a uart shell or a jtag/swd debugger or mounting a filesystem is only so interesting.
I have really been enjoying your videos they are all great! I would love to see you mess around with a DVR for cameras maybe one that is locked and see if you can unlock it? Could probably find one at a goodwill too!
That is REALLY great. Is there some way, we can exchange the extracted data, so people / others can work on Hacking the Bluetooth Firmware Update / Create alternative Firmware that does work without Amazon Stuff?
I have no interest (right now) to dump chips but I love that I'm learning some linux stuff while watching and picking up some hardware hacking tips. Thanks Matt!
Incredibly well presented video. Thank you. I’ve been trying to understand how an IoT device that uses eMMC can be analysed, as I was only familiar with either simple 8-pin chips, or setups where the firmware could be downloaded without encryption.
The SSID or password could also be in some other flash/nvram storage that operates more like a k/v store, this is pretty common with some other devices, although this one has a lot of storage. Likely that keychain apk would lead to more details.
damn my xgecu t48 wont read that emmc :( that reader you used is really expensive too. anyone else found another way to read these? i've tried soldering it onto an sd breakout board but they are really difficult to reball and fit
To be honest it doesn't seem to make any financial sense, those components and fabrication and construction must have cost the same or more than I paid for it, especially when you say there is 16GB ram and 16G storage.
It makes perfect financial sense, they sell them at a loss because they'll make the money back and more in ads and extra sales you make on it. It's the same reason printers are so cheap, they're selling the ink not the printers.
@graytico you mean they're a bit slow - they've only ever made massive losses, nobody buys on those things, yet they have stuck to making and selling them, maybe they are starting to suss out the business model about now, hence the heavy layoffs in this part of the business. Nice hardware, if I could figure out an actual use case, right now she is an expensive egg timer most of the time.
I'm trying to learn about writing firmware to cheap apple clone smartwatches and smartbands but I don't know where to look for tutorials on firmware development for mediatek chips and nrf chips.please guide 🙏
check out the PineTime watch! www.pine64.org/pinetime/ wiki.pine64.org/wiki/PineTime Its software and hardware is open source! You would be able to study the HW and SW for your own learning.
@@mattbrwni have seen the pinetime projectbut the hardware is not available easily in my country (India) please give me some course names which u followed
That just sounds like regular embedded firmware development. Find a development board with the same mcu that those cheap devices use, reverse engineer the spi/i2c pinouts for the peripherals, write and test your embedded firmware, and then flash it back onto the chip via jtag/swd assuming those cheap devices expose those debuggers
Will it ever be possible to overwrite the factory firmware with a Linux distro? There's currently a homebrew project using an RPi Zero 2W and Wyoming Satellite / Home Assistant to localize the voice assistant, but I prefer the big Echo's hardware for its elegance and sound "fidelity"
Your soldering iron tip looks pretty oxidized. If it’s been giving you trouble, make sure to keep a blob of solder on it when you’re putting it away. Tip should be nice and shiny for best results
For future readers, cat would not encode any escape characters in the contents of the files, which could lead the either corruption of state in your terminal emulator, or potentially worse
like the features, setup was difficult for some of my devices (August Door lock, ua-cam.com/users/postUgkxhB5YOMNj04GuoAosExygP4cH-dKeb4aB Bose speaker)... but all switches and outlets (5), thermostat, tankless water heater. Unfortunately all I can do is turn on/off Bose. It doesn't support volume or changing channels, but I believe that is due to the particular speaker I have.... Worth getting if you already have other devices to use it with... I don't sit around and ask Alexa questions much so that doesn't really matter to me....
It would be so cool to replace a memory chip with a bigger one and stuff it with lots of pirated mp3s, don't you think? You could also change some scripts to start ssh server on startup and do other cool things to actually 0wn the device. Maybe install a torrent client with a web-UI to control from your phone. And after you patched it, you could go to the nearest guy repairing phones, he knows where or how to buy a special "mask" (a tiny board with lots of punched holes in it that strictly correspond the contacts on that chip) to apply on the chip and add little metallic balls in order to put it back on the board. Restart, and you finally own it! 😀 P.S. Thanks for a great video! An instant sub from me!
I just Subbed - You are pretty good, I want to see a channel where someone teaches Linux on a Kernel Level and goes Up from there... Everyone diverges onto like, Languages and stuff like that but that's not what I'm looking for, I wanna see someone show me how to vuild my own custom Kernel to run on an old Phone and how to force the UBOOT into eating my files and booting my Kernel... I would feel pretty accomplished at that point. The entry for alot of people needs to be the Kernel Level, Need someone to explain the Tools and Hardware that we need to start Learning Properly by RevEngineering Basic Junk... and you went over all that so Kudos! There is a lot of Useful Garbage out there, it would be cool to learn how to repurpose things into Other Stuff...Great Vids I already watched 3 of them...
39:40 - Haven't watched the whole video yet, but it definitely runs android. You would find the exact same file structure if you accesed the root filesystem of Android on your phone. The interesting part is in the /data folder, there's your whole userdata of Android. /data is where the userdata partition gets mounted, however it possibly uses encryption, so you would just see gibberish. What you can do to get a root shell on a live system is modify some files to enable adb root access.
Could you try to get us into our defunct Amazon Cloud Cams please, so we can use our own virtual servers instead of having a paperweight. (I know at one time they offered Blink replacements, but I missed that 🤷🏻♂️).
A masterful removal of the chip and great video dude! 😊 Now I might be a little dumb here (as im primarily a software developer) but how does the flux and alcohol not damage the chip itself? Clearly it doesn't, i think i just don't understand how 🤔
Flux and alcohol are just chemicals used to allow solder to flow and clean the chip respectively. Doesn't affect chip internals or contact points. The alcohol is 99.9% so no corrosion.
@@mattbrwn Aaaaah I get ya, thanks that makes more sense now! 😁 As I say, I mostly just write code, but I'm messing with SBCs at the moment so this kind of knowledge is going to be super useful!
39:55 No, the Amazon Echo does not run Android. It operates on a custom operating system called Fire OS, which is based on the Android Open Source Project (AOSP) but is heavily modified by Amazon for its devices.
Here's a hint for doing this kinda thing in future.... If you do a dd of the *entire* device, you can then add partitions using `kpartx -a` and have them all available to mount / check directly without having to do it partition by partition. You can also then use tools like binwalk to start mapping out things.
Not a security expert, but I think it would be possible to restore your root password from the sound of your typing, especially given that you type another stuff there, so one could build a sound profile of your keyboard. Hope you've changed the password!
this is great how you can get into the brains of electronics wish you were my neighbor would love to learn about scaning this new encryption that are becoming popular all over.i bet that could be hacked too.
Easy to see you are quite inexperienced with soldering but keep at it and you will get better results. I cringed a lot when you used the solder braid tho. You used like 5% of it and still got a new strip. If you feel braid don’t work add fresh flux onto the braid and it soak up the tin. Use it until it’s full. Don’t waste or you might regret it when you need some but you’ve used it all. ;)
UPDATE: the storage partition also has API keys used for various amazon services that are associated with the previous user's account. (albeit probably expired)
Those are great for text to speech services;)
Sure dd stands for disk dump bro 👍
@@xxxxxx2072 Disk destroyer is what I've always known it as
@@xxxxxx2072 there's many claims to what dd stands for and while it doesn't exactly matter for modern purposes ("disk destroyer" is just as valid imo) but for historical purposes it's a fact (corroborated by Dennis Ritchie, original co-author of Unix) that dd was inspired and named after an old JCL statement for IBM S/360 computers called DD where it stands for "Data/set definition"
@@snooks5607 disk dump seems to resonate better with me in my personal opinion, as that's what the command does, it dumps the data to an image file, also it has write capabilities too, but I've never used the dd command to destroy a disk.
There's multiple root filesystems because that's how they do OS updates - they update one root filesystem, then the bootloader switches to it - if it fails to boot, it reverts back to the last known working state.
Typically any user data would be in its own partition - and you're right, it's an android based system. Amazon's fire products are android based.
Yeah I kind of came to that conclusion over the course of looking at this device.
It makes so much sense. Google has invested years of security work into android.
@@mattbrwn FreeNAS does it too, it's how we update switches and routers for the last few decades. We use it for immutable infrastructure in the cloud too.
Nix offers something like it, and there's a ZFS booter for linux that lets you replicate the same pattern but with snapshots
@@mattbrwn Also IIRC this isn't really an .. 'android' feature, more of your bootloader.
Fujitsu does the same with its iRMC (management board for Primergy servers). You have two slots, one is active (running) and you flash new firmware to the 2nd (inactive) one.
You can switch over manually or automatically ("use the slot with highest firmware version", "use the slot recently flashed", etc.).
These management boards are Linux-based too ususally.
Like android A/B?
I’m an old Unix and Xenix admin and programmer who started in the 80’s. dd- convert and copy was to be named cc, but the C compiler already had that name. The choice was made to move one letter in the alphabet and so dd became its name. dd was the tool we used to backup and restore raw disk partitions that held Oracle database tablespaces.
Senior Principal EE from a large Military Contractor with nearly 40 years experience here. I am today years old with regards to the microscope light trick. Excellent, will be using that. I still love learning new things. Thank you for that !
Hey man, I am in tech and have had absolutely no hardware hacking experience. But after watching this you have brought a new interest to me and I have no idea why. I feel like 90% of people would never see this as interesting but I'm already looking for tools to buy just so I can copy this project as my first start and then will be exploring further than you did to potentiall find anything you didn't.
This content is so useful. I'm a software engineer but I'm trying to learn more on the hardware side. Thank you so much for posting this content!
Amazing Matt, please keep uploading this kind of live sessions. I personally learn a lot from this kind of videos! Thanks a lot for your work! :)
when using the "dd" command; if you specify an appropriate blocksize (i.e. 'bs=4M' is reasonable for most flash storage), the "dd" command can finish much, much faster than if a less optimal blocksize (i.e. the default) was chosen
Also amazon products use a derivation of 'FireOS' which is a fork of android from a while back, kinda like how linux-mint is a fork of ubuntu
Dude, great videos! I can't stop watching them! Love the raw just digging into it and figuring it out step by step.
Dude, usually I build race cars, street race and do some computer stuff but this is the first video that I seen that truly got me into wanting to explore more of the deep end on the chips. This is also the first video I've seen from you. New subscriber here.. Also just ordered my chip reader from your link in the description. Can't wait to see what other content you have on your channel!
bro you are a friggin wizard, these videos are SO engaging i love them
Damn, that was damn interesting. Has been some time, since I watched a 1-hour video :D
Thanks for all the helpful explanations, I really learned some stuff.
I loved that you were like "let's find out together" when you didn't understand something instantly. This way, people like me can build up confidence when doing something like this alone.
Most UA-camrs act like they know anything, this way you get really unconfident as a viewer because you feel you ass a viewer are the only person who struggles with stuff on the first try :D
Thanks! Keep it up.
The one thing that would be very interesting is the microphone algorithm that allows it to pick out a voice command from a lot of background noise.
51:18 the user name "owner" and the 2 XML files you explored there are standard for android if u take a vanilla android image u can make additional users and the main will always be named owner and the other users when created will appear there also as u see in the first xml it prohibits the dialer and WiFi for the guest user and that's android standard too
Watching the joy of exploration in real time is so much fun. This is the true spirit of hacking! Thanks for sharing this journey and for diving in unscripted.
Matt the way you show the commands I love it thanks you, keep it up brother.
Thanks for making this video. I would like to understand this information enough, to apply it to a 1st generation Echo Plus for the purpose of repurposing the hardware. I have always felt that the ~9" tall cylinder has impressive features: Microphones, lighted volume ring, top function buttons, and a pretty great sounding speaker setup. Do you think the main board could be repurposed, or that a newly designed board could be fitted while maintaining the functionality of the other components? I have a new 1st generation Echo Plus I'd be willing to send you. Also is that a Ravens hat your wearing? 👍Let me know.
Some people call DD disk destroyer. That is because you must be careful with the if and of or you might erase what you tried to copy.
Nice
i agree... oh god D:
Great video Matt! The moniker "dd" stands for "data dumper" because it dumps data. Now you know!
i always call it disc destroyer - for uknown reasons ofc
@@DanielSimon1995 you can command DD to write all 0 preforming a low level format of the device destroying the disk to a layman
I always thought it stood for "copy and convert" but "cc" was already taken
@@kramermccabe8601 yeah, thats why i call it disc destroyer
Thank you! I've gone for an embarrassingly long time thinking that dd was just disk destroyer
the 700MB sized partitions are android A/B SYSTEM partitions. The big one that had "data" directory is what is wiped when you do factory reset, it contains.. well, data. And ye, it is android. /data directory may be very intresting on biggest partition. /data/data IIRC for application data. I would take a peek at files in there.
media / 0 is "sd card" storage in android
These are the type of videos I was looking for, Keep up the good work!
21:30 silicone is a thermal insulator. It has very low thermal conductivity.
Great video. I learned a lot.
Thats interesting because old days, as I remember, there was a silicon only (with no nowadays additives as silver or diamonds or so) paste for better heat conductivity to the cpu/psu radiator
@@jankomuzykant1844 silicon vs silicone
@@surewhynot6259 I mean silicone. The silicone paste looks like gel.
I'm sorry if I mess something, english is not my first language.
You can also use hot air on the chip or board while holding the braid with tweezers. As the solder liquifies, you use the braid to mop it up by just running it over.
Insane content. Its truly inspiring to see you in action.
I love how it has an android partition layout
It’s an IoT device. Many implementations use Android for its simplification and standard.
Do you ever do in-system programming (ISP) extractions?
What is that
also which terminal window manager do you use??
19:57 WOW reballing. What equipment do you use?
Boxers, for FreeBalling
Absolutely is an Android system, the runtime environment dalvik has a folder in the root directory which was the giveaway before the APK files.
It looks like Amazon took a sample image used by MediaTek for that chipset (probably originally made for Xiaomi as some of their stuff is on it) but I'm not sure if they are actually doing much more than running background services or even starting up the runtime environment as it seems like a lot of overhead for what is really just a glorified IoT microphone and DAC.
Yeah, that was my thought as soon as the premise of the video was made clear. Also while Amazon may slap their logo on a device they didn't manufacturer jack crap. Just bought a bulk amount of components, hired a company in China to assemble them, and a couple of internal software engineers to write an API to make it all work together and answer to ALEXA. The amount of usable information that could possibly be altered or repurposed for something else is minimal at best.
All these smart speakers run some android or linux because making applications for android is damn easy and android already comes with all drivers and tools needed
Really nice work Matt!
Thanks!
Matt, i stumbled upon your video after trying to solve the stuck red mute button and no ring light for my echo 4. I purchased as defective and unable to figure out the problem. Both do not reset and only light that turns on is red mute button at 2 different lighting levels. I'm guessing it's some type of firmware issue. Many others have the same problem and could you look at one in the used market? Follow up video would be awesome.
This was fantastic! Thanks for the great walkthrough. Let us know how it continues :)
thanks! this device was pretty interesting.
i have learned a lot hope you post more :) .
Hoping to do lots of new videos in 3023!
@@mattbrwn hope we dont have to wait that long. *eyeing the cryotank
Regarding "typing your password into youtube", why don't you just disable sudo prompting for passwords for users? by default there's a commented out entry in `visudo` that tells you how to do it.
haha yeah that's not a bad idea...
Should definitely add newer lower temp desoldering solder (like CHIPQUIK) to the bottom of that to alloy with it and lower the melting temp, making it easier to clean up with the braid
If you could find the JTAG pins you'd be able to read off the Flash w/o having to remove. We've used JTAG for debugging our boards but this one having a low chip count they may have omitted it, but it is the "modern" way to test production boards ("bed of nails" being the other).
What devices should I look at in the future?
I want starlink dishy :p .
What about participating in John McMasters reverse engineering of the XGecu programmer?
@@DJChol wow didn't know about this project! I currently use the xgecu software in wine. I'll look into this project!
How about something that requires fault injection/voltage glitching. For example to bypass rdp protection on an stm32. Hooking up to a uart shell or a jtag/swd debugger or mounting a filesystem is only so interesting.
I have really been enjoying your videos they are all great! I would love to see you mess around with a DVR for cameras maybe one that is locked and see if you can unlock it? Could probably find one at a goodwill too!
Not sure if you've covered this already but what microscope are you using? Could you go over the tools you have in a future video. Thank you!!!
Louis rossman.
Yeah I will do some videos soon on that. I get a lot of stuff based on Louis Rossmann's recommendations.
To reattach can you just use a solder mask and hope for the best or do you absolutely need to reball it?
As someone who hates the jumpcut-heavy, ADD-inducing, algorithm pandering meta... Love the uncut format.
Just watched this a year later after it was posted love it hope your doing more of this type of video already
id love to see more analysis of the google home mini.
That is REALLY great. Is there some way, we can exchange the extracted data, so people / others can work on Hacking the Bluetooth Firmware Update / Create alternative Firmware that does work without Amazon Stuff?
its illegal to share firmware dumps
@@u0000-u2x hm ok. It would be cool to know, if there is some way to enable adb.
@@FlorianGT396 xda forums is your friend
I have no interest (right now) to dump chips but I love that I'm learning some linux stuff while watching and picking up some hardware hacking tips. Thanks Matt!
Грубые загрязнения хорошо счищается мягкой зубной щеткой.
Чип от флюса хорошо чистить обычной салфеткой смоченной изопропиловым спиртом.
Incredibly well presented video. Thank you. I’ve been trying to understand how an IoT device that uses eMMC can be analysed, as I was only familiar with either simple 8-pin chips, or setups where the firmware could be downloaded without encryption.
The SSID or password could also be in some other flash/nvram storage that operates more like a k/v store, this is pretty common with some other devices, although this one has a lot of storage.
Likely that keychain apk would lead to more details.
damn my xgecu t48 wont read that emmc :( that reader you used is really expensive too. anyone else found another way to read these? i've tried soldering it onto an sd breakout board but they are really difficult to reball and fit
Yeah unfortunately these readers are the best way to go. Sometimes the pads are available for ICP but not always
To be honest it doesn't seem to make any financial sense, those components and fabrication and construction must have cost the same or more than I paid for it, especially when you say there is 16GB ram and 16G storage.
16gb storage is sus.
It's shared storage
It makes perfect financial sense, they sell them at a loss because they'll make the money back and more in ads and extra sales you make on it. It's the same reason printers are so cheap, they're selling the ink not the printers.
@@grayticoYep. In this case, your data is the “ink” that these run on😂
@graytico you mean they're a bit slow - they've only ever made massive losses, nobody buys on those things, yet they have stuck to making and selling them, maybe they are starting to suss out the business model about now, hence the heavy layoffs in this part of the business. Nice hardware, if I could figure out an actual use case, right now she is an expensive egg timer most of the time.
Im sure you have Googled it by now, but Echo uses FireOS (like on their tablets). Which is Android based.
Is there a serial port on the board and a username in the flash to login?
I'm trying to learn about writing firmware to cheap apple clone smartwatches and smartbands but I don't know where to look for tutorials on firmware development for mediatek chips and nrf chips.please guide 🙏
check out the PineTime watch!
www.pine64.org/pinetime/
wiki.pine64.org/wiki/PineTime
Its software and hardware is open source! You would be able to study the HW and SW for your own learning.
@@mattbrwni have seen the pinetime projectbut the hardware is not available easily in my country (India) please give me some course names which u followed
That just sounds like regular embedded firmware development. Find a development board with the same mcu that those cheap devices use, reverse engineer the spi/i2c pinouts for the peripherals, write and test your embedded firmware, and then flash it back onto the chip via jtag/swd assuming those cheap devices expose those debuggers
can we use easy jtag box to view file or manipulate the emmc
Will it ever be possible to overwrite the factory firmware with a Linux distro? There's currently a homebrew project using an RPi Zero 2W and Wyoming Satellite / Home Assistant to localize the voice assistant, but I prefer the big Echo's hardware for its elegance and sound "fidelity"
Your soldering iron tip looks pretty oxidized. If it’s been giving you trouble, make sure to keep a blob of solder on it when you’re putting it away. Tip should be nice and shiny for best results
He keeps it in lemon juice
What sources or publications did you use?
@mattbrwn still waiting on the detail Matt.
is it possible to do something similar to upgrade the storage chip on a fire stick?
Hey, did you ever get an Amazon Cloud Cam to try and get root access to?
Please do more of these videos.... Just starting out and Im learning a lot.
Would love to know your lab set up.
You should redo this process with an Echo that you have purchased and used yourself. See how much recognizable data you can find in an extraction.
Do you know how to bypass the activation window on echo show 15?
Great video, very detailed. What I wanna know is where in the world do you get that portrait in the background?
displate :)
I havent watched yet, but I'm excited to learn and will be back with notes!
Love hacking but new to hardware on this scale. Learning a lot here thanks so much!
Super Great format. Informative and fun to watch.
You're very brave just doing `cat` on files instead of xxd :)
For future readers, cat would not encode any escape characters in the contents of the files, which could lead the either corruption of state in your terminal emulator, or potentially worse
like the features, setup was difficult for some of my devices (August Door lock, ua-cam.com/users/postUgkxhB5YOMNj04GuoAosExygP4cH-dKeb4aB Bose speaker)... but all switches and outlets (5), thermostat, tankless water heater. Unfortunately all I can do is turn on/off Bose. It doesn't support volume or changing channels, but I believe that is due to the particular speaker I have.... Worth getting if you already have other devices to use it with... I don't sit around and ask Alexa questions much so that doesn't really matter to me....
It would be so cool to replace a memory chip with a bigger one and stuff it with lots of pirated mp3s, don't you think?
You could also change some scripts to start ssh server on startup and do other cool things to actually 0wn the device.
Maybe install a torrent client with a web-UI to control from your phone.
And after you patched it, you could go to the nearest guy repairing phones, he knows where or how to buy a special "mask" (a tiny board with lots of punched holes in it that strictly correspond the contacts on that chip) to apply on the chip and add little metallic balls in order to put it back on the board.
Restart, and you finally own it! 😀
P.S. Thanks for a great video! An instant sub from me!
start your comment with spoiler alert 🤣
Matt you are a genius 👏💯
No one is a genius in this field. I probably get imposter syndrome just as much as the next guy. Just keep learning!
apk files are generally use in android???
I just Subbed - You are pretty good, I want to see a channel where someone teaches Linux on a Kernel Level and goes Up from there... Everyone diverges onto like, Languages and stuff like that but that's not what I'm looking for, I wanna see someone show me how to vuild my own custom Kernel to run on an old Phone and how to force the UBOOT into eating my files and booting my Kernel... I would feel pretty accomplished at that point. The entry for alot of people needs to be the Kernel Level, Need someone to explain the Tools and Hardware that we need to start Learning Properly by RevEngineering Basic Junk... and you went over all that so Kudos! There is a lot of Useful Garbage out there, it would be cool to learn how to repurpose things into Other Stuff...Great Vids I already watched 3 of them...
dd stands for copy and convert, but since cc (c compiler) was already in use, they went for dd
It was originally in IBM's JCL (labeled as "Data Definition") too
39:40 - Haven't watched the whole video yet, but it definitely runs android. You would find the exact same file structure if you accesed the root filesystem of Android on your phone. The interesting part is in the /data folder, there's your whole userdata of Android. /data is where the userdata partition gets mounted, however it possibly uses encryption, so you would just see gibberish. What you can do to get a root shell on a live system is modify some files to enable adb root access.
I always understood dd to mean Disk to Disk, since its used for block level copying of data between devices.
Could you try to get us into our defunct Amazon Cloud Cams please, so we can use our own virtual servers instead of having a paperweight. (I know at one time they offered Blink replacements, but I missed that 🤷🏻♂️).
Very interesting. I'll pick one up on eBay and see what I can do.
Matt youre a god damn genius. My NEW favorite channel. Please keep at it mang
A masterful removal of the chip and great video dude! 😊 Now I might be a little dumb here (as im primarily a software developer) but how does the flux and alcohol not damage the chip itself? Clearly it doesn't, i think i just don't understand how 🤔
Flux and alcohol are just chemicals used to allow solder to flow and clean the chip respectively. Doesn't affect chip internals or contact points. The alcohol is 99.9% so no corrosion.
@@mattbrwn Aaaaah I get ya, thanks that makes more sense now! 😁 As I say, I mostly just write code, but I'm messing with SBCs at the moment so this kind of knowledge is going to be super useful!
39:55 No, the Amazon Echo does not run Android. It operates on a custom operating system called Fire OS, which is based on the Android Open Source Project (AOSP) but is heavily modified by Amazon for its devices.
You're not missing much without it ;p better off used for training purposes.
Heres to that hotplate reflow station though
yeah I've been wanting to get some BGA reball stencils and solder paste. This should be a good opportunity.
@@mattbrwn ebay is your friend:)
@@mattbrwn lookup theCarplayAiboxFriends
Love the video! Would be funny to replace Alexa with Mycroft.
Here's a hint for doing this kinda thing in future.... If you do a dd of the *entire* device, you can then add partitions using `kpartx -a` and have them all available to mount / check directly without having to do it partition by partition. You can also then use tools like binwalk to start mapping out things.
Cool video, please keep it up.
Thanks, will do!
Old, retired Unix admin from the 80's here. dd stands for disk dump. Surprised your man page didn't say that.
Matt, this is brilliant!! Thank you for sharing!
47:35 run `less` on the files in recover/log
edit: correction
Before this, I had no idea this is now my preferred entertainment..! Which is weird since I have no hacking skills whatsoever. 😅
Any way you can zoom more in when you are working in terminal
Yeah just realized that when editing my most recent video. Will keep that in mind next time
Dude! I thought you have learned the leasson... sunshade hats are for gardening or for harvesting berries in the fields...
Still repairing the roof?
I bet some journalist somewhere is gonna see this and spin up some article about "Are your Alexa's really safe?!!"
You should have just ran sdc under fdisk.
It would have identified all the partition types on the disk for you
That Baltimore Ravens hat got you my subscription.
Not a security expert, but I think it would be possible to restore your root password from the sound of your typing, especially given that you type another stuff there, so one could build a sound profile of your keyboard. Hope you've changed the password!
Haha that was my first thought too :)
Great video. Very interesting.
how about writing this firmware on a new board i mean like cloning cos this one is now a mess
this is great how you can get into the brains of electronics wish you were my neighbor would love to learn about scaning this new encryption that are becoming popular all over.i bet that could be hacked too.
Excited to see more :)
Easy to see you are quite inexperienced with soldering but keep at it and you will get better results. I cringed a lot when you used the solder braid tho. You used like 5% of it and still got a new strip. If you feel braid don’t work add fresh flux onto the braid and it soak up the tin. Use it until it’s full. Don’t waste or you might regret it when you need some but you’ve used it all. ;)
30:23 data definition
Should've look at the file that says don't panic hitch hikers guide to the galaxy reference