FORUMS
Remove All Ads from XDA

Amazon echo dot 2/locked hardware

2 posts
Thanks Meter: 1
 
By kekepremier, Junior Member on 3rd December 2016, 11:33 PM
Post Reply Email Thread
Hello everyone,

I recently bought an amazon echo dot 2nd generation ( smart home, voice control device from amazon which runs with their voice recognition service Alexa ) after struggling with open-source voice recognition projects (jasper, raspberry pi).

Long story short, this device is running on android 5.1, with a mediatek cpu (MT8163) and i'm trying to gain access to it via usb.

When plugged via usb to a computer, a MT65XX preloader is first briefly detected, then it boots normally. I have no access through adb (and no screen to change settings). I found the way to boot into fastboot (hold action button on boot for those interested), but most of the useful commands (flash, boot,...) end with a "remote: the command you input is restricted on locked hw".

I got an answer for getvar all thought:
Code:
(bootloader) 	lk_build_desc: 0e1d0d9-20161018_220224
(bootloader) 	prod: 1
(bootloader) 	unlock_status: false
(bootloader) 	unlock_code: 0x627cf130f18b078f
(bootloader) 	serialno: G090LF09646208F0
(bootloader) 	max-download-size: 0x6d00000
(bootloader) 	warranty: no
(bootloader) 	secure: yes
(bootloader) 	kernel: lk
(bootloader) 	product: BISCUIT
(bootloader) 	version-preloader: 0.1.00
(bootloader) 	version: 0.5
all: Done!!
finished. total time: 0.004s
Does the "locked hw" bit means there is a lock on the NAND memory which can only be removed on the hw, or is this something to do with the bootloader? And possibly, is there some way to go around this restriction to gain root access of this device?

If i'm not clear enough (I'm not an expert in android dev), feel free to ask.
The Following User Says Thank You to kekepremier For This Useful Post: [ View ] Gift kekepremier Ad-Free
 
 
4th December 2016, 03:37 AM |#2  
Senior Member
Thanks Meter: 1,016
 
More
Quote:
Originally Posted by kekepremier

Hello everyone,

I recently bought an amazon echo dot 2nd generation ( smart home, voice control device from amazon which runs with their voice recognition service Alexa ) after struggling with open-source voice recognition projects (jasper, raspberry pi).

Long story short, this device is running on android 5.1, with a mediatek cpu (MT8163) and i'm trying to gain access to it via usb.

When plugged via usb to a computer, a MT65XX preloader is first briefly detected, then it boots normally. I have no access through adb (and no screen to change settings). I found the way to boot into fastboot (hold action button on boot for those interested), but most of the useful commands (flash, boot,...) end with a "remote: the command you input is restricted on locked hw".

I got an answer for getvar all thought:

Code:
(bootloader) 	lk_build_desc: 0e1d0d9-20161018_220224
(bootloader) 	prod: 1
(bootloader) 	unlock_status: false
(bootloader) 	unlock_code: 0x627cf130f18b078f
(bootloader) 	serialno: G090LF09646208F0
(bootloader) 	max-download-size: 0x6d00000
(bootloader) 	warranty: no
(bootloader) 	secure: yes
(bootloader) 	kernel: lk
(bootloader) 	product: BISCUIT
(bootloader) 	version-preloader: 0.1.00
(bootloader) 	version: 0.5
all: Done!!
finished. total time: 0.004s
Does the "locked hw" bit means there is a lock on the NAND memory which can only be removed on the hw, or is this something to do with the bootloader? And possibly, is there some way to go around this restriction to gain root access of this device?

If i'm not clear enough (I'm not an expert in android dev), feel free to ask.

Most likely this means a locked bootloader, same story as FireTV stick2.

I think that without any screen it'll be hard to even get into ADB. I wonder if ADB is turned on by default. Try ADB over network using the IP address, see if it's going to let you in. If ADB is working, you can try the DirtyCow exploit.

Observe that on FireTV2 I could use a combination of things and actually now I have ADB working over the USB cable :
http://forum.xda-developers.com/fire...cises-t3511871
Kingroot has not succeeded yet, but perhaps future versions might work.
The Following User Says Thank You to bibikalka For This Useful Post: [ View ] Gift bibikalka Ad-Free
5th December 2016, 07:14 PM |#3  
OP Junior Member
Thanks Meter: 1
 
More
Thanks for the information. Unfortunately, I wasn't able to access adb, either by usb or wifi.

They seemed to have done a good job locking this device up. I will try to open it to see what I can get from it's board.
28th March 2017, 06:59 PM |#4  
Member
Thanks Meter: 5
 
More
adb
i think i read something about having to push the dot button on it for 5+ secs to turn on adb for a short period and im not sure wether thats adb by wire or by wifi

EDIT: ok so i went back and found the article its fastboot over wire but it is a locked bootloader
27th April 2017, 09:23 PM |#5  
xd1936's Avatar
Senior Member
Thanks Meter: 105
 
Donate to Me
More
It would be awesome if we could exploit this and get some kind of Linux or Android going on it, so we could turn it into a Google Assistant SDK device
The Following User Says Thank You to xd1936 For This Useful Post: [ View ] Gift xd1936 Ad-Free
18th May 2017, 10:09 PM |#6  
Junior Member
Thanks Meter: 1
 
More
+1 for loading the Google Assistant SDK onto an echo dot. That's currently what I'm trying to do. I have a rpi3 that I could use, but this hardware is perfectly suited for this...and cheaper than buying the rpi hardware!
The Following User Says Thank You to Jayr00 For This Useful Post: [ View ] Gift Jayr00 Ad-Free
13th June 2017, 09:34 PM |#7  
Junior Member
Thanks Meter: 6
 
More
regarding informations on vanderport.com blog, there are some research done about rooting amazon echo devices. One of them mentions a jtag method / emmc extender root boot that may could work...
..interesting.
26th June 2017, 01:48 AM |#8  
Quote:
Originally Posted by SoulInferno

regarding informations on vanderport.com blog, there are some research done about rooting amazon echo devices. One of them mentions a jtag method / emmc extender root boot that may could work...
..interesting.

That's only for the 1st generation Echo and Echo Dot. The 2nd Gen Echo Dot is missing the testpoints on the board for that, and runs Android instead of a Linux distribution.
The Following User Says Thank You to r3pwn For This Useful Post: [ View ] Gift r3pwn Ad-Free
9th July 2017, 01:49 AM |#9  
Senior Member
Flag San Francisco, CA
Thanks Meter: 214
 
Donate to Me
More
Maybe you guys could try using my old AFTV2 tools to see if you can get the preloader to read/write the flash (assuming they didn't disable the commands you need like they eventually did on the AFTV2).

https://gitlab.com/zeroepoch/aftv2-tools

---------- Post added at 05:49 PM ---------- Previous post was at 05:16 PM ----------

Quote:
Originally Posted by zeroepoch

Maybe you guys could try using my old AFTV2 tools to see if you can get the preloader to read/write the flash (assuming they didn't disable the commands you need like they eventually did on the AFTV2).

https://gitlab.com/zeroepoch/aftv2-tools

Nope I just tired them on my Amazon Echo Dot 2 just because I became curious. It handshakes fine with the preloader but as soon as you send the 32-bit read command, and address + size, it never sends back the expected ok status bytes (or any bytes) and just hangs.
3rd April 2018, 07:08 PM |#10  
Junior Member
Thanks Meter: 0
 
More
Guys, did anyone see any meaningful progress towards getting "root" access on Echo Dot 2?
16th April 2018, 11:47 AM |#11  
Junior Member
Thanks Meter: 0
 
More
Amazon Echo Tech Support
For any kind of Amazon Echo assistance, you can contact @ +1-888-293-1413.
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes