Amazon echo dot 2/locked hardware

kekepremier

New member
Dec 3, 2016
2
1
Hello everyone,

I recently bought an Amazon Echo Dot 2nd generation (smart home, voice control device from Amazon which runs with their voice recognition service Alexa) after struggling with open-source voice recognition projects (Jasper, Raspberry Pi).

Long story short, this device is running on Android 5.1, with a MediaTek CPU (MT8163), and I'm trying to gain access to it via USB.

When plugged via USB to a computer, a MT65XX preloader is first briefly detected, then it boots normally. I have no access through adb (and no screen to change settings). I found the way to boot into fastboot (hold action button on boot for those interested), but most of the useful commands (flash, boot,...) end with a "remote: the command you input is restricted on locked hw".

I got an answer for getvar all though:
Code:
(bootloader) 	lk_build_desc: 0e1d0d9-20161018_220224
(bootloader) 	prod: 1
(bootloader) 	unlock_status: false
(bootloader) 	unlock_code: 0x627cf130f18b078f
(bootloader) 	serialno: G090LF09646208F0
(bootloader) 	max-download-size: 0x6d00000
(bootloader) 	warranty: no
(bootloader) 	secure: yes
(bootloader) 	kernel: lk
(bootloader) 	product: BISCUIT
(bootloader) 	version-preloader: 0.1.00
(bootloader) 	version: 0.5
all: Done!!
finished. total time: 0.004s

Does the "locked hw" bit mean there is a lock on the NAND memory which can only be removed on the hw, or is this something to do with the bootloader? And possibly, is there some way to go around this restriction to gain root access of this device?

If I'm not clear enough (I'm not an expert in Android dev), feel free to ask.
 
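Added example, not part of any post in this thread: a small parser for the `fastboot getvar all` output quoted above that extracts the variables describing the bootloader's own lock state. Reading `secure` and `prod` as secure-boot and production flags is an assumption based on their names, and the function names are hypothetical.

```python
import re

# Sample input: the `fastboot getvar all` output quoted in the post above.
SAMPLE = """\
(bootloader) lk_build_desc: 0e1d0d9-20161018_220224
(bootloader) prod: 1
(bootloader) unlock_status: false
(bootloader) unlock_code: 0x627cf130f18b078f
(bootloader) serialno: G090LF09646208F0
(bootloader) max-download-size: 0x6d00000
(bootloader) warranty: no
(bootloader) secure: yes
(bootloader) kernel: lk
(bootloader) product: BISCUIT
(bootloader) version-preloader: 0.1.00
(bootloader) version: 0.5
all: Done!!
finished. total time: 0.004s
"""

LINE_RE = re.compile(r"^\(bootloader\)\s+([\w-]+):\s*(.*)$")

def parse_getvar(text):
    """Map each '(bootloader) name: value' line to a dict entry; skip status lines."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def lock_posture(v):
    """Summarise the lock state the bootloader reports about itself.
    Treating 'secure' and 'prod' as secure-boot and production flags is an
    assumption based on the variable names, not on vendor documentation."""
    size = v.get("max-download-size")
    return {
        "product": v.get("product"),
        # Only an explicit "false" counts as locked; missing or odd values do not.
        "locked": v.get("unlock_status", "").lower() == "false",
        "secure_flag": v.get("secure", "").lower() == "yes",
        "production_flag": v.get("prod") == "1",
        "unlock_code_exposed": "unlock_code" in v,
        "max_download_mib": int(size, 0) // (1 << 20) if size else None,
    }

if __name__ == "__main__":
    for name, value in lock_posture(parse_getvar(SAMPLE)).items():
        print(f"{name}: {value}")
```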

bibikalka

Senior Member
May 14, 2015
1,419
1,104
Most likely this means a locked bootloader, same story as FireTV stick2.

I think that without any screen it'll be hard to even get into ADB. I wonder if ADB is turned on by default. Try ADB over network using the IP address, see if it's going to let you in. If ADB is working, you can try the DirtyCow exploit.

Observe that on FireTV2 I could use a combination of things and actually now I have ADB working over the USB cable :
http://forum.xda-developers.com/fire-tv/general/firetv-stick2-tank-dirtycow-exercises-t3511871
Kingroot has not succeeded yet, but perhaps future versions might work.
 

kekepremier

New member
Dec 3, 2016
2
1
Thanks for the information. Unfortunately, I wasn't able to access adb, either by usb or wifi.

They seemed to have done a good job locking this device up. I will try to open it to see what I can get from its board.
 

razgriz1234

Senior Member
Mar 23, 2012
78
5
adb

I think I read something about having to push the dot button on it for 5+ secs to turn on adb for a short period, and I'm not sure whether that's adb by wire or by wifi.

EDIT: OK, so I went back and found the article. It's fastboot over wire, but it is a locked bootloader.
 

Jayr00

Member
Apr 11, 2008
10
1
+1 for loading the Google Assistant SDK onto an echo dot. That's currently what I'm trying to do. I have a rpi3 that I could use, but this hardware is perfectly suited for this...and cheaper than buying the rpi hardware!
 

SoulInferno

Member
Jun 2, 2014
20
6
Regarding information on the vanderport.com blog, there is some research done about rooting Amazon Echo devices. One of them mentions a JTAG method / eMMC extender root boot that might work...
..interesting.
 

r3pwn

Inactive Recognized Developer
Jul 11, 2012
1,745
2,046
Lakeland, FL
r3pwn.com
That's only for the 1st generation Echo and Echo Dot. The 2nd Gen Echo Dot is missing the testpoints on the board for that, and runs Android instead of a Linux distribution.
 

zeroepoch

Senior Member
Dec 30, 2010
313
215
San Jose, CA
www.zeroepoch.com
Maybe you guys could try using my old AFTV2 tools to see if you can get the preloader to read/write the flash (assuming they didn't disable the commands you need like they eventually did on the AFTV2).

https://gitlab.com/zeroepoch/aftv2-tools

---------- Post added at 05:49 PM ---------- Previous post was at 05:16 PM ----------

Nope, I just tried them on my Amazon Echo Dot 2 just because I became curious. It handshakes fine with the preloader, but as soon as you send the 32-bit read command, and address + size, it never sends back the expected ok status bytes (or any bytes) and just hangs.
 

skn294

New member
Apr 3, 2018
1
0
Guys, did anyone see any meaningful progress towards getting "root" access on Echo Dot 2?
 

r3pwn

Inactive Recognized Developer
Jul 11, 2012
1,745
2,046
Lakeland, FL
r3pwn.com
If anyone's feeling adventurous, here's the eMMC pinout for the device.
6xRQvQq.png


Note, I did not find this out myself, I got it from this set of slides.

And if you do decide to try to solder an adapter to those, make note: those capacitors/resistors are super tiny, and be careful.
 

sudofox

New member
Jul 15, 2019
1
0
That's really useful information, thanks!
With how cheap these devices are nowadays, I don't see why it's not worth the risk of bricking the device to get back to hacking on it. I wonder if the eMMC is encrypted or not?
 
