Creating CFW for Amazon Echos


GuruPrasadAH

Member
Sep 13, 2021
So people, all people in this thread know that all Echos run Android (ok, Fire OS) and creating a CFW would be trivial because of what I've discovered:

If you search Amazon source code on Google, you can see a page that provides kernel, vendor etc. for Amazon Echos.

WHAT IT also provides is verity keys!!!!!

So even though the bootloader can't be unlocked, why can't we build a ROM that uses verified boot from these keys to create a CFW?

Share your thoughts.

Chill
GuruPrasadAH

EDIT: Some of you are probably wondering, wth is a verity key? Well, it is what is used to make a vbmeta image. The system partition is then checked for tampering using the hash from this image, and only then will it boot. So it will make a custom ROM seem like an official firmware update to the Echo.
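As an added illustration of the check described in the EDIT above (this is example code written for this page, not code from the thread, from Amazon or from AOSP): a small dm-verity-style hash tree in Python. The tree stored on flash is untrusted; only the root hash is trusted, because on a real device it is carried in the signed vbmeta image, and the public key only lets the bootloader verify that signature. The block size, salt and the "system" image are constructed for the example.

```python
import hashlib

BLOCK_SIZE = 4096   # dm-verity's default data and hash block size
DIGEST = "sha256"


def _split_blocks(data: bytes, size: int = BLOCK_SIZE) -> list:
    """Split data into fixed-size blocks, zero-padding the final one."""
    padded = data + b"\x00" * (-len(data) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def _hash_block(block: bytes, salt: bytes) -> bytes:
    # dm-verity hashes salt || block for both data blocks and hash blocks
    return hashlib.new(DIGEST, salt + block).digest()


def build_hash_tree(data: bytes, salt: bytes):
    """Build the Merkle tree bottom-up. levels[0] holds one digest per data
    block; each higher level hashes the packed digests of the level below,
    until a single root remains. Returns (root_hash, levels)."""
    level = [_hash_block(b, salt) for b in _split_blocks(data)]
    levels = [level]
    while len(level) > 1:
        level = [_hash_block(b, salt) for b in _split_blocks(b"".join(level))]
        levels.append(level)
    return level[0], levels


def verify_block(index: int, block: bytes, levels, root_hash: bytes, salt: bytes) -> bool:
    """Check one data block the way the kernel does on read: the block must
    hash to its leaf, every stored hash block must hash to its parent entry,
    and the top of the tree must equal the trusted root. `levels` is the
    untrusted tree stored next to the data; only root_hash is trusted."""
    per_block = BLOCK_SIZE // len(root_hash)          # digests per hash block
    if index >= len(levels[0]) or _hash_block(block, salt) != levels[0][index]:
        return False
    for depth in range(len(levels) - 1):
        parent = index // per_block
        start = parent * per_block
        packed = b"".join(levels[depth][start:start + per_block])
        packed += b"\x00" * (BLOCK_SIZE - len(packed))   # pad like a stored block
        if parent >= len(levels[depth + 1]) or _hash_block(packed, salt) != levels[depth + 1][parent]:
            return False
        index = parent
    return levels[-1][0] == root_hash


def demo():
    """Constructed 'system' image of just over three blocks, checked intact,
    with one byte flipped, and with the on-flash tree rewritten to match."""
    salt = b"\x01" * 32                                   # constructed salt
    image = bytes(i % 251 for i in range(3 * BLOCK_SIZE + 100))
    root, levels = build_hash_tree(image, salt)
    blocks = _split_blocks(image)
    intact_ok = all(verify_block(i, b, levels, root, salt) for i, b in enumerate(blocks))

    tampered = bytearray(blocks[1])
    tampered[10] ^= 0xFF                                  # flip one byte in block 1
    tampered_ok = verify_block(1, bytes(tampered), levels, root, salt)

    # Rewriting the stored tree to match the modified block still fails,
    # because the root is pinned by the signed vbmeta, not by the tree on flash.
    forged = [list(lvl) for lvl in levels]
    forged[0][1] = _hash_block(bytes(tampered), salt)
    forged_tree_ok = verify_block(1, bytes(tampered), forged, root, salt)
    return intact_ok, tampered_ok, forged_tree_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The third case is the one that matters for the proposal in this thread: the tree and the data can both be rewritten freely, but the root hash they must reach is fixed by whatever signed the vbmeta image.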
 

p0rtL

New member
Jan 21, 2022
> So people, all people in this thread know that all Echos run Android (ok, Fire OS) and creating a CFW would be trivial because of what I've discovered:
>
> If you search Amazon source code on Google, you can see a page that provides kernel, vendor etc. for Amazon Echos.
>
> WHAT IT also provides is verity keys!!!!!
>
> So even though the bootloader can't be unlocked, why can't we build a ROM that uses verified boot from these keys to create a CFW?
>
> Share your thoughts.
>
> Chill
> GuruPrasadAH
>
> EDIT: Some of you are probably wondering, wth is a verity key? Well, it is what is used to make a vbmeta image. The system partition is then checked for tampering using the hash from this image, and only then will it boot. So it will make a custom ROM seem like an official firmware update to the Echo.

Has anyone attempted to actually build a ROM with this method?
 

ROM_gamer987

Senior Member
> So people, all people in this thread know that all Echos run Android (ok, Fire OS) and creating a CFW would be trivial because of what I've discovered:
>
> If you search Amazon source code on Google, you can see a page that provides kernel, vendor etc. for Amazon Echos.
>
> WHAT IT also provides is verity keys!!!!!
>
> So even though the bootloader can't be unlocked, why can't we build a ROM that uses verified boot from these keys to create a CFW?
>
> Share your thoughts.
>
> Chill
> GuruPrasadAH
>
> EDIT: Some of you are probably wondering, wth is a verity key? Well, it is what is used to make a vbmeta image. The system partition is then checked for tampering using the hash from this image, and only then will it boot. So it will make a custom ROM seem like an official firmware update to the Echo.

Where did you find the verity keys? Couldn't find them anywhere.
 

j10hx40r

Member
Nov 2, 2021
I just checked and those are public keys, not private ones, so it's pretty much useless.
If we can unlock the Echo, then it's possible to disable dm-verity by using fos_flag as 0x80. Also SELinux can be disabled by using dev_flags as 0x40.

I have tried this already on my Echo Dot 2nd gen and was successful with the same. The only problem I have is I had to boot via USB to boot from a patched preloader and patched LK to have the device recognize itself as unlocked.

I tried porting the amonet exploit that is used to unlock many Fire devices by @k4y0z and @xyz` to my Echo Dot but hit a dead end when it came to modifying the inject_microloader.py file. So now I am limited to booting via USB. I am planning to use a Pi Pico and an OTG splitter cable so that I can pass the patched preloader without having to rely on a computer.
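The point about the published keys being public ones can be seen from the key format itself. The following is an added example written for this page, not code from the thread, from Amazon or from the AOSP avbtool: it serialises and parses the libavb public-key layout (big-endian key_num_bits and n0inv, then the modulus n and rr = r^2 mod n, each key_num_bits/8 bytes) and shows that the blob carries everything a bootloader needs to verify a signature and nothing that would let anyone produce one. The 32-bit toy key pair, its two primes and the unpadded hash-then-RSA signature are constructed for the example; real AVB keys are 2048 or 4096 bits with PKCS#1 v1.5 padding.

```python
import hashlib
import struct

# AVB fixes the public exponent at 65537; the key blob never carries an exponent.
AVB_PUBLIC_EXPONENT = 65537


def encode_avb_pubkey(modulus: int) -> bytes:
    """Serialise an RSA modulus in libavb's AvbRSAPublicKeyHeader layout:
    big-endian key_num_bits, n0inv, then n and rr, each key_num_bits/8 bytes."""
    num_bits = modulus.bit_length()
    if num_bits % 8 or modulus % 2 == 0:
        raise ValueError("modulus must be odd and a whole number of bytes")
    size = num_bits // 8
    n0inv = (-pow(modulus, -1, 1 << 32)) % (1 << 32)   # -1/n[0] mod 2^32
    rr = pow(1 << num_bits, 2, modulus)                 # r^2 mod n, r = 2^num_bits
    return (struct.pack("!II", num_bits, n0inv)
            + modulus.to_bytes(size, "big")
            + rr.to_bytes(size, "big"))


def parse_avb_pubkey(blob: bytes) -> dict:
    """Parse a blob and check the same consistency conditions a verifier
    relies on; raise ValueError on any mismatch."""
    if len(blob) < 8:
        raise ValueError("blob too short for header")
    num_bits, n0inv = struct.unpack("!II", blob[:8])
    size = num_bits // 8
    if num_bits % 8 or len(blob) != 8 + 2 * size:
        raise ValueError("length does not match key_num_bits")
    n = int.from_bytes(blob[8:8 + size], "big")
    rr = int.from_bytes(blob[8 + size:], "big")
    if n.bit_length() != num_bits or n % 2 == 0:
        raise ValueError("modulus does not match key_num_bits or is even")
    if (n0inv * n) % (1 << 32) != (1 << 32) - 1:
        raise ValueError("n0inv is not -1/n mod 2^32")
    if rr != pow(1 << num_bits, 2, n):
        raise ValueError("rr is not r^2 mod n")
    # Note what is present: n, and precomputed helpers derived from n. No d.
    return {"num_bits": num_bits, "modulus": n, "n0inv": n0inv, "rr": rr}


def toy_sign(message: bytes, d: int, n: int) -> int:
    # Textbook RSA over a SHA-256 digest with no padding: illustration only.
    # This needs the private exponent d, which the public blob does not contain.
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big") % n, d, n)


def verify_with_blob(blob: bytes, message: bytes, signature: int) -> bool:
    """Everything the verifier (the bootloader) needs is in the public blob."""
    n = parse_avb_pubkey(blob)["modulus"]
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, AVB_PUBLIC_EXPONENT, n) == expected


# Constructed toy key pair (32-bit modulus from two small primes) so the
# example runs instantly; it is far too small to be secure.
TOY_P, TOY_Q = 65521, 65519
TOY_N = TOY_P * TOY_Q
TOY_D = pow(AVB_PUBLIC_EXPONENT, -1, (TOY_P - 1) * (TOY_Q - 1))
TOY_BLOB = encode_avb_pubkey(TOY_N)


def demo():
    """Sign with the private half, verify with only the public blob, and show
    the same signature does not verify for a different payload."""
    msg = b"vbmeta payload (constructed)"
    sig = toy_sign(msg, TOY_D, TOY_N)
    ok = verify_with_blob(TOY_BLOB, msg, sig)
    other = verify_with_blob(TOY_BLOB, b"modified payload (constructed)", sig)
    return ok, other, len(TOY_BLOB)


if __name__ == "__main__":
    print(demo())   # (True, False, 16)
```

A useful habit when someone posts "keys" from a vendor source drop is to run them through a parser like this first: if the file parses as key_num_bits, n0inv, n, rr, it is a verification key for the bootloader and contributes nothing to building a signed image.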
 

ROM_gamer987

Senior Member
> If we can unlock the Echo, then it's possible to disable dm-verity by using fos_flag as 0x80. Also SELinux can be disabled by using dev_flags as 0x40.
>
> I have tried this already on my Echo Dot 2nd gen and was successful with the same. The only problem I have is I had to boot via USB to boot from a patched preloader and patched LK to have the device recognize itself as unlocked.
>
> I tried porting the amonet exploit that is used to unlock many Fire devices by @k4y0z and @xyz` to my Echo Dot but hit a dead end when it came to modifying the inject_microloader.py file. So now I am limited to booting via USB. I am planning to use a Pi Pico and an OTG splitter cable so that I can pass the patched preloader without having to rely on a computer.

You unlocked the bootloader? Mine won't do that (1st gen), it just tells me it's unsupported.
 

j10hx40r

Member
Nov 2, 2021
> You unlocked the bootloader? Mine won't do that (1st gen), it just tells me it's unsupported.

Saying that I unlocked the bootloader is not really 100% true. It's more like I patched the bootloader to always say that the device is already unlocked.

My device has an MT8163 processor, the same as the Amazon Fire HD Karnak and Douglas tablets. So I took the amonet exploit code for those tablets and modified the script so that it doesn't try to flash the lk-payload, microloader or TWRP to the device. I still kept the part that writes zeros to the preloader so that I don't have to short my eMMC every time I have to boot the device from the patched preloader. Initially I also modified the script to dump the complete eMMC. The script took 2 days to dump the whole eMMC. I used the eMMC dump to get OTA URLs and also to do some initial analysis of the stock ROM and its capabilities.

Then I used Ghidra to analyze the preloader and LK that I found in the OTAs and then patched them to bypass lk_verification and unlock code checking respectively. I then flashed the patched LK to the device and am currently using mtkclient's plstage command to boot using the patched preloader.

If you want, I can try to help you do the same as well. You mentioned that your device is first gen. I don't have a first gen, but based on the teardown, it doesn't seem to be based on MediaTek. So not sure how much of it is possible for your device.
 

ROM_gamer987

Senior Member
> Saying that I unlocked the bootloader is not really 100% true. It's more like I patched the bootloader to always say that the device is already unlocked.
>
> My device has an MT8163 processor, the same as the Amazon Fire HD Karnak and Douglas tablets. So I took the amonet exploit code for those tablets and modified the script so that it doesn't try to flash the lk-payload, microloader or TWRP to the device. I still kept the part that writes zeros to the preloader so that I don't have to short my eMMC every time I have to boot the device from the patched preloader. Initially I also modified the script to dump the complete eMMC. The script took 2 days to dump the whole eMMC. I used the eMMC dump to get OTA URLs and also to do some initial analysis of the stock ROM and its capabilities.
>
> Then I used Ghidra to analyze the preloader and LK that I found in the OTAs and then patched them to bypass lk_verification and unlock code checking respectively. I then flashed the patched LK to the device and am currently using mtkclient's plstage command to boot using the patched preloader.
>
> If you want, I can try to help you do the same as well. You mentioned that your device is first gen. I don't have a first gen, but based on the teardown, it doesn't seem to be based on MediaTek. So not sure how much of it is possible for your device.

Both 1st and 2nd gen Echo Show 5s do have the same CPU.
 

salvatore_capolino

New member
Feb 28, 2023
So you have an Echo Show. You never said that before, so I thought you had an Echo or an Echo Dot like me.

> Both 1st and 2nd gen Echo Show 5s do have the same CPU.

Hello, can you post an image of the eMMC for educational purposes? I have a 2nd gen Echo and I want to work in collaboration to realize a universal ROM image.... Hi
 
