
Questions on the process. #1

santiac89 opened this issue Jun 5, 2023 · 41 comments

Comments

@santiac89

Hey, just reaching out since I'm diving into the same but with less experience.

I've tried UART and USB, but in fastboot I don't get a green ring on the device, nor does fastboot list the device. I'm wondering if I'm doing the connection wrongly since I'm only using 3 of the pads (D-, D+, GND). On the other hand, a USB device is appearing on my computer, so I'm not entirely sure. I'm using a female USB-C connector as the interface, maybe I made a mistake trying to figure out which pad goes to which pin.

Besides that, I tried https://github.com/MTK-bypass/bypass_utility which allegedly disables bootrom protection, and then using SP Flash Tool I'm trying to dump the entire memory of the thing. The thing is that I'm missing a scatter file for it; do you think it is possible to build one just using the partition table that you documented? (btw, my UART log shows a different and shorter partition table, maybe a SW difference?)

As I mentioned, I'm a beginner in all of this so probably most of what I mentioned makes no sense or is incorrect.

Hope you are good!

@jvandewiel
Owner

Hi, thank you for your interest in this little project :-). I have been working on this on and off over the past year, and will have to update some information on the wiki/repo, which I will do this week.

I have tried a couple of different tools that are used for bypassing the bootloader protection (I will add a page on the tools), but none of them with success, including the MTK-bypass utility and the flash tool. There is bootloader source code available (I will add a page to the wiki) and it is possible to interact with the bootloader, but none of the things I have tried get me much further. I also tried the scatter file, and did not get it to work. I do have the dump from the flash and managed to de-scramble it and find out more about the filesystems and files that are used, but also here ran into some challenges. I am also not sure how much of this can legally be shared via github.

What you can try is to connect to the UART - you only need 2 - and connect TM54 to GND (it is to the right of the connector on the main board), which gave me this log which I think goes into fastboot. Let me try to collect and structure some more info and add it to the wiki.

When I started this I did not know anything either, still don't, but it's always fun to learn something new :-)

@santiac89
Author

Thanks for the response!

Regarding what you mention about the bypass utility, I believe it did bypass the protection for me. I will later share some output logs, but there is another tool called mtkclient which showed me some more info about the matter. What I did was first run MTK-bypass and later retrieve some information, and the output showed SLA, SBC and DAA as disabled. But still, I'm not sure if that is really the case.

I also managed through mtkclient to dump the brom, preloader and sram, presumably successfully. Not sure what to do with that though; I passed it to ghidra and managed to see some decompiled strings and functions but did not give it too much time to be honest.

Something I noticed about your log is that the partition table printed at the end differs from mine, as I mentioned earlier. I will try pulling TM54 to ground to check if the output is different.

Glad to hear that you are still working on it! Good work so far! And I agree, always fun to learn!

@jvandewiel
Owner

Hi, I would very much like to try the mtkclient approach, see if it works for me as well. I have managed to read the flash data and have the binary images, but it is hard to actually read, and I have tried a lot of things to get from the original binary data from the flash via xor-ing, various filesystems (ubifs, squash, etc.) to something that resembles files and directories, but with very little success. But it gives a benchmark to compare against when reading via MTK-bypass and mtkclient. I will look into that.

The partitions and what is logged can indeed be different, I also have a later dot firmware version which does not even show the partition data in any of the UART logs.

@jvandewiel
Owner

Hi, I did a quick check of the files you have uploaded in the mtkclient issue.

The preloader looks good - see the brhgptpl_0.bin file here, which is basically a (semi-raw) dump of the brhgptpl partition that I read from the flash, where you find the same data as in your preloader starting at offset 24576 in that file. This helps me as well, because I was trying to find a way to convert/map the raw flash data (4096 bytes per flash page with xor-data and ecc-data) to something else, and with this I think I can figure that out.

The brom also looks good, I can recognize some of the strings that are also in the above linked file, at least the following:

  • BRLYT at brom offset 15900 which is a header at offset 3072 in brhgptpl_0.bin
  • [USBDL] at brom offset 24330 which is also logged in the UART logs, it is the brom waiting for a USB connection (and what you used with the bypass)
  • MMMFILE_INFO at brom offset 58149 which is referring to the MMM-related headers at offset 24576 in brhgptpl_0.bin, see also here
  • NFIINFO.BOOTLOADER at brom offset 67668 which is referring to the bootloader header at offset 0 in brhgptpl_0.bin

So I would say this looks very promising!

What is in the sram data?

@santiac89
Author

I checked it really fast yesterday and it was mostly strings, but again I have no experience and didn't put much time into it.
I'm writing this really fast since I need to go out right now but will come back. Meanwhile, here is the file.

sram_mt8516_echo_dot_3.zip

Will come back later and check your messages :)

@santiac89
Author

I checked the sram file a bit with ghidra and, as I said, there are a lot of strings; they seem to be templates of what the device spits out through UART when booting.

[image]

@jvandewiel
Owner

I don't know what the right settings are to load the brom into ghidra - I tried various languages (i.e. arm v8a, le 64 bits) and ram offsets, but I don't get any function tree or anything, except for the same strings as you have. I would expect that the brom can be loaded and it is possible to find i.e. the USB connection functions and see how the functions are related. A bit more research is needed. Also never really used ghidra, so no idea what the right approach is...

Maybe I will try with my echo version to get the same files - did you use the mtk-bypass and client tools in Windows or Linux or other?

@santiac89
Author

I'm running on Windows 10.

From what I checked, the processor is a Cortex-A35 (64-bit Armv8-A). But ghidra can't decompile it for some reason (could it be encryption?).

If you use arm v8 as the language it can decompile some, but there is also some stuff at the end that I guess it cannot; it appears as ?? symbols but I'm not sure if that means that it is not decompiled or something else (maybe data?).

[image]

I never used ghidra before so I'm in the same boat.

@jvandewiel
Owner

OK, I am running Ubuntu and Windows 11. On Ubuntu the bypass utility fails, on Windows it is stuck. Do you have a step-by-step on how you managed to run the bypass and mtk client utils, and the payload you used for the bypass?

I think, if you managed to get the brom, sram etc, that with a scatter file it might be possible to get a dump from the flash. I tried once to put something together - maybe this helps as a start, see this google sheet under the scatter tab. It concatenates in the O column which you can copy to a text file. Some basic parameters might be needed as well (e.g. page size).

I think it might also be possible to get the scatter from the sram dump, will look into that, specifically if your partition table is different. But with your results so far, I would think it becomes possible to dump the flash, bypass the security in the bootloader or LK and flash a modified version.

@santiac89
Author

santiac89 commented Jun 8, 2023

Actually, I think my table is shorter due to a communication issue only. I'm using a JTAGulator and the 921600 baud rate is not entirely supported; I added it myself to the firmware but it seems to skip bytes at that speed.

What I do is:

  1. MTK-bypass setup:
    a. Download https://github.com/MTK-bypass/exploits_collection
    b. Download https://github.com/MTK-bypass/bypass_utility
    c. Move contents of exploits_collection to the bypass_utility folder
  2. Connect device to USB and UART but no power.
  3. Run (python3) PS C:\Users\XXXX\Development\EchoDotV3\bypass_utility> python .\main.py
    a. I don't specify payload but it is using payload_mt8167.bin that I downloaded from exploits_collection.
  4. Connect the power cord while pressing the Dot button (like fastboot mode)
    Output:
[2023-06-07 16:48:08.666633] Waiting for device
(Once power is applied while pressing dot button)
[2023-06-07 16:48:14.038230] Found device = 0e8d:0003

[2023-06-07 16:48:14.280230] Device hw code: 0x8167
[2023-06-07 16:48:14.281230] Device hw sub code: 0x8a00
[2023-06-07 16:48:14.281230] Device hw version: 0xcb00
[2023-06-07 16:48:14.281230] Device sw version: 0x1
[2023-06-07 16:48:14.282229] Device secure boot: True
[2023-06-07 16:48:14.282229] Device serial link authorization: False
[2023-06-07 16:48:14.282229] Device download agent authorization: True

[2023-06-07 16:48:14.282229] Disabling watchdog timer
[2023-06-07 16:48:14.284229] Disabling protection
[2023-06-07 16:48:14.341228] Protection disabled
  5. And then just run the mtk-client gettargetconfig option to check status
(python3) PS C:\Users\XXXX\Development\EchoDotV3\mtkclient> python mtk gettargetconfig
MTK Flash/Exploit Client V1.6.2 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected :)
Preloader -     CPU:                    MT8167/MT8516/MT8362()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11005000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xcc
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8167
Preloader - Target config:              0x0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      92691A43F8E190DD5326A2EB62B31109
Preloader - SOC_ID:                     0000000000000000000000000000000000000000000000000000000000000000
Main - Getting target info...
Preloader - Target config:              0x0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False

That is why I believed it is bypassed. BUT, compared with the output when bypass_utility has not been run, I see that some other parameters are set to False.

(python3) PS C:\Users\XXXX\Development\EchoDotV3\mtkclient> python mtk gettargetconfig
MTK Flash/Exploit Client V1.6.2 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected :)
Preloader -     CPU:                    MT8167/MT8516/MT8362()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11005000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xcc
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8167
Preloader - Target config:              0xe5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          True
Preloader -     Mem write auth:         True
Preloader -     Cmd 0xC8 blocked:       True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      92691A43F8E190DD5326A2EB62B31109
Preloader - SOC_ID:                     0000000000000000000000000000000000000000000000000000000000000000
Main - Getting target info...
Preloader - Target config:              0xe5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          True
Preloader -     Mem write auth:         True
Preloader -     Cmd 0xC8 blocked:       True

Check Mem read auth, Mem write auth, and so on. In normal operation (without bypass_utility) they are set to True.

Will check what you mention about the scatter.
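The two gettargetconfig runs above differ only in the Target config byte (0xe5 before the bypass, 0x0 after), and every flag mtkclient prints is one bit of it. The script below is an added example, not code from mtkclient or this repository; the bit masks are assumed from mtkclient's own decoding (including its 0x6 mask for SWJTAG, which is why that flag reads True whenever DAA does in the logs above), and the two values are taken from the quoted output.

```python
# Added example, not part of mtkclient: decode the "Target config" byte that
# mtkclient prints after reading the BROM of the MT8167/MT8516.
# Assumption: the bit masks below are the ones mtkclient itself applies
# (note the 0x6 mask for SWJTAG, which makes it read True whenever DAA is set).
from typing import Dict, List, Optional

TARGET_CONFIG_BITS = [
    ("SBC enabled", 0x01),        # secure boot check
    ("SLA enabled", 0x02),        # serial link authorization
    ("DAA enabled", 0x04),        # download agent authorization
    ("SWJTAG enabled", 0x06),     # overlaps SLA|DAA, as mtkclient reports it
    ("EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT", 0x08),
    ("Root cert required", 0x10),
    ("Mem read auth", 0x20),      # BROM memory reads need authorization
    ("Mem write auth", 0x40),     # BROM memory writes need authorization
    ("Cmd 0xC8 blocked", 0x80),
]


def decode_target_config(value: int) -> Dict[str, bool]:
    """Map a one-byte target config value to {flag name: enabled}."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"target config must fit in one byte, got {value:#x}")
    return {name: bool(value & mask) for name, mask in TARGET_CONFIG_BITS}


def parse_target_config_line(log_line: str) -> Optional[int]:
    """Extract the hex value from a 'Preloader - Target config: 0xe5' line,
    or return None for any other line of mtkclient output."""
    marker = "Target config:"
    if marker not in log_line:
        return None
    return int(log_line.split(marker, 1)[1].strip(), 16)


def protections_lost(before: int, after: int) -> List[str]:
    """Flags reported True in `before` but False in `after`; used here to
    compare the untouched device (0xe5) with the reading after the bypass
    payload has run (0x0), both values quoted in the issue above."""
    b, a = decode_target_config(before), decode_target_config(after)
    return [name for name in b if b[name] and not a[name]]


def format_report(value: int) -> str:
    """Render the flags in the same layout mtkclient uses."""
    lines = [f"Target config: {value:#x}"]
    for name, enabled in decode_target_config(value).items():
        lines.append(f"    {name:<48} {enabled}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: the two Target config lines quoted in this issue.
    stock = parse_target_config_line("Preloader - Target config:              0xe5")
    bypassed = parse_target_config_line("Preloader - Target config:              0x0")
    print(format_report(stock))
    print(format_report(bypassed))
    print("No longer reported as enabled:", protections_lost(stock, bypassed))
```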

@jvandewiel
Owner

Hi, I tried this with another echo dot I have not tinkered with, and this seems to work for me now as well. I only had GND and USB D+/D- connected, no UART. I managed to run the bypass and got the same output for python mtk gettargetconfig:

$ python3 mtk gettargetconfig

MTK Flash/Exploit Client V1.6.2 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected :)
Preloader -     CPU:                    MT8167/MT8516/MT8362()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11005000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xcc
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8167
Preloader - Target config:              0x0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      CCCA4E53BFD309EADCF4351BF3379434
Preloader - SOC_ID:                     0000000000000000000000000000000000000000000000000000000000000000
Main - Getting target info...
Preloader - Target config:              0x0
Preloader -     SBC enabled:            False
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            False
Preloader -     SWJTAG enabled:         False
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          False
Preloader -     Mem write auth:         False
Preloader -     Cmd 0xC8 blocked:       False

I tried dumpbrom, dumpsram and dumppreloader but that did not work on my Ubuntu system - it tries to send Kamakiri, which requires a special kernel etc., so maybe that is the reason - will investigate a bit more. It might be possible to read/write to the flash with this - exciting!

@santiac89
Author

Cool! I just got home, I will try to recreate a scatter file from your google sheet to see if I can do it through SP Flash Tool.

@jvandewiel
Owner

jvandewiel commented Jun 9, 2023

Hi, I have made some progress but not much further than you were. I thought that the bypass utility was to be used together with the mtk client, but I guess the mtk client does it all - no need to use the bypass utility first. I have now been able to get the sram, bootrom and preloader binaries as well, and I can confirm that they are the same (or similar enough) to yours. The mtk client hangs on DAXFlash upload (see below) and there is an error with the DA (Download agent) patching - I will try to find out what that is.

$ python3 mtk r boot1 boot.img
MTK Flash/Exploit Client V1.6.2 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.


...........
Port - Device detected :)
Preloader -     CPU:                    MT8167/MT8516/MT8362()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11005000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xcc
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8167
Preloader - Target config:              0xe5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          True
Preloader -     Mem write auth:         True
Preloader -     Cmd 0xC8 blocked:       True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      CCCA4E53BFD309EADCF4351BF3379434
Preloader - SOC_ID:                     0000000000000000000000000000000000000000000000000000000000000000
PLTools - Loading payload from mt8167_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/joost/Projects/gitea/echodotv3/tools/mtkclient/mtkclient/payloads/mt8167_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_9.9999.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer:      0x0
DAXFlash - EMMC ID:         H4G2a
DAXFlash - EMMC CID:        90014a483447326111020f58b11225c7
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size:   0x0
DAXFlash - EMMC GP2 Size:   0x0
DAXFlash - EMMC GP3 Size:   0x0
DAXFlash - EMMC GP4 Size:   0x0
DAXFlash - EMMC RPMB Size:  0x400000
DAXFlash - EMMC USER Size:  0xe9000000
DAXFlash - HW-CODE         : 0x8167
DAXFlash - HWSUB-CODE      : 0x8A00
DAXFlash - HW-VERSION      : 0xCB00
DAXFlash - SW-VERSION      : 0x1
DAXFlash - CHIP-EVOLUTION  : 0x0
DAXFlash - DA-VERSION      : 1.0
DAXFlash - Reconnecting to preloader
DeviceClass - [Errno 2] Entity not found
DAXFlash - Connected to preloader
DAXFlash - Upload data was accepted. Jumping to stage 2...
^Z
[8]+  Stopped                 python3 mtk r boot1 boot.img

You can also see some information about the flash partitions in this section, with which we maybe can make a scatter file

DAXFlash - EMMC FWVer:      0x0
DAXFlash - EMMC ID:         H4G2a
DAXFlash - EMMC CID:        90014a483447326111020f58b11225c7
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size:   0x0
DAXFlash - EMMC GP2 Size:   0x0
DAXFlash - EMMC GP3 Size:   0x0
DAXFlash - EMMC GP4 Size:   0x0
DAXFlash - EMMC RPMB Size:  0x400000
DAXFlash - EMMC USER Size:  0xe9000000

Files are
bootrom
preloader
sram

@santiac89
Author

santiac89 commented Jun 9, 2023

Nice to hear that we can get rid of bypass_utility!

Btw, I also have the same error on da1 patching but mine never got past DAXFlash - Uploading stage 2.... I get a DA Hash mismatch error right after that!

(python3) C:\Users\Santiago\Development\EchoDotV3\mtkclient>python mtk r boot1 boot.img
MTK Flash/Exploit Client V1.6.2 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.


....Port - Device detected :)
Preloader -     CPU:                    MT8167/MT8516/MT8362()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11005000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xcc
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8167
Preloader - Target config:              0xe5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          True
Preloader -     Mem write auth:         True
Preloader -     Cmd 0xC8 blocked:       True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      92691A43F8E190DD5326A2EB62B31109
Preloader - SOC_ID:                     0000000000000000000000000000000000000000000000000000000000000000
PLTools - Loading payload from mt8167_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: C:\Users\Santiago\Development\EchoDotV3\mtkclient\mtkclient\payloads\mt8167_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2152.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Booting to DA at 0x40000000
DAXFlash
DAXFlash - [LIB]: Error on sending data: DA hash mismatch (0xc0070004)
DAXFlash
DAXFlash - [LIB]: Error on booting to da (xflash)

Also, is the download agent MTK_AllInOne_DA_9.9999.bin included in mtkclient? Or is it just a modified version?

Note: I found these articles about some deep dive of the booting process for some other MediaTek device which I think could be helpful http://www.lieberbiber.de/category/mediatek/

@santiac89
Author

Is there any significant message on the UART side when it hangs?

@jvandewiel
Owner

I don't know, but I will try with UART connected later this weekend. I downloaded an old version of the MTK_AllInOne_DA_*.bin, which is the 9.999 version. It's actually 3.-something; found that somewhere on the 'net for the MT8167. The mtk client uses the latest version, so that's why I named it 9.999.
MTK_AllInOne_DA_9.9999.zip

@santiac89
Author

It seems that mtkclient for Windows works differently, so I get that hash mismatch error. And I don't have any Linux machine to try with :( Tried with a VM but it seems to be a pain.

@santiac89
Author

So, not OS related. I tried with the Live DVD from mtkclient and I'm getting the same hash mismatch error :(

@jvandewiel
Owner

I tried with the UART connected, not much more there - this is a log of python3 mtk r boot1 boot.img:

mtk client

For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.


...........
Port - Device detected :)
Preloader -     CPU:                    MT8167/MT8516/MT8362()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11005000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xcc
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8167
Preloader - Target config:              0xe5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          True
Preloader -     Mem write auth:         True
Preloader -     Cmd 0xC8 blocked:       True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      CCCA4E53BFD309EADCF4351BF3379434
Preloader - SOC_ID:                     0000000000000000000000000000000000000000000000000000000000000000
PLTools - Loading payload from mt8167_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/joost/Projects/gitea/echodotv3/tools/mtkclient/mtkclient/payloads/mt8167_payload.bin
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2152.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
Preloader
Preloader - [LIB]: Error on DA_Send cmd
DAXFlash
DAXFlash - [LIB]: Error on sending DA.

UART

[DL] 00001388 00000000 010303

Entered mt8167 brom patcher
Copyright k4y0z/bkerler 2021
R:USB
S:ACK
W:Handshake

@santiac89
Author

I was not able to get past the Uploading stage 2 step while trying to read the entire flash. I got in contact with the mtkclient developer and he was trying to help me with a bunch of modifications to the program and a DA file, but no luck so far.

I tried with the Live DVD from him to see if I can get rid of the hash mismatch error but got the same.

The only thing I was able to do was read back 256Mb of memory using the stage commands from mtkclient, but it won't read past the 256Mb mark.

You can check it here, maybe it works different for you since you were able to go further.

I also found 2 papers regarding reading the NAND dumps, maybe that can help you:

D_Pawlaszczyk_J_Friese_C_Hummert_Alexa_tell_me_-_A.pdf

Amazon_Echo_Forensics_for_WISEC_final.pdf

I'm stuck at this point since I cannot get a dump of the entire flash.

@jvandewiel
Owner

Hi, what were the stage/stage2 commands you tried? The normal mtk client attempts gave me the same results in the mentioned issue.

@santiac89
Author

python mtk stage uploads some generic stage1 payload to the device, which I guess is some code that receives commands from the stage2 script and responds accordingly while in BROM mode.

Then python stage2 memread <offset> <length> for example for dumping the preloader.

@jvandewiel
Owner

OK, I see - but this python stage2 memread <offset> <length> is a memory/sram dump, not a dump of the flash drive. So probably that's why you never get more than 512MB, as that is the available RAM. You can also check the contents of the file, and probably see that there are only 00's at the end and that the bytes at the start are the same as the dumped bootrom binary. Will investigate the other route via mtk a bit more.

@santiac89
Author

From this comment from the dev it seems the other way 🤔 but it could be. I will check the file contents and compare them to the other dumps.

@santiac89
Author

So I was able to find both the preloader and bootrom in the dumped file, but there is also a lot of other data.

@jvandewiel
Owner

If the dev says so, then it probably is - sure he knows better than me :-) I will try to memread it all with python3 stage2 memread 0 1fffffff > dump_all.bin and see what I get. There should be around 520mb of data in total, and I have some of the data from the flash in another way, so should be able to determine if it is indeed more than just brom and preloader. To be continued ...
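The check proposed in the last few comments (does the memread file contain more than the bootrom and preloader, and where does the non-zero data stop?) can be scripted. The triage script below is an added example, not mtkclient or this repository's code; it runs on a constructed stand-in dump with fake blobs at assumed offsets, and the same functions apply unchanged to a real dump_all.bin plus the bootrom and preloader files already dumped.

```python
# Added example, not mtkclient or this repository's code: triage a file
# written by `stage2 memread` - find how far the non-zero data reaches,
# locate blobs you already have (bootrom, preloader) inside it, and list
# the data regions that none of them explains.
import random
from typing import Dict, List, Tuple

Region = Tuple[int, int]  # (start, end) offsets, end exclusive


def nonzero_extent(dump: bytes) -> int:
    """Offset just past the last non-zero byte (0 if the dump is all zeros)."""
    return len(dump.rstrip(b"\x00"))


def data_regions(dump: bytes, min_gap: int = 16) -> List[Region]:
    """Contiguous non-zero regions; zero runs shorter than min_gap do not split a region."""
    regions: List[Region] = []
    start = None
    last_nonzero = -1
    for i, b in enumerate(dump):
        if b:
            if start is None:
                start = i
            last_nonzero = i
        elif start is not None and i - last_nonzero >= min_gap:
            regions.append((start, last_nonzero + 1))
            start = None
    if start is not None:
        regions.append((start, last_nonzero + 1))
    return regions


def find_blob(dump: bytes, blob: bytes, prefix_len: int = 64) -> List[int]:
    """Every offset at which `blob` occurs in `dump`. Only the first prefix_len
    bytes are searched with bytes.find; the full blob is compared at each hit."""
    if not blob:
        raise ValueError("empty blob")
    needle = blob[:prefix_len]
    hits: List[int] = []
    pos = dump.find(needle)
    while pos != -1:
        if dump[pos:pos + len(blob)] == blob:
            hits.append(pos)
        pos = dump.find(needle, pos + 1)
    return hits


def unexplained_regions(dump: bytes, known: Dict[str, bytes]) -> List[Region]:
    """Parts of the data regions not covered by any occurrence of a known blob."""
    covered = sorted((off, off + len(blob))
                     for blob in known.values() for off in find_blob(dump, blob))
    result: List[Region] = []
    for start, end in data_regions(dump):
        cursor = start
        for c_start, c_end in covered:
            if c_end <= cursor or c_start >= end:
                continue
            if c_start > cursor:
                result.append((cursor, c_start))
            cursor = max(cursor, c_end)
        if cursor < end:
            result.append((cursor, end))
    return result


def build_sample_dump() -> Tuple[bytes, Dict[str, bytes]]:
    """Constructed stand-in for a memread dump (assumed layout, not measured
    on a device): fake bootrom at 0x0, fake preloader at 0x1000, unknown data
    at 0x3000, then zero padding like the tail of the real ~268 MB dumps."""
    rng = random.Random(1)

    def nonzero_bytes(n: int) -> bytes:  # no zero bytes, so regions stay exact
        return bytes(rng.randrange(1, 256) for _ in range(n))

    bootrom = b"BROM" + nonzero_bytes(508)
    preloader = b"MMM\x01" + nonzero_bytes(1020)
    other = nonzero_bytes(256)
    dump = bytearray(0x8000)
    dump[0:len(bootrom)] = bootrom
    dump[0x1000:0x1000 + len(preloader)] = preloader
    dump[0x3000:0x3000 + len(other)] = other
    return bytes(dump), {"bootrom": bootrom, "preloader": preloader}


def triage(dump: bytes, known: Dict[str, bytes]) -> Dict[str, object]:
    """Everything a first look at a dump needs, in one dict."""
    return {
        "size": len(dump),
        "nonzero_extent": nonzero_extent(dump),
        "regions": data_regions(dump),
        "known": {name: find_blob(dump, blob) for name, blob in known.items()},
        "unexplained": unexplained_regions(dump, known),
    }


if __name__ == "__main__":
    # For a real run: dump = open("dump_all.bin", "rb").read() and the known
    # dict filled from the dumped bootrom/preloader files.
    dump, known = build_sample_dump()
    for key, value in triage(dump, known).items():
        print(f"{key}: {value}")
```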

@santiac89
Author

santiac89 commented Jun 12, 2023 via email

@santiac89
Author

@jvandewiel If I sent you the dump would you be able to compare it against the dump that you have?

@jvandewiel (Owner)

Hi, yes, that would certainly be possible. I can also put the dumps that I have somewhere, not sure about github policies for this. My dump is direct from the flash and needs a bit of work to make it useable - but I can share what I have. I tried the dump through stage/stage2, but it looks like it is all 00's after about 3mb; I will try again. I will also try to erase the pre-loader and run the stage/stage2 as suggested by the mtk client dev after that - likely tomorrow.

@jvandewiel (Owner)

Hi, I tried a few times to dump via stage2, each time the file maxes out around 268 MB and then the mtk tool "hangs". The contents of them are the same: the first ~3.14 MB (0-0x2FFFFE) contains data which is bootrom, preloader and some other data and then 0x00 for the rest of the file. The logs are below.

Loading stage2

$ python3 mtk stage
MTK Flash/Exploit Client V1.6.2 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.


....Port - Device detected :)
Preloader -     CPU:                    MT8167/MT8516/MT8362()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11005000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xcc
Preloader - Disabling Watchdog...
Preloader - HW code:                    0x8167
Preloader - Target config:              0xe5
Preloader -     SBC enabled:            True
Preloader -     SLA enabled:            False
Preloader -     DAA enabled:            True
Preloader -     SWJTAG enabled:         True
Preloader -     EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT:  False
Preloader -     Root cert required:     False
Preloader -     Mem read auth:          True
Preloader -     Mem write auth:         True
Preloader -     Cmd 0xC8 blocked:       True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader -     HW subcode:             0x8a00
Preloader -     HW Ver:                 0xcb00
Preloader -     SW Ver:                 0x1
Preloader - ME_ID:                      CCCA4E53BFD309EADCF4351BF3379434
Preloader - SOC_ID:                     0000000000000000000000000000000000000000000000000000000000000000
Main - Uploading stage 1
PLTools - Loading payload from generic_stage1_payload.bin, 0x3e8 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/joost/Projects/gitea/echodotv3/tools/mtkclient/mtkclient/payloads/generic_stage1_payload.bin
Main - Successfully uploaded stage 1, sending stage 2
Main - Done sending stage2, size 0x4000.
Main - Done jumping stage2 at 00201000
Main - Successfully loaded stage2

For dumping via stage2 (which I broke-off after an overnight run)

$ python3 stage2 memread 0 1fffffff --filename dump_all2.bin
^CTraceback (most recent call last):
  File "/home/joost/Projects/gitea/echodotv3/tools/mtkclient/stage2", line 710, in <module>
    main()
  File "/home/joost/Projects/gitea/echodotv3/tools/mtkclient/stage2", line 629, in main
    st2.memread(start, length, args.filename)
  File "/home/joost/Projects/gitea/echodotv3/tools/mtkclient/stage2", line 262, in memread
    wf.write(self.usbread(size))
  File "/home/joost/Projects/gitea/echodotv3/tools/mtkclient/mtkclient/Library/Connection/usblib.py", line 432, in usbread
    extend(epr(resplen))
  File "/usr/local/lib/python3.10/dist-packages/usb/core.py", line 423, in read
    return self.device.read(self, size_or_buffer, timeout)
  File "/usr/local/lib/python3.10/dist-packages/usb/core.py", line 1029, in read
    ret = fn(
  File "/usr/local/lib/python3.10/dist-packages/usb/backend/libusb1.py", line 846, in bulk_read
    return self.__read(self.lib.libusb_bulk_transfer,
  File "/usr/local/lib/python3.10/dist-packages/usb/backend/libusb1.py", line 946, in __read
    retval = fn(dev_handle.handle,
KeyboardInterrupt

I will try with a --loader and also to erase the preloader and see if that helps, later today.

@santiac89 (Author)

Exactly like my dump, 256Mb or so, bootrom, preloader, other stuff, and zeros.

@jvandewiel (Owner)

jvandewiel commented Jun 14, 2023 via email

@santiac89 (Author)

I didn't. I'm still thinking about the error I get about a DA hash mismatch. The mtkclient dev patched it somehow but I believe that the underlying error will keep me from going further since I get the same error with SP Flash Tools.

I wonder if it is OS related, even though I tried with a Linux Live DVD, but I don't have any other computer to try with.

@santiac89 (Author)

Hi @jvandewiel, hope you are doing well. Any update? I managed to get hold of a Linux laptop to rule out that my issue is with the OS, but still the same results. I guess my Dot is a little different, or a different SW version than yours.

@jvandewiel (Owner)

jvandewiel commented Jun 27, 2023

Hi, thanks, all fine here - you? No updates on my end. I have not managed to get the erase to work, somehow it fails. Will try a few other things, but so far no progress.

@retpolanne

I'm interested in participating in this. I did some work on reversing Chromecast/Google Home a while back and would love to de-Amazon my Echo.

@jvandewiel (Owner)

Hi, thank you for reaching out! To be fair, I have had this project on ice for a while, but perhaps it is time to start it up again :-)

Last year we had some progress with the mtkclient and managed to get the preloader and bootloader, but we (see above) did not get much further. I also have all the data that I retrieved from the flash, but this is a raw nand dump and encoded in various ways. I can share what I have, both what I figured out and where I got stuck. It is not in this repo, but I can add it, the dump maybe via another route - I am not sure about that one?

I was wondering if it would be possible to extract the certificates from the dump and pretend to be an amazon device and that way get a full new firmware version that can be analyzed, but this is very much out of my comfort zone. Anyway, what can I give you to help you get started?

@santiac89 (Author)

I haven't made any progress either and I think this is way out of my league, but I'm here to help with anything related to software.

Good to see there is some interest in this!

@nk-gears

This may be off topic on the Echo 3rd Gen, but I would like to know whether you have any information on this strange behaviour.

  • Echo Dot 3rd Gen - Restarts Randomly (every 2-4 mins). Then becomes unresponsive with a blue ring static
  • None of the buttons responding. Except the MIC red LED
  • After Factory Resetting multiple times, worked for 10 minutes and again becomes unresponsive.

The same device was working a few months back. Did anyone face this behaviour? Do you think Amazon bricked all old generation devices, as the same issue is reported in multiple forums?

@gilderchuck

gilderchuck commented Mar 18, 2025

https://github.com/jvandewiel/no-alexa/wiki/Hardware#overview

There are multiple revisions in the wild with some differences.

Just a reminder that the Echo Dot 3rd Generation was in fact TWO devices: an MMC version and a NAND one.
(At least that's what I've found so far. This must be the reason why there have been two 'latest' version numbers shown for years next to the Echo Dot 3rd Gen on Amazon's Alexa Device Software Versions page.)

The initial/early one (model no D9N29T, codename 'Donut') released in 2018 contained a combined DDR + MMC chip (eMCP). It stored user data on an ext4 filesystem. High quality teardowns: 1, 2

A year later the Echo Flex and Echo Dot with Clock were announced. Their internals had gone through an important redesign: they used separate DDR RAM and raw NAND flash chips. Around the same time a new version of the regular Dot 3 also started shipping: model no C78MP8 (codename 'Crumpet'), the NAND version. Teardowns: 1, 2
(Running an ext4 filesystem would wear out NAND blocks in a short time, so the user data partition type was changed to the flash-aware UBIFS on the new devices.)

Based on the teardowns I've seen it's quite likely that Amazon made the switch to raw NAND storage for smart speakers in 2019. (The only exception I found so far was the Spot 2024.)


While most of this repository is neatly focused on the Crumpet/NAND variant I can see a few additions suggesting that they were run/taken on a Donut model. Please be aware of the differences ... which start at what type of storage the preloader can handle:

$ strings preloader_donut.bin | grep -Eo '(nand|mmc)_[A-Za-z_]*'
mmc_set_part_config
mmc_set_part_config
mmc_rpmb_req_handle
mmc_rpmb_part_ops
mmc_rpmb_block_read
mmc_rpmb_start_req
mmc_rpmb_check_result
mmc_rpmb_block_write
mmc_rpmb_get_wc
mmc_rpmb_post_frame
mmc_rpmb_send_command

$ strings preloader_mt8516_echo_dot_3.bin | grep -Eo '(nand|mmc)_[A-Za-z_]*'
nand_bbt
nand_mem_len
nand_default_bbt
nand_markbad_bbt
nand_block_mapping
nand_bwrite
nand_move_worn_bad_blk
nand_bread
nand_berase
nand_do_erase_ops
nand_do_write_ops
nand_IO_strength_adjust
nand_flash_get
nand_wait_func
nand_scan
nand_wait_ready
nand_block_markbad
nand_malloc
nand_chip_init

The preloaders attached here and in the linked ticket also seem to be different versions, they were compiled years apart:

$ strings preloader_donut.bin | grep -A1 'Build Time'
%s Build Time: %s
20191028_221405
$ strings preloader_mt8516_echo_dot_3.bin | grep -A1 'Build Time'
%s Build Time: %s
20220323_062523
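A small Python check, added here and not part of the thread or the no-alexa project, that automates the two observations above (storage type from the mmc_/nand_ identifier strings, build time from the string after the "Build Time" format string) and also measures how far real data extends before the trailing 0x00 run that the stage2 dumps earlier in the thread showed. The sample images are constructed; the assumption that the timestamp string sits right after the NUL-terminated "Build Time" format string is taken from the `strings -A1` output and may not hold for every build.

```python
import re

# Mirrors `strings | grep -Eo '(nand|mmc)_[A-Za-z_]*'`; \b keeps "emmc_" from matching.
STORAGE_PAT = re.compile(rb'\b(nand|mmc)_[A-Za-z_]*')
# Assumed layout: "%s Build Time: %s\0" immediately followed by "YYYYMMDD_HHMMSS".
BUILD_PAT = re.compile(rb'Build Time: %s\x00+(\d{8}_\d{6})')


def storage_symbols(blob):
    """Distinct mmc_*/nand_* identifiers found in a preloader image, sorted."""
    return sorted({m.group(0).decode() for m in STORAGE_PAT.finditer(blob)})


def storage_type(blob):
    """'mmc' (Donut-style), 'nand' (Crumpet-style), 'mixed' or 'unknown'."""
    syms = storage_symbols(blob)
    has_mmc = any(s.startswith('mmc_') for s in syms)
    has_nand = any(s.startswith('nand_') for s in syms)
    if has_mmc and has_nand:
        return 'mixed'
    return 'mmc' if has_mmc else 'nand' if has_nand else 'unknown'


def build_time(blob):
    """Preloader build timestamp, or None if the expected strings are absent."""
    m = BUILD_PAT.search(blob)
    return m.group(1).decode() if m else None


def data_extent(blob):
    """Offset one past the last non-zero byte; tells you where a dump stops carrying data."""
    return len(blob.rstrip(b'\x00'))


def _fake_image(symbols, build, zero_pad):
    # Constructed stand-in for a preloader: NUL-separated strings plus a zero tail.
    parts = [b'%s Build Time: %s', build.encode()] + [s.encode() for s in symbols]
    return b'\x00'.join(parts) + b'\x00' * zero_pad


# Constructed samples modelled on the two grep outputs above (not real firmware).
DONUT_SAMPLE = _fake_image(['mmc_set_part_config', 'mmc_rpmb_req_handle'], '20191028_221405', 32)
CRUMPET_SAMPLE = _fake_image(['nand_bbt', 'nand_scan', 'nand_chip_init'], '20220323_062523', 32)

if __name__ == '__main__':
    for name, img in (('donut', DONUT_SAMPLE), ('crumpet', CRUMPET_SAMPLE)):
        print(name, storage_type(img), build_time(img), data_extent(img), len(img))
```

Run it against a real preloader_*.bin by reading the file into `blob`; on a full stage2 dump, `data_extent` is the quick way to confirm the "zeros after ~3 MB" observation without opening it in a hex editor.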

@jvandewiel (Owner)

Hello everyone - this is just to inform you that @gilderchuck has been able to actually make the dumped binary files into a readable and mountable image. If you are interested, please reach out privately; this image will not be published in the open due to the DMCA.
