Exploring the Amazon Echo Dot, Part 2: Into MediaTek utility hell

micaksica
5 min read · Jan 6, 2017


tl;dr: New Year’s Day offered time to look at the Echo Dot. It appears it is possible to flash the device using Windows-based MediaTek tools once a “scatter file” has been created of the Echo Dot’s eMMC. Also, to access the locked bootloader, hold the dot (or uber) key when plugging it into the computer until the LED ring turns green, and it will appear as a fastboot device. Mute+VolumeDown will issue a factory reset. Also, the Fire HD 8 (2016) uses the same chipset. There will not be more research on this for the next few weeks.

Android hacking appears to be mostly modding, with xda-developers at its core. The vast majority of posts on the forums are modders looking to personalize their phones, but there is a wealth of awesome information from talented developers hidden among all of it that takes hours to sift through. Unofficial ROMs and builds for specific devices are downloaded tens of thousands of times a day. Security-wise, this is the same as downloading an OS image from Pirate Bay: who knows if there’s a backdoor? However, it is really all you have if you’re digging into Android.

Rooting the Echo Dot: Hardware or software?

Since my last post, I have joined up with a community of others interested in the Echo, including the people from The Citadel who wrote the paper on their Echo hardware root. Looking at a teardown of the Echo Dot v2, it appears that the board is much less hacker-friendly than the big Echo, and the pads aren’t the same. The Echo Dot uses the MTK8163 tablet SoC, which doesn’t appear to have a published datasheet, and the Samsung/Micron flash chip also appears to be undocumented, although I could at least determine that it is the eMMC chip.

With little to go on, no access to a logic analyzer, microsoldering tools, or any way to pull the flash chip, it seemed to make more sense for me to attempt a software approach for now.

A sign of life from the USB port

In my last post on the Echo Dot firmware, I stated that the Echo did not appear to offer adb or any type of debug tool through the MicroUSB interface. This was wrong: the Echo does show up in dbus as a USB device. Running watch on lsusb caught the following entry for under a second:

Bus 001 Device 010: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader

While we don’t have adb, the MediaTek device does appear to the computer on boot, exposing some type of low-level USB interface. According to XDA and other sources, this is a low-level flashing interface that can be used with a utility called SP Flash Tool and the (unsigned) MediaTek VCOM drivers to reflash the Echo Dot to a different firmware. If you really want to dig into MediaTek, a team in Russia seems to have a ton of utilities on their website, but there is no guarantee they are clean.

With this in mind, out came an old, airgapped Windows notebook and the installation of these questionable tools in an attempt to speak to the Echo Dot’s preloader. With the VCOM drivers, the Dot is detected by the PC for just a second or two.

The scatter file: nope

We are still a long way off from being able to flash the device. MTK chipset devices rely on a scatter file for the Flash Tool, which appears to be a type of partition table for the on-device flash. Usually, scatter files for MediaTek devices are made with MTK Droid Root and Tools, which reads this information from the device’s proc filesystem and creates a file. However, this requires a rooted device with adb, which we don’t have with the Dot.

However, there is a scatter file for a different MT8163-powered device. Digging around shows that the Acer Iconia One 10 tablet B3-A30 also uses the MT8163, albeit with different flash memory. While this scatter file is likely not going to work correctly for us, we can hopefully use it to deduce what is going on with the Echo Dot. Setting the SP Flash Tool to “Advanced Mode” and then attempting a ROM dump seemed like it would yield great success, and yet… nothing.

No matter what I tried, the SP Flash Tool would not talk with my Echo. Every attempt would eventually fail with the cryptic BROM ERROR:S_COM_PORT_OPEN Fail(1013) and it would continue booting normally. Note this does not mean this will fail for you. It could just be my shitty PC. If you try a new version of the VCOM drivers and SP Flash Tool and it works for you, please write about it.

Round 2: keypress brute force

The Echo Dot has to have a way to force a bootloader or recovery mode. Next began the pressing of random buttons on boot to see if anything new appeared. The Echo Dot v2 has four buttons, in clockwise order from top: Volume Up, Uber, Volume Down, and Mute. Uber is the internal name for the “dot” button according to the firmware dump I have. Holding Uber while booting had an interesting effect of keeping the Echo Dot’s LEDs all green. Checking lsusb:

Bus 001 Device 019: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo

Is this the bootloader? Running fastboot devices:

[root@testbox scatter-hax]# fastboot devices
[REDACTED serial] fastboot

Bingo. We now have access to the bootloader. Maybe there’s something here.

Digging around the bootloader

More MediaTek madness. From Ubuntu Touch porting documentation on MediaTek’s fastboot implementation, what we are talking to is MediaTek’s bootloader, the Little Kernel (LK). (Stormflut is a wealth of low-level information on the MediaTek platform, and it is all worth reading.) To confirm, issue some getvars:

[root@testbox ota]# fastboot getvar all
(bootloader) lk_build_desc: c1306a2-20160912_073730
(bootloader) prod: 1
(bootloader) unlock_status: false
(bootloader) unlock_code: [REDACTED]
(bootloader) serialno: [REDACTED]
(bootloader) max-download-size: 0x6d00000
(bootloader) warranty: no
(bootloader) secure: yes
(bootloader) kernel: lk
(bootloader) product: BISCUIT
(bootloader) version-preloader: 0.1.00
(bootloader) version: 0.5
all: Done!!

Note unlock_status is false. This means the bootloader is locked, like it is on the Amazon Fire. While we have an unlock_code, it is unlikely that Amazon is going to hand us the unlock files for this device anytime soon.
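The two listings above (the lsusb line for each USB mode and the fastboot getvar dump) are easy to misread in a hurry, so here is an added example, not code from the post, that classifies which mode the Dot is in from lsusb output and summarises the LK lock state from getvar output. The sample text is constructed from the redacted listings above; the reading of secure: yes as signed-image enforcement is the usual MediaTek LK meaning and is an assumption here.

```python
"""Added example, not code from the post: classify the Echo Dot's USB mode from
lsusb output and read the lock state from `fastboot getvar all`. Sample text is
constructed from the post's listings; `fastboot getvar` prints to stderr, so
capture a live device with `fastboot getvar all 2>&1`."""
import re

# USB vendor:product IDs seen in the post and the mode each one indicates.
KNOWN_MODES = {
    "0e8d:2000": "mediatek-preloader",  # flashes by for a second on every boot
    "0bb4:0c01": "lk-fastboot",         # Uber button held until LED ring is green
}
LSUSB_RE = re.compile(r"\bID\s+([0-9a-f]{4}:[0-9a-f]{4})", re.I)
GETVAR_RE = re.compile(r"^\(bootloader\)\s+([\w-]+):\s*(.*)$")

SAMPLE_LSUSB = """Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 019: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo"""
SAMPLE_GETVAR = """(bootloader) lk_build_desc: c1306a2-20160912_073730
(bootloader) unlock_status: false
(bootloader) max-download-size: 0x6d00000
(bootloader) secure: yes
(bootloader) kernel: lk
(bootloader) product: BISCUIT
all: Done!!"""

def usb_modes(lsusb_output):
    """Return the recognised Echo Dot modes present in lsusb output, in order."""
    found = LSUSB_RE.findall(lsusb_output)
    return [KNOWN_MODES[i.lower()] for i in found if i.lower() in KNOWN_MODES]

def parse_getvar(getvar_output):
    """Map '(bootloader) key: value' lines to a dict; skips the 'all: Done!!' line."""
    pairs = (GETVAR_RE.match(l.strip()) for l in getvar_output.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def lock_summary(bl_vars):
    """What the LK getvar fields imply for flashing over fastboot."""
    unlocked = bl_vars.get("unlock_status", "").lower() == "true"
    secure = bl_vars.get("secure", "").lower() == "yes"  # assumed: signed images only
    return {
        "unlocked": unlocked,
        "secure_boot": secure,
        "max_download_bytes": int(bl_vars.get("max-download-size", "0"), 16),
        # Locked plus secure means LK will only take vendor-signed images, so
        # the realistic route is a vendor unlock, not `fastboot flash`.
        "flash_unsigned_possible": unlocked and not secure,
    }

if __name__ == "__main__":
    print(usb_modes(SAMPLE_LSUSB))
    print(lock_summary(parse_getvar(SAMPLE_GETVAR)))
```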

However, not all is lost. The new Amazon Fire HD 8 is another Fire OS tablet based on the Dot’s same MT8163V/B, so if a bootloader unlock, adb-less rooting or flashing method becomes available for the Fire HD 8, the same methods are likely to apply to the Echo Dot with little modification.

Project stalled for a few weeks

With some other projects coming up soon, there won’t be any more Dot exploration for the next week or so, but hopefully these posts will guide you in your own efforts.

This post unofficially brought to you by 180ml of Wakatake Onikoroshi Junmai Daiginjo. (jp)
