Exploring the Amazon Echo Dot, Part 1: Intercepting firmware updates

tl;dr: I have an Amazon Echo Dot to poke at. I had no idea what the device consisted of when I bought it. It’s just Amazon Fire OS (Android) and the updates to the device are pushed as .bin files over HTTP, making it possible to intercept the OTA firmware from Amazon’s servers. In this post, I set up a local interception environment to sniff the Echo’s traffic and pull down the firmware image from Amazon, extract it, and talk about what I’ve seen thus far. Next up: a whole ton of APK & ARM binary reversing, as well as getting my own CA onto the device to monitor TLS conversations from the Echo to Amazon’s servers.

I spent the better part of Christmas this year with a gift I bought myself: a second-hand Amazon Echo Dot. Before I begin, I hate these things, and I am not a fan of the “Internet of Things”. There’s nothing that rustles my infosec jimmies more than having an always-on microphone in my house that enjoys sending lots of data about me to a company that works people to death, literally, especially so when Amazon is relatively tight-lipped about what the box does and what it is capable of.

Given the fact that the Wynn puts one of these in every hotel room now, I knew that if there’s anything to be found on an Echo, it’ll be mayhem at DEF CON next year. Because what happens in Vegas ends up on Amazon’s cloud. (Pro tip: don’t hire any escorts with the name Alexa, Amazon, or Echo.)

I could compile relatively little from online sources about the Echo Dot system itself. While I could find lots of documentation on the Alexa Skills Kit and a teardown of the first-generation Echo Dot device, I was not able to find a firmware dump or any information about what the Echo is powered by. The best I could find was an infosec guy’s post on the setup process and what he found in Chrome dev tools. (Note: After finding this dump, I eventually stumbled upon some GPL-required source code for the Echo Dot published by Amazon, although it doesn’t contain anything interesting.)

As for the Echo itself, some guys at The Citadel were able to root one via eMMC by taking a real Echo apart and making an eMMC converter; they started a wiki but it hasn’t gone anywhere in a few months. There’s a whole forum dedicated to “Amazon Echo hacking” at echotalk.org, but it appears to be mostly related to Echo development versus reverse engineering.

Wiretapping the Echo with iptables and DD-WRT

To understand what the Echo is actually doing, first we need a test environment. For this, I flashed an ASUS RT-N12D1 with a Broadcom K2.6 mega build of DD-WRT. From this router, I can then use iptables as a poor man’s port mirror for all traffic on its subnet by adding a tee. I gave my Wireshark monitoring device the static IP 192.168.1.110 and added it to the iptables rules.

iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.110 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.110 --tee

However, this does not actually solve all of our issues: most services that speak HTTP these days use TLS connections, so even if we tee the traffic, we will probably not be able to see anything other than encrypted data being sent to an Amazon-owned CIDR. To really see what’s going on, we will have to intercept the TLS connection with an HTTP proxy. As the Echo Dot is a consumer device, I assumed it probably didn’t have any way to set an HTTP proxy for use in the software. With iptables to the rescue and a different ethernet interface with a static IP on the DD-WRT box, we can transparently proxy 80 and 443.

iptables -t nat -A PREROUTING -i br0 -s 192.168.1.1/255.255.255.0 -d 192.168.1.1/255.255.255.0 -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! 192.168.1.117 -p tcp --dport 443 -j DNAT --to 192.168.1.117:8080
iptables -t nat -A PREROUTING -i br0 -s 192.168.1.1/255.255.255.0 -d 192.168.1.1/255.255.255.0 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! 192.168.1.117 -p tcp --dport 80 -j DNAT --to 192.168.1.117:8080
iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.1/255.255.255.0 -d 192.168.1.117 -p tcp -j SNAT --to 192.168.1.1
iptables -I FORWARD -i br0 -o br0 -s 192.168.1.1/255.255.255.0 -d 192.168.1.117 -p tcp --dport 8080 -j ACCEPT

Now any tcp/80 or tcp/443 connections will end up proxied to 192.168.1.117. Let’s tell it to ignore requests from the tee box as well.

iptables -t nat -I PREROUTING -i br0 -s 192.168.1.110 -j ACCEPT

With these firewall rules in place we have the network side of things set up for monitoring.

Proxying TLS connections: will the Echo play nice?

The setup process uses a mobile application or a web browser, where one navigates to http://alexa.amazon.com/ and goes from there. For proxying TLS connections, one needs to be able to install the certificate authority that our proxy uses for TLS decryption as its “man in the middle” as a trusted CA on the devices we are using.

I created a clean Windows 10 Pro virtual machine in VirtualBox and set it to proxy all connections through the TLS proxy server; this Win10 VM also was told to trust the CA from my transparent HTTP proxy. For proxying purposes, I used PortSwigger’s Burp Suite.

At this stage, I couldn’t be sure the Echo Dot would play nice, as I didn’t know whether or not the Dot actually pays attention to good CAs or will accept any at all. With Burp started and the Echo Dot associated with the tapped AP, we could see whether or not the transparent proxying actually worked.

The Echo Dot doesn’t like our CA, but not everything is HTTPS

The Echo Dot didn’t work when intercepted in setup. TLS calls would fail, and the Echo would eventually state that it can’t complete setup with an API error code shown in the alexa.amazon.com SPA. To intercept TLS traffic from the Echo, we will end up needing to get our Burp CA certificate onto the Echo Dot. This might be tough, given that means we need to be able to modify the firmware on the device. At this point I sighed and plugged the USB port of the Echo Dot into my computer to lsusb, hoping it would show up as some sort of device. Nothing appeared. Time to disassemble the Dot to look for debug pads so we can get a serial shell or the like. This Christmas turned into a hardware hacking day, I guess.

But wait! Not everything from the Echo Dot is sent over HTTPS. Instead, Burp captured some HTTP calls as well, and a few of these are interesting.

First, the Dot calls itself a Kindle. The hostname for my Echo Dot is prefixed with kindle- with its default build, and one of the interesting HTTP requests is a periodic phone home to look for Internet connectivity:

GET /kindle-wifi/wifistub-echo.html HTTP/1.1
User-Agent: Java
Host: spectrum.s3.amazonaws.com
Connection: close
Accept-Encoding: gzip

The response from the server is for the “Kindle Reachability Platform”.

HTTP/1.1 200 OK
x-amz-id-2: [REDACTED]
x-amz-request-id: [REDACTED]
Date: [REDACTED]
Last-Modified: Thu, 31 Dec 2015 12:54:29 GMT
ETag: [REDACTED]
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 419
Server: AmazonS3
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Kindle Reachability Probe Page</title>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!--[REDACTED uuid] created with python 2.5 uuid.uuid4()-->
</head>
<body bgcolor="#ffffff" text="#000000">
[SAME REDACTED uuid]
</body>
</html>

This redacted UUID did not change for me across requests. However, I am unsure whether or not it is unique to my IP or device based upon the HTTP request header, so it is redacted from the above response.

However, the Dot’s next attempt at phoning home gave us more than an interesting endpoint.

GET /obfuscated-otav3-9/[len 32 hexadecimal hash]/update-kindle-full_biscuit-272.5.6.4_user_[9 digit integer].bin HTTP/1.1
Host: amzdigitaldownloads.edgesuite.net
Connection: close
User-Agent: AndroidDownloadManager/5.1.1 (Linux; U; Android 5.1.1; AEOBC Build/LVY48F)

Remember, we are still intercepting all traffic from this endpoint. This call completed and with that I have a local copy of a new .bin firmware dump. At this stage we also know that the Echo Dot is running Android 5.1.1. From what I can tell, LVY48F is not vulnerable to the Stagefright CVEs. However, given that the device is running Android, Android vulnerabilities are useful against Amazon Echo devices. And the Echo Dot has a cute codename: biscuit.

The Echo, from the inside

My firmware release contains a build.prop that tells us some information about the second-generation Echo Dot: namely, it is a MediaTek MT8163 64-bit quad core chipset:

ro.mediatek.chip_ver=S01
ro.mediatek.version.release=ALPS.W10.24.p0
ro.mediatek.platform=MT8163
ro.telephony.sim.count=2

We’ll also see that this “Kindle” runs FireOS just like the others:

ro.build.version.fireos=5.5.0.3
ro.build.version.fireos.sdk=4

/data/misc also contains a ProjectConfig.mk with some interesting configuration parameters for the chipset. This includes a couple of Amazon-specific flags.

AMZN_DHA = yes
AMZN_DRMPROV = yes
AMAZON_8163_TLV_ADCDAC_SUPPORT = yes

Poking around the firmware

Now the fun begins. The .bin file is not encrypted or packed in any way, so I’m unsure what the “obfuscated” means in the URI above. Running file on the .bin shows “Java Archive Data”, so we can use jar x to extract the bin file into something more readable. With that, we can see a typical Android OTA update filesystem.

total 1063700
-rw-r--r-- 1 user user 7733248 Jul 21 07:23 boot.img
-rw-r--r-- 1 user user 35571 Jul 21 07:23 file_contexts
drwxr-xr-x 2 user user 4096 Dec 25 16:16 images
drwxr-xr-x 3 user user 4096 Dec 25 16:17 META-INF
-rw-r--r-- 1 user user 257 Jul 21 07:23 ota.prop
drwxr-xr-x 2 user user 4096 Dec 25 16:17 system
-rw-r--r-- 1 user user 540708864 Jul 21 07:23 system.new.dat
-rw-r--r-- 1 user user 0 Jul 21 07:23 system.patch.dat
-rw-r--r-- 1 user user 198 Jul 21 07:23 system.transfer.list

binwalk shows system.new.dat to contain an ext-based filesystem. binwalk will extract everything on the filesystem but we will end up in forensics mode with a lot of random files and no existing file structure. However, there’s a great script called sdat2img.py on XDA that will extract the system.new.dat image into a loopback-readable ext filesystem. Using this we can then mount system.img using a typical mount command, and we have a common Android filesystem.

drwxr-xr-x 9 root root 4096 Nov 30 17:54 app
drwxr-xr-x 3 root 2000 8192 Nov 30 17:54 bin
-rw-r--r-- 1 root root 6801 Nov 30 17:54 build.prop
drwxr-xr-x 3 root root 4096 Nov 30 17:54 data
drwxr-xr-x 17 root root 4096 Nov 30 17:54 etc
drwxr-xr-x 2 root root 4096 Nov 30 17:54 fonts
drwxr-xr-x 5 root root 4096 Nov 30 17:54 framework
drwxr-xr-x 9 root root 12288 Nov 30 17:54 lib
drwxr-xr-x 6 root root 8192 Nov 30 17:54 lib64
drwxr-xr-x 4 root root 4096 Nov 30 17:54 local
drwx------ 2 root root 4096 Dec 31 1969 lost+found
drwxr-xr-x 37 root root 4096 Nov 30 17:54 priv-app
-rw-r--r-- 1 root root 113031 Nov 30 17:54 recovery-from-boot.p
drwxr-xr-x 4 root root 4096 Nov 30 17:54 res
drwxr-xr-x 3 root root 4096 Nov 30 17:54 security
drwxr-xr-x 7 root root 4096 Nov 30 17:54 usr
drwxr-xr-x 7 root 2000 4096 Nov 30 17:54 vendor
drwxr-xr-x 2 root 2000 4096 Nov 30 17:54 xbin
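
The system.new.dat conversion step described above, as an added example (not the XDA sdat2img.py script and not code from the original post): a minimal Python rebuild of a raw image from system.transfer.list and system.new.dat. It assumes the AOSP block-based OTA layout (4096-byte blocks; a version line, a block count, two stash lines from version 2 on, then erase/zero/new commands) and a full update like this one, where system.patch.dat is empty; the sample list and payload are constructed.

```python
"""Rebuild a raw partition image from a full Android block-based OTA."""
import io
from typing import BinaryIO, List, Tuple

BLOCK_SIZE = 4096    # the transfer list addresses the partition in 4 KiB blocks
CHUNK_BLOCKS = 256   # copy at most 1 MiB at a time
# Commands that read the previously installed image: incremental OTAs only.
NEEDS_SOURCE = {"move", "bsdiff", "imgdiff", "stash", "free"}


def parse_rangeset(text: str) -> List[Tuple[int, int]]:
    """Parse 'N,s0,e0,s1,e1,...' into [(s0, e0), ...]; each end is exclusive."""
    nums = [int(n) for n in text.split(",")]
    count, values = nums[0], nums[1:]
    if count != len(values) or count % 2:
        raise ValueError(f"malformed range set: {text!r}")
    ranges = list(zip(values[0::2], values[1::2]))
    if any(start < 0 or end <= start for start, end in ranges):
        raise ValueError(f"invalid block range in: {text!r}")
    return ranges


def parse_transfer_list(text: str):
    """Return (version, total_blocks, [(command, ranges), ...])."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("transfer list is too short")
    version, total_blocks = int(lines[0]), int(lines[1])
    if version not in (1, 2, 3, 4):
        raise ValueError(f"unsupported transfer list version {version}")
    body = lines[4:] if version >= 2 else lines[2:]  # v2+ adds two stash lines
    commands = []
    for line in body:
        cmd, _, arg = line.partition(" ")
        if cmd in NEEDS_SOURCE:
            raise ValueError(f"'{cmd}' needs the previous image (incremental OTA)")
        if cmd not in ("erase", "zero", "new"):
            raise ValueError(f"unknown command {cmd!r}")
        commands.append((cmd, parse_rangeset(arg)))
    return version, total_blocks, commands


def rebuild_image(transfer_list: str, new_dat: BinaryIO, out: BinaryIO) -> int:
    """Write the partition image to `out` and return its size in bytes."""
    _, _, commands = parse_transfer_list(transfer_list)
    for cmd, ranges in commands:
        for start, end in ranges:
            if cmd == "erase":
                continue  # erased blocks have undefined contents; nothing to write
            out.seek(start * BLOCK_SIZE)
            for first in range(start, end, CHUNK_BLOCKS):
                length = (min(first + CHUNK_BLOCKS, end) - first) * BLOCK_SIZE
                if cmd == "new":
                    # new.dat holds the payload back to back, in command order
                    data = new_dat.read(length)
                    if len(data) != length:
                        raise ValueError("new.dat is shorter than the list requires")
                else:
                    data = bytes(length)  # zero: explicit zero fill
                out.write(data)
    size = max((end for _, rs in commands for _, end in rs), default=0) * BLOCK_SIZE
    # Pad up to the highest block referenced so the image has the full size.
    if size and out.seek(0, io.SEEK_END) < size:
        out.seek(size - 1)
        out.write(b"\0")
    return size


# Constructed sample (not taken from the Echo firmware): version 2, 6 blocks.
SAMPLE_LIST = "2\n5\n0\n0\nerase 2,0,6\nnew 4,0,1,3,5\nzero 2,1,3\n"
SAMPLE_DAT = b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE + b"C" * BLOCK_SIZE


def demo() -> bytes:
    """Rebuild the constructed sample in memory and return the image bytes."""
    out = io.BytesIO()
    rebuild_image(SAMPLE_LIST, io.BytesIO(SAMPLE_DAT), out)
    return out.getvalue()


if __name__ == "__main__":
    img = demo()
    print(len(img) // BLOCK_SIZE, "blocks, block 3 starts with", img[3 * BLOCK_SIZE:][:4])
```

For a real package, open system.new.dat and the output file in binary mode and pass the text of system.transfer.list; the resulting image can then be loop-mounted read-only.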

As it’s Android, we have a series of APKs:

-rw-r--r-- 1 user user 678364 Dec 25 17:15 amazon.jackson-19.apk
-rw-r--r-- 1 user user 59016 Dec 25 17:15 android.amazon.perm.apk
-rw-r--r-- 1 user user 15936 Dec 25 17:15 AuthUtilsService.apk
-rw-r--r-- 1 user user 1592978 Dec 25 17:15 Bluetooth.apk
-rw-r--r-- 1 user user 2817 Dec 25 17:15 BluetoothController.apk
-rw-r--r-- 1 user user 1336616 Dec 25 17:15 CertInstaller.apk
-rw-r--r-- 1 user user 137950 Dec 25 17:15 com.amazon.communication.apk
-rw-r--r-- 1 user user 3381266 Dec 25 17:15 com.amazon.device.bluetoothdfu.apk
-rw-r--r-- 1 user user 749596 Dec 25 17:15 com.amazon.device.sync.apk
-rw-r--r-- 1 user user 967225 Dec 25 17:15 com.amazon.device.sync.sdk.internal.apk
-rw-r--r-- 1 user user 9982 Dec 25 17:15 com.amazon.dp.logger.apk
-rw-r--r-- 1 user user 603222 Dec 25 17:15 com.amazon.imp.apk
-rw-r--r-- 1 user user 3209008 Dec 25 17:15 com.amazon.kindleautomatictimezone.apk
-rw-r--r-- 1 user user 3972953 Dec 25 17:15 com.amazon.kindle.rdmdeviceadmin.apk
-rw-r--r-- 1 user user 3799 Dec 25 17:15 com.amazon.platformsettings.apk
-rw-r--r-- 1 user user 322178 Dec 25 17:15 com.amazon.tcomm.apk
-rw-r--r-- 1 user user 211709 Dec 25 17:15 CrashManager.apk
-rw-r--r-- 1 user user 9099 Dec 25 17:15 DefaultContainerService.apk
-rw-r--r-- 1 user user 52082 Dec 25 17:15 DeviceClientPlatformContractsFramework.apk
-rw-r--r-- 1 user user 1252024 Dec 25 17:15 DeviceMessagingAndroid.apk
-rw-r--r-- 1 user user 38995 Dec 25 17:15 DeviceMessagingAndroidInternalSDK.apk
-rw-r--r-- 1 user user 40536 Dec 25 17:15 DeviceMessagingAndroidSDK.apk
-rw-r--r-- 1 user user 278931 Dec 25 17:15 DeviceSoftwareOTA.apk
-rw-r--r-- 1 user user 47557 Dec 25 17:15 DeviceSoftwareOTAContracts.apk
-rw-r--r-- 1 user user 190978 Dec 25 17:15 DownloadProvider.apk
-rw-r--r-- 1 user user 165353 Dec 25 17:15 FireApplicationCompatibilityEnforcer.apk
-rw-r--r-- 1 user user 10792 Dec 25 17:15 FireApplicationCompatibilityEnforcerSDK.apk
-rw-r--r-- 1 user user 4618 Dec 25 17:15 fireos-res.apk
-rw-r--r-- 1 user user 7157 Dec 25 17:15 FireRecessProxy.apk
-rw-r--r-- 1 user user 14446992 Dec 25 17:15 framework-res.apk
-rw-r--r-- 1 user user 8440 Dec 25 17:15 FusedLocation.apk
-rw-r--r-- 1 user user 140960 Dec 25 17:15 InputDevices.apk
-rw-r--r-- 1 user user 48406 Dec 25 17:15 KeyChain.apk
-rw-r--r-- 1 user user 767179 Dec 25 17:15 LogManager-logd.apk
-rw-r--r-- 1 user user 39111 Dec 25 17:15 MetricsApi.apk
-rw-r--r-- 1 user user 347814 Dec 25 17:15 MetricsService.apk
-rw-r--r-- 1 user user 2783 Dec 25 17:15 Provision.apk
-rw-r--r-- 1 user user 15956 Dec 25 17:15 RemoteControlManager.apk
-rw-r--r-- 1 user user 149422 Dec 25 17:15 RemoteSettingsAndroid.apk
-rw-r--r-- 1 user user 39168 Dec 25 17:15 RemoteSettingsInternalSDK.apk
-rw-r--r-- 1 user user 99144 Dec 25 17:15 SettingsProvider.apk
-rw-r--r-- 1 user user 33401 Dec 25 17:15 Shell.apk
-rw-r--r-- 1 user user 4002 Dec 25 17:15 shipmode.apk
-rw-r--r-- 1 user user 3713 Dec 25 17:15 SimpleLauncher.apk
-rw-r--r-- 1 user user 3909 Dec 25 17:15 ThrottleDownloads.apk

Most of these decompile readily with jadx and do not have obfuscated source code. I had some trouble with some of them with my version of jadx. However, most of these APKs do not appear to be the meat of the Echo Dot’s software. The majority of the interesting things are in the /bin directory.

total 19320
drwxr-xr-x 3 root 2000 8192 Nov 30 17:54 .
drwxr-xr-x 18 root root 4096 Dec 31 1969 ..
-rwxr-xr-x 1 root 2000 31376 Nov 30 17:54 6620_launcher
-rwxr-xr-x 1 root 2000 9816 Nov 30 17:54 6620_wmt_concurrency
-rwxr-xr-x 1 root 2000 9768 Nov 30 17:54 6620_wmt_lpbk
-rwxr-xr-x 1 root 2000 66944 Nov 30 17:54 AcdApiDaemon
-rwxr-xr-x 1 root 2000 42384 Nov 30 17:54 akmd09911
-rwxr-xr-x 1 root 2000 34308 Nov 30 17:54 akmd8963
-rwxr-xr-x 1 root 2000 30220 Nov 30 17:54 akmd8975
-rwxr-xr-x 1 root 2000 263560 Nov 30 17:54 alarmd
-rwxr-xr-x 1 root 2000 54644 Nov 30 17:54 alexad
-rwxr-xr-x 1 root 2000 46360 Nov 30 17:54 alexaspeechplayer
-rwxr-xr-x 1 root 2000 210 Nov 30 17:54 am
-rwxr-xr-x 1 root 2000 30080 Nov 30 17:54 ami304d
-rwxr-xr-x 1 root 2000 5592 Nov 30 17:54 amzn_dha_hmac
-rwxr-xr-x 1 root 2000 9880 Nov 30 17:54 amzn_dha_tool
-rwxr-xr-x 1 root 2000 5356 Nov 30 17:54 amzn_drmprov_check
-rwxr-xr-x 1 root 2000 9624 Nov 30 17:54 amzn_drmprov_tool
-rwxr-xr-x 1 root 2000 18056 Nov 30 17:54 antdiv
-rwxr-xr-x 1 root 2000 62080 Nov 30 17:54 applypatch
-rwxr-xr-x 1 root 2000 213 Nov 30 17:54 appops
lrwxr-xr-x 1 root 2000 13 Nov 30 17:54 app_process -> app_process32
-rwxr-xr-x 1 root 2000 13640 Nov 30 17:54 app_process32
-rwxr-xr-x 1 root 2000 5715 Nov 30 17:54 appreg-install-merge.sh
-rwxr-xr-x 1 root 2000 295 Nov 30 17:54 appregReadyRm.sh
-rwxr-xr-x 1 root 2000 215 Nov 30 17:54 appwidget
-rwxr-xr-x 1 root 2000 136600 Nov 30 17:54 asrd
-rwxr-xr-x 1 root 2000 30536 Nov 30 17:54 atrace
-rwxr-xr-x 1 root 2000 189780 Nov 30 17:54 audioctrl
-rwxr-xr-x 1 root 2000 357812 Nov 30 17:54 audioencoderd
-rwxr-xr-x 1 root 2000 259444 Nov 30 17:54 audiohub
-rwxr-xr-x 1 root 2000 50456 Nov 30 17:54 audioplayerng
-rwxr-xr-x 1 root 2000 29976 Nov 30 17:54 authd
-rwxr-xr-x 1 root 2000 18792 Nov 30 17:54 autobt
-rwxr-xr-x 1 root 2000 75140 Nov 30 17:54 avahi-daemon
-rwxr-xr-x 1 root 2000 26160 Nov 30 17:54 badblocks
-rwxr-xr-x 1 root 2000 22224 Nov 30 17:54 bcc
-rwxr-xr-x 1 root 2000 13816 Nov 30 17:54 blkid
-rwxr-xr-x 1 root 2000 199 Nov 30 17:54 bmgr
-rwxr-xr-x 1 root 2000 63816 Nov 30 17:54 bmm050d
-rwxr-xr-x 1 root 2000 42616 Nov 30 17:54 bootanimation
-rwxr-xr-x 1 root 2000 722 Nov 30 17:54 bootBegins.sh
-rwxr-xr-x 1 root 2000 598 Nov 30 17:54 booting.sh
-rwxr-xr-x 1 root 2000 21872 Nov 30 17:54 BTSinkPlayer
-rwxr-xr-x 1 root 2000 156 Nov 30 17:54 bu
-rwxr-s--- 1 root 1007 9688 Nov 30 17:54 bugreport
-rwxr-xr-x 1 root 2000 1356752 Nov 30 17:54 busybox
-rwxr-xr-x 1 root 2000 9540 Nov 30 17:54 buttond
-rwxr-xr-x 1 root 2000 1165 Nov 30 17:54 buttonHandler.sh
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 cat -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 chcon -> toolbox
-rwxr-xr-x 1 root 2000 1241 Nov 30 17:54 checkaddeddhcp
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 chmod -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 chown -> toolbox
-rwxr-xr-x 1 root 2000 55152 Nov 30 17:54 clatd
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 clear -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 cmp -> toolbox
-rwxr-xr-x 1 root 2000 50548 Nov 30 17:54 conductor
-rwxr-xr-x 1 root 2000 207 Nov 30 17:54 content
-rwxr-xr-x 1 root 2000 554376 Nov 30 17:54 controld
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 cp -> toolbox
-rwxr-xr-x 1 root 2000 931 Nov 30 17:54 create_audio_shmbuf.sh
-rwxr-xr-x 1 root 2000 2789 Nov 30 17:54 createEarconSymlink_android.sh
-rwxr-xr-x 1 root 2000 1670552 Nov 30 17:54 curl
lrwxr-xr-x 1 root 2000 10 Nov 30 17:54 dalvikvm -> dalvikvm32
-rwxr-xr-x 1 root 2000 9444 Nov 30 17:54 dalvikvm32
-rwxr-xr-x 1 root 2000 13856 Nov 30 17:54 dalvikvm64
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 date -> toolbox
-rwxr-xr-x 1 root 2000 128340 Nov 30 17:54 dbus-daemon
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 dd -> toolbox
-rwxr-xr-x 1 root 2000 25944 Nov 30 17:54 debuggerd
-rwxr-xr-x 1 root 2000 42616 Nov 30 17:54 debuggerd64
-rwxr-xr-x 1 root 2000 46360 Nov 30 17:54 demo
-rwxr-xr-x 1 root 2000 13952 Nov 30 17:54 devicetype_service
-rwxr-xr-x 1 root 2000 75084 Nov 30 17:54 dex2oat
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 df -> toolbox
-rwxr-xr-x 1 root 2000 112384 Nov 30 17:54 dhcpcd
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 dmesg -> toolbox
-rwxr-xr-x 1 root 2000 168688 Nov 30 17:54 dnsmasq
-rwxr-xr-x 1 root 2000 17636 Nov 30 17:54 dnsmasq_endpointer
-rwxr-xr-x 1 root 2000 642 Nov 30 17:54 dnsmasq.sh
-rwxr-xr-x 1 root 2000 156 Nov 30 17:54 dpm
-rwxr-xr-x 1 root 2000 54600 Nov 30 17:54 drmserver
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 du -> toolbox
-rwxr-xr-x 1 root 2000 2361 Nov 30 17:54 dump-ramdump.sh
-rwxr-xr-x 1 root 2000 58960 Nov 30 17:54 dumpstate
-rwxr-xr-x 1 root 2000 13936 Nov 30 17:54 dumpsys
-rwxr-xr-x 1 root 2000 212552 Nov 30 17:54 e2fsck
-rwxr-xr-x 1 root 2000 29976 Nov 30 17:54 earconplayer
-rwxr-xr-x 1 root 2000 13784 Nov 30 17:54 enable_charger_det
-rwxr-xr-x 1 root 2000 66892 Nov 30 17:54 factory-reset
-rwxr-xr-x 1 root 2000 7408 Nov 30 17:54 firewall.sh
-rwxr-xr-x 1 root 2000 34336 Nov 30 17:54 fsck_msdos
-rwxr-xr-x 1 root 2000 1241 Nov 30 17:54 generateCerts.sh
-rwxr-xr-x 1 root 2000 636 Nov 30 17:54 generateGuid.sh
-rwxr-xr-x 1 root 2000 501 Nov 30 17:54 generate-self-signed-cert.sh
-rwxr-xr-x 1 root 2000 34896 Nov 30 17:54 geomagneticd
-rwxr-xr-x 1 root 2000 5296 Nov 30 17:54 get-dynconf-value
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 getenforce -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 getevent -> toolbox
-rwxr-xr-x 1 root 2000 42212 Nov 30 17:54 get-idme-value
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 getprop -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 getsebool -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 grep -> toolbox
drwxr-xr-x 2 root 2000 4096 Nov 30 17:54 gstreamer-1.0
-rwxr-xr-x 1 root 2000 9760 Nov 30 17:54 gzip
-rwxr-xr-x 1 root 2000 402820 Nov 30 17:54 hallod
-rwxr-xr-x 1 root 2000 96176 Nov 30 17:54 halutil
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 hd -> toolbox
-rwxr-xr-x 1 root 2000 173336 Nov 30 17:54 homeautod
-rwxr-xr-x 1 root 2000 584896 Nov 30 17:54 hostapd
-rwxr-xr-x 1 root 2000 43112 Nov 30 17:54 hostapd_cli
-rwxr-xr-x 1 root 2000 5396 Nov 30 17:54 i18nd
-rwxr-xr-x 1 root 2000 17960 Nov 30 17:54 i2cdetect
-rwxr-xr-x 1 root 2000 22056 Nov 30 17:54 i2cdump
-rwxr-xr-x 1 root 2000 17960 Nov 30 17:54 i2cget
-rwxr-xr-x 1 root 2000 22056 Nov 30 17:54 i2cset
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 id -> toolbox
-rwxr-xr-x 1 root 2000 30024 Nov 30 17:54 idled
-rwxr-xr-x 1 root 2000 17880 Nov 30 17:54 idme
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 ifconfig -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 iftop -> toolbox
-rwxr-xr-x 1 root 2000 194 Nov 30 17:54 ime
-rwxr-xr-x 1 root 2000 3255 Nov 30 17:54 initDeviceLocale_android.sh
-rwxr-xr-x 1 root 2000 201 Nov 30 17:54 input
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 insmod -> toolbox
-rwxr-xr-x 1 root 2000 71936 Nov 30 17:54 installd
-rwxr-x--- 1 root root 652 Nov 30 17:54 install-recovery.sh
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 ioctl -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 ionice -> toolbox
-rwxr-xr-x 1 root 2000 223296 Nov 30 17:54 ip
-rwxr-xr-x 1 root 2000 394088 Nov 30 17:54 ip6tables
-rwxr-xr-x 1 root 2000 385584 Nov 30 17:54 iptables
-rwxr-xr-x 1 root 2000 383 Nov 30 17:54 isDemo.sh
-rwxr-xr-x 1 root 2000 140 Nov 30 17:54 isSaviour.sh
-rwxr-xr-x 1 root 2000 112464 Nov 30 17:54 keystore
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 kill -> toolbox
-rwxr-xr-x 1 root 2000 14184 Nov 30 17:54 kisd
-rwxr-x--- 1 root user 337176 Nov 30 17:54 ledd
-rwxr-xr-x 1 root 2000 92349 Nov 30 17:54 linker
-rwxr-xr-x 1 root 2000 108489 Nov 30 17:54 linker64
-rwxr-xr-x 1 root 2000 17636 Nov 30 17:54 lipc-daemon
-rwxr-xr-x 1 root 2000 5296 Nov 30 17:54 lipc-get-prop
-rwxr-xr-x 1 root 2000 21844 Nov 30 17:54 lipc-hash-prop
-rwxr-xr-x 1 root 2000 9392 Nov 30 17:54 lipc-probe
-rwxr-xr-x 1 root 2000 9392 Nov 30 17:54 lipc-send-event
-rwxr-xr-x 1 root 2000 5296 Nov 30 17:54 lipc-set-prop
-rwxr-xr-x 1 root 2000 13488 Nov 30 17:54 lipc-wait-event
-rwxr-xr-x 1 root 2000 17960 Nov 30 17:54 lmkd
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 ln -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 load_policy -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 log -> toolbox
-rwxr-xr-x 1 root 2000 22056 Nov 30 17:54 logcat
-rwxr-xr-x 1 root 2000 108376 Nov 30 17:54 logd
-rwxr-xr-x 1 root 2000 22072 Nov 30 17:54 logwrapper
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 ls -> toolbox
-rwxr-xr-x 1 root 2000 30096 Nov 30 17:54 lsm303md
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 lsmod -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 lsof -> toolbox
-rwxr-xr-x 1 root 2000 26000 Nov 30 17:54 magd
-rwxr-xr-x 1 root 2000 18024 Nov 30 17:54 make_ext4fs
-rwxr-xr-x 1 root 2000 30540 Nov 30 17:54 mc6420d
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 md5 -> toolbox
-rwxr-xr-x 1 root 2000 210 Nov 30 17:54 media
-rwxr-xr-x 1 root 2000 13592 Nov 30 17:54 mediaserver
-rwxr-xr-x 1 root 2000 17952 Nov 30 17:54 memsicd
-rwxr-xr-x 1 root 2000 22056 Nov 30 17:54 memsicd3416x
-rwxr-xr-x 1 root 2000 558352 Nov 30 17:54 meta_tst
-rwxr-xr-x 1 root 2000 136588 Nov 30 17:54 metrics-collector
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 mkdir -> toolbox
-rwxr-xr-x 1 root 2000 54896 Nov 30 17:54 mke2fs
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 mknod -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 mkswap -> toolbox
-rwxr-xr-x 1 root 2000 43260 Nov 30 17:54 mobile_log_d
-rwxr-xr-x 1 root 2000 217 Nov 30 17:54 monkey
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 mount -> toolbox
-rwxr-xr-x 1 root 2000 9784 Nov 30 17:54 msensord
-rwxr-xr-x 1 root 2000 26336 Nov 30 17:54 mtpd
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 mv -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 nandread -> toolbox
-rwxr-xr-x 1 root 2000 9792 Nov 30 17:54 ndc
-rwxr-s--- 1 root 3003 9832 Nov 30 17:54 netcfg
-rwxr-xr-x 1 root 2000 182392 Nov 30 17:54 netd
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 netstat -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 newfs_msdos -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 nohup -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 notify -> toolbox
-rwxr-xr-x 1 root 2000 9672 Nov 30 17:54 nvram_daemon
-rwxr-xr-x 1 root 2000 128704 Nov 30 17:54 oatdump
-rwxr-xr-x 1 root 2000 275 Nov 30 17:54 onReboot.sh
-rwxr-xr-x 1 root 2000 239220 Nov 30 17:54 oobed
-rwxr-xr-x 1 root 2000 381964 Nov 30 17:54 openssl
-rwxr-xr-x 1 root 2000 457176 Nov 30 17:54 openssl64
-rwxr-xr-x 1 root 2000 19200 Nov 30 17:54 orientationd
-rwxr-x--- 1 root user 614 Nov 30 17:54 otamode.sh
-rwxr-xr-x 1 root 2000 152956 Nov 30 17:54 p2pd
-rwxr-xr-x 1 root 2000 50456 Nov 30 17:54 patchoat
-rwxr-xr-x 1 root root 42800 Nov 30 17:54 ping
-rwxr-xr-x 1 root 2000 47304 Nov 30 17:54 ping6
-rwxr-xr-x 1 root 2000 191 Nov 30 17:54 pm
-rwxr-xr-x 1 root 2000 25880 Nov 30 17:54 powerd
-rwxr-xr-x 1 root 2000 252184 Nov 30 17:54 pppd
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 printenv -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 prlimit -> toolbox
-rwxr-xr-x 1 root 2000 716 Nov 30 17:54 propmap.sh
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 ps -> toolbox
-rwxr-xr-x 1 root 2000 287032 Nov 30 17:54 racoon
-rwxr-xr-x 1 root 2000 292228 Nov 30 17:54 rawencoderd
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 readlink -> toolbox
-rwxr-xr-x 1 root 2000 5592 Nov 30 17:54 reboot
-rwxr-xr-x 1 root 2000 912224 Nov 30 17:54 recovery
-rwxr-xr-x 1 root 2000 13928 Nov 30 17:54 register
-rwxr-xr-x 1 root 2000 46560 Nov 30 17:54 remoted
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 renice -> toolbox
-rwxr-xr-x 1 root 2000 46624 Nov 30 17:54 resize2fs
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 restorecon -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 rm -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 rmdir -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 rmmod -> toolbox
-rwxr-xr-x 1 root 2000 355 Nov 30 17:54 rmPidFiles.sh
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 route -> toolbox
-rwxr-xr-x 1 root 2000 13864 Nov 30 17:54 rpmb_svc
-rwxr-x--- 1 root 2000 9688 Nov 30 17:54 run-as
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 runcon -> toolbox
-rwxr-xr-x 1 root 2000 26024 Nov 30 17:54 s62xd
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 schedtop -> toolbox
-rwxr-xr-x 1 root 2000 30240 Nov 30 17:54 sdcard
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 sendevent -> toolbox
-rwxr-xr-x 1 root 2000 9688 Nov 30 17:54 sensorservice
-rwxr-xr-x 1 root 2000 17960 Nov 30 17:54 service
-rwxr-xr-x 1 root 2000 18016 Nov 30 17:54 servicemanager
-rwxr-xr-x 1 root 2000 5296 Nov 30 17:54 set-dynconf-value
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 setenforce -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 setprop -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 setsebool -> toolbox
-rwxr-xr-x 1 root 2000 252 Nov 30 17:54 set_shmbuf_names.sh
-rwxr-xr-x 1 root 2000 178 Nov 30 17:54 settings
-rwxr-xr-x 1 root 2000 50548 Nov 30 17:54 settingsd
-rwxr-xr-x 1 root 2000 1454 Nov 30 17:54 setup_dsn_earcons.sh
-rwxr-xr-x 1 root 2000 284928 Nov 30 17:54 sh
-rwxr-xr-x 1 root 2000 9492 Nov 30 17:54 shmbuf_tool
-rwxr-xr-x 1 root 2000 38220 Nov 30 17:54 shmd
-rwxr-xr-x 1 root 2000 13592 Nov 30 17:54 shmq_tool
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 sleep -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 smd -> toolbox
-rwxr-xr-x 1 root 2000 496988 Nov 30 17:54 spotifyd
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 start -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 stop -> toolbox
-rwxr-xr-x 1 root 2000 9760 Nov 30 17:54 surfaceflinger
-rwxr-xr-x 1 root 2000 192 Nov 30 17:54 svc
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 swapoff -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 swapon -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 sync -> toolbox
-rwxr-xr-x 1 root 2000 92128 Nov 30 17:54 tc
-rwxr-xr-x 1 root 2000 5528 Nov 30 17:54 thermal_manager
-rwxr-xr-x 1 root 2000 9760 Nov 30 17:54 tinycap
-rwxr-xr-x 1 root 2000 13784 Nov 30 17:54 tinymix
-rwxr-xr-x 1 root 2000 9768 Nov 30 17:54 tinypcminfo
-rwxr-xr-x 1 root 2000 9760 Nov 30 17:54 tinyplay
-rwxr-xr-x 1 root 2000 26224 Nov 30 17:54 tinytest
-rwxr-xr-x 1 root 2000 247176 Nov 30 17:54 toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 top -> toolbox
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 touch -> toolbox
-rwxr-xr-x 1 root 2000 42576 Nov 30 17:54 tune2fs
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 umount -> toolbox
-rwxr-x--- 1 root root 30768 Nov 30 17:54 uncrypt
-rwxr-xr-x 1 root 2000 2308 Nov 30 17:54 updateAsrdDynConfig.sh
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 uptime -> toolbox
-rwxr-xr-x 1 root 2000 9688 Nov 30 17:54 vdc
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 vmstat -> toolbox
-rwxr-xr-x 1 root 2000 186624 Nov 30 17:54 vold
-rwxr-xr-x 1 root 2000 5672 Nov 30 17:54 vpartition
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 watchprops -> toolbox
-rwxr-xr-x 1 root 2000 694024 Nov 30 17:54 wifid
-rwxr-xr-x 1 root 2000 26400 Nov 30 17:54 wifitesttool
lrwxr-xr-x 1 root 2000 7 Nov 30 17:54 wipe -> toolbox
-rwxr-xr-x 1 root 2000 13784 Nov 30 17:54 wipe_fos_flags
-rwxr-xr-x 1 root 2000 190 Nov 30 17:54 wm
-rwxr-xr-x 1 root 2000 9696 Nov 30 17:54 wmt_loader
-rwxr-xr-x 1 root 2000 102256 Nov 30 17:54 wpa_cli
-rwxr-xr-x 1 root 2000 1568192 Nov 30 17:54 wpa_supplicant

Here we see alexad, oobed, homeautod, debuggerd, wifid, controld, spotifyd, and some common *nix utilities. These are all stripped ARM binaries. There are also strange things like isSaviour.sh:

#!/bin/sh
if (. /etc/ota_version && [ "$IS_SAVIOUR_OF_THE_UNIVERSE" = 'Y' ]) >/dev/null 2>&1; then
    echo '1'
    exit 0
fi
echo '0'
exit 0

There are also a few TODOs scattered about, such as this one in buttonHandler.sh, which shows functionality for dumping device state perhaps coming soon:

# Perform a dump if the dumpstate button combination is hit for a very long press.
if [ "$3" = "dumpState" -a $4 -eq 5 ]; then
# TODO: DEE-22540: Dump the state of the device

The /local directory is also of note. /local/models appears to contain American, British English and German speech training models for the awake keywords “Alexa”, “Amazon”, and “Echo”, at least confirming Amazon’s statement that it does listen for these keywords.

drwxr-xr-x 2 root root 4096 Nov 30 17:54 .
drwxr-xr-x 5 root root 4096 Nov 30 17:54 ..
-rw-r--r-- 1 root root 292 Nov 30 17:54 ALEXA.bg.hclg.pfst
-rw-r--r-- 1 root root 3844 Nov 30 17:54 ALEXA.fg.hclg.pfst
-rw-r--r-- 1 root root 1200288 Nov 30 17:54 ALEXA.psvm
-rw-r--r-- 1 root root 809 Nov 30 17:54 ALEXA.scales
-rw-r--r-- 1 root root 6034557 Nov 30 17:54 finalQuant.mlp
-rw-r--r-- 1 root root 2084 Nov 30 17:54 final.trans
-rw-r--r-- 1 root root 9451 Nov 30 17:54 kw.cfg.json
-rw-r--r-- 1 root root 68 Nov 30 17:54 nonspeech_words.lst
-rw-r--r-- 1 root root 461 Nov 30 17:54 op.cfg.json
-rw-r--r-- 1 root root 404 Nov 30 17:54 pdf.counts
-rw-r--r-- 1 root root 211 Nov 30 17:54 phones.txt
-rw-r--r-- 1 root root 3369 Nov 30 17:54 pryon.config
-rw-r--r-- 1 root root 211 Nov 30 17:54 pryon.manifest
-rw-r--r-- 1 root root 292 Nov 30 17:54 STOP.bg.hclg.pfst
-rw-r--r-- 1 root root 1428 Nov 30 17:54 STOP.fg.hclg.pfst
-rw-r--r-- 1 root root 314116 Nov 30 17:54 STOP.psvm
-rw-r--r-- 1 root root 827 Nov 30 17:54 STOP.scales
-rw-r--r-- 1 root root 183 Nov 30 17:54 train_glob.cmvn
-rw-r--r-- 1 root root 114 Nov 30 17:54 transform.mlp
-rw-r--r-- 1 root root 27 Nov 30 17:54 words.shrunk.txt

All of the mp3s the Echo Dot plays to you are in /local/share/earcon, so if you wanted to hack Alexa’s voice to be different, you could swap out these audio files.

-rw-r--r-- 1 root root 48044 Nov 30 17:54 500ms_blank.wav
-rw-r--r-- 1 root root 26498 Nov 30 17:54 controls_buttons_mic_off.wav
-rw-r--r-- 1 root root 43246 Nov 30 17:54 controls_buttons_mic_on.wav
-rw-r--r-- 1 root root 192044 Nov 30 17:54 controls_buttons_multipress_long.wav
-rw-r--r-- 1 root root 38444 Nov 30 17:54 controls_volume_adjust.wav
-rw-r--r-- 1 root root 377641 Nov 30 17:54 system_alerts_alarming_03.mp3
-rw-r--r-- 1 root root 185120 Nov 30 17:54 system_alerts_alarming_03_short.wav
-rw-r--r-- 1 root root 283561 Nov 30 17:54 system_alerts_alec_baldwin.mp3
-rw-r--r-- 1 root root 192088 Nov 30 17:54 system_alerts_alec_baldwin_short.wav
-rw-r--r-- 1 root root 366697 Nov 30 17:54 system_alerts_atonal_02.mp3
-rw-r--r-- 1 root root 187244 Nov 30 17:54 system_alerts_atonal_02_short.wav
-rw-r--r-- 1 root root 487273 Nov 30 17:54 system_alerts_atonal_03.mp3
-rw-r--r-- 1 root root 192026 Nov 30 17:54 system_alerts_atonal_03_short.wav
-rw-r--r-- 1 root root 384073 Nov 30 17:54 system_alerts_dan_marino.mp3
-rw-r--r-- 1 root root 192088 Nov 30 17:54 system_alerts_dan_marino_short.wav
-rw-r--r-- 1 root root 268969 Nov 30 17:54 system_alerts_genuine_crush.mp3
-rw-r--r-- 1 root root 192088 Nov 30 17:54 system_alerts_genuine_crush_short.wav
-rw-r--r-- 1 root root 548952 Nov 30 17:54 system_alerts_grand_tour.mp3
-rw-r--r-- 1 root root 192088 Nov 30 17:54 system_alerts_grand_tour_short.wav
-rw-r--r-- 1 root root 396121 Nov 30 17:54 system_alerts_jason_schwartzman.mp3
-rw-r--r-- 1 root root 192088 Nov 30 17:54 system_alerts_jason_schwartzman_short.wav
-rw-r--r-- 1 root root 195241 Nov 30 17:54 system_alerts_melodic_01.mp3
-rw-r--r-- 1 root root 192088 Nov 30 17:54 system_alerts_melodic_01_short.wav
-rw-r--r-- 1 root root 188329 Nov 30 17:54 system_alerts_melodic_02.mp3
-rw-r--r-- 1 root root 192034 Nov 30 17:54 system_alerts_melodic_02_short.wav
-rw-r--r-- 1 root root 381001 Nov 30 17:54 system_alerts_melodic_03.mp3
-rw-r--r-- 1 root root 185618 Nov 30 17:54 system_alerts_melodic_03_short.wav
-rw-r--r-- 1 root root 252985 Nov 30 17:54 system_alerts_melodic_05.mp3
-rw-r--r-- 1 root root 275278 Nov 30 17:54 system_alerts_melodic_05_short.wav
-rw-r--r-- 1 root root 429241 Nov 30 17:54 system_alerts_melodic_06.mp3
-rw-r--r-- 1 root root 146162 Nov 30 17:54 system_alerts_melodic_06_short.wav
-rw-r--r-- 1 root root 498217 Nov 30 17:54 system_alerts_melodic_07.mp3
-rw-r--r-- 1 root root 174972 Nov 30 17:54 system_alerts_melodic_07_short.wav
-rw-r--r-- 1 root root 242665 Nov 30 17:54 system_alerts_missy_elliott.mp3
-rw-r--r-- 1 root root 192088 Nov 30 17:54 system_alerts_missy_elliott_short.wav
-rw-r--r-- 1 root root 393865 Nov 30 17:54 system_alerts_musical_02.mp3
-rw-r--r-- 1 root root 202760 Nov 30 17:54 system_alerts_musical_02_short.wav
-rw-r--r-- 1 root root 258505 Nov 30 17:54 system_alerts_repetitive_01.mp3
-rw-r--r-- 1 root root 192044 Nov 30 17:54 system_alerts_repetitive_01_short.wav
-rw-r--r-- 1 root root 315865 Nov 30 17:54 system_alerts_repetitive_04.mp3
-rw-r--r-- 1 root root 189316 Nov 30 17:54 system_alerts_repetitive_04_short.wav
-rw-r--r-- 1 root root 498169 Nov 30 17:54 system_alerts_rhythmic_02.mp3
-rw-r--r-- 1 root root 192632 Nov 30 17:54 system_alerts_rhythmic_02_short.wav
-rw-r--r-- 1 root root 602665 Nov 30 17:54 system_alerts_soothing_01.mp3
-rw-r--r-- 1 root root 278994 Nov 30 17:54 system_alerts_soothing_01_short.wav
-rw-r--r-- 1 root root 695017 Nov 30 17:54 system_alerts_soothing_05.mp3
-rw-r--r-- 1 root root 316868 Nov 30 17:54 system_alerts_soothing_05_short.wav
-rw-r--r-- 1 root root 55465 Nov 30 17:54 system_bluetooth_bt_connected.mp3
-rw-r--r-- 1 root root 42553 Nov 30 17:54 system_bluetooth_bt_disconnected.mp3
-rw-r--r-- 1 root root 27648 Nov 30 17:54 system_comm_call_connected.mp3
-rw-r--r-- 1 root root 22272 Nov 30 17:54 system_comm_call_disconnected.mp3
-rw-r--r-- 1 root root 26112 Nov 30 17:54 system_comm_call_hold.mp3
-rw-r--r-- 1 root root 82176 Nov 30 17:54 system_comm_call_incoming_ringtone_intro.mp3
-rw-r--r-- 1 root root 195072 Nov 30 17:54 system_comm_call_incoming_ringtone.mp3
-rw-r--r-- 1 root root 12288 Nov 30 17:54 system_comm_call_mute.mp3
-rw-r--r-- 1 root root 34560 Nov 30 17:54 system_comm_call_unhold.mp3
-rw-r--r-- 1 root root 16896 Nov 30 17:54 system_comm_call_unmute.mp3
-rw-r--r-- 1 root root 82176 Nov 30 17:54 system_comm_call_waiting.mp3
-rw-r--r-- 1 root root 57600 Nov 30 17:54 system_comm_dialing_tones.mp3
-rw-r--r-- 1 root root 67584 Nov 30 17:54 system_comm_drop_in_connected.mp3
-rw-r--r-- 1 root root 43776 Nov 30 17:54 system_comm_notification_generic_01.mp3
-rw-r--r-- 1 root root 163584 Nov 30 17:54 system_comm_outbound_ringtone.mp3
-rw-r--r-- 1 root root 44857 Nov 30 17:54 system_communications_sms_received_01.mp3
-rw-r--r-- 1 root root 59136 Nov 30 17:54 system_communications_sms_received_02.mp3
-rw-r--r-- 1 root root 33481 Nov 30 17:54 system_communications_sms_received_03.mp3
-rw-r--r-- 1 root root 39440 Nov 30 17:54 system_scone_low_battery_warning.wav
-rw-r--r-- 1 root root 72016 Nov 30 17:54 system_scone_mic_off.wav
-rw-r--r-- 1 root root 38520 Nov 30 17:54 system_scone_mic_on.wav
-rw-r--r-- 1 root root 96044 Nov 30 17:54 system_scone_pairing_start.wav
-rw-r--r-- 1 root root 120082 Nov 30 17:54 system_scone_pairing_success.wav
-rw-r--r-- 1 root root 96014 Nov 30 17:54 system_scone_unpaired.wav
-rw-r--r-- 1 root root 96044 Nov 30 17:54 system_state_active_start.wav
-rw-r--r-- 1 root root 64585 Nov 30 17:54 system_state_boot_error.mp3
-rw-r--r-- 1 root root 258217 Nov 30 17:54 system_state_boot_finished_ready.mp3
-rw-r--r-- 1 root root 48978 Nov 30 17:54 system_state_error_generic_2.wav
-rw-r--r-- 1 root root 72036 Nov 30 17:54 system_state_low_power_mode.wav
-rw-r--r-- 1 root root 226729 Nov 30 17:54 system_state_oobe_setup.mp3
-rw-r--r-- 1 root root 72036 Nov 30 17:54 system_state_ota_error.wav
-rw-r--r-- 1 root root 58612 Nov 30 17:54 system_state_power_supply_error.wav
-rw-r--r-- 1 root root 48169 Nov 30 17:54 system_state_setup_mode_off.mp3
-rw-r--r-- 1 root root 48044 Nov 30 17:54 system_state_user_speech_confirmed.wav
-rw-r--r-- 1 root root 530857 Nov 30 17:54 system_synchronization_tones_only.mp3

Where to go from here

While I didn’t get as far as I had wanted, I at least ended up with an intercepted firmware dump from my network, which has yielded a ton of APKs and binaries to reverse. Now I’m in the process of decompiling/disassembling the APKs and binaries using jadx and Binary Ninja, since I don’t have a personal IDA/Hex-Rays license.

While I know my way around the Android API and Java, this will be my first foray into ARM assembly, so it may take a while before I have anything useful.

This post was brought to you (unofficially) by Takatenjin Sword of the Sun, a honjozo sake.