Echo Project

2022-05-10 #echo #amazon #reverse-engineering

Useful information for reverse engineering Echo Dot. This is a constantly edited page that will get more information as it is added.

Focusing on V2, since it is new enough to be pretty powerful, but old enough to have exploits, and it is old enough not to use a custom SOC, but the same SOC as the Kindle Fire HD 8.

Hardware info

Teardown of Echo Dot V2: Teardown Tuesday: Amazon Echo Dot v2
Another teardown with a little bit more info EDN Asia

Important Components:

Part Number	Description
ADC 3101 TI 681 AE4X	Microphone ADC
R3019 3236	Microcontroller on mic board
DAC 32031 TI 68k CQ61	output DAC
MEDIATEK MT6625LN 1628-AJC8L BAP0M972 ATG14T11	4 in 1 Wireless chip
MEDIATEK MT6323LGA 1629-AGAH CTG14U07	PMIC
MEDIATEK ARM MT8163V 1636-KBCAH CCMKYRHS	SoC
MICRON 6PA98 JWB30	Combo 4Gb LPDDR3, and 4GB eMMC MLC memory

MediaTek Software info

Old info on how mediatek SoCs boot up:

Bootloader Exploits

pre-packaged exploits for MediaTek SoCs: MTK-bypass
MTK utility for doing lots of stuff: MTKClient
Adapting a bootrom exploit for a new mediatek SoC: Dissecting a MediaTek BootROM exploit
Glitching MT8163 Theres a hole in your SoC
hardware root via shorting emmc during boot: Fire HD 8 (2018 ONLY) unbrick, downgrade, unlock & root
Amonet, the root exploit referred to above. amonet
Explanation of little kernal bootloader exploits Exploiting Samsung Galaxy S4 Secure Boot

Amazon Echo software info

Open Source releases: Source Code Notice
MitM Echo Dot update process: Intercepting Firmware

Basic Android Info

It seems like the goal of most android tablet exploits is to “unlock” the bootloader, which means enabling the freeboot bootloader to flash overwrite partitions.

Its not enough to get write access though, you also need to bypass Android Verified Boot.

MediaTek Software stuff

MT6183 linux kernel branch mt8163-mainline
random copy of mediatek little kernel lk_mtk