Echo Project
Tags: echo, amazon, reverse-engineering
Useful information for reverse engineering the Echo Dot. This page is edited constantly and will gain more information as it is added.
The focus is on the V2: it is new enough to be pretty powerful but old enough to have exploits, and it is old enough that it does not use a custom SoC but the same SoC as the Kindle Fire HD 8.
Teardown of Echo Dot V2: Teardown Tuesday: Amazon Echo Dot v2
Another teardown with a little more info: EDN Asia
| Chip markings | Function |
|---|---|
| ADC 3101 TI 681 AE4X | Microphone ADC |
| R3019 3236 | Microcontroller on mic board |
| DAC 32031 TI 68k CQ61 | Output DAC |
| MEDIATEK MT6625LN 1628-AJC8L BAP0M972 ATG14T11 | 4-in-1 wireless chip |
| MEDIATEK MT6323LGA 1629-AGAH CTG14U07 | PMIC |
| MEDIATEK ARM MT8163V 1636-KBCAH CCMKYRHS | SoC |
| MICRON 6PA98 JWB30 | Combo 4Gb LPDDR3 and 4GB eMMC MLC memory |
MediaTek software info
Old info on how MediaTek SoCs boot up:
- MediaTek details: SoC startup
- MediaTek details: Little Kernel
- MediaTek details: Partitions and Preloader
- Explaining BROM protection
Pre-packaged exploits for MediaTek SoCs: MTK-bypass
MTK utility for doing lots of stuff: MTKClient
Adapting a bootrom exploit for a new MediaTek SoC: Dissecting a MediaTek BootROM exploit
Glitching the MT8163: There's a hole in your SoC
Hardware root via shorting eMMC during boot: Fire HD 8 (2018 ONLY) unbrick, downgrade, unlock & root
Amonet, the root exploit referred to above: amonet
Explanation of Little Kernel bootloader exploits: Exploiting Samsung Galaxy S4 Secure Boot
Amazon Echo software info
Basic Android Info
It seems like the goal of most Android tablet exploits is to “unlock” the bootloader, which means enabling the fastboot bootloader to flash (overwrite) partitions.
It's not enough to get write access, though; you also need to bypass Android Verified Boot.