So far, we have discussed background on the Echo Dot V2, and why I am interested in reusing the hardware. We have also reused the amonet exploit to dump the eMMC of the Dot.
As a next step, before we dive into the existing bootloader process, it would be useful to see a dump of the boot logs of the Echo Dot.
With many embedded Linux systems, including Android devices, a UART is included to provide low-level debug information about the boot process.
The first step in our process of hacking the Echo Dot is getting a dump of the eMMC, so that we can see if we can exploit the boot chain.
We have specifically chosen the Amazon Echo Dot V2 in order to aid this process. First of all, this is the last version of the Echo Dot that has a real USB port integrated in the base device. Later versions of the Echo Dot use the micro-USB port for power only, and have a proprietary footprint for the debug USB connector.
The Echo Dot V2 is an interesting smart speaker, because while it uses a very common tablet SoC, there has been very little work published about trying to root the device.
In the Echo Dot configuration, we have 512 megabytes of RAM and 4 gigabytes of eMMC, so there is plenty of space to do interesting things. The prices have also gotten quite cheap, since the devices are getting long in the tooth, and it is easy to find sellers willing to part with them for almost nothing.
Useful information for reverse engineering the Echo Dot. This is a constantly edited page that will get more information as it is added.
The focus is on the V2, since it is new enough to be pretty powerful but old enough to have exploits, and old enough that it does not use a custom SoC but the same SoC as the Kindle Fire HD 8.
Hardware info
Teardown of Echo Dot V2: Teardown Tuesday: Amazon Echo Dot v2