Closed Billybangleballs closed 1 year ago
@Billybangleballs what is the first output from? Regarding the second part, the setup.sh file was not supposed to make it into this repository, it was for testing from a different version of the amonet exploit I based this on, you won't need it for EchoCLI.
@Dragon863 EchoCLI/internal/amonet/amonet.log
That just logs the output from amonet as the name implies, nothing important
I have just 'restored', and when the echo dot rebooted, it beeped and now has a flashing green ring. Is this important? Alexa talks to me when spoken to, but this pulsating green ring is quite new to me.
@viraniac It occurs to me that mtkclient might actually need PySide6 and shiboken6 to work correctly. I am working on the assumption that you know what you are doing, because I certainly don't have a clue, I'm just following instructions.
No it doesn't need any of them. What puzzles me is even though you don't get green light, you also don't boot of to blue light. Probably you can upload your lk somewhere and we can take a look
> I have just 'restored', and when the echo dot rebooted, it beeped and now has a flashing green ring. Is this important? Alexa talks to me when spoken to, but this pulsating green ring is quite new to me.

Never experienced that in my life, but then I keep most of the echo functions disabled. Here is the description for lights given by Amazon
@viraniac http://billybangleballs.raspberryip.com/bins.tgz
It was a notification about some random tip about setting a timer. (the green ring).
Well that upset fail2ban, I have unbanned the ip, but I've no idea why it banned you in the first place. Or whether it was you, or someone else watching that tried to access the bin files. Seems it was a watcher...
Trying to download the file, not able to access the shared URL. It just results in a connection timeout.
It seems a very popular file, it has been downloaded 3 times by 3 different IP addresses in the last 10 minutes. It also offends fail2ban for some reason, which immediately bans the requesting IP.
I haven't downloaded it myself, could it have been Github's servers scanning for malicious links maybe?
I am on a dynamic IP. My ISP has outgoing traffic exposed via a load balancer, so each request can go out with a different IP. I did try to fetch the file 3 times, so it's possible all 3 IPs were there because of me.
@Dragon863 Maybe, but I need to change it to a zip or something that fail2ban finds acceptable. @viraniac give me a minute or two while I unban these addresses and make a zip file...
It doesn't like zip either.
Tried twice. Still can't access the same. If you are whitelisting IPs one by one, try whitelisting the range or something.
I will try looking through the configuration files and see why it is being so tetchy.
I think it may work now.
```
--2023-08-20 22:18:26-- http://billybangleballs.raspberryip.com/bins.zip
Resolving billybangleballs.raspberryip.com (billybangleballs.raspberryip.com)... 83.151.233.57
Connecting to billybangleballs.raspberryip.com (billybangleballs.raspberryip.com)|83.151.233.57|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-08-20 22:18:27 ERROR 403: Forbidden.
```
At least it's not banning you now... it just doesn't like wget now
I tried accessing via both Chrome and wget, both didn't work.
try now
The thing is locked down tight, because the slightest crack lets in the most nefarious hackers known to man, (the usa), and the Chinese too if you're not careful.
worked from chrome
That was much harder than it should have been.
You seem to be on quite an older version. Something that was released between 2019 and 2021. I will suggest you try rooting after upgrading your software on echo dot. To upgrade, simply restore your device and then ask Alexa, "are there any updates?". Alexa will tell you that there is an update available and it will need some time to update and will ask whether you wish to proceed. Say yes and then in 5 to 10 minutes echo dot will get upgraded.
After that you can try to root again.
I followed the instructions in the readme and blacklisted the update servers ;) I will undo this action and allow the updates, but not today, I'm going for a nap now, because us old people need our rest. I will post my results here when I have done it.
So I unblacklisted the update servers and asked Alexa if there was an update. And there was an update and it was going to take 30 minutes if I agreed to update. I agreed and the echo dot proceeded to brick itself. I now have a permanent rotating blue ring and the echo dot is offline and nmap can no longer find it on the lan. I gave it 24 hours and there is no change. So is that it? or is there a way to unbrick it?
> So I unblacklisted the update servers and asked Alexa if there was an update. And there was an update and it was going to take 30 minutes if I agreed to update. I agreed and the echo dot proceeded to brick itself. I now have a permanent rotating blue ring and the echo dot is offline and nmap can no longer find it on the lan. I gave it 24 hours and there is no change. So is that it? or is there a way to unbrick it?

That's interesting.
You can try resetting your echo dot by pressing the Volume down and Microphone off buttons for 20 seconds. The light ring will go off and then on again. Echo dot will then enter setup mode. That's what is mentioned in Amazon's official guide at least.
Even if that doesn't work, it's an A/B system. So theoretically, you can just plug it to power, wait for it to boot, and if it's still stuck then unplug the power. After a couple of attempts, it should roll back to the previous version automatically.
That is exactly the issue I had when I updated my second echo to FireOS 5, it was unmodified and I asked it to update and it bricked itself with the spinning light. I guess it's an issue with updating from very old versions, and resetting it had no effect. Unplugging it a few times is good advice, I didn't think of trying that, but manually updating with an OTA and a modified amonet worked for me.
> manually updating with an OTA and a modified amonet worked for me.

I don't think Billy will be comfortable trying to do that unless you can give him explicit step by step instructions for the same. A similar thing will be flashing partitions using mtkclient, which will be much faster than doing it from amonet. Something like 3-4 minutes to flash the system partition instead of half a day with amonet. But again, he will need step by step instructions for that.
As he has mentioned he can't get to fastboot, we can also rule out erasing the userdata partition using fastboot.

> resetting it had no effect

Which option did you try to reset? Holding dot button, or holding volume down and mute button? Or did you try both options?
I tried holding volume down and mute button, and it said it was resetting but rebooted and during setup it tried to update and the same issue occurred. I still think it would be worth trying a reset, and I don't think (at least in my experience) using fastboot to erase userdata would work, I got some weird errors using fastboot to modify anything (Invalid sparse file format at header magic).
@viraniac The rolling back has failed miserably, the " volume down and mute button", just pauses the brickedness for a moment and then it returns to being broken. It's like the first thing the update did is overwrite the wifi details and assumed wrongly that there would be a dhcp server to help it out later. @Dragon863 Tell me more about this manual OTA and modified amonet of which you speak.
It isn't a very easy process, it involves downloading an OTA update from Amazon and extracting it, then modifying the main part of a tool called amonet to flash each partition individually from the extracted files. It also takes quite a long time, when I did it it took over 24 hours.
@Billybangleballs I just made my device go into the same state as yours to see if I can bring it back. So here is what you can do
1) Root your device using EchoCLI.
2) Use mtkclient to boot the device while keeping the dot button pressed to get into fastboot mode, i.e. green ring light. Don't let go of the dot button until the light becomes green, which should be something like 30 seconds. I know it didn't work for you before, but now that the device is updated, it will work.
3) Run the following command once the device is in fastboot mode. You will need android-tools installed on your system for this.

```
fastboot format userdata
```

4) You can also try using EchoCLI to set the fos_flags at this point.

Once that is complete, unplug the micro USB cable and plug it back in. Run the mtkclient again to boot the echo dot, no need to press the dot button this time. Your echo dot will boot into setup mode.
```
[16:07:21] INFO: Version: 1.0.0
1: Rooting or restore device
2: Setup recorder
3: Start or restart process
4: Setup home assistant indicator
5: Exit
Select an option: > 1
1: Root or restore
2: Calculate and set fos_flags
3: Exit
Select an option: > 1
[16:07:32] INFO: Please short the device as shown in the image at https://dragon863.github.io/blog/mainboard.jpg
[16:07:32] INFO: To open the device, you will need a torx 8 screwdriver.
[16:07:33] Waiting for bootrom
[16:08:28] Found port = /dev/ttyACM0
[16:08:28] Handshake
[16:08:28] Disable watchdog
[16:08:33] wrong handshake response, probably in preloader
[16:08:33] Waiting for bootrom
[16:09:13] Found port = /dev/ttyACM0
[16:09:13] Handshake
[16:09:13] Disable watchdog
[16:09:18] wrong handshake response, probably in preloader
[16:09:18] Waiting for bootrom
```
@viraniac I'm finding it difficult getting the correct handshake response, any suggestions?
Nothing other than run the script and then connect the echo dot while shorting the capacitor. If it's not detected, unplug it again and plug it back in while keeping the capacitor shorted. Just repeat until you succeed.
When the echo dot gets into the correct mode for EchoCLI to detect it, the light ring won't turn on. If your light ring is not turning on and still EchoCLI is not able to detect it, try running EchoCLI with sudo.
I got green light this time... What next?
```
[16:58:34] INFO: Version: 1.0.0
1: Rooting or restore device
2: Setup recorder
3: Start or restart process
4: Setup home assistant indicator
5: Exit
Select an option: > 1
1: Root or restore
2: Calculate and set fos_flags
3: Previous menu
Select an option: > 1
[16:58:41] INFO: Please short the device as shown in the image at https://dragon863.github.io/blog/mainboard.jpg
[16:58:41] INFO: To open the device, you will need a torx 8 screwdriver.
[16:58:41] Waiting for bootrom
[16:59:00] Found port = /dev/ttyACM0
[16:59:00] Handshake
[16:59:00] Disable watchdog
[16:59:00] handshake success!
* * * Remove the short and press Enter * * *
[16:59:05] Init crypto engine
[16:59:05] Disable caches
[16:59:05] Disable bootrom range checks
[16:59:05] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[16:59:05] Send payload
[16:59:12] Let's rock
[16:59:12] Wait for the payload to come online...
[16:59:12] all good
[16:59:12] Check GPT
Partitions:
{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), 'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), 'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), 'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), 'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), 'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}
Would you like to root your device, or restore it?
[root/restore] > root
[16:59:58] INFO: Fetching misc partition...
[16:59:58] SUCCESS: Dumped misc.bin from device.
[16:59:58] INFO: Detected that device is using slot A.
[16:59:58] INFO:
This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...
[17:00:06] INFO: Backing up preloader...
[17:00:38] SUCCESS: Dumped preloader.bin from device.
[17:00:38] INFO: Clearing preloader header
[8 / 8]
[17:00:38] INFO: 6.x preloader detected, applying unlock patch
[17:00:38] INFO: Downgrading rpmb header
[17:00:39] INFO: rpmb downgrade ok
[17:00:39] INFO: Backing up lk_a...
[17:01:43] SUCCESS: Dumped lk_a.bin from device.
[17:01:43] SUCCESS: Modified Little Kernel! Flashing back to device now.
[17:01:43] INFO: Data is 1048576 and maximum size is not defined
[2048 / 2048]
[17:02:32] SUCCESS: Done! To finalise the process, return to the previous menu and use fos_flags to gain root via ADB.
1: Root or restore
2: Calculate and set fos_flags
3: Previous menu
Select an option: > 2
[17:02:43] INFO: Please only use this option once you have run the rooting process. Press Ctrl+C if you wish to cancel
Do you want to use recommended options? (y/n) > y
[17:02:49] INFO: Setting fos_flags to 0xa3 using fastboot...
[17:02:49] INFO: Please replug your device now and run the mtkclient command in the README in another terminal whilst holding the uber (dot) button. When you see a green LED ring, press enter to continue...
[Waiting for enter press...] >
(bootloader) fos_flags set to a3
OKAY [ 0.012s]
Finished. Total time: 0.013s
[17:07:21] SUCCESS: Successfully set fos_flags, your device is now rooted! Your echo will shut down, and you will be able to boot it using the mtkclient command in the README
Rebooting OKAY [ 0.002s]
Finished. Total time: 0.253s
1: Rooting or restore device
2: Setup recorder
3: Start or restart process
4: Setup home assistant indicator
5: Exit
Select an option: >
```
Now you are rooted. It's up to you what you want to do with it.
You can open a root shell from a computer that your echo dot is connected to by running `adb shell`. What you do in there is up to you. You can also install custom ROMs to it, if someone ever decides to build one. Nothing exists at this point. So if you want to be the first person, go ahead and develop a custom ROM for echo dot.
From now on until you restore your device, your echo dot will only boot using mtkclient. So it will always have to be plugged into a computer until you restore it.
Also now you have successfully rooted your device. As you had complaints about the documentation, go ahead and modify the readme and raise a PR to make others' lives easier.
Don't abandon me now, I'm so close...
```
adb shell
* daemon not running; starting now at tcp:5037
* daemon started successfully
error: no devices/emulators found
```
> Don't abandon me now, I'm so close...
> adb shell * daemon not running; starting now at tcp:5037 * daemon started successfully error: no devices/emulators found

Do any devices show up on `lsusb`?
Bus 001 Device 090: ID 0e8d:0003 MediaTek Inc. MT6227 phone
Is your echo dot booted? I mean, after you set fos_flags, you unplugged it, plugged it back again, used mtkclient to boot it without pressing the dot button. So it would have shown you some spinning blue lights. Only after that can you use adb.

> Bus 001 Device 090: ID 0e8d:0003 MediaTek Inc. MT6227 phone

As I thought, it's not booted. Use mtkclient to continue booting the device.
I followed the instructions, after I got the green light, I re-ran the `mtk plstage --preloader=preloader_no_hdr.bin` and there was some blue lights, but I didn't know what to do after that because the readme ended
```
Bus 001 Device 097: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo / FP1
```
and green ring now, but
```
adb shell
error: no devices/emulators found
```
> there was some blue lights,

Yeah, so that was your device booting. If you unplugged the device after that, you have to re-run the mtk command to boot the device. Once it's booted, i.e. the blue light goes away, you can run `adb shell` to connect to it.

> and green ring now, but

That's fastboot mode. It happens if you keep the dot button pressed when running the mtk command. You don't need to press the dot button unless you want to boot into fastboot. Just unplug the device, plug it back in and run the mtk command. Don't press the dot button.
If I do it with uber button pressed, I get green ring, and without pressing button I get a short sequence of blue rings. adb shell doesn't do anything either way.
> I get a short sequence of blue rings. adb shell doesn't do anything either way.

What's the output of `adb devices` and `lsusb` after those short sequence of blue rings?
python3 main.py
My original problem was the usb lead, it seems to be a 'charge only' type lead. ;)
I replugged the device with my finger on the uber (dot) button, but a green light never appeared. I tried this twice, but still didn't manage a light of any colour...
Bedtime now anyway, will try and find time next week to continue.
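
The two USB IDs quoted in this thread correspond to two different device states, and `adb shell` works in neither. The script below is an added example, not part of the thread or of EchoCLI, that classifies `lsusb` output into those states; the function names and state labels are chosen for this example, and only the two IDs seen above are recognised.

```shell
#!/bin/sh
# Added example: tell which state the Echo Dot is in from `lsusb` output.
# The two USB IDs are the ones quoted in this thread; the function names and
# state labels (fastboot / mediatek / none) are chosen for this example.

# Reads lsusb output on stdin and prints fastboot, mediatek or none.
echo_usb_state() {
    found=none
    while IFS= read -r line || [ -n "$line" ]; do
        # Pull "vvvv:pppp" out of "Bus 001 Device 090: ID 0e8d:0003 ..."
        id=$(printf '%s\n' "$line" |
            sed -n 's/.* ID \([0-9a-fA-F]\{4\}:[0-9a-fA-F]\{4\}\).*/\1/p' |
            tr 'A-F' 'a-f')
        if [ "$id" = "0bb4:0c01" ]; then
            found=fastboot            # reported with the green ring
        elif [ "$id" = "0e8d:0003" ] && [ "$found" = none ]; then
            found=mediatek            # reported when the device was not booted
        fi
    done
    printf '%s\n' "$found"
}

# Maps a state to the next step suggested in the thread for it.
echo_next_step() {
    case "$1" in
        fastboot) echo "fastboot mode: fastboot commands work, adb shell will not" ;;
        mediatek) echo "not booted: run the mtk command without the dot button, then adb shell" ;;
        none)     echo "no Echo Dot ID seen: replug, and rule out a charge-only lead" ;;
        *)        echo "unknown state: $1" >&2; return 1 ;;
    esac
}

# Constructed sample: the MediaTek line is quoted from the thread, the hub line is made up.
SAMPLE='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 090: ID 0e8d:0003 MediaTek Inc. MT6227 phone'
state=$(printf '%s\n' "$SAMPLE" | echo_usb_state)
echo "$state -> $(echo_next_step "$state")"
# On a live system: lsusb | echo_usb_state
```
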