Dragon863 / EchoCLI

A python command line tool for rooting your Amazon Echo dot 2nd generation
101 stars 13 forks

Rooting of the Amazon Gen 3 #15

Open phodina opened 1 year ago

phodina commented 1 year ago

Hi,

could you recommend a way to root the Amazon Gen 3? It has a hidden USB on the board.

I'm waiting for a PCB to arrive though atm I have a working cable soldered to the board and can access the fastboot.

https://gitlab.com/phodina/echo-debug-gen3

Dragon863 commented 1 year ago

Hi! As far as I'm aware, the 3rd gen uses a MT8516 SoC instead of the MT8163 that the second gen has. To root it in the same way you would use the following process:

  1. Dump the internal flash, using either a modified amonet or by soldering to the board
  2. Patch the preloader to allow booting an unsigned lk
  3. Patch the lk to make the device appear to be unlocked
  4. Flash the modified files back to the device
  5. Use mtkclient to pass the modified preloader each boot

I don't have a 3rd gen echo so unfortunately I cannot test anything for you, but if you can get mtkclient to work on it (pass the preloader with the --preloader and then the path to your dumped preloader) then it shouldn't be too difficult.
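The dump from step 1 is what every later step patches and flashes back, and the "Check GPT" / "read fail" errors further down this thread show that a read can silently go wrong. As an added example (mine, not code from EchoCLI, amonet or mtkclient), this parses and CRC-verifies the primary GPT at LBA 1 of a raw eMMC dump, so a truncated or corrupted read is rejected before anything is patched. The sample image and its partition names are constructed for illustration and are not a real Echo layout.

```python
import struct
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"

def parse_gpt(image: bytes):
    """Parse the primary GPT at LBA 1 of a raw dump; return [(name, first_lba, last_lba)].
    Raises ValueError when the signature or either CRC32 is wrong, which is what a
    truncated, misaligned or partly corrupted read looks like."""
    hdr = image[SECTOR:SECTOR + 92]
    if len(hdr) < 92 or hdr[:8] != GPT_SIG:
        raise ValueError("no GPT signature at LBA 1")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    # The header CRC is computed over the header with its own CRC field zeroed.
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, n_entries, entry_size, entries_crc = struct.unpack_from("<QIII", hdr, 72)
    start = entries_lba * SECTOR
    table = image[start:start + n_entries * entry_size]
    if len(table) != n_entries * entry_size:
        raise ValueError("partition entry array runs past the end of the dump")
    if zlib.crc32(table) != entries_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = table[i * entry_size:(i + 1) * entry_size]
        if e[:16] == b"\0" * 16:  # all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", e, 32)
        parts.append((e[56:128].decode("utf-16-le").rstrip("\0"), first, last))
    return parts

def build_sample_dump(parts):
    """Constructed test image (not a real Echo dump): LBA0 blank, GPT header at LBA1,
    128 entries of 128 bytes from LBA2. Partition names are illustrative only."""
    entries = b""
    for i, (name, first, last) in enumerate(parts):
        entries += (b"\x11" * 16 + bytes([i + 1]) * 16  # dummy type / unique GUIDs
                    + struct.pack("<QQQ", first, last, 0)
                    + name.encode("utf-16-le").ljust(72, b"\0"))
    entries = entries.ljust(128 * 128, b"\0")
    hdr = bytearray(GPT_SIG + struct.pack("<IIII", 0x10000, 92, 0, 0)
                    + struct.pack("<QQQQ", 1, 33, 34, 100000) + b"\x22" * 16
                    + struct.pack("<QIII", 2, 128, 128, zlib.crc32(entries)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))  # CRC field is still zero here
    return b"\0" * SECTOR + bytes(hdr).ljust(SECTOR, b"\0") + entries
```

On a real dump, call parse_gpt(open("dump.bin", "rb").read()) and only proceed to patching if it returns without raising.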

phodina commented 1 year ago

Okay, thanks @Dragon863 . I'll try to get it working!

Dragon863 commented 1 year ago

No problem! I'll leave the issue open for few weeks in case you make progress so that others can benefit, we could potentially integrate it into this tool if you do get it working. Good luck!

phodina commented 1 year ago

I assume I also need to short-circuit the eMMC data pin to ground to trigger the bootrom, right? Based on the debug messages I get:

# ./bootrom-step.sh 
Init bootrom...
Please short the emmc as instructed in the article or readme.
[2023-08-28 21:04:50.758922] Waiting for bootrom
[2023-08-28 21:04:58.316020] Found port = /dev/ttyACM0
[2023-08-28 21:04:58.354981] Handshake
[2023-08-28 21:04:58.376507] Disable watchdog
[2023-08-28 21:05:03.382413] wrong handshake response, probably in preloader
[2023-08-28 21:05:03.384059] Waiting for bootrom

# ./mtk printgpt
MTK Flash/Exploit Client V1.6.2 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

...........
Port - Device detected :)
Preloader -     CPU:            MT8167/MT8516/MT8362()
Preloader -     HW version:     0x0
Preloader -     WDT:            0x10007000
Preloader -     Uart:           0x11005000
Preloader -     Brom payload addr:  0x100a00
Preloader -     DA payload addr:    0x201000
Preloader -     CQ_DMA addr:        0x10212c00
Preloader -     Var1:           0xcc
Preloader - Disabling Watchdog...

Dragon863 commented 1 year ago

Yes, at least on the 2nd gen that forces it into bootrom mode

phodina commented 1 year ago

Here's the disassembled base board with the RF cage removed.

In the center there's the MT8516 SoC. On the left there's probably DDR memory from the manufacturer Nanya and on the right there's probably eMMC memory.

I'll try to probe the pins of the exposed components around the chip.


VictorBarros28 commented 1 year ago

I assume I also need to short-circuit the eMMC data pin to ground to trigger the bootrom, right? Based on the debug messages I get:

Hi, @Dragon863, first of all, thanks for the solution! I'm new to this type of mod and I have a lot of questions, would you mind helping me out?

I get the same "wrong handshake response, probably in preloader" after "Disable Watchdog" message (using echo dot 2nd Gen). I didn't shorten any part of the circuit, is that why I get the error message? If so, would you mind pointing out which elements should be shortened? I believe 'https://dragon863.github.io/blog/mainboard.jpg' refers to a Fire TV instead of an echo dot 2. Thanks!!

Dragon863 commented 1 year ago

@VictorBarros28 That error is what you can expect if you don't short the board, as it won't boot into the mode that this tool requires. The picture linked is from the main board of the echo; to get to it you will need to pry off the metal cap on the main PCB using a flathead screwdriver. If you get a small piece of aluminium foil and put it in the area surrounded by the red box in the image before plugging in the echo, it will put it in the appropriate mode. It might take a few tries, but if it doesn't work at first just adjust the foil and replug the echo.

VictorBarros28 commented 1 year ago

@VictorBarros28 That error is what you can expect if you don't short the board, as it won't boot into the mode that this tool requires. The picture linked is from the main board of the echo; to get to it you will need to pry off the metal cap on the main PCB using a flathead screwdriver. If you get a small piece of aluminium foil and put it in the area surrounded by the red box in the image before plugging in the echo, it will put it in the appropriate mode. It might take a few tries, but if it doesn't work at first just adjust the foil and replug the echo.

Worked, thanks a lot! But now, after this, I'm getting:

[15:01:05] Init crypto engine
[15:01:05] Disable caches
[15:01:05] Disable bootrom range checks
[15:01:05] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[15:01:05] Send payload
[15:01:05] Let's rock
[15:01:05] Wait for the payload to come online...
[15:01:06] all good
[15:01:06] Check GPT
Traceback (most recent call last):
  File "", line 198, in _run_module_as_main
  File "", line 88, in _run_code
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet\__main__.py", line 3, in
    amonet.main()
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet\__init__.py", line 219, in main
    switch_user(dev)
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet\__init__.py", line 131, in switch_user
    block = dev.emmc_read(0)
            ^^^^^^^^^^^^^^^^
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet\common.py", line 180, in emmc_read
    raise RuntimeError("read fail")
RuntimeError: read fail

Dragon863 commented 1 year ago

@VictorBarros28 I also encountered that when testing, again retrying a few times usually sorts it. Would you please open a separate issue if that doesn't sort it to keep this one on topic and so I can assist you further? Thanks

VictorBarros28 commented 1 year ago

@VictorBarros28 I also encountered that when testing, again retrying a few times usually sorts it. Would you please open a separate issue if that doesn't sort it to keep this one on topic and so I can assist you further? Thanks

Of course! Ty

gptlang commented 1 year ago

@phodina

Were you able to get a root & does it require disassembling it?

need to short circuit the eMMC data pin

gptlang commented 1 year ago

I just realized that I have an Echo Pop rather than Dot. Is there a way to root that?

janstadt commented 9 months ago

Would be great if this was expanded to the echo flex devices. Any ideas if that's possible?

Dragon863 commented 9 months ago

Would be great if this was expanded to the echo flex devices. Any ideas if that's possible?

According to this article it uses a different CPU from the dot gen2, but it looks like it runs the same / similar software and in theory it may be possible. You'd have to be VERY careful shorting anything though, given that its PSU is operating from mains, so I'd advise against trying unless you know exactly what you're doing. I personally don't own one so I wouldn't be able to test anything.

KowalskiStan commented 7 months ago

@VictorBarros28 That error is what you can expect if you don't short the board, as it won't boot into the mode that this tool requires. The picture linked is from the main board of the echo; to get to it you will need to pry off the metal cap on the main PCB using a flathead screwdriver. If you get a small piece of aluminium foil and put it in the area surrounded by the red box in the image before plugging in the echo, it will put it in the appropriate mode. It might take a few tries, but if it doesn't work at first just adjust the foil and replug the echo.

Worked, thanks a lot! But now, after this, I'm getting:

[15:01:05] Init crypto engine
[15:01:05] Disable caches
[15:01:05] Disable bootrom range checks
[15:01:05] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[15:01:05] Send payload
[15:01:05] Let's rock
[15:01:05] Wait for the payload to come online...
[15:01:06] all good
[15:01:06] Check GPT
Traceback (most recent call last):
  File "", line 198, in _run_module_as_main
  File "", line 88, in _run_code
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet\__main__.py", line 3, in
    amonet.main()
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet\__init__.py", line 219, in main
    switch_user(dev)
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet\__init__.py", line 131, in switch_user
    block = dev.emmc_read(0)
            ^^^^^^^^^^^^^^^^
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet\common.py", line 180, in emmc_read
    raise RuntimeError("read fail")
RuntimeError: read fail

I am getting the same thing, @Dragon863. Did you fix it, @VictorBarros28?