Dragon863 / EchoCLI

A python command line tool for rooting your Amazon Echo dot 2nd generation

Need some help with 'new in box' Echo Dot v2 #16

Closed andrewlow closed 1 year ago

andrewlow commented 1 year ago

First let me say Thank You for all the work you've put into this project. It's already given me quite a bit of entertainment.

I managed to grab some new in box Echo Dot v2's - and I'm trying to root them using your tooling here.

I'll try to summarize what has worked, and what hasn't.

When I use fastboot getvar all, I see that the device is reported as "BISCUIT" - which leads me to assume that this is a 5.x firmware.

Reviewing the logs from echocli root process I see this.

[23:54:54] INFO: Detected that device is using slot A.
[23:54:54] INFO: 
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...

[23:55:57] INFO: Backing up preloader...
[23:56:20] SUCCESS: Dumped preloader.bin from device.
[23:56:20] INFO: Clearing preloader header
[8 / 8]
[23:56:20] INFO: 6.x preloader detected, applying unlock patch
[23:56:20] INFO: Downgrading rpmb header

The fastboot information and the new in box state of these devices makes me think I'm dealing with a 5.x firmware. However, it seems like maybe the scripting is incorrectly detecting a 6.x version? And even if we were to hack this to force 5.x - it's possible that what I've got here is a 5.x preloader that hasn't been seen before.

https://github.com/Dragon863/EchoCLI/blob/main/internal/amonet/amonet/__init__.py#L183

andrewlow commented 1 year ago

I have read through https://github.com/Dragon863/EchoCLI/issues/3#issuecomment-1666910644 quite a bit - it feels like I'm in a similar situation. Unfortunately the Google Drive preloader is no longer available.

I've also explored the debrick path a little - and it seems the OTA firmware does have a preloader (but with a header?) so it may be possible to re-create the hacked 6.5.6.0 from an OTA firmware.. getting me into the right state.

Heck - I'd be happy to leverage the debrick process to force my device into the most recent firmware supported by echocli -- but what I'd rather avoid is doing anything with the Amazon OTA update process. (but it may come to that if there isn't an easy enough way to unlock whatever version of the firmware I've got).

andrewlow commented 1 year ago

This might need to be a different issue.. but the debrick process feels a bit confusing in the last few steps for me.

With my possibly 'badly patched' echo -- where I've run the root / fio_flag steps.. when I plug it in.. it just sits there 'dead' with no lights. I see /dev/ttyACM0 appear.. and that will hang out for a while like that - until I suspect a watchdog timer goes off and it reboots as /dev/ttyACM0 goes away.. and comes back.

Thus step 6 (blue lights) never happens for me as described:

6. Plug in your echo. It will boot into "bootrom" mode after the blue lights have stopped, you will know this because the lights will turn off and it will show as 0e8d:0003 MediaTek Inc. MT6227 phone in lsusb

but.. let's ignore that and look at step 7

7. Run sudo mtk wl . --preloader [path to mtkclient]/Loader/Preloader/preloader_biscuit.bin

The --preloader feels like a filesystem path - but I don't have any files like that.. where or what step is supposed to create those?

Dragon863 commented 1 year ago

Hi! Yes, it is entirely possible that it is being detected incorrectly, and I think pretty much all of these echos were shipped with 5.x firmware. I don't have access to a FireOS 5 device so unfortunately I can't test anything with older firmware versions. From what I have understood from others, using this on older versions usually leads to the preloader not functioning correctly (what you described with no lights), so updating them to FireOS 6 first would be a good idea, and using 6.5.6.0 is a good option like you mentioned. You can do it with an OTA like in the debricking guide and it shouldn't cause any issues, but again I cannot test this so there would be some element of risk involved (updating from Amazon is much safer, but I can completely understand you not wanting to). I'd also recommend erasing the userdata partition after doing this if anything acts weirdly. It is normal to have a header on the OTA; we simply clear it so the echo is in a temporarily bricked state from which we can boot it. Regarding your comments on the debricking guide, the path is referencing where the mtkclient repository has been cloned to on your disk. I'll add that as a step in the guide to clarify for future users.

andrewlow commented 1 year ago

@Dragon863 thanks for being awesome.

When you say the mtkclient - sure that's a clone of this repo https://github.com/bkerler/mtkclient

🤦 -- oh.. and you mean here https://github.com/bkerler/mtkclient/tree/main/mtkclient/Loader/Preloader (but on my disk)

I'm going to try to debrick/upgrade my device.. I wonder how bad that will be..

Dragon863 commented 1 year ago

Let me know how it goes! I have flashed my echo several times and haven't run into any major issues so you should be fine, but as I said before, wiping userdata can remove any weird problems from stuff not being migrated.

andrewlow commented 1 year ago

I can't seem to get mtk to detect my device.

If I plug it in and then run the mtk command - it tells me to unplug the device and run the mtk command first.

If I run the mtk command first - it just loops trying to detect the device.

I do see /dev/ttyACM0 appear when the device is connected, but still mtk just loops.. I gotta do other stuff but I'll come back to this later.

Dragon863 commented 1 year ago

Sorry, just realised you will also have to flash the new preloader. When you get the time, see if the following helps:

  1. Find the backup folder from EchoCLI and move your backed up preloader and lk to a different location (essentially making a backup of the backup) and delete them from the original folder.
  2. Place the preloader from the OTA in the EchoCLI backup directory and make sure it is named preloader.bin.
  3. Run the restore option on EchoCLI, and the updated preloader should be flashed. Now try the mtkclient command after replugging it.

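The three steps above, as an added shell helper that is not part of EchoCLI: it moves the original dump out of the backup folder only after verifying the safe copy, refuses to clobber an earlier safe copy (the one thing that would leave you with no original preloader at all), and then stages the OTA preloader as preloader.bin. The lk file name lk.bin and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not EchoCLI's own code. Assumes the EchoCLI backup folder holds
# preloader.bin and lk.bin (lk.bin is an assumed name); paths below are placeholders.
set -eu

# stage_ota_preloader BACKUP_DIR SAFE_DIR OTA_PRELOADER
#   1. copy preloader.bin and lk.bin from BACKUP_DIR to SAFE_DIR (never overwrite)
#   2. delete them from BACKUP_DIR once the copies are verified byte-for-byte
#   3. place OTA_PRELOADER in BACKUP_DIR as preloader.bin and verify it
stage_ota_preloader() {
    backup_dir=$1; safe_dir=$2; ota=$3

    [ -s "$ota" ] || { echo "OTA preloader missing or empty: $ota" >&2; return 1; }
    [ -s "$backup_dir/preloader.bin" ] || { echo "no preloader.bin in $backup_dir" >&2; return 1; }

    mkdir -p "$safe_dir"
    for f in preloader.bin lk.bin; do
        [ -e "$backup_dir/$f" ] || continue
        # an existing safe copy may be the only original dump left: refuse to overwrite it
        if [ -e "$safe_dir/$f" ]; then
            echo "refusing to overwrite existing $safe_dir/$f" >&2; return 1
        fi
        cp "$backup_dir/$f" "$safe_dir/$f"
        # delete the original only after confirming the copy is identical
        cmp -s "$backup_dir/$f" "$safe_dir/$f" || { echo "copy of $f differs" >&2; return 1; }
        rm "$backup_dir/$f"
    done

    cp "$ota" "$backup_dir/preloader.bin"
    cmp -s "$ota" "$backup_dir/preloader.bin" || { echo "staged preloader differs from OTA file" >&2; return 1; }
    echo "staged $(wc -c < "$ota") byte OTA preloader as preloader.bin; originals kept in $safe_dir"
}

# Usage (placeholder paths); run EchoCLI's restore option afterwards:
# stage_ota_preloader ~/EchoCLI/backup ~/echo_backup_safe ./ota_preloader.bin
```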
andrewlow commented 1 year ago

Hmm.. ok - well I didn't see this until now (got busy) - anyways, I sort of took a different approach.

The latest OTA firmware appears to be still compatible with the hacks here - so that's what I did. I held my breath and signed the device up for Amazon control. Yuck.

The device showed a build number 571207720.

I hit mute, and let it sit for a while. Less than 30mins later.. I had a newly updated Echo. Build number 8087722373

Then it was just a matter of running the normal root process you've made easy.

A few differences for me in terms of following the directions.

Thanks for all the support.