Dragon863 / EchoCLI

A python command line tool for rooting your Amazon Echo dot 2nd generation
93 stars, 12 forks

Stuck on "Disable watchdog" #23

Closed. Binozo closed this issue 3 weeks ago.

Binozo commented 1 month ago

Hey there 🙋

Some months ago I used this project to successfully root my Echos and played with them a bit. I even made a framework in Go; you can take a look at EchoGoSDK if you're interested.

Now I've found time to work on it again, but I get greeted with the following message 😕

pi@raspberrypi:~/new/mtkclient $ sudo python3 mtk.py plstage --preloader=../preloader_no_hdr.bin
MTK Flash/Exploit Client Public V2.0.1 (c) B.Kerler 2018-2024

ArgHandler - O:Var1:            0x0
Preloader - Status: Waiting for PreLoader VCOM, please reconnect mobile to brom mode

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.

........Port - Device detected :)
Preloader -     CPU:                    MT8163()
Preloader -     HW version:             0x0
Preloader -     WDT:                    0x10007000
Preloader -     Uart:                   0x11002000
Preloader -     Brom payload addr:      0x100a00
Preloader -     DA payload addr:        0x201000
Preloader -     CQ_DMA addr:            0x10212c00
Preloader -     Var1:                   0xb1
Preloader - Disabling Watchdog...

It stays forever at Preloader - Disabling Watchdog....

I am confused and not sure what to do; it already worked that way in the past 🫠

Any tips?

Dragon863 commented 1 month ago

Wow, that framework is really cool! That error isn't normal, but I suspect it's related to issue #22, possibly a preloader update. I suspect that downgrading the preloader may help resolve this, but I can't currently test it, so there's no guarantee it would even boot with an older one.

ESurge commented 1 month ago

Are you using an external method to short the VCC to get into bootrom? I have soldered an enameled wire with a DuPont connector that I have sticking out of the Echo for temporary testing in order to make it easier to get into bootrom without having to deal with an open Echo.

I'm also using an OTG cable, and I was getting this error when using the ground from the cable going into the Echo. However, switching to the ground from the power-source cable helped get things working as usual (except for the issue I'm having regarding debrick).

Binozo commented 1 month ago

Thanks for the quick replies, I will try downgrading the preloader.

I will notify you about my progress 🤙

Binozo commented 1 month ago

Are you using an external method to short the VCC to get into bootrom? I have soldered an enameled wire with a DuPont connector that I have sticking out of the Echo for temporary testing in order to make it easier to get into bootrom without having to deal with an open Echo.

I'm also using an OTG cable, and I was getting this error when using the ground from the cable going into the Echo. However, switching to the ground from the power-source cable helped get things working as usual (except for the issue I'm having regarding debrick).

No, I am not into hardware hacking, so this method is way too difficult for me; I just shorted it like in the image given in the command.

Binozo commented 1 month ago

I am currently working my way through, but sadly I lost my backup/preloader.bin.

1: Root or restore
2: Calculate and set fos_flags
3: Previous menu

Select an option: > 1
[20:53:01] INFO: Please short the device as shown in the image at https://danieldb.uk/posts/alexa-1/mainboard.jpg
[20:53:01] INFO: To open the device, you will need a torx 8 screwdriver.
[20:53:01] Waiting for bootrom
[20:53:23] Found port = /dev/ttyACM0
[20:53:23] Handshake
[20:53:23] Disable watchdog
[20:53:28] wrong handshake response, probably in preloader
[20:53:28] Waiting for bootrom
[20:53:39] Found port = /dev/ttyACM0
[20:53:39] Handshake
[20:53:39] Disable watchdog
[20:53:39] handshake success!

* * * Remove the short and press Enter * * *

[20:53:44] Init crypto engine
[20:53:44] Disable caches
[20:53:44] Disable bootrom range checks
[20:53:44] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[20:53:44] Send payload
[20:53:45] Let's rock
[20:53:45] Wait for the payload to come online...
[20:53:46] all good
[20:53:46] Check GPT
Partitions:
{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), 'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), 'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), 'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), 'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), 'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}

Would you like to root your device, or restore it?
[root/restore] > restore
[20:53:56] INFO: Fetching misc partition...
[20:53:56] SUCCESS: Dumped misc.bin from device.
[20:53:56] INFO: Detected that device is using slot B.
[20:53:56] INFO: Restoring preloader...
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/home/pi/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
amonet.main()
File "/home/pi/EchoCLI/internal/amonet/amonet/__init__.py", line 249, in main
flash_binary(dev, "backup/preloader.bin", 0)
File "/home/pi/EchoCLI/internal/amonet/amonet/__init__.py", line 110, in flash_binary
with open(path, "rb") as fin:
^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: 'backup/preloader.bin'

1: Root or restore
2: Calculate and set fos_flags
3: Previous menu

Select an option: >

I completely wiped my disk some months ago and lost my backup/preloader.bin :,( because I didn't even know that file existed.

Can anyone please provide me with a valid backup file so I can restore?

Dragon863 commented 1 month ago

Do you know what version you were on? There is an XDA thread with a lot of OTA links, some of which provide a preloader that should help you.

Binozo commented 1 month ago

It may be ro.build.version.name=Fire OS 6.5.5.5 (NS6555/4313), but I'm not 100% sure.

I got that information from the first Alexa I rooted. I reset and rooted them all at once, so it should be the same version.

Dragon863 commented 1 month ago

https://d1s31zyz7dcc2d.cloudfront.net/4c4fd21537a97548236e9a88cd835030/update-kindle-biscuit_puffin-NS6555_user_4310M_0008087721594.bin is the 6.5.5.5 OTA. If that doesn't work, there's a whole thread over at https://xdaforums.com/t/echo-dot-2nd-gen-ota-urls.4547353/ compiled by j10hx40r.

Binozo commented 1 month ago

Yesss, thanks, getting one step further 👍

Currently restoring the preloader.

Binozo commented 1 month ago

I discovered something interesting:

While trying to restore:

[root/restore] > restore
[21:42:26] INFO: Fetching misc partition...
[21:42:26] SUCCESS: Dumped misc.bin from device.
[21:42:26] INFO: Detected that device is using slot A.
[21:42:26] INFO: Restoring preloader...
[21:42:29] INFO: Data is 112601088 and maximum size is not defined
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
device failure]
[8234 / 219924]

It goes up to about [8100 / 219924] and then it suddenly stops, printing "device failure]", waits about 2 seconds, then adds 2 to the progress, and it is currently repeating this. Every 2 seconds it adds 2 to the progress.

Confirmed on two Echos, currently running.

Calculated how long this would take: about 58 hours 🤠

Dragon863 commented 1 month ago

112601088 seems massive for the preloader! You did extract the preloader from the OTA, right? Flashing the whole .bin would probably have some nasty consequences; I should've specified, and I'm sorry about that. If you didn't extract it, there may still be hope for the Echos if you can get a dump of the BOOT0 partition from someone else's working Echo and then rewrite the serial number from a root shell.

Binozo commented 1 month ago

Oh 🥲

Yeah, no worries, I have 4 rooted Echos (but they don't start) on my desk; it's OK if one dies 😅

Yes, I didn't extract it. Do I have to flash the images/preloader.img file?

Dragon863 commented 1 month ago

That's the one! The issue now is that the file you flashed will have overwritten some stuff in the BOOT0 partition, which contains firmware and the serial number, meaning on any Echo where it got modified you may experience weirdness that can't easily be explained; in my case corrupted BOOT0 prevented WiFi or Amazon registration from working.

Binozo commented 1 month ago

OK, I understand. How should I proceed with dumping a valid BOOT0 on my corrupted Alexa? Can you give me hints or directions?

Edit: Yee, it doesn't boot anymore 😔

[22:28:51] INFO: Please short the device as shown in the image at https://danieldb.uk/posts/alexa-1/mainboard.jpg
[22:28:51] INFO: To open the device, you will need a torx 8 screwdriver.
[22:28:51] Waiting for bootrom
[22:29:04] Found port = /dev/ttyACM0
[22:29:04] Handshake
[22:29:04] Disable watchdog
[22:29:04] handshake success!

 * * * Remove the short and press Enter * * * 

[22:29:07] Init crypto engine
[22:29:07] Disable caches
[22:29:07] Disable bootrom range checks
[22:29:07] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[22:29:07] Send payload
[22:29:10] Let's rock
[22:29:10] Wait for the payload to come online...
[22:29:10] all good
[22:29:10] Check GPT
Partitions:
{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), 'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), 'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), 'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), 'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), 'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}

Would you like to root your device, or restore it?
[root/restore] > restore
[22:29:14] INFO: Fetching misc partition...
[22:29:14] SUCCESS: Dumped misc.bin from device.
[22:29:14] INFO: Detected that device is using slot A.
[22:29:15] WARN: BOOT0 partition may be corrupt
[22:29:15] INFO: Restoring preloader...
[22:29:15] INFO: Data is 1048576 and maximum size is not defined
[2048 / 2048]
[22:30:00] INFO: Downgrading rpmb header
[22:30:01] INFO: rpmb downgrade ok
[22:30:01] SUCCESS: Restored device! If you experience any problems, please contact me.

Dragon863 commented 1 month ago

Sorry to hear it won't boot at all. You can modify the amonet source within this repo to call the read_boot0() function, which will give you a .bin.

Binozo commented 1 month ago

Thanks, how should I flash this?

Should I concatenate the boot0.bin with the preloader.bin? Something like flash(boot0.bin + preloader.bin)?

Dragon863 commented 1 month ago

Firstly, I'd just check with a hex editor that the contents aren't just zeros (I've had that issue before); then, because the first part of BOOT0 is the preloader, you could probably just rename the file to preloader.bin and use the restore command. Is the BOOT0 dump from a fully working Echo?
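The two failure modes discussed above (a whole 112601088-byte OTA .bin handed to the restore step, which reports "maximum size is not defined" and writes it anyway, and an all-zero BOOT0 dump that only a hex editor would catch) are both cheap to detect before anything touches the eMMC. The following is an added example, not EchoCLI or amonet code. It assumes 512-byte sectors and a 2048-sector (1 MiB) preloader region at the start of BOOT0; both figures are read off the successful restore log ("Data is 1048576", "[2048 / 2048]") rather than taken from the tool's source, and the partition table is the one EchoCLI printed at its "Check GPT" step.

```python
"""Pre-flash sanity checks for Echo Dot (MT8163) restore images.

Added example for this issue thread, not EchoCLI/amonet code. Sector size and
the preloader region size are assumptions derived from the restore log above
(1048576 bytes written as [2048 / 2048] blocks).
"""

SECTOR_SIZE = 512  # assumption: block size behind the tool's progress counters

# name -> (start_sector, size_in_sectors), copied from the "Check GPT" output
GPT = {
    'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048),
    'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240),
    'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768),
    'boot_a': (163840, 32768), 'boot_b': (196608, 32768),
    'recovery': (229376, 32768), 'system_a': (294912, 1572864),
    'system_b': (1867776, 1572864), 'cache': (3440640, 1605632),
    'userdata': (5046272, 2588639),
}

# Preloader region at the start of BOOT0 (not a GPT entry): 2048 sectors = 1 MiB,
# as reported by the restore that succeeded. Assumption, see lead-in.
PRELOADER_SECTORS = 2048
PRELOADER_BYTES = PRELOADER_SECTORS * SECTOR_SIZE


def partition_byte_range(name, table=GPT):
    """(byte_offset, byte_length) of a GPT partition from the sector table."""
    start, size = table[name]
    return start * SECTOR_SIZE, size * SECTOR_SIZE


def sectors_needed(length):
    """Sectors a payload of `length` bytes occupies, rounded up."""
    return -(-length // SECTOR_SIZE)


def fits_in(length, capacity_bytes):
    """True only if a non-empty payload fits the target without overrun."""
    return 0 < length <= capacity_bytes


def check_image(data, capacity_bytes):
    """Findings to read before typing 'restore'.

    all_zero flags an empty dump (the hex-editor check from the thread);
    fits catches a whole OTA .bin being flashed in place of preloader.img.
    """
    n = len(data)
    return {
        'size': n,
        'capacity': capacity_bytes,
        'sectors_needed': sectors_needed(n),
        'fits': fits_in(n, capacity_bytes),
        'all_zero': n > 0 and data.count(0) == n,
    }


def check_preloader_candidate(data):
    """Checks for a file about to be used as backup/preloader.bin."""
    return check_image(data, PRELOADER_BYTES)


def gpt_overlaps(table=GPT):
    """Pairs of partitions whose sector ranges overlap; empty for a sane table."""
    ordered = sorted(table.items(), key=lambda kv: kv[1][0])
    return [(a, b)
            for (a, (s1, n1)), (b, (s2, _)) in zip(ordered, ordered[1:])
            if s1 + n1 > s2]


if __name__ == '__main__':
    # Constructed inputs: the size from the failed restore and a fake empty dump.
    print(fits_in(112601088, PRELOADER_BYTES))                 # False: whole OTA .bin
    print(sectors_needed(112601088))                           # 219924, the log's denominator
    print(fits_in(1048576, PRELOADER_BYTES))                   # True: preloader.img size
    print(check_preloader_candidate(bytes(4096))['all_zero'])  # True: empty dump
    print(gpt_overlaps())                                      # []
```

The denominator in the failing progress line, 219924, is exactly 112601088 / 512, which is what makes the sector-size assumption reasonable: the tool was trying to write the entire OTA archive sector by sector into a 2048-sector region. A check like `fits_in` run on the file before `flash_binary` is the guard the "maximum size is not defined" message says is missing.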

Binozo commented 1 month ago

Ok I confirmed a valid BOOT0 dump, it actually contains data.

I have two options to take a dump:

I just used the first option and successfully restored my Alexa; the Alexa app even displays that Alexa as "Online". Thanks! 🤩

I planned to completely reset that Alexa, and I hope it will downgrade the firmware to a pre-patch version.

Then I will try to root again 👷‍♂️

Edit: Looked in the Alexa app: version 10101205124 broke this exploit, version 10101200772 may still work, and 0008087722372 should definitely work.

Dragon863 commented 4 weeks ago

Glad it helped! I'll leave the issue open as there is clearly still a problem; I am curious as to what caused the exploit to stop working. Do you know what Fire OS versions those correspond to? I can't find any reference online.

ESurge commented 4 weeks ago

I believe the numbers are listed at the end of the OTA URLs.
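Reconciling the version the Alexa app shows, the ro.build.version.name string from a root shell, and the OTA filenames from the XDA thread is mostly a matter of pulling the same fields out of three formats. The following is an added example, not EchoCLI code. Its filename pattern is an assumption generalised from the single OTA URL posted in this issue (update-kindle-biscuit_puffin-NS6555_user_4310M_0008087721594.bin), and the NS-code-to-version mapping follows the two pairs visible in the thread (NS6555 alongside 6.5.5.5, NS6562 alongside 6.5.6.2); other devices or OTA generations may not follow it.

```python
"""Match Fire OS version strings against Echo Dot OTA filenames.

Added example for this issue thread, not EchoCLI code. The filename regex and
the NS-code mapping are assumptions generalised from the URL and build.prop
lines quoted in the thread.
"""
import re

# update-kindle-<device>-NS<code>_<variant>_<build>_<number>.bin  (assumed layout)
OTA_NAME = re.compile(
    r'update-kindle-(?P<device>[a-z_]+)-NS(?P<code>\d{4})'
    r'_(?P<variant>[a-z]+)_(?P<build>\d+[A-Z]?)_(?P<number>\d+)\.bin$'
)

# ro.build.version.name=Fire OS 6.5.5.5 (NS6555/4313), as printed by grep above
PROP_LINE = re.compile(
    r'ro\.build\.version\.name=Fire OS (?P<version>[\d.]+) '
    r'\(NS(?P<code>\d{4})/(?P<build>\d+)\)'
)


def code_to_version(code):
    """'6555' -> '6.5.5.5' (assumption: one digit per version component)."""
    return '.'.join(code)


def parse_ota_url(url):
    """Fields of an OTA URL, or None if it does not match the assumed layout."""
    m = OTA_NAME.search(url)
    if not m:
        return None
    fields = m.groupdict()
    fields['version'] = code_to_version(fields['code'])
    return fields


def parse_build_prop(text):
    """Version fields from build.prop output, or None if absent."""
    m = PROP_LINE.search(text)
    return m.groupdict() if m else None


def ota_matches_installed(url, build_prop_text):
    """True when the OTA carries the same NS release code as the installed system.

    Only the NS code is compared: the thread's own data has the installed build
    4313 next to an OTA build 4310M for the same release.
    """
    ota, prop = parse_ota_url(url), parse_build_prop(build_prop_text)
    return bool(ota and prop and ota['code'] == prop['code'])


def version_tuple(version):
    """'6.5.5.5' -> (6, 5, 5, 5) so releases compare numerically."""
    return tuple(int(x) for x in version.split('.'))


def newest_not_above(urls, ceiling_version):
    """Highest-versioned OTA URL that is not newer than `ceiling_version`.

    Useful when you know the last release the exploit still worked on and want
    the matching image from a long list of OTA links; unparsable URLs are skipped.
    """
    best = None
    for url in urls:
        ota = parse_ota_url(url)
        if ota is None:
            continue
        v = version_tuple(ota['version'])
        if v <= version_tuple(ceiling_version) and (best is None or v > best[0]):
            best = (v, url)
    return best[1] if best else None


if __name__ == '__main__':
    # The URL from the thread and the two build.prop lines quoted in it.
    url = ('https://d1s31zyz7dcc2d.cloudfront.net/4c4fd21537a97548236e9a88cd835030/'
           'update-kindle-biscuit_puffin-NS6555_user_4310M_0008087721594.bin')
    print(parse_ota_url(url))
    print(ota_matches_installed(url, 'ro.build.version.name=Fire OS 6.5.5.5 (NS6555/4313)'))
    print(ota_matches_installed(url, 'ro.build.version.name=Fire OS 6.5.6.2 (NS6562/5160)'))
```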

Binozo commented 4 weeks ago

Thanks, guys, I will perform the root tomorrow if I find time again. I will inform you in this issue 🧑‍💻

Binozo commented 3 weeks ago

Hey guys, I finally got time to investigate 🧐

and I am proud to announce that I successfully rooted my Echo again 😎

biscuit_puffin:/ # grep version.name /system/*.prop
ro.build.version.name=Fire OS 6.5.6.2 (NS6562/5160)

biscuit_puffin:/ # uname -a
Linux localhost 3.18.19-g6e709ba-dirty #1 SMP PREEMPT Fri Apr 26 03:38:22 UTC 2024 armv7l

These were my steps to get control of my Echo back:

  1. Unrooted my Echo back to the stock OS (this included shorting the area specified in the README)
  2. Performed a normal reset of the Echo (I think this also resets it to an older firmware which doesn't have the patch)
  3. Immediately cut my Alexa off from the internet, using a hotspot from my laptop, before it automatically performs an update. Important!
  4. Rooted the Echo again using the guide in this repo
  5. Success 🥳

A little but important reminder: just as stated in the README, the OTA links must be blocked, otherwise the Echo will almost brick itself. (I forgot that on some Echos 🙃, which ended up almost bricked.)

Thank you so much for your help!!!!