Dragon863 / EchoCLI

A python command line tool for rooting your Amazon Echo dot 2nd generation

short the device #3

Closed frostworx closed 11 months ago

frostworx commented 11 months ago

Hi there, First of all, thanks for this promising project! :)

I bought an echo dot2 just to try it and it arrived earlier today. Unfortunately, I have to admit that I'm a bit lost already with rooting the devices. It could be opened up easily, but I'm not sure how to follow those instructions:

INFO: Please short the device as shown in the image at https://dragon863.github.io/blog/mainboard.jpg

My first guess to simply ground it somewhere while plugging it into usb was apparently wrong (would have been too easy :)) so I'm afraid I'll have to communicate through the tiny pins shown here:

https://forum.xda-developers.com/t/amazon-echo-dot-2-locked-hardware.3512349/#post-77059942

right?

The url to the "set of slides" below the picture is 404 btw, but the good old wayback machine has a copy:

https://web.archive.org/web/20190926005232/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498230402.pdf

Would be great if you had a pointer into the right direction on how to short the device (still have (low) hopes that high precision soldering is not required :))

Dragon863 commented 11 months ago

Don't worry, soldering isn't required! Have you already opened the echo? If so, you'll need to use something flat to pry off the RF cap covering the flash chip on the main board. Once you've done that, use a piece of aluminium foil or anything conductive to short the contacts in the area I put the red box around to ground (the surrounding metal mounting for the RF lid is connected to ground). The script will then detect it once you plug it in with the short in place. You'll only have to do this part once unless you get an OTA update; you can then assemble it again. If you have any issues, please let me know!

frostworx commented 11 months ago

Thank you for the quick reply! Yay, glad to hear soldering is not required :) \o/ Yes, I already opened the device and removed the RF cap, sorry for not having mentioned it earlier.

What I did was connecting the bigger part left besides C52 with some ground (maybe just tried some invalid aluminium parts here) using a male-male gpio pin cable and then attached the device to usb and started your tool. It idled with "Waiting for bootrom", so I guess my ground was invalid :) I'll report back when I have success (next try possibly not before tomorrow though).

Thank you again for your friendly help!

Dragon863 commented 11 months ago

No problem! Just a thought, maybe try plugging in the usb after running the tool; it checks for new devices, so it may be that although the OS had found the serial port, the script didn't because it was already attached. A jumper cable should work fine, all it does is short the power rails so that the chip can't be accessed and it boots into a fallback mode.

frostworx commented 11 months ago

Thank you, the suggestion to leave the program running while fighting against my fat fingers was good :)

After several attempts I had (mostly) success:

[17:12:33] Waiting for bootrom
[17:12:49] Found port = /dev/ttyACM0
[17:12:49] Handshake
[17:12:49] Disable watchdog
[17:12:49] handshake success!

 * * * Remove the short and press Enter * * * 

[17:13:00] Init crypto engine
[17:13:00] Disable caches
[17:13:00] Disable bootrom range checks
[17:13:00] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[17:13:00] Send payload
[17:13:00] Let's rock
[17:13:00] Wait for the payload to come online...
[17:13:01] all good
[17:13:01] Check GPT
Partitions:
{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), 'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), 'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), 'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), 'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), 'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}

Would you like to root your device, or restore it?
[root/restore] > root
[17:13:10] SUCCESS: Dumped misc.bin from device.
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 204, in main
    shutil.copyfile("misc.bin", "backup/misc.bin")
  File "/usr/lib/python3.11/shutil.py", line 258, in copyfile
    with open(dst, 'wb') as fdst:
         ^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: 'backup/misc.bin'

As there is no "backup" directory in pwd, I'll try to reproduce a successful handshake after having created it and report back :)

frostworx commented 11 months ago

creating a backup dir within EchoCLI/internal/amonet brought me a bit further, but still not to the end:


Would you like to root your device, or restore it?
[root/restore] > root
[17:53:16] SUCCESS: Dumped misc.bin from device.
[17:53:16] INFO: Backed up misc partition...
[17:53:16] INFO: 
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...

[17:53:28] FAIL: Failed to dump backup/preloader.bin
[17:53:28] INFO: Backed up preloader...
[17:53:28] INFO: Clearing preloader header
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 216, in main
    flash_data(
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 68, in flash_data
    log_info("[{} / {}]".format(x + 1, blocks), end="\r")
TypeError: log_info() got an unexpected keyword argument 'end'

no dice so far while trying to get another handshake to test if this is reproducible. got some crypto related error in between in case this is interesting:

[18:00:39] Found port = /dev/ttyACM0
[18:00:39] Handshake
[18:00:39] Disable watchdog
[18:00:39] handshake success!

 * * * Remove the short and press Enter * * * 

[18:00:44] Init crypto engine
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 163, in main
    load_payload(dev, "brom-payload/build/payload.bin")
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/load_payload.py", line 85, in load_payload
    init(dev)
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/load_payload.py", line 9, in init
    dev.write32(CRYPTO_BASE + 0x0C0C, 0)
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/common.py", line 139, in write32
    self.check(self.dev.read(1), b'\xd4') # echo cmd
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/common.py", line 84, in check
    raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch

Dragon863 commented 11 months ago

Sorry about that first error, that is now fixed (you'll have to clone the repo again). The crypto error happens quite often, it seems to be if the preloader manages to boot further than expected, you can safely ignore it and maybe try shorting the flash again if it happens. I'll try to add some error handling for that, I wasn't sure if it was just my device. Also the backup directory is my fault, I didn't notice that git had ignored it when pushing because it was empty, I'll add that too.

frostworx commented 11 months ago

Thank you for the quick bump!

just re-tried with 2643210640d1cbe325f6e530072b8371ec42b722 and got pretty far:

[18:56:26] Waiting for bootrom
[18:56:37] Found port = /dev/ttyACM0
[18:56:37] Handshake
[18:56:37] Disable watchdog
[18:56:37] handshake success!

 * * * Remove the short and press Enter * * * 

[18:56:41] Init crypto engine
[18:56:41] Disable caches
[18:56:41] Disable bootrom range checks
[18:56:41] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[18:56:41] Send payload
[18:56:42] Let's rock
[18:56:42] Wait for the payload to come online...
[18:56:42] all good
[18:56:42] Check GPT
Partitions:
{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), 'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), 'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), 'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), 'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), 'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}

Would you like to root your device, or restore it?
[root/restore] > root
[18:56:46] SUCCESS: Dumped misc.bin from device.
[18:56:46] INFO: Backed up misc partition...
[18:56:46] INFO: 
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...

[18:57:12] SUCCESS: Dumped backup/preloader.bin from device.
[18:57:12] INFO: Backed up preloader...
[18:57:12] INFO: Clearing preloader header
[8 / 8]
[18:57:34] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 230, in main
    data[3] > data[4]
    ~~~~^^^
IndexError: index out of range
Select an option: > ^X^CTraceback (most recent call last):
  File "/media/nvme/sources/2023/07/EchoCLI/main.py", line 4, in <module>
    instance = CLI(args=sys.argv[1:])
               ^^^^^^^^^^^^^^^^^^^^^^
  File "/media/nvme/sources/2023/07/EchoCLI/cli.py", line 28, in __init__
    self.init_arguments(args)
  File "/media/nvme/sources/2023/07/EchoCLI/cli.py", line 55, in init_arguments
    self.main()
  File "/media/nvme/sources/2023/07/EchoCLI/cli.py", line 89, in main
    rooting_tools.root_menu(self)
  File "/media/nvme/sources/2023/07/EchoCLI/internal/rooting_tools.py", line 13, in root_menu
    option = str(input("\033[36mSelect an option:\x1b[0m > "))
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

not sure yet in which state the device is :)

frostworx commented 11 months ago

sorry for the noise... just found that misc.bin has zero bytes (also in backup dir)

Dragon863 commented 11 months ago

No problem, that is strange though. There should be some data at 0x363? It is used to say which slot the echo uses. Would you mind telling me the size of misc.bin? If it still doesn't work after retrying, try with the latest commit, it shouldn't make a difference but it's worth a try

frostworx commented 11 months ago

just retried with 45ee316b1ed95733daba2d2ff75f36a75b64f8c5, but no difference unfortunately. the (previously removed) 0-byte misc.bin files were re-created again with 0 bytes

Dragon863 commented 11 months ago

I am so sorry, I think I've found the issue and sorted it in commit 1f3ee6d, it seems that the length of the file to dump wasn't defined so it was defaulting to zero. I'm so sorry for all of these issues; whilst I have tested it, I think I already had the files dumped from reverse engineering the device.

frostworx commented 11 months ago

Wow, that was quick! Thank you very much for your excellent support and work again!

Just tried with latest commit and I can confirm the misc.bin issue is fixed (524800 bytes now)

I stumbled over another error, though:

[18:56:41] Init crypto engine
[18:56:41] Disable caches
[18:56:41] Disable bootrom range checks
[18:56:41] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[18:56:41] Send payload
[18:56:42] Let's rock
[18:56:42] Wait for the payload to come online...
[18:56:42] all good
[18:56:42] Check GPT
Partitions:
{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), 'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), 'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), 'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), 'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), 'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}

Would you like to root your device, or restore it?
[root/restore] > root
[18:56:46] SUCCESS: Dumped misc.bin from device.
[18:56:46] INFO: Backed up misc partition...
[18:56:46] INFO: 
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...

[18:57:12] SUCCESS: Dumped backup/preloader.bin from device.
[18:57:12] INFO: Backed up preloader...
[18:57:12] INFO: Clearing preloader header
[8 / 8]
[18:57:34] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 230, in main
    data[3] > data[4]
    ~~~~^^^
IndexError: index out of range

Please let me know if you need anything else :)

Dragon863 commented 11 months ago

That's interesting, would you please email the misc.bin file to me at dragon863.dev@gmail.com ? I would ask you to upload it here, but I'm not sure about copyright issues. It seems that the script is unable to verify which slot is being used, it will be possible to do this manually but I'd like to be able to determine why it isn't working

frostworx commented 11 months ago

The relevant part in the hex editor should be: (screenshot attached in the original comment: 2023-08-03-193128_1188x28_scrot)

You just replied simultaneously. I'll send you the misc.bin in a sec. done :)

Dragon863 commented 11 months ago

That's all I need, thanks. It seems that the slot info is at a different offset on your echo, I'm not sure why that would be. Seeing as 8F is greater than 3E, it is safe for you to comment out lines 231 to 238 in internal/amonet/amonet/__init__.py and add slot="a" on 239

frostworx commented 11 months ago

thanks! My echo was sold as new and indeed it looked completely unused. maybe that's the reason(?).

Now I get

[19:43:18] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 240, in main
    dump_binary(dev, f"lk_{slot}.bin", gpt[f"lk_{slot}.bin"][0])
                                       ~~~^^^^^^^^^^^^^^^^^^
KeyError: 'lk_a.bin'

I guess formatting should be fine, though:

...
#        slot = "b"
    slot = "a"
    dump_binary(dev, f"lk_{slot}.bin", gpt[f"lk_{slot}.bin"][0])
...

Dragon863 commented 11 months ago

I think I might know what is happening. You mentioned that your echo was in almost factory condition; older echo dots were shipped with FireOS 5 before they were updated to the newer FireOS 6, based on Android Jellybean rather than Lollipop. It is possible to root your device on this older software version, but if you want to use this tool it would be much easier if you could use the restore option in the CLI to rewrite the original preloader, and then ask Alexa to check for updates and try rooting again on FireOS 6.

frostworx commented 11 months ago

hmm, thanks for your analysis!

I have to admit that I'm not too keen on setting up Alexa and/or depending on some amazon services even if it is temporarily. I'd guess I'll have to sleep over it first :)

viraniac commented 11 months ago

gpt[f"lk_{slot}.bin"][0] that looks like a bug. Remove .bin from there. gpt only has lk_a or lk_b. There is no .bin suffix there

Dragon863 commented 11 months ago

That's fine, I completely understand that. I've just fixed another error, the partition name wouldn't have .bin in it. Assuming your echo is on FireOS 6, you can potentially pull the latest changes and try again. Sorry for all the errors, I should've spotted them before,

Dragon863 commented 11 months ago

Thanks @viraniac , it seems we commented at the same time!

frostworx commented 11 months ago

thank you both! :) seems like you haven't pushed your changes though, @Dragon863. I'll test it manually shortly

Dragon863 commented 11 months ago

Sorry! Pushed now :)

frostworx commented 11 months ago

was worth a try, but unfortunately, it seems like my os is too old indeed - the file lk_a has 0 bytes.

I also get this error

[20:10:12] INFO: Clearing preloader header
[8 / 8]
[20:10:35] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
[20:10:35] SUCCESS: Dumped lk_a from device.
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/media/nvme/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 241, in main
    shutil.copyfile(f"lk_{slot}.bin", f"backup/lk_{slot}.bin")
  File "/usr/lib/python3.11/shutil.py", line 256, in copyfile
    with open(src, 'rb') as fsrc:
         ^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: 'lk_a.bin'

which likely can be fixed with

dump_binary(dev, f"lk_{slot}.bin", gpt[f"lk_{slot}"][0])

(so basically the .bin suffix was just appended at the wrong position previously)
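Two of the failures in this thread (a 0-byte misc.bin backup that was only noticed after the preloader had already been wiped, and the `.bin` suffix being looked up as a GPT key) are both catchable before the destructive step. The following is an added example, not EchoCLI's own code: it parses the partition table the tool prints at "Check GPT", keeps partition names and backup file names apart, and refuses to proceed unless every backup exists and has exactly the size the GPT says it should. It assumes the GPT tuples are (start sector, sector count) in 512-byte sectors, which matches the sizes reported above (misc: 1025 sectors = 524800 bytes, lk_a: 2048 sectors = 1048576 bytes); the function names and the constructed backup files are assumptions made here.

```python
"""Verify partition backups against the GPT before a destructive step.

Added example, not EchoCLI's code. Assumes 512-byte sectors and that a backup
of partition NAME is stored as NAME.bin (the GPT key itself has no suffix).
"""
import ast
import tempfile
from pathlib import Path

SECTOR_BYTES = 512

# Partition table exactly as printed by the tool's "Check GPT" step in this thread.
GPT_LINE = ("{'kb': (2048, 2048), 'dkb': (4096, 2048), 'lk_a': (32768, 2048), "
            "'tee1': (49152, 10240), 'lk_b': (65536, 2048), 'tee2': (81920, 10240), "
            "'expdb': (98304, 20480), 'misc': (118784, 1025), 'persist': (131072, 32768), "
            "'boot_a': (163840, 32768), 'boot_b': (196608, 32768), 'recovery': (229376, 32768), "
            "'system_a': (294912, 1572864), 'system_b': (1867776, 1572864), "
            "'cache': (3440640, 1605632), 'userdata': (5046272, 2588639)}")


def parse_gpt(line):
    """Turn the printed dict into {name: (start_sector, sector_count)} with type checks."""
    raw = ast.literal_eval(line)  # safe: only literals, no code execution
    gpt = {}
    for name, value in raw.items():
        start, count = value
        if not (isinstance(start, int) and isinstance(count, int) and count > 0):
            raise ValueError(f"bad GPT entry for {name!r}: {value!r}")
        gpt[name] = (start, count)
    return gpt


def backup_file(name):
    """The on-disk file name; the .bin suffix belongs here, never in the GPT lookup."""
    return f"{name}.bin"


def expected_bytes(gpt, name):
    """Byte size a full dump of partition NAME must have. KeyError for unknown names."""
    if name not in gpt:
        raise KeyError(f"unknown partition {name!r}; known: {sorted(gpt)}")
    return gpt[name][1] * SECTOR_BYTES


def classify_size(gpt, name, got):
    """'empty' is the dump-length-defaulted-to-zero bug; 'size-mismatch' a truncated dump."""
    want = expected_bytes(gpt, name)
    if got == 0:
        return "empty"
    if got != want:
        return "size-mismatch"
    return "ok"


def verify_backup(gpt, name, directory):
    path = Path(directory) / backup_file(name)
    if not path.exists():
        return "missing"
    return classify_size(gpt, name, path.stat().st_size)


def backups_ok(gpt, names, directory):
    """Gate for the destructive step: True only if every named backup is complete."""
    return all(verify_backup(gpt, n, directory) == "ok" for n in names)


def demo():
    """Constructed backup directory: an empty misc.bin, a full lk_a.bin, no lk_b.bin."""
    gpt = parse_gpt(GPT_LINE)
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / backup_file("misc")).write_bytes(b"")
        (Path(d) / backup_file("lk_a")).write_bytes(b"\x00" * expected_bytes(gpt, "lk_a"))
        results = {n: verify_backup(gpt, n, d) for n in ("misc", "lk_a", "lk_b")}
        gate = backups_ok(gpt, ("misc", "lk_a"), d)
    return results, gate


if __name__ == "__main__":
    print(demo())  # ({'misc': 'empty', 'lk_a': 'ok', 'lk_b': 'missing'}, False)
```

The point of `backups_ok` is ordering: run it after the dumps and before the "This next step WILL brick your preloader" prompt, so an empty or truncated backup stops the run while the device is still bootable.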

frostworx commented 11 months ago

with the bin suffix fixed I get:

[20:17:40] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
[20:17:40] SUCCESS: Dumped lk_a.bin from device.
[20:17:40] INFO: Backed up LK a partition...
[20:17:40] WARN: 
                Could not detect LK version. Try updating your device using an OTA, or the official app if this method has not yet been patched. Press enter to continue, or press Ctrl+C to abort (safer).

(aborting here :))

Dragon863 commented 11 months ago

Would you mind emailing the lk please? I'll be able to check what version it is and if the patch is safe in less than an hour

viraniac commented 11 months ago

with the bin suffix fixed I get:

[20:17:40] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
[20:17:40] SUCCESS: Dumped lk_a.bin from device.
[20:17:40] INFO: Backed up LK a partition...
[20:17:40] WARN: 
                Could not detect LK version. Try updating your device using an OTA, or the official app if this method has not yet been patched. Press enter to continue, or press Ctrl+C to abort (safer).

(aborting here :))

Yeah the code seems to be hardcoded for two lk versions. So you have to either update or modify the code

frostworx commented 11 months ago

the lk_a is 0 byte, so mailing it wouldn't make much sense :)

just bought another used device on ebay and will keep on testing with that instead when it arrives :)

viraniac commented 11 months ago

To patch lk, all that needs to be done is find '10b5 c0b0 0021 4ff4' and replace it with '0120 7047 0021 4ff4'. That's the only change needed. And that's version agnostic; it works with both 5.x and 6.x firmwares so far. So if you can get your lk to dump, you can make that change manually and flash it again

viraniac commented 11 months ago

the lk_a is 0 byte, so mailing it wouldn't make much sense :)

didn't you change that to be lk_a.bin in the previous comment? Just making sure you are checking the correct file

frostworx commented 11 months ago

yes, sorry, typo, lk_a.bin has 0 bytes. giving up for today. thank you both again for your help!

viraniac commented 11 months ago

yes, sorry, typo, lk_a.bin has 0 bytes. giving up for today. thank you both again for your help!

@Dragon863 same bug as misc, size is missing

Dragon863 commented 11 months ago

Sorry, I'm back now. Yes the script is currently hardcoded for two lk versions because it seems to be very difficult to get python to seek to the correct location, but I've just pushed a change that should sort the 0 bytes issue (and fixed the suffix again!). Assuming it is updated, that should match the md5 hash and allow it to be patched.

Dragon863 commented 11 months ago

Double reply again!

viraniac commented 11 months ago

Sorry, I'm back now. Yes the script is currently hardcoded for two lk versions because it seems to be very difficult to get python to seek to the correct location

On the contrary, that part is quite easy. Look at this function code as an example

Dragon863 commented 11 months ago

Thank you! That seems a lot more intuitive than finding the md5 file hash and using it to determine the appropriate patch, I'll look at integrating that method when I get a chance

frostworx commented 11 months ago

I already received my 2nd used dot today. just tried a flash (using 9c39656f10b6e4a8a528c0646eecd66ed6d4f03a):

also with this device I had to hardcode slot="a" (hex values looked mostly identical to those of my 1st device) because it crashed again with


[11:53:47] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/usr/src/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/usr/src/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 233, in main
    data[3] > data[4]
    ~~~~^^^
IndexError: index out of range

during the first run.

The second run went pretty far, but finally failed with:

[11:59:08] SUCCESS: Dumped backup/preloader.bin from device.
[11:59:08] INFO: Backed up preloader...
[11:59:08] INFO: Clearing preloader header
[8 / 8]
[11:59:32] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
[12:00:18] SUCCESS: Dumped lk_a.bin from device.
[12:00:18] INFO: Backed up LK a partition...
[12:00:18] WARN: 
                Could not detect LK version. Try updating your device using an OTA, or the official app if this method has not yet been patched. Press enter to continue, or press Ctrl+C to abort (safer).

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/usr/src/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/usr/src/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 266, in main
    modify_lk(version=version, slot=slot)  # Patch the binary
                      ^^^^^^^
UnboundLocalError: cannot access local variable 'version' where it is not associated with a value

This time lk_a.bin was created though (1048576 bytes). If you'd like to test it, I'd be glad to send it to you. Otherwise please let me know if you need anything else.

frostworx commented 11 months ago

To patch lk, all that needs to be done is find '10b5 c0b0 0021 4ff4' and replace it with '0120 7047 0021 4ff4'. That's the only change needed. And that's version agnostic; it works with both 5.x and 6.x firmwares so far. So if you can get your lk to dump, you can make that change manually and flash it again

not sure if it is this what you meant, but replacing the only occurrence of "10b5 c0b0 0021 4ff4" with "0120 7047 0021 4ff4" in the dumped lk_a.bin and restoring that afterward did not work entirely:

Would you like to root your device, or restore it?
[root/restore] > restore
[12:32:50] INFO: Data is 524288 and maximum size is not defined
[1024 / 1024]
[12:34:00] INFO: Restored preloader...
[12:34:00] INFO: Data is 524800 and maximum size is not defined
[1025 / 1025]
[12:34:22] INFO: Restored misc partition...
[12:34:23] INFO: Data is 1048576 and maximum size is not defined
[2048 / 2048]
[12:35:06] INFO: Restored lk_a partition...
[12:35:06] SUCCESS: Restored device! If you experience any problems, please contact me.
[12:35:29] SUCCESS: Dumped misc.bin from device.
[12:35:29] INFO: Backed up misc partition...
[12:35:29] INFO: 
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...

[12:35:57] SUCCESS: Dumped backup/preloader.bin from device.
[12:35:57] INFO: Backed up preloader...
[12:35:57] INFO: Clearing preloader header
[8 / 8]
[12:36:20] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
[12:37:06] SUCCESS: Dumped lk_a.bin from device.
[12:37:06] INFO: Backed up LK a partition...
[12:37:06] WARN: 
                Could not detect LK version. Try updating your device using an OTA, or the official app if this method has not yet been patched. Press enter to continue, or press Ctrl+C to abort (safer).

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/usr/src/sources/2023/07/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/usr/src/sources/2023/07/EchoCLI/internal/amonet/amonet/__init__.py", line 266, in main
    modify_lk(version=version, slot=slot)  # Patch the binary
                      ^^^^^^^
UnboundLocalError: cannot access local variable 'version' where it is not associated with a value

Dragon863 commented 11 months ago

If you could send it, that would be great, thank you. Assuming it is FireOS 6 it should be safe to set the version variable manually. I'm going to be away for a week, but afterwards I'm going to change the patching system to make it more reliable using the method viraniac mentioned

viraniac commented 11 months ago

@frostworx Could you please give my fork a try https://github.com/viraniac/EchoCLI

Dragon863 commented 11 months ago

@viraniac would you mind if I merged your changes into the main branch?

viraniac commented 11 months ago

@Dragon863 I will raise a PR myself, once @frostworx confirms that it works for him

Dragon863 commented 11 months ago

Thank you, really appreciate that

frostworx commented 11 months ago

@Dragon863 sent you the binary a few minutes ago (if it is still required :))

@viraniac to avoid confusion: I tested your fork with the hex-edited lk_a.bin still being flashed on the device and tried a "root" attempt. (reverting to the original lk_a.bin now)

the first attempt failed due to the slot="a" issue, the 2nd attempt failed with

Would you like to root your device, or restore it?
[root/restore] > root
[12:54:39] SUCCESS: Dumped misc.bin from device.
[12:54:39] INFO: Backed up misc partition...
[12:54:39] INFO: 
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...

[12:55:37] SUCCESS: Dumped backup/preloader.bin from device.
[12:55:37] INFO: Backed up preloader...
[12:55:37] INFO: Clearing preloader header
[8 / 8]
[12:56:00] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
[12:56:46] SUCCESS: Dumped lk_a.bin from device.
[12:56:46] INFO: Backed up LK a partition...
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/usr/src/sources/2023/07/Efork/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/usr/src/sources/2023/07/Efork/EchoCLI/internal/amonet/amonet/__init__.py", line 244, in main
    modify_lk(slot=slot)  # Patch the binary
    ^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/sources/2023/07/Efork/EchoCLI/internal/amonet/amonet/__init__.py", line 44, in modify_lk
    raise RuntimeError('Pattern not found. Lk can not be patched')
RuntimeError: Pattern not found. Lk can not be patched

frostworx commented 11 months ago

@viraniac, unfortunately with original lk_a.bin restored it failed with the same error:

Would you like to root your device, or restore it?
[root/restore] > restore
[13:01:03] INFO: Data is 524288 and maximum size is not defined
[1024 / 1024]
[13:02:13] INFO: Restored preloader...
[13:02:13] INFO: Data is 524800 and maximum size is not defined
[1025 / 1025]
[13:02:35] INFO: Restored misc partition...
[13:02:35] SUCCESS: Restored device! If you experience any problems, please contact me.
[13:02:58] SUCCESS: Dumped misc.bin from device.
[13:02:58] INFO: Backed up misc partition...
[13:02:59] INFO: 
        This next step WILL brick your preloader, rendering your device unbootable without a computer, as this is a TETHERED exploit. This is a reversible change. Press enter if you understand the consequences and accept that I am not responsible for any damage to you device...

[13:03:34] SUCCESS: Dumped backup/preloader.bin from device.
[13:03:34] INFO: Backed up preloader...
[13:03:34] INFO: Clearing preloader header
[8 / 8]
[13:03:58] SUCCESS: Dumped ../../preloader_no_hdr.bin from device.
[13:04:44] SUCCESS: Dumped lk_a.bin from device.
[13:04:44] INFO: Backed up LK a partition...
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/usr/src/sources/2023/07/Efork/EchoCLI/internal/amonet/amonet/__main__.py", line 3, in <module>
    amonet.main()
  File "/usr/src/sources/2023/07/Efork/EchoCLI/internal/amonet/amonet/__init__.py", line 244, in main
    modify_lk(slot=slot)  # Patch the binary
    ^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/sources/2023/07/Efork/EchoCLI/internal/amonet/amonet/__init__.py", line 44, in modify_lk
    raise RuntimeError('Pattern not found. Lk can not be patched')
RuntimeError: Pattern not found. Lk can not be patched

viraniac commented 11 months ago

what do you mean by hex-edited lk? what's the modification that you did?

Dragon863 commented 11 months ago

Just checked the file, the pattern is there at 01D710 so I'm not sure why it wouldn't work

Dragon863 commented 11 months ago

@frostworx have you already modified the lk? If so I'd delete the file and run the fork again, as it should now be able to patch it thanks to viraniac's new patch method

frostworx commented 11 months ago

@viraniac that modification

@Dragon863 I successfully recovered the unmodified lk on this attempt, but will give it another test with a completely fresh clone of the fork

viraniac commented 11 months ago

if it was already modified, then you already had it unlocked. It was supposed to fail that way. I will modify the code to check if lk is already patched, to give a better user experience
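The "Pattern not found" confusion above comes from the patcher only distinguishing "original pattern present" from "absent", so an lk that was already edited by hand looks the same as an unsupported image. As an added example (not EchoCLI's or the fork's code), the classifier below tells the four states apart before anything is written: original, already patched, empty dump, or unrecognized. The two byte sequences are the ones viraniac gave in this thread; the sample image is constructed here, with the sequence placed at offset 0x1D710 only because that is where Dragon863 reported finding it in the dumped file, and the function names are assumptions.

```python
"""Classify an lk image before deciding whether it can or should be patched.

Added example, not project code. The byte patterns are the ones quoted in the
thread; the sample image is constructed for the demo.
"""

# bytes.fromhex() ignores the spaces, so the patterns can be written as in the thread.
LK_ORIGINAL = bytes.fromhex("10b5 c0b0 0021 4ff4")
LK_PATCHED = bytes.fromhex("0120 7047 0021 4ff4")

# Offset reported in the thread for a real dump; used here only to build the sample.
SAMPLE_OFFSET = 0x1D710
SAMPLE_SIZE = 0x20000


def classify_lk(image):
    """Return 'empty', 'original', 'patched', 'unrecognized' or 'ambiguous'."""
    if len(image) == 0:
        return "empty"            # the 0-byte dump seen earlier in the thread
    n_orig = image.count(LK_ORIGINAL)
    n_patched = image.count(LK_PATCHED)
    if n_orig == 1 and n_patched == 0:
        return "original"         # the only state a patcher should act on
    if n_orig == 0 and n_patched == 1:
        return "patched"          # hand-edited or previously rooted: nothing to do
    if n_orig == 0 and n_patched == 0:
        return "unrecognized"     # different firmware, truncated dump, or not an lk at all
    return "ambiguous"            # more than one hit: do not blind-replace


def pattern_offset(image):
    """Offset of the original pattern, or None (useful for the 'ambiguous' case too)."""
    idx = image.find(LK_ORIGINAL)
    return None if idx < 0 else idx


def make_sample(state):
    """Constructed lk-sized image in the requested state (not a real dump)."""
    buf = bytearray(b"\xff" * SAMPLE_SIZE)
    if state == "original":
        buf[SAMPLE_OFFSET:SAMPLE_OFFSET + len(LK_ORIGINAL)] = LK_ORIGINAL
    elif state == "patched":
        buf[SAMPLE_OFFSET:SAMPLE_OFFSET + len(LK_PATCHED)] = LK_PATCHED
    elif state == "empty":
        return b""
    return bytes(buf)


if __name__ == "__main__":
    for state in ("original", "patched", "empty", "unrecognized"):
        img = make_sample(state)
        print(state, "->", classify_lk(img), pattern_offset(img))
```

Running the classifier on the backup taken at "Backed up LK a partition" and printing its result would have turned the `RuntimeError` into a clear "already patched, skipping" message, which is the check viraniac describes adding.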