Difference between revisions of "Amazon Tap"

From Exploitee.rs
Jump to navigationJump to search
m (Zenofex moved page Amazon Tap​ to Amazon Tap)
 

Latest revision as of 03:25, 11 August 2017

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

Amazon Tap Stock Photo.jpg

Amazon Tap

The Amazon Tap is a wireless bluetooth & wifi speaker featuring the "Alexa" voice assistant.

Purchase

Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Amazon Tap at Amazon

Hardware

  • Freescale [MCIMX6L8DVN10AB] i.MX 6 SoloLite Applications Processor
  • KMNJ2000ZM eMMC/DRAM
  • Broadcom BCM4343

Teardown

You can find an excellent teardown of the Amazon Tap at [ifixit.com].

UART

The Amazon Tap features UART pads that provides u-boot and kernel output, but allows for no practical input - no shells of any sort.

The UART pads can be found in the photo below, with the settings of 115200 8n1.

Amazon Tap UART.png

Gaining Bootloader Shell

The Amazon Tap implements a secure boot process, however a bootloader shell can be obtained by grounding the eMMC flash data pin while U-Boot is reading its own environmental variables into memory.

To access the bootloader shell.

  1. Connect to UART (keep your TX line disconnected!)
  2. Power on
  3. Wait for output over UART
  4. Ground resistor below the TP27 silkscreen
  5. U-Boot shell is available when presented with "=>"

The photo below illustrates the process.

Amazon Tap Flash Glitch.png

Demo