Difference between revisions of "Amazon Tap"

From Exploitee.rs
Line 28: Line 28:


== Gaining Bootloader Shell ==
== Gaining Bootloader Shell ==
The Amazon Tap implements a secure boot process but a bootloader shell can be obtained by grounding the flash data0 pin while u-boot is reading the kernel into memory.   
The Amazon Tap implements a secure boot process, however a bootloader shell can be obtained by grounding the eMMC flash data pin while U-Boot is reading its own environmental variables into memory.   


To access the bootloader shell.
To access the bootloader shell.


# Connect to UART
# Connect to UART (keep your TX line disconnected!)
# Ground resistor next to TP27 silkscreen
# Power on
# u-boot shell is available when presented with "=>"
# Wait for output over UART
# Ground resistor below the TP27 silkscreen
# U-Boot shell is available when presented with "=>"


The photo below illustrates the process.
The photo below illustrates the process.


[[File:Amazon Tap Flash Glitch.png|500px]]
[[File:Amazon Tap Flash Glitch.png|500px]]
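
Review bot: In the revised step list, step 1 adds "(keep your TX line disconnected!)" but gives no reason, and no later step says when TX is connected, even though the last step expects the reader to reach the "=>" shell. State why TX must stay disconnected and at which step it is attached. The revised intro also replaces "flash data0 pin" with "eMMC flash data pin"; if one specific data line is meant, keep its name so the text matches the grounding point in the TP27 step.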

Revision as of 01:22, 10 August 2017

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."

Amazon Tap Stock Photo.jpg

Amazon Tap

The Amazon Tap is a wireless Bluetooth and Wi-Fi speaker featuring the "Alexa" voice assistant.

Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device. Purchase the Amazon Tap at Amazon.

Hardware

  • Freescale [MCIMX6L8DVN10AB] i.MX 6 SoloLite Applications Processor
  • KMNJ2000ZM eMMC/DRAM
  • Broadcom BCM4343

Teardown

You can find an excellent teardown of the Amazon Tap at [ifixit.com].

UART

The Amazon Tap features UART pads that provide U-Boot and kernel output but allow no practical input: no shells of any sort.

The UART pads can be found in the photo below.

Amazon Tap UART.png

Gaining Bootloader Shell

The Amazon Tap implements a secure boot process; however, a bootloader shell can be obtained by grounding the eMMC flash data pin while U-Boot is reading its own environment variables into memory.

To access the bootloader shell:

  1. Connect to UART (keep your TX line disconnected!)
  2. Power on
  3. Wait for output over UART
  4. Ground resistor below the TP27 silkscreen
  5. U-Boot shell is available when presented with "=>"

The photo below illustrates the process.

Amazon Tap Flash Glitch.png