Amazon IoT Button Hacking: Part 1


Purpose

I am working on the steps to grab the firmware from the Amazon IoT button and flash it onto the $5 DASH Buttons (think Tide/Cottonelle/Ziploc). There are a few really good existing articles that detail the steps, but I had some difficulty getting started. To be fair, the articles are great, but I am a complete newbie to things like:

  • OpenOCD – Open On-Chip Debugger (openocd.org)
  • ST-Link – (STM32 Microprocessor discovery programmer)
  • STM32 microcontroller (Brain for the DASH)
  • Soldering super tiny DASH connections resulting in a hardware bricked IoT button (hence no firmware) and one $5 Ziploc button.

 

So, with that said, here are the steps I used to get everything set up to successfully flash the firmware on the $5 buttons…

Why snag the firmware?

The Amazon Web Services (AWS) IoT firmware version of the DASH button lets you interface with Amazon Web Services like DynamoDB, Lambda, etc. During the configuration, the firmware allows you to upload a public/private key set that enables communication with the AWS IoT service. The $5 version runs the same v1.0 hardware, so if we can get the IoT firmware, we should be able to make the $5 versions act like the more expensive $20 IoT button.

 

There have been a lot of really great articles detailing the teardown and internals of Amazon’s DASH button as well as flashing the firmware. These should get you up to speed with what we are doing here:

Resources:

  1. Great article and copy of the Cottonelle firmware. Useful if you brick your device (like me) https://github.com/dekuNukem/Amazon_Dash_Button/
  2. Adafruit’s article is one of the best for getting started. Details DASH hardware, and setting up a Vagrant VM to compile your own code against the DASH. It also provides instructions for reviving a bricked DASH. (https://learn.adafruit.com/dash-hacking-bare-metal-stm32-programming/overview) Vagrant may be the way to go, but in this article I am using standalone tools.
  3. OpenOCD Flash Commands for unlocking firmware/querying DASH flash (http://openocd.org/doc/html/Flash-Commands.html)

 

Hardware:

 

Check out Adafruit’s article on soldering the connections. Once you have that done, it should look something like this:

image1

Now you are ready to get OpenOCD and the ST-Link utility going.

BATTERY NOTE: I couldn’t find any clear documentation, but I have to DISCONNECT the battery to successfully connect with OpenOCD.

VCC 3.3 NOTE: Although the ST-Link v2 programmer has a 3.3v pin and ground, I found references stating that it would mess up the SWCLK. So, I only used (3) of the pins on the programmer (shown below) and connected an external 3.3v source:

image2

Programming Tools

Windows ST-Link Utility

ST-Link Connectivity Notes:

  1. Cannot read memory! Disable Read Out Protection and retry

See the ‘Unlock STM32 Flash’ note in the OpenOCD Section.

image3

 

Linux OpenOCD

  • Newbie Note: Connects to device, then lets you telnet to OpenOCD and interact with the device.
  • This tool can do what the ST-Link utility did, but most importantly, has the ‘stm32f2x unlock 0’ firmware command to unlock the DASH firmware.
  • Ubuntu NOTE: I had to download and install OpenOCD 0.9 to get this to work. The version installed with ‘apt-get install openocd’ was version 0.7. Unfortunately, it seems that some of the stm32 commands aren’t supported. I received this error: invalid command name ‘jtag_ntrst_delay’

image4

  • Once I pulled down the binary, I ran the following:
    • sudo mkdir -p /opt/gnuarmeclipse
    • cd /opt/gnuarmeclipse
    • sudo tar xvf ~/Downloads/gnuarmeclipse-openocd-debian64-0.9.0-201505190955.tgz

OpenOCD Connectivity Notes:

Connecting with OpenOCD.

  1. Move to the ‘/opt/gnuarmeclipse/openocd/0.9.0-201505190955/bin’ directory
  2. Connect to the device using the following command
  • sudo ./openocd -f ../scripts/interface/stlink-v2.cfg -f ../scripts/target/stm32f2x.cfg
  3. Now you can establish a telnet session to the OpenOCD process which will let you interact with the device

Here is a successful connection attempt with OpenOCD

image5

Telnet to the OpenOCD process to access the On-Chip Debugger.

This will let you interact with the DASH microcontroller

  1. Launch a separate terminal window. Now that openocd is running (see connecting above), you can ‘telnet localhost 4444’.

Here is a successful telnet connection

image5

  1. Now run the following commands to view the device details
  • Run ‘flash banks’ command

image6

Run ‘stm32f2x unlock num’ to unlock the flash contents, where num is the flash bank number (‘stm32f2x unlock 0’ for the DASH)

  • Reboot for the unlock to take effect. To reboot run ‘reset init’

 

Once the device reboots, OpenOCD should automatically reconnect. You may have to relaunch the telnet session.

 

Unlocked Firmware Status

 image8

Dump Firmware Using OpenOCD

Run the following:

  1. flash list
  2. flash probe 0
  3. flash banks

image9

Note the size is 0x00100000 (That’s 1024KB, the size of the flash)

Run:

dump_image dash_fw.bin 0x0 0x100000

I also tried to use the location 0x08000000.

Empty Firmware Dump: In both cases, the firmware I dumped was empty. This may be due to disabling the flash protection. If you know how to disable the protection bit and recover the flash, please leave a comment.

image10

This dumps the firmware to the local directory you ran the openocd command from.

image11
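A quick way to tell whether dash_fw.bin holds real firmware or only erased flash, as an added example that is not part of the original article: the Python below classifies a raw dump and checks the Cortex-M vector table at its start. The 128 KB SRAM size, the function names and the sample image are assumptions made for the example.

```python
import struct
from collections import Counter

FLASH_BASE = 0x08000000  # STM32 main flash base (second address tried above)
FLASH_SIZE = 0x00100000  # bank size reported by 'flash banks' above
SRAM_BASE = 0x20000000   # Cortex-M SRAM base
SRAM_SIZE = 0x00020000   # assumption: 128 KB of SRAM; adjust for your part


def triage_dump(data: bytes) -> dict:
    """Classify a raw flash dump and sanity-check its Cortex-M vector table."""
    result = {"size_ok": len(data) == FLASH_SIZE, "verdict": "unknown"}
    if not data:
        result["verdict"] = "empty file"
        return result
    value, count = Counter(data).most_common(1)[0]
    result["dominant_byte"] = value
    result["dominant_ratio"] = count / len(data)
    if count == len(data):
        # Erased NOR flash reads back as 0xFF in every byte.
        fill = "erased (all 0xFF)" if value == 0xFF else f"constant fill 0x{value:02X}"
        result["verdict"] = fill
        return result
    if len(data) < 8:
        result["verdict"] = "too short for a vector table"
        return result
    # Word 0 is the initial stack pointer, word 1 the reset handler address.
    initial_sp, reset_vector = struct.unpack_from("<II", data, 0)
    result["initial_sp"], result["reset_vector"] = initial_sp, reset_vector
    sp_ok = SRAM_BASE < initial_sp <= SRAM_BASE + SRAM_SIZE and initial_sp % 4 == 0
    # The reset vector must point into flash with bit 0 set (Thumb state).
    target = reset_vector & ~1
    pc_ok = (reset_vector & 1) == 1 and FLASH_BASE <= target < FLASH_BASE + FLASH_SIZE
    result["verdict"] = "plausible firmware" if sp_ok and pc_ok else "data present, bad vector table"
    return result


def make_sample_image() -> bytes:
    """Constructed sample: a valid-looking vector table, rest erased."""
    header = struct.pack("<II", 0x20020000, 0x08000199)
    return header + b"\xff" * (FLASH_SIZE - len(header))


if __name__ == "__main__":
    print(triage_dump(b"\xff" * FLASH_SIZE)["verdict"])   # what an erased chip yields
    print(triage_dump(make_sample_image())["verdict"])    # constructed good image
```

To check a real dump, pass `open("dash_fw.bin", "rb").read()` to `triage_dump`.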

Unlock STM32 Flash (This unlocks the flash, but may wipe the firmware)

image12

Next Steps and challenges

  1. [Need to unlock firmware without overwriting] During the STM32 flash unlock process, I found the source firmware unreadable. In the ST-Link utility it appears as ASCII character 152 (ÿ). I have not been able to find a way to disable the memory protection, and also save the firmware. It is possible (see the Cottonelle firmware retrieved here: https://github.com/dekuNukem/Amazon_Dash_Button/)
  2. [3D Printers] Ok, so after soldering about (4) buttons, I am getting better at it. The problem is, it’s time consuming and the likelihood of turning it into a paperweight is high. I want to create a 3D printable model where you can insert header pins that will make contact with the (5) pins required to flash the DASH. Check out Adafruit’s article above for more detail, but the basic pins are (SWCLK, SWDATA, Vcc 3.3, Reset, Ground). Here is a link to the image (https://learn.adafruit.com/assets/27092). Also, not sure why, but someone created a fake DASH button on Thingiverse. We may be able to use this model to start: http://www.thingiverse.com/thing:766551/#files

Help!

Ok, so I need your help. In order to make Part 2 of this series, I need someone to continue where I left off. If anyone has successfully pulled the firmware and cares to share, please leave a comment below, or hit me up @ubergiek.

Comments 6

      Thanks Bjorn! I will look into getting one of the breakout boards. It has to be cheaper than my solder handiwork.

  1. Were you able to connect to the button using the ST-Link utility software with the battery still attached?
