
Amazon Dash Button: Version 2


MacroFab, MacroFab, MacroFab...

It has been a while, but I just couldn't watch as people hacked their Amazon Dashes without a cute little debugging board.

DashDebugger Front

DashDebugger Back

I have had these since May of 2015... kind of. The first version I have had since May 2015. The second version, pictured above, I have had since early 2016. Both of the versions were done through MacroFab. I liked MacroFab when I did the first board but I love MacroFab after I did my second board. It kept track of the versioning, changes, and makes it feel like I am going through the various stages of product denial development.

The fact that I took so long to actually try these was a blessing in disguise. By the time I got around to testing the debuggers there was already an Amazon Dash Version 2. The first version was nice but had a Broadcom chip, which made it a little less bit-twiddler friendly. When I saw the second version teardown and spotted a glimpse of the familiar Atmel logo, I knew I had to buy a few hundred.

I gracefully tore mine down... opening the things is a pain. At first I just scored it over and over again until I was able to pry it open. I then tried applying heat (this didn't work too well). The trick that has worked 100% for me so far (15 Amazon Dashes) is just running a small flathead through the groove a handful of times until the slot has a good fit. Insert the flathead, give it a twist, and presto-change-o, you now have an open Dash and only a minute of your time lost.

DashDebugger Connected

Okay, so now you have an open Dash. Now you can take one of your V1 Amazon Dashes and steal a connector from there. The footprint is the same on both and the connector solders down in a snap. If you send me a V1 Dash and a V2 Dash, I will swap them for you.

After placing the debug connector on the V2 Dash, simply connect your DashDebugger and hack away...

Or so I thought...

It actually went more like this: get a console... a locked down console... with taunts (courtesy of the exit command), and change some LED colors. Changing LED colors is cool, but I wanted more. There are clearly other commands if you type help, but the menu for users is menu (a much less exciting menu). You can read some firmware version numbers, but that is about it. The worst part of this restricted menu was the lock bit. The menu is kind enough to expose a register that reads from the NVM of the Atmel, indicating whether or not the security bit is set. If the bit is set, you cannot touch the chip over JTAG (under normal conditions). I figured, what the heck, and gave JTAG a try anyway. Turns out it is locked (I was using the Atmel SAM ICE), and very annoyingly so, but the story doesn't end there. You might be asking yourself: okay, so it is locked, there must be a way to unlock it. To unlock the chip you must bring the ERASE pin high. This will clear the security bit as well as the flash. I didn't really care about reversing the flash; I just wanted a cute little dev board. The next step was to find pin 3, the ERASE pin.

How hard could it be? I bet the nice engineers just added a jumper or via or something that could easily be reworked.

No Caption Needed

Okay, maybe just a little caption. I had stripped all the components off a board just to reverse the entire thing, and found what I had feared. If you look at the picture above, look at pin 3 (the one with the green arrow). You can see that pin 3 (the ERASE pin) is not only tied with a via through the board but also directly to the ground pad underneath the chip. So in order to erase the microcontroller with the ERASE pin, you have to desolder the micro, cut the traces around the pad, and then solder it back down. This becomes less practical if you just wanted to write blinky for your device in assembly. That being said, I have reworked a few and have been successful on all of them (except for the one where I cut the wrong trace).

Moral of the story, I need to learn more about power and clock glitching so I can reset the NVM security bit without desoldering anything... and who knows, I just might be able to preserve the flash too.

Happy bit twiddling and let me know if you need a hand.

UPDATE: You can now purchase that cute little connector here: https://www.tindie.com/products/qbit/amazon-dash-debugger-connector/

Comments

  1. Would it be possible to drill out the via to isolate the tie to the ground plane and then put a dab of solder in afterwards?

    1. The via is one side of the issue, but if you look closely at pin three, you will see there is a small trace that connects it to the ground pad for the microcontroller. Thoughts for taking care of that without removing the IC? I am thinking of partially decapping the chip and removing the bond wire... there must be a laser and some acid around here somewhere...

  2. Awesome analysis. Thanks for the writeup! And Posting it in the other thread :)

  3. Odd thought: if you have access to pin 3, could you apply some higher than usual voltage V+ to simulate the high state? Of course the pin is grounded, but I wonder if there is a certain voltage/current, applied to the pin, that would raise it without killing everything down the line?

    1. Well, let's find out what it would take... (warning: this is a long shot).

      Assuming I was able to drill out the via (or cut the trace going to it) and the only path to ground was via the small trace going directly to the ground pad underneath the micro, let's examine some assumptions:

      trace length = 1 mm
      trace width = 0.2 mm
      copper weight = 0.5 oz/ft^2

      using this guy: http://circuitcalculator.com/wordpress/2006/01/24/trace-resistance-calculator

      The approximate resistance is 0.0097 ohms.

      We want 3.3 V on that pin. V = IR, where V is voltage, I is current, and R is resistance. We know V (3.3V) and R (0.0097 ohms).

      This means we would need approximately 340 amps to put 3.3V on pin three.

      ... That being said I think I could apply that and hopefully destroy that little trace... It is worth a shot.

  4. This comment has been removed by a blog administrator.

  5. Hello,

    thanks for your very interesting information about the Amazon dash button on your blog http://key-basher.blogspot.de/2016/09/amazon-dash-button-version-2.html

    I'm also very interested in hacking this device. Unfortunately, only the second revision with the Atmel controller instead of the STM32 is available in Germany. Life would be so easy with the STM32, because it has a convenient easy-to-use UART bootloader and JTAG/SWD would be accessible without problems (locking).

    But I would also like to be able to erase the ATSAMG55 and flash my own firmware. As you mentioned, the ERASE pin is connected to GND and therefore not accessible without desoldering, which is not a good option.

    I have read that the ATSAMG55 contains an I2C/SPI ROM bootloader. Maybe it would be possible to use that way to erase the firmware? But I don't know if erasing the flash automatically would reset the security bit GPNVM bit0 to zero?

    You mentioned that you got a command console where you could read the value of the GPNVM bit0 of the Atmel. How does this console work? Is it accessible via UART? Which pins are used and which baud rate?

    Does this console menu also show the value of the GPNVM bit1 (Boot Mode bit)? If that bit is 0, the ROM bootloader should be accessible (via NRST toggling). When the ROM bootloader is active and an initial command is sent via I2C or SPI then the flash should be erased automatically. Maybe GPNVM bit0 would also be erased then and maybe JTAG would be accessible then?

    Unfortunately I do not have a SAM ICE. Could you please check whether you can read and change the GPNVM bit1 via JTAG?
    I read in a community post that "You can clear the GPNVM Boot Mode bit via Atmel Studio -> Device Programming menu".
    http://community.atmel.com/forum/entering-bootloader-atmel-samg55-xplained-pro

    I would be glad to hear from you.

    Thanks very much.

    Best regards from Germany
    Michael

    1. Hi Michael,

      I agree the STM32 is a nice choice because of the bootloader, but then you have to use the Broadcom part. You can't officially reset the part from the console. The UART pins can be found in the DashDebugger (https://github.com/nqbit/kicad-boards/tree/master/dash_connector). The baud rate is 115200. The console shows that the bit is set and talking over JTAG does not work. I will try visiting the Device Programming menu and see if I can clear it from there. Thank you for the tip!

    2. Hello Nathaniel, hello Michael,

      I am currently collecting all the information about the Dash V2 for trying to mod it. All the information is available here:
      https://github.com/EliasKotlyar/FreeDash

      Could you please make an image of the "Device Programming" mode and provide it as a pull request? I assume that a lot of people are curious what this menu looks like.

      Looking forward to seeing any progress on this. Just got the headers, and a J-Link for debugging. Can't wait to get my hands on it.


      Greetings (also from Germany),
      Elias

  6. The UART output on my dash button looks like this:


    ---snip begin---

    **** TAOS Bootloader 0.2.11 ****

    0x00000004 ms 0x000000FB us
    Reset Trigger : FIRST POWER UP
    (APP)(INFO)Chip ID 1503a0
    (APP)(INFO)DriverVerInfo: 0x134a134a
    (APP)(INFO)Firmware ver : 19.4.10 Svnrev 12577
    (APP)(INFO)Firmware Build May 10 2016 Time 00:50:07
    (APP)(INFO)Firmware Min driver ver : 19.3.0
    (APP)(INFO)Driver ver: 19.4.10 Svnrev 12577
    (APP)(INFO)Driver SVN URL branches/WIFIIOT-1400_2
    (APP)(INFO)Driver built at Jul 15 2016 11:31:12
    DBG: Set MAC address xx:xx:xx:xx:xx:xx
    DMA OVERRUN
    (APP)(INFO)Socket 0 session ID = 1
    (APP)(INFO)Sock to delete <0>
    (APP)(INFO)Socket 1 session ID = 2
    (APP)(INFO)Sock to delete <1>
    Shutting Down

    ---snip end---


    Pressing the dash button for about 6 seconds until the blue LED starts flashing puts it in the config mode and it will stay powered on a while, so there is some time to try command input via UART.

    After pressing the ENTER key, I get a command prompt, but no menu or help page.

    The following commands work:
    reset
    shutdown
    exit (which shows a sarcastic message, but let's see who will laugh at the end ... ;-)


    ---snip begin---

    > exit

    There is no exit from here. You are stuck in a forever loop...MUAHAHAHA!

    >

    ---snip end---


    Any ideas for further commands to try?
    Which command did you use to show the state of the GPNVM bit?
    Does your button have other firmware versions with more info shown via UART?

