Rooting of the Amazon Gen 3 #15

Open
phodina opened this issue Aug 28, 2023 · 16 comments

@phodina

phodina commented Aug 28, 2023

Hi,

could you recommend a way to root the Amazon Gen 3? It has a hidden USB on the board.

I'm waiting for a PCB to arrive though atm I have a working cable soldered to the board and can access the fastboot.

https://gitlab.com/phodina/echo-debug-gen3

@Dragon863
Owner

Hi! As far as I'm aware, the 3rd gen uses an MT8516 SoC instead of the MT8163 that the second gen has. To root it in the same way you would use the following process:

  1. Dump the internal flash, using either a modified amonet or by soldering to the board
  2. Patch the preloader to allow booting an unsigned lk
  3. Patch the lk to make the device appear to be unlocked
  4. Flash the modified files back to the device
  5. Use mtkclient to pass the modified preloader each boot

I don't have a 3rd gen echo so unfortunately I cannot test anything for you, but if you can get mtkclient to work on it (pass the preloader with the --preloader and then the path to your dumped preloader) then it shouldn't be too difficult.

@phodina
Author

phodina commented Aug 28, 2023

Okay, thanks @Dragon863 . I'll try to get it working!

@Dragon863
Owner

No problem! I'll leave the issue open for a few weeks in case you make progress so that others can benefit, we could potentially integrate it into this tool if you do get it working. Good luck!

@phodina
Author

phodina commented Aug 28, 2023

I assume I also need to short circuit the eMMC data pin to ground right to trigger the bootrom based on the debug messages I get.

# ./bootrom-step.sh 
Init bootrom...
Please short the emmc as instructed in the article or readme.
[2023-08-28 21:04:50.758922] Waiting for bootrom
[2023-08-28 21:04:58.316020] Found port = /dev/ttyACM0
[2023-08-28 21:04:58.354981] Handshake
[2023-08-28 21:04:58.376507] Disable watchdog
[2023-08-28 21:05:03.382413] wrong handshake response, probably in preloader
[2023-08-28 21:05:03.384059] Waiting for bootrom

# ./mtk printgpt
MTK Flash/Exploit Client V1.6.2 (c) B.Kerler 2018-2023

Preloader - Status: Waiting for PreLoader VCOM, please connect mobile

Port - Hint:

Power off the phone before connecting.
For brom mode, press and hold vol up, vol dwn, or all hw buttons and connect usb.
For preloader mode, don't press any hw button and connect usb.
If it is already connected and on, hold power for 10 seconds to reset.


...........
Port - Device detected :)
Preloader - 	CPU:			MT8167/MT8516/MT8362()
Preloader - 	HW version:		0x0
Preloader - 	WDT:			0x10007000
Preloader - 	Uart:			0x11005000
Preloader - 	Brom payload addr:	0x100a00
Preloader - 	DA payload addr:	0x201000
Preloader - 	CQ_DMA addr:		0x10212c00
Preloader - 	Var1:			0xcc
Preloader - Disabling Watchdog...

@Dragon863
Owner

Yes, at least on the 2nd gen that forces it into bootrom mode

@phodina
Author

phodina commented Aug 28, 2023

Here's the disassembled base board with the RF cage removed.

In the center there's the MT8516 SoC. On the left there's probably DDR memory from the manufacturer Nanya and on the right there's probably eMMC memory.

I'll try to probe the pins of the exposed components around the chip.

image

@VictorBarros28

VictorBarros28 commented Aug 31, 2023

> I assume I also need to short circuit the eMMC data pin to ground right to trigger the bootrom based on the debug messages I get.

Hi, @Dragon863, first of all, thanks for the solution!
I'm new to this type of mod and I have a lot of questions, would you mind helping me out?

I get the same "wrong handshake response, probably in preloader" after "Disable Watchdog" message (using echo dot 2nd Gen).
I didn't shorten any part of the circuit, is that why I get the error message?
If so, would you mind pointing out which elements should be shortened?
I believe 'https://dragon863.github.io/blog/mainboard.jpg' refers to a fire tv instead of an echo dot 2. Thanks!!

@Dragon863
Owner

@VictorBarros28 That error is what you can expect if you don't short the board, as it won't boot into the mode that this tool requires. The picture linked is from the main board of the echo, to get to it you will need to pry off the metal cap on the main PCB using a flathead screwdriver, if you get a small piece of aluminium foil and put it in the area surrounded by the red box in the image before plugging in the echo it will put it in the appropriate mode. It might take a few tries, but if it doesn't work at first just adjust the foil and replug the echo.

@VictorBarros28

VictorBarros28 commented Aug 31, 2023

> @VictorBarros28 That error is what you can expect if you don't short the board, as it won't boot into the mode that this tool requires. The picture linked is from the main board of the echo, to get to it you will need to pry off the metal cap on the main PCB using a flathead screwdriver, if you get a small piece of aluminium foil and put it in the area surrounded by the red box in the image before plugging in the echo it will put it in the appropriate mode. It might take a few tries, but if it doesn't work at first just adjust the foil and replug the echo.

Worked, thanks a lot! But now, after this, I'm getting:

[15:01:05] Init crypto engine
[15:01:05] Disable caches
[15:01:05] Disable bootrom range checks
[15:01:05] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
[15:01:05] Send payload
[15:01:05] Let's rock
[15:01:05] Wait for the payload to come online...
[15:01:06] all good
[15:01:06] Check GPT
Traceback (most recent call last):
  File "", line 198, in run_module_as_main
  File "", line 88, in run_code
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet_main.py", line 3, in
    amonet.main()
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet_init.py", line 219, in main
    switch_user(dev)
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet_init_.py", line 131, in switch_user
    block = dev.emmc_read(0)
            ^^^^^^^^^^^^^^^^
  File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet\common.py", line 180, in emmc_read
    raise RuntimeError("read fail")
RuntimeError: read fail

@Dragon863
Owner

@VictorBarros28 I also encountered that when testing, again retrying a few times usually sorts it. Would you please open a separate issue if that doesn't sort it to keep this one on topic and so I can assist you further? Thanks

@VictorBarros28

> @VictorBarros28 I also encountered that when testing, again retrying a few times usually sorts it. Would you please open a separate issue if that doesn't sort it to keep this one on topic and so I can assist you further? Thanks

Of course! Ty

@gptlang

gptlang commented Nov 26, 2023

@phodina

Were you able to get a root & does it require disassembling it?

> need to short circuit the eMMC data pin

@gptlang

gptlang commented Nov 26, 2023

I just realized that I have an Echo Pop rather than Dot. Is there a way to root that?

@janstadt

janstadt commented Mar 8, 2024

Would be great if this was expanded to the echo flex devices. Any ideas if that’s possible?

@Dragon863
Owner

Dragon863 commented Mar 8, 2024

> Would be great if this was expanded to the echo flex devices. Any ideas if that’s possible?

According to this article it uses a different CPU from the dot gen2, but it looks like it runs the same / similar software and in theory it may be possible. You'd have to be VERY careful shorting anything though, given that its PSU is operating from mains, so I'd advise against trying unless you know exactly what you're doing. I personally don't own one so I wouldn't be able to test anything.

@KowalskiStan

> @VictorBarros28 That error is what you can expect if you don't short the board, as it won't boot into the mode that this tool requires. The picture linked is from the main board of the echo, to get to it you will need to pry off the metal cap on the main PCB using a flathead screwdriver, if you get a small piece of aluminium foil and put it in the area surrounded by the red box in the image before plugging in the echo it will put it in the appropriate mode. It might take a few tries, but if it doesn't work at first just adjust the foil and replug the echo.
>
> Worked, thanks a lot! But now, after this, I'm getting:
>
> [15:01:05] Init crypto engine
> [15:01:05] Disable caches
> [15:01:05] Disable bootrom range checks
> [15:01:05] Load payload from brom-payload/build/payload.bin = 0x45C0 bytes
> [15:01:05] Send payload
> [15:01:05] Let's rock
> [15:01:05] Wait for the payload to come online...
> [15:01:06] all good
> [15:01:06] Check GPT
> Traceback (most recent call last):
>   File "", line 198, in run_module_as_main
>   File "", line 88, in run_code
>   File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet__main.py", line 3, in
>     amonet.main()
>   File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet__init__.py", line 219, in main
>     switch_user(dev)
>   File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet__init__.py", line 131, in switch_user
>     block = dev.emmc_read(0)
>             ^^^^^^^^^^^^^^^^
>   File "C:\Users\victo\Downloads\EchoCLI-main\internal\amonet\amonet\common.py", line 180, in emmc_read
>     raise RuntimeError("read fail")
> RuntimeError: read fail

I am getting the same thing @Dragon863 did you fix @VictorBarros28
