33C3: Hunz Deconstructs the Amazon Dash Button

The Amazon Dash button is now in its second hardware revision, and in a talk at the 33rd Chaos Communications Congress, [Hunz] not only tears it apart and illuminates the differences with the first version, but he also manages to reverse engineer it enough to get his own code running. This opens up a whole raft of possibilities that go beyond the simple “intercept the IP traffic” style hacks that we’ve seen.

Just getting into the Dash is a bit of work, so buy two: one to cut apart and locate the parts that you have to avoid next time. Once you get in, everything is tiny! There are a lot of 0201 SMD parts. Hidden underneath a plastic blob (acetone!) is an Atmel ATSAMG55, a 120 MHz ARM Cortex-M4 with FPU, and a beefy CPU all around. There is also a 2.4 GHz radio with a built-in IP stack that handles all the WiFi, with built-in TLS support. Other parts include a boost voltage converter, a BTLE chipset, an LED, a microphone, and some SPI flash.

The strangest part of the device is the sleep mode. The voltage regulator is turned on by user button press and held on using a GPIO pin on the CPU. Once the microcontroller lets go of the power supply, all power is off until the button is pressed again. It’s hard to use any less power when sleeping. Even so, the microcontroller monitors the battery voltage and presumably phones home when it gets low.

[Hunz] looked at the communication stream, finding HTTP data over SPI between the microcontroller and the WiFi radio chip, and TLS-encrypted HTTPS from there on out. So he soldered in an FPGA to man-in-the-middle attack the hardware, making a beautiful hacker’s development kit out of the $5 gadget.

The old Dash buttons had SWD debugging enabled and a serial console, and the new firmware has it disabled except for a few commands, so it’s not easy to dump. So [Hunz] desoldered the SPI flash and read it externally. That gave him the firmware, minus the bootloader and some configuration storage. Next came a great trick: he wrote the same firmware to a fresh SAMG55, and the firmware worked. The chip he flashed it to had SWD debugging running, however, so he was able to work in a much more friendly environment with developer console and everything. (Brilliant!)

With a firmware dump and a running version of the system under debugging, he eventually found a hole in the audio configuration protocol — which is used to configure the device through an audio file played into the microphone like an updated version of an old-school modem. The input in the audio protocol, unfortunately for Amazon, wasn’t checked for length. Buffer overflow and a complete flash dump ensue. The video of him hacking the button with an earbud is classic.

Amazon will patch this hole sometime soon, of course, but they can’t do so if the button can’t connect to their servers. [Hunz] has said he’s not going to work on it much more, but here’s his GitHub. Have at it!

Filed under: cons, Microcontrollers