Reverse Engineering Amazon Echo Digital Signal with a Logic Analyzer

  • Added 29. 12. 2022
  • In this video, I show how to analyze unknown digital signals on an Amazon Echo with a logic analyzer. Also, I use magnet wire to solder onto extremely small pads to read the signal.
    Louis Rossmann's YouTube channel:
    / @rossmanngroup
    saleae-logic2 program:
    aur.archlinux.org/packages/sa...
    IoT Hackers Hangout Community Discord Invite:
    / discord
    🛠️ Stuff I Use 🛠️
    🪛 Tools:
    XGecu Universal Programmer: amzn.to/4dIhNWy
    Multimeter: amzn.to/4b9cUUG
    Power Supply: amzn.to/3QBNSpb
    Oscilloscope: amzn.to/3UzoAZM
    Logic Analyzer: amzn.to/4a9IfFu
    USB UART Adapter: amzn.to/4dSbmjB
    iFixit Toolkit: amzn.to/44tTjMB
    🫠 Soldering & Hot Air Rework Tools:
    Soldering Station: amzn.to/4dygJEv
    Microsoldering Pencil: amzn.to/4dxPHwY
    Microsoldering Tips: amzn.to/3QyKhrT
    Rework Station: amzn.to/3JOPV5x
    Air Extraction: amzn.to/3QB28yx
    🔬 Microscope Setup:
    Microscope: amzn.to/4abMMao
    Microscope 0.7X Lens: amzn.to/3wrV1S8
    Microscope LED Ring Light: amzn.to/4btqiTm
    Microscope Camera: amzn.to/3QXSXsb
    About Me:
    My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
    - Soli Deo Gloria
    💻 Social:
    twitter: / nmatt0
    linkedin: / mattbrwn
    github: github.com/nmatt0/
    #iot #soldering #hacking #embedded_systems #microscope
  • Science and technology

Comments • 30

  • @brianbirkerd8206 1 year ago +10

    You look like a teenager with that cap 😂

  • @ctbrahmstedt 1 year ago +30

    Crank up your sampling rate. 500KS/s is only 50 samples per 0.1ms frame. A 115200 baud rate would be 11.5 bits per 0.1ms per frame. ~4 samples/bit may be masking a higher frequency bitrate. Do a quick capture at 5Mbit to see what the signal bit rate is and then dial back from there.

  • @billheckel3891 1 year ago +45

    I do not think that 76800 is the correct baud rate. Note the bit position indicators drift in relation to the rising edge. Measure the time between rising edges to find the bit time.

  • @Scyth3934 1 year ago +4

    The volume on this one is much better than your last one. FYI you can see how loud it should be by checking "stats for nerds". If the "content loudness" is negative it means your audio is too quiet and if it is positive it means it is too loud.

  • @FAKEAXIS 1 year ago +8

    There are a lot of products with hidden stuff that we will most likely get no access to. I have a JBL Google Home speaker that I know can accept digital audio through its micro-USB port, but that was because it was hooked up to some black box thing in a retail display. I would love to get low latency aux in to this speaker one day as it sounds great.

  • @Anx181 1 year ago +19

    Hey Matt, great vid!
    I was one of the people commenting on your previous videos recommending you to get a new microphone
    I think the new mic / mic balance is great now, I think it’s a big improvement over previous videos
    Great content and keep hacking brother

    • @gorak9000 1 year ago

      Is this an ASMR channel, or a hardware reverse engineering channel? Pretty sure how the mic sounds is 99% irrelevant for the point he's getting at here.

    • @Anx181 1 year ago +1

      @gorak9000 Regardless of the type of content he’s making, in the previous videos his microphone was so harsh. It made it very difficult to watch, especially on a TV or good headphones.

    • @gorak9000 1 year ago +2

      @Anx181 Ok, I see what you mean - I went and checked some older videos - the video on arp poisoning has pretty hard to listen to audio. It's not so much the quality of the microphone so much as the level was set too high and it's continually clipping and distorted. That's not really fixable post-processing wise. Yes, clipped and distorted audio is very hard on the ears no matter the playback volume.

  • @Hexnano 1 year ago +5

    Already becoming one of my favorite tech channels!!! Can't wait to see you hit 1k subs and then even more ✌

  • @campbellmorrison8540 1 year ago +3

    I don't even know what an Amazon Echo is but it's great to see the upcoming generation digging into this stuff. Good luck on getting some kind of interaction. I have to agree with the comments below: 76800 doesn't seem right and I suspect your sampling is too slow. Personally I would connect a scope to the line to see what it's really doing before trying to use a logic analyser.

  • @Aaron_Dayton 1 year ago +11

    Hi Matt,
    You would be able to determine the baud rate based off the period of a single bit's width.
    That way you can get it right on the first try and no guessing. Cheers.
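
Added example, not from the video or from any commenter: the edge-timing approach suggested in the comments above, sketched in Python. The 115200-baud test signal (one `A` byte, 8N1), the function names and the 0.2-bit residual threshold are assumptions constructed for illustration; a real capture would supply the edge timestamps from the logic analyzer's export.

```python
from statistics import median

STANDARD_BAUDS = [9600, 19200, 38400, 57600, 76800, 115200, 230400, 460800]

def uart_edges(data, baud, sample_rate_hz):
    """Constructed input: 8N1 edge times (s), quantised to the sample clock."""
    levels = [1]  # idle-high line
    for byte in data:
        levels += [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    slots = [i for i in range(1, len(levels)) if levels[i] != levels[i - 1]]
    return [round(i / baud * sample_rate_hz) / sample_rate_hz for i in slots]

def pulse_widths(edge_times):
    """Time between consecutive edges, rising or falling."""
    return [b - a for a, b in zip(edge_times, edge_times[1:])]

def estimate_bit_time(edge_times, tolerance=0.4):
    """Median of the pulses close to the shortest one (taken as one bit)."""
    widths = pulse_widths(edge_times)
    limit = min(widths) * (1 + tolerance)
    return median(w for w in widths if w <= limit)

def analyse(edge_times, sample_rate_hz):
    bit_time = estimate_bit_time(edge_times)
    baud = 1.0 / bit_time
    # NRZ/UART pulses are whole multiples of the bit time; a large residual
    # means the capture is undersampled or the line is not plain UART.
    ratios = [w / bit_time for w in pulse_widths(edge_times)]
    worst = max(abs(r - round(r)) for r in ratios)
    return {
        "baud": baud,
        "nearest_standard": min(STANDARD_BAUDS, key=lambda b: abs(b - baud)),
        "samples_per_bit": sample_rate_hz * bit_time,
        "worst_residual_bits": worst,
        "fits_nrz": worst < 0.2,
    }

if __name__ == "__main__":
    for rate in (500_000, 5_000_000):
        print(rate, analyse(uart_edges(b"A", 115200, rate), rate))
```

On the constructed signal, the 5 MS/s capture gives about 43.5 samples per bit and pulses that fit whole bit times, while the 500 kS/s capture gives about 4 samples per bit and a half-bit residual, so the bit grid no longer lines up with the edges.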

  • @larrybud 2 months ago

    Sounds great!

  • @erlendse 1 year ago +5

    Probably I2C. The signal looks too regular and is probably a clock. The resistors may be pullup.
    You would need both lines to get the data if so (the other is likely data).

  • @r3dll 1 year ago +3

    ayyy matt
    great content for a small channel, keep hacking forward

  • @TomStorey96 1 year ago +2

    Agree with a couple of others here that this is not UART. The signal is too repetitive to be transferring anything useful, it looks more like a clock to me.
    With two signals next to each other like that it could be the clock side of I2C, or if it really is something then it may be one half of a differential pair.

  • @borontv6400 1 year ago +2

    I'm hoping I can learn how to interpret UART from videos like this!
    I have a Smart Appliance with IoT functionality and consumable cartridges. (I want to refill my own cartridge)
    I have successfully captured the signals between the cartridge reader by tapping into the UART lanes exactly as you were able to.
    I'm essentially stuck where this video leaves off.

    • @mattbrwn 1 year ago +1

      I highly suggest the book: Attacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation.
      The next step after getting bytes is to try to make sense of the binary protocol in use. That book is a good intro to reverse engineering binary protocols.
      Then you might want to look into if you can program something like a Raspberry Pi Pico to send the same UART data you observed from the 1st party cartridge to the appliance.

  • @t67m 1 year ago +2

    The pulses mostly appear to have a 1:2 or 2:1 Mark-Space ratio, so I don't think this is a UART, but maybe even some form of Manchester coding, or the control signal for a NeoPixel LED.

  • @siosinv3851 3 months ago +1

    Hey @Matt what papers or publications did you use to help you out on this?

  • @benjaminlarsson8685 1 year ago +8

    76800 sounds bogus to me. Try with pulseview/sigrok instead.

    • @gorak9000 1 year ago +2

      I don't see why the decoder would need to know the baud rate in an offline analysis of an asynchronous signal to begin with. All it needs to look at is edges, and perhaps the duration between the edges (depending on what signaling standard is in use - RZ, NRZ, Manchester, etc). Baud rate is only relevant for real-time decoding, not offline analysis after the fact. Clearly a decoder written by a CS person that has some lack of understanding how the hardware actually works. Also, I'd trace where those lines go, and look up the datasheet - there's no point reverse engineering what's most likely a list of commands in the datasheet of whatever it's talking to. And yes, I'd also vote to use Sigrok rather than proprietary Saleae software - I'm surprised that the Saleae software even works with the $12 clones - I thought they got super anal about that a few years back.

  • @arie1293 1 year ago +1

    The Xbox One S has a paired optical drive to the console which makes it impossible to replace the disc drive without moving the old daughterboard into the new drive. In some cases users have replaced their drive without this understanding and lost the old drive, making their console completely inoperable following a software update. It would be fantastic if a logic analyzer could be used to understand the serial number reporting back to the console and create a modchip of sorts that could report the correct serial number and fix consoles with this type of problem.

  • @jonnyphenomenon 1 year ago +4

    How did you "discover" that signal in the first place?

    • @mattbrwn 1 year ago +1

      Great question.
      I poked around the board with a multimeter first looking for any voltages that looked interesting. That coupled with the fact that these pads were next to the CPU made them interesting enough to look at with the logic analyzer.

    • @jonnyphenomenon 1 year ago

      @mattbrwn Oh, were they test pads? I couldn't see through the puddle of solder. I've been doing a little hardware hacking lately with my students. Mostly just looking for UARTs in IoT things so we can get a shell into them and look for exploits and vulnerabilities. It's amazing how much they leave wide open. You know, since those devices have an FCC ID, there are records of them on the FCC page including close up photos of all the circuit boards inside. I usually start there to see if anything stands out as a possibility, before I actually take something apart.

  • @EinSwitzer 1 year ago +2

    Just don't freak out when you see brain monitoring stuff and it's real and if you try to talk about it things happen!

  • @asdhuman 1 year ago +3

    Maybe 86400?

  • @DopeSaladz 1 year ago +1

    You should reverse engineer a gaming console like a new Xbox or PS4 or ps4

  • @FUKTxProductions 1 year ago +2

    lol using Amazon to order hardware to hack/reverse Amazon hardware