Inside The Amazon Dash Button

The Amazon Dash Button is a tiny WiFi-enabled device that’s a simple button with a logo on the front. If you get the Tide-branded version, simply press the button and a bottle of laundry detergent will show up at your door in a few days. Get the Huggies-branded version, and a box of diapers will show up. Get the sugar-free Haribo gummi bear-branded version, and horrible evil will be at your doorstep shortly.

[Matt] picked up one of these Dash Buttons for 99 cents, and since a button completely dedicated to buying detergent wasn’t a priority, he decided to tear it apart.

The FCC ID reveals the Amazon Dash Button is a WiFi device, despite rumors of it having a Bluetooth radio. It’s powered by a single AA battery, and [Matt] posted pictures of the entire board.

Since this piece of Amazon electronics is being sold for 99 cents, whatever WiFi radio chip is inside the Dash Button could be used for some very interesting applications. If you have an idea of what chips are being used in [Matt]’s pictures, leave a note in the comments.

155 thoughts on “Inside The Amazon Dash Button

    1. Under that QR code sticker I suspect you’ll find a system-in-package “chip” containing most likely a Broadcom Wifi network processor. The WLCSP ST ARM ‘F205-looking microcontroller, SPI flash, crystals and other clues make this look like a Broadcom WICED implementation to me, rather than e.g. Qualcomm or another chipset manufacturer.

      1. I just tried to buy more than one, now way Jose. They’re limiting it to one each and only Prime members. Three products Tide, Bounty, and Cottonelle… and dollars to doughnuts these “brands” paid a kings ransom to get their dash’s out there first..thus the 18.01 discount for the guts. Tinker On!

        1. Also the brands in question aren’t cheap. Probably only takes a couple of presses before they make their money back.

          Apart from that, I’m pretty sure it’s not designed to make a profit. More like a pilot, leading to washing machines with Tide buttons built-in. Companies will pay well to have their, and nobody else’s, button on your washing machine or fridge. Or perhaps a selection of Lever products from the washing machine’s menu (which it will have, and a colour graphical display. Colour because more consumer impact).

          Might even lead to washing machines being significantly subsidised, like mobile phones with contracts (in the UK at least, dunno about the law elsewhere, but UK mobiles can cost around 20% of their price for things like Iphones, with a terrible enough contract). Or like printers, where they make money back on the consumables (although not quite as biased as printer ink, where a quid’s worth of cartridge sells for 40 quid).

          I do worry about the mic, even though it’s got a legitimate reason to be there, and is possibly the cheapest simplest way of solving the problem it does. Still, mic + wifi I just don’t like! It’s just too tempting for Our Friends to want a backdoor into. You could design the mic to only measure pulse length, as the signal crosses zero. That’d be enough to modulate a few kbits a second. And hopefully make intelligible speech impossible. But even then, how would anyone check that? There’s surely gonna be a DAC or two on the chip, or a chip like it.

          1. The microphone (visible in the last picture here: http://www.bitsofcents.com/post/118749233621/disassembling-the-dash (the silver thing on the left)) is an InvenSense INMP441, which is a MEMS microphone that communicates over I2S, meaning it does ADC internally. It’s not programmable for pulse length detection or anything else; they’d have to switch to another microphone for that. Most likely, they’d use an analog microphone connected to the microcontroller’s ADC and do the detection using DSP in the microcontroller, which is equivalent to how they actually did it (the only difference being the location of the ADC). Filtering in analog would require more parts, meaning more BOM cost.

          2. What is the mic for? The website mentions it’s for iOS devices with bluetooth disabled, couldn’t someone just turn on bluetooth? Why wouldn’t Android have a similar issue?
            I’m intrigued why they’d add an entire component to save someone turning on BT on their phone.

          3. Hi Sarah,

            The microphone and BLE are for one time use during initial registration of the button.
            Original dash button had no BLE, only wifi + audio.

            Android allows for programmatic / automatic changing of the access point in your phone. This allows your phone to connect to the Amazon ConfigureMe network and register, swap back to your original AP and continue talking to the Amazon server without any interaction.

            The same is impossible on iOS. Apple doesn’t allow for automatic changing of the AP. The app required the user to leave the app, go to settings, connect to Amazon ConfigureMe, return to the app, continue registration. There were too many steps for the user and many failed registration. This is why audio was used and why the microphone is there. Later, BLE was added to improve upon and increase successful registration rates.

            There is nothing to worry in terms of a back door. If this device was transmitting audio literally anybody could be able to see the traffic on their network via router or via wireshark.

        2. Weird all 3 of mine have shipped already. No issues getting 3 here. Unless you meant one of each brand per person? They’re all the same inside so technically it’s still 3.

      2. My router show a connection for it at device name “WICED DHCP Client”, but it disconnects quickly. I was able to get a ping response from it if I clicked the button while the ping was running.
        Pinging 192.168.1.30 with 32 bytes of data:
        Reply from 192.168.1.18: Destination host unreachable.
        Reply from 192.168.1.18: Destination host unreachable.
        Reply from 192.168.1.30: bytes=32 time=1272ms TTL=128
        Reply from 192.168.1.30: bytes=32 time=7ms TTL=128

      1. Looks like unique identificator of device. When you press button, this number should be sent somewhere. I did something like this for devices in my company, and there were last numbers under code too (for fast visual checking and identification).

  1. On the heels of the fracas over John Deere asserting its rights via DMCA/Copyright, I’d be curious to see what poor soul gets hung out to dry for tinkering with one of these.

      1. I wonder will Amazon react the same way as Digital Convergence did when people start reverse engineering the devices?
        I have a feeling we might see these for sale at electronics surplus sites in the near future.

    1. i was going to say the same thing. Don’t worry about hacking the hardware. just listen for what it’s trying to connect to and a simple proxy server at home can redirect it to do something other then buy detergent.

    2. I’m curious what kind of secret data it contains to let you know its you buying detergent, not someone else. Some kind of smart card challenge response, or would we be lucky enough that its pre-programmed with a static key.

      1. The “one per prime member” limit would seem to indicate they are preloaded with your information. I would guess the software chain somewhere, probably at the Amazon app side, knows you clicked the button once and will send you one bottle now and emails to confirm additional purchases… e.g. Jr. decides it’s fun to press the button 10 times — per day.

        1. That would be a terribly stupid way to assemble and manufacture them. Each device probably has a unique id and hash that is communicated to amazon when the button is pressed. At the time of purchase, the unique id is associated with the amazon account.

          1. Made in China. With their habit of putting back doors in firmware, I wouldn’t want to give them access to my wifi and a microphone.

            Maybe the chinese don’t care much about what I do. But some of these devices will surely find their way into corporate environments…

          2. Nice Scaramouche, you take a legitimate concern (NSA/law enforcement) and ignore it and instead go with an insane scenario where the chinese hope to have someone install it in the pentagon laundry room or some such, and be unmonitored, and then be able to spy on all the laundry secrets… right.

            Can you be more silly in your glorious work to try to make people scared of china? I wonder if it’s possible at all.

          3. He’s right though, the Chinese government *does* put back doors in a lot of products made there, and if there’s a low cost for doing it then they can take a scattershot approach (throw out as many small exploits as possible and hope some of them stick)

            Doesn’t mean the NSA isn’t *also* usnig them for that, but if we’re talking hacking and espionage then the Chinese government is just as likely

          4. What if the NSA and the Chinese are both listening so that they can get the group discount? At this point you might as well ask them to chip in for your cellphone plan ;)

        1. In theory yes but it may not have much range but if one was doing that you should be able to find out by watching it’s network traffic.
          If it’s sending audio back to a sever you should see several megabytes of traffic from it vs a couple of kilobytes.

          1. Depends how chatty you are. It could default to a low-bitrate audio, and turn off during silences. If Our Friend wants better audio, they could ask the device to send a higher-bit version.

            You might notice the traffic on your router, unless your router’s been made to hide transactions to certain destinations. Running your own firmware might combat this, but ultimately without scanning-tunnelling eyesight you can never truly know what’s happenning in there.

            Or maybe a van parked outside has it’s own Wifi connection, or a custom 2.4GHz link, the device only activating when it’s instructed to.

          2. If this thing was sending audio to wifi, it would last about an hour, max 3h. When not used it’s in deep sleep and only starts radio after button press. After several seconds it turns off again or battery would be exhausted. This way it can function for several years.

          3. It depends. There’s certainly lots of ways to do low-power radio and processing. Cherry have those buttons with a little magnet and coil inside that generate their own current. I think it’s Bluetooth compatible, tho it normally uses a custom protocol.

            Compressing the audio and missing out silent parts, on-demand transmission, and stuff like that, could stretch it out a lot further. Yes a constantly-on Wifi link would suck power. But you don’t need to do that. Sure if we used our brains we could invent something equivalent between us. Not that we should, but I’m saying there’s lots of useful technology.

            Then again, what’s the point in worrying when we actually know mobile phones have a secret backdoor in them to spy on the user all the time? I might pay money for a phone with a simple switch on the mic. Home-made phones are getting there, and the radio modules they use don’t have obvious mics on them.

    1. Dash Button is simple to set up. Use the Amazon app on your smartphone to easily connect to your home Wi-Fi network and select the product you want to reorder with Dash Button. Once connected, a single press automatically places your order. Amazon sends an order alert to your phone, so it’s easy to cancel if you change your mind. Unless you elect otherwise, Dash Button responds only to your first press until your order is delivered

  2. From Amazon : Note: You may need to increase your iPhone volume, since Dash Button uses ultrasonic tones to sync with your iPhone during setup.
    So that’s how it transfers the SSID & Password to the button.

    1. That’s freaking clever! That’s up there with the hookup link for the electric imp- it uses a photoreceptor to receive flashes of black/white from the screen.

      I wonder if there’s any sort of injection attacks you could preform on it through the audio interface.

          1. I also had one of those – it flashed lines on your computer screen like a bar codes, to load in the data to the watch. It was kind of neat at the time, a bit geek-like, but I thought pretty creative. Unfortunately, if was very limited in memory (I think 1k maybe?), and you had to watch every byte you used.

    2. They’re fibbing a bit here, it doesn’t use ultrasonic anything. My scope reads somewhere around 120Hz carrier and it looks to use amplitude modulation.

      1. You know – this is a really stupid thought, the microphone part – it they rectified the output they could use it to charge the battery with it, I know that’s weird, but think about it – it’s always going to be near a washing machine most likely – then there will always be sound energy to convert, thus a universal solar cell if you will, even in the dark, since they can’t guarantee it will be in the light. I know – stupid. But to convert the audio and send packets with that information would take a lot of power from shear volume, even if you notch filtered the audio – and the transmission part would be the most power consumption section I would guess. So it most likely would power down fairly quickly, why would they want that? I would think they would like this device to operate as long as possible.

  3. I just posted on the origin page, as I would love to get more details:

    “I notice in the screen shot that what is probably the WiFi chip has a sticker with a QR code and ‘9004’ on it. I scanned the QR code. It’s just a serial number: 1515OZ039004.

    1) If you remove that sticker (you’ll probably need head cleaner), what does it say underneath?

    2) Would you be able to get better shots of U5 and U6, the two chips without stickers on them? Perhaps if you change the lighting, we could see the serial numbers.”

    I hope to get a reply.

  4. Well, we know it is not TI chip since it does not have the SimpleLink feature. So, what is under the label with the QR code?
    I wonder if this chip is even simple than the ESP, since even that can be configured via wifi.

    Now, I hope anyone understands that this HW does not actually cost 0.99.

  5. “Get the sugar-free Haribo gummi bear-branded version, and horrible evil will be at your doorstep shortly” That’s why that particular button comes in a set with a toilet paper button, a preparation H button, an advil button and a gatorade button.

      1. esp8266+button+enclosure+battery is gonna run more(atleast more than the invited beta) and the dash sleeps most the time so the esp8266 will prolly not get anywhere near as good battery life

        1. yes, like I said, it costs 0.99 only because amazon makes money otherwise. So, unlike the ESP which is available with easy to access GPIO(not like the dash) there might be some availability restrictions on getting a dash. I know I cannot get one here in europe yet.

        2. Exactly this, i run a trivia type event about once a year, and for this past year i was able to make a wired buzzer system for it, using stupid parts. I costed it out to switch to the esp8266, and it would be about $7.00-8.00 per unit for a single button. It was cost of the chip $3.50, button $0.35, AAA 0.50 and a 3.3 volt step-up converter ebay has them at 2.20, 3d printed cases could be $1.50. I opted against this upgrade but if the dash becomes programmable, i’ll be getting a bunch of them.

          1. well, if you are really into a lot of soldering, than there are plenty or radios that would cost less. like the famous nrf24l01 is about $1 and you could plug in a simple <$1 microcontroller and this could actually work off a coin cell. But you will probably trade development time over parts cost.

          2. You could skip the AA plus voltage regulator and use a single CR2032. At 3V nominal it is within the voltage tolerance of the ESP8266, it’s small and cheap. Alternatively an ATTINY CPU and an nRF24L01 would probably work, and for less money.

          3. >>CR2032

            This sound great in theory, but the reality is there is not enough current in a CR2032 to get the ESP to even power up correctly.
            Yes, I did try this and it does not work.

          4. @Don,
            Yes, the 2032 cannot supply such high current. I have checked datasheets for larger cells, 3032, 2450 etc and all seem to crash with just a few mAs of load. I would say AAA is about as small you can go with these, or some high discharge rate Lithum accu.

          5. you know for a trivia thing i’d prolly go the lazy route – make it a web page and the contestants access via the smart phones 99% of them have on them anyway… just have a unique id string in the url for each team/contestant looking at the server side would show who buzzed-in/answered first, etc. you could even do it on the cheap using a rapsberry pi or similar device as the “server”.

    1. Looks like regular price is $5, which is a bit more than the cost of an esp8266 and a couple AA cells (but not lithium AA)
      If they keep the price at 99c, anyone that uses lithium aaa cells would save money just on scavenging the battery; a 2-pack of energizers sells for over $6 on Amazon.

  6. If you can reflash these, you’re looking at what could be the most inexpensive security system ever…

    Microphone is by itself a detector but desolder and add a magentic sensor for windows/doors or just basic contact. buy lots – every window/door is secured by a silent alarm. wifi door-bell. light-press button for wifi enabled lamps or enable lamps with wifi :).

    posibilities are endless.

  7. For a single function for indoor use, isn’t this tpp complex? Couldn’t button devices simply send a preset unique ultrasonic tone and then be detected by a companion usb microphone dongle plugged into the PC, Raspi or whatever. Or is ultrasonic communication too range limited? (Sorry if the answer is obvious, I don’t know the first thing about ultrasonic devices.)

    1. The nice thing about using WiFi is that (as long that you don’t shut down your router), you don’t need any external hardware running. Yes, ultrasonic sounds don’t travel overly far, and you don’t get hell of a bandwidth, so telling your button from the ones of your 100 neighbors might get a bit hairy at the point where ultrasonic communicators get popular.

      If you wanted a companion device based solution, you’d probably simply stick with ISM band (e.g. 433MHz) RF comm — chips are dirt cheap, and PCB trace antennas are much cheaper than microphones, and you’d typically need a fraction of the transmit power.

      1. yes, WiFi has the advantage of being there almost everywhere. And for the dash, it is easy to make a very low power solution since it needs to operate only very occasionally. I would not be surprised if battery life can be 5+ years for it.

  8. I’ve heard the planned German version is mains powered, with a case made of cast iron, water proof up to a depth of 100m, water cooled, GPS enabled and delivers a years supply of Uberweiss to your door upon the button being pushed.

    For now, its US only :(

  9. With comcast replacing everyones router with a router / wifi access point, things like this could easily communicate.

    Haven’t looked lately, but I think we now have three or four comcast wireless APs in this building alone.

    They want you to replace your old router to “take advantage of better features”, I personally don’t want one. Also not real willing to pay for the electricity to run their wireless… This place is already drowning in wireless devices :-).

  10. People keep asking how it gets wifi information but it’s already been figured out guys, amazon app on your phone programs it via sound cues as data, this sets the SSID and password for it to use from then on. Now no more phone is needed and it ‘just works’

    1. Update: I got mine and actually a bit confused, though-out the setup it never asked me to place the button near my phone, instead I put it into a pairing mode by holding the button and I think it did the SSID assignment and PW over wifi through the amazon app. Also these buttons are indeed “Product locked” to their distributors, while you are setting it up it brings you a pre-selected list of what you can buy with that particular button (lame, but predictable… I wanted to set one up to buy 0.1″ headers on demand!).

      So the unique serial of each pod seems to be registered with amazon and they know what product line it’s assigned to be able to purchase, I’ll bet each pod is running completely identical firmware otherwise.

        1. I’d rather get the actual protocol handler from the dalvik based app and write a handler in about a third of the time..

          or dump the firmware and signature match libraries in IDA and back-trace the protocol handler, and spend a lot of time reversing it. Unless Amazon provides firmware updates then just eliminate dumping.

  11. These just went on sale to everyone for $5 a pop. Would be great to see some reverse engineering kick back up. Existing dedicated “do anything” buttons are way too expensive.

  12. So, I may be crazy or dumb, but it appears to me that the Dash buttons have two MAC addresses.

    I lock down my router by MAC address. So before I “linked” the button to my WiFi network I pressed the button for ~6 seconds while doing a wireless survey. The SSID shows up as “Amazon ConfigureMe” with a MAC address. I then entered that MAC address to my routers whitelist.

    I then went thru the process of adding the Dash button using the Amazon app on my Android phone. The Android phone recognized the Dash button, I got to the point to where I enter my WiFi password and then nothing. The app would not connect to the Dash.

    I then turned off the MAC address whitelist, so any MAC address could connect, ran thru the Amazon app to add the Dash button and it connected.

    I then did another pressed the Dash button while doing a wireless survey and a MAC address appeared and it was different.

    I had the same results for 5 Dash buttons. Here are two example MAC address prefixes before and and after they were associated.

    Cottonelle:
    Before linked: 6C:0B:84:2E:63:F4
    After linked: 74:C2:46:15:3A:7E

    Tide:
    Before linked: 6C:0B:84:30:49:13
    After linked: 74:75:48:2D:3E:C7

    Can anyone else confirm this?

    1. I didn’t experience this. Maybe your wireless survey revealed the Bluetooth MAC Address instead of the WiFi MAC Address. They do differ.
      Since I also filter my network by MAC Address I had to find out what it was before I could configure it. Your post helped me though. Here are the steps I took:
      – Hold the button on the Dash for 6 seconds until the blue button glows.
      – Connect to the “Dash ConfigureMe” network from a WiFi device.
      – Use a browser on that device to navigate to 192.168.0.1
      – And then copy the MAC Address from the info page that appears.
      – Then add that MAC Address to the allowed list on your WiFi router. And then complete the Dash setup in the Amazon app.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s