Root, On An Amazon Echo Dot

The Amazon Echo has become an indispensable device for many people unconcerned by its privacy implications. It’s easy to forget that it’s not quite a new product anymore, with the oldest examples now long in the tooth enough to no longer receive security updates. A surprise is that far from being mere clients to Amazon cloud services, they in fact run a version of Android. This makes old dots interesting to experimenters, but first is it possible to gain root access? [Daniel B] has managed it, on a second-generation Echo Dot.

In a sense, this is nothing new, as root has previously been achieved on an Echo Dot through means of a patched kernel. Echo devices use a chain of trust boot process in which each successive step must verify the Amazon signing of the previous one. The kernel patch method breaks the ability to reboot the device with root access. [Daniel’s] method bypasses that chain of trust by using a custom pre-loader injected over USB through an exploit.

As an example, [Daniel] created a web server on his Dot, which can serve audio captured by the device. Don’t panic just yet — an analysis of the other security features suggests that this is not the dangerous exploit it might seem. It does however open up these powerful but now pretty cheap devices as potentially usable for other purposes, which can only be a good thing.

We’ve previously brought you [Daniel]’s work freeing the WiFi details from a Dot.

41 thoughts on “Root, On An Amazon Echo Dot

      1. I did have a look at the audio mixer, it looks like routing through aux should be possible. It seems to be using tinyalsa, a stripped down version of alsa, to manager audio. The main problem is that there is a process which restarts itself after being killed that uses the microphone, and on android to edit init scripts you have to unpack and repack the boot image. The led ring seems like it should be pretty useful too

        1. Well I’ve got one of these older units kicking around so if you do get the microphone audio out in a usable state that would be amazing! I think a new 3D printed mount for the microphone board with a big dead cat could be nifty. Hopefully and I get that this might be difficult, we can get individual audio streams from each microphone! Having them a separate streams would be really cool and make recording a lot more interesting.

          1. When I get a chance, I’ll take a look at modifying the boot image to get a stable mic output. If I do manage to get around the signing restrictions I’ll definitely look into porting a home assistant voice proxy and separating audio channels, when I use tinycap it seems to output a 9 channel wav file

    1. VoIP/SIP speakerphone. Actually, all those home spies are speakerphones by design and if you can reuse the firmware parts for audio processing, you’d get a really good one.

      1. I’m imagining turning the Ring of LEDs into some kind of persistence of vision display so we can output the visuals for Doom! I don’t think the resolution is going to be there but it would be funny nonetheless.

  1. Wow, this could be tremendously useful if you can stream a snippet of audio after the wake-word into an SBC running say Rhasspy. I have been using a 4-microphone array and porcupine as the wakeword engine with it and its not as sensitive and error rejecting as echo hardware and wakeword detection.
    A 2nd gen echo dot is also cheaper than just the 4-microphone array.

    1. It’s the “portable” one for us. Toddlers room or plug in a battery and take out on the balcony for music. The audio quality is questionable, but “it works” exactly as we need it to.
      Now i have a future project device…

    2. You consider Echo dots a fad? You have to be kidding me. I have one in every room (in addition to a few light switches, smoke detectors, HVAC controls, smart fridge, TVs, my car, etc.). I use them all the time for music, weather, news, and smarthome control, units convertion (and sometimes for quiz games, Google searches, phone calls, restaurant hours, etc). They are not going anywhere. Not a fad.

      1. Reminder to self: Never go to RPM’s house. Yes, i am one of those people who wouldn’t go into a house that is bugged by Google or any other company. Seriously.

          1. For Google it is certainly interesting as they can make money selling informations… :-/

            @Panic:
            FYI, i have a “standard” Casio (? – not even sure honestly) watch. It does show the time, without any internet connection, cloud, smart nonsense and integrated microphone…

        1. The privacy loophole in your doorbell
          Police were investigating his neighbor. A judge gave officers access to all his security-camera footage, including inside his home.
          03/07/2023

          Judge orders Amazon to hand over Echo recordings in double murder case
          November 10, 2018

          “Smart” homes are also potentially interesting:

          https://vimeo.com/178324074

        2. You know it doesn’t send audio to Meta/Google/Apple/LG/Samsung/etc unless it hears the wake word right? You can analyze your WiFi traffic to prove it to yourself. Do you run your own DNS? Do you route all your traffic through a VPN (that you trust)? Do you ware a mask when out in public? Everyone is being watched and recorded everywhere. No one cares. No human is reviewing all this data, there is just too much of it. I choose to use this great technology that makes my life better/fun/interesting. You can opt out due to fear of surveillance, but you are still going to be surveiled by other means unless you opt out of electricity and never leave home.

          1. Actually, pay more attention to the ads you are served and notice that some are coming strictly from conversions that you just had with people in your home. It’s uncanny.

          2. “No human is reviewing all this data.”

            Have you seen where AI is going? It will become trivial for a complete dossier to be constructed from all sources on literally everyone. Think you’re not interesting enough? Ask people in China who don’t have a “social credit score” high enough to participate in all aspects of society. Think that level of dystopia can’t happen in the west? Good luck with that…

          3. Absolutely I have a system that monitors and captures data sent from Amazon alexa and it does not capture data and send it without the wake word. Most likely your just talking about something popular and it’s coincidence. Tweekers are paranoid about that shit. If your not doing anything wrong why be concerned for real? Only people doing illegal stuff worry about that.

      2. Ditto
        Just asked it the temperature setting on the thermostat. Our 4 yo grand uses it constantly. He studies Spanish so I’ll ask alexa to translate to Spanish or Hebrew.

    3. Are you in an elderly care facility that houses predominantly conspiracy theory promoting conservatives?

      That’s really the only way I can imagine you don’t know anyone at all that still owns one of these. Like RPM said below me, a lot of people have one in every room, heck I’ve got one in every room of my house including my basement. Things are dead useful when it comes to pumping out audio / music.

  2. I bought one of these while living in UK. When i moved to Italy, the Echo service wasn’t still available there. Once Amazon Echo started its business in Italy, I asked for a software upgrade in Italian language of my old Amazon Echo Dot, since my children speak mainly Italian. Amazon replied that my old Amazon Echo Dot can only be available in English language. Go figure why.

  3. Just rooting these to make them into dumb boxes that can stream audio would at least lead to a useful re-purposing / de-eviling of a few kilotons of e-waste.

    Is there any sort of website that tracks these efforts across compatible hardware the way (fore example) the OpenWRT site curates a list of rootable devices?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.