Close
0%
0%

Exploring Amazon Dash Button

Documenting Amazon's inexpensive IoT button

Similar projects worth following
This project aims to document the technical details of Amazon Dash Button for those who want to tap into the potential of this inexpensive yet powerful IoT device.

Please do feel free to contribute or ask questions if you have something to share.

See github of this project for up-to-date high resolution images of the circuit board, pinout, data sheets, and serial debug outputs.

Below is the pinout of the circuit board I figured out so far.

  • WiFi module information

    dekuNukem05/18/2015 at 00:05 2 comments

    The WiFi module used in Amazon Dash button is Broadcom BCM943362WCD4. As can be seen below:

    The crystal, microcontroller and wifi module are exactly the same.



    It is supported by Broadcom's WICED SDK and IDE, which can be found in github here. Definitions and schematics of this particular module can be found here. JTAG headers are broken out in the testpads above so it should be easy to reprogram.

    And also if you can register an account, there are tons of information at Broadcom's official website here.

  • Flash Dump and Debug Output

    dekuNukem05/17/2015 at 21:15 0 comments

    Here is the firmware of a cottonelle button, dumped using ST-Link v2:

    https://drive.google.com/file/d/0B3Uf26cVOCONTjFONkgzZzVhWms/view?usp=sharing

    Skipping through the firmware and sure enough there are some juicy bits inside:

    As for the debug serial output under a number of situations, see here.

  • Blinking LED on Dash Button

    dekuNukem05/16/2015 at 00:54 1 comment

    First of all take a look at the GitHub of this project for pinouts and other information. I spent sometime figuring out the connection and testpads on the circuit board, fortunately Amazon has all the important signals broken out, including SWD signals for the microcontroller and JTAG for the wireless module. So it's very easy to hook up your favourite programmer and upload your own program into it. I used the ST-Link v2 on a discovery board to upload a blink program to the Dash Button:

View all 3 project logs

Enjoy this project?

Share

Discussions

pentestman03 wrote 09/22/2019 at 07:06 point

quick question from a beginner, with the flash dump data, is there a specific vulnerability that was exposed? or is there any data disclosure that was supposed to be encrypted that was not?

  Are you sure? yes | no

jlbrian7 wrote 03/16/2017 at 01:04 point

good job!

  Are you sure? yes | no

displacer2 wrote 07/09/2016 at 13:20 point

i have the Glade dash button thanks to the wife and it contains BLE. I confirmed this by connecting to my phones BLE. I have yet to see any info on this, I haven't started a teardown to get an answer (way too many other projects going on). Is there any info out there on the BLE element of the dash? As a side note, not all buttons have this as stated by amazon, but as I said above, the Glade button does contain it. So has anyone looked into this? I'll get to a teardown some day but if there's already info out there please point me in that direction

  Are you sure? yes | no

Ubergiek wrote 05/16/2016 at 18:34 point

I just received my Amazon IoT Dash button today. If someone hasn't already, I would like to pull the firmware off, and flash the other Product Dash buttons i own. The new firmware will allow you to upload cert/connect to Amaon IoT. Anyone happen to pull the firmware already?  Thanks!

Ok, quick update, I was able to successfully flash cottenelle.bin to validate the process for a different dash button, however I f'ed up my IoT button. The hardware appears to be the same, but I shorted something during soldering. Hoping someone else can successfully dump the firmware for the IoT button.

  Are you sure? yes | no

Yu-Jye(Jerry) Tung wrote 10/21/2015 at 22:35 point

I also tried to dump the firmware on the Amazon Dash by accessing the JTAG pins on the board, but I got the read-out protection error. How did you bypass read-out protection? 

  Are you sure? yes | no

Ubergiek wrote 05/22/2016 at 18:46 point

If you are using openpcd, once you open your telnet session, you should be able to use 'stm32f2x unlock num', where num is the number returned from 'flash banks'

  Are you sure? yes | no

bushing wrote 08/14/2015 at 13:02 point

I can't find anywhere else to leave this info, but analysis of Cottonelle.bin shows that the Dash button is using ThreadX as an RTOS and NetX as a TCP/IP stack, together with the WICED SDK.  It's going to be hard to write firmware that replaces the original firmware without at least using the WICED SDK, which contains a big binary blob that is the wifi firmware.   You'd have to replace the RTOS with something else.

  Are you sure? yes | no

BottomUpTelemetry wrote 06/26/2015 at 14:29 point

What battery does it use?

It works 100% off?

How long the battery?

which chip code power supply?

谢谢·

  Are you sure? yes | no

swapan wrote 05/18/2015 at 05:32 point

Most important for me to note is the ADMP441 chip embedded in there, are they listening to us secretly ? Is this a trojan, intended for something else ?

  Are you sure? yes | no

Brandon Harris wrote 05/22/2015 at 20:29 point

It doesn't seem so.

They use the ADMP441 microphone for setup (your phone sends the SSID/Password as a series of 18KHz pulses). There's some possibility that they can make a recording when you push the button (think voice commands) but given the size of the battery and that it is non-replacable they power off as much as possible when the device is not in use.

  Are you sure? yes | no

Starhawk wrote 05/17/2015 at 21:38 point

Very cool :) Good luck!

  Are you sure? yes | no

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates