Reverse Engineering Amazon Echo Digital Signal with a Logic Analyzer

19,114 views

Matt Brown

Days ago

In this video, I show how to analyze unknown digital signals on an Amazon Echo with a logic analyzer. Also, I use magnet wire to solder onto extremely small pads to read the signal.
Louis Rossmann's KZbin channel:
/ @rossmanngroup
saleae-logic2 program:
aur.archlinux....
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nma...
#iot #soldering #hacking #embedded_systems #microscope

Comments
@brianbirkerd8206 1 year ago
You look like a teenager with that cap 😂
@ctbrahmstedt 2 years ago
Crank up your sampling rate. 500KS/s is only 50 samples per 0.1ms frame. A 115200 baud rate would be 11.5 bits per 0.1ms per frame. ~4 samples/bit may be masking a higher frequency bitrate. Do a quick capture at 5Mbit to see what the signal bit rate is and then dial back from there.
@billheckel3891 2 years ago
I do not think that 76800 is the correct baud rate. Note the bit position indicators drift in relation to the rising edge. Measure the time between rising edges to find the bit time.
@Anx181 2 years ago
Hey Matt, great vid! I was one of the people commenting on your previous videos recommending you to get a new microphone. I think the new mic / mic balance is great now, I think it’s a big improvement over previous videos. Great content and keep hacking brother
@gorak9000 2 years ago
Is this an ASMR channel, or a hardware reverse engineering channel? Pretty sure how the mic sounds is 99% irrelevant for the point he's getting at here.
@Anx181 2 years ago
@gorak9000 regardless of the type of content he’s making, in the previous videos his microphone was so harsh. It made it very difficult to watch, especially on a TV or good headphones
@gorak9000 2 years ago
@Anx181 Ok, I see what you mean - I went and checked some older videos - the video on ARP poisoning has pretty hard to listen to audio. It's not so much the quality of the microphone so much as the level was set too high and it's continually clipping and distorted. That's not really fixable post-processing wise. Yes, clipped and distorted audio is very hard on the ears no matter the playback volume.
@Hexnano 2 years ago
Already becoming one of my favorite tech channels!!! Can't wait to see you hit 1k subs and then even more ✌
@FAKEAXIS 2 years ago
There are a lot of products with hidden stuff that we will most likely get no access to. I have a JBL Google Home speaker that I know can accept digital audio through its micro-USB port, but that was because it was hooked up to some black box thing in a retail display. I would love to get low latency aux in to this speaker one day as it sounds great.
@Scyth3934 2 years ago
The volume on this one is much better than your last one. FYI you can see how loud it should be by checking "stats for nerds". If the "content loudness" is negative it means your audio is too quiet and if it is positive it means it is too loud.
@campbellmorrison8540 2 years ago
I don't even know what an Amazon Echo is but it's great to see the upcoming generation digging into this stuff, good luck on getting some kind of interaction. I have to agree with the comments below, 76800 doesn't seem right and I suspect your sampling is too slow. Personally I would connect a scope to the line to see what it's really doing before trying to use a logic analyser
@erlendse 2 years ago
Probably I2C. The signal looks too regular and is probably a clock. The resistors may be pullup. You would need both lines to get the data if so (the other is likely data).
@TomStorey96 2 years ago
Agree with a couple of others here that this is not UART. The signal is too repetitive to be transferring anything useful, it looks more like a clock to me. With two signals next to each other like that it could be the clock side of I2C, or if it really is something then it may be one half of a differential pair.
@siosinv3851 9 months ago
Hey @Matt what papers or publications did you use to help you out on this?
@Aaron_Dayton 2 years ago
Hi Matt, You would be able to determine the baud rate based off the period of a single bit's width. That way you can get it right on the first try and no guessing. Cheers.
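The measurement several comments above recommend (sample faster, then take the baud rate from the width of one bit), as an added example that is not part of any comment or of the video. The function names, the 8N1 framing and the two constructed bytes are assumptions; the sketch treats the shortest pulse as one bit, which only holds for NRZ data that contains a single-bit pulse.

```python
# Added example: constructed capture, not data from the video.
STANDARD_BAUDS = [9600, 19200, 38400, 57600, 76800, 115200, 230400, 460800]

def uart_edges(data, baud, sample_rate):
    """Constructed input: edge times (s) of 8N1 frames, snapped to the sample clock."""
    bits = []
    for byte in data:
        # start bit, eight data bits LSB first, stop bit
        bits += [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    edges, level = [], 1  # a UART line idles high
    for n, bit in enumerate(bits):
        if bit != level:
            edges.append(round(n / baud * sample_rate) / sample_rate)
            level = bit
    return edges

def estimate_bit_time(edges):
    """Shortest pulse is taken as one bit, then every pulse is fitted to whole bits."""
    gaps = [b - a for a, b in zip(edges, edges[1:])]
    shortest = min(gaps)
    counts = [max(1, round(g / shortest)) for g in gaps]
    return sum(gaps) / sum(counts), counts

def analyse(edges, sample_rate):
    bit_time, counts = estimate_bit_time(edges)
    baud = 1 / bit_time
    return {
        "baud": baud,
        "nearest_standard": min(STANDARD_BAUDS, key=lambda b: abs(b - baud)),
        "samples_per_bit": sample_rate * bit_time,
        # Every pulse the same width: a clock (or a 0x55 pattern), not varied data.
        "clock_like": len(set(counts)) == 1,
    }

if __name__ == "__main__":
    for rate in (500_000, 5_000_000):
        result = analyse(uart_edges(b"\x55\x0f", 115200, rate), rate)
        print(rate, round(result["baud"]), round(result["samples_per_bit"], 2))
```

At 500 kS/s the constructed 115200 baud signal gets only about four samples per bit, so individual pulse widths jitter between 4 and 5 samples; averaging over the whole capture is what keeps the estimate usable.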
@t67m 2 years ago
The pulses mostly appear to have a 1:2 or 2:1 Mark-Space ratio, so I don't think this is a UART, but maybe even some form of Manchester coding, or the control signal for a NeoPixel LED.
@r3dll 2 years ago
ayyy matt great content for a small channel, keep hacking forward
@benjaminlarsson8685 2 years ago
76800 sounds bogus to me. Try with pulseview/sigrok instead.
@gorak9000 2 years ago
I don't see why the decoder would need to know the baud rate in an offline analysis of an asynchronous signal to begin with. All it needs to look at is edges, and perhaps the duration between the edges (depending on what signaling standard is in use - RZ, NRZ, Manchester, etc). Baud rate is only relevant for real-time decoding, not offline analysis after the fact. Clearly a decoder written by a CS person that has some lack of understanding how the hardware actually works. Also, I'd trace where those lines go, and look up the datasheet - there's no point reverse engineering what's most likely a list of commands in the datasheet of whatever it's talking to. And yes, I'd also vote to use Sigrok rather than proprietary Saleae software - I'm surprised that the Saleae software even works with the $12 clones - I thought they got super anal about that a few years back.
@arie1293 1 year ago
The Xbox One S has a paired optical drive to the console which makes it impossible to replace the disc drive without moving the old daughterboard into the new drive. In some cases users have replaced their drive without this understanding and lost the old drive, making their console completely inoperable following a software update. It would be fantastic if a logic analyzer could be used to understand the serial number reporting back to the console and create a modchip of sorts that could report the correct serial number and fix consoles with this type of problem.
@larrybud 8 months ago
Sounds great!
@jonnyphenomenon 2 years ago
How did you "discover" that signal in the first place?
@mattbrwn 2 years ago
Great question. I poked around the board with a multimeter first looking for any voltages that looked interesting. That coupled with the fact that these pads were next to the CPU made them interesting enough to look at with the logic analyzer.
@jonnyphenomenon 2 years ago
@mattbrwn oh, were they test pads? I couldn't see through the puddle of solder. I've been doing a little hardware hacking lately with my students. Mostly just looking for UARTs in IoT things so we can get a shell into them and look for exploits and vulnerabilities. It's amazing how much they leave wide open. You know, since those devices have an FCC ID, there are records of them on the FCC page including close up photos of all the circuit boards inside. I usually start there to see if anything stands out as a possibility, before I actually take something apart.
@gael5773 5 months ago
Nice video 🎉
@borontv6400 2 years ago
I'm hoping I can learn how to interpret UART from videos like this! I have a Smart Appliance with IoT functionality and consumable cartridges. (I want to refill my own cartridge) I have successfully captured the signals between the cartridge reader by tapping into the UART lanes exactly as you were able to. I'm essentially stuck where this video leaves off.
@mattbrwn 2 years ago
I highly suggest the book: Attacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation. The next step after getting bytes is to try to make sense of the binary protocol in use. That book is a good intro to reverse engineering binary protocols. Then you might want to look into if you can program something like a Raspberry Pi Pico to send the same UART data you observed from the 1st party cartridge to the appliance.
@DopeSaladz 1 year ago
You should reverse engineer a gaming console like a new Xbox or PS4 or ps4
@asdhuman 2 years ago
Maybe 86400?
@EinSwitzer 2 years ago
just don't freak out when you see brain monitoring stuff and it's real and if you try to talk about it things happen !