quick question from a beginner, with the flash dump data, is there a specific vulnerability that was exposed? or is there any data disclosure that was supposed to be encrypted that was not?

good job!

i have the Glade dash button thanks to the wife and it contains BLE. I confirmed this by connecting to my phones BLE. I have yet to see any info on this, I haven't started a teardown to get an answer (way too many other projects going on). Is there any info out there on the BLE element of the dash? As a side note, not all buttons have this as stated by amazon, but as I said above, the Glade button does contain it. So has anyone looked into this? I'll get to a teardown some day but if there's already info out there please point me in that direction

I just received my Amazon IoT Dash button today. If someone hasn't already, I would like to pull the firmware off, and flash the other Product Dash buttons i own. The new firmware will allow you to upload cert/connect to Amaon IoT. Anyone happen to pull the firmware already?  Thanks!

Ok, quick update, I was able to successfully flash cottenelle.bin to validate the process for a different dash button, however I f'ed up my IoT button. The hardware appears to be the same, but I shorted something during soldering. Hoping someone else can successfully dump the firmware for the IoT button.

I also tried to dump the firmware on the Amazon Dash by accessing the JTAG pins on the board, but I got the read-out protection error. How did you bypass read-out protection? 

If you are using openpcd, once you open your telnet session, you should be able to use 'stm32f2x unlock num', where num is the number returned from 'flash banks'

I can't find anywhere else to leave this info, but analysis of Cottonelle.bin shows that the Dash button is using ThreadX as an RTOS and NetX as a TCP/IP stack, together with the WICED SDK.  It's going to be hard to write firmware that replaces the original firmware without at least using the WICED SDK, which contains a big binary blob that is the wifi firmware.   You'd have to replace the RTOS with something else.

What battery does it use?

It works 100% off?

How long the battery?

which chip code power supply?

谢谢·

Most important for me to note is the ADMP441 chip embedded in there, are they listening to us secretly ? Is this a trojan, intended for something else ?

It doesn't seem so.

They use the ADMP441 microphone for setup (your phone sends the SSID/Password as a series of 18KHz pulses). There's some possibility that they can make a recording when you push the button (think voice commands) but given the size of the battery and that it is non-replacable they power off as much as possible when the device is not in use.

Very cool :) Good luck!