Amazon Dash Button Re-Hack!

So, we just got through Amazon Prime Day. That means I got myself a handful of Amazon Dash buttons for $0.99 each. How could I resist? I could do some coding in a new toolchain and architecture I’m not familiar with… ok no. All I intended to do with these was to use the software-only hack that allows you to capture the button presses and pipe that through to my MQTT server. Amazon decided to thwart me just a bit.

As noted in this wonderful teardown, there’s a new kid on the block for Amazon Dash buttons (JK29LP). The old one (JK76PL) had an STM32, the new one is an Atmel. I would normally like this, but no one else has blazed a trail for me yet so I’ll fall back to being lazy. The new Amazon Dash buttons no longer broadcast the message that the original hack picks up, but I tweaked it and am back in business (although from the blink pattern you can tell what revision button you have). There’s a new program someone wrote to have a Windows daemon that runs a program or script whenever a button is pushed, and it even works on the new buttons. But it only works on Windows and I just won’t have that.

I based my work on the original code from a number of different places used for different purposes. My modification is using the Dash button to send out a message on a given topic on a given MQTT server (in my case it’s localhost). I thought that if the Windows program used the IP addresses that the router gave leases to then I could get the MAC addresses by checking the leases in my router. If I had only been smart enough to remove this line:

    if pkt[ARP].psrc == '0.0.0.0': # ARP Probe

I would have seen the buttons being pressed.

from scapy.all import *
import os

# Called by sniff() for every ARP packet seen on the network
def arp_display(pkt):
    if pkt[ARP].op == 1: # who-has (request)
        # Match on the sender MAC only; no check for a 0.0.0.0 source IP
        if pkt[ARP].hwsrc == 'f0:27:2d:ef:a8:a2': # snuggle 1
            print("ARP Probe from: snuggle 1 " + pkt[ARP].psrc)
            os.system("mosquitto_pub -h localhost -t displayTopic -m snuggle1")
        if pkt[ARP].hwsrc == '74:75:48:6f:3b:b7': # snuggle 2
            print("ARP Probe from: snuggle 2 " + pkt[ARP].psrc)
            os.system("mosquitto_pub -h localhost -t displayTopic -m snuggle2")
        if pkt[ARP].hwsrc == '44:65:0d:78:94:12': # glad 1
            print("ARP Probe from: glad 1 " + pkt[ARP].psrc)
            os.system("mosquitto_pub -h localhost -t displayTopic -m glad1")
        if pkt[ARP].hwsrc == '44:65:0d:c6:e5:21': # glad 2
            print("ARP Probe from: glad 2 " + pkt[ARP].psrc)
            os.system("mosquitto_pub -h localhost -t displayTopic -m glad2")
        if pkt[ARP].hwsrc == '0c:47:c9:7c:55:20': # redbull 1
            print("ARP Probe from: redbull 1 " + pkt[ARP].psrc)
            os.system("mosquitto_pub -h localhost -t displayTopic -m redbull1")
        if pkt[ARP].hwsrc == '0c:47:c9:ed:9c:46': # redbull 2
            print("ARP Probe from: redbull 2 " + pkt[ARP].psrc)
            os.system("mosquitto_pub -h localhost -t displayTopic -m redbull2")
        if pkt[ARP].hwsrc == '44:65:0d:4d:a6:0b': # burt's bees
            print("ARP Probe from: burt's bees " + pkt[ARP].psrc)
            os.system("mosquitto_pub -h localhost -t displayTopic -m bees1")

# Sniff ARP traffic forever (count=0) without keeping packets in memory (store=0)
print(sniff(prn=arp_display, filter="arp", store=0, count=0))

My code hardcodes the MAC addresses without checking for a 0.0.0.0 ARP packet and prints out to the terminal and sends an MQTT command. I run all this on my MQTT server Pi and have it autostart just like the screen script. Except not just like that because I want this one to run as root since I can’t do permissions worth a damn. That would be here, and I’m still working on it.
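
An added example, not from the original post: the same MAC matching pulled into a small detector that labels each packet as the 0.0.0.0 probe the old check matched or the ordinary request it missed, drops repeat packets from one press, and builds the mosquitto_pub call as an argument list instead of a shell string. The PressDetector, publish_argv and replay names, the 5-second debounce window and the sample traffic are assumptions made for the illustration.

```python
import subprocess

# MAC -> MQTT payload; two of the addresses from the script above.
BUTTONS = {
    "f0:27:2d:ef:a8:a2": "snuggle1",
    "44:65:0d:78:94:12": "glad1",
}
WHO_HAS = 1              # ARP opcode for a request
DEBOUNCE_SECONDS = 5.0   # assumed window, tune for your buttons

class PressDetector:
    def __init__(self, buttons, window=DEBOUNCE_SECONDS):
        self.buttons = {mac.lower(): name for mac, name in buttons.items()}
        self.window = window
        self.last_press = {}  # name -> time of last accepted press

    def classify(self, op, hwsrc, psrc, now):
        """Return (name, kind) for a new press, else None."""
        if op != WHO_HAS:
            return None                      # ignore ARP replies
        name = self.buttons.get(hwsrc.lower())
        if name is None:
            return None                      # some other device on the LAN
        last = self.last_press.get(name)
        if last is not None and now - last < self.window:
            return None                      # repeat packet from the same press
        self.last_press[name] = now
        # "probe": what the psrc == '0.0.0.0' check matched; "request": what it missed
        return name, ("probe" if psrc == "0.0.0.0" else "request")

def publish_argv(name, host="localhost", topic="displayTopic"):
    # Argument list for mosquitto_pub, so no shell parses the values
    return ["mosquitto_pub", "-h", host, "-t", topic, "-m", name]

def publish(name):
    return subprocess.run(publish_argv(name), check=False).returncode

# Constructed sample traffic: (time, op, hwsrc, psrc). IPs and the last MAC are made up.
SAMPLE_EVENTS = [
    (0.0, 1, "f0:27:2d:ef:a8:a2", "0.0.0.0"),
    (0.4, 1, "F0:27:2D:EF:A8:A2", "0.0.0.0"),
    (2.0, 1, "44:65:0d:78:94:12", "192.168.1.57"),
    (3.0, 2, "44:65:0d:78:94:12", "192.168.1.57"),
    (4.0, 1, "00:11:22:33:44:55", "192.168.1.20"),
    (9.0, 1, "f0:27:2d:ef:a8:a2", "192.168.1.58"),
]

def replay(events, detector):
    hits = ((t, detector.classify(op, hw, ip, t)) for t, op, hw, ip in events)
    return [(t,) + hit for t, hit in hits if hit]
```

To use it live, call classify from the sniff callback with pkt[ARP].op, pkt[ARP].hwsrc, pkt[ARP].psrc and time.time(), and pass the returned name to publish.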

I know this isn’t original as I see references to people removing that line, but I see no reference to the new Dash button and this rock solid implementation of the year-old Python code. That being said I also haven’t seen this tied to MQTT either, so that may be original. NOTE: this triggers a notification on the Amazon shopping app every time a button that does not order a product is pressed. This could be mitigated by blocking access to Amazon’s servers for those buttons but I just sign out of the Amazon shopping app (I could set them back up using a fake account, but it’s late). I also like the thought of finding out how to respond to the buttons so they blink green when Amazon responds, but I’m not willing to dig into that right now.


13 Responses to “Amazon Dash Button Re-Hack!”

  1. JImmy Rustling Says:

    This was very helpful in getting my Prime Day Dash haul working properly. I received a mix of JK29LP and JK76PL units. Had no problem getting the old ones set up, but the JK29LP units were never detected with the old code. Removed the check for 0.0.0.0 per your suggestion and everything is working great now. Thanks for posting!

    • abzman2000 Says:

      Glad to hear it. Keep in mind this may pick up other devices connecting to your network, so do that to get the MAC, then hardcode the MAC address to certain functions per button.

  2. Tom Says:

    Wonderful! You just saved my butt. I took advantage of Amazon’s new offer of .99 buttons and bought 8 of them. When I couldn’t get them to work like my previous 2 buttons, I knew Amazon closed the loophole. Thanks for Re-Hacking the Buttons.

    • abzman2000 Says:

      Great, I’m glad I helped solve someone else’s problem. Did you find this article on Google or what? I put the part numbers in it because that’s what I searched for when trying to fix it.

  3. Bending The New Amazon Dash Button To Your Will | Hackaday Says:

    […] Allen] writes to us with his work on bending the new Dash button to his will. He goes into detail on the subject of retrieving their MAC addresses, and modifications to […]

  4. Bending The New Amazon Dash Button To Your Will | BH Says:

    […] Allen] writes to us with his work on bending the new Dash button to his will. He goes into detail on the subject of retrieving their MAC addresses, and modifications to […]

  5. non-name Says:

    For this to work, you first need to set up the button to connect to Amazon? Any way to avoid that?

    • abzman2000 Says:

      You need to partially connect it to Amazon, well, you need to connect it to an account but not a product to be ordered. I don’t know of a way to avoid this, this is the only way you tell the button what network to connect to (otherwise it would never be able to be connected to an encrypted network, or it would connect to your neighbors’ printer network or something stupid like that).

  6. Fhem: Mit Amazon-Dash schalten und von Fhem Aktionen auslösen lassen | Robins Blog – Technik und Multimedia Says:

    […] Evans Techie Blog (ohne Fhem) […]

  7. hxtan Says:

    Hi, thanks so much for the post! 🙂

    Was wondering, I actually did remove the “if pkt[ARP].psrc == ‘0.0.0.0’:” line, but I don’t really see any ARP on the network. Did I miss out anything? Must the app be configured based on the Amazon account that it was purchased with, for this to work?

    Mine is the new button model.

    Thanks a lot!

    • abzman2000 Says:

      To the best of my knowledge you have to set up the button through the app (partially) to tell it how to connect to the wifi network you want it on. After that you can log out of the Amazon app on the phone you used to set it up and everything should still work.

      • jv Says:

        I am encountering the same problem here. Seems like the newer buttons cannot be hacked like the old ones anymore.

      • joe Says:

        no, it still seems OK. i just received one today, and it’s still ARPing and doing a BOOTP request.

        i configured the button with the wifi password using the amazon app on my iPhone, but did not choose a product. unfortunately every time i pressed the button it tries to phone home and the iPhone app tells me to finish the setup. so then i went into my router and pointed the amazon address the button tries to resolve to 0.0.0.0, and now amazon does not know when i push the button anymore. but of course no dash button will work with that IP address blacklisted.
