Amazon Dash Button: Retrospective

The Internet of things will revolutionize everywhere! Production? Dog walking? Rebooting coffee machines? Car driving? Food? Put the sensor in there! Marketing claims that any part of our lives will be improved with IoT. Why? Because with a simple sensor and a symphony of empty corporate chatter about machine learning, revolution is akin to the iPhone phenomenon about to happen! And here it is: Amazon Dash , around 2014.



The first product of the Dash family was the Amazon Dash Wand barcode scanner - it was distributed free of charge to Amazon Fresh customers [ food delivery services / approx. perev. ], which were supposed to hang it in the kitchen, for example, using a fridge magnet. When Fresh's customer ran out of milk, he could scan the bag before throwing it away, adding it to the shopping cart. I suspect these devices were quite expensive and sophisticated enough to be used the way Amazon wanted them to (so their launch was so limited). Amazon's goal was to allow potential customers to place orders with as little effort as possible, so that they would end up buying as much as possible. Remember the buy now for 1 click button?







And this Wand was eventually updated to a device containing Alex, activated by a button (leaving a barcode scanner and a magnet on the refrigerator), which is available to everyone . However, Amazon has pinned its hopes on a new gizmo. In mid-2015, Amazon introduced the “replenishment service” Dash Replenishment Service with its product, the Dash Button. This button was supposed to be a “1-click purchase” button in the physical world. To use the Wand barcode scanner, the user needed to remember that he was lying somewhere, find the barcode, scan it, remember the need to open his basket and order the goods. Too many steps, too many opportunities to get off the Bezos commercial roller coaster. The Dash Button worked easier! Press the button, get the product marked on it at the saved address. Each button had to be bought (for $ 5 with a $ 5 discount coupon) tied to a specific brand, and then set up online to buy a specific product when pressed. In the commercials, happy families placed them on washing machines to buy Tide, on kitchen cabinets for buying paper towels. Pretty tricky - it really is a buy now for 1 click button for the physical world.



Dash buttons had two options. Both had the same interface, and they worked essentially the same way. The device had one button (the software can recognize several sequences of clicks), one RGB LED and a microphone (no, it did not listen to your conversations, but we will come back to this). And he also had a WiFi transmitter. The second version (which was quietly released in 2016) added a Bluetooth connection and the filling completely changed, although this was not noticeable to the user.



In February 2019, Amazon stopped selling Dash Buttons.

But we write about glands, not about business

The Dash buttons were a cool hack! In a world familiar with ESP8266, hardware like the Dash Button is considered an entry-level standard home automation project. But in 2015, when the buttons were just released, ESP was just starting its way. Until that time, WiFi meant an unusual device such as Electric Imp or an integrated circuit labeled Texas . The market for low-cost devices with an Internet connection was completely different, and more expensive.



Probably, Amazon didn’t make sense to produce such a button if it cost more than a couple of dollars, so when developing it, the company turned a couple of tricks to lower the cost without reducing consumer qualities.







Cool hacks start with a connection. The classic methods of connecting to a home network of WiFi devices are a nightmare from the user's point of view. Download the device for the first time, wait until it realizes that there is no connection with the network, go to the access point mode, open the application, manually open the settings page and connect to the new WiFi network, return to the application, enter the login / password, wait forever, when it somehow informs you of success. And this will work only if your phone does not beat the application in the background or does not drop the WiFi network due to the lack of an Internet connection! Android developers at various times may have been forced to switch the WiFi network without user intervention, but even so, the experience of switching between platforms was terribly inconsistent.



What should a hacker do? Bluetooth works pretty well, but it needs another transmitter. The mentioned Electric Imp used a photocell to which it was necessary to lean the screen of the phone - it blinked in a certain sequence encoding access. Devices can be programmed in advance, as Amazon does with the new Kindle by entering the data from the customer’s account there, but this is a complex production process, and still needs some kind of scheme to change the network. But instead of all these workarounds, Amazon decided to use a method that I only found in jokes: acoustic pairing.





Dash Button V1



In both generations, there was a microphone that perceived the username / password of the user network through sounds obtained by frequency manipulation , at a frequency just below 20 kHz. Why 20 kHz and not higher? Acoustic pairing should work wherever there is a microphone and speaker. These requirements are so easy to fulfill that Amazon could design a pairing procedure so that it worked not only within the framework of their own mobile application - people could use anything from a Chromebook with a browser to another device from Amazon. I am not aware of any customization of these buttons through the nearby Amazon Echo, but technically it would be possible, but would look like magic. Given all this, the frequency should be such that it can always be accurately reproduced - that is, in the range accessible to the human ear. Click here for more details on parsing this protocol.





Inside V1



Looking inside the device, we are faced with a surprise: AA battery! Not some “industrial” battery under a different brand, but a simple consumer battery, without changing the brand, just soldered to the contacts. What? Well, apparently, Amazon decided that the tablet battery will not provide a sufficiently long battery life, possibly due to energy consumption when reconnecting via WiFi, and a larger tablet will be much more expensive than a regular battery. And although the battery holds the battery quite well (the black oval on the left), it is unfortunately soldered to the contacts, so the whole assembly will have to be changed when the battery is dead, after about a thousand clicks.



What about the rest of the body? Everything looks as simple as possible. Screws fix the board to the upper part of the case, everything else is glued or welded with ultrasound . The shapes of all the plastic components are selected so that they are easy to cast. In general, the device looks simple (and cheap) to manufacture, which is not so surprising.

Crackability

What can be hacked in the Dash Button? If people start throwing out these amazingly simple devices, can we give them a second life?



Perhaps the first hack was the use of these buttons for other purposes without any hacking, both software and hardware. Between presses, the button turns off to save energy. In the long run, even rare requests to keep in touch with WiFi consume a lot of energy: and Dash buttons should work for years, so they do not remain permanently connected. When the button is pressed, the device wakes up, turns on the LED, making it clear that it is alive, connects to WiFi, calls the Amazon API, then falls off the network and turns off the LED. When connected to the network, it without fail passes through several configuration steps, including broadcasting the ARP probe request, to make sure that no one else has such a MAC address.



Enterprising hackers realized that if you monitor LAN traffic, you can catch these requests and they will include the unique MAC address of the device. And because of the special style of the Dash button, if we see the ARP probe request, then we know that the device has just woken up, which means that the button has just been pressed. Then you can do anything you like with this [making the button order nothing / approx. transl.]. For the first time I learned about this method from Ted's blog . And even when the Amazon backend ever shuts down, the buttons will not stop working.





Board V1



ARP request trapping works, but it seems to me not very convenient. These devices already have processors, so let them say what they need. What about programming Dash buttons? It is not surprising that people have already figured out the board and painted what goes where. None of the button versions have any particularly rare spare parts: version 1 has a Broadcom Cypress BCM943362WCD4 module from the WICED family, which, in fact, is just an STM32F205, wired with a transmitter - it has a developer kit for it. On version 2 are the Atmel Microchip ATSAMG55 and Atmel Microchip ATWINC1500B, with the Cypress CYBL10563-68FNXI Bluetooth transmitter. These are ARM processors available to all with detailed documentation.



And, despite the availability of iron and buttons, no one seems to have advanced far on this front. It’s easy to find training materials on reprogramming devices and blinking LEDs or tracking button presses, but all the materials I found end in the most interesting place: “now we need to deal with WiFi”. So yes, they can be reprogrammed into some strange test devices, but so far we have yet to see how someone will be able to completely subjugate this button to gain access to all the rich possibilities hidden in it.

What's next?

In the end, a few words about Amazon. Small device manufacturing projects like Dash Button and Wand are my favorite types of enterprise experimentation. I always like it when a company tries to make an unusual device. This is much better than killing these projects before they even go outside the laboratory.



On the other hand, the Dash Button is a pretty wasteful thing. Although they have a limited service life, however, no marks on them will prevent them from being thrown into the trash after they stop working. What else does Amazon expect from customers? The device obviously has a battery inside, but since there is no clear indication on this subject on the case, users may not realize that it needs to be sent to the place where the batteries are recycled. Using an ordinary common battery is a tricky idea, but it should be followed by an obvious way to remove it, which would make it possible to use the product without time limits, and it would be better to treat the environment.



The plus will be that soon we will be able to collect these buttons in bags! When they begin to fail, we will be able to interrupt the flow of electronic garbage by collecting them and remaking them for other purposes.



After we begin to observe a wave of projects with these buttons, we will have two interesting ways to study these devices. One is to find a battery holder that is well-sized for the board so that the batteries can be changed, and also come up with a case suitable for printing, into which all this fits. Then the Dash button will be able to break out of its shackles of finite service life and work for as long as we want.



The second way is obvious - make WiFi work! In my experience, Broadcom’s WiFi under the WICED brand can be quite complicated, but the WINC1500 does not seem exotic. As noted in 2016 , this module was used in the Arduino MKR1000 and WiFi Shield 101, as well as in several boards from Adafruit. Can I figure it out? We hope so!