I was a huge fan of smart devices around my home but have slowly been cutting back, no real reason... maybe a little paranoia. I did stay away from the no-name branded stuff and always researched before implementing something new. I preferred Amazon/Alexa as my ecosystem. This video as well as the previous teardown makes me feel better that I made "the right choice" but in a cheeky way. I came here to share that my little experiment after having my devices for awhile was to ask Alexa to mute/unmute itself. I don't remember what happened exactly but it think it was something along the line of responding "I can't do that" and not just an unanswered request. Unfortunately I can't easily check at the moment. But I wanna say I was somewhat impressed at the time.
Excellent analysis and explanation! I'm actually extremely surprised to see so much circuitry for this function. It's ACTUALLY a mute button.... I think most designers would want to just control the LEDs from the SoC and implement the "mute" programmatically, i.e. stop processing speech.
Note that SOC control pin can only disable the mics. So you can disable them remotely, but in order to enable them back, you need to physically press the button. That's part of why this circuit it so complicated. Here is a detailed reverse engineering of the same circuit from Echo Dot ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-xH8LnK9hh6w.html
Probably my first public comment. Loved your work! And I am saying this with utmost respect to your work that you have a very soothing voice and you can go for a podcast to fall asleep to. It is a real deal on spotify!
I like your approach to unknown top markings. Usually people would just research it by putting the code into the big manufacturer's top mark web database searches. You: "I have opened the chip to looked at the die to find out what it really is".
Interesting. The fact that the SoC only can turn off the mute (likely in case of a reset, but who knows, maybe an attacker can force that to re-enable the microphone) means that there will always be proof of the device listening: the SoC can't turn the microphone on at a particular moment to sneakily evesdrop, then turn it off again to hide the proof.
If you follow the diagram, the SoC can only disable the mics, not enable. I'm not sure how they guarantee that the mics are turned on at power-on though...
How did you figure out the connections? You can't just look at the tracings. This is a multilayer PCB, which means you can't see all of the tracings that connect the components. Also how did you decap the components? Anything that will remove the ceramic case of the chip will also damage the silicon inside if it hits the silicon. And the separation between the case and the silicon is less than a millimeter usually. The only equipment that can do that successfully is multi million dollar equipment owned by the FBI, which they use to decap flash memory chips inside USB devices to read the data stored optically via a high power microscope. This allows them to check the content of USB sticks that have been intentionally damaged by the suspect, so as to prevent them from being read in a normal computer's USB port.
But in this case, the MOSFET only supplies power to the mic. The LED is powered by the output of the NAND gate which is controlled by the flip flops. It seems entirely possible to me for the MOSFET to fail and power the mic while the LED remains off because the flip flops have never been clocked and thus do not represent the state of power to the mic.
@@TomStorey96 Well, the LED is on when the mic is OFF. LED off when the mic is on. So if it is failing so that the LED doesn't turn on, it will basically be always telling you the mic is on, which is how it should do.
But if it fails while the mic is supposed to be turned off..? That's what I'm thinking of. You won't know until the next time you reset or try to change it.
Nice teardown as always! It seems that this microphone thing is freaking everybody out, but most of us carry several microphones in our pockets at all times, plus an active GPS, without a hardware mute button, tied to equally evil corporations. I don't get the level of fuzz about this other microphone.
But let's not go overboard here. Many people put their phones away when they're having a conversation that's not suitable for other people's ears. Nobody wants to run around the house and mute a ton of devices before they can have a talk about how there are no women with penises nor that there is global warming. In Norway right now it is a crime to say anything that could be construed as "transphobic" even when you say it at home and in private. Besides that, there are many other very good reasons not to have the voice of Amazon in your life all the time.
@@NiHaoMike64 It doesn't matter. Most phone SoCs have a number of high-powered application cores that run the user operating system which usually is some form of android. These cores are NOT in control of the multiple mikes on a phone nor the cameras on a phone. Instead phones have an additional core, often an ARM cortex-m that runs the entire telephony and mobile data stack (LTE/UMTS/GPRS). The camera interfaces are directly connected to that core as are the Analog/Digital Converters for the mikes. The firmware that runs on these radio cores as they are called is not publically explored much if at all. It's trivial for them to include a surveillance function that sends your location, audio and video from your phone without the Android side having any way to notice what is happening. The only thing you might observe from the outside is the device warming up and the battery not lasting as long as it usually does. This just to dispel your inappropriate sense of security.
This is great! I've noticed that the deaf state survives power cycle, at least on Echo Dot and Studio. How does that fit in for this circuit, or does it?
Best guess, the clock input and also the output state are also fed into the SOC so that it can also hard mute the mic and know what state it is in if the user mutes it. This may not have been an exhaustive reverse engineering attempt, so to confirm this you would need to probe all of the SOC pins and see if they are in any way connected to the mute circuit.
Hmm, may be I'm wrong, but it seems to me that the microphone turns on when the SOC resets the bistable. After resetting, the /Q outputs go into H state, and after inverting turn on P-MOS and microphone power.
Who cares if the red light really turns off the microphone? If you really wanna make sure that no word leaves your room, then you gonna unplug it anyway.
Sorry, had to unsubscribe, couldn't understand what you were saying sometimes. Seemed to talk rather fast in some parts of the video and I kept rewinding some bits to try and make out what was said, but gave up. No doubt a good piece of reverse engineering though.
@@float32 In college I had a calculus professor from Palestine who I simply did not understand for the first two weeks of the class. By the end of the class I understood him perfectly.
