Inside the Amazon Dash Button hack and how to make it useful

In my previous post about hacking the Amazon Dash Button I concluded by saying that I’d explain how to detect the ARP request using Ted Benson’s code and explain what you’ll have to do to make the code work.

Just to refresh, in that previous post we configured an Amazon Dash Button up to the point where we should have chosen the product that the button would trigger an order for when the button was pressed. Because we stopped there, now, when the button is pressed, the Dash Button will wake up, request an IP address via DHCP from the wireless network we configured it for, then, as any device should (whether or not it gets its IP address via DHCP), it will issue an ARP Probe to make sure that no other device on the local network is using the IP address it’s been assigned.

RFC 5227, section 2.1.1, explains how an ARP Probe functions:

A host probes to see if an address is already in use by broadcasting an ARP Request for the desired address. The client MUST fill in the ‘sender hardware address’ field of the ARP Request with the hardware address of the interface through which it is sending the packet. The ‘sender IP address’ field MUST be set to all zeroes; this is to avoid polluting ARP caches in other hosts on the same link in the case where the address turns out to be already in use by another host. The ‘target hardware address’ field is ignored and SHOULD be set to all zeroes. The ‘target IP address’ field MUST be set to the address being probed. An ARP Request constructed this way, with an all-zero ‘sender IP address’, is referred to as an ‘ARP Probe’.

What is useful about an ARP Probe is that it contains the requesting device’s media access control address (MAC address) which should be unique. So, if we watch the network for ARP Probes and decode them, we can figure out what the MAC address of our Dash Button is.

Ted’s code is in Python and that makes it very easy to use but first you’ll need to install the Scapy library. Scapy is not only a library, it’s also an amazing networking tool:

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …), etc.

Installing Scapy should be easy but it turns out that there are a load of gotcha’s that’ll getcha; On OS X there’s an article by Juha Laaksonen on wrangling Scapy on OS X that will save you all sorts of anguish as will the following command:

sudo chmod go+r /dev/bpf*

This command will, for current flavors of OS X, resolve the error you’ll get …

Exception: en0: You don't have permission to capture on that device ((cannot open BPF device) /dev/bpf0: Permission denied)

… when you run the code because OS X, by default, only allows  root access to the Berkeley Packet Interface. The command solves this problem by changing all of the bpf interfaces  (/dev/bpf*) to be readable (+r) by g (group; users who are members of the file’s group) and o (others; users who are neither the owner of the file nor members of the file’s group). Installing Scapy for Windows and Linux is somewhat easier and the Scapy documentation covers it well.

So, here’s Ted’s code:

from scapy.all import *
 def arp_display(pkt):
  if pkt[ARP].op == 1: #who-has (request)
    if pkt[ARP].psrc == '0.0.0.0': # ARP Probe
    print "ARP Probe from: " + pkt[ARP].hwsrc
 print sniff(prn=arp_display, filter="arp", store=0, count=10)

What this code does is to monitor the network via raw packet capture, look for ARP Probes, then print the MAC address in each probe. Note that Ted’s code used the argument count=10 in the sniff function call which restricted the code to only capture 10 packets; on a busy network this will happen almost instantly so I removed the argument and chose to just inelegantly kill of the program using control-C.

After pressing the Dash Button, you should see a display like this (I’m using OS X “El Capitan” so sudo is required):

RedQueen:dash mgibbs$ sudo python dash-01.py Password: ARP Probe from: 74:c2:46:d7:7a:00

Voila! Now you have your button’s MAC address. You might try this once or twice more just to make sure that it really is your button’s MAC address as other devices on your network that have power saving modes (for example, Apple TV’s) will occasionally wake up and perform ARP Probes.

Ted suggests the following code to identify when your button is specifically pushed (this code recognizes two buttons named “Huggies” and “Elements”:

from scapy.all import *
def arp_display(pkt):
  if pkt[ARP].op == 1: #who-has (request)
    if pkt[ARP].psrc == '0.0.0.0': # ARP Probe
      if pkt[ARP].hwsrc == '74:75:48:5f:99:30': # Huggies
        print "Pushed Huggies"
      elif pkt[ARP].hwsrc == '10:ae:60:00:4d:f3': # Elements
        print "Pushed Elements"
      else:
        print "ARP Probe from unknown device: " + pkt[ARP].hwsrc
print sniff(prn=arp_display, filter="arp", store=0)

Ted goes on to explain that the button presses can be recorded in a Google Spreadsheet using Magic Form, a tool from his startup, Cloudstitch, and he provides the code to make this work.

Other choices for using the button press data are to send the events to Twitter via the Tweepy library, control Philips Hue lights via the Phue library (I recently reviewed the Hue system), or trigger anything that IFTTT supports using the ifttt library. And you can even go further in hacking the Dash Button; according to the Dash Button teardown article  by Matthew Petroff:

Adafruit now has a guide for reprogramming the Button. There’s also an interesting project on GitHub that has a firmware dump and other firmware and reprogramming information.

These hacks of the Amazon Dash Button are really interesting, crazy cheap, and potentially very useful Internet of Things experiments. If you find a good use for a hacked Dash Button beyond Ted’s baby poop and wake up tracking, let me know.