The Amazon Dash Button it an Internet connected button that allows ordering a single product from Amazon. Although it is not something I would ever use, I thought its guts might be interesting and bought two for a grand total of $2.10 with tax and free shipping. Others have already posted about disassembling it, so I’ll focus mostly on the electronics, since the aforementioned blog posts are missing high-resolution images of the circuit board and don’t quite get some details correct.
The first victim is the Cottonelle Dash Button. The outside of the Dash Button consists of a button, a microphone hole, a loop for tying to, and adhesive on the back. The different brands of Dash Buttons have the same model number,
JK76PL, differing only in the label.
Peeling back the label reveals three Torx T5 screws.
However, the two halves of the case are also glued together and must be pried apart once the screws are removed.
Opening the case reveals a small printed circuit board with an Energizer Ultimate Lithium AAA battery. Although the cost of the Dash Button is less than that of the battery alone, tabs are spot welded to the battery making reuse difficult; Amazon also limits customers to one of each brand of Dash Button.
Next are high-resolution images of the front and back of the PCB, both with components still on and with them removed. Here are full resolution copies: front with components, front without components, back with components, and back without components.
The circuit board is at least three layers and contains blind vias. The design seems based on the Broadcom BCM943362WCD4 WICED module reference design, with a Broadcom BCM43362 Wi-Fi module,
U9, and an ST STM32F205 microcontroller in a WLCSP (instead of a LQFP),
U5. This is similar to, but not the same as, the chip that is used in the Particle Photon. The Photon uses a USI chip that combines the Wi-Fi module and microcontroller into the same package but is otherwise the same. Other components on the Dash Button include an InvenSense INMP441 microphone,
MP1; a Micron M25P16 16Mbit serial Flash memory module in a UFDFPN8 package,
U6; an RGB LED,
DS1; and a 26 MHz crystal,
Y1. I transcribed the markings from the other integrated circuits but was not able to identify them.
Also included is a 0.40mm pitch 5×2 pin board-to-board connector (
Molex 503548-1020 Panasonic AXE5101271 ) and a number of test points. This header contains a JTAG interface to the microcontroller as well as what I think is a serial interface to the microcontroller. The pinout, labeled in the same order as the photo above, is:
GND NRST PC6 PA14 PC7 PA13 PB3 PA15 PB4 3.3V
which corresponds to
GND NRST USART6_TX JTCK-SWCLK USART6_RX JTMS-SWDIO JTDO/TRACESWO JTDI NJTRST 3.3V
as likely pin functions. Except for
NRST, these pins are also accessible from test points, with
TMF24->NJTRST. The column to the left of the previous test points, from top to bottom, corresponds to
JTDI. I have not yet tried to connect to either the JTAG or the USART. The other test points I was able to identify were
TX8->PB13. All identifications are based off of a combination of visual inspection and continuity testing of the PCB once all components were removed via hot air.
The Dash Button operates at 3.3 V boosted from the battery’s nominal 1.5 V, drawing 200–300 mA from the battery when on and 2.3 μA when in sleep. This means the ~1200 mAh battery should be able to power the device for at least four hours while on and decades while in sleep. Since the button is only on for a few seconds when activated, it can probably be used close to 1000 times before the battery dies. Thus, the button should become obsolete long before the battery is depleted.
Moving on to software, the Dash Button is configured using the Amazon mobile app using ultrasound2 to configure the button in the case of iOS and Wi-Fi in the case of Android. I have not reverse engineered the audio protocol, but the data seems to be transmitted using audio
frequency-shift keying around 18–19 kHz. The app transmits this message 20 times before giving up. Although not mentioned in the documentation, the Dash Button creates a Wi-Fi hotspot when placed in configuration mode,
Amazon ConfigureMe, which is used by the Android version of the Amazon Shopping app. Once connected to this hotspot, a web page is accessible at
192.168.0.1 via HTTP, which allows for configuring the Button’s Wi-Fi connection settings. However, the Amazon App is still required to finish setting up the Button. When connecting via HTTPS, a certificate signed by the
Amazon.com Internal Root Certificate Authority and issued to
Amazon.com Infosec CA G2 is presented, which expires 2016-06-22. However, I was not able to successfully connect even after bypassing the certificate error, so it might be using a different protocol over TLS. The Button’s firmware version,
v0.9.119, can be gleaned from the source of this page. By monitoring the Button’s network traffic, I was able to determine that the Button communicates with
parker-gateway-na.amazon.com via TLS.3 Additionally, it always uses
22.214.171.124 for DNS. Due to the use of ultrasound instead of Wi-Fi in the iOS version, I assume iOS doesn’t allow Amazon access to the Wi-Fi settings they want. The MAC address vendor prefix is
74-75-48 for my Tide Button when triggered; it is
6C-0B-84 when in configuration mode.
I still have a fully intact Tide Dash Button. Now that I know the pinout, I might disassemble it as well and try to connect to its microcontroller via JTAG and serial.
Edit (2015-08-01): An eagle-eyed reader pointed out that
U1 is probably a TI TPS61201 boost converter; the footprint, package markings, and pinout seem to fit.
Edit (2015-08-05): As mentioned in the comments, the Button uses a different MAC address, with a different vendor prefix, when in configuration mode versus when pressed; I updated the post to reflect this. Additionally, Buttons with different branding appear to have different MAC address vendor prefixes.
Edit (2015-08-06): I just tried configuring the Button using Android instead of iOS as I had originally done and discovered that Amazon’s Android app configures the Button using Wi-Fi instead of ultrasound like the iOS version does. I updated the post to reflect this.
Edit (2015-08-10): Ted Benson wrote an interesting article on how to repurpose the Button by watching for ARP probes.
Edit (2016-01-01): Jay Greco did some fascinating work reverse engineering the iOS audio configuration protocol. It turns out Amazon is using amplitude-shift keying, not frequency-shift keying; I updated the post to reflect this.
Edit (2016-03-07): Paul Bilke pointed out in the comments that my guess as to the part number of the board-to-board connector is incorrect; I struck this out in the post.
Edit (2016-06-02): Paul Bilke noted in the comments that Nathaniel Quillin figured out the part number of the board-to-board connector; I updated the post to contain the correct part number.
Edit (2016-07-12): I just finished a teardown of the new version of the Dash Button.
The mating connector is a Panasonic AXE610124. ↩
It’s only sort of ultrasound; I can still hear it. ↩
It also does at least basic checking on the TLS certificate. When I hijacked the DNS lookup and pointed it at the server hosting this blog, it never progressed past the TLS handshake. I didn’t try anything more sophisticated. ↩