by bodangly 1302 days ago
Near 100%. If you look at the binwalk output in his later posts you can clearly see certificates as one of the first things in the binary. I’ll be shocked if this guy ever actually gets his own firmware to run here.
4 comments

Her.
I've never really understood why Amazon doesn't want people hacking with their devices. If I were them, making a Really Hacker Friendly Device would boost sales hugely, as people would start making 'cool things' with it. All of their devices are incredibly tied down, however, despite the promise of relatively cheap computing (I don't own any of them, out of privacy concerns).
They don't make a profit on device sales. They want you to use their cloud services.
Apparently they aren't making enough money elsewhere either, https://news.ycombinator.com/item?id=33680904
Chances are the public key is stored on the same flash, preventing sideloading of an OTA update, rather than physical access.
The easiest thing would be to buy some flash, desolder the existing flash and install their own flash. Certs won’t matter then.
If some form of secure boot is used, then replacing the flash won't work either. There is one-time writable storage inside the SoC itself that is used for verification. You won't be able to get it back into a state where it accepts non-signed firmware without also replacing the SoC.
Ah, I didn't know that. That's actually pretty neat.
You're assuming that flash storage is the only thing to be concerned about in a secure boot scenario.

Assuming that the platform is even secure boot capable, you'd blow a fuse or similar at the factory to put it into production mode.

However even then, secure boot isn't infallible. Either they're implemented shoddily, or you end up power glitching past verification.

(I've seen a certain vendor whose name starts with Qualco... fail because they didn't remember that u-boot was... configurable.)

Firmware signature verification is almost done in mask ROM exactly to prevent this.
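The exchange above about one-time-programmable storage in the SoC and verification in mask ROM is modelled below as an added example; it is not code from the thread or from any vendor, and the real device's scheme is not described on the page. It assumes Ed25519 signatures and a SHA-256 hash of the vendor public key burned into fuses, and shows why swapping the external flash chip does not help: the replacement flash can carry an internally consistent key and signature, but the ROM checks the key against the fused hash before it trusts it for anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FlashImage models the contents of the replaceable external flash chip:
// the firmware payload, the public key the firmware ships with, and a
// signature over the payload. Replacing the chip changes all three at once.
type FlashImage struct {
	Firmware  []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// BootROM models the mask ROM plus the one-time-programmable fuses inside the
// SoC. Only a hash of the trusted public key is fused at the factory; the key
// itself is read from flash and compared against that hash at every boot.
type BootROM struct {
	OTPKeyHash [sha256.Size]byte
}

var (
	ErrUntrustedKey = errors.New("public key on flash does not match the fused hash")
	ErrBadSignature = errors.New("firmware signature does not verify")
)

// Verify is the check the ROM performs before jumping into code from flash.
func (rom BootROM) Verify(img FlashImage) error {
	// Anchor the key in silicon first; nothing on flash is trusted until then.
	if sha256.Sum256(img.PublicKey) != rom.OTPKeyHash {
		return ErrUntrustedKey
	}
	// Only a key matching the fuses may vouch for the payload.
	if !ed25519.Verify(img.PublicKey, img.Firmware, img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Provision models the factory step: generate the vendor signing key and
// burn the hash of its public half into the SoC fuses (production mode).
func Provision() (BootROM, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return BootROM{}, nil, err
	}
	return BootROM{OTPKeyHash: sha256.Sum256(pub)}, priv, nil
}

// BuildImage signs firmware with whatever key the writer of the flash holds.
func BuildImage(priv ed25519.PrivateKey, firmware []byte) FlashImage {
	return FlashImage{
		Firmware:  firmware,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, firmware),
	}
}

// RunScenarios returns the ROM's verdict for three flash states: the vendor's
// image, a wholly replaced flash signed with a different key, and the vendor's
// image with one payload byte altered. All payloads are constructed samples.
func RunScenarios() (map[string]error, error) {
	rom, vendorKey, err := Provision()
	if err != nil {
		return nil, err
	}
	firmware := []byte("vendor firmware v1.0 (constructed sample payload)")
	genuine := BuildImage(vendorKey, firmware)

	// Replaced flash: key and signature agree with each other, but the key is
	// not the one whose hash sits in the fuses.
	_, otherKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	replaced := BuildImage(otherKey, []byte("third-party firmware (constructed sample payload)"))

	// Corrupted payload: genuine key and signature, one firmware byte flipped.
	corrupted := genuine
	corrupted.Firmware = append([]byte(nil), firmware...)
	corrupted.Firmware[0] ^= 0xFF

	return map[string]error{
		"genuine":   rom.Verify(genuine),
		"replaced":  rom.Verify(replaced),
		"corrupted": rom.Verify(corrupted),
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "replaced", "corrupted"} {
		fmt.Printf("%-9s -> %v\n", name, results[name])
	}
}
```

The order of the two checks is the point of the design: the ROM compares the key hash before it evaluates any signature, so the only component that decides trust (the fused hash) is the one that cannot be rewritten without replacing the SoC. Code that verified the signature against whatever key it found on flash would be satisfied by the replaced-flash case.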