perryflynn/amazon-dashbutton-pipe

Execute custom shell script with Amazon Dash Buttons.

Workflow

  • Press the Amazon Dash Button
  • Capture the DHCP DISCOVER packet with iptables and redirect it to ulogd / a FIFO pipe
  • Read the pipe and execute the shell scripts matching the dash button's MAC address

Script overview

  • dashinfo.sh: Show MAC, ID and name of all dash buttons
  • dashpipe.sh: Main script that executes the mapped scripts
  • include: Functions for all scripts
  • saferun.sh: Wrapper to execute the scripts and prevent concurrent execution
  • by-*: Folders for script mapping, see the README files inside

Prepare dash buttons

  • Use the Amazon app to set up the buttons in your Wi-Fi network
  • Do not assign any product to the dash button
  • Capture the MAC address of the button with Wireshark (or look it up in your router)

For professional environments:

  • Create a firewall rule to block traffic from the dash button
  • Use DNAT to redirect all traffic to your fake HTTPS webserver (much shorter red-blinking time)
  • Delete the dash button from your Amazon app (only possible after blocking the dash button's traffic)

Installation

This script uses iptables and ulogd to capture DHCP DISCOVER packets from an Amazon dash button.

ulogd writes its log entries into a FIFO pipe. dashpipe.sh extracts the MAC address from that log entry and executes the matching shell scripts. See the README.md file in the by-* folders for more information.

Install ulogd and create fifo:

apt-get install ulogd
groupadd amdash
useradd -G amdash -s /bin/bash -d /home/amdash -m amdash
# ulogd runs as user ulog; it needs the group to write into the pipe
gpasswd -a ulog amdash
mkfifo /tmp/ulogdash.fifo
# give the pipe to the group so the ulog writer and the amdash reader both reach it
chgrp amdash /tmp/ulogdash.fifo
chmod ug=rw,o= /tmp/ulogdash.fifo

Setup ulogd

stack=logdash:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emudash:LOGEMU

[logdash]
group=1

[emudash]
file="/tmp/ulogdash.fifo"
sync=1

Restart ulogd.

iptables

Minimal configuration:

iptables -N AMDASH
iptables -A INPUT -m mac --mac-source ac:63:be:xx:xx:xx -j AMDASH
iptables -A INPUT -m mac --mac-source ac:63:b3:xx:xx:xx -j AMDASH
iptables -A AMDASH -d 255.255.255.255 -j NFLOG --nflog-group 1 --nflog-prefix "AMDASH"
iptables -A AMDASH -j RETURN

Replace the MAC addresses with yours.

Test it!

Just start dashpipe.sh and see what happens on button press.
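The pipe reader described above, as an added example that is not the project's own dashpipe.sh: it parses the LOGEMU lines ulogd writes into the FIFO, takes the button's source MAC from the MAC= field, debounces the several DISCOVERs one press produces, and runs the mapped script under flock so runs of the same script cannot overlap. Assumed: scripts are stored as $DASH_BY_MAC/<mac>.sh (a hypothetical layout, not the by-* folders' actual scheme) and the NFLOG prefix is AMDASH as in the rules above.

```shell
#!/bin/sh
# Added example, not the project's own dashpipe.sh. Assumes per-button scripts
# live at $DASH_BY_MAC/<mac>.sh (hypothetical layout) and that the NFLOG prefix
# is "AMDASH" as in the iptables rules above.
DASH_BY_MAC="${DASH_BY_MAC:-./by-mac}"
DASH_DEBOUNCE="${DASH_DEBOUNCE:-5}"   # seconds; one press yields several DISCOVERs

# Source MAC of a LOGEMU line. The MAC= field holds dst(6) src(6) ethertype(2),
# so the source address is octets 7..12. Returns 1 when no usable MAC= field.
dash_src_mac() {
    field=$(printf '%s\n' "$1" | sed -n 's/.*MAC=\([0-9a-fA-F:]*\).*/\1/p')
    src=$(printf '%s\n' "$field" | cut -d: -f7-12 | tr 'A-F' 'a-f')
    case "$src" in
        ??:??:??:??:??:??) printf '%s\n' "$src" ;;
        *) return 1 ;;
    esac
}

# Path of the executable script mapped to a MAC, or return 1.
dash_script_for() {
    if [ -x "$DASH_BY_MAC/$1.sh" ]; then printf '%s\n' "$DASH_BY_MAC/$1.sh"; else return 1; fi
}

# Debounce: fire at most once per DASH_DEBOUNCE seconds per MAC (timestamp file).
dash_should_fire() {
    stamp="${TMPDIR:-/tmp}/amdash-$1.last"
    now=$(date +%s)
    if [ -f "$stamp" ] && [ $((now - $(cat "$stamp"))) -lt "$DASH_DEBOUNCE" ]; then
        return 1
    fi
    printf '%s\n' "$now" > "$stamp"
}

# Handle one log line: 1 = not ours, 2 = unmapped MAC, 3 = debounced, 0 = started.
dash_handle_line() {
    case "$1" in *AMDASH*) ;; *) return 1 ;; esac
    mac=$(dash_src_mac "$1") || return 1
    script=$(dash_script_for "$mac") || { echo "unmapped button $mac" >&2; return 2; }
    dash_should_fire "$mac" || return 3
    # flock -n skips the run if the same script is still busy (saferun.sh's job)
    flock -n "$script.lock" "$script" "$mac" &
}
# Block on the FIFO; reopen it when ulogd closes its end (restart).
dash_read_pipe() {
    while :; do
        while IFS= read -r line; do dash_handle_line "$line" || :; done < "$1"
        sleep 1
    done
}
```

Start it with `dash_read_pipe /tmp/ulogdash.fifo`; the return codes of dash_handle_line are meant for logging which lines were dropped and why.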

Full iptables setup (professional environment)

I run a dedicated router VM for IoT devices. The VM is configured as the default gateway in my DHCP server and filters all traffic in my IoT subnet.

You need a second subnet to route between the IoT network and the local network / internet.

Please do not use this if you don't understand it!

What this custom iptables ruleset does:

  • Allow traffic on one single MAC for setup in the Amazon app
  • Block all Amazon dash button traffic
  • Redirect HTTPS and NTP traffic to local services (install the services first!) to shorten the red-blinking time
  • Fire the DHCPDISCOVER log event for ulogd / dashpipe.sh

# Generated by iptables-save

# Restore with iptables-restore < rulesfile

# You must enable IP forwarding with sysctl:
# net.ipv4.ip_forward=1
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [39:3668]

# Server Access
# Allow access to local fake services by dash buttons
# You must modify these rules if you don't have a second LAN interface
# eth1 = IoT subnet; eth0 = trusted subnet
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT

# Forwarding
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# 001
# obsolete rule, for first setup only
#-A FORWARD -m mac --mac-source ac:63:be:e3:ff:ff -j ACCEPT

# 002
# obsolete rule, for first setup only
#-A FORWARD -m mac --mac-source 50:f5:da:0c:ff:ff -j ACCEPT

COMMIT

*nat
:PREROUTING ACCEPT [23:1352]
:INPUT ACCEPT [4:228]
:OUTPUT ACCEPT [4:280]
:POSTROUTING ACCEPT [10:760]
:MACDIRECT - [0:0]
:AMDASH - [0:0]

# Redirect DNS
# Redirect all DNS requests from hardcoded DNS server to my own
-A PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to-destination 192.168.99.1:53
-A POSTROUTING -o eth0 -p udp --dport 53 -j MASQUERADE

# Rules by MAC address from IoT network
# All MAC-based rules
-A PREROUTING -i eth1 -j MACDIRECT

# 001
# Go to magic dash button chain
-A MACDIRECT -m mac --mac-source ac:63:be:e3:ff:ff -j AMDASH

# 002
# Go to magic dash button chain
-A MACDIRECT -m mac --mac-source 50:f5:da:0c:ff:ff -j AMDASH

# Jump back
-A MACDIRECT -j RETURN

# Redirect HTTPS and NTP traffic to local services
# You must activate this sysctl config:
# net.ipv4.conf.eth1.route_localnet = 1
-A AMDASH -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:443
-A AMDASH -p udp --dport 123 -j DNAT --to-destination 127.0.0.1:123

# Fire log event and return to main chain
-A AMDASH -d 255.255.255.255 -j NFLOG --nflog-group 1 --nflog-prefix "AMDASH"
-A AMDASH -j RETURN

COMMIT
