https://github.com/perryflynn/amazon-dashbutton-pipe

Execute custom shell script with Amazon Dash Buttons
amazon amazon-dash-button iot iptables shell-script ulogd

README

Execute custom shell script with Amazon Dash Buttons.

## Workflow

- Press an Amazon Dash Button
- Capture the DHCP DISCOVER packet in iptables and redirect it to ulogd / a FIFO pipe
- Read the pipe and execute the shell scripts mapped to the dash button's MAC address

## Script overview

- `dashinfo.sh`: Show MAC, ID and name of all dash buttons
- `dashpipe.sh`: Main script that reads the pipe and executes the mapped scripts
- `include`: Functions shared by all scripts
- `saferun.sh`: Wrapper that executes the scripts and prevents concurrent execution
- `by-*`: Folders for script mapping, see the README files inside

## Prepare dash buttons

- Use the Amazon app to set up the buttons in your Wi-Fi network
- **Do not** assign any product to the dash button
- Capture the MAC address of the button with Wireshark (or look it up in your router)

**For professional environments:**

- Create a firewall rule to block traffic from the dash button
- Use DNAT to redirect all its traffic to your fake HTTPS web server (this greatly shortens the red-blinking time)
- Delete the dash button from your Amazon app (only possible after the dash button's traffic is blocked)

## Installation

This script uses iptables and ulogd to capture DHCP DISCOVER packets from an Amazon Dash Button.

Ulogd writes its log entries into a FIFO pipe. `dashpipe.sh` extracts the MAC address from each log entry and executes the matching shell scripts. See the README.md file in the `by-*` folders for more information.
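The pipe-reading and MAC-to-script dispatch described above, as an added example that is not the project's own `dashpipe.sh` or `saferun.sh`. It assumes a `by-mac/<mac>/` mapping directory and a constructed LOGEMU sample line in the kernel/ulogd LOG layout, where the `MAC=` field carries the destination MAC, source MAC and ethertype.

```sh
#!/bin/sh
# Added example, not the project's dashpipe.sh/saferun.sh: parse the source MAC
# out of a ulogd LOGEMU line and run the scripts mapped to that MAC, one run at
# a time per MAC. SAMPLE_LINE is a constructed sample in the kernel/ulogd LOG
# layout, where MAC= carries dst(6):src(6):ethertype(2) octets.
SAMPLE_LINE='Jun  5 10:12:31 iotgw AMDASH IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:ac:63:be:e3:ff:ff:08:00 SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67'

# Print the source MAC (characters 19-35 of the MAC= field) of a log line.
# The value is validated before it is ever used as a directory name, so a
# crafted or garbled log line cannot escape the by-mac/ tree. Returns 1 if
# the line has no well-formed MAC= field.
source_mac() {
    src=$(printf '%s\n' "$1" | sed -n 's/.* MAC=\([0-9a-f:]*\).*/\1/p' | cut -c19-35)
    printf '%s\n' "$src" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$src"
}

# Run every executable in "$1/by-mac/<mac>/" for log line "$2" and print the
# number of scripts run. A mkdir lock (atomic on POSIX filesystems) drops
# presses that arrive while a run for the same MAC is still active, which is
# the job the project gives to saferun.sh. Returns 2 when the lock is held.
dispatch() {
    base=$1; mac=$(source_mac "$2") || return 1
    dir="$base/by-mac/$mac"; lock="$base/.lock-$mac"
    [ -d "$dir" ] || { echo 0; return 0; }          # no scripts mapped for this MAC
    mkdir "$lock" 2>/dev/null || { echo 0; return 2; }
    n=0
    for s in "$dir"/*; do
        [ -x "$s" ] && "$s" "$mac" && n=$((n + 1))
    done
    rmdir "$lock"
    echo "$n"
}

# Main loop: block on the FIFO that ulogd writes to and dispatch each line.
# Usage: ./dashpipe-example.sh /etc/amdash /tmp/ulogdash.fifo
if [ "$#" -eq 2 ]; then
    while :; do                      # reopen the FIFO if the writer closes it
        while IFS= read -r line; do dispatch "$1" "$line"; done < "$2"
    done
fi
```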

**Install ulogd and create fifo:**

```
apt-get install ulogd
# dedicated group and user for the dash button scripts
groupadd amdash
useradd -G amdash -s /bin/bash -d /home/amdash -m amdash
# let the ulogd service user write into the group-owned pipe
gpasswd -a ulog amdash
mkfifo /tmp/ulogdash.fifo
chmod ug=rw,o= /tmp/ulogdash.fifo
```

### Setup ulogd

Add the following to `/etc/ulogd.conf`:

```
stack=logdash:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emudash:LOGEMU

[logdash]
group=1

[emudash]
file="/tmp/ulogdash.fifo"
sync=1
```

Restart ulogd.

### iptables

Minimal configuration:

```
iptables -N AMDASH
iptables -A INPUT -m mac --mac-source ac:63:be:xx:xx:xx -j AMDASH
iptables -A INPUT -m mac --mac-source ac:63:b3:xx:xx:xx -j AMDASH
iptables -A AMDASH -d 255.255.255.255 -j NFLOG --nflog-group 1 --nflog-prefix "AMDASH"
iptables -A AMDASH -j RETURN
```

Replace the MAC addresses with yours.

### Test it!

Just start `dashpipe.sh` and watch what happens when you press a button.

## Full iptables setup (professional environment)

I run a dedicated router VM for IoT devices. The VM is configured as the default gateway
in my DHCP server and filters all traffic in my IoT subnet.

You need a second subnet to route between IoT and local network / internet.

**Please do not use this if you don't understand it!**

What this custom iptables ruleset does:

- Allow traffic from one single MAC for setup in the Amazon app
- Block all Amazon Dash Button traffic
- Redirect HTTPS and NTP traffic to local services (install the services first!) to shorten the red-blinking time
- Emit the DHCPDISCOVER log event for ulogd / dashpipe.sh

```
# Generated by iptables-save

# Restore with iptables-restore < rulesfile

# You must enable ip forwarding with sysctl:
# net.ipv4.ip_forward=1

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [39:3668]

# Server Access
# Allow access to local fake services by dash buttons
# You must modify these rules if you don't have a second LAN interface
# eth1 = IoT subnet; eth0 = trusted subnet
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
# Needed for the NTP DNAT below: after DNAT to 127.0.0.1 the packet still
# passes INPUT, and the DROP policy would otherwise discard it
-A INPUT -i eth1 -p udp --dport 123 -j ACCEPT

# Forwarding
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# 001
# obsolete rule, for first setup only
#-A FORWARD -m mac --mac-source ac:63:be:e3:ff:ff -j ACCEPT

# 002
# obsolete rule, for first setup only
#-A FORWARD -m mac --mac-source 50:f5:da:0c:ff:ff -j ACCEPT

COMMIT

*nat
:PREROUTING ACCEPT [23:1352]
:INPUT ACCEPT [4:228]
:OUTPUT ACCEPT [4:280]
:POSTROUTING ACCEPT [10:760]
:MACDIRECT - [0:0]
:AMDASH - [0:0]

# Redirect DNS
# Redirect all DNS requests from hardcoded DNS server to my own
-A PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to-destination 192.168.99.1:53
-A POSTROUTING -o eth0 -p udp --dport 53 -j MASQUERADE

# Rules by MAC address from IoT network
# All MAC-based rules
-A PREROUTING -i eth1 -j MACDIRECT

# 001
# Go to magic dash button chain
-A MACDIRECT -m mac --mac-source ac:63:be:e3:ff:ff -j AMDASH

# 002
# Go to magic dash button chain
-A MACDIRECT -m mac --mac-source 50:f5:da:0c:ff:ff -j AMDASH

# Jump back
-A MACDIRECT -j RETURN

# Redirect HTTPS and NTP traffic to local services
# You must activate this sysctl config:
# net.ipv4.conf.eth1.route_localnet = 1
-A AMDASH -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:443
-A AMDASH -p udp --dport 123 -j DNAT --to-destination 127.0.0.1:123

# Fire log event and return to main chain
-A AMDASH -d 255.255.255.255 -j NFLOG --nflog-group 1 --nflog-prefix "AMDASH"
-A AMDASH -j RETURN

COMMIT
```