In my previous post about hacking the Amazon Dash Button I concluded by saying that I’d explain how to detect the ARP request using Ted Benson’s code and explain what you’ll have to do to make the code work.

Just to refresh, in that previous post we configured an Amazon Dash Button up to the point where we should have chosen the product that the button would trigger an order for when the button was pressed. Because we stopped there, now, when the button is pressed, the Dash Button will wake up, request an IP address via DHCP from the wireless network we configured it for, then, as any device should (whether or not it gets its IP address via DHCP), it will issue an ARP Probe to make sure that no other device on the local network is using the IP address it’s been assigned.

RFC 5227, section 2.1.1, explains how an ARP Probe functions:

A host probes to see if an address is already in use by broadcasting an ARP Request for the desired address. The client MUST fill in the 'sender hardware address' field of the ARP Request with the hardware address of the interface through which it is sending the packet. The 'sender IP address' field MUST be set to all zeroes; this is to avoid polluting ARP caches in other hosts on the same link in the case where the address turns out to be already in use by another host. The 'target hardware address' field is ignored and SHOULD be set to all zeroes. The 'target IP address' field MUST be set to the address being probed. An ARP Request constructed this way, with an all-zero 'sender IP address', is referred to as an 'ARP Probe'.

What is useful about an ARP Probe is that it contains the requesting device’s media access control address (MAC address) which should be unique.
So, if we watch the network for ARP Probes and decode them, we can figure out what the MAC address of our Dash Button is.

Ted’s code is in Python and that makes it very easy to use but first you’ll need to install the Scapy library. Scapy is not only a library, it’s also an amazing networking tool:

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.

Installing Scapy should be easy but it turns out that there are a load of gotchas that’ll getcha. On OS X there’s an article by Juha Laaksonen on wrangling Scapy on OS X that will save you all sorts of anguish, as will the following command:

    sudo chmod go+r /dev/bpf*

This command will, for current flavors of OS X, resolve the error you’ll get ...

    Exception: en0: You don't have permission to capture on that device ((cannot open BPF device) /dev/bpf0: Permission denied)

... when you run the code because OS X, by default, only allows root access to the Berkeley Packet Filter (BPF) devices. The command solves this problem by changing all of the bpf interfaces (/dev/bpf*) to be readable (+r) by g (group; users who are members of the file's group) and o (others; users who are neither the owner of the file nor members of the file's group). The consequence is that any local user on the machine can then capture network traffic.
Installing Scapy for Windows and Linux is somewhat easier and the Scapy documentation covers it well.

So, here’s Ted’s code:

    from scapy.all import *

    def arp_display(pkt):
        # Called by sniff() for every packet that matches the "arp" filter.
        if pkt[ARP].op == 1:  # who-has (request)
            if pkt[ARP].psrc == '0.0.0.0':  # ARP Probe
                print("ARP Probe from: " + pkt[ARP].hwsrc)

    print(sniff(prn=arp_display, filter="arp", store=0, count=10))

What this code does is monitor the network via raw packet capture, look for ARP Probes, then print the MAC address in each probe. Note that Ted's code used the argument count=10 in the sniff function call, which restricted the code to capturing only 10 packets; on a busy network this will happen almost instantly so I removed the argument and chose to just inelegantly kill off the program using control-C.

After pressing the Dash Button, you should see a display like this (I’m using OS X "El Capitan" so sudo is required):

    RedQueen:dash mgibbs$ sudo python dash-01.py
    Password:
    ARP Probe from: 74:c2:46:d7:7a:00

Voila! Now you have your button’s MAC address.
You might try this once or twice more just to make sure that it really is your button’s MAC address as other devices on your network that have power saving modes (for example, Apple TVs) will occasionally wake up and perform ARP Probes.

Ted suggests the following code to identify when your button is specifically pushed (this code recognizes two buttons named “Huggies” and “Elements”):

    from scapy.all import *

    def arp_display(pkt):
        # Called by sniff() for every packet that matches the "arp" filter.
        if pkt[ARP].op == 1:  # who-has (request)
            if pkt[ARP].psrc == '0.0.0.0':  # ARP Probe
                if pkt[ARP].hwsrc == '74:75:48:5f:99:30':  # Huggies
                    print("Pushed Huggies")
                elif pkt[ARP].hwsrc == '10:ae:60:00:4d:f3':  # Elements
                    print("Pushed Elements")
                else:
                    print("ARP Probe from unknown device: " + pkt[ARP].hwsrc)

    print(sniff(prn=arp_display, filter="arp", store=0))

Ted goes on to explain that the button presses can be recorded in a Google Spreadsheet using Magic Form, a tool from his startup, Cloudstitch, and he provides the code to make this work.

Other choices for using the button press data are to send the events to Twitter via the Tweepy library, control Philips Hue lights via the Phue library (I recently reviewed the Hue system), or trigger anything that IFTTT supports using the ifttt library. And you can even go further in hacking the Dash Button; according to the Dash Button teardown article by Matthew Petroff:

Adafruit now has a guide for reprogramming the Button. There’s also an interesting project on GitHub that has a firmware dump and other firmware and reprogramming information.

These hacks of the Amazon Dash Button are really interesting, crazy cheap, and potentially very useful Internet of Things experiments.
If you find a good use for a hacked Dash Button beyond Ted’s baby poop and wake up tracking, let me know.
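
The scripts above need Scapy and a live capture. As an added example (not Ted Benson's code and not part of the original post), the following applies the same RFC 5227 test to raw Ethernet frame bytes with only the Python standard library, and goes slightly further by separating ARP Announcements and ordinary requests from Probes. The KNOWN_BUTTONS table, the button name, the second MAC address and the 192.168.1.x addresses are constructed for illustration.

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
# Hypothetical lookup table; the MAC is the one in the article's sample output.
KNOWN_BUTTONS = {"74:c2:46:d7:7a:00": "my-dash-button"}

def classify_arp(frame):
    """Return (kind, sender_mac, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None                        # truncated frame
    if ETH_HDR.unpack_from(frame)[2] != 0x0806:
        return None                        # EtherType is not ARP
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    if op != 1:
        kind = "other"                     # replies and anything that is not who-has
    elif spa == b"\x00" * 4:
        kind = "probe"                     # RFC 5227 2.1.1: all-zero sender IP
    elif spa == tpa:
        kind = "announcement"              # sender IP equals target IP
    else:
        kind = "request"                   # ordinary who-has
    return kind, ":".join("%02x" % b for b in sha), socket.inet_ntoa(tpa)

def button_pressed(frame):
    """Name of the known button that sent this ARP Probe, else None."""
    result = classify_arp(frame)
    if result and result[0] == "probe":
        return KNOWN_BUTTONS.get(result[1])
    return None

def build_arp(op, sha, spa, tpa):
    """Build a broadcast ARP frame for the demo (constructed data, not a capture)."""
    return ETH_HDR.pack(b"\xff" * 6, sha, 0x0806) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, sha, socket.inet_aton(spa), b"\x00" * 6, socket.inet_aton(tpa))

BUTTON = bytes.fromhex("74c246d77a00")
OTHER = bytes.fromhex("020000000001")      # constructed locally administered MAC
SAMPLES = [
    build_arp(1, BUTTON, "0.0.0.0", "192.168.1.50"),        # probe from the button
    build_arp(1, BUTTON, "192.168.1.50", "192.168.1.50"),   # announcement
    build_arp(1, OTHER, "192.168.1.7", "192.168.1.1"),      # ordinary who-has
    build_arp(1, OTHER, "0.0.0.0", "192.168.1.8"),          # probe, unknown device
]
for sample in SAMPLES:
    print(classify_arp(sample), button_pressed(sample))
```

Only the first sample counts as a button press: the announcement and the ordinary request come from real addresses, and the last probe comes from a MAC that is not in the table.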