Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and...

138
Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

Transcript of Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and...

Page 1: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

Reversing IoT: Xiaomi

EcosystemGain cloud independence and

additional functionality by firmware modification (CC BY-NC-SA 4.0)

Page 2: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

2ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Outline

• Introduction

• Xiaomi Cloud

• Devices and Rooting

– Vacuum Cleaning Robot

– Smart Home Gateway/Lightbulbs/LED Strip

Page 3: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

3ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Outline

• Introduction

• Xiaomi Cloud

• Devices and Rooting

– Vacuum Cleaning Robot

– Smart Home Gateway/Lightbulbs/LED Strip

Page 4: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

4ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Why Xiaomi

“Xiaomi’s ‘Mi Ecosystem’ has 50 million connected devices” [1]

„[…] revenue from its smart hardware ecosystem exceeded 15 billion yuan” (1.9 billion €) [2]

Most important: The stuff is cheap

[1] https://techcrunch.com/2017/01/11/xiaomi-2016-to-2017/[2] https://www.reuters.com/article/us-xiaomi-outlook/chinas-xiaomi-targets-2017-sales-of-14-5-billion-after-2016-overhaul-idUSKBN14W0LZ

Page 5: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

5ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Costs

• Vacuum Cleaning Robot Gen1: ~ 260 €

• Vacuum Cleaning Robot Gen2: ~ 400 €

• Smart Home Gateway: ~25 €

• Sensors: ~5-14 €

• Wifi-Lightbulbs: ~6-12€

Page 6: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

6ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Xiaomi News

• Oculus Rift cooperation with Facebook

Page 7: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

7ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Xiaomi News

• Oculus Rift cooperation with Facebook

• Xiaomi buys Segway

Page 8: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

8ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

How we started

May 2017Mi Band 2Vacuum Robot Gen 1

June 2017Smart Home Gateway + Sensors

July 2017Yeelink Lightbulbs (Color+White)Yeelink LED Strip

Page 9: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

9ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

How we started

October 2017Yeelink DesklampPhilips Eyecare Desklamp

December 2017Yeelink/Philips Ceiling LightsPhilips Smart LED Lightbulb

January 2018Vacuum Robot Gen 2Yeelink Bedside Lamp

Page 10: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

10ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Why Vacuum Robots?

Source: Xiaomi advertisment

Page 11: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

11ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Why Vacuum Robots?

Source: Xiaomi advertisment

Page 12: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

12ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

THE XIAOMI CLOUD

Page 13: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

13ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Xiaomi Cloud

• Different Vendors, one ecosystem

– Same communication protocol

– Different technologies used

• „Public“ guidelines for implementation

– Implementation differs from manufacturer to manufacturer

– https://github.com/MiEcosystem/miio_open

– https://iot.mi.com/index.html

Page 14: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

14ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Xiaomi Ecosystem

HTTPS

ZigBee

XiaomiCloud

Gateway

WiFi

Page 15: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

15ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Xiaomi Ecosystem

HTTPS

ZigBee

XiaomiCloud

Gateway

Page 16: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

16ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Xiaomi Ecosystem

HTTPS

ZigBee

XiaomiCloud

Gateway

Page 17: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

17ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Device to Cloud Communication

• DeviceID

– Unique per device

• Keys

– Cloudkey (16 byte alpha-numeric)

• Is used for cloud communication (AES encryption)

• Static, is not changed by update or provisioning

– Token (16 byte alpha-numeric)

• Is used for app communication (AES encryption)

• Dynamic, is generated at provisioning (connecting to new WiFi)

Page 18: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

18ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Cloud protocol

• Same payload for UDP and TCP stream

• Encryption key depending of Cloud/App usage

• For unprovisioned devices:– During discovery: Token in plaintext in the checksum field

Byte 0,1 Byte 2,3 Byte 4,5,6,7 Byte 8,9,A,B Byte C,D,E,F

Header Magic:2131 Lenght 00 00 00 00 DID epoch (big endian)

Checksum Md5sum[Header + Key(Cloud)/Token(App) + Data(if exists)]

Data Encrypted Data (if exists, e.g. if not Ping/Pong or Hello message)• token = for cloud: key; for app: token• key = md5sum(token)• iv = md5sum(key+token)• cipher = AES(key, AES.MODE_CBC, iv, padded plaintext)

Page 19: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

19ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Cloud protocol

• Data– JSON-formated messages– Packet identified by packetid– Structures:

• commands: "methods" + "params"• responses : "results"

– Every command/response confirmed by receiver (except otc)• Example

– {'id': 136163637, 'params': {'ap': {'ssid’: ‘myWifi', 'bssid': 'F8:1A:67:CC:BB:AA', 'rssi': -30}, 'hw_ver': 'Linux', 'life': 82614, 'model': 'rockrobo.vacuum.v1', 'netif': {'localIp': '192.168.1.205', 'gw': '192.168.1.1', 'mask': '255.255.255.0'}, 'fw_ver': '3.3.9_003077', 'mac': '34:CE:00:AA:BB:DD', 'token': 'xxx'}, 'partner_id': '', 'method': '_otc.info'}

Page 20: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

20ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Xiaomi Ecosystem

HTTPS

ZigBee

XiaomiCloud

Gateway

WiFi

Page 21: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

21ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Xiaomi Ecosystem

HTTPS

ZigBee

XiaomiCloud

Gateway

WiFi

Page 22: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

22ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

App to Cloud communication

• Authentication via OAuth

• Layered encryption

– Outside: HTTPs

– Inside: RC4/AES using a session key

• Separate integrity

• Message format: JSON RPC

Page 23: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

23ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

App to Cloud communication

• REQ: api.io.mi.com/home/device_list method:POST params:[]

• RES: {"message":"ok","result":{"list":[{"did":"65981234","token":“abc…zzz","name":"Mi PlugMini","localip":"192.168.99.123", "mac":"34:CE:00:AA:BB:CC","ssid":"IoT","bssid":"FA:1A:67:CC:DD:EE","model":"chuangmi.plug.m1", "longitude":“-71.0872248","latitude":"42.33794500“, "adminFlag":1,"shareFlag":0,"permitLevel":16,"isOnline":true,"desc":"Power plug on ","rssi":-47}

Page 24: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

24ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

App to Cloud communication

• REQ: api.io.mi.com/home/device_list method:POST params:[]

• RES: {"message":"ok","result":{"list":[{"did":"65981234","token":“abc…zzz","name":"Mi PlugMini","localip":"192.168.99.123", "mac":"34:CE:00:AA:BB:CC","ssid":"IoT","bssid":"FA:1A:67:CC:DD:EE","model":"chuangmi.plug.m1", "longitude":“-71.0872248","latitude":"42.33794500“, "adminFlag":1,"shareFlag":0,"permitLevel":16,"isOnline":true,"desc":"Power plug on ","rssi":-47}

Page 25: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

25ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

App to Cloud communication

• "longitude":"-71.0872248","latitude":"42.33794500”

Source: Openstreetmaps

Page 26: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

26ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

LETS TAKE A LOOK AT THE PRODUCTS

Page 27: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

27ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Products

Different architectures

• ARM Cortex-A

• ARM Cortex-M

– Marvell 88MW30X (integrated WiFi)

– Mediatek MT7687N (integrated WiFi + BT-LE)

• MIPS

• Xtensa

– ESP8266, ESP32 (integrated WiFi)

Page 28: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

28ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Operation Systems

• Ubuntu 14.04

– Vaccum cleaning robots

• Embedded Linux

– IP cameras

• RTOS

– Smart Home products

– Lightbulbs, ceiling lights, light strips

Page 29: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

29ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Implementations

Vacuum Robot Smart Home Gateway Philips Ceiling Light

Manufacturer Rockrobo Lumi United Yeelight

MCU Allwinner + STM + TI Marvell (WiFi) Mediatek (WiFi + BLE)

Firmware Update Encrypted + HTTPS Not Encrypted Not Encrypted + HTTPS (No Cert!)

Debug Interfaces Protected Available Available

Page 30: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

30ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Implementations

Vacuum Robot Smart Home Gateway Philips Ceiling Light

Manufacturer Rockrobo Lumi United Yeelight

MCU Allwinner + STM + TI Marvell (WiFi) Mediatek (WiFi + BLE)

Firmware Update Encrypted + HTTPS Not Encrypted Not Encrypted + HTTPS (No Cert!)

Debug Interfaces Protected Available Available

Bonus: Chinese device, but unknown communication to Server in Salt Lake City, USA

Page 31: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

31ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

LETS GET ACCESS TO THE DEVICES

Page 32: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

32ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

VACUUM CLEANING ROBOTS

Page 33: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

33ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Device Overview

Source: Xiaomi advertisment

Page 34: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

34ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Overview sensors

• 2D LIDAR SLAM (5*360°/s)

• Gen1 only: Ultrasonic distance sensor

• multiple IR sensors

• 3-axis Magnetic Sensor

• 3-axis accelerometer

• 3-axis gyroscope

• Bump sensors

Page 35: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

35ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Rooting: Challenges

• Hardware-based access

– Micro USB Port ?

– Serial Connection on PCB ?

• Network-based access

– Portscan ?

– Sniff Network traffic ?

Page 36: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

36ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Teardown

Page 37: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

37ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Frontside layout mainboard

512 MB RAM

R16SOC

4GBeMMCFlash

WiFi Module

STM32 MCU

Page 38: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

38ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Backside layout mainboard

R16 UART(115200 baud)TxRx

STM UART (921600 baud)

Tx

LIDAR UART

Page 39: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

39ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Frontside layout mainboard (GEN2)

512 MB RAM

R16SOC

4GBeMMCFlash

WiFi Module

STM32MCU

Page 40: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

40ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Rooting

• Usual (possibly destructive) way to retrieve the firmware

Page 41: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

41ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Rooting

• Usual (possibly destructive) way to retrieve the firmware

Page 42: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

42ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Rooting

Our weapon of choice:

Page 43: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

43ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Pin Layout CPU1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

A

MMC

Reset D6 D4 D2 D0 D2 D0 CLK TX UART1

B D7 D5 D3 D1 D3 D1 CMD RX

C CLK SDA TWI1

D RX TX CMD SCL

E

F

Recov

ery

Confir

m UART2

G RX TX

H

Line

IN L

J

LINE

IN R

K

PHO

NE IN

L

PHO

NE IN

M

PHO

NE

MIC1

P

N

PHO

NE

MIC2

P

P SDA SCK RESET RSB0

R

T LCD9 LCD7 LCD5 LCD3 LCD1USB-

DM0

USB-

DP0 USB 1

U LCD8 LCD6 LCD4 LCD2 LCD0USB

DRV

USB-

DM1

USB-

DP1 USB 2

DRAM VCC/VDD GND LCD

UART0 MMC2 MMC1

Page 44: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

44ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Rooting

Initial Idea:

• Shortcut the MMC data lines

• SoC falls back to FEL mode

• Load + Execute tool in RAM

– Via USB connector

– Dump MMC flash

– Modify image

– Rewrite image to flash

Page 45: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

45ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Software

• Ubuntu 14.04.3 LTS (Kernel 3.4.xxx)

– Mostly untouched, patched on a regular base

• Player 3.10-svn

– Open-Source Cross-platform robot device interface & server

• Proprietary software (/opt/rockrobo)

– AppProxy

– RoboController

– Miio_Client

– Custom adbd-version

• iptables firewall enabled

– Blocks Port 22 (SSHd) + Port 6665 (player)

Page 46: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

46ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Available data on device

• Data– Logfiles (syslogs, duration, area, ssid, passwd)– “/usr/sbin/tcpdump -i any -s 0 -c 2000 –w”– Maps– Multiple MBytes/day

• Data is uploaded to cloud• Factory reset

– Restores recovery to system– Does not delete data

• Maps, Logs still exist

Page 47: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

47ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Available data on device

• Maps

– Created by player

– 1024px * 1024px

– 1px = 5cm

Page 48: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

48ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Available data on device

Northeastern University, ISEC Building, 6th floor

Page 49: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

49ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Robot intern

Communication relations

Miio_client

0.0.0.0:54321 (udp)(local):54322 (tcp)

player0.0.0.0:6665

RoboController

AppProxy

wifimgr

*.fds.api.xiaomi.com (https)maps,logs->

<-soundpackages, firmwareuart_mcuuart_ldscompass

IPCplain json (tcp)enc(key) json (tcp/udp)enc(token) json (udp)

Android/iPhone App

<-commands,reports->

ot.io.mi.com:80(tcp)ott.io.mi.com:8053(udp)

AES encrypted

Page 50: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

50ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

eMMC LayoutLabel Content Size in MByte

boot-res bitmaps & some wav files 8

env uboot cmd line 16

app device.conf (DID, key, MAC), adb.conf, vinda 16

recovery fallback copy of OS 512

system_a copy of OS (active by default) 512

system_b copy of OS (passive by default) 512

Download temporary unpacked OS update 528

reserve config + calibration files, blackbox.db 16

UDISK/Data logs, maps, pcap files ~1900

Page 51: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

51ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

eMMC LayoutLabel Content Size in MByte

boot-res bitmaps & some wav files 8

env uboot cmd line 16

app device.conf (DID, key, MAC), adb.conf, vinda 16

recovery fallback copy of OS 512

system_a copy of OS (active by default) 512

system_b copy of OS (passive by default) 512

Download temporary unpacked OS update 528

reserve config + calibration files, blackbox.db 16

UDISK/Data logs, maps, pcap files ~1900

Page 52: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

52ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update process

Page 53: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

53ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update process

miIO.ota {"mode":"normal“, "install":"1", "app_url":"https://[URL]/v11_[version].pkg", "file_md5":“[md5]",”proc":"dnld install“}

Page 54: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

54ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update process

Page 55: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

55ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update process

2. Download [app_url]

system_a

system_b

Download

Data

Activecopy

Page 56: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

56ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update process

2. Download [app_url]

system_a

system_b

Download

Data

Activecopy

Page 57: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

57ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update processsystem_a

system_b

Download

Data

Activecopy

Page 58: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

58ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update processsystem_a

system_b

Download

Data

MD5 ok?

Activecopy

Page 59: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

59ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update processsystem_a

system_b

Download

Data

Decrypt + image OK?

Activecopy

Page 60: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

60ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update processsystem_a

system_b

Download

DataUnpack + dd

Activecopy

Page 61: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

61ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update processsystem_a

system_b

Download

Data

Activecopy

Update root pwin /etc/shadow

Page 62: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

62ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update processsystem_a

system_b

Download

Data

dd

Activecopy

Page 63: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

63ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update processsystem_a

system_b

Download

Data

Activecopy

rebooting…

Page 64: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

64ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update processsystem_a

system_b

Download

Data

Activecopy

rebooting…

Page 65: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

65ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update processsystem_a

system_b

Download

Data

Activecopy

dd

Page 66: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

66ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Update processsystem_a

system_b

Download

Data

Activecopy

Page 67: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

67ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Firmware updates

• Full and partial images– Encrypted tar.gz archives– Full image contains disk.img

• 512 Mbyte ext4-filesystem

• Encryption– Static password: “rockrobo”– Ccrypt [256-bit Rijndael encryption (AES)]

• Integrity– MD5 provided by cloud

Page 68: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

68ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Firmware updates

• Full and partial images– Encrypted tar.gz archives– Full image contains disk.img

• 512 Mbyte ext4-filesystem

• Encryption– Static password: “rockrobo”– Ccrypt [256-bit Rijndael encryption (AES)]

• Integrity– MD5 provided by cloud

Sound PackagesStatic password: “r0ckrobo#23456”

Page 69: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

69ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Page 70: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

70ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Lets root remotely

• Preparation: Rebuild Firmware

– Include authorized_keys

– Remove iptables rule for sshd

• Send „miIO.ota“ command to vacuum

– Encrypted with token

• From app or unprovisioned state

– Pointing to own http server

Page 71: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

71ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Lets root remotely

unprovisioned state

Webserver

Page 72: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

72ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Lets root remotely

unprovisioned state

„Get Token“

Webserver

Page 73: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

73ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Lets root remotely

unprovisioned state

„Get Token“

Webserver

Page 74: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

74ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Lets root remotely

„miIO.ota“

unprovisioned state

„Get Token“

Webserver

Page 75: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

75ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Lets root remotely

„miIO.ota“

unprovisioned state

„Get Token“

Webserver

Page 76: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

76ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Lets root remotely

„miIO.ota“

„Get Token“

Webserver

Page 77: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

77ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

SSH

Page 78: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

78ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Page 79: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

79ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Page 80: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

80ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Page 81: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

81ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Page 82: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

82ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Page 83: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

83ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Gain Independence

Two methods:

• Replacing the cloud interface

• Proxy cloud communication

Xiaomi Cloud

Page 84: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

84ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Robot intern

My cloud client

https, mqtt, etc…(local):54322 (tcp)

Replacing the cloud interface

Miio_client

0.0.0.0:54321 (udp)(local):54322 (tcp)

ot.io.mi.com:80(tcp)ott.io.mi.com:8053(udp)

*.fds.api.xiaomi.com (https)

IPCplain json (tcp)enc(key) json (tcp/udp)enc(token) json (udp)

Android/iPhone App

<-commands,reports->

player0.0.0.0:6665

RoboController

AppProxy

wifimgr

uart_mcuuart_ldscompass

Page 85: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

85ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Robot intern

Replacing the cloud interface

*.fds.api.xiaomi.com (https)

IPCplain json (tcp)enc(key) json (tcp/udp)enc(token) json (udp)

<-commands,reports->

player0.0.0.0:6665

RoboController

AppProxy

wifimgr

uart_mcuuart_ldscompass

Page 86: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

86ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Robot intern

My cloud client

https, mqtt, etc…(local):54322 (tcp)

Replacing the cloud interface

*.fds.api.xiaomi.com (https)

IPCplain json (tcp)enc(key) json (tcp/udp)enc(token) json (udp)

FHEMHome Assistant

<-commands,reports->

player0.0.0.0:6665

RoboController

AppProxy

wifimgr

uart_mcuuart_ldscompass

Page 87: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

87ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Robot intern

My cloud client

https, mqtt, etc…(local):54322 (tcp)

Replacing the cloud interface

IPCplain json (tcp)enc(key) json (tcp/udp)enc(token) json (udp)

FHEMHome Assistant

/etc/hosts

127.0.0.1 awsbj0...127.0.0.1 aswbj0-files…127.0.0.1 cdn.cnbj0….

<-commands,reports->

player0.0.0.0:6665

RoboController

AppProxy

wifimgr

uart_mcuuart_ldscompass

Page 88: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

88ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Robot intern

player0.0.0.0:6665

RoboController

AppProxy

wifimgr

uart_mcuuart_ldscompass

Proxy cloud communication

Miio_client

0.0.0.0:54321 (udp)(local):54322 (tcp)

ot.io.mi.com:80(tcp)ott.io.mi.com:8053(udp)

IPCplain json (tcp)enc(key) json (tcp/udp)enc(token) json (udp)

Android/iPhone App

*.fds.api.xiaomi.com (https)

<-commands,reports->

Page 89: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

89ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Robot intern

player0.0.0.0:6665

RoboController

AppProxy

wifimgr

uart_mcuuart_ldscompass

Proxy cloud communication

Miio_client

0.0.0.0:54321 (udp)(local):54322 (tcp)

ot.io.mi.com:80(tcp)ott.io.mi.com:8053(udp)

IPCplain json (tcp)enc(key) json (tcp/udp)enc(token) json (udp)

Android/iPhone App

*.fds.api.xiaomi.com (https)

<-commands,reports->

Page 90: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

90ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Robot intern

player0.0.0.0:6665

RoboController

AppProxy

wifimgr

uart_mcuuart_ldscompass

Proxy cloud communication

Miio_client

0.0.0.0:54321 (udp)(local):54322 (tcp)

ot.io.mi.com:80(tcp)ott.io.mi.com:8053(udp)

IPCplain json (tcp)enc(key) json (tcp/udp)enc(token) json (udp)

Android/iPhone App

/etc/hosts

130.83.x.x ot.io.mi.com 130.83.x.x ot.io.mi.com

Dustcloud

*.fds.api.xiaomi.com (https)

<-commands,reports->

Page 91: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

91ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Summary of the Vacuum

• Rooting

– Remote!

• Cloud Connection

– Run without cloud

– Run with your own cloud

• Our goal: We want the Cloudkeys!

Page 92: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

92ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

SMART HOME GATEWAY, LIGHTBULBS AND LED STRIPS

Page 93: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

93ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Xiaomi Ecosystem

HTTPS

ZigBee

XiaomiCloud

Gateway

Page 94: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

94ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Xiaomi Ecosystem

HTTPS

ZigBee

XiaomiCloud

Gateway

Page 95: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

95ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Overview Hardware

• Application-MCU: Marvell 88MW30x– ARM Cortex-M4F @ 200 MHz– RAM: 512KByte SRAM– QSPI interface, supports XIP– Flash: 16 MByte (Gateway)

• 4 Mbyte SPI (LED Strip, Lightbulb)– Integrated 802.11b/g/n WiFi Core

• Zigbee-MCU: NXP JN5169 (Gateway only)– 32-bit RISC CPU– RAM: 32 kB– Flash: 512 kB embedded Flash, 4 kB EEPROM

Page 96: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

96ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Sensors connected via gateway

Zigbee (NXP JN5169) based• Door Sensor (Reed contact)• Temperature sensor• Power Plug• Motion Sensor• Button• Smoke Detector• Smart Door Lock• …

Page 97: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

97ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

• PCB got lots of testing points• SWD is enabled by default

Acquiring the Key

SDCLK SDIO

RST TX* GND RX*

We can get the keyfrom the memdump

*UART

Page 98: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

98ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Acquiring the Key

• Can we get the Key without a hardware attack?

• Firmware updates are not signed…

Page 99: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

99ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Acquiring the Key

• Can we get the Key without a hardware attack?

• Firmware updates are not signed…

Page 100: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

100ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Acquiring the Key

• Can we get the Key without a hardware attack?

• Firmware updates are not signed…

Lets create a modified firmwarewhich gives us the keyautomatically!

Page 101: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

101ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Acquiring the Key

• Can we get the Key without a hardware attack?

• Firmware updates are not signed…

No hardware access needed

Lets create a modified firmwarewhich gives us the keyautomatically!

Page 102: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

102ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Acquiring the Key

• Can we get the Key without a hardware attack?

• Firmware updates are not signed…

No hardware access needed

The lightbulb runs a bare-metal OS => we need to patch the binary

Lets create a modified firmwarewhich gives us the keyautomatically!

Page 103: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

103ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Goals

Original code

Branch: Original code

Page 104: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

104ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Goals

Original code

Branch: Original code

Patch code

Page 105: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

105ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Goals

Original code

Patch code

Branch: Patch code

Page 106: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

106ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Goals

Original code

Patch code

Branch: Patch code

Page 107: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

107ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Goals

• Modify program flow

• Add additional code

• Use existing functions

Original code

Patch code

Branch: Patch code

Page 108: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

108ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Why can it be hard?

• Overwrite branch instructionsNew Address = Value of PC + Offset (on ARM)

• Write new code in assembly

• Model address space (RAM / ROM / free space)

• Call existing functions

• Handle different firmware versions and devices

Page 109: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

109ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Nexmon Framework

definitions.mk

Prerequisite: Know memory layout

Page 110: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

110ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Nexmon Framework

definitions.mk

Prerequisite: Know memory layout

Original code

Branch: Original code

Patch code

Page 111: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

111ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Nexmon Framework

definitions.mk

Prerequisite: Know memory layout

Original code

Branch: Original code

Patch code

Page 112: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

112ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Nexmon Framework

definitions.mk

Prerequisite: Know memory layout

Original code

Branch: Original code

Patch code

Page 113: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

113ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Nexmon Framework

wrapper.c

Prerequisite: Know function names and signature

Page 114: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

114ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Nexmon Framework

Get function names:

main()

Compile Example Project with debug symbols

011010100011

vs

Use Bindiff to applyfunction names

Load binaryinto IDA

Page 115: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

115ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Nexmon Framework

Putting it all together: Write your patch code in Cpatch.c

Page 116: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

116ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Nexmon Framework

Putting it all together: Write your patch code in Cpatch.c

Original code

Branch: Original code

Patch code

Page 117: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

117ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Binary Patching: Nexmon Framework

Putting it all together: Write your patch code in Cpatch.c

Original code

Branch: Original code

Patch code

Page 118: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

118ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Preparing the modified binary (Marvell)

• Preliminary approach for lightbulbs SPI done by Uri Shaked*

• But SPI format != OTA format

* h

ttp

s://

ha

cker

no

on

.co

m/i

nsi

de-

the-

bu

lb-a

dve

ntu

res-

in-

reve

rse-

eng

inee

rin

g-s

ma

rt-b

ulb

-fir

mw

are

-1b

81

ce2

69

4a

6

Byte 0-3 4-7 8-11 12-15 16-19

Magic Magic Timestamp # of segments entry address

0x00000000 4D 52 56 4C 7B F1 9C 2E FF BE A8 59 03 00 00 00 19 37 00 1F

"MRVL" 0x1f003719

segment magic offset in file size of segment mem addr checksum

0x00000014 02 00 00 00 C8 00 00 00 50 36 00 00 00 00 10 00 20 C8 51 7D

0xc8 0x3650 0x100000

segment magic offset in file size of segment mem addr checksum

0x00000028 02 00 00 00 18 37 00 00 28 15 08 00 18 37 00 1F 0A 11 25 85

0x3718 0x81528 0x1f003718

segment magic offset in file size of segment mem addr checksum

0x0000003C 02 00 00 00 40 4C 08 00 54 19 00 00 40 00 00 20 FB 5F ED 39

0x84c40 0x1954 0x20000040

Page 119: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

119ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Preparing the modified binary (Marvell)

• Preliminary approach for lightbulbs SPI done by Uri Shaked*

• But SPI format != OTA format

• Dennis wrote a script for that + Mediatek OTA format ☺ * h

ttp

s://

ha

cker

no

on

.co

m/i

nsi

de-

the-

bu

lb-a

dve

ntu

res-

in-

reve

rse-

eng

inee

rin

g-s

ma

rt-b

ulb

-fir

mw

are

-1b

81

ce2

69

4a

6

Byte 0-3 4-7 8-11 12-15 16-19

Magic Magic Timestamp # of segments entry address

0x00000000 4D 52 56 4C 7B F1 9C 2E FF BE A8 59 03 00 00 00 19 37 00 1F

"MRVL" 0x1f003719

segment magic offset in file size of segment mem addr checksum

0x00000014 02 00 00 00 C8 00 00 00 50 36 00 00 00 00 10 00 20 C8 51 7D

0xc8 0x3650 0x100000

segment magic offset in file size of segment mem addr checksum

0x00000028 02 00 00 00 18 37 00 00 28 15 08 00 18 37 00 1F 0A 11 25 85

0x3718 0x81528 0x1f003718

segment magic offset in file size of segment mem addr checksum

0x0000003C 02 00 00 00 40 4C 08 00 54 19 00 00 40 00 00 20 FB 5F ED 39

0x84c40 0x1954 0x20000040

Page 120: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

120ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Page 121: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

121ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Page 122: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

122ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Page 123: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

123ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Xiaomi CDN

Page 124: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

124ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Xiaomi CDN

Page 125: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

125ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Xiaomi CDN

Page 126: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

126ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Xiaomi CDN

Page 127: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

127ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Xiaomi CDN

DNS

Page 128: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

128ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Xiaomi CDN

DNS

Page 129: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

129ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Xiaomi CDN

„Hillbilly“ CDN

DNS

Page 130: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

130ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Xiaomi CDN

„Hillbilly“ CDN

DNS

Page 131: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

131ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Applying the modified firmware

Xiaomi Cloud

Xiaomi CDN

„Hillbilly“ CDN

DNS

Page 132: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

132ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Proxy cloud communication

ot.io.mi.com:80(tcp)ott.io.mi.com:8053(udp)

IPCplain json (tcp)enc(key) json (tcp/udp)enc(token) json (udp)

Android/iPhone App

DNS Records

130.83.x.x ot.io.mi.com 130.83.x.x ot.io.mi.com

Dustcloud

<-commands,reports->

Page 133: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

133ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Proxy cloud communication

ot.io.mi.com:80(tcp)ott.io.mi.com:8053(udp)

IPCplain json (tcp)enc(key) json (tcp/udp)enc(token) json (udp)

Android/iPhone App

DNS Records

130.83.x.x ot.io.mi.com 130.83.x.x ot.io.mi.com

Dustcloud

<-commands,reports->

Page 134: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

134ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Other Possible Modifications

• Marvell 88MW30x SDK WiFi sample apps

– p2p_demo

– raw_p2p_demo

– wlan_frame_inject_demo

– wlan_sniffer

Page 135: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

135ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

One word of warning…

• Never leave your devices unprovisioned

– Someone else can provision it for you

• Install malicious firmware

• Snoop on your apartment

• Be careful with used devices

– e.g. Amazon Marketplace

– Some malicious software may be installed

Page 136: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

136ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Acknowledgements & FAQ

• Secure Mobile Networking (SEEMOO) Labs and CROSSING S1

• Prof. Guevara Noubir (CCIS, Northeastern University)

www.dontvacuum.me*Will be updated after the ReCon ;)

Page 137: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

137ReCon BRX 2018 – Dennis Giese, Daniel Wegemer

Final remarks

• I (Dennis) want to personally thank the “Studienstiftung des deutschen Volkes”(SDV) for their scholarship and support for my graduate study. Without them I probably would not have time to do this research.

• This research was not financed by Xiaomi nor any competitor. The research was founded by my private funds and was done in our free time.

Page 138: Reversing IoT: Xiaomi Ecosystem · Reversing IoT: Xiaomi Ecosystem Gain cloud independence and additional functionality by firmware modification (CC BY-NC-SA 4.0)

138ReCon BRX 2018 – Dennis Giese, Daniel Wegemer