Dennis Giese and Daniel Wegemer – 34C3 (PowerPoint PPT Presentation)



  1. Dennis Giese and Daniel Wegemer – 34C3

  2. Post presentation remarks (28.12., 18:00)
     • Rooting is now possible without opening the device
     • You can only root one device (your own)
       – If you read the Heise article you might think that we might root multiple devices on the internet
     • We consider the Xiaomi Cloud a good and safe design
     • Due to time restrictions (our time was cut from 45 minutes to 30 minutes, including FAQ), we had to exclude a lot of information
       – Look into the repo for more technical information
     • Contact: dustcloud@1338-1.org

  3. Why Xiaomi?
     • “Xiaomi’s ‘Mi Ecosystem’ has 50 million connected devices” [1]
     • “[…] revenue from its smart hardware ecosystem exceeded 15 billion yuan” (1.9 billion €) [2]
     • Most important: the stuff is cheap
     [1] https://techcrunch.com/2017/01/11/xiaomi-2016-to-2017/
     [2] https://www.reuters.com/article/us-xiaomi-outlook/chinas-xiaomi-targets-2017-sales-of-14-5-billion-after-2016-overhaul-idUSKBN14W0LZ

  4. Why Vacuum Robots? (Source: Xiaomi advertisement)

  5. Xiaomi Ecosystem (diagram: devices connect over WiFi, or through a ZigBee Gateway, to the Xiaomi Cloud via HTTPS)

  6. Xiaomi Ecosystem (diagram continued: ZigBee Gateway – HTTPS – Xiaomi Cloud)

  7. Device Overview (Source: Xiaomi advertisement)

  8. Rooting: Challenges
     • Hardware access
       – Micro USB port?
       – Serial connection on the PCB?
     • Network based
       – Portscan?
       – Sniff network traffic?

  9. Teardown

  10. Frontside layout of the mainboard (labels: 512 MB RAM, STM32 MCU, 4 GB eMMC flash, Allwinner R16 SoC, WiFi module)

  11. Backside layout of the mainboard (labels: LIDAR UART; R16 UART, 115200 baud; STM UART, 921600 baud; Tx/Rx pads)

  12. Rooting – our weapon of choice: (image)

  13. Rooting – initial idea:
      • Short the MMC data lines
      • SoC falls back to FEL mode
      • Load and execute a tool in RAM via the USB connector
        – Dump the MMC flash
        – Modify the image
        – Rewrite the image to flash
      (Source: wikicommons)

  14. Software
      • Ubuntu 14.04.3 LTS (Kernel 3.4.xxx)
        – Mostly untouched, patched on a regular basis
      • Player 3.10-svn
        – Open-source cross-platform robot device interface & server
      • Xiaomi proprietary software (/opt/rockrobo)
        – AppProxy
        – RoboController
        – Miio_Client
        – Custom adbd version
      • iptables firewall enabled
        – Blocks port 22 (sshd) and port 6665 (player)

  15. Available data on device
      • Data
        – Logfiles (syslogs, duration, area, SSID, password)
        – Packet captures: /usr/sbin/tcpdump -i any -s 0 -c 2000 -w
        – Multiple MBytes/day
        – Maps
      • Data is uploaded to the cloud
      • Factory reset
        – Restores recovery to system – does not delete data
        – Maps and logs still exist

  16. Available data on device
      • Maps
        – Created by player
        – 1024 px × 1024 px
        – 1 px = 5 cm

  17. Configurations
      • DeviceID – unique per device
      • Keys
        – Cloudkey (16 byte, alphanumeric)
          • Used for cloud communication
          • Static, not changed by update or provisioning
        – Token (16 byte, alphanumeric)
          • Used for app communication
          • Dynamic, generated at provisioning (connecting to a new WiFi)

  18. Communication relations (diagram)
      • Robot-internal IPC, plain JSON (tcp): compass, uart_lds, uart_mcu, player (0.0.0.0:6665), RoboController, wifimgr, Miio_client and AppProxy; RoboController exchanges commands and reports with Miio_client over (local):54322 (tcp)
      • Cloud, enc(key) JSON (tcp/udp), AES encrypted: Miio_client ↔ ot.io.mi.com:80 (tcp) and ott.io.mi.com:8053 (udp)
      • Cloud, https: *.fds.api.xiaomi.com – sound packages and firmware are downloaded, maps and logs are uploaded
      • App, enc(token) JSON (udp): Android/iPhone app ↔ AppProxy (0.0.0.0:54321 udp)

  19. Update process – miIO.ota
      {"mode":"normal", "install":"1", "app_url":"https://[URL]/v11_[version].pkg", "file_md5":"[md5]", "proc":"dnld install"}

  20.–33. Update process (animated diagram; partitions: system_a = Active, system_b = copy, Download Data)
      1. miIO.ota command received (see slide 19)
      2. Download [app_url] into Download Data
      3. MD5 ok?
      4. Decrypt + image OK?
      5. Unpack + dd the image to system_b
      6. Update root pw in /etc/shadow
      7. dd
      8. rebooting …
      9. system_b is now Active, system_a is the copy
      10. dd to system_a (now the copy)

  34. Firmware updates
      • Full and partial images
        – Encrypted tar.gz archives
        – Full image contains disk.img: 512 MByte ext4 filesystem
      • Encryption
        – Static password: “rockrobo”
        – ccrypt (256-bit Rijndael encryption, AES)
      • Integrity
        – MD5 provided by cloud

  35. Let's root remotely
      • Preparation – rebuild the firmware
        – Include authorized_keys
        – Remove the iptables rule for sshd
      • Send the “miIO.ota” command to the vacuum
        – Encrypted with the token
        – From the app or from unprovisioned state
        – Pointing to own HTTP server
      • Note: the image is only protected by the static ccrypt password and the MD5 sent along with the command, so whoever knows the token can install a self-built image
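As an added example (not code from the talk or from the dustcloud project), the script below builds the miIO.ota command of slides 19 and 35 for a package we host ourselves and frames it the way the app sends commands to AppProxy on UDP 54321. The framing details (0x2131 magic, 16-byte header, AES-128-CBC with key = MD5(token) and IV = MD5(key || token), MD5 checksum over header || token || ciphertext) come from the publicly documented miIO protocol as implemented in python-miio, not from the slides. The token, device ID, stamp, package bytes and URL are constructed sample values. AES is implemented in pure Python only so the script runs offline without pycryptodome; use a real library in practice.

```python
import hashlib
import json
import struct

# --- Minimal AES-128-CBC (encrypt only), pure Python so the example runs offline ---

def _make_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                   # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # affine transform (rotations)
        sbox[p] = ((x & 0xFF) ^ (x >> 8)) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _make_sbox()

def _xtime(a):
    """Multiply by x (i.e. by 2) in GF(2^8)."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _encrypt_block(round_keys, block):
    """Encrypt one block; state is 16 bytes in column-major order as in FIPS-197."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != 10:                                                        # MixColumns
            mixed = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                mixed += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                     # AddRoundKey
    return bytes(s)

def aes128_cbc_encrypt(key, iv, data):
    """AES-128-CBC with PKCS#7 padding, the mode used for miIO payloads."""
    rk = _expand_key(key)
    pad = 16 - len(data) % 16
    data = data + bytes([pad]) * pad
    out, prev = bytearray(), iv
    for i in range(0, len(data), 16):
        prev = _encrypt_block(rk, bytes(x ^ y for x, y in zip(data[i:i + 16], prev)))
        out += prev
    return bytes(out)

# --- miIO framing: what the app sends to AppProxy on UDP 54321 ---

def miio_keys(token):
    """Derive the payload key and IV from the 16-byte device token."""
    key = hashlib.md5(token).digest()
    iv = hashlib.md5(key + token).digest()
    return key, iv

def build_miio_packet(token, device_id, stamp, payload_json):
    """16-byte header (magic 0x2131, length, unknown=0, device id, stamp) + MD5 checksum + ciphertext."""
    key, iv = miio_keys(token)
    enc = aes128_cbc_encrypt(key, iv, payload_json.encode())
    header = struct.pack(">HHIII", 0x2131, 32 + len(enc), 0, device_id, stamp)
    checksum = hashlib.md5(header + token + enc).digest()  # the token is the only secret in the MAC
    return header + checksum + enc

def parse_miio_packet(token, pkt):
    """Device-side view: reject packets whose checksum was not made with our token."""
    magic, length, _unknown, device_id, stamp = struct.unpack(">HHIII", pkt[:16])
    if magic != 0x2131 or length != len(pkt):
        raise ValueError("bad miIO header")
    if hashlib.md5(pkt[:16] + token + pkt[32:]).digest() != pkt[16:32]:
        raise ValueError("checksum mismatch: wrong token")
    return {"device_id": device_id, "stamp": stamp, "ciphertext": pkt[32:]}

def ota_command(msg_id, app_url, package_bytes):
    """The miIO.ota command from the slides; file_md5 is just the MD5 of whatever package we host."""
    return json.dumps({"id": msg_id, "method": "miIO.ota",
                       "params": {"mode": "normal", "install": "1", "app_url": app_url,
                                  "file_md5": hashlib.md5(package_bytes).hexdigest(),
                                  "proc": "dnld install"}})

if __name__ == "__main__":
    TOKEN = b"0123456789abcdef"   # constructed sample token: 16 alphanumeric bytes as stored on the device
    PACKAGE = b"\x00" * 64         # constructed stand-in for a rebuilt, ccrypt-encrypted .pkg
    cmd = ota_command(1, "http://192.168.1.50:8080/v11_custom.pkg", PACKAGE)  # sample URL, own HTTP server
    pkt = build_miio_packet(TOKEN, device_id=0x01020304, stamp=1000, payload_json=cmd)
    print(cmd)
    print(pkt.hex())
```

To actually deliver the packet you would send it with a UDP socket to the robot's port 54321; the real client first sends a 32-byte hello packet (all 0xFF after magic and length) to learn the device ID and current stamp, a protocol step not shown on the slides. The point the code makes is the one slide 35 makes: nothing in the command or the package is signed, so the token is the only thing standing between the device and a self-built image.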

  36. SSH


  42. Gain independence from the Xiaomi Cloud (Source: 20th Century Fox)
      Two methods:
      • Replacing the cloud interface
      • Proxying cloud communication

  43. Replacing the cloud interface (diagram: the slide 18 layout, with Miio_client replaced by “My cloud client” on (local):54322 (tcp), talking https, mqtt, etc. to the outside)

  44. Replacing the cloud interface (diagram: the Xiaomi cloud endpoints ot.io.mi.com:80 (tcp) and ott.io.mi.com:8053 (udp) and the app path are removed; robot-internal IPC, *.fds.api.xiaomi.com (https) and player (0.0.0.0:6665) remain)

  45. Replacing the cloud interface (diagram: “My cloud client” connects RoboController, via (local):54322 (tcp), to FHEM or Home Assistant over https, mqtt, etc.)

  46. Replacing the cloud interface – /etc/hosts entries that sink the remaining cloud hostnames locally:
      127.0.0.1 awsbj0...
      127.0.0.1 aswbj0-files…
      127.0.0.1 cdn.cnbj0….

  47. Proxy cloud communication (diagram: the unchanged slide 18 layout, Miio_client ↔ ot.io.mi.com:80 (tcp) / ott.io.mi.com:8053 (udp) and *.fds.api.xiaomi.com (https), as the starting point for proxying those connections)
