Dennis Giese and Daniel Wegemer – 34C3

Post presentation remarks 28.12. 18:00

  • Rooting is now possible without opening the device
  • You can only root one device (your own)
    – If you read the Heise article, you might think that we could root multiple devices on the internet
  • We consider the Xiaomi Cloud a good and safe design
  • Due to time restrictions (our time was cut from 45 minutes to 30 minutes, including FAQ), we had to exclude a lot of information
    – Look into the repo for more technical information
  • Contact: dustcloud@1338-1.org

Why Xiaomi

  • “Xiaomi’s ‘Mi Ecosystem’ has 50 million connected devices” [1]
  • “[…] revenue from its smart hardware ecosystem exceeded 15 billion yuan” (1.9 billion €) [2]
  • Most important: The stuff is cheap

[1] https://techcrunch.com/2017/01/11/xiaomi-2016-to-2017/
[2] https://www.reuters.com/article/us-xiaomi-outlook/chinas-xiaomi-targets-2017-sales-of-14-5-billion-after-2016-overhaul-idUSKBN14W0LZ

Why Vacuum Robots?

Source: Xiaomi advertisement

Xiaomi Ecosystem

[Diagram labels: Xiaomi Cloud, Gateway, HTTPS, WiFi, ZigBee]

Device Overview

Source: Xiaomi advertisement

Rooting: Challenges

  • Hardware Access
    – Micro USB Port?
    – Serial Connection on PCB?
  • Network Based
    – Portscan?
    – Sniff Network traffic?

Teardown

Frontside layout mainboard

  • 512 MB RAM
  • R16 SOC
  • 4GB eMMC Flash
  • WiFi Module
  • STM32 MCU

Backside layout mainboard

  • R16 UART (115200 baud): Tx, Rx
  • STM UART (921600 baud): Tx
  • LIDAR UART

Rooting

Our weapon of choice:

Rooting

Initial Idea:

  • Short-circuit the MMC data lines
  • SoC falls back to FEL mode
  • Load + Execute tool in RAM
    – via USB connector
    – Dump MMC flash
    – Modify image
    – Rewrite image to flash

Source: wikicommons

Software

  • Ubuntu 14.04.3 LTS (Kernel 3.4.xxx)
    – Mostly untouched, patched on a regular basis
  • Player 3.10-svn
    – Open-source, cross-platform robot device interface & server
  • Xiaomi proprietary software (/opt/rockrobo)
    – AppProxy
    – RoboController
    – Miio_Client
    – Custom adbd-version
  • iptables firewall enabled
    – Blocks Port 22 (SSHd) + Port 6665 (player)

Available data on device

  • Data
    – Logfiles (syslogs, duration, area, ssid, passwd)
    – “/usr/sbin/tcpdump -i any -s 0 -c 2000 -w”
    – Multiple MBytes/day
    – Maps
  • Data is uploaded to cloud
  • Factory reset
    – Restores recovery to system
    – Does not delete data
      • Maps, Logs still exist

Available data on device

  • Maps
    – Created by player
    – 1024px * 1024px
    – 1px = 5cm

Configurations

  • DeviceID
    – Unique per device
  • Keys
    – Cloudkey (16 byte alpha-numeric)
      • Is used for cloud communication
      • Static, is not changed by update or provisioning
    – Token (16 byte alpha-numeric)
      • Is used for app communication
      • Dynamic, is generated at provisioning (connecting to new WiFi)

Robot intern

Communication relations

[Diagram, recoverable labels:]

  • Inside the robot: Miio_client, 0.0.0.0:54321 (udp) and (local):54322 (tcp); player, 0.0.0.0:6665; RoboController; AppProxy; wifimgr; uart_mcu; uart_lds; compass
  • *.fds.api.xiaomi.com (https): maps, logs ->; <- soundpackages, firmware
  • ot.io.mi.com:80 (tcp); ott.io.mi.com:8053 (udp)
  • Android/iPhone App
  • <- commands, reports ->
  • Link legend: IPC plain json (tcp); enc(key) json (tcp/udp); enc(token) json (udp); AES encrypted

Update process

miIO.ota {"mode":"normal", "install":"1", "app_url":"https://[URL]/v11_[version].pkg", "file_md5":"[md5]", "proc":"dnld install"}

[Animated diagram over several slides: the partitions system_a, system_b, Download and Data, with a marker for the active copy. Step captions in slide order:]

  • 2. Download [app_url]
  • MD5 ok?
  • Decrypt + image OK?
  • Unpack + dd
  • Update root pw in /etc/shadow
  • dd
  • rebooting …
  • dd

Firmware updates

  • Full and partial images
    – Encrypted tar.gz archives
    – Full image contains disk.img
      • 512 Mbyte ext4-filesystem
  • Encryption
    – Static password: “rockrobo”
    – Ccrypt [256-bit Rijndael encryption (AES)]
  • Integrity
    – MD5 provided by cloud
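
The integrity value travels in the same miIO.ota message as the download URL, so whoever can send the command also chooses the digest. The following added example (not code from the talk or from the vendor) contrasts that check with one that binds the package to a key the sender does not control. The `pkg_mac` field, the trusted-host set, the key and all sample values are assumptions constructed for illustration, and an HMAC stands in for a vendor signature to stay within the Python standard library.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the only host this updater may download from. The name is one of
# the cloud hosts listed in the talk's communication diagram.
TRUSTED_HOSTS = {"cdn.cnbj0.files.fds.api.xiaomi.com"}


def md5_only_check(params, package):
    """Integrity as on the slides: package must match file_md5 from the command."""
    return hashlib.md5(package).hexdigest() == params["file_md5"].lower()


def hardened_check(params, package, device_key):
    """Return the reasons to reject the update; an empty list means accept."""
    problems = []
    url = urlsplit(params.get("app_url", ""))
    if url.scheme != "https":
        problems.append("app_url is not https")
    if url.hostname not in TRUSTED_HOSTS:
        problems.append("app_url host is not a trusted update host")
    # "pkg_mac" is a hypothetical field (not in the real message): HMAC-SHA256
    # over the package, keyed with a secret only the vendor and the device hold.
    expected = hmac.new(device_key, package, hashlib.sha256).hexdigest()
    supplied = str(params.get("pkg_mac", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        problems.append("package authentication tag missing or wrong")
    return problems


def ota_params(url, package, device_key=None):
    """Build miIO.ota parameters; the MD5 needs no secret, the tag does."""
    params = {"mode": "normal", "install": "1", "app_url": url,
              "file_md5": hashlib.md5(package).hexdigest(),
              "proc": "dnld install"}
    if device_key is not None:
        params["pkg_mac"] = hmac.new(device_key, package,
                                     hashlib.sha256).hexdigest()
    return params


# Constructed sample values, not taken from a real device or firmware.
DEVICE_KEY = b"constructed-key!"
VENDOR_PKG = b"constructed vendor image"
FOREIGN_PKG = b"constructed image from an unknown sender"
GENUINE = ota_params("https://cdn.cnbj0.files.fds.api.xiaomi.com/v11_0000.pkg",
                     VENDOR_PKG, DEVICE_KEY)
FOREIGN = ota_params("http://192.0.2.10/v11_0000.pkg", FOREIGN_PKG)

if __name__ == "__main__":
    for name, params, pkg in (("genuine", GENUINE, VENDOR_PKG),
                              ("foreign", FOREIGN, FOREIGN_PKG)):
        print(name, "md5-only:", md5_only_check(params, pkg),
              "hardened:", hardened_check(params, pkg, DEVICE_KEY) or "accept")
```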

Let's root remotely

  • Preparation
    – Rebuild Firmware
      • Include authorized_keys
      • Remove iptables rule for sshd
  • Send “miIO.ota” command to vacuum
    – Encrypted with token
      • From app or unprovisioned state
    – Pointing to own http server

SSH

Gain independence

Two methods:

  • Replacing the cloud interface
  • Proxy cloud communication

Xiaomi Cloud

Source: 20th Century Fox

Robot intern

Replacing the cloud interface

[Diagram built up over four slides, recoverable labels:]

  • Only on the first slide: Miio_client, 0.0.0.0:54321 (udp) and (local):54322 (tcp); ot.io.mi.com:80 (tcp); ott.io.mi.com:8053 (udp); Android/iPhone App
  • Until the last slide: *.fds.api.xiaomi.com (https)
  • My cloud client (https, mqtt, etc…) on (local):54322 (tcp); FHEM; Home Assistant
  • On the last slide: /etc/hosts with 127.0.0.1 awsbj0..., 127.0.0.1 aswbj0-files…, 127.0.0.1 cdn.cnbj0….
  • On every slide: player 0.0.0.0:6665; RoboController; AppProxy; wifimgr; uart_mcu; uart_lds; compass; <- commands, reports ->
  • Link legend: IPC plain json (tcp); enc(key) json (tcp/udp); enc(token) json (udp)

Robot intern

Proxy cloud communication

[Diagram over two slides, recoverable labels:]

  • Inside the robot: player 0.0.0.0:6665; RoboController; AppProxy; wifimgr; uart_mcu; uart_lds; compass; Miio_client, 0.0.0.0:54321 (udp) and (local):54322 (tcp)
  • ot.io.mi.com:80 (tcp); ott.io.mi.com:8053 (udp); *.fds.api.xiaomi.com (https); Android/iPhone App; <- commands, reports ->
  • Added on the second slide: Dustcloud; /etc/hosts with 130.83.x.x ot.io.mi.com, 130.83.x.x ot.io.mi.com
  • Link legend: IPC plain json (tcp); enc(key) json (tcp/udp); enc(token) json (udp)

Use cases

  • Home automation server
  • Webradio
  • Fileserver
    – with integrated UPS
  • Bitcoin mining

DLC

  • Modified firmware (SSH + FHEM)
  • Dustcloud (Cloud emulation)
    – totally broken, insecure code!
  • Pictures, Pinouts, and much more

www.dontvacuum.me

One word of warning…

  • Never leave your devices unprovisioned
    – Someone else can provision it for you
      • Install malicious firmware
      • Snoop on your apartment
  • Be careful with used devices
    – e.g. Amazon Marketplace
    – Some malicious software may be installed
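
A check that follows from this warning, for a second-hand device whose root filesystem has been mounted read-only on an analysis machine: it looks for the two changes the talk's modified firmware relies on, cloud names pinned in /etc/hosts and an SSH key for root. This is an added example, not code from the talk; the authorized_keys path is the OpenSSH default for root and an assumption about this firmware, and the sample file contents are constructed.

```python
import ipaddress
from pathlib import Path

# Name suffixes of the cloud endpoints named in the talk's diagrams.
CLOUD_SUFFIXES = (".io.mi.com", ".fds.api.xiaomi.com")
# Assumed locations inside the mounted copy of the root filesystem.
HOSTS_FILE = "etc/hosts"
ROOT_KEYS = "root/.ssh/authorized_keys"  # OpenSSH default for root


def audit_hosts(text):
    """Return (line number, name, address, verdict) for pinned cloud names."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid hosts entry
        local = ip.is_loopback or ip.is_unspecified
        verdict = "blocked locally" if local else "redirected"
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name.endswith(CLOUD_SUFFIXES):
                findings.append((lineno, name, fields[0], verdict))
    return findings


def audit_keys(text):
    """Return 'type comment' for every key that grants root SSH login."""
    keys = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        # The key type may be preceded by an options field; find it first.
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                comment = " ".join(fields[i + 2:]) or "(no comment)"
                keys.append(field + " " + comment)
                break
    return keys


def audit_root(root):
    """Audit a mounted root filesystem; missing files give empty results."""
    root = Path(root)
    report = {"hosts": [], "root_keys": []}
    if (root / HOSTS_FILE).is_file():
        text = (root / HOSTS_FILE).read_text(errors="replace")
        report["hosts"] = audit_hosts(text)
    if (root / ROOT_KEYS).is_file():
        text = (root / ROOT_KEYS).read_text(errors="replace")
        report["root_keys"] = audit_keys(text)
    return report


# Constructed sample contents, not taken from a real device.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 awsbj0.fds.api.xiaomi.com   # cloud storage blocked
192.0.2.10 ot.io.mi.com               # cloud endpoint redirected
"""
SAMPLE_KEYS = "ssh-ed25519 AAAAC3constructedkeyblob previous-owner@example\n"

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
    print(audit_keys(SAMPLE_KEYS))
```

Any finding means the device is not running stock configuration and should be restored from a known-good image before it is provisioned.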

Acknowledgements & FAQ

  • Secure Mobile Networking (SEEMOO) Labs
  • Prof. Guevara Noubir (CCIS, Northeastern University)

Pin Layout CPU

[Figure: CPU ball grid, columns 1 to 17 and rows A to U, with marked groups MMC1, MMC2, UART0, UART1, UART2, TWI1, RSB0, USB 1, USB 2, LCD, DRAM, VCC/VDD and GND; further labels: MMC Reset, Recovery, Confirm, Line IN, PHONE IN, PHONE MIC1, PHONE MIC2]

Overview sensors

  • 2D LIDAR SLAM (5*360°/s)
  • Ultrasonic distance sensor
  • multiple IR sensors
  • 3-axis Magnetic Sensor
  • 3-axis accelerometer
  • 3-axis gyroscope
  • Bump sensors

Sound packages

  • Contents of /mnt/data/sounds
    – Encrypted tar.gz archives
    – Contains wav-files in specific language or style
  • Encryption
    – Static password: “r0ckrobo#23456”
    – Ccrypt [256-bit Rijndael encryption (AES)]
  • Integrity
    – MD5 provided by cloud

eMMC Layout

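| Label    | Partition nand{} | Size in MByte | Start address |
|----------|------------------|---------------|---------------|
| boot-res | a                | 8             | 0x00008000    |
| env      | b                | 16            | 0x0000c000    |
| app      | c                | 16            | 0x00014000    |
| recovery | d                | 512           | 0x0001c000    |
| system_a | e                | 512           | 0x0011c000    |
| system_b | f                | 512           | 0x0021c000    |
| Download | g                | 528           | 0x0031c000    |
| reserve  | h                | 16            | 0x00424000    |
| UDISK    | i                | ~1900         | 0x0042c000    |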

eMMC Layout

| Label    | Content                                       | Mountpoint    |
|----------|-----------------------------------------------|---------------|
| boot-res | bitmaps & some wav files                      |               |
| env      | uboot cmd line                                |               |
| app      | device.conf (DID, key, MAC), adb.conf, vinda  | /mnt/default/ |
| recovery | fallback copy of OS                           |               |
| system_a | copy of OS (active by default)                | /             |
| system_b | copy of OS (passive by default)               |               |
| Download | temporary unpacked OS update                  | /mnt/Download |
| reserve  | config + calibration files, blackbox.db       | /mnt/reserve/ |
| UDISK    | logs, maps, pcap files                        | /mnt/data     |

Communication relations

[Diagram, recoverable labels:]

  • Inside the robot: Miio_client, 0.0.0.0:54321 (udp) and (local):54322 (tcp); Miio_client_helper_nomqtt.sh; Miio_send_line; Miio_recv_line; player, 0.0.0.0:6665 (udp) and 0.0.0.0:6665 (tcp); RoboController; AppProxy; rrlogd; SysUpdate; wifimgr; uart_mcu; uart_lds; compass
  • Files and databases: File:gridmap; File:player_server_*.log; File:SLAM_*.log; File:NAV_*.log; sqlite:robot.db; sqlite:blackbox.db; File:device.conf; File:device.token
  • ot.io.mi.com:80 (tcp); ott.io.mi.com:8053 (udp)
  • awsbj0-files.fds.api.xiaomi.com (https); awsbj0.fds.api.xiaomi.com (https); cdn.cnbj0.files.fds.api.xiaomi.com (https)
  • Android/iPhone App
  • Data flows: <- firmware; <- commands, reports ->; maps ->, logs ->; <- soundpackages, logs ->
  • Link legend: IPC plain json (tcp); enc(key) json (tcp/udp); enc(token) json (udp)
