

  1. Dennis Giese and Daniel Wegemer – 34C3

  2. Post presentation remarks (28.12., 18:00)
     • Rooting is now possible without opening the device
     • You can only root one device (your own)
       – If you read the Heise article you might think that we could root multiple devices on the internet
     • We consider the Xiaomi Cloud a good and safe design
     • Due to time restrictions (our slot was cut from 45 minutes to 30 minutes, including FAQ), we had to leave out a lot of information
       – Look into the repo for more technical information
     • Contact: dustcloud@1338-1.org

  3. Why Xiaomi?
     • “Xiaomi’s ‘Mi Ecosystem’ has 50 million connected devices” [1]
     • “[…] revenue from its smart hardware ecosystem exceeded 15 billion yuan” (1.9 billion €) [2]
     • Most important: the stuff is cheap
     [1] https://techcrunch.com/2017/01/11/xiaomi-2016-to-2017/
     [2] https://www.reuters.com/article/us-xiaomi-outlook/chinas-xiaomi-targets-2017-sales-of-14-5-billion-after-2016-overhaul-idUSKBN14W0LZ

  4. Why Vacuum Robots? (image; source: Xiaomi advertisement)

  5. Xiaomi Ecosystem (diagram; labels: Xiaomi Cloud, HTTPS, WiFi, ZigBee Gateway)

  6. Xiaomi Ecosystem (diagram, second frame; labels: Xiaomi Cloud, HTTPS, ZigBee Gateway)

  7. Device Overview (image; source: Xiaomi advertisement)

  8. Rooting: Challenges
     • Hardware access
       – Micro USB port?
       – Serial connection on PCB?
     • Network based
       – Port scan?
       – Sniff network traffic?

  9. Teardown (images)

  10. Frontside layout of the mainboard (annotated photo; labels: 512 MB RAM, STM32 MCU, 4 GB eMMC flash, R16 SoC, WiFi module)

  11. Backside layout of the mainboard (annotated photo; labels: LIDAR UART, R16 UART (115200 baud, Tx/Rx), STM UART (921600 baud, Tx/Rx))

  12. Rooting – our weapon of choice: (image)

  13. Rooting – initial idea
      • Short the MMC data lines
      • SoC falls back to FEL mode
      • Load + execute tool in RAM
        – via USB connector
        – Dump MMC flash
        – Modify image
        – Rewrite image to flash
      Source: Wikicommons

  14. Software
      • Ubuntu 14.04.3 LTS (Kernel 3.4.xxx)
        – Mostly untouched, patched on a regular basis
      • Player 3.10-svn
        – Open-source cross-platform robot device interface & server
      • Xiaomi proprietary software (/opt/rockrobo)
        – AppProxy
        – RoboController
        – Miio_Client
        – Custom adbd version
      • iptables firewall enabled
        – Blocks port 22 (sshd) + port 6665 (player)

  15. Available data on device
      • Data
        – Logfiles (syslogs, duration, area, SSID, password)
        – “/usr/sbin/tcpdump -i any -s 0 -c 2000 -w”
        – Multiple MBytes/day
        – Maps
      • Data is uploaded to the cloud
      • Factory reset
        – Restores recovery to system – does not delete data
        – Maps, logs still exist

  16. Available data on device
      • Maps
        – Created by player
        – 1024 px * 1024 px
        – 1 px = 5 cm

  17. Configurations
      • DeviceID
        – Unique per device
      • Keys
        – Cloudkey (16 byte alphanumeric)
          • Used for cloud communication
          • Static, not changed by update or provisioning
        – Token (16 byte alphanumeric)
          • Used for app communication
          • Dynamic, generated at provisioning (connecting to a new WiFi)

  18. Communication relations (diagram)
      • Robot-internal components: compass, uart_lds, uart_mcu, player (0.0.0.0:6665), wifimgr, RoboController, Miio_client ((local):54322 tcp), AppProxy (0.0.0.0:54321 udp)
      • Cloud endpoints: *.fds.api.xiaomi.com (https; sound packages and firmware downloaded, maps and logs uploaded), ot.io.mi.com:80 (tcp), ott.io.mi.com:8053 (udp)
      • Miio_client exchanges commands (in) and reports (out) with the cloud, AES encrypted
      • Android/iPhone app talks to AppProxy
      • Legend: robot-internal IPC = plain json (tcp); cloud = enc(key) json (tcp/udp); app = enc(token) json (udp)

  19. Update process: the miIO.ota command
      {"mode":"normal", "install":"1", "app_url":"https://[URL]/v11_[version].pkg", "file_md5":"[md5]", "proc":"dnld install"}

  20.–33. Update process (animation; partitions: system_a = active, system_b = copy, plus a Download Data partition)
      2. Download [app_url] into Download Data
      3. MD5 ok?
      4. Decrypt + image OK?
      5. Unpack + dd
      6. Update root pw in /etc/shadow
      7. dd
      8. Rebooting … afterwards system_b is active and system_a is the copy
      9. dd from system_b to system_a

  34. Firmware updates
      • Full and partial images
        – Encrypted tar.gz archives
        – Full image contains disk.img
          • 512 MByte ext4 filesystem
      • Encryption
        – Static password: “rockrobo”
        – ccrypt [256-bit Rijndael encryption (AES)]
      • Integrity
        – MD5 provided by cloud
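The update flow of slides 19 to 34, modelled in Python as an added example (this is not code from the talk or from the authors' repo). The MD5 check is the one the slides describe; `hmac_ok` is an assumed alternative showing what a keyed integrity check adds, and the package bytes, key and slot contents are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed miIO.ota command shaped like slide 19 (URL and md5 are placeholders).
OTA_COMMAND = ('{"mode":"normal","install":"1",'
               '"app_url":"https://[URL]/v11_[version].pkg",'
               '"file_md5":"[md5]","proc":"dnld install"}')


def parse_ota(cmd: str) -> dict:
    """Pull out the fields the updater acts on: download URL, expected MD5, steps."""
    msg = json.loads(cmd)
    return {"url": msg["app_url"], "md5": msg["file_md5"], "proc": msg["proc"].split()}


def package_md5(package: bytes) -> str:
    return hashlib.md5(package).hexdigest()


def md5_ok(package: bytes, expected_md5: str) -> bool:
    """The check from the slides: an MD5 that arrives with the command.
    It detects a corrupted download, not who built the package."""
    return hmac.compare_digest(package_md5(package), expected_md5.lower())


def hmac_tag(package: bytes, key: bytes) -> str:
    return hmac.new(key, package, hashlib.sha256).hexdigest()


def hmac_ok(package: bytes, tag: str, key: bytes) -> bool:
    """Assumed alternative, not the device's code: a keyed MAC ties the
    package to a secret, so a static archive password alone cannot produce it."""
    return hmac.compare_digest(hmac_tag(package, key), tag)


@dataclass
class Slots:
    """The A/B layout from the animation: one active system, one copy."""
    active: str = "system_a"
    copy: str = "system_b"
    images: dict = field(default_factory=lambda: {"system_a": b"v10", "system_b": b"v10"})


def apply_update(slots: Slots, package: bytes, check) -> bool:
    """Verify, write the copy slot, reboot into it, then resync the other slot."""
    if not check(package):                               # "MD5 ok?" (or the check passed in)
        return False
    slots.images[slots.copy] = package                   # decrypt, unpack, dd (root pw set in /etc/shadow here)
    slots.active, slots.copy = slots.copy, slots.active  # rebooting: the copy becomes active
    slots.images[slots.copy] = package                   # dd the new system over the old slot
    return True
```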

  35. Let's root remotely
      • Preparation
        – Rebuild firmware
          • Include authorized_keys
          • Remove iptables rule for sshd
      • Send “miIO.ota” command to vacuum
        – Encrypted with token
          • From app or unprovisioned state
        – Pointing to own http server

  36. SSH (screenshot)

  37.–41. (screenshots, no text)

  42. Gain independence from the Xiaomi Cloud – two methods:
      • Replacing the cloud interface
      • Proxy cloud communication
      (image source: 20th Century Fox)

  43.–46. Replacing the cloud interface (diagram animation, based on the layout of slide 18)
      • Miio_client and the Xiaomi endpoints (*.fds.api.xiaomi.com, ot.io.mi.com:80 tcp, ott.io.mi.com:8053 udp) are removed
      • “My cloud client” takes over (local):54322 (tcp) towards RoboController and speaks https, mqtt, etc. to FHEM / Home Assistant
      • The cloud hostnames are pointed at the robot itself in /etc/hosts: 127.0.0.1 awsbj0…, 127.0.0.1 awsbj0-files…, 127.0.0.1 cdn.cnbj0…
      • Legend: robot-internal IPC = plain json (tcp); cloud = enc(key) json (tcp/udp); app = enc(token) json (udp)

  47. Proxy cloud communication (diagram, same layout as slide 18)
