
Robot Hacking

The presentation discusses rooting Xiaomi's robotic vacuum cleaner without opening the device and examines its internal communication mechanisms.

Xiaomi has over 50 million connected devices in its ecosystem and generated $1.9 billion in revenue from smart hardware in 2016. The researchers considered Xiaomi's cloud design to be good and safe.

Challenges in rooting included lack of hardware access points and difficulty port scanning or sniffing network traffic. The researchers had to tear down the robot to better understand its internals.

Dennis Giese and Daniel Wegemer – 34C3 1

Post presentation remarks 28.12. 18:00


• Rooting is now possible without opening the device
• You can only root one device (your own)
– If you read the Heise article you might think that we might root multiple devices on the internet
• We consider the Xiaomi Cloud as a good and safe design
• Due to time restrictions (our time was cut from 45 minutes to 30 minutes, including FAQ), we had to exclude a lot of information
– Look into the repo for more technical information
• Contact: dustcloud@1338-1.org



Why Xiaomi

“Xiaomi’s ‘Mi Ecosystem’ has 50 million connected devices” [1]
“[…] revenue from its smart hardware ecosystem exceeded 15 billion yuan” (1.9 billion €) [2]
Most important: The stuff is cheap
[1] https://techcrunch.com/2017/01/11/xiaomi-2016-to-2017/
[2] https://www.reuters.com/article/us-xiaomi-outlook/chinas-xiaomi-targets-2017-sales-of-14-5-billion-after-2016-overhaul-idUSKBN14W0LZ

Why Vacuum Robots?

Source: Xiaomi advertisement


Xiaomi Ecosystem
[Diagram, two slides; labels: HTTPS, WiFi, Xiaomi Cloud, ZigBee, Gateway]

Device Overview

Source: Xiaomi advertisement

Rooting: Challenges

• Hardware Access
– Micro USB Port ?
– Serial Connection on PCB ?
• Network Based
– Portscan ?
– Sniff Network traffic ?



Teardown

Frontside layout mainboard
[Board photo; labelled components:]
• 512 MB RAM
• STM32 MCU
• R16 SOC
• 4GB eMMC Flash
• WiFi Module


Backside layout mainboard
[Board photo; labels:]
• LIDAR UART
• R16 UART (115200 baud)
• STM UART (921600 baud)
• Pin labels: Tx, Rx, Tx


Rooting

Our weapon of choice:



Rooting
Initial Idea:
• Shortcut the MMC data lines
• SoC falls back to FEL mode
• Load + Execute tool in RAM
– via USB connector
– Dump MMC flash
– Modify image
– Rewrite image to flash
Source: wikicommons



Software
• Ubuntu 14.04.3 LTS (Kernel 3.4.xxx)
– Mostly untouched, patched on a regular basis
• Player 3.10-svn
– Open-Source Cross-platform robot device interface & server
• Xiaomi proprietary software (/opt/rockrobo)
– AppProxy
– RoboController
– Miio_Client
– Custom adbd-version
• iptables firewall enabled
– Blocks Port 22 (SSHd) + Port 6665 (player)



Available data on device
• Data
– Logfiles (syslogs, duration, area, ssid, passwd)
– “/usr/sbin/tcpdump -i any -s 0 -c 2000 -w”
– Multiple MBytes/day
– Maps
• Data is uploaded to cloud
• Factory reset
– Restores recovery to system
– does not delete data
• Maps, Logs still exist



Available data on device

• Maps
– Created by player
– 1024px * 1024px
– 1px = 5cm



Configurations
• DeviceID
– Unique per device
• Keys
– Cloudkey (16 byte alpha-numeric)
• Is used for cloud communication
• Static, is not changed by update or provisioning
– Token (16 byte alpha-numeric)
• Is used for app communication
• Dynamic, is generated at provisioning (connecting to new WiFi)

Communication relations
[Diagram; labels recoverable from the slide:]
• Hardware interfaces: compass, uart_lds, uart_mcu
• Processes on the robot: player (0.0.0.0:6665), wifimgr, RoboController, Miio_client, AppProxy
• Local sockets: (local):54322 (tcp), 0.0.0.0:54321 (udp)
• Cloud endpoints: *.fds.api.xiaomi.com (https), ot.io.mi.com:80 (tcp), ott.io.mi.com:8053 (udp)
• Android/iPhone App
• Flow labels: <-soundpackages, firmware; maps, logs->; <-commands, reports-> (AES encrypted)
• Legend: Robot intern IPC; plain json (tcp); enc(key) json (tcp/udp); enc(token) json (udp)


Update process

miIO.ota {"mode":"normal", "install":"1",
"app_url":"https://[URL]/v11_[version].pkg",
"file_md5":"[md5]","proc":"dnld install"}

[Slides 21–34: animated diagram of the update process. Partitions shown: system_a, system_b, Download, Data. The labels "Active" and "copy" sit next to the two system partitions and change position after the reboot. Captions in order of appearance: 2. Download [app_url]; MD5 ok?; Decrypt + image OK?; Unpack + dd; Update root pw in /etc/shadow; dd; rebooting; dd]

Firmware updates
• Full and partial images
– Encrypted tar.gz archives
– Full image contains disk.img
• 512 Mbyte ext4-filesystem
• Encryption
– Static password: “rockrobo”
– Ccrypt [256-bit Rijndael encryption (AES)]
• Integrity
– MD5 provided by cloud
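
Added example, not code from the talk or from the robot's firmware: because file_md5 arrives in the same miIO.ota command as app_url, the MD5 check catches a corrupted download but says nothing about who built the package. The sketch contrasts it with a check against a tag the command sender cannot compute; HMAC-SHA256 stands in for a vendor public-key signature so it runs on the standard library alone, and the `tag` field, the key and the sample packages are assumptions.

```python
import hashlib
import hmac

# Constructed sample data; nothing here comes from a real device or update.
DEVICE_VERIFY_KEY = b"constructed-key-provisioned-at-factory"
VENDOR_PKG = b"constructed bytes standing in for the vendor's .pkg"
OTHER_PKG = b"constructed bytes standing in for a package built elsewhere"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def make_tag(key, package):
    """Tag over the SHA-256 of the package (stand-in for a vendor signature)."""
    return hmac.new(key, hashlib.sha256(package).digest(), hashlib.sha256).hexdigest()


def accept_md5_only(ota, package):
    """Check as on the slide: the download must match file_md5 from the command."""
    expected = ota.get("file_md5")
    return isinstance(expected, str) and hmac.compare_digest(md5_hex(package), expected)


def accept_authenticated(ota, package, key):
    """Hardened check: the package must carry a tag that verifies under `key`."""
    tag = ota.get("tag")  # hypothetical field, not part of miIO.ota on the slides
    if not isinstance(tag, str):
        return False
    return hmac.compare_digest(make_tag(key, package), tag)


def demo():
    """Evaluate both checks for a vendor-built and a foreign-built package."""
    url = "https://updates.example/v11_[version].pkg"  # placeholder URL
    vendor_cmd = {"app_url": url, "file_md5": md5_hex(VENDOR_PKG),
                  "tag": make_tag(DEVICE_VERIFY_KEY, VENDOR_PKG)}
    # Whoever sends the command can compute file_md5 for any package they host,
    # but cannot produce a valid tag without the key.
    other_cmd = {"app_url": url, "file_md5": md5_hex(OTHER_PKG),
                 "tag": make_tag(b"key-the-sender-made-up", OTHER_PKG)}
    return {
        "vendor_md5_only": accept_md5_only(vendor_cmd, VENDOR_PKG),
        "vendor_authenticated": accept_authenticated(vendor_cmd, VENDOR_PKG, DEVICE_VERIFY_KEY),
        "other_md5_only": accept_md5_only(other_cmd, OTHER_PKG),
        "other_authenticated": accept_authenticated(other_cmd, OTHER_PKG, DEVICE_VERIFY_KEY),
        "corrupted_md5_only": accept_md5_only(vendor_cmd, VENDOR_PKG + b"\x00"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```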



Let's root remotely
• Preparation
– Rebuild Firmware
• Include authorized_keys
• Remove iptables rule for sshd
• Send "miIO.ota" command to vacuum
– Encrypted with token
• From app or unprovisioned state
– Pointing to own http server



SSH

Gain independence
Xiaomi Cloud
Source: 20th Century Fox

Two methods:
• Replacing the cloud interface
• Proxy cloud communication

Replacing the cloud interface
[Slides 44–47: the communication diagram, modified step by step. Labels recoverable from the slides:]
• Present throughout: compass, uart_lds, uart_mcu, player (0.0.0.0:6665), wifimgr, RoboController, AppProxy
• Slide 44: "My cloud client" is drawn over Miio_client, with the label "https, mqtt, etc…"
• Slide 45: Miio_client, ot.io.mi.com:80 (tcp), ott.io.mi.com:8053 (udp), 0.0.0.0:54321 (udp) and the Android/iPhone App are no longer shown
• Slide 46: "My cloud client" on (local):54322 (tcp), with FHEM and Home Assistant and the label "https, mqtt, etc…"
• Slide 47: *.fds.api.xiaomi.com (https) is no longer shown; /etc/hosts:
  127.0.0.1 awsbj0...
  127.0.0.1 aswbj0-files…
  127.0.0.1 cdn.cnbj0….
• Legend: Robot intern IPC; plain json (tcp); enc(key) json (tcp/udp); enc(token) json (udp)

Proxy cloud communication
[Slides 48–49: the communication diagram with compass, uart_lds, uart_mcu, player (0.0.0.0:6665), wifimgr, RoboController, Miio_client, AppProxy, (local):54322 (tcp), 0.0.0.0:54321 (udp), Android/iPhone App, *.fds.api.xiaomi.com (https), ot.io.mi.com:80 (tcp), ott.io.mi.com:8053 (udp); flow labels <-commands, reports->]
• Slide 49 adds "Dustcloud" and /etc/hosts (entry printed twice on the slide):
  130.83.x.x ot.io.mi.com
• Legend: Robot intern IPC; plain json (tcp); enc(key) json (tcp/udp); enc(token) json (udp)


Usecases

• Home automation server


• Webradio
• Fileserver
– with integrated UPS
• Bitcoin mining

DLC

• Modified firmware (SSH + FHEM)


• Dustcloud (Cloud emulation)
– totally broken, insecure code!
• Pictures, Pinouts, and much more

www.dontvacuum.me

One word of warning…

• Never leave your devices unprovisioned
– Someone else can provision it for you
• Install malicious firmware
• Snoop on your apartment
• Be careful with used devices
– e.g. Amazon Marketplace
– Some malicious software may be installed
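
Added example, not code from the talk or the project: a check to run over the mounted root filesystem of a used robot before putting it on your network, looking for the changes the slides describe (an installed authorized_keys file, a missing firewall rule for port 22 or 6665, /etc/hosts entries that redirect the cloud names). It assumes the firewall rules are supplied as text in iptables-save syntax, since the slides do not say where the robot stores them; the function names, matching suffixes and sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: cloud names are matched by suffix; the slides show redirects of
# ot.io.mi.com and of *.fds.api.xiaomi.com hosts.
CLOUD_SUFFIXES = (".mi.com", ".xiaomi.com")
# Ports the stock firewall blocks according to the slides: sshd and player.
BLOCKED_PORTS = (22, 6665)


def authorized_keys_findings(root):
    """Report SSH keys installed for root or any home directory."""
    findings = []
    candidates = [root / "root/.ssh/authorized_keys"]
    candidates += sorted(root.glob("home/*/.ssh/authorized_keys"))
    for path in candidates:
        # Skip symlinks so an absolute link cannot point the audit at the host.
        if path.is_symlink() or not path.is_file():
            continue
        lines = path.read_text(errors="replace").splitlines()
        keys = [l for l in lines if l.strip() and not l.lstrip().startswith("#")]
        if keys:
            findings.append(f"ssh: {len(keys)} key(s) in /{path.relative_to(root)}")
    return findings


def hosts_findings(root):
    """Report /etc/hosts entries that pin a vendor cloud name to an address."""
    hosts = root / "etc/hosts"
    if hosts.is_symlink() or not hosts.is_file():
        return []
    findings = []
    for line in hosts.read_text(errors="replace").splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            if name.lower().endswith(CLOUD_SUFFIXES):
                findings.append(f"hosts: {name} pinned to {fields[0]}")
    return findings


def firewall_findings(rules_text):
    """Report blocked ports that have no DROP/REJECT rule in the INPUT chain."""
    rules = [r.strip() for r in rules_text.splitlines()]
    findings = []
    for port in BLOCKED_PORTS:
        rule = re.compile(rf"^-A INPUT\b.*--dport {port}\b.*-j (DROP|REJECT)\b")
        if not any(rule.search(r) for r in rules):
            findings.append(f"firewall: no DROP/REJECT rule for port {port}")
    return findings


def audit(root, rules_text):
    root = Path(root)
    return authorized_keys_findings(root) + hosts_findings(root) + firewall_findings(rules_text)


def build_sample_rootfs(directory):
    """Constructed sample tree resembling a modified image (not real device data)."""
    root = Path(directory)
    (root / "root/.ssh").mkdir(parents=True)
    (root / "etc").mkdir()
    (root / "root/.ssh/authorized_keys").write_text("ssh-ed25519 AAAAC3constructed sample@example\n")
    (root / "etc/hosts").write_text("127.0.0.1 localhost\n192.0.2.10 ot.io.mi.com  # constructed\n")
    return root


# Constructed rule dump in iptables-save syntax: only the player port is blocked.
SAMPLE_RULES = "*filter\n-A INPUT -p tcp -m tcp --dport 6665 -j DROP\nCOMMIT\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit(build_sample_rootfs(tmp), SAMPLE_RULES):
            print(finding)
```

An empty result only means these three indicators are absent; it does not show that the image is unmodified.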
Acknowledgements & FAQ
• Secure Mobile Networking (SEEMOO) Labs

• Prof. Guevara Noubir (CCIS, Northeastern University)

Pin Layout CPU
[Pin grid of the CPU, rows A–U, columns 1–17; the pin positions are not recoverable from the extracted text.]
• Groups: UART0, UART1, UART2, MMC1, MMC2, TWI1, RSB0, USB 1, USB 2
• Signals: Reset, D0–D7, CLK, CMD, TX, RX, SDA, SCL, SCK, Recovery, Confirm, Line IN L, LINE IN R, PHONE IN, MIC1, MIC2, LCD0–LCD9, USB-DM0, USB-DP0, USB-DM1, USB-DP1, USB DRV
• Legend: DRAM, VCC/VDD, GND, LCD


Overview sensors
• 2D LIDAR SLAM (5*360°/s)
• Ultrasonic distance sensor
• multiple IR sensors
• 3-axis Magnetic Sensor
• 3-axis accelerometer
• 3-axis gyroscope
• Bump sensors

Sound packages
• Contents of /mnt/data/sounds
– Encrypted tar.gz archives
– Contains wav-files in specific language or style
• Encryption
– Static password: “r0ckrobo#23456”
– Ccrypt [256-bit Rijndael encryption (AES)]
• Integrity
– MD5 provided by cloud



eMMC Layout
Label      Partition (nand{})   Size in MByte   Start address
boot-res   a                    8               0x00008000
env        b                    16              0x0000c000
app        c                    16              0x00014000
recovery   d                    512             0x0001c000
system_a   e                    512             0x0011c000
system_b   f                    512             0x0021c000
Download   g                    528             0x0031c000
reserve    h                    16              0x00424000
UDISK      i                    ~1900           0x0042c000


eMMC Layout
Label      Content                                            Mountpoint
boot-res   bitmaps & some wav files
env        uboot cmd line
app        device.conf (DID, key, MAC), adb.conf, vinda       /mnt/default/
recovery   fallback copy of OS
system_a   copy of OS (active by default)                     /
system_b   copy of OS (passive by default)
Download   temporary unpacked OS update                       /mnt/Download
reserve    config + calibration files, blackbox.db            /mnt/reserve/
UDISK      logs, maps, pcap files                             /mnt/data


Communication relations
[Detailed diagram; labels recoverable from the slide:]
• Hardware interfaces: compass, uart_lds, uart_mcu
• Processes on the robot: player, wifimgr, RoboController, rrlogd, Miio_client, AppProxy, SysUpdate
• Helper programs: Miio_client_helper_nomqtt.sh, Miio_send_line, Miio_recv_line
• Sockets: 0.0.0.0:6665 (udp), 0.0.0.0:6665 (tcp), (local):54322 (tcp), 0.0.0.0:54321 (udp)
• Files and databases: File:gridmap, File:player_server_*.log, File:SLAM_*.log, File:NAV_*.log, sqlite:robot.db, sqlite:blackbox.db, File:device.conf, File:device.token
• Cloud endpoints with the flow label printed after each:
  awsbj0.fds.api.xiaomi.com (https): <-soundpackages, logs->
  awsbj0-files.fds.api.xiaomi.com (https): maps->, logs->
  cdn.cnbj0.files.fds.api.xiaomi.com (https): <-firmware
  ot.io.mi.com:80 (tcp), ott.io.mi.com:8053 (udp): <-commands, reports->
• Android/iPhone App: <-commands, reports->
• Legend: IPC; plain json (tcp); enc(key) json (tcp/udp); enc(token) json (udp)