Reverse-Engineering Xiaomi IoT Firmware

IoT devices rarely do only what they are advertised to do. They almost always ship with more storage than the job needs, and their processor and memory alone are usually enough to run a multitude of other tasks without necessarily compromising the one they were built for.

That is part of the motivation for rooting any device, but Xiaomi devices are a bit more fun, which is to say a bit harder, when you are reverse engineering the firmware from scratch.

Similar to his other DEF CON 26 talk on modifying ARM Cortex-M firmware, [Dennis Giese] returns with a walkthrough of how to reverse-engineer Xiaomi IoT devices. He starts off talking about the Xiaomi ecosystem and the drawbacks of reusing firmware across all the different devices connected to the same cloud network before jumping into the walkthrough for accessing the devices.


Advertise Your Conference Schedule Via SSID

Whether it’s a Python script running on a Linux box or an ESP8266, abusing WiFi SSIDs to convey messages is hardly a new trick. But for DerbyCon 2019, [vgrsec] wanted to put together something a little unique. Dare we say, even useful. Rather than broadcasting SSID obscenities or memes, this Raspberry Pi created fake WiFi networks that told everyone what talks were coming up.

The concept here is fairly simple: there’s a text file in /boot that contains the truncated names of all the talks and workshops in the schedule, one per line, and each line starts with the time that particular event is scheduled for. The script that [vgrsec] wrote opens this text file, searches for the lines beginning with the current time, and generates the appropriate SSIDs. With the number of tracks being run at DerbyCon, that meant there could be as many as five SSIDs generated at once.
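The selection step described above, as an added example in Python (not [vgrsec]’s script). It assumes a line format of "HHMM event name" in 24-hour time, which the write-up does not spell out, and it adds the one check a practitioner would want: an SSID is at most 32 octets, so long names are cut at a UTF-8 character boundary rather than mid-character.

```python
# Added example (not the original script): pick the schedule entries for the
# current time slot and turn them into valid SSIDs.
#
# Assumptions (not from the write-up): each line is "HHMM <event name>" in
# 24-hour time, and the device will broadcast one SSID per matching line.
import time

# Constructed sample schedule in the assumed format; the real file lives in /boot.
SAMPLE_SCHEDULE = """\
0900 Opening Keynote: Welcome to DerbyCon
0900 Workshop: Intro to Hardware Hacking with the Raspberry Pi
1000 Track 1: Adventures in SSID Abuse
1000 Track 2: Threat Hunting on a Budget
1000 Track 3: Café Talk on Radios Décor
"""

SSID_MAX_BYTES = 32   # 802.11 SSID element length limit (32 octets)


def to_ssid(name: str) -> str:
    """Truncate a name to 32 bytes without splitting a multi-byte UTF-8 character."""
    name = " ".join(name.split())                  # collapse stray whitespace
    raw = name.encode("utf-8")[:SSID_MAX_BYTES]
    # 'ignore' drops a trailing partial sequence left by the byte-level cut
    return raw.decode("utf-8", "ignore")


def ssids_for_time(schedule_text: str, hhmm: str) -> list:
    """Return SSIDs for every schedule line whose leading time field equals hhmm."""
    ssids = []
    for line in schedule_text.splitlines():
        line = line.strip()
        if not line or " " not in line:
            continue                               # blank or malformed line
        slot, name = line.split(" ", 1)
        if slot != hhmm:
            continue
        ssid = to_ssid(name)
        if ssid and ssid not in ssids:             # empty and duplicate SSIDs are useless
            ssids.append(ssid)
    return ssids


def ssids_now(schedule_text: str) -> list:
    """Convenience wrapper using the local clock (which is why the RTC matters)."""
    return ssids_for_time(schedule_text, time.strftime("%H%M"))


if __name__ == "__main__":
    for ssid in ssids_for_time(SAMPLE_SCHEDULE, "1000"):
        print(repr(ssid), len(ssid.encode("utf-8")), "bytes")
```

Broadcasting the resulting list as several networks at once is left to whatever the original script used on the WiFi adapter; the point here is that the names handed to it are guaranteed to fit in an SSID element.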

Now in theory that would be enough to pull off this particular hack, but there’s a problem. The lack of an RTC on the Raspberry Pi means it can’t keep time very well, and the fact that the WiFi adapter would be busy pumping out SSIDs meant the chances of it being able to connect to the Internet and pull down the current time over NTP weren’t very good.

As the system was worthless without a reliable way of keeping time, [vgrsec] added an Adafruit PiRTC module to the mix. Once the time has been synchronized, the system could then run untethered via a USB battery bank. We might have put it into an enclosure so it looks a little less suspect, but then again, there were certainly far more unusual devices than this to be seen at DerbyCon.

Of course, if you’re OK with just dumping the entire schedule out at once and letting the user sift through the mountain of bogus SSIDs themselves, that’s even easier to accomplish.

A Spectrum Analyzer For The Smart Response XE

Remember the Girl Tech IM-me? It was a hot-pink clearance rack toy that suddenly became one of the hottest commodities in the hacking world when it was discovered they could be used for all sorts of radio frequency shenanigans. Now they go for triple digits on eBay, if you can even find one. Well, we’re probably about to see the same thing happen to the Smart Response XE.

Thanks to the work of a hacker named [ea], this cheap educational gadget is finally starting to live up to the potential we saw in it back when a teardown revealed it was powered by an Arduino-compatible ATmega128RF chip. With a big screen, a decent QWERTY keyboard, and integrated wireless hardware, it seemed obvious that the Smart Response XE was poised to be the next must-have repurposed piece of kit.

Though as it turns out, [ea] isn’t using the device’s built-in wireless hardware. Step one in this exceptionally well documented and photographed project is to tack a CC1101 transceiver module onto the SPI pins of the ATmega128RF. Then, with the appropriate firmware loaded, that nice big screen will show you what’s happening on the 300 MHz, 400 MHz and 900 MHz bands.

But the fun doesn’t stop there. With the CC1101-modified Smart Response XE, there’s a whole new world of radio hacks you can pull off. As a proof of concept, [ea] has also included a POCSAG pager decoder. Granted the RTL-SDR has already made pulling pager messages out of the air pretty easy, but there’s something to be said for being able to do it on something so small and unassuming.

If you can’t tell, we’re exceptionally interested in seeing what the community can do with the Smart Response XE. At the time of this writing, the going rate on eBay for a good condition unit looks to be about $10 USD, plus the $3 or so for the CC1101 module. But the prices went through the roof when we first posted about it, so get them cheap while you still can.

[Thanks to bburky for the tip.]

Customizing Xiaomi ARM Cortex-M Firmware

This hack was revealed a while ago at DEF CON 26, but it’s still a fascinating look into vulnerabilities that affect some of the most widely used IoT devices.

[Dennis Giese] worked out a way to modify ARM Cortex-M based firmware, either to customize what a device does or to cut off the vendor’s access to it. As with any firmware exploit, the same technique can be put to more malicious use, which is obviously not condoned.

The talk goes into the structure of the Xiaomi ecosystem and its products before giving a step-by-step approach to binary patching the firmware. The first step is to acquire the firmware, either by dumping the SPI flash (over JTAG or SWD, or by desoldering the flash chip and reading its pins directly) or by intercepting traffic during a firmware update and downloading the image. The firmware may also be downloadable directly from a URL, although that URL can be harder to find.

The firmware then has to be parsed, which first requires converting it from the proprietary format to an ELF file. This conversion makes it easier to load into IDA Pro and records the firmware’s segments and entry point. Python tools exist for wrapping raw binary files in an ELF container, which simplifies the task.
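The raw-binary-to-ELF step, as an added Python example that is not one of the tools from the talk. It assumes the proprietary container has already been stripped, leaving a raw flash image whose base address is known; the entry point is read from the Cortex-M vector table (word 0 is the initial stack pointer, word 1 is the reset handler with the Thumb bit set), and the initial SP is checked against the default Cortex-M SRAM region so a wrongly carved image is rejected instead of silently producing a useless ELF.

```python
# Added example (not one of the tools from the talk): wrap a raw Cortex-M flash
# image in a minimal ELF32 container so a disassembler knows the load address
# and entry point. Assumptions: the proprietary container has already been
# stripped, leaving a raw image, and the flash base address is known.
import struct

EM_ARM = 40
ET_EXEC = 2
PT_LOAD = 1
PF_R, PF_X = 4, 1
EHDR_SIZE, PHDR_SIZE = 52, 32
# Cortex-M default memory map: SRAM region 0x20000000-0x3FFFFFFF
SRAM_LO, SRAM_HI = 0x20000000, 0x3FFFFFFF


def vector_table_entry(image: bytes) -> int:
    """Cortex-M images start with a vector table: word 0 is the initial SP,
    word 1 is the reset handler (bit 0 set because the core runs Thumb code)."""
    if len(image) < 8:
        raise ValueError("image too short to hold a vector table")
    sp, reset = struct.unpack_from("<II", image, 0)
    if not (SRAM_LO <= sp <= SRAM_HI):
        raise ValueError("initial SP 0x%08x is not in SRAM; wrong offset or not Cortex-M?" % sp)
    if reset & 1 == 0:
        raise ValueError("reset handler 0x%08x lacks the Thumb bit" % reset)
    return reset


def raw_to_elf(image: bytes, load_addr: int, entry: int = None) -> bytes:
    """Return an ELF32 little-endian ARM executable with one R+X PT_LOAD segment."""
    if entry is None:
        entry = vector_table_entry(image)
    if not (load_addr <= (entry & ~1) < load_addr + len(image)):
        raise ValueError("entry point lies outside the image")
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # 32-bit, LE, version 1, SysV ABI
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, ET_EXEC, EM_ARM, 1, entry,
                       EHDR_SIZE, 0, 0x05000000,           # phoff, no shdrs, EF_ARM_EABI_VER5
                       EHDR_SIZE, PHDR_SIZE, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, EHDR_SIZE + PHDR_SIZE, load_addr, load_addr,
                       len(image), len(image), PF_R | PF_X, 4)
    return ehdr + phdr + image


def elf_summary(elf: bytes) -> dict:
    """Read back the fields a disassembler will use (sanity check of the output)."""
    f = struct.unpack_from("<16sHHIIIIIHHHHHH", elf, 0)
    p = struct.unpack_from("<IIIIIIII", elf, f[5])
    return {"machine": f[2], "entry": f[4], "vaddr": p[2], "filesz": p[4], "offset": p[1]}


# Constructed sample image (not real Xiaomi firmware): a vector table whose
# reset handler points just past it, followed by a Thumb "bx lr" and padding.
SAMPLE_BASE = 0x08000000
SAMPLE_IMAGE = (struct.pack("<II", 0x20001000, SAMPLE_BASE + 0x41)
                + bytes(0x40 - 8) + b"\x70\x47" + bytes(14))

if __name__ == "__main__":
    out = raw_to_elf(SAMPLE_IMAGE, SAMPLE_BASE)
    print({k: hex(v) for k, v in elf_summary(out).items()})
```

The single R+X segment is deliberately coarse: once the disassembler has the image at the right address, splitting off .data and .bss is easier done interactively than guessed here. The base address must come from the part’s datasheet or the bootloader; the vector table only tells you where the reset handler lives relative to it.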

After loading the ELF file into the disassembler, you’ll want to find the key memory area, denoted by “TAG_MAC”, “TAG_DID” and “TAG_KEY” in the example firmware (storing the MAC address, device ID and key). To prepare the firmware for Nexmon, a framework for C-based binary patching of ARM Cortex-A and ARM Cortex-M firmware, you’ll need to set aside some free space in memory for the patches and to know the names and signatures of the firmware functions your patches will call.

The latter is done by diffing an unknown executable against the example executable in the disassembler.
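A simplified stand-in for that comparison, as an added Python example and not the disassembler diff from the talk: once a function has been identified in the example firmware, its bytes can be turned into a masked signature and searched for in an unknown build. The mask blanks out the immediate bits of Thumb-2 BL instructions, since call targets are the bytes most likely to shift between builds while the surrounding prologue and epilogue stay put. The sample bytes are constructed for the example, not taken from any real firmware.

```python
# Added example: a simplified way to recognise a known function in an unfamiliar
# firmware build. It is not the disassembler diff described in the talk, just
# byte-pattern matching that ignores the call targets (Thumb-2 BL immediates),
# which are the bytes most likely to change between builds.


def thumb_signature(ref: bytes):
    """Return (pattern, mask) for a reference function: every halfword kept
    exactly, except BL instruction pairs whose immediate bits are masked out."""
    if len(ref) % 2:
        raise ValueError("Thumb code is halfword aligned")
    mask = bytearray(b"\xff" * len(ref))
    i = 0
    while i + 4 <= len(ref):
        hw1 = int.from_bytes(ref[i:i + 2], "little")
        hw2 = int.from_bytes(ref[i + 2:i + 4], "little")
        # Thumb-2 BL encoding: hw1 = 11110 S imm10, hw2 = 11 J1 1 J2 imm11
        if (hw1 & 0xF800) == 0xF000 and (hw2 & 0xD000) == 0xD000:
            mask[i:i + 2] = (0xF800).to_bytes(2, "little")      # keep only the opcode bits
            mask[i + 2:i + 4] = (0xD000).to_bytes(2, "little")
            i += 4
        else:
            i += 2
    pattern = bytes(b & m for b, m in zip(ref, mask))
    return pattern, bytes(mask)


def find_signature(blob: bytes, pattern: bytes, mask: bytes, align: int = 2) -> list:
    """Offsets in blob where (blob & mask) == pattern, checked at halfword alignment."""
    hits = []
    n = len(pattern)
    for off in range(0, len(blob) - n + 1, align):
        if all((blob[off + k] & mask[k]) == pattern[k] for k in range(n)):
            hits.append(off)
    return hits


# Constructed sample, not taken from any real firmware:
#   push {r4, lr} ; bl <target> ; pop {r4, pc}
REF_FUNC = bytes.fromhex("10b5" "00f010f8" "10bd")
# The "unknown" build has the same function at offset 4 but calls a different target.
UNKNOWN_IMAGE = bytes(4) + bytes.fromhex("10b5" "01f040f9" "10bd") + bytes.fromhex("00bf")

if __name__ == "__main__":
    pat, msk = thumb_signature(REF_FUNC)
    print("masked hits:", find_signature(UNKNOWN_IMAGE, pat, msk))                      # [4]
    print("exact hits :", find_signature(UNKNOWN_IMAGE, REF_FUNC, b"\xff" * len(REF_FUNC)))  # []
```

A signature this short will produce false positives in a real image; in practice you would take a distinctive function of a few dozen halfwords and confirm each hit by checking that its BL targets resolve to the functions you expect. Literal-pool loads (LDR from PC-relative addresses) are another source of build-to-build drift that the same masking idea can be extended to.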

With that information gathered, you can use Nexmon to make your modifications. The fact that this can be done to smart devices at home means that devices you acquire, especially ones that have passed through other hands, may already contain malicious code, so take care when handling used devices.


Bluetooth Control With Chrome

All the cool projects now can connect to a computer or phone for control, right? But it is a pain to create an app to run on different platforms to talk to your project. [Kevin Darrah] says no and shows how you can use Google Chrome to do the dirty work. He takes a garden-variety Arduino and a cheap Bluetooth interface board and then controls it from Chrome. You can see the video below.

The HM-10 board is cheap and can connect to nearly anything. The control application is written for Processing, the environment the Arduino IDE was derived from. So how do you get from Processing to Chrome? Easy. The p5.js library brings the Processing model to JavaScript running in the browser, and there’s a BLE library for p5.js that lets the page talk to the HM-10 from Chrome.


The MorningRod Wants Your Mornings Easier, Not Harder

Curtains are about as simple as household devices get, but they can be remarkably troublesome to automate. Everyone’s window treatments are slightly different, which frustrates a standardized solution. [dfrenkel] has a passion for DIY and wanted his mornings flooded with sunlight for more peaceful awakenings, so the MorningRod Smart Curtain Rod was born.

Replacing the curtain rod with aluminum extrusion and 3D printed fixtures goes a long way towards standardizing for automation.

MorningRod’s design takes advantage of affordable hardware like aluminum extrusions and 3D printed parts to create a system that attempts to allow users to keep their existing curtains as much as possible.

The curtain rod is replaced with aluminum extrusion. MorningRod borrows ideas from CNC projects to turn the curtain rod into a kind of double-ended linear actuator, upon which the curtains are just along for the ride. An ESP32 serves as the brains while a NEMA17 stepper motor provides the brawn. The result is a motorized curtain opening and closing with a wireless interface that can be easily integrated into home automation projects.

[dfrenkel] is offering a kit, but those who would prefer to roll their own should check out the project page on Thingiverse.

Make “Wireless” Earbuds Truly Wireless

[Don] bought some off-brand Bluetooth earbuds online that actually sound pretty good. But while it’s true that they don’t require wires for listening to tunes, the little storage/charging box they sleep in definitely has a micro USB port around back. Ergo, they are not truly wireless. So [Don] took it upon himself to finish what the manufacturer started. Because it’s 2019, and words have meaning.

Finally, he had a use for that Qi charger he’s had lying around since the Galaxy S5 era. [Don] pried the earbud case open with a guitar pick and found a nicely laid-out charging circuit board without any black goop.

Once he located ground and Vcc pads, it was just a matter of performing a bit of surgery on the coil’s pins so he could solder wires there instead. Miraculously, the Qi coil fit perfectly inside the bottom of the case and the plastic is thin enough that it doesn’t interfere with the charging.

Want to try it for yourself? [Don]’s done an excellent job of documenting this hack, with clear pictures of every step. Soon you’ll be able to rid yourself of all those pesky USB cables.

Of course, [Don] still has to plug the charging base into the wall. If he ever wanted to add another level of wireless, he could always retrofit the base coil into his laptop.