Reverse-Engineering Xiaomi IoT Firmware

IoT devices rarely just do what they’re advertised to do. They almost always have more hardware than the job needs – their processor and memory alone are enough to run a multitude of other tasks without compromising the task they were built for.

That’s partially the motivation for rooting any device, but for Xiaomi devices, it’s a bit more fun – that is to say, it’s a little bit harder when you’re reverse engineering its firmware from scratch.

Similar to his other DEF CON 26 talk on modifying ARM Cortex-M firmware, [Dennis Giese] returns with a walkthrough of how to reverse-engineer Xiaomi IoT devices. He starts off talking about the Xiaomi ecosystem and the drawbacks of reusing firmware across all the different devices connected to the same cloud network before jumping into the walkthrough for accessing the devices.


Customizing Xiaomi ARM Cortex-M Firmware

This hack was revealed a while ago at DEF CON 26, but it’s still a fascinating look into vulnerabilities that affect some of the most widely used IoT devices.

[Dennis Giese] figured out a way to modify ARM Cortex-M based firmware in order to customize a device’s functionality or remove the vendor’s access to it. Obviously, as with any firmware exploit, this kind of hack can also be put to more malicious uses, and those are, equally obviously, not condoned.

The talk goes into the structure of the Xiaomi ecosystem and its products before giving a step-by-step approach to binary patching the firmware. The first step is to acquire the firmware, either by dumping SPI flash memory (using JTAG, SWD, or the pins of a desoldered flash chip) or by intercepting traffic during a firmware update and downloading the image. Firmware can sometimes also be downloaded directly from a URL, although such URLs can be difficult to find.

The firmware can then be parsed, which first requires converting it from a proprietary format to an ELF file. This conversion makes it easier to load into IDA Pro and supplies information on the firmware’s segments and its entry point. Python tools luckily exist for converting binary files to ELF, which simplifies the task.

After loading the ELF file into the disassembler, you’ll want to find the key memory area, denoted by “TAG_MAC”, “TAG_DID”, and “TAG_KEY” in the example firmware (the slots storing the MAC address, device ID, and key). To prepare the firmware for Nexmon – a framework that supports C-based binary patching of ARM Cortex-A and ARM Cortex-M firmware – you’ll need to reserve some space in memory for the patches and know the names and signatures of the firmware’s functions.

The latter is done by diffing the unknown executable against the example executable in the disassembler.

With the necessary information gathered, you can now use Nexmon to make your modifications. The fact that this can be done to smart devices at home means that any smart device you acquire – especially one that has passed through other hands – may contain malicious code, so take care when handling used devices.
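The parse-and-load step of the procedure above (wrapping the raw image in an ELF so the disassembler knows the load address and entry point, then locating the TAG_MAC/TAG_DID/TAG_KEY area), as an added Python example. This is not code from the talk or from the Python tools it mentions. It assumes a raw Cortex-M image whose vector table starts with the initial stack pointer followed by the reset handler (Thumb bit set), an assumed flash base of 0x08000000, and a small constructed blob in place of real Xiaomi firmware; the output is a minimal ELF32/ARM file with a single PT_LOAD segment, which is enough for a disassembler to map the image at the right address.

```python
import struct

# Constructed sample image (not real Xiaomi firmware): a Cortex-M style
# vector table (initial SP, then the reset handler with the Thumb bit set),
# a one-instruction reset handler, and the three tag strings the talk
# names, each followed by a zeroed placeholder for its value.
LOAD_BASE = 0x08000000  # assumed flash base; real parts vary
CONSTRUCTED_FIRMWARE = (
    struct.pack("<II", 0x20001000, (LOAD_BASE + 0x100) | 1)
    + b"\x00" * (0x100 - 8)
    + b"\x70\x47" + b"\x00" * 14      # 'bx lr' reset handler at offset 0x100
    + b"TAG_MAC\x00" + b"\x00" * 8    # MAC slot at offset 0x110
    + b"TAG_DID\x00" + b"\x00" * 8    # device-ID slot at offset 0x120
    + b"TAG_KEY\x00" + b"\x00" * 16   # key slot at offset 0x130
)

EM_ARM = 40
EHDR_FMT, PHDR_FMT = "<4sBBBBB7xHHIIIIIHHHHHH", "<IIIIIIII"
EHDR_SIZE, PHDR_SIZE = 52, 32


def cortex_m_entry(blob: bytes) -> int:
    """Reset handler address from vector-table word 1, Thumb bit cleared."""
    _initial_sp, reset_vector = struct.unpack_from("<II", blob, 0)
    return reset_vector & ~1


def entry_in_image(blob: bytes, base: int, entry: int) -> bool:
    """A reset vector outside the image usually means the wrong load base."""
    return base <= entry < base + len(blob)


def bin_to_elf(blob: bytes, base: int, entry: int) -> bytes:
    """Wrap a raw image in a minimal ELF32/ARM file with one PT_LOAD segment."""
    if not entry_in_image(blob, base, entry):
        raise ValueError(f"entry {entry:#x} is outside the image at {base:#x}")
    ehdr = struct.pack(
        EHDR_FMT, b"\x7fELF", 1, 1, 1, 0, 0,  # ELFCLASS32, LE, EV_CURRENT, SysV ABI
        2, EM_ARM, 1, entry, EHDR_SIZE, 0,    # ET_EXEC, machine, version, entry, phoff, shoff
        0x05000000,                           # EF_ARM_EABI_VER5
        EHDR_SIZE, PHDR_SIZE, 1, 40, 0, 0,    # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    )
    data_off = EHDR_SIZE + PHDR_SIZE
    phdr = struct.pack(PHDR_FMT, 1, data_off, base, base,  # PT_LOAD, offset, vaddr, paddr
                       len(blob), len(blob), 5, 4)         # filesz, memsz, PF_R|PF_X, align
    return ehdr + phdr + blob


def elf_summary(elf: bytes) -> dict:
    """Read back the header fields a disassembler uses to map the image."""
    f = struct.unpack_from(EHDR_FMT, elf, 0)
    if f[0] != b"\x7fELF":
        raise ValueError("not an ELF file")
    p = struct.unpack_from(PHDR_FMT, elf, f[10])  # f[10] is e_phoff
    return {"machine": f[7], "entry": f[9], "offset": p[1], "vaddr": p[2], "filesz": p[4]}


def find_tags(blob: bytes, base: int, tags=(b"TAG_MAC", b"TAG_DID", b"TAG_KEY")) -> dict:
    """Map each tag string to its load address so the slots can be located in the disassembler."""
    found = {}
    for tag in tags:
        off = blob.find(tag)
        if off != -1:
            found[tag.decode()] = base + off
    return found


if __name__ == "__main__":
    entry = cortex_m_entry(CONSTRUCTED_FIRMWARE)
    elf = bin_to_elf(CONSTRUCTED_FIRMWARE, LOAD_BASE, entry)
    print(elf_summary(elf))
    for name, addr in find_tags(CONSTRUCTED_FIRMWARE, LOAD_BASE).items():
        print(f"{name} at {addr:#010x}")
```

The entry-point check is the useful part in practice: if the reset vector read from word 1 does not fall inside the image at the base you guessed, the base is wrong and every address the disassembler shows will be off by the same amount.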


Fried Desk Lamp Reborn: How To Use ESP8266 To Build Connected Devices

Some hacks are born of genius or necessity, and others from our sheer ham-fisted incompetence. This is not a story about the first kind. But it did give me an excuse to show how easy it is to design WiFi-connected devices that work the way you want them to, rather than the way the manufacturer had in mind.

It started out as a sensible idea – consumer electronics in Vietnam come with many different mains plug types: A, C, G, F, and I are all fairly common, with A and C the most common. For a quick review of what all those look like, this website sums it up nicely. There are universal power adapters available of course, but they tend to fit my most common type (C) poorly, resulting in intermittent power loss whenever you sneeze. So I figured I should replace all the plugs on my devices with A-type (familiar to those of you in North America), as it holds well in all the power bars I have, mainly leftover server PDUs.

This was very straightforward until I got to my desk lamp. Being a fancy Xiaomi smart lamp, it had a transformer hidden in the plug, of such small dimensions that I failed to notice it. So instead of receiving a balmy 12 volts DC, the lamp received 220 volts AC. With a bright flash and bang, it illuminated my desk one final time.


Hackaday Podcast 036: Camera Rig Makes CNC Jealous, Become Your Own Time Transmitter, Pi HiFi With 80s Vibe, DJ Xiaomi

Hackaday Editors Elliot Williams and Mike Szczys work their way through a fantastic week of hacks. From a rideable tank tread to spoofing radio time servers and from tune-playing vacuum cleaners to an epic camera motion control system, there’s a lot to get caught up on. Plus, Elliot describes frequency counting while Mike’s head spins, and we geek out on satellite optics, transistor-based Pong, and Jonathan Bennett’s weekly security articles.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!


DJ Xiaomi Spins Beats And Brushes At The Same Time

Direct from the “Just Because I Can” department, this blog post by [Eddie Zhang] shows us how easy it is to get the Xiaomi robotic vacuum cleaner working as what might be the world’s most unnecessary Spotify Connect speaker. Will your home be the next to play host to an impromptu performance by DJ Xiaomi? Judging by the audio quality demonstrated in the video after the break, we doubt it. But this trick does give us a fascinating look at the current state of vacuum hacking.

For the first phase of this hack, [Eddie] makes use of Dustcloud, an ongoing project to document and reverse engineer various Xiaomi smart home gadgets. Using the information provided there you can get root-level SSH access to your vacuum cleaner and install your own software. There’s a sentence you never thought you’d read, right?

With the vacuum rooted, [Eddie] then installs a Spotify Connect client intended for the Raspberry Pi. As they’re both ARM devices, the software will run on the Xiaomi bot well enough, but the Linux environment needs a little tweaking. Namely, you need to manually create an Upstart .conf file for the service, as the vacuum doesn’t have systemd installed. There goes another one of those unexpected sentences.

We’re certainly no stranger to robotic vacuum hacking, though historically the iRobot Roomba has been the target platform for such mischief. Other players entering the field can only mean good things for those of us who get a kick out of seeing home appliances pushed outside of their comfort zones.


Security Engineering: Inside The Scooter Startups

A year ago, ridesharing scooter startups were gearing up for launch. Workers at Bird, Lime, Skip, and Spin were busy improving their apps, retrofitting scooters, and most importantly, figuring out the logistics of distributing thousands of electric scooters along the sidewalks of the Bay Area. These companies were gearing up for a launch in early summer, but one company — nobody can remember exactly who — decided to launch early. First mover advantage, and all. Overnight, these scooter companies burst into overdrive, chucking scooters out of panel vans onto the sidewalk simply to keep up with the competition.

The thing about San Francisco, and California in general, is that it’s a very direct democracy masquerading as a representative government. Yes, there are city council members and a state legislature, but the will of the people will rule. No one liked tripping over the scooters littering the sidewalks, so the scooters ended up at the bottom of a lake. Or in trees. Or in the trash. In time, city permits were issued, just like a hot dog cart or any other business operating on a public sidewalk, and the piles of electric scooters disappeared. Not before hundreds of scooters were vandalized, that is.

It’s still early in the electric scooter rental startup space, but if there’s one company leading the pack, it’s Bird. They’re getting the most press, the CEO was formerly at Lyft and Uber (which explains the press), and they’ve raised nearly half a billion dollars in funding (which also explains the press). Bird is valued at two billion dollars, and it’s one of four major ridesharing scooter startups. Pets.com had nothing on this.

Despite how overvalued you think a scooter startup might be, they’re still a business, and they’re ruled by the bottom line. Bird has grown a lot in the past year, and with that comes engineering challenges. The Bird scooters must be more resistant to vandalism. The Bird scooters must be harder to steal. Above all else, they must remain in service longer. This is the teardown of how Bird managed to improve their bottom line and engineer a better scooter.


The Bedside Light App That Phones Home

Desiring a bedside lamp with a remote control, [Peadar]’s wife bought a Xiaomi Yeelight, an LED model with an accompanying Android app. Since he’s a security researcher by trade, he subjected the app to a close examination and found it demanding permissions and phoning home to a far greater extent than you’d expect from a bedside light.

His write-up is worth a read for its fascinating run-through of the process for investigating any Android app, as it reveals the level to which the software crosses the line from simple light-controller into creepy data-slurper. The abilities to create accounts on your device, download without notification, take your WiFi details and location, and record audio are not what you’d expect to be necessary in this application. He also looks into the Xiaomi web services the app uses to phone home, revealing some interesting quirks along the way.

This story has received some interest across the Internet, quite rightly, since it represents a worrying over-reach of corporate electronic intrusion. It is interesting, though, to see commentary whose main concern is that the servers doing the data-slurping are in China, as though in this context the location were the issue rather than the practice itself. We’ve written before about how some mildly sinister IoT technologies seem to bridge the suspicion gap while others don’t; it would be healthy to see all such services subjected to the same appraisal.

As a postscript, [Peadar] couldn’t get the app to find his wife’s Yeelight, let alone control it. That the spy part of the app works while the on-the-surface part doesn’t speaks volumes about the development priorities of its originator.

Image: Xiaomi Yeelight website.