Reversing IoT: Xiaomi Ecosystem

Dennis Giese, Daniel Wegemer

Event: Recon BRX 2018

Date: 2018/02/03

Abstract:

All Xiaomi products communicate via a proprietary cloud service offered solely by Xiaomi. Their IoT devices are unable to function fully without a cloud connection. The connection to the cloud is protected by AES and a unique device key. Data generated by the devices gets uploaded to the vendor's cloud (e.g. maps, log files, etc.). We show you how to get access to the firmware of different products such as the vacuum robots, light bulbs, or smart home gateways. For that, we use not only methods that require opening the devices but also methods that leave the devices intact. The Nexmon framework (see materials) is used to alter the firmware of the ARM-based IoT devices. We are able to download patched firmware to the devices using the OTA function. The modified firmware is then used to extract secrets which are needed to run the IoT devices with your own cloud software. It is also possible to easily implement completely new functions in the firmware using C code.


Presentation slides (PDF) on recon.cx
Slides (PDF) hosted locally
Link to Abstract on official event website