Reversing IoT - Xiaomi Ecosystem

Explore the intricacies of reversing IoT devices within the Xiaomi ecosystem in this comprehensive conference talk from Recon Brussels 2018. Delve into the proprietary cloud service that all Xiaomi products rely on for full functionality, and learn how to access firmware for various devices such as vacuum robots, lightbulbs, and smart home gateways. Discover techniques for extracting device secrets and implementing custom functions using the Nexmon framework, enabling the creation of personalized cloud software for IoT devices. Gain insights into the challenges of rooting, device teardown processes, and binary patching methods. Presented by Dennis Giese, a grad student and researcher, and Daniel Wegemer from the Secure Mobile Network Lab, this talk covers topics including Xiaomi Cloud architecture, device-to-cloud communication, operating systems, firmware updates, and the broader Xiaomi ecosystem.

Intro
Xiaomi Cloud
Device to Cloud Communication
Cloud protocol
App to Cloud communication
Operation Systems
Implementations
Device Overview
Rooting: Challenges
Teardown
Backside layout mainboard
Frontside layout mainboard (GEN2)
Pin Layout CPU
Software
Available data on device
Communication relations
eMMC Layout
Update process
Firmware updates
Lets root remotely
Gain Independence
Replacing the cloud interface
Proxy cloud communication
Summary of the Vacuum
Xiaomi Ecosystem
Overview Hardware
Sensors connected via gateway
Acquiring the Key
Binary Patching: Goals
Binary Patching: Why can it be hard?
Binary Patching: Nexmon Framework
Preparing the modified binary (Marvell)
Applying the modified firmware