| | 34C3 | Recon BRX | HITCON | DC26 | DC26 IoT | BeVX |
|---|---|---|---|---|---|---|
| Recording available? | Y | WIP | WIP | Y | Y | N |
| Topics: | | | | | | |
| Motivation | | | + | + | + | + |
| Responsible Disclosure | | | | + | + | v2 |
| | | | | | | |
| Overview Xiaomi Ecosystem | + | + | v2 | v2 | v2 | v3 |
| Device to Cloud communication | + | + | + | + | + | + |
| Cloud Protocol | + | + | + | + | + | + |
| App to Cloud communication | | + | + | + | + | + |
| Firmware update distribution | | | | | + | v2 |
| How to get firmware | | | | | + | + |
| Dustcloud Intro | | | | + | + | + |
| How we work/our methods | | | | | | + |
| *Magic trick* (shown at BeVX only) | | | | | | + |
| | | | | | | |
| General Devices | | | | | | |
| Device Costs | + | + | | | | |
| Overview Architectures/OS | | + | v2 | v2 | v2 | v2 |
| Overview Products | | | + | + | + | + |
| ESP8266 | | | + | | + | + |
| Usual ways to get access | | + | + | | + | + |
| | | | | | | |
| App | | | | | | + |
| Plugin structure | | | | | | + |
| | | | | | | |
| Vacuum Cleaning Robot Gen1 | + | + | + | + | | + |
| Sensors | + | + | - | - | | - |
| PCB Layout | + | + | + | | | + |
| EMMC Partition Layout | + | + | + | + | | + |
| Communication Relations | + | + | + | + | | v2 |
| Rooting | + | + | + | + | | + |
| Firmware Update mechanism | + | v2 | v2 | v2 | | v2 |
| Data available on the device | + | + | - | v2 | | v2 |
| Possible Countermeasures against us | | | + | + | | + |
| AES Log/Map Encryption (new) | | | + | + | | + |
| LTrace example | | | + | + | | + |
| Token Generation: Entropy fail | | | | + | | + |
| Persistence | | | | + | | + |
| Usecases of rooted device | + | | | | | |
| Hardware Modifications | | | | + | | + |
| OnionBots | | | | + | | + |
| Wi-Fi Mapper | | | | + | | + |
| IoT chatting with IoT | | | | + | | |
| | | | | | | |
| Vacuum Cleaning Robot Gen2 | | + | + | + | | + |
| PCB Layout | | + | + | + | | + |
| | | | | | | |
| Smart Home Gateway/Lightbulbs | | + | + | | + | |
| Overview Hardware | | + | + | | + | |
| SWD/JTAG | | + | + | | + | |
| Binary Patching Intro | | + | + | | + | |
| Binary Patching Step-by-Step with Nexmon | | | | | + | |
| Nexmon Intro | | + | + | | + | |
| Nexmon Configuration | | | | | + | |
| Partition Layout | | | | | + | |
| CLI via Serial | | | | | + | |
| Firmware Update mechanism | | + | + | | + | |
| Marvell | | + | + | | + | |
| Mediatek | | | + | | + | |
| | | | | | | |
| Wi-Fi Network Speaker | | | + | + | | |
| Overview Hardware | | | + | + | | |
| Rooting/Exploit | | | + | + | | |
| Firmware Updates | | | | + | | |
| | | | | | | |
| Aqara Smart IP Camera | | | | + | | + |
| Overview Hardware | | | | + | | + |
| Hardcoded Root Password | | | | + (first publication) | | + |
| Leaked Credentials | | | | + | | + |
| Modifications | | | | + | | + |
| | | | | | | |
| Xiaomi M365 Electric Scooter | | | | | | + |
| Overview Hardware | | | | | | + |
| Rooting/Exploiting | | | | | | + |
| *another Magic trick* (shown at BeVX only) | | | | | | + |