How-to modify ARM Cortex-M based firmware: A step-by-step approach for Xiaomi devices

Dennis Giese

Event: DEFCON 26 IoT Village

Date: 2018/08/11


Many IoT devices use an ARM Cortex-M based MCU and run some kind of RTOS/"bare metal" OS. In comparison to Linux-based firmwares it is a lot more difficult to modify the firmware. If you want to change the functionality you usually have the choice between rewriting the whole firmware yourself or do binary patching manually. In this talk we would like to demonstrate an easier method and show a step-by-step approach. You will see how to get access to the firmware of different Xiaomi Cloud products like lightbulbs or smart home gateways. Their IoT devices are unable to function fully without cloud connection. The connection to the cloud is protected by AES and a unique device key. Data generated by the devices gets uploaded to the cloud of the vendor (e.g. Logfiles, etc.). In May 2018 a subcontractor of Xiaomi, Yeelight, denied EU-based users and their devices access to their cloud infrastructure due the GDPR. To become independent from the vendor the way to go might be to modify or replace the firmware in the device. For that, we are not only using methods that require opening the devices but also methods which leave the devices intact. The Nexmon framework (by the SEEMOO Lab) is used to alter the firmware of the ARM-based IoT devices. The modified firmware is then used to extract secrets which are needed to run the IoT devices with your own cloud software. It is also possible to easily implement completely new functions into the firmware using C code.

Presentation Slides (PDF)
Recording of my talk (Youtube)
Dustcloud Nexmon Github Repo
Link to official event website

<-- Back to my homepage