• Now port mirroring from a switch (TP-Link TL-SG105E)
• Now getting all LAN data too! (port mirrored from AP)

• The switch doesn’t have true port mirroring - also seeing sink traffic
• Disabled IPv4 and (attempt to disable) IPv6 on the network adapter
• Can filter out irrelevant packets later

Will later use dumps to check frequency and access

System

[ 0.340]U-Boot 2011.09-rc1-dirty (Mar 25 2020 - 20:45:43) Allwinner Technology
[ 0.000000] Linux version 3.4.39 (rockrobo@apimg) (gcc version 4.8.4 (Ubuntu/Linaro 4.8.4-2ubuntu1~14.04.1) ) #1 SMP PREEMPT Wed Mar 25 20:47:59 CST 2020
[ 0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
[ 0.000000] Machine: sun8i
...

CPU: Allwinner R16 (ARM Cortex-A7) - ARMv7l / armhf
ACU: STM32F103VCT6 (ARM Cortex-M3)
Roborock Firmware version: 3.5.4_1558
Operating system: Ubuntu 14.04.3 LTS

Users

No additional users

root@rockrobo:~# ls /home
ruby

/home/ruby exists but no user ruby, though exists in /etc/passwd~

Processes

🚩 Everything is running as root

Ports

root@rockrobo:~# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address      State       PID/Program name
tcp        0      0 127.0.0.1:54322         0.0.0.0:*            LISTEN      991/miio_client 
tcp        0      0 127.0.0.1:54323         0.0.0.0:*            LISTEN      991/miio_client 
tcp        0      0 0.0.0.0:22              0.0.0.0:*            LISTEN      1644/sshd       
tcp        0      0 127.0.0.1:55551         0.0.0.0:*            LISTEN      998/rriot_tuya  
tcp        0      0 0.0.0.0:6668            0.0.0.0:*            LISTEN      998/rriot_tuya  
tcp6       0      0 :::22                   :::*                 LISTEN      1644/sshd       

🚩 tcp/22 and tcp/6668 are exposed

Firewall

🤷‍♂️ At least port 22 is blocked by iptables

root@rockrobo:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source           destination         
DROP       udp  --  anywhere         anywhere           udp dpt:6665
DROP       tcp  --  anywhere         anywhere           tcp dpt:6665
DROP       tcp  --  anywhere         anywhere           tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source           destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source           destination      

• What runs on port 6665
  • player
  • What about file-based IPC?

root@rockrobo:~# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source           destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source           destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source           destination

🚩 … except IPv6 isn’t..

Future work: Test IPv6 lease

Other small tests

• Can I ping the internet / make outbound connections?
  • Yes
• Can I run my own software
  • Yes (armhf architecture)

Trivial Power Analysis

Batteries don’t last forever!

Test: What if I unplug the battery?

• No change in output during boot
• But device will turn off after around 20 seconds

Ubuntu 14.04.3 LTS rockrobo ttyS0

rockrobo login:                                                 #### Usual login prompt
wait-for-state stop/waiting
haveged: haveged Stopping due to signal 15                      #### Shutdown SIGTERM 

 * Stopping rsync daemon rsync                                           [ OK ] 
 * (not running)
 * Asking all remaining processes to terminate...                        [ OK ] 
 * All processes ended within 1 seconds...                               [ OK ] 
umount: /tmp: device is busy.
        (In some cases useful info about processes that use
         the device is found by lsof(8) or fuser(1))
 * Unmounting temporary filesystems...                                   [fail] 
 * Deactivating swap...                                                  [ OK ] 
 * Unmounting local filesystems...                                       [ OK ] 
 * Will now halt
[   26.948171] [MCU_UART] sent ap poweroff event to mcu         #### Device turns off

See 2-wire log, 4-wire log

File System Imaging

The eMMC only has 4GB of storage, so we can’t (also shouldn’t) image the flash onto itself… but we can image it remotely!

IP=10.10.10.8
for partition in `ssh root@$IP "ls /dev/mmcblk0?* -1"`
do
    ssh root@$IP "sudo dd if=$partition bs=1M" | dd of=$(basename $partition).img
done

File System Structure

Recovery Reset

Recovery supposedly resets system_a, system_b, UDISK and Download

• What about the other partitions?
• Can we install software in the recovery partition? A: Yes 🚩

I did a thing - Commentree

Plain-text annotation / commentary tool

The Search

• Looked for any passwords, secrets, keys, IDs, function calls, logs, …
• Find changed files (*)
• See where they are used
• See how they are used
• Anything of general interest

• mmcblk0p1
  • miio/device.token
  • miio/device.uid
  • rockrobo/
  • rockrobo/rrlog/ (logs are encrypted!)
• mmcblk0p8/opt/rockrobo
  • Binaries
  • scripts/pipes.sh
  • rrlog/misc.sh
• mmcblk0p11/endpoint.bin - AWS address + key?

mmcblk0p8/opt/rockrobo/rrlog/misc.sh

...

#echo "=======device.conf==========" >> /dev/shm/misc.log
#cat /mnt/default/device.conf >> /dev/shm/misc.log

...

mmcblk0p6/device.conf

did=DDDDDDDDD                    # (9 digits)
key=XXXXXXXXXXXXXXXX             # (16 alpha-num, case-sensitive)
mac=64:90:C1:1D:24:C4
vendor=roborock
model=roborock.vacuum.s6

Calls for system

/var/log/apt/history.log

Installed packages that are not part of the base system

Start-Date: 2016-01-25  11:18:05
Commandline: /usr/bin/apt-get install rsync
Install: rsync:armhf (3.1.0-2ubuntu0.2)
End-Date: 2016-01-25  11:18:11

Start-Date: 2016-04-05  12:30:59
Commandline: /usr/bin/apt-get install ccrypt
Install: ccrypt:armhf (1.10-4)
End-Date: 2016-04-05  12:31:01

Start-Date: 2016-04-25  09:58:29
Commandline: /usr/bin/apt-get install tcpdump
Install: tcpdump:armhf (4.5.1-2ubuntu1.2), libpcap0.8:armhf (1.5.3-2, automatic)
End-Date: 2016-04-25  09:58:33

• Why does a vacuum cleaner need rsync or tcpdump?
• No usage calls found yet

mmcblk0p7/usr/sbin/tcpdump

• External but unmodified binary
• Only hub traffic visible (wireless)
• (not really that interesting)

mmcblk0p8/opt/rockrobo/rrlog/rrlogd

✅ Logs are encrypted at rest (after being packed)
✅ Originally used to be a symmetric key, now using a public key
😕 Logging program has the functionality to unblock port 22?

iptables -I INPUT -j ACCEPT -p tcp --dport 22

mmcblk0p6/vinda

Previously… XOR this file to get the root password

File References

mmcblk0p7/usr/bin/adbd

• Custom ADB binary
• Had a brief look (more)

locksec_init_key: can not find the prefix str from adb conf file, use default
locksec_init_key: can not find the suffix str from adb conf file, use default
locksec_init_serial: adb read 465 bytes from /proc/cpuinfo
locksec_init_key: locksec_init_key, rockrobo%()+-[]_8a80ab8936d76c118000:;<=>?@{}rubydevicemodel
locksec_apply_key: locksec_apply_key, erI09cyW%()+-[]_8a80ab8936d76c118000:;<=>?@{}CzD2xuMNlwabTK7
locksec_apply_passwd: adb source str: erI09cyW%()+-[]_8a80ab8936d76c118000:;<=>?@{}CzD2xuMNlwabTK7
locksec_apply_passwd: locksec_apply_passwd, passwd: 0y[ad8@w

Related files

• mmcblk0p6/vinda
• mmcblk0p6/adb.conf
• mmcblk0p8/var/log/upstart/adbd.log

Future: the other programs

• cleaner
• miio
• rockrobo
• rrlog
• rriot

🚩 Wireless credentials are stored in plain text

• Anyone with physical access to the machine can gain wireless credentials
• However, takes a lot of effort to open up the device
• Why? wpa_supplicant is part of the underlying Linux framework

⚠️ SSH server exposed on tcp/22

• Why does this server exist?
• When / where is it used?
  • Allow rule inside the rrlogd binary
• Roborock has made an attempt to protect their product with iptables
• But did not fully product their product against access via IPv6

🚩 Processes are running as root

• Any vulnerability in any of the programs can result in elevated access
  • Dropping of iptables restrictions
  • Persistence planting
  • System takeover
• Should run as a de-privileged user
• Why? Compatibility, perhaps ease of development
  • i.e. udev rules

🚩 Recovery partition is modifiable

• Can be modified to contain malicious software that persists a factory reset
• Mountable - mount /dev/mmcblk0p7 ...
• Why? Allows easy updates of the ‘factory image’
• But the partition could somehow be encrypted

A note on hardware and software

access to the hardware = game over?

• Are there tamper-proof / tamper-evident design possibilities?
• What about some sort of “Secure Element”
• Or read protection?
• Choice of OS
• Choice of auth implementation (e.g. vinda)
• Limitation on what programs are allowed to execute?

✅ The Good Things

• An effort to restrict SSH access via iptables
• AuthN / AuthZ is present within interfaces to the device
• UART shell requires a password
• Logs are encrypted locally

Intercepting encrypted data / TLS traffic

• Ubuntu 14.04 has some issues (?)
  • PolarProxy is too new (libc requirements)
  • apt update doesn’t work with socks5:// or http proxies properly???
• Routing?
• Hook into the encryption/decryption process somehow?
  • Use Frida?
  • Or look at the data communicated by the smartphone app?
    • Objection tool didn’t work with the RoboRock app

Electricity is funny.

Using my main personal computer is not a good idea for a test-bench…
👏 Thank you Gigabyte for having ESD-protected USB ports

Still a lot of files to look at

Need to figure out which files are worthwhile to inspect..

File Inspection Approach 1 - Filter by date modified

Ubuntu 14.04.3 LTS was released back in 2014, any changes would have a later timestamp (hopefully)

File Inspection Approach 2 - Binary Comparisons

Compare executable files and find
differences in binary function

bindiff, binwalk, ssdeep, sdhash

As seen in A Large-Scale Analysis of the Security of Embedded Firmwares - Andrei C, Jonas Z, Aur’elien F, Davide B