IoT devices are notoriously insecure, even though things are getting better. As a result, people need a way to check whether a company's claims about privacy and security actually hold. Additionally, the only way to know that a used device is clean is to root it yourself. So being able to root these devices matters for functionality, security and claim validation. The author gave a similar talk in 2018 about another Roomba-like device and discusses the state of rooting for these.
This new cleaner stepped up its game in security though! The Ubuntu version had an obfuscated root password, a custom ADB version, a watchdog enforcing copy protection and a firewall via iptables to prevent malicious access (this only worked on IPv4, not IPv6, though). Additionally, the firmware is not signed and each vacuum has its own encryption keys. Good steps forward!
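The IPv4-only firewall is the kind of gap a quick audit catches. As an added example (not from the talk or the vendor firmware), the script below compares an iptables-save dump with an ip6tables-save dump and reports INPUT filtering that exists only for IPv4; both dumps are constructed, and the blocked ports are assumed for illustration.

```python
# Added example (not from the talk or the vendor firmware): compare an
# iptables-save (IPv4) dump with an ip6tables-save (IPv6) dump and report
# INPUT filtering that exists only for IPv4. Both dumps are constructed.
import re

IPV4_DUMP = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 5555 -j DROP
COMMIT
"""
# IPv6 side: default ACCEPT and no rules, so everything the IPv4 rules
# block is still reachable over an IPv6 address.
IPV6_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
POLICY_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|REJECT) ")

def parse_save(dump):
    """Return ({chain: default policy}, {rules appended to INPUT})."""
    policies, rules = {}, set()
    for line in dump.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A INPUT "):
            rules.add(line)
    return policies, rules

def ipv6_gaps(v4_dump, v6_dump):
    """List the ways the IPv6 INPUT filter is weaker than the IPv4 one."""
    v4_pol, v4_rules = parse_save(v4_dump)
    v6_pol, v6_rules = parse_save(v6_dump)
    findings = []
    v4_default = v4_pol.get("INPUT", "ACCEPT")
    # Restrictive IPv4 default but permissive IPv6 default: the IPv4-only firewall.
    if v4_default != "ACCEPT" and v6_pol.get("INPUT", "ACCEPT") == "ACCEPT":
        findings.append("INPUT policy is %s on IPv4 but ACCEPT on IPv6" % v4_default)
    # Blocking rules with no identical IPv6 counterpart.
    for rule in sorted(v4_rules - v6_rules):
        if rule.endswith(("-j DROP", "-j REJECT")):
            findings.append("IPv4-only rule: " + rule)
    return findings
```

On a real device, feed it the output of `iptables-save` and `ip6tables-save` instead of the constructed dumps.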
The author noticed an open UART connection on the device. However, the root password was obfuscated. Dennis de-obfuscates the password and uses it to gain access, but never mentions how this was done. Another way in was setting up single-user mode in U-Boot while the device was starting up. At this point in time, neither of these methods is restricted.
Prior to the research, three different robots were unrootable. While looking for a new method of rooting, the author noticed that all of the previous exploits had been removed and decided to reverse-engineer the PCB. The SoCs by Allwinner all have a FEL or flashing mode. By disabling the flash IC or pulling the FEL pin on the chip, we can boot our own OS on the system! Since FEL mode is burned into the boot ROM of the device, it cannot be removed.
This approach sounds simple in theory. However, actually loading a proper version of the Linux kernel is complicated because NAND support is proprietary. The steps are as follows:
- Extract kernel config from the RockRobo kernel. This was likely done by JTAG or from previous rooting attempts.
- Create a file system with custom tools on it.
- Compile a minimal kernel from the Nintendo NES Classic source code. This works because both use the same chip.
- Create a custom U-Boot version with the extracted Roborock configuration.
- Trigger the FEL mode by shorting TPA17 to GND.
- Load everything (U-Boot, kernel and new FS) via USB.
- Patch the original OS with our own. Now our OS should just run! :)
ADB uses special authentication with a challenge-response method. This is based upon a secret file, and the mode is controlled via an adb.conf file. Luckily for us, this is stored on an unencrypted and unprotected partition. By using in-system programming (ISP) or replacing the chip entirely, we can change the configuration or the secret. Access to the device is now given!
The next step is disabling SELinux. Currently, access to /dev and the network is blocked. However, bind mounts and kill are usable. By replacing the client with our own bash script via a bind mount and killing the currently running client, the watchdog will attempt to restart the client, which is now just our bash script. Now SELinux is disabled.
Finally, we need to get persistent access. There is custom ELF signature verification running within the kernel, which means we cannot add custom code to the device. However, there is a backdoor that allows all files with the name librrafm.so to run. Now we have rooted the vacuum cleaner! What else can we do? OP-TEE, which uses ARM TrustZone, will decrypt firmware updates if we ask nicely. With this, we can reverse the firmware to find other issues.
Another device that the author looked at had a debug interface for UART and USB and easy access to the boot selection pin. Using FEL, this device could also be rooted quite easily. The author mentions getting the firmware off of the device as well.
This device (Dreame) has a backdoor in it that is accessible from the cloud. The credentials for the server are publicly facing, and the server is used for development. To make matters worse, the user has sudo privileges. There is also an open FTP server that serves debug scripts which could be altered. These devices have predictable root passwords: base64(SHA1(serial number)). The password for debug firmwares is #share!#, making it trivial to break into these devices from the internet.
This talk had enough content for five talks! It's amazing how much information is crammed into it and how much this researcher got done. I hope to see more rooted vacuums in the future and to get better at hardware hacking, like this hacker.