
TaszkSecLabs/xiaomi-c400-pwn PoC exploit and jailbreak for X...#2018

Open
carlospolop wants to merge 1 commit into master from
update_TaszkSecLabs_xiaomi-c400-pwn__PoC_exploit_and_jail_20260317_131134

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://github.com/TaszkSecLabs/xiaomi-c400-pwn
  • Blog Title: TaszkSecLabs/xiaomi-c400-pwn: PoC exploit and jailbreak for Xiaomi Smart Camera C400
  • Suggested Section: Generic Hacking -> (new) IoT/Embedded devices provisioning attack surface OR Network Services Pentesting -> (new) Xiaomi/miIO UDP 54321 provisioning protocol; and/or Binary Exploitation -> ROP & JOP / ARM-specific ROP techniques (/proc/self/mem shellcode write)

🎯 Content Summary

What this repo is
GitHub repository TaszkSecLabs/xiaomi-c400-pwn provides an exploit PoC plus a jailbreak for Xiaomi smart cameras, focusing on Xiaomi Smart Camera C400.

The exploit is written against firmware 5.1.5_0379 and the author states the bug is still present on firmware 5.1.6_0423 (firmware images are referenced in the repo). No CVE is listed in the repository content.

High-level impact / severity
Wh...

🔧 Technical Details

Factory-provisioning attack surface on IoT setup AP: If a device exposes an onboarding Wi‑Fi AP, an attacker who can join it can often reach unauthenticated provisioning endpoints. Here the PoC assumes the camera is reachable at 192.168.14.1 and speaks a miIO-like UDP service on 54321/udp, using a hello packet to extract a per-session token and DID, then framing messages with a timestamp and an MD5 checksum over the declared sent_len.

Token-derived symmetric crypto (miIO-style): When a protocol derives AES-CBC key/IV solely from a transmitted token (e.g., key=MD5(token), iv=MD5(key+token)) and uses predictable framing, an attacker can fully encrypt/decrypt traffic after learning that token from an unauthenticated hello response, enabling full protocol interaction during onboarding.

Provisioning auth bypass by skipping/forging MACs: If a provisioning method expects HMAC sign...

🤖 Agent Actions

Summary:

  • Added a concise technique section on ROP-based shellcode injection via /proc/self/mem and ARM Thumb jump detail.
  • Appended required references to the blog post and repo.

File updated:

  • src/binary-exploitation/rop-return-oriented-programing/README.md

Notes:

  • I focused on the novel ROP technique from the blog. The miIO protocol/auth/RNG/heap overflow aspects likely belong to IoT/network protocol or heap exploitation pages, but I avoided adding those without a clearly matching existing page to prevent misplacement.

If you want me to also integrate the miIO provisioning/auth bypass/RNG/length-confusion overflow techniques, tell me which section you prefer and I’ll map them to the best existing HackTricks pages.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
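The token-derived key schedule and the hello/framing exchange described in the Technical Details above, as an added example that is not code from the xiaomi-c400-pwn repository or from this PR. It follows the standard miIO wire layout (magic 0x2131, big-endian length/DID/stamp, a 16-byte MD5 slot that carries the token in the hello reply), so the C400-specific variant the summary alludes to (checksum computed over a declared sent_len) may differ in detail; the hello reply, DID, stamp and token are constructed values, the framing and checks use only the standard library, and the two AES-CBC helpers assume pycryptodome is installed.

```python
"""miIO-style hello, token-derived AES key/IV and message framing (example code)."""
import hashlib
import hmac
import struct

MAGIC = 0x2131
HEADER_LEN = 32          # 16-byte fixed header + 16-byte checksum/token slot
HEADER_FMT = ">HHIII"    # magic, length, reserved, device id (DID), stamp (all big-endian)


def derive_key_iv(token):
    """key = MD5(token), iv = MD5(key + token): nothing secret beyond the transmitted token."""
    key = hashlib.md5(token).digest()
    iv = hashlib.md5(key + token).digest()
    return key, iv


def build_hello():
    """Client hello: every field 0xff; the device answers with its DID, stamp and token."""
    header = struct.pack(HEADER_FMT, MAGIC, HEADER_LEN, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)
    return header + b"\xff" * 16


def parse_hello_response(pkt):
    """Return DID, stamp and token from a 32-byte hello reply (token sits in the checksum slot)."""
    if len(pkt) != HEADER_LEN:
        raise ValueError("hello reply must be exactly 32 bytes")
    magic, length, _reserved, did, stamp = struct.unpack(HEADER_FMT, pkt[:16])
    if magic != MAGIC or length != HEADER_LEN:
        raise ValueError("not a miIO hello reply")
    return {"did": did, "stamp": stamp, "token": pkt[16:32]}


def frame(token, did, stamp, payload):
    """Build a message: header, then MD5(header + token + payload) in the checksum slot."""
    header = struct.pack(HEADER_FMT, MAGIC, HEADER_LEN + len(payload), 0, did, stamp)
    checksum = hashlib.md5(header + token + payload).digest()
    return header + checksum + payload


def unframe(token, pkt):
    """Validate a received message and return its payload, or None if it must be dropped.

    Hardened-parser checks: the declared length must equal the bytes actually received
    (never size a copy from sent_len alone), and the MD5 is recomputed over the received
    bytes rather than over the declared length.
    """
    if len(pkt) < HEADER_LEN:
        return None
    magic, length, _reserved, _did, _stamp = struct.unpack(HEADER_FMT, pkt[:16])
    if magic != MAGIC or length != len(pkt):
        return None  # length confusion: declared sent_len != actual datagram size
    payload = pkt[HEADER_LEN:]
    expected = hashlib.md5(pkt[:16] + token + payload).digest()
    if not hmac.compare_digest(expected, pkt[16:32]):
        return None
    return payload


def encrypt_payload(token, plaintext):
    """AES-128-CBC with the token-derived key/IV (requires pycryptodome, not stdlib)."""
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import pad
    key, iv = derive_key_iv(token)
    return AES.new(key, AES.MODE_CBC, iv).encrypt(pad(plaintext, AES.block_size))


def decrypt_payload(token, ciphertext):
    """Inverse of encrypt_payload: anyone holding the hello-reply token can run this."""
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import unpad
    key, iv = derive_key_iv(token)
    return unpad(AES.new(key, AES.MODE_CBC, iv).decrypt(ciphertext), AES.block_size)


# Constructed sample hello reply (not a real capture): DID 0x0A0B0C0D, stamp 4242, token 00..0f
SAMPLE_TOKEN = bytes(range(16))
SAMPLE_HELLO_REPLY = struct.pack(HEADER_FMT, MAGIC, HEADER_LEN, 0, 0x0A0B0C0D, 4242) + SAMPLE_TOKEN


def demo():
    """Walk the onboarding exchange from the attacker's side and return the results."""
    info = parse_hello_response(SAMPLE_HELLO_REPLY)
    key, iv = derive_key_iv(info["token"])
    msg = frame(info["token"], info["did"], info["stamp"] + 1, b'{"id":1,"method":"miIO.info"}')
    accepted = unframe(info["token"], msg)
    truncated = unframe(info["token"], msg[:-1])                          # length mismatch
    tampered = unframe(info["token"], msg[:-1] + bytes([msg[-1] ^ 0x01]))  # checksum mismatch
    return {"did": info["did"], "key": key, "iv": iv, "payload": accepted,
            "truncated": truncated, "tampered": tampered}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The defensive takeaway is in `unframe`: a device-side parser that trusts the declared length for its buffer arithmetic, or computes the MD5 over that declared length instead of the bytes it received, can be driven into the length-confusion condition the bot's notes mention; and because the key and IV fall out of the token alone, confidentiality of the onboarding channel is only as good as the secrecy of that hello reply.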

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/TaszkSecLabs/xiaomi-c400-pwn

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking -> (new) IoT/Embedded devices provisioning attack surface OR Network Services Pentesting -> (new) Xiaomi/miIO UDP 54321 provisioning protocol; and/or Binary Exploitation -> ROP & JOP / ARM-specific ROP techniques (/proc/self/mem shellcode write)".

Repository Maintenance:

  • MD Files Formatting: 954 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
