Now You See mi Now You're Pwned

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://labs.taszk.io/articles/post/nowyouseemi/
• Blog Title: Now You See mi: Now You're Pwned
• Suggested Section: Hardware/Physical Access -> Firmware Analysis (SPI flash dumping, U-Boot env tampering, UART) and Binary Exploitation -> Libc Heap (uClibc fastbin exploitation / function-pointer overwrite / ARM ROP), with a cross-link from Network Services Pentesting for UDP proprietary protocol/crypto pitfalls

🎯 Content Summary

This post documents an end-to-end offensive research project against the Xiaomi C400 Smart Camera, reaching two outcomes: (1) Wi‑Fi/LAN-adjacent remote code execution (RCE) against the camera’s exposed service (miio_client on UDP/54321) by chaining a setup/auth bypass with a heap overflow, and (2) a persistent “cloud jailbreak” that keeps the camera functional without Xiaomi account/cloud reliance by replacing the control channel and blocking cloud traffic via firewalling.

1. Reverse engineerin...

🔧 Technical Details

IoT firmware access and root shell via boot-arg tampering: when UART provides only logs, dump SPI flash and modify the U-Boot env partition to change kernel cmdline (e.g., init=/linuxrc to init=/bin/sh), fix env CRC, and reflash to force a root shell on serial.

Attack surface mapping on embedded Linux: enumerate exposed ports and processes; focus on the only network-facing daemon (miio_client on UDP/54321) and understand the watchdog/supervisor (mi_daemon) because auto-restarts can enable crash-and-retry exploitation.

Protocol review (miIO): JSON wrapped in AES-128-CBC with PKCS#7 padding and token-derived key/IV; integrity uses a token-seeded MD5 checksum plus timestamp; setup handshake later derives a shared key K = HKDF(ECDH(...), salt).

Setup/auth bypass via handshake replay: a pairing flow intended to require physical possession (QR/spoken code) can be bypassed if replayable device-sent values allow completing setup without the code.

Weak PRNG breaks ECDH confidentiality: usin...

🤖 Agent Actions

Summary:
Added a UART-only recovery workflow using SPI flash + U-Boot env CRC fixes, a minimal gdbserver remote debugging snippet, and uClibc fastbin exploitation notes derived from the blog chain.
Updated the References section to include the blog URL and moved it to be the final section (with banner include kept after).

Tests:
Not run (documentation-only changes).

Files modified:
src/hardware-physical-access/firmware-analysis/README.md

If you want me to also cross-link this from other sections, say the word and I’ll align with the single-file constraint you set.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://labs.taszk.io/articles/post/nowyouseemi/

Content Categories: Based on the analysis, this content was categorized under "Hardware/Physical Access -> Firmware Analysis (SPI flash dumping, U-Boot env tampering, UART) and Binary Exploitation -> Libc Heap (uClibc fastbin exploitation / function-pointer overwrite / ARM ROP), with a cross-link from Network Services Pentesting for UDP proprietary protocol/crypto pitfalls".

Repository Maintenance:

• MD Files Formatting: 954 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0