Welcome to our repository for hacking and rooting the Xiaomi Vacuum Robot Generation 1 (aka Rockrobo) and Generation 2 (aka Roborock S50). We provide methods to root your device without opening it or breaking the warranty seal.
More information for Generation 2 will follow.
You can find a step-by-step guide on how to wirelessly root your vacuum robot here.
Our presentation was designed for 35 minutes (+10 min FAQ); however, our available time was cut to 20 minutes (+10 min FAQ). Therefore we had to reduce the content in our presentation. You can find a more detailed version of our 34C3 presentation here. More technical information can be found here (techinfo.pdf). The cloud protocol is described here (cloudprotocol.pdf).
Recording of our talk at 34C3: https://media.ccc.de/v/34c3-9147-unleash_your_smart-home_devices_vacuum_cleaning_robot_hacking
We will have a talk at Recon BRX 2018 (https://recon.cx/2018/brussels/)
No, you can only root your own device, devices that are in your own Wi-Fi network, or devices to which you have physical access.
Actually we think that Xiaomi did a good job in designing their cloud protocol (at least from a security perspective).
No, you can push the firmware update to the robot without opening it. See the Update howto.
The vacuum transfers its connected SSID, the gateway's MAC address and the RSS value to the cloud every 30 minutes. Theoretically you can pinpoint an address very precisely with that information, e.g. by using Google's geolocation API.
Yes, however you need to use the firmware of Gen2 for the rooting. Do not flash Gen1 firmware on a Gen2 device and vice versa.
While you can build your own firmware with SSH, we are not sure if we want to provide a pre-rooted version with some default SSH keys. Knowing you (and us), some people might not change the keys afterwards. So instead of giving access to the vacuum just to you, other people would also have access to your vacuum. We would like to make the world safer and not more vulnerable. Therefore we are thinking of some solution for that.
No, dustcloud requires the symmetric key (extracted from `/mnt/default/device.conf`) to decrypt the AES connection to the cloud. The same key is used to encrypt the forwarded messages to the cloud. Note: I personally think that Xiaomi's approach of a device-unique AES key solves a lot of cloud problems: authentication, integrity (via HMAC) and confidentiality.
Sure, but set a password to protect the Wi-Fi AP of your vacuum robot. Edit the file `/opt/rockrobo/wlan/wifi_start.sh` and change `CMD="create_ap -c $channel -n wlan0 -g 192.168.8.1 $ssid_ap --daemon"` to `CMD="create_ap -c $channel -n wlan0 -g 192.168.8.1 $ssid_ap YourWPApassword --daemon"`. Then your unprovisioned vacuum has a protected Wi-Fi network and you are still able to connect (if you do not lose the password).
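The edit to `wifi_start.sh` described above can be scripted so that it is repeatable and keeps a backup. This is an added example, not code from this repository; the function name `protect_ap` is hypothetical, and it assumes the passphrase is 8 to 63 characters (the WPA2-PSK limit) drawn from `[A-Za-z0-9._-]` so that no extra quoting is needed.

```shell
#!/bin/sh
# Added example: give the robot's provisioning AP a WPA passphrase by
# patching the create_ap line in wifi_start.sh. Keeps FILE.bak as a backup.
#
# protect_ap FILE PASSPHRASE
#   returns 0 = patched, 1 = bad passphrase,
#           2 = file or expected line missing, 3 = already protected
protect_ap() {
    file=$1
    pass=$2
    # Assumption of this example: only [A-Za-z0-9._-], so the passphrase
    # cannot break shell or sed quoting when written into the script.
    case $pass in
        *[!A-Za-z0-9._-]*)
            echo "unsupported character in passphrase" >&2; return 1 ;;
    esac
    # WPA2-PSK passphrases must be 8..63 characters long.
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "passphrase must be 8..63 characters" >&2; return 1
    fi
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Look for the open-AP form of the line: $ssid_ap directly before --daemon.
    if ! grep -q '^[[:space:]]*CMD="create_ap .*\$ssid_ap --daemon"' "$file"; then
        if grep -q '^[[:space:]]*CMD="create_ap .*\$ssid_ap [^ ][^ ]* --daemon"' "$file"; then
            echo "AP already has a passphrase, nothing changed" >&2; return 3
        fi
        echo "expected create_ap line not found" >&2; return 2
    fi
    # Back up first, then rewrite in place so the file mode is preserved.
    cp -p "$file" "$file.bak" || return 2
    sed '/^[[:space:]]*CMD="create_ap /s/\$ssid_ap --daemon"/$ssid_ap '"$pass"' --daemon"/' \
        "$file.bak" > "$file"
}

# Usage on the robot (as root):
#   protect_ap /opt/rockrobo/wlan/wifi_start.sh 'YourWPApassword'
```
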
Technically there is, but I do not believe so. In any case you can disable updates (yours and Xiaomi's) by renaming the ccrypt command. See disable-UPDATES.md for additional information.
There are plans for that. But keep in mind that the devices were financed from my private budget, therefore the focus will be on devices that I will use myself after the hacking. Do not expect a smart fridge (I have a stupid one already) or a smart car (too expensive). However, if you have broken devices (like a used air purifier or something) or spare devices you want to get rid of, you can contact me. I might be interested in some PCBs ;)
Yes, there is a Telegram channel. https://t.me/joinchat/Fl7MmxBwXWC7ETNZAXQLSQ
- Dennis Giese <dgi[at]posteo.de>
- Daniel Wegemer <daniel[at]wegemer.com>
- https://www.kaspersky.com/blog/xiaomi-mi-robot-hacked/12567/
- https://www.golem.de/news/xiaomi-mit-einem-stueck-alufolie-autonome-staubsauger-rooten-1712-131883.html
- http://www.zeit.de/digital/datenschutz/2017-12/34c3-hack-staubsauger-iot
- https://hackaday.com/2017/12/27/34c3-the-first-day-is-a-doozy/
- https://m.heise.de/newsticker/meldung/34C3-Vernetzter-Staubsauger-Roboter-aus-China-gehackt-3928360.html
- https://www.notebookcheck.com/Security-Staubsauger-sammelt-neben-Staub-auch-Daten-ueber-die-Wohnung.275668.0.html
- https://derstandard.at/2000071134392/Sicherheitsforscher-hacken-Staubsaugerroboter-und-finden-Bedenkliches (at some points very inaccurate)