Initial submission, more tools and information will follow ;)
You can find a step-by-step guide how to wirelessly root your vacuum robot here.
Our presenation was designed for 35 minutes, however our time was cut to 20 minutes. Therefore we had to reduce the content in our presentation. You can find a more detailed version of our 34c3 presentation with more details here. More technical information you find here (techinfo.pdf).
No, you can root only your own device, devices which are in your own wifi or where you have physical access to.
Actually we think that Xiaomi did a good job in designing their cloud protocol (at least from a security perspective).
No, you can push the firmwareupdate to the robot without opening it. See the Update howto.
There might be a way to root also Gen2. However as I (Dennis) do not have access to a Gen2 vacuum, i cannot give you more information on that. As soon as i will get my own Gen2 vacuum, i will update the information. [P.S.: you have a Gen2 vacuum and are on the 34C3? Then we should meet ;) ]
While you can build your own firmware with SSH, we are not sure if we want to provide a pre-rooted version with some default SSH keys. As we know you (and us) some people might not change the keys afterwards. So instead of giving just you access to the vacuum, other people would have also access to your vacuum. We would like to make the world safer and not more vulnerable. Therefore we are thinking of some solution for that.
No, dustcloud requires the symmetric key (extracted from /mnt/default/device.conf) to decrypt the AES connection to the cloud. The same key is used to encrypt the forwarded messages to the cloud. Note: I personally think that Xiaomis approach of device's unique AES key solves a lot of cloud problems: authentication, integrity (over hmac) and confidentiality.
- Dennis Giese <dgi[at]posteo.de>
- Daniel Wegemer <daniel[at]wegemer.com>