I’ve owned a RoboRock S5 for two years but only recently came across Dennis Giese’s research around the security of Xiaomi IoT products. His master thesis, where he details how he dumped and analyzed multiple firmwares, to gain root access ultimately, is a great read. His Def Con 26 talk is worth a watch too.

As soon as I realized my RoboRock was a capable quad-core computer running Ubuntu Trusty, I wanted to look at the firmware first-hand.

This post is not about “jailbreaking” the S5 - which has been covered elsewhere. Instead, I will be sharing the steps you can use to get your copy of the firmware so that you can review and decompile the scripts and binaries used to provision and run the robot.

Get a readable copy of the firmware

1) Get a copy of the firmware file. See here if you want to download a different version.

wget https://cdn.cnbj2.fds.api.mi-img.com/rubys/updpkg/v11_002034.fullos.55915876-2190-407a-9fcb-f1e760d9b623.pkg

2) Decrypt the firmware file (use rockrobo when prompted for a decryption key):

ccrypt -d v11_002034.fullos.55915876-2190-407a-9fcb-f1e760d9b623.pkg

NB: Newer robots use a different encryption mechanism.

3) The decrypted “pkg” is actually a gzip archive which contains a disk.img, so we’ll decompress it:

tar zxvf v11_002034.fullos.55915876-2190-407a-9fcb-f1e760d9b623.pkg

4) Let’s find out more about disk.img with the file command:

disk.img: Linux rev 1.0 ext4 filesystem data, UUID=c3a11fc8-0afb-4909-948f-f764e532f7a6, volume name "rootfs" (extents) (huge files)

5) It’s time to mount this image:

sudo mount -o loop disk.img /mnt

NB: This command will fail on Mac OS (no native support of ext4 or loop devices). Ubuntu in a VM will do.

6) You can now freely inspect the firmware! To go to the main folder, do:

cd /mnt/opt/rockrobo

So what can we see?

You can preview the full rockrobo/ file tree on this GitHub gist (26 directories, 738 files).

From cloc:

--------------------------------------------------------------------------------
Language                      files          blank        comment           code
--------------------------------------------------------------------------------
Bourne Shell                     11            154             38           1044
Perl                              1             19              2            110
Bourne Again Shell                1              1              0             21
--------------------------------------------------------------------------------
SUM:                             13            174             40           1175
--------------------------------------------------------------------------------

That’s a lot of bash scripts! It also turns out that they perform critical operations, but I’ll keep that and other fun facts for a future post.