Yeelight Smart AI Speaker: Responsible disclosure

Hello Hackers, if you are following me on twitter, you must know that since a few months, I have been posting about this personal project I am working on, which is the Smart AI Speaker from Yeelight.

Now, let’s talk a bit about the device itself. I got this from Aliexpress. It looks exactly like Amazon Alexa, but the primary in interface is Chinese, which couldn’t be changed. I had to use Google Translator for most of the interactions. Quite honestly, this was really a bottleneck for testing it effectively. Similar to any other Yeelight product, this works under Xiaomi ecosystem.

Let’s talk about the vulnerability that we reported.

Affected Version: 3.3.10_0074

Vulnerability Name: Root access from the hardware debug port

Vulnerability details: It was identified by analyzing the Mainboard, UART (hardware serial port), that gives access to the debug interface of the device, was open and it provided direct root access to the main OpenWRT running in the device. It poses a risk of using any 3rd party tools inside it, which might compromise privacy and security of the user.

Vulnerability Name: Critical Information disclosure in UART

Vulnerability details: By running the miio_client in the root console, I was able to view all the log and debug information. It was leaking sensitive information such as my WiFi Password, Firmware update link, and other control strings for internal use.

These are simple and yet powerful vulnerabilities in IoT devices. Vendors most of the time fail to disable the hardware debug port, which leads the attacker gain valuable information about the device and the user.

In my case, it gave root shell directly.

Now, by monitoring what is happening in the process, I can get information about the services running.

In this one, miio_client seems quite interesting. Let’s kill it and run it again to see the debug view.

Here, all the request to the device/cloud is logged and mqtt is used for communication between different processes.

By restarting the mosquitto server, we get this log

You can send the same command using the mosquitto_sub

mosquitto_pub -h localhost -t ‘miio/command’ -m ‘{“method”:”get_prop”,”params”: [“speaker_volume”,”speaker_rate”,”speaker_mute”,”microphone_mute”,”bright”,”ai_p

You can also sniff it to download the firmware update.

You can force it to update by using mosquitto_pub again

sh -c ‘mosquitto_pub -h localhost -t ‘miio/command’ -m ‘{“method”:”miIO.ota”,”params”:{“app_url”:”″,”file_md5″:”ea45e4b8eaa642cdb3ce26b03ee72dc0″,”signed_file”:true,”original_length”:52480016,”install”:”1″,”proc”:”dnld install”,”mode”:”normal”},”id”:364537,”from”:”1″}’

I tried to change the binary and upload from my local server.

mosquitto_pub -h localhost -t ‘miio/command’ -m ‘{“method”:”miIO.ota”,”params”:{“app_url”:””,”file_md5″:”ea45e4b8eaa642cdb3ce26b03ee72dc0″,”signed_file”:true,”original_length”:52480016,”install”:”1″,”proc”:”dnld install”,”mode”:”normal”},”id”:364537,”from”:”1″}’

It has signature check and upload failed.

You can also use arecord to pipe the audio to your machine. This is a fun hack.

Now a bit on the hardware. It runs on the Amlogic A112 processor. It is a specific SoC made for AI speakers and there is no technical documentation available on the Internet and no opensource code for it.

JTAG scan was performed using JTAGulator and JTAG pins are not found

I tried to remove all the components and see if i can reverse the schematics.

It turned out to be a 4 layer PCB, and when i tried to etch the top layer, it over-etched and damaged all the internal layer via “via”.

Reported the vulnerability: Nov 27, 2018

Follow-up Email: Dec 4, 2018

Second Follow-up Email: Dec 11, 2018

Third follow-up email with Xiaomi security team in CC: Dec 13, 2018

Acknowledgement from Xiaomi: Dec 14, 2018

Patched and requested to disclose after 90 days: Jan 15, 2019

With the below response.

I bought a new speaker since I have bricked it and applied the firmware update and the UART console is locked.

Public Disclosure: May 7, 2019

CVE ID: CVE-2018-20007

More details can be seen in this github repo

Leave a Reply

Your email address will not be published. Required fields are marked *

one × five =