05 April 2020

Analysis of Xiaomi YI camera connections

I have Xiaomi YI (YHS-113) camera at home and once I was wondering what servers does it connects to and what information it transmits. I had caught camera traffic on my router while it was booting and working.

Analysis revealed the following:
  1. Camera tried to connect to more than 20 servers.
  2. A part of connection is TCP, and other part is UDP.
  3. Not all connections were established (a part of servers didn't answer).
  4. Most of servers are in China, but several servers are in Amazon Cloud.
  5. Camera transfers to the "log.xiaoyi.com" server information about settings and WiFi name & ssid (see below).
  6. Camera checks is your router is Xiaomi Router or not.
  7. Connection to the "api.xiaoyi.com" server is secured by HTTPS with TLS 1.2.
List of supported ciphers:
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

For clarity prepared scheme.
Dashed line is not established session.


Example of GET request to "log.xiaoyi.com":
/info.gif?p=home_v1&sysVersion=1.8.7.0C_201705091058&mac=00:11:22:33:44:55&key=1&didm=1&sn=1&tfstat=10000&hdSize=5832928&hdLeftSize=320160&silentmode=0&lightmode=1&isdaymode=0&packetloss=0&out_packetloss=100&is_video_viewing=0&p2pconnect=0&p2pconnect_success=0&ssid=ROUTERNAME&bssid=11:22:33:44:55:66&ptz_horizontal_flip=0&workmod=0&doreset=0&xiaomirouter=0&bind_success=0&start_with_reset=0&miio_send=11&miio_recv=0&motion=0&p2ptype=0&alarm_enable=0&record_num=0&systick=112&video=0&pic=0&gen_url_fail=0&gen_url=0&ban_dev=0&cgi_check_mirouter_ok_cnt=0&nslookup_check_mirouter_ok_cnt=0&tnp_init_status=1&tnp_p2p_mode_cnt=0&tnp_relay_mode_cnt=0&tnp_check_login_success_cnt=0&tnp_check_login_fail_cnt=0&tnp_connect_success_cnt=0&tnp_immediate_bitrate=0&uid=12345678901234567890 HTTP/1.1
Host: log.xiaoyi.com
Accept: */*

No comments:

Post a Comment