Reversing Xiaomis Mi Router 3 - Part 1 - Teardown

Preface

I felt the urge to come back to where I started before I did some research on exploitation and especially the basic mitigations on GNU/Linux.
So here it is, my attempt to dig deeper into a router I somehow deemed as interesting enough to buy and crack open to see whats inside.
When I unboxed this thing I was surprised how small this one is, and even more how small the board inside of the casing really is!
But more about that later on. This first part will basically describe the teardown of the device and the hunt for debug ports on the hardware and how to spot the usual suspects.

assembled

I’m sorry for the potato quality. I still need to buy a decent camera to be able to better document my future digging into things.
If you have a recommendation which is affordable on a student budget hit me up please!

Teardown

Frontside

Cracking open the case was really straightforward by just removing one screw under the label on the back and then gently trying to remove the top half from the bottom half of the casing.
These two were just snapped together and its quickly opened with the help of a flat screwdriver or anything similar.
Afterwards this little guy shows up:

top_disass

One can directly see the 4 cables connecting the antennas.
Besides that we got one big chip on the left side from MEDIATEK and one interesting looking one on the right from NANYA.
I did not remove the heatsink yet, but I suspect the main CPU of the router to be below there.
According to XIAOMI the CPU should be a MediaTek MT7620!

MediaTek MT7620 (CPU)

medi

According to the official datasheet :

"The MT7620router-on-a-chip includes an 802.11n MAC and baseband, a 2.4GHz radio and FEM, a 580MHz MIPS® 24K™ CPU core,
a 5-port 10/100 switch and twoRGMII. The MT7620includes everything needed to build an AP router from a single chip.
The embedded highperformance CPU can process advanced applications effortlessly, such as routing, security and VoIP.
The MT7620also includes a selection ofinterfaces to support a variety  of applications, such as a USB port for accessing external storage."

Takeaways from the datasheet:

  • MIPS architecture
  • CPU supports I2C, I2S, SPI, PCM, UART, JTAG, MDC, MDIO, GPIO!
  • AP Firmware: Linux 2.6 SDK, eCOS with IPv6

Besides that there’s only a lot of clock timings, pin layouts and other technical specs.

MediaTek MT7612EN

The other big MediaTek chip on the front is labled MediaTek MT7612EN. After some short research I found the right MediaTek site, which states that this is not another CPU, but the ‘high performance 802.11ac Wi-Fi solution’.
So that chip handles everything related to the wireless connection and with that is not that interesting to us (for now), if we want to dig into the firmware for now.

NANYA NT5TU64M16HG-AC

This chip already was surrounded by a white ‘box’ and labeled RAM1 so it was pretty clear what this chip does.
Nevertheless it’s interesting that it seems impossible to directly connect to the RAM without desoldering the thing, since there are no obvious pins to the outside. The chip is designed with ‘balls’ at the bottom that are directly connected to the board below and with that hidden to the mean hardware hacker :(.

nanya

Once again the manufacuturer does provide a full datasheet.

  • Commercial,Industrial and Automotive DDR2 1Gb SDRAM
  • VDD/VDDQ = 1.70 to 1.90 Volt
  • Data Rate(Mbps) 800 with a 5-5-5 CL

What I personally like to see within a datasheet is how the chip specifier NT5TU64M16HG-AC was created and NANYA is so nice to exactly provide that information to us!

	                +--+ +--+ +-+ +-----+ +-+ +-+     +--+ +-+
	                |NT| |5T| |U| |64M16| |H| |G|  -  |AC| |L|
	                ++-+ +-++ +++ +--+--+ +++ +++     ++-+ +++
	                 |     |   |     |     |   |       |    |
       NANYA TECH. <-----+     |   |     |     |   |       |    +------> Special Type Option
	                       |   |     |     |   |       |             (NA = Commercial Grade,
    Product Family <-----------+   |     |     |   |       |              I = Industrial Grade,
    (5T = DDR2 SDRAM)              |     |     |   |       |              H = Automotie Grade 2,
	                           |     |     |   |       |              A = Automotive Grade 3,
	                           |     |     |   |       |              L = Low IDD6)
Interface & Power <----------------+     |     |   |       |
(U = SSTL_18 [1.8V])                     |     |   |       +------------> Speed
	                                 |     |   |                      (AC = DDR2-800  5-5-5,
	                                 |     |   |                       BE = DDR2-1066  7-7-7)
     Organization <----------------------+     |   |
     (64M 16 = 128M 8 = 1Gb)                   |   +---------------------> Package Code
	                                       |                           (E = 60-Ball TFBGA,
	                                       |                            G = 84-Ball TFBGA,
   Device Version <----------------------------+                            Z = 84 Ball VFBGA)
   (H = v8)

With that in mind future NANYA RAM chips will be easy to categorize.

Backside

The back side really does not have anything to offer expect one chip from Toshiba and some board branding on the bottom right.

back

Toshiba TC58BVG0S3HTA00

tosh

Luckily Toshiba itself is so nice to provide a full datasheet to this chip too!
So what is it about?

"The TC58BVG0S3HTA00 is a single 3.3V 1 Gbit (1,107,296,256 bits) NAND Electrically Erasable and
Programmable Read-Only Memory (NAND E 2 PROM) organized as (2048 + 64) bytes × 64 pages × 1024blocks.
The device has a 2112-byte static register which allows program and read data to be transferred between the
register and the memory cell array in 2112-bytes increments. The Erase operation is implemented in a single block
unit (128 Kbytes + 4 Kbytes: 2112 bytes × 64 pages)."

The most interesting part here is “NAND Electrically Erasable and Programmable Read-Only Memory (NAND E 2 PROM)”.
We potentially would like to access this chip later on and read out its contents if we manage to do that and see what we can get out of here!

"The TC58BVG0S3HTA00 is a serial-type memory device which utilizes the I/O pins for both address and data input/output
as well as for command inputs. The Erase and Program operations are automatically executed making the device most 
suitable for applications such as solid-state file storage, voice recording, image file memory for still cameras and 
other systems which require high-density non-volatile memory data storage."

tosh2

The datasheet gives full details about the pin assignment, so with a bit of luck we could connect directly to the chip instead of using a serial interface like UART.
This requires the chip/board to support something like the SPI or JTAG protocol.
Most often especially the latter is present, since it is primarly a debugging and control interface to see if all the chips on the board operate in an expected manner.

Debug ports

If you’re already familiar with finding debug ports on hardware, and especially with embedded/IOT devices like routers, you probably spotted one in the top down view on the right side of the board. There is a 4 pin layout.
This often indicates that we have a UART interface!
In this particular case I don’t even need to use a logic analyzer anymore, since the pinout is nicely labled by default!

tosh

Reminder: UART

UART, short for Universal Asynchronous Receiver/Transmitter is an interface for serial communication.
This communication can be either synchronous or asynchronous, depending on what the hardware supports.
A UART device takes a stream of bits of data, converts it to bits of serial data for transmission down a single wire, or bus, and then transmits it.
At the other end of the wire, another UART device receives the serial bits and converts them back into parallel packages of data.
The “Universal” portion of the name refers to the configurability of both the data format and the speeds at which it is transmitted/received.
In our case the other end of the wire, which the router gets connected to would be a device that also talks UART obviously, like a BusPirate, or the FTDI cable.
The pinout consists of 4 pins with the following specs:

TX - Transmit Data
RX - Receive Data
GND - Ground
VCC - (usally) 3.3V 

Conclusion

To be fair there is not much to conclude after this teardown.
The chip manufacturers did provide all the datasheets and finding them was no hassle at all.
This revealed that we’re working with a MIPS architecture CPU.
This can be a lot different for other devices where all the information you get is from some chinese seller on a dubious ‘ebay clone’ and you have no means to verify those chip specfications..
Also finding the debug port was more than obvious this time around.
In the next part I’ll solder the pins to the board and might hook up a logic analyzer to see if my glorious work is doing what I want.
Afterwards we’ll try to dive deeper into the system and finally dump the firmware from the device (hopefully) to be able to analyze the current system independently from the device.
Everything after that will be stated at the end of the next part.

So stay tuned for part 2 (which will happen hopefully soon)!

Comments