💡

Xiaomi light bulb

Hardware analysis

The bulb's electronics are split across two boards. The first is a circular PCB that carries the LEDs (16 white and 6 RGB). The second hides under a thick layer of what appears to be thermal interface material covering the whole board, from the voltage converter to the SoC of the bulb, an Espressif ESP8266EX. Nothing too fancy so far, and at first I just wanted to reuse it for some testing and other projects.

ESP8266EX datasheet: https://www.espressif.com/sites/default/files/documentation/0a-esp8266ex_datasheet_en.pdf

Then I noticed that there was also a GigaDevice GD25Q16E next to it. This is not an EEPROM but a 16 Mbit (2 MB) SPI NOR flash, and since the ESP8266EX has no on-chip program flash, this external chip holds the whole firmware together with whatever configuration the bulb has written to it at runtime.

GD25Q16E datasheet: https://www.mouser.fr/datasheet/2/870/gd25q16e_rev1_2_20211202-1825495.pdf

And I wanted to take a closer look at what it could hold before recycling it for other purposes.

Images of the PCBs

  • LED ring
  • Main PCB, rear
  • Main PCB, front
  • SoC, front
  • SoC, back

Firmware Extraction

For the firmware extraction I used a CH341A programmer, the proper adapter for the flash package, and IMSProg.

Once the right chip (the GD25Q16E) was selected, I simply dumped it and saved the binary file. It is worth reading the chip twice and comparing the two dumps (or their hashes): a poor contact produces silently corrupted reads that only show up later as nonsense during analysis.

Firmware analysis

For the firmware analysis nothing too fancy was needed: I just fired up ImHex and loaded the dump.
Since the data does not look obfuscated or encrypted (an encrypted image would read as uniformly random bytes with no recognisable strings), I simply searched for keywords like
SSID, password or wifi.

ImHex, a hex editor for reverse engineers, programmers and people who value their retinas when working at 3 AM: https://github.com/WerWolv/ImHex

And sure enough, ImHex returned some interesting information 😈
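As an added example (my own script, not the author's workflow, which was done interactively in ImHex), the same keyword search can be automated over a dump, together with two checks worth running before searching at all: whether the image starts with the 0xE9 magic byte that ESP8266 flash images begin with, and a per-block Shannon entropy map, since an encrypted or compressed region reads as close to 8 bits per byte while plaintext firmware and padding score far lower. The dump below is constructed inline to exercise the code and is not the bulb's real image; the keyword list, the 256-byte block size and the 7.5-bit threshold are my choices, not values from the post.

```python
import math
import re
import sys
from collections import Counter

# Constructed stand-in for a flash dump (NOT the bulb's real image): an ESP8266-style
# header (0xE9 magic, remaining header bytes chosen arbitrarily), padding, a few
# config-like strings, and 1 KiB of uniformly distributed bytes to give the
# entropy map something to flag.
SAMPLE_DUMP = (
    b"\xe9\x03\x00\x40\x10\x00\x00\x40"
    + b"\x00" * 120
    + b"ssid=HomeNetwork\x00"
    + b"password=hunter2\x00"
    + b"wifi_mode=sta\x00"
    + b"\xff" * 100
    + bytes(range(256)) * 4
    + b"bulb_v1\x00"
)

# Assumed keyword list; extend it with whatever the target's config format uses.
KEYWORDS = ("ssid", "password", "passwd", "psk", "wifi")


def extract_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for every run of printable ASCII at least min_len long."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def find_credentials(data: bytes, keywords=KEYWORDS):
    """Case-insensitive keyword filter over the extracted strings."""
    return [(off, s) for off, s in extract_strings(data)
            if any(k in s.lower() for k in keywords)]


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def entropy_map(data: bytes, block_size: int = 256):
    """(offset, entropy) for each block_size-byte window of the dump."""
    return [(i, shannon_entropy(data[i:i + block_size]))
            for i in range(0, len(data), block_size)]


def looks_like_esp8266_image(data: bytes) -> bool:
    """ESP8266 flash images start with the 0xE9 magic byte."""
    return len(data) >= 8 and data[0] == 0xE9


def analyse(data: bytes, threshold: float = 7.5):
    """Header check, credential-looking strings, and offsets of high-entropy blocks."""
    return {
        "esp8266_header": looks_like_esp8266_image(data),
        "credentials": find_credentials(data),
        "high_entropy_blocks": [off for off, e in entropy_map(data) if e > threshold],
    }


if __name__ == "__main__":
    # Usage: python dump_check.py <dump.bin>; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    report = analyse(data)
    print("ESP8266 header magic:", report["esp8266_header"])
    print("high-entropy 256-byte blocks at:", [hex(o) for o in report["high_entropy_blocks"]])
    for off, s in report["credentials"]:
        print(f"{off:#08x}  {s}")
```

Run it against the real dump with `python dump_check.py dump.bin`. If the high-entropy list covers the whole image, the content is encrypted or compressed and a plain string search is pointless; isolated high-entropy blocks in an otherwise readable image usually mark compressed resources or key material worth a closer look.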

Conclusion

IoT is all fun until it's not anymore.
We are starting to understand the risks these devices pose once they are on the network, yet we don't pay enough attention to their disposal, even more so when they seem as banal as light bulbs.

However, even when these devices break, they still hold sensitive information (such as the Wi-Fi credentials they needed to join the network) and should be discarded accordingly.

Even if a bit extreme, destroying such devices, or removing the storage chips before discarding them, seems the best option at this time. A factory reset is a cheaper first step, but whether it actually erases the flash sectors holding the credentials depends on the firmware, so it should not be relied on without checking, for example by dumping the flash again afterwards.

Destroying. Physical destruction of a device is the ultimate way to prevent others from retrieving your information. Specialized services are available that will disintegrate, burn, melt, or pulverize your computer drive and other devices. These sanitization methods are designed to completely destroy the media and are typically carried out at an outsourced metal destruction or licensed incineration facility. If you choose not to use a service, you can destroy your hard drive by driving nails or drilling holes into the device yourself. The remaining physical pieces of the drive must be small enough (at least 1/125 inches) that your information cannot be reconstructed from them. There are also hardware devices available that erase CDs and DVDs by destroying their surface.
  • Magnetic media degaussers. Degaussers expose devices to strong magnetic fields that remove the data that is magnetically stored on traditional magnetic media.
  • Solid-state destruction. The destruction of all data storage chip memory by crushing, shredding, or disintegration is called solid-state destruction. Solid-State Drives should be destroyed with devices that are specifically engineered for this purpose.
  • CD and DVD destruction. Many office and home paper shredders can shred CDs and DVDs (be sure to check that the shredder you are using can shred CDs and DVDs before attempting this method).
Quoted from: Proper Disposal of Electronic Devices | CISA, https://www.cisa.gov/news-events/news/proper-disposal-electronic-devices