Meross IoT Part I: Recon

The first part of my journey into the ecosystem of Meross IoT devices and some more hardware hacking.

So at the end of 2024 I was lucky enough to get my hands on a Meross smartplug (MSS210) and was curious about its internals. As the company is based in China, I was interested in understanding which data is transmitted upon registration and whether any backdoors were built into the software.

This journey has led me down an awesome path. So brace yourself for some reverse engineering and hardware hacking action.

First Steps: Initial Recon

Before diving into the technical specifics, it’s essential to identify potential entry points for investigation. In this case, there are three key areas:

  • frontend: end-user application (mobile app)
  • backend: Meross cloud
  • appliance: IoT device (smartplug)

I won't explain too much about the architecture here, but @albertogeniola's protocol introspection is a good starting point. In a few words: each appliance is bound to a user account with a shared key generated by the backend. All commands transmitted from the frontend are sent over an MQTT broker using the Meross cloud backend, and messages are not end-to-end encrypted, only signed with the shared key (more on this in a bit).

Given there are a lot of places to look and there is already a ton of research on the protocol, like

My initial steps of gathering more insight on the protocol being used and the pairing process included an analysis of the mobile application (frontend).

Here you can find out more: Part II: Mobile App

Next, with a basic understanding of the protocol, I continued to experiment with the device itself and repeat the binding process multiple times.

Part three is here: Part III: Smartplug

Additionally, I’ve investigated the firmware after extracting it from the device. Since I bricked the device while doing so, the journey took an unexpected turn.

How to brick your device: Part III: Serial Console and Part IV: Firmware

I’m still working on restoring a functional device - future parts will focus on resolving the issue.

How to un-brick your device: Part V: AmebaZ2

Findings

[redacted - this content will be revealed soon enough]
This post is licensed under CC BY 4.0 by the author.