Hacking a Neato Robotics BotVac Connected

  • Admin

    Ok, finally got myself a robot vacuum cleaner. The choice fell on the new "connected" Neato cleaner so I could have it integrated into my Home Automation system (I thought). You know the drill.. Send the cleaner out when we're not home (Armed Away)... Adjust security settings of the alarm systems when it's out cleaning (disable motion detectors) and turn them back on when finished.

    Well, it wasn't as simple as I first imagined. Sent an email to the customer support asking about the API specification for the cleaner.

    Hi, I just bought the new "connected" model and would like to integrate it into my home automation system.

    The plan is to write a script to control the vacuum cleaner when we're not at home (disabling motion detectors in our alarm system when the cleaner is running).

    But I need some API specification to do this. Could you please send me what you have.. No need to be anything fancy (some developer notes is enough) .. Just need to be able to turn the cleaner on/off over IP/Ethernet or alternatively query the vacuum cleaner to see if it is running.

    I will of course publish my control script open source and our community members will most surely appreciate this boost your sales.

    Thanks in advance

    I was a bit surprised about the answer I got

    Hello Henrik,
    Thank you for contacting Neato Customer Care. My name is Hail and I will be assisting you today.

    I understand you are looking for Neato's API Specs for your Home Automation Integration System. At this time we do not have them available.

    You can watch for new Neatos, accessories, and news in regards to Neatos on our website: neatorobotics.com.

    Oh well I thought... Maybe I just got a standard first level support reply... Sent another email...

    Hi Hail,

    I'm sorry but this is not an acceptable answer. So you seriously mean I should manually control it via some app? Totally worthless feature.

    The app already uses an api to interact with the cleaner (via your servers). You just need to send me this information. Please forward my request to the app developer team. Shouldn't take them more than a couple of minutes to give me the http-calls involved to send command and poll information from the cleaner.

    What is the purpose of a "connected" vacuum cleaner if I cannot interact with it? I feel you're missing the whole point of providing connected things.

    Just paid a good amount of money for it so I expect you make an effort to resolve this.

    I hope you don't expect me to go through the troubles of wireshark:ing/hacking your protocol. Just a waste of my time and in the end I will not write anything good about the Neato company attitude/openness when I'm done.

    Best regards

    But, no.. they just won't send anything useful.

    Our Neato app was created so you could control the Neato manually either by driving it around while you are in your home or so you could start your Neato while away from home.

    I have sent your request to my corporate team and they have given the same answer: the API specs are not something we are releasing at this time. You are more than welcome to follow any new release Neatos or accessories on our website neatorobotics.com.

    I just don't get it. Don't they realise the potential of an open api?

    Well, so now I had to decompile their darn android app-apk file... Funny thing... They even included their unit-test-rest calls in it.
    com.neatorobotics.android-134_source_from_JADX.zip (stripped some external stuff from it)

    Why don't they just release some documentation?

  • Mod

    Neato? Didn't they make CD labels in the past?

  • Hero Member

    Does this mean that we can look forward to seeing some kind of HA integration?

  • @hek

    I will have a Botvac Connected to test with soon, hope to get it working with Vera.

  • I now have the Botvac connected and want to interact with it in Domoticz.

    Too bad Neato isn't willing to help us out so I downloaded the stripped app file.

    Can maybe someone put me in the right direction to extract some commands in these files.
    There are a lot of files and I don't know which one to use.

    Thank you.

  • Mod

    http://youtu.be/Vua9Z_8aESA is an introduction to Android reverse engineering. It might be useful.

  • Admin


    Sorry haven't had time to do much cleaner-hacking during x-mas here. But I must have stripped a bit too much from the zip above (the initial pack was way too big to upload here)..
    Might be easier if you decompile apk yourself to get the full file list.

    Anyhow a good starting point would be /res/values/strings.xml which contains the service endpoints

    <string name="beehive_endpoint_staging">https://beehive-staging.neatocloud.com</string>
    <string name="cometa_endpoint_playground">https://cometa-playground.neatocloud.com</string>
    <string name="cometa_endpoint_production">https://cometa.neatocloud.com</string>
    <string name="cometa_endpoint_staging">https://cometa-staging.neatocloud.com</string>

    Then you can follow that back in the program where it's used.
    Then search for C0746c and so on...
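
Added example (not part of the original post and not Neato's code): the lookup described above, pulling URL-valued entries out of a decompiled res/values/strings.xml and listing which source files reference each one. The `app_name` entry, the `SOURCES` paths and contents, and the assumption that the decompiler kept symbolic `R.string.<name>` references are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The four entries quoted in the post, wrapped in the <resources> root that a
# decompiled res/values/strings.xml has. "app_name" is a constructed
# non-endpoint entry, included to show the filtering.
STRINGS_XML = """<resources>
    <string name="app_name">Example</string>
    <string name="beehive_endpoint_staging">https://beehive-staging.neatocloud.com</string>
    <string name="cometa_endpoint_playground">https://cometa-playground.neatocloud.com</string>
    <string name="cometa_endpoint_production">https://cometa.neatocloud.com</string>
    <string name="cometa_endpoint_staging">https://cometa-staging.neatocloud.com</string>
</resources>
"""

# Constructed stand-in for the decompiled tree: {relative path: file text}.
SOURCES = {
    "com/example/ApiClient.java":
        "String base = ctx.getString(R.string.cometa_endpoint_production);\n",
    "com/example/Other.java": "int x = 1;\n",
}


def extract_endpoints(xml_text):
    """Return {resource name: URL} for every <string> holding an http(s) URL."""
    found = {}
    for node in ET.fromstring(xml_text).iter("string"):
        value = (node.text or "").strip()
        if re.match(r"https?://", value):
            found[node.get("name")] = value
    return found


def find_references(endpoints, sources):
    """Map each resource name to the files that mention R.string.<name>."""
    refs = {}
    for name in endpoints:
        pattern = re.compile(r"\bR\.string\." + re.escape(name) + r"\b")
        refs[name] = sorted(p for p, text in sources.items() if pattern.search(text))
    return refs


if __name__ == "__main__":
    endpoints = extract_endpoints(STRINGS_XML)
    for name, files in find_references(endpoints, SOURCES).items():
        print(f"{name:28} {endpoints[name]:42} {files}")
```

To run it against a real decompile, read strings.xml from disk and build `SOURCES` by walking the source directory.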

  • Thank you for your help.
    I have downloaded the "APK Downloader" add-on for Firefox (https://addons.mozilla.org/nl/firefox/addon/apk-downloader/) and followed the instructions.
    After downloading the APK I decompiled it at the given website. I now have almost 3000 files 😉

    Will look in the files later. Hope I can find something useful. It's the first time for me.

    I was wondering did you already find something useful to use?

    Have a nice day to you all.

  • Hardware Contributor

    @hek I was looking at the Neato as well - except it was hard to HA integrate, are you happy with the robot?

  • Admin

    There is nothing wrong with its cleaning abilities. Impressed by their room scanning algorithm.

  • Hardware Contributor

    @hek I'm surprised you didn't research for maximum open source/HA support in first time. Suppose it's too late to change it now? Even if it's easy to hack this one, I think it's a good general principle - to a certain price of course.

  • Admin

    Yeah, yeah.. usually good at doing research.. But this one was a black friday find... Didn't have time to do my homework.. 😕 Have to pay for that now ....

  • Hardware Contributor

    @hek ... but you'll also have more fun. 😉

  • @hek

    I am now looking at the files you provided. I can't get some logic out of it.

    You gave some service endpoints and then you pointed to the java file. I don't see the link between these two.

    Sorry for my noob questions, I'm not a programmer.

    I am only looking for a way to implement the Neato in my Domoticz home automation. But Google gives very little help. Only decent hit was this link.


  • @Kalle ... I think this isn't for the Neato Botvac Connected. It has a USB port, but we want to control it through the wifi connection it has.

  • Mod

    I agree that the wifi api seems more natural, but connecting an Arduino to the usb port might prove easier since documentation of the usb api is available.

  • Admin

    It seems (from a quick glance) that you need a USB host device, connected to that USB port.. So that would leave a standard arduino out of the question.

    Perhaps a Raspberry, or another higher end platform running an OS, could be used..

  • Mod

    @kalle Chances are that the commands & format are identical for the newer wifi model -- companies tend not to reinvent the wheel for each product 😉
    You'd only have to find out how these commands are transferred to the BotVac.

  • What I have come up with so far is that the Neato itself is running a websocket server on port 8081 - and uses some kind of standard Auth-behavior in the headers,

    Hypertext Transfer Protocol
    GET /drive HTTP/1.1\r\n
    Host: xxx.xxx.xxx.xxx:8081\r\n
    Sec-WebSocket-Key: XXXXXXX==\r\n
    Sec-WebSocket-Version: 13\r\n
    Upgrade: websocket\r\n
    Origin: ws://xxx.xxx.xxx.xxx:8081/drive\r\n
    Date: Tue, 29 Dec 2015 09:17:57 GMT\r\n
    Connection: Upgrade\r\n
    [Full request URI: http://xxx.xxx.xxx.xxx:8081/drive]
    [HTTP request 1/1]

    There is also a port 8080 open but I cannot figure out what's running on that one.

    The communication between the Neato and the central server is handled via a server on Amazon - this traffic is HTTPS though. Next step is to set up a SSLSplit and hope that they don't have a pinned cert.