Hacking a Neato Robotics BotVac Connected

hek

This won't be solved until I see a proper curl call ;)

Brutus

I have installed the Packet Capture app. But this isn't working I think.

When starting the capture, the app makes a VPN connection. This VPN is blocking some traffic for the Neato App because my bot doesn't come only in the app. When I shut the VPN connection the bot comes online after 3 seconds.

Going back to the capture I think we miss some vital information because of this block.

This is what I got so far form the app:

<--- (TEXT)
GET /sessions/check HTTP/1.1
Authorization: Token token=xxxxxxxxxxxxxxx
Accept: application/vnd.neato.beehive.v1+json
Content-type: application/json
X-Agent: android-22|SM-G928F|samsung|1.0.0|134
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; SM-G928F Build/LMY47X)
Host: beehive.neatocloud.com
Connection: Keep-Alive
Accept-Encoding: gzip

---> (TEXT)
HTTP/1.1 200 OK
Server: Cowboy
Date: Wed, 30 Dec 2015 00:32:03 GMT
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json; charset=utf-8
Etag: W/"a3cdd45ce712890397436cafca38e79a"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx
X-Runtime: 0.022752
Strict-Transport-Security: max-age=31536000
Content-Length: 39
Via: 1.1 vegur

---> (JSON)
{"current_time":"2015-12-30T00:32:04Z"}

<--- (TEXT)
GET /dashboard HTTP/1.1
Authorization: Token token=xxxxxxxxxxxxxxxxxxxxxxxx
Accept: application/vnd.neato.beehive.v1+json
Content-type: application/json
X-Agent: android-22|SM-G928F|samsung|1.0.0|134
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; SM-G928F Build/LMY47X)
Host: beehive.neatocloud.com
Connection: Keep-Alive
Accept-Encoding: gzip

---> (TEXT)
HTTP/1.1 200 OK
Server: Cowboy
Date: Wed, 30 Dec 2015 00:32:03 GMT
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json; charset=utf-8
Etag: W/"c390b2a69fb7b4a405c8637e86ff321a"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxx
X-Runtime: 0.014884
Strict-Transport-Security: max-age=31536000
Content-Length: 1337
Via: 1.1 vegur

---> (JSON)
{
"email":"xxxxx@xxxxx.nl",
"first_name":"xxxx",
"last_name":"xxxxxx",
"locale":"nl",
"newsletter":false,
"created_at":"2014-06-23T16:39:45Z",
"verified_at":"2015-05-25T13:19:08Z",
"robots": [
{
"serial":"xxxxxxxxxx",
"prefix":"SN",
"name":"xxxxxx",
"model":"BotVacConnected",
"secret_key":"xxxxxxxxxxxxxxxxxxxxx",
"purchased_at":"2015-12-22T00:00:00Z",
"proof_of_purchase_url":"https://neatorobotics.s3.amazonaws.com/proof_of_purchases/xxxxxxxxxx/ProofOfPurchase.jpg",
"proof_of_purchase_generated_at":"2015-12-23T18:31:21Z",
"mac_address":"xxxxxxxxx",
"firmware":"2.0.0",
"created_at":"2015-11-11T20:10:38Z",
"linked_at":"2015-12-23T17:23:55Z"
}
],
"recent_firmwares":{}

}

xxxxxxxxx = personal data

Yveaux

Have a look here guys. This discussion seems and attempt to control the same vacuum cleaner.

hek

Hmm.. my german isn't great.. Have they found out something useful?

Brutus

I can read it a little bit but I think there isn't any usable information in that topic. Its more a overall discussion on the Botvac.

Yveaux

@hek said:

Have they found out something useful?

Not sure ;-)

Daniel Eriksson

I have gotten stuck now on my venture -

Trying to figure out how the Authorization is calculated when it comes to the communication with the Neato. Found a place in the Java-code which mentions the Authorization part but can not figure out where it comes from

com/neatorobotics/android/activities/robot/C0645j.java:~142

private void m5619R() {
    if (!NeatoApplication.f2866a) {
        m5646a();
        try {
            URI uri = new URI("ws://" + this.f3263d + ":" + this.f3264e + "/drive");
            String b = C0764a.m5847b();
            String str = this.f3262c.toLowerCase() + "\n" + b + "\n";
            Mac instance = Mac.getInstance("HmacSha256");
            instance.init(new SecretKeySpec(this.f3265f.getBytes(), "HmacSha256"));
            str = C0770g.m5880a(instance.doFinal(str.getBytes("UTF-8"))).toLowerCase();
            Map hashMap = new HashMap();
            hashMap.put("Date", b);
            hashMap.put("Authorization", "NEATOAPP " + str);
            this.al = new C0655t(this, uri, new C0017f(), hashMap, 5000);
            this.al.m41a();
            new Thread(new C0661z(this)).start();
        } catch (Exception e) {
            C0767d.m5867a("ManualCleaningFragment", "Exception", e);
        }
    }

I have also found what String b is
com/neatorobotics/android/utils/C0764a.java:89: public static String m5847b() {

public static String m5847b() {
    Calendar instance = Calendar.getInstance();
    instance.add(12, (int) (((C0742a.m5809b(NeatoApplication.m5360a(), "SERVER_DEVICE_TIME_DELTA_MILLIS", 0) * -1) / 1000) / 60));
    SimpleDateFormat simpleDateFormat = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
    simpleDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
    return simpleDateFormat.format(instance.getTime());
}

So what we need to figure out is the following variables:
this.f3262c.toLowerCase()
this.f3265f.getBytes() < I am pretty sure this is secret_key

when we crack these - we get closer to communicating with the central server

Brutus

Maybe I can help because I figured something out. I can get my computer in between the App and the Neato Botvac.

I have a Asus motherboard with a Wifi adapter. With the software "Wifi Engine" from Asus I can make a Access point in my computer.

So what I have done is disabled my home Wifi Netwerk and configured the Wifi of my computer the same as the home network. Both my phone and the Neato Bot connect to the Wifi point with my computer in between now.

I have installed Wireshark so I could capture some date between the app and the Neato.
Unfortunately I can't make anything out of the data. It's not like the "Packet Capture" app I installed on my phone you can see in my earlier post.

Someone any idea what I could do to help us out?

Daniel Eriksson

Already sniffed the Web Socket traffic - was the first thing I did. No sensible easy output - needs more analysing and so. Need to start on the end with reversing the control-part of the app to see what it does.

enlo

This is the code I found in the app. there is also a selfsigned certificate, which probably matches the robot.
So the reason why you can't make out anything useful in the traffic: It's SSL encrypted.

            HttpsURLConnection httpsURLConnection3 = (HttpsURLConnection) new URL(str2).openConnection();
            try {
                if ("neatoProduction".contains("vorwerk")) {
                    httpsURLConnection3.setSSLSocketFactory(C0751h.m5821a(0));
                }
                httpsURLConnection3.setConnectTimeout(60000);
                httpsURLConnection3.setReadTimeout(60000);
                if (str.equals("GET") || str.equals("DELETE")) {
                    httpsURLConnection3.setDoOutput(false);
                } else {
                    httpsURLConnection3.setDoOutput(true);
                }
                httpsURLConnection3.setRequestMethod(str);
                String a = C0742a.m5803a(NeatoApplication.m5360a(), "ACCESS_TOKEN");
                if (a != null) {
                    httpsURLConnection3.setRequestProperty("Authorization", "Token token=" + a);
                }
                httpsURLConnection3.setRequestProperty("Accept", "application/vnd.neato.beehive.v1+json");
                httpsURLConnection3.setRequestProperty("Content-type", "application/json");
                httpsURLConnection3.setRequestProperty("X-Agent", C0765b.m5864f());```

Daniel Eriksson

@enlo That there isn't the problem - if you read my above post the problem is generating the HMAC correctly. I have already proxied the traffic from the app - since they don't used pinned certifications

kangguru

There's good news guys. I finally figured out how the HMAC signature is calculated and now i'm able to control the neato without the mobile application, which offers all kinds of new integration options.

What can be found in com/neatorobotics/android/activities/robot/C0645j.java is just half of the truth and i was looking at this part for way to long, i'm not sure where this part is used. maybe this would be the part where one can communicate with the neato without making use of the cloudservice. who knows ;)

The actual fun starts in com/neatorobotics/android/p040c/p042b/C0898b.java the code reveals that there are 3 ingredients making up the HMAC signature

• the robot's serial number
• the current date (as also found in the Date header)
• the http body

Together with the robot's secret key we're now able to properly sign the requests.

I've packaged this in a small ruby library https://github.com/kangguru/botvac which is
quite basic and just covers just a little more than i needed for my usecase
but i'm happy to extend this over time.

Especially the part to obtain the secret key for the robot just be done via
trafic capturing, which is not the most convinent thing i can think of :)

I hope this already helps some people to build new things around their robot. I've mixed the
stuff with ifttt.com and now can plan the cleaning schedule via a google calendar, which
makes it really convinent to skip single days in a given schedule, which ist kinda painful to
solve with the mobile app.

happy hacking

Brutus

Thats good news Kangguru. Nice job.

So maybe a noob question but How can I use this in my domotica program Domoticz running on Windows.
I can use LUA, Curl, Batch as far is a know.

Thnx for helping.

Ubiquitous

@kangguru

I also figured it out some time ago. You get the robot secret key and serial number when you log in to beehive.neatocloud.com and request https://beehive.neatocloud.com/dashboard
I've written a powershell module where I exposed the entire api (as implemented in the android and iphone app), complete with login. I've yet to upload it to github but I can send it to you if you're unsure about the beehive part.

Ubiquitous

As for replacing the cloud server, I don't think it's possible without rooting the robot. The first thing it does when it's connected to the internet is to start an HTTPS Comet session (long polling). The robot will kill the connection immediately if you try to MiTM it with a selfsigned certificate and there is no way to install new certificates on the robot. If anyone has opened the robot I'd be interested in pictures of the motherboard, especially of any pads labeled JTAG.

Brutus

@Ubiquitous

Also nice job! Hope to see a link soon to github so we can experiment with this to.

Thanks for the work.

kangguru

@Ubiquitous yea, i just was too lazy about the login stuff :) but i added the stuff over the weekend, to make it more "end"-user friendly.

d96mbe

@kangguru I have not done any ruby before and I'm stuck trying to use the gem. I think I've managed to install Ruby, devkit and Git (and added git.exe to path which is needed to be able to 'bundle install'). I don't see any errors, but I am unable to find any binary named botvac to run. I've run "gem env" and none of the variables seems strange.

Any suggestions? I'm on Windows 10 btw.

BR / M

korttoma

FYI, a friend of mine has created a PHP library for the Neato cloud service -> https://github.com/tomrosenback/botvac

It is based on the work @kangguru has done.

d96mbe

@korttoma Works like a charm. Used PHP CLI on Windows 10. You have to enable extensions; php_curl and php_openssl in php.ini.