Hacking a Neato Robotics BotVac Connected
-
I now have the Botvac connected and want to interact with it in Domoticz.
To bad neato isn't willing to help us out so I downloaded the stripped app file.
Can maybe someone put me in the right direction to extract some commands in these files.
There are a lot of files and I don't know which one to use.Thank you.
-
http://youtu.be/Vua9Z_8aESA is an introduction to Android reverse engineering. It might be useful.
-
Sorry haven't had time to do much cleaner-hacking during x-mas here. But I must have stripped a bit too much from the zip above (the initial pack was way too big to upload here)..
Might be easier if you decompile apk yourself to get the full file list.
http://www.javadecompilers.com/apkAnyhow a good starting point would be /res/values/strings.xml which contains the service endpoints
<string name="beehive_endpoint_staging">https://beehive-staging.neatocloud.com</string> <string name="cometa_endpoint_playground">https://cometa-playground.neatocloud.com</string> <string name="cometa_endpoint_production">https://cometa.neatocloud.com</string> <string name="cometa_endpoint_staging">https://cometa-staging.neatocloud.com</string>
Then you can follow that back in the program where it's used.
/com/neatorobotics/android/p032e/p042j/C0746c.java
Then search for C0746c and so on...
-
Thank you for your help.
I have downloaded the "APK Downloader" add-on for Firefox (https://addons.mozilla.org/nl/firefox/addon/apk-downloader/) and followed the instructions.
After downloading te APK I decompiled it at the given website. I now have almost 3000 filesWill look in the files later. Hope I can find something usefull. Its the first time for me.
I was wondering did you already find something usefull to use?
Have a nice day to you all.
-
@hek I was looking at the Neato as well - except it was hart to HA integrate, are you happy with the robot?
-
There is nothing wrong with its cleaning abilities. Impressed by their room scanning algorithm.
-
@hek I'm surprised you didn't research for maximum open source/HA support in first time. Suppose it's to late to change it now? Even if it's easy to hack this one, I think it's a good general principle - to a certain price of course.
-
Yeah, yeah.. usually good at doing research.. But this one was a black friday find... Didn't have time to do my homework.. Have to pay for that now ....
-
@hek ... but you'll also have more fun.
-
I am now looking at the files you provided. I can't get some logic out of it.
You gave some service endpoints and then you pointed to the java file. I don't see the link between these two.
Sorry for my noob questions i'm not an programmer.
I am only looking for a why to implement the Neato in my domoticz home automation. But google gives very little help. Only desent hit was this link.
Greetings.
-
Maybe this will help:
https://www.neatorobotics.com/resources/programmersmanual_20140305.pdf
https://groups.google.com/forum/#!msg/hbrobotics/zKz_33SD7ys/NSV1gjhiIj4J
-
@Kalle ... I think this isn't for the Neato Botvac Connected. It has a USB port, but we want to control it through the wifi connection it has.
-
I agree that the wifi api seems more natural, but connecting an Arduino to the usb port might prove easier since documentation of the usb api is available.
-
It seems (from a quick glance) that you need a USB host device, connected to that USB port.. So that would leave a standard arduino out of the question.
Perhaps an raspberry, or another higher end platform running an OS, could be used..
-
@kalle Chances are that the commands & format are identical for the newer wifi model -- companies tend not to reinvent the wheel for each product
You'd only have to find out how these commands are transfered to the BotVac.
-
What I have come up with so far is that the Neato it self is running a websocket server on port 8081 - and uses some kind of standard Auth-behavior in the headers,
Hypertext Transfer Protocol
GET /drive HTTP/1.1\r\n
Host: xxx.xxx.xxx.xxx:8081\r\n
Sec-WebSocket-Key: XXXXXXX==\r\n
Sec-WebSocket-Version: 13\r\n
Upgrade: websocket\r\n
Origin: ws://xxx.xxx.xxx.xxx:8081/drive\r\n
Date: Tue, 29 Dec 2015 09:17:57 GMT\r\n
Authorization: NEATOAPP XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n
Connection: Upgrade\r\n
\r\n
[Full request URI: http://xxx.xxx.xxx.xxx:8081/drive]
[HTTP request 1/1]There also a port 8080 open but I can not figure out what's running on that one.
The communication between the Neato and the central server is handled via a server on Amazon - this traffis is HTTPS though. Next step is to set up a SSLSplit and hope that they don't have a pinned cert.
-
Nice find @Daniel-Eriksson,
Do we really need to know what's happening between the Neato <-> Cloud?
My initial though was to mimic the app to poll status and send commands via the cloud service.
-
If we can figure out what's going on between Cloud <-> Neato we can do a version which is in depended on the Cloud-service being online or not - which also means that we can disallow it internet access
-
That sounds like music to my ears. It is my device not Neato's
-
@Daniel-Eriksson said:
If we can figure out what's going on between Cloud <-> Neato we can do a version which is in depended on the Cloud-service being online or not - which also means that we can disallow it internet access
-
I recently ventured into writing some custom scripts both for my cloud connected home security system as well as my music streamer at home. It was quite easy to retrieve the commands needed from my android phone using an app I found called "Packet Capture" by the author Grey Shirts. Even https communication could be found. Perhaps this could be a way forward? Following this thread since I am considering getting a Botvac connected but failing to see the point if I would be dependent on a specific app on specific hardware..
-
This won't be solved until I see a proper curl call
-
I have installed the Packet Capture app. But this isn't working I think.
When starting the capture, the app makes a VPN connection. This VPN is blocking some traffic for the Neato App because my bot doesn't come only in the app. When I shut the VPN connection the bot comes online after 3 seconds.
Going back to the capture I think we miss some vital information because of this block.
This is what I got so far form the app:
<--- (TEXT)
GET /sessions/check HTTP/1.1
Authorization: Token token=xxxxxxxxxxxxxxx
Accept: application/vnd.neato.beehive.v1+json
Content-type: application/json
X-Agent: android-22|SM-G928F|samsung|1.0.0|134
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; SM-G928F Build/LMY47X)
Host: beehive.neatocloud.com
Connection: Keep-Alive
Accept-Encoding: gzip---> (TEXT)
HTTP/1.1 200 OK
Server: Cowboy
Date: Wed, 30 Dec 2015 00:32:03 GMT
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json; charset=utf-8
Etag: W/"a3cdd45ce712890397436cafca38e79a"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx
X-Runtime: 0.022752
Strict-Transport-Security: max-age=31536000
Content-Length: 39
Via: 1.1 vegur---> (JSON)
{"current_time":"2015-12-30T00:32:04Z"}<--- (TEXT)
GET /dashboard HTTP/1.1
Authorization: Token token=xxxxxxxxxxxxxxxxxxxxxxxx
Accept: application/vnd.neato.beehive.v1+json
Content-type: application/json
X-Agent: android-22|SM-G928F|samsung|1.0.0|134
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; SM-G928F Build/LMY47X)
Host: beehive.neatocloud.com
Connection: Keep-Alive
Accept-Encoding: gzip---> (TEXT)
HTTP/1.1 200 OK
Server: Cowboy
Date: Wed, 30 Dec 2015 00:32:03 GMT
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json; charset=utf-8
Etag: W/"c390b2a69fb7b4a405c8637e86ff321a"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxx
X-Runtime: 0.014884
Strict-Transport-Security: max-age=31536000
Content-Length: 1337
Via: 1.1 vegur---> (JSON)
{
"email":"xxxxx@xxxxx.nl",
"first_name":"xxxx",
"last_name":"xxxxxx",
"locale":"nl",
"newsletter":false,
"created_at":"2014-06-23T16:39:45Z",
"verified_at":"2015-05-25T13:19:08Z",
"robots": [
{
"serial":"xxxxxxxxxx",
"prefix":"SN",
"name":"xxxxxx",
"model":"BotVacConnected",
"secret_key":"xxxxxxxxxxxxxxxxxxxxx",
"purchased_at":"2015-12-22T00:00:00Z",
"proof_of_purchase_url":"https://neatorobotics.s3.amazonaws.com/proof_of_purchases/xxxxxxxxxx/ProofOfPurchase.jpg",
"proof_of_purchase_generated_at":"2015-12-23T18:31:21Z",
"mac_address":"xxxxxxxxx",
"firmware":"2.0.0",
"created_at":"2015-11-11T20:10:38Z",
"linked_at":"2015-12-23T17:23:55Z"
}
],
"recent_firmwares":{}}
xxxxxxxxx = personal data
-
Have a look here guys. This discussion seems and attempt to control the same vacuum cleaner.
-
Hmm.. my german isn't great.. Have they found out something useful?
-
I can read it a little bit but I think there isn't any usable information in that topic. Its more a overall discussion on the Botvac.
-
-
I have gotten stuck now on my venture -
Trying to figure out how the Authorization is calculated when it comes to the communication with the Neato. Found a place in the Java-code which mentions the Authorization part but can not figure out where it comes from
com/neatorobotics/android/activities/robot/C0645j.java:~142
private void m5619R() { if (!NeatoApplication.f2866a) { m5646a(); try { URI uri = new URI("ws://" + this.f3263d + ":" + this.f3264e + "/drive"); String b = C0764a.m5847b(); String str = this.f3262c.toLowerCase() + "\n" + b + "\n"; Mac instance = Mac.getInstance("HmacSha256"); instance.init(new SecretKeySpec(this.f3265f.getBytes(), "HmacSha256")); str = C0770g.m5880a(instance.doFinal(str.getBytes("UTF-8"))).toLowerCase(); Map hashMap = new HashMap(); hashMap.put("Date", b); hashMap.put("Authorization", "NEATOAPP " + str); this.al = new C0655t(this, uri, new C0017f(), hashMap, 5000); this.al.m41a(); new Thread(new C0661z(this)).start(); } catch (Exception e) { C0767d.m5867a("ManualCleaningFragment", "Exception", e); } }
I have also found what String b is
com/neatorobotics/android/utils/C0764a.java:89: public static String m5847b() {public static String m5847b() { Calendar instance = Calendar.getInstance(); instance.add(12, (int) (((C0742a.m5809b(NeatoApplication.m5360a(), "SERVER_DEVICE_TIME_DELTA_MILLIS", 0) * -1) / 1000) / 60)); SimpleDateFormat simpleDateFormat = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US); simpleDateFormat.setTimeZone(TimeZone.getTimeZone("GMT")); return simpleDateFormat.format(instance.getTime()); }
So what we need to figure out is the following variables:
this.f3262c.toLowerCase()
this.f3265f.getBytes() < I am pretty sure this is secret_keywhen we crack these - we get closer to communicating with the central server
-
Maybe I can help because I figured something out. I can get my computer in between the App and the Neato Botvac.
I have a Asus motherboard with a Wifi adapter. With the software "Wifi Engine" from Asus I can make a Access point in my computer.
So what I have done is disabled my home Wifi Netwerk and configured the Wifi of my computer the same as the home network. Both my phone and the Neato Bot connect to the Wifi point with my computer in between now.
I have installed Wireshark so I could capture some date between the app and the Neato.
Unfortunately I can't make anything out of the data. It's not like the "Packet Capture" app I installed on my phone you can see in my earlier post.Someone any idea what I could do to help us out?
-
Already sniffed the Web Socket traffic - was the first thing I did. No sensible easy output - needs more analysing and so. Need to start on the end with reversing the control-part of the app to see what it does.
-
This is the code I found in the app. there is also a selfsigned certificate, which probably matches the robot.
So the reason why you can't make out anything useful in the traffic: It's SSL encrypted.HttpsURLConnection httpsURLConnection3 = (HttpsURLConnection) new URL(str2).openConnection(); try { if ("neatoProduction".contains("vorwerk")) { httpsURLConnection3.setSSLSocketFactory(C0751h.m5821a(0)); } httpsURLConnection3.setConnectTimeout(60000); httpsURLConnection3.setReadTimeout(60000); if (str.equals("GET") || str.equals("DELETE")) { httpsURLConnection3.setDoOutput(false); } else { httpsURLConnection3.setDoOutput(true); } httpsURLConnection3.setRequestMethod(str); String a = C0742a.m5803a(NeatoApplication.m5360a(), "ACCESS_TOKEN"); if (a != null) { httpsURLConnection3.setRequestProperty("Authorization", "Token token=" + a); } httpsURLConnection3.setRequestProperty("Accept", "application/vnd.neato.beehive.v1+json"); httpsURLConnection3.setRequestProperty("Content-type", "application/json"); httpsURLConnection3.setRequestProperty("X-Agent", C0765b.m5864f());```
-
@enlo That there isn't the problem - if you read my above post the problem is generating the HMAC correctly. I have already proxied the traffic from the app - since they don't used pinned certifications
-
There's good news guys. I finally figured out how the HMAC signature is calculated and now i'm able to control the neato without the mobile application, which offers all kinds of new integration options.
What can be found in
com/neatorobotics/android/activities/robot/C0645j.java
is just half of the truth and i was looking at this part for way to long, i'm not sure where this part is used. maybe this would be the part where one can communicate with the neato without making use of the cloudservice. who knowsThe actual fun starts in
com/neatorobotics/android/p040c/p042b/C0898b.java
the code reveals that there are 3 ingredients making up the HMAC signature- the robot's serial number
- the current date (as also found in the Date header)
- the http body
Together with the robot's secret key we're now able to properly sign the requests.
I've packaged this in a small ruby library https://github.com/kangguru/botvac which is
quite basic and just covers just a little more than i needed for my usecase
but i'm happy to extend this over time.Especially the part to obtain the secret key for the robot just be done via
trafic capturing, which is not the most convinent thing i can think ofI hope this already helps some people to build new things around their robot. I've mixed the
stuff with ifttt.com and now can plan the cleaning schedule via a google calendar, which
makes it really convinent to skip single days in a given schedule, which ist kinda painful to
solve with the mobile app.happy hacking
-
Thats good news Kangguru. Nice job.
So maybe a noob question but How can I use this in my domotica program Domoticz running on Windows.
I can use LUA, Curl, Batch as far is a know.Thnx for helping.
-
I also figured it out some time ago. You get the robot secret key and serial number when you log in to beehive.neatocloud.com and request https://beehive.neatocloud.com/dashboard
I've written a powershell module where I exposed the entire api (as implemented in the android and iphone app), complete with login. I've yet to upload it to github but I can send it to you if you're unsure about the beehive part.
-
As for replacing the cloud server, I don't think it's possible without rooting the robot. The first thing it does when it's connected to the internet is to start an HTTPS Comet session (long polling). The robot will kill the connection immediately if you try to MiTM it with a selfsigned certificate and there is no way to install new certificates on the robot. If anyone has opened the robot I'd be interested in pictures of the motherboard, especially of any pads labeled JTAG.
-
Also nice job! Hope to see a link soon to github so we can experiment with this to.
Thanks for the work.
-
@Ubiquitous yea, i just was too lazy about the login stuff but i added the stuff over the weekend, to make it more "end"-user friendly.
-
@kangguru I have not done any ruby before and I'm stuck trying to use the gem. I think I've managed to install Ruby, devkit and Git (and added git.exe to path which is needed to be able to 'bundle install'). I don't see any errors, but I am unable to find any binary named botvac to run. I've run "gem env" and none of the variables seems strange.
Any suggestions? I'm on Windows 10 btw.
BR / M
-
FYI, a friend of mine has created a PHP library for the Neato cloud service -> https://github.com/tomrosenback/botvac
It is based on the work @kangguru has done.
-
@korttoma Works like a charm. Used PHP CLI on Windows 10. You have to enable extensions; php_curl and php_openssl in php.ini.
-
The PHP API Works great for me. I have two questions though.
- The [isCharging] value in the [details] array of the State JSON is always empty, even when it is clearly charging i.e. the [charge] value changes. Any Idea why?
- Whenever I call the pause cleaning, and then return to base, the robot will go back to its base, but it will not dock with it, is there any particular reason for this? and is there a way to have it return to the dock, and actually dock and charge with out just letting run through the entire cleaning cycle?
-
@Jonathan8301
You know, I've had that happen once or twice before I even found this page, but when I just tried it out, my botvac did dock properly.I just wish there were some way to get at the lower level sensor readings through this, I'd love to be able to see the 'map' that it builds when it cleans....
-
@Ubiquitous
I have plans to open up my D80 the day that the warrantee is up, not sure if that will or won't help you any...
-
Hmm it almost sounds like the Botvac could go for a firmware update, unfortunately it looks like Neato's post launch product support is severely lacking
-
@Jonathan8301
Funny thing is, before the connected was launched, I remember being able to find an API document and programming info for interfacing with the lower models...NOW, I can't so much as even find any page that contains a link to anything resembling an update file or api documentation...
-
@RawLiquid So you are looking for this -> https://www.neatorobotics.com/resources/programmersmanual_20140305.pdf
Or something else?
-
@korttoma actually, I already had that very document, and that is the one I was referring to. I might suggest keeping mentions of the exact url fairly low, It's likely an oversight that it's available still and if so, likely to be removed if they notice it. maybe use bitly to reference it instead...
I don't know what exactly changed within the company to cause such a drastic shift, but it's obvious that something changed....
-
Did anyone ever get this working with the Vera?
-
Hello hackers!
Let me introduce myself, I am Roberto Ostinelli, Neato Robotics' Director of Cloud Services.I'm impressed with the work that you've put into integrating with our robots! Great job!
Given the interest we've seen on this and other forums, we've listened and have just released the Neato Developer Network, which might hopefully be of interest for some of you here.
You can become a developer with just your Neato account from here:
https://developers.neatorobotics.comYou will find official documentation and SDKs for JavaScript, iOS and Android (for now, we plan on expanding to other languages too!).
Simply put, as a developer you can create your own OAuth apps that interacts with Neato robots.A demo of what you can achieve with the JavaScript SDK can be seen here (just login with your Neato account when requested):
https://developers.neatorobotics.com/demo/sdk-jsPlease note that all of this is in Beta, we're a small team but are doing our best!
Cheers,
r.
-
Thanks for finally acknowledging the fact that some people want to integrate their robotic vacuum cleaner with the rest of their smart home functionality.
Is your Neato Developer Network investment only targeting the new Neato Connected series and future versions or is there a communication module in the pipeline for older models like my Neato botvac 85?
-
@korttoma due to hardware and other considerations we are only targeting the connected series, that started with the BotVac Connected. There currently are also the D3/D5 available, and then the future products to come!
-
Welcome @roberto,
Thanks for making the Neato more hacker friendly. I'm sure it will boost your sales. The HA/DIY crowd and the early adopters buying robotic vacuum cleaners is coinciding.
-
Thank you @hek!
Sales are very nice indeed, but I'm also very interested in seeing what can be built with the creativity of all of you hackers on top of the Neato platform!
-
This is good news. Thank you Neato.
Is it possible to send commands with just an https url? These URL's I can implement in LUA scripts for my Domotica.
-
@Michael-van-der-Heijden Yes, everything is just standard http requests. Just head to the API section of the docs to learn more. You can see implementation examples in the existing SDK, that may help you out too!
-
@roberto Awesome to see you make the API public and official even though it seems that you're just making the endpoints "official" and pretty much identical to the API resulted from reverse engineering efforts. Any chance you (as in Neato) would consider allowing us to switch to our backend server, essentially replacing your cometa.io server (cometa.neatocloud.com)? And on a sidenote, to get access to the developers portal and API through your site, you have to accept to your new terms, yet you've made the libraries public on github.
-
@roberto - Thanks for making the API public! @kangguru and others - thanks for reverse engineering it!
@roberto - Any chance of making the local LAN, direct-to-robot API official and documenting it? Some people prefer the lower latency and non-cloud dependency of local LAN control.
P.S. I started an OpenHAB thread about developing a OpenHAB binding for the Neato Connected series.
-
@roberto Thanks for the documentation! Are there any plans to integrate with IFTTT? That would make it much easier for people to use with other smarthome things such as SmartThings, Echo, and Google Home.
-
Cool thread! I have got a Botvac Connected as well I see there is limitations to the scheduling in the software. I want to run the robot two times a day (set the schedule remotely). Any ideas on how to do that?
-
Looks like Smartthings is underway and Neato are engaged. I have not tested yet.
https://community.smartthings.com/t/neato-botvac-connected/24607/24
-
@Ubiquitous said:
Any chance you (as in Neato) would consider allowing us to switch to our backend server, essentially replacing your cometa.io server (cometa.neatocloud.com)?
We took your suggestion, but there are so many implications that i doubt this will get prioritized.
FYI, we do not use the cometa.io server, the official endpoint is https://nucleo.neatocloud.com:4443/ and the one you pointed out is for retro-compatibility only.@Stormwind said:
@roberto - Any chance of making the local LAN, direct-to-robot API official and documenting it? Some people prefer the lower latency and non-cloud dependency of local LAN control.
Suggestion noted. Note that direct-to-robot have limited functionalities.
@Seth-Daniel said:
@roberto Are there any plans to integrate with IFTTT? That would make it much easier for people to use with other smarthome things such as SmartThings, Echo, and Google Home.
A SmartThings integration exists, so does the Alexa one. IFTTT and Google Home are on the list of integrations that we are considering.
@Basic said:
I see there is limitations to the scheduling in the software. I want to run the robot two times a day (set the schedule remotely). Any ideas on how to do that?
This is an internal robot implementation. You can use the API to start your robot anytime you want, and build your own schedule system.
-
Greetings hackers!
Some of you may have seen that the latest 2.2 release for Botvac Connected includes the new maps functionality. Basically, you can now see the cleaning maps of your home in the Neato applications.We thought you might interested in accessing this functionality too, hence we've just released the new SDKs and API documentation which include this functionality. This main addition can be seen here:
https://developers.neatorobotics.com/api/beehiveHappy hacking! ^^_
Cheers,
r.
-
@roberto Are there any plans to integrate with IFTTT? That would make it much easier for people to use with other smarthome things such as SmartThings, Echo, and Google Home.
A SmartThings integration exists, so does the Alexa one. IFTTT and Google Home are on the list of integrations that we are considering.
Hope it's not only considered but done. SmartThings isn't available everywhere, IFTTT is.
Will Alexa be able to control the D5 in the future?
-
@roberto Now that the GDPR is in effect in Europe, will you prioritise local network control? It seems to me (privacy expert) that it will be hard to defend only having cloud-based control now that 'privacy by design' is mandatory?
-
@roberto Really supportive of the community to join this discussion.
I see there is a desire by the community unmet by what you're able to provide: local LAN controller. The obvious reasons include both the complexity that you might have in various cloud services that would be difficult to setup in a small LAN, the variance in server hardware or software to host the controller, and the IP that might become obvious if you ship a parsed language such as python.
This might actually be mitigated if you're willing to offer a docker image of a controller: supporting (or not-supporting: support yourselves, hackers!) is more consistent if one docker image can run on whatever orchestration we use, and we gain the ability to hit a local resource without uptime and latency and cloud-ness to worry about.
Understanding the subtle-but-continuous increase of cost in cloud services, this allows your uber-elite users that may generate above-average query load to shunt this load to their own resources.
Additionally, you'd seem like even more awesome people for doing this. Very cutting-edge. Define the next level of customer interaction and independence, GDPR privacy issues, etc.
I bet if you made a dummy service -- some go routine or python flask that simply responds with logical bogus values -- the open source community would build the docker image for you. Overnight.
Anyhow, it's a thought.