Hacking a Neato Robotics BotVac Connected


  • Mod

    @kalle Chances are that the commands & format are identical for the newer wifi model -- companies tend not to reinvent the wheel for each product 😉
    You'd only have to find out how these commands are transferred to the BotVac.



  • What I have come up with so far is that the Neato itself is running a websocket server on port 8081 - and uses some kind of standard Auth-behavior in the headers,

    Hypertext Transfer Protocol
    GET /drive HTTP/1.1\r\n
    Host: xxx.xxx.xxx.xxx:8081\r\n
    Sec-WebSocket-Key: XXXXXXX==\r\n
    Sec-WebSocket-Version: 13\r\n
    Upgrade: websocket\r\n
    Origin: ws://xxx.xxx.xxx.xxx:8081/drive\r\n
    Date: Tue, 29 Dec 2015 09:17:57 GMT\r\n
    Authorization: NEATOAPP XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n
    Connection: Upgrade\r\n
    \r\n
    [Full request URI: http://xxx.xxx.xxx.xxx:8081/drive]
    [HTTP request 1/1]

    There is also a port 8080 open but I can not figure out what's running on that one.

    The communication between the Neato and the central server is handled via a server on Amazon - this traffic is HTTPS though. Next step is to set up SSLSplit and hope that they don't have a pinned cert.


  • Admin

    Nice find @Daniel-Eriksson,

    Do we really need to know what's happening between the Neato <-> Cloud?
    My initial thought was to mimic the app to poll status and send commands via the cloud service.



  • If we can figure out what's going on between Cloud <-> Neato we can do a version which is independent of the Cloud-service being online or not - which also means that we can disallow it internet access



  • That sounds like music to my ears. It is my device not Neato's


  • Admin

    @Daniel-Eriksson said:

    If we can figure out what's going on between Cloud <-> Neato we can do a version which is independent of the Cloud-service being online or not - which also means that we can disallow it internet access

    👍



  • I recently ventured into writing some custom scripts both for my cloud connected home security system as well as my music streamer at home. It was quite easy to retrieve the commands needed from my android phone using an app I found called "Packet Capture" by the author Grey Shirts. Even https communication could be found. Perhaps this could be a way forward? Following this thread since I am considering getting a Botvac connected but failing to see the point if I would be dependent on a specific app on specific hardware..


  • Admin

    This won't be solved until I see a proper curl call 😉



  • I have installed the Packet Capture app. But this isn't working I think.

    When starting the capture, the app makes a VPN connection. This VPN is blocking some traffic for the Neato App because my bot doesn't come online in the app. When I shut the VPN connection the bot comes online after 3 seconds.

    Going back to the capture I think we miss some vital information because of this block.

    This is what I got so far from the app:

    <--- (TEXT)
    GET /sessions/check HTTP/1.1
    Authorization: Token token=xxxxxxxxxxxxxxx
    Accept: application/vnd.neato.beehive.v1+json
    Content-type: application/json
    X-Agent: android-22|SM-G928F|samsung|1.0.0|134
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; SM-G928F Build/LMY47X)
    Host: beehive.neatocloud.com
    Connection: Keep-Alive
    Accept-Encoding: gzip

    ---> (TEXT)
    HTTP/1.1 200 OK
    Server: Cowboy
    Date: Wed, 30 Dec 2015 00:32:03 GMT
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    X-Xss-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Type: application/json; charset=utf-8
    Etag: W/"a3cdd45ce712890397436cafca38e79a"
    Cache-Control: max-age=0, private, must-revalidate
    X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx
    X-Runtime: 0.022752
    Strict-Transport-Security: max-age=31536000
    Content-Length: 39
    Via: 1.1 vegur

    ---> (JSON)
    {"current_time":"2015-12-30T00:32:04Z"}

    <--- (TEXT)
    GET /dashboard HTTP/1.1
    Authorization: Token token=xxxxxxxxxxxxxxxxxxxxxxxx
    Accept: application/vnd.neato.beehive.v1+json
    Content-type: application/json
    X-Agent: android-22|SM-G928F|samsung|1.0.0|134
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; SM-G928F Build/LMY47X)
    Host: beehive.neatocloud.com
    Connection: Keep-Alive
    Accept-Encoding: gzip

    ---> (TEXT)
    HTTP/1.1 200 OK
    Server: Cowboy
    Date: Wed, 30 Dec 2015 00:32:03 GMT
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    X-Xss-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Type: application/json; charset=utf-8
    Etag: W/"c390b2a69fb7b4a405c8637e86ff321a"
    Cache-Control: max-age=0, private, must-revalidate
    X-Request-Id: xxxxxxxxxxxxxxxxxxxxxxxxxx
    X-Runtime: 0.014884
    Strict-Transport-Security: max-age=31536000
    Content-Length: 1337
    Via: 1.1 vegur

    ---> (JSON)
    {
    "email":"xxxxx@xxxxx.nl",
    "first_name":"xxxx",
    "last_name":"xxxxxx",
    "locale":"nl",
    "newsletter":false,
    "created_at":"2014-06-23T16:39:45Z",
    "verified_at":"2015-05-25T13:19:08Z",
    "robots": [
    {
    "serial":"xxxxxxxxxx",
    "prefix":"SN",
    "name":"xxxxxx",
    "model":"BotVacConnected",
    "secret_key":"xxxxxxxxxxxxxxxxxxxxx",
    "purchased_at":"2015-12-22T00:00:00Z",
    "proof_of_purchase_url":"https://neatorobotics.s3.amazonaws.com/proof_of_purchases/xxxxxxxxxx/ProofOfPurchase.jpg",
    "proof_of_purchase_generated_at":"2015-12-23T18:31:21Z",
    "mac_address":"xxxxxxxxx",
    "firmware":"2.0.0",
    "created_at":"2015-11-11T20:10:38Z",
    "linked_at":"2015-12-23T17:23:55Z"
    }
    ],
    "recent_firmwares":{}

    }

    xxxxxxxxx = personal data


  • Mod

    Have a look here guys. This discussion seems an attempt to control the same vacuum cleaner.


  • Admin

    Hmm.. my German isn't great.. Have they found out something useful?



  • I can read it a little bit but I think there isn't any usable information in that topic. It's more an overall discussion on the Botvac.


  • Mod

    @hek said:

    Have they found out something useful?

    Not sure 😉



  • I have gotten stuck now on my venture -

    Trying to figure out how the Authorization is calculated when it comes to the communication with the Neato. Found a place in the Java-code which mentions the Authorization part but can not figure out where it comes from

    com/neatorobotics/android/activities/robot/C0645j.java:~142

    private void m5619R() {
        if (!NeatoApplication.f2866a) {
            m5646a();
            try {
                URI uri = new URI("ws://" + this.f3263d + ":" + this.f3264e + "/drive");
                String b = C0764a.m5847b();
                String str = this.f3262c.toLowerCase() + "\n" + b + "\n";
                Mac instance = Mac.getInstance("HmacSha256");
                instance.init(new SecretKeySpec(this.f3265f.getBytes(), "HmacSha256"));
                str = C0770g.m5880a(instance.doFinal(str.getBytes("UTF-8"))).toLowerCase();
                Map hashMap = new HashMap();
                hashMap.put("Date", b);
                hashMap.put("Authorization", "NEATOAPP " + str);
                this.al = new C0655t(this, uri, new C0017f(), hashMap, 5000);
                this.al.m41a();
                new Thread(new C0661z(this)).start();
            } catch (Exception e) {
                C0767d.m5867a("ManualCleaningFragment", "Exception", e);
            }
        }
    }

    I have also found what String b is
    com/neatorobotics/android/utils/C0764a.java:89: public static String m5847b() {

    public static String m5847b() {
        Calendar instance = Calendar.getInstance();
        instance.add(12, (int) (((C0742a.m5809b(NeatoApplication.m5360a(), "SERVER_DEVICE_TIME_DELTA_MILLIS", 0) * -1) / 1000) / 60));
        SimpleDateFormat simpleDateFormat = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
        simpleDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
        return simpleDateFormat.format(instance.getTime());
    }
    

    So what we need to figure out is the following variables:
    this.f3262c.toLowerCase()
    this.f3265f.getBytes() < I am pretty sure this is secret_key

    when we crack these - we get closer to communicating with the central server



  • Maybe I can help because I figured something out. I can get my computer in between the App and the Neato Botvac.

    I have an Asus motherboard with a Wifi adapter. With the software "Wifi Engine" from Asus I can make an Access point in my computer.

    So what I have done is disabled my home Wifi Network and configured the Wifi of my computer the same as the home network. Both my phone and the Neato Bot connect to the Wifi point with my computer in between now.

    I have installed Wireshark so I could capture some data between the app and the Neato.
    Unfortunately I can't make anything out of the data. It's not like the "Packet Capture" app I installed on my phone you can see in my earlier post.

    Does anyone have any idea what I could do to help us out?



  • Already sniffed the Web Socket traffic - was the first thing I did. No sensible easy output - needs more analysing and so. Need to start on the end with reversing the control-part of the app to see what it does.



  • This is the code I found in the app. There is also a self-signed certificate, which probably matches the robot.
    So the reason why you can't make out anything useful in the traffic: It's SSL encrypted.

                HttpsURLConnection httpsURLConnection3 = (HttpsURLConnection) new URL(str2).openConnection();
                try {
                    if ("neatoProduction".contains("vorwerk")) {
                        httpsURLConnection3.setSSLSocketFactory(C0751h.m5821a(0));
                    }
                    httpsURLConnection3.setConnectTimeout(60000);
                    httpsURLConnection3.setReadTimeout(60000);
                    if (str.equals("GET") || str.equals("DELETE")) {
                        httpsURLConnection3.setDoOutput(false);
                    } else {
                        httpsURLConnection3.setDoOutput(true);
                    }
                    httpsURLConnection3.setRequestMethod(str);
                    String a = C0742a.m5803a(NeatoApplication.m5360a(), "ACCESS_TOKEN");
                    if (a != null) {
                        httpsURLConnection3.setRequestProperty("Authorization", "Token token=" + a);
                    }
                    httpsURLConnection3.setRequestProperty("Accept", "application/vnd.neato.beehive.v1+json");
                    httpsURLConnection3.setRequestProperty("Content-type", "application/json");
                    httpsURLConnection3.setRequestProperty("X-Agent", C0765b.m5864f());


  • @enlo That there isn't the problem - if you read my above post the problem is generating the HMAC correctly. I have already proxied the traffic from the app - since they don't use pinned certificates



  • There's good news guys. I finally figured out how the HMAC signature is calculated and now I'm able to control the Neato without the mobile application, which offers all kinds of new integration options.

    What can be found in com/neatorobotics/android/activities/robot/C0645j.java is just half of the truth and I was looking at this part for way too long, I'm not sure where this part is used. Maybe this would be the part where one can communicate with the Neato without making use of the cloud service. Who knows 😉

    The actual fun starts in com/neatorobotics/android/p040c/p042b/C0898b.java. The code reveals that there are 3 ingredients making up the HMAC signature:

    • the robot's serial number
    • the current date (as also found in the Date header)
    • the http body

    Together with the robot's secret key we're now able to properly sign the requests.

    I've packaged this in a small Ruby library https://github.com/kangguru/botvac which is
    quite basic and covers just a little more than I needed for my use case
    but I'm happy to extend this over time.

    Especially the part to obtain the secret key for the robot must be done via
    traffic capturing, which is not the most convenient thing I can think of 🙂

    I hope this already helps some people to build new things around their robot. I've mixed the
    stuff with ifttt.com and now can plan the cleaning schedule via a Google calendar, which
    makes it really convenient to skip single days in a given schedule, which is kinda painful to
    solve with the mobile app.

    happy hacking
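
The signing scheme described in the post above, with the check a receiver would run, as an added example that is not part of the original post or of the botvac library. Assumptions: the string to sign extends the layout of the `C0645j.java` snippet earlier in the thread (lowercased serial, Date value, then body, joined by newlines), the signature is hex-encoded, and the five-minute clock-skew window, the function names and the sample serial, key and body are constructed for illustration.

```ruby
require 'openssl'
require 'time'

# Constructed sample values, not real credentials.
SAMPLE_SERIAL = 'SAMPLE-SERIAL-0001'
SAMPLE_SECRET = '00112233445566778899aabbccddeeff'
MAX_SKEW_SECONDS = 300 # assumed acceptance window; the thread gives no value

# Assumed layout: lowercased serial, Date header value and HTTP body joined
# by "\n". With an empty body this yields "serial\ndate\n", the string built
# in the decompiled C0645j.java snippet.
def string_to_sign(serial, date, body)
  [serial.downcase, date, body].join("\n")
end

# HMAC-SHA256 keyed with the robot's secret_key, as lowercase hex.
def sign(serial, secret, date, body)
  OpenSSL::HMAC.hexdigest('sha256', secret, string_to_sign(serial, date, body))
end

# Headers a client attaches to a signed request.
def signed_headers(serial, secret, body, now = Time.now)
  date = now.utc.httpdate # e.g. "Tue, 29 Dec 2015 09:17:57 GMT"
  { 'Date' => date,
    'Authorization' => "NEATOAPP #{sign(serial, secret, date, body)}" }
end

# Constant-time comparison so a mismatch does not leak its position.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiver-side check: scheme, parseable and fresh Date, then the HMAC.
# Returns :ok, :bad_scheme, :bad_date, :stale or :bad_signature.
def verify(serial, secret, headers, body, now = Time.now)
  scheme, signature = headers.fetch('Authorization', '').split(' ', 2)
  return :bad_scheme unless scheme == 'NEATOAPP' && signature

  begin
    sent_at = Time.httpdate(headers.fetch('Date', ''))
  rescue ArgumentError
    return :bad_date
  end
  # The Date is covered by the HMAC, so a captured request only replays
  # inside this window.
  return :stale if (now - sent_at).abs > MAX_SKEW_SECONDS

  expected = sign(serial, secret, headers['Date'], body)
  secure_equal?(expected, signature.downcase) ? :ok : :bad_signature
end

if __FILE__ == $PROGRAM_NAME
  body = '{"cmd":"example"}' # constructed body
  headers = signed_headers(SAMPLE_SERIAL, SAMPLE_SECRET, body)
  puts headers
  puts verify(SAMPLE_SERIAL, SAMPLE_SECRET, headers, body)       # ok
  puts verify(SAMPLE_SERIAL, SAMPLE_SECRET, headers, body + 'x') # bad_signature
end
```

Because the key is the `secret_key` returned by `/dashboard`, anyone who can read that response can sign requests for the robot, which is why the captures in this thread have it redacted.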



  • That's good news Kangguru. Nice job.

    So maybe a noob question, but how can I use this in my domotica program Domoticz running on Windows?
    I can use LUA, Curl, Batch as far as I know.

    Thnx for helping.



  • @kangguru

    I also figured it out some time ago. You get the robot secret key and serial number when you log in to beehive.neatocloud.com and request https://beehive.neatocloud.com/dashboard
    I've written a powershell module where I exposed the entire api (as implemented in the android and iphone app), complete with login. I've yet to upload it to github but I can send it to you if you're unsure about the beehive part.



  • As for replacing the cloud server, I don't think it's possible without rooting the robot. The first thing it does when it's connected to the internet is to start an HTTPS Comet session (long polling). The robot will kill the connection immediately if you try to MiTM it with a self-signed certificate and there is no way to install new certificates on the robot. If anyone has opened the robot I'd be interested in pictures of the motherboard, especially of any pads labeled JTAG.



  • @Ubiquitous

    Also nice job! Hope to see a link soon to GitHub so we can experiment with this too.

    Thanks for the work.



  • @Ubiquitous yea, I just was too lazy about the login stuff 🙂 but I added the stuff over the weekend, to make it more "end"-user friendly.



  • @kangguru I have not done any ruby before and I'm stuck trying to use the gem. I think I've managed to install Ruby, devkit and Git (and added git.exe to path which is needed to be able to 'bundle install'). I don't see any errors, but I am unable to find any binary named botvac to run. I've run "gem env" and none of the variables seems strange.

    Any suggestions? I'm on Windows 10 btw.

    BR / M


  • Hero Member

    FYI, a friend of mine has created a PHP library for the Neato cloud service -> https://github.com/tomrosenback/botvac

    It is based on the work @kangguru has done.



  • @korttoma Works like a charm. Used PHP CLI on Windows 10. You have to enable extensions; php_curl and php_openssl in php.ini.



  • The PHP API Works great for me. I have two questions though.

    1. The [isCharging] value in the [details] array of the State JSON is always empty, even when it is clearly charging i.e. the [charge] value changes. Any Idea why?
    2. Whenever I call the pause cleaning, and then return to base, the robot will go back to its base, but it will not dock with it. Is there any particular reason for this? And is there a way to have it return to the dock, and actually dock and charge without just letting it run through the entire cleaning cycle?


  • @Jonathan8301
    You know, I've had that happen once or twice before I even found this page, but when I just tried it out, my botvac did dock properly.

    I just wish there were some way to get at the lower level sensor readings through this, I'd love to be able to see the 'map' that it builds when it cleans....



  • @Ubiquitous
    I have plans to open up my D80 the day that the warranty is up, not sure if that will or won't help you any...



  • Hmm it almost sounds like the Botvac could go for a firmware update, unfortunately it looks like Neato's post launch product support is severely lacking



  • @Jonathan8301
    Funny thing is, before the connected was launched, I remember being able to find an API document and programming info for interfacing with the lower models...NOW, I can't so much as even find any page that contains a link to anything resembling an update file or api documentation...


  • Hero Member



  • @korttoma actually, I already had that very document, and that is the one I was referring to. I might suggest keeping mentions of the exact url fairly low, It's likely an oversight that it's available still and if so, likely to be removed if they notice it. maybe use bitly to reference it instead...
    I don't know what exactly changed within the company to cause such a drastic shift, but it's obvious that something changed....



  • Did anyone ever get this working with the Vera?



  • Hello hackers!
    Let me introduce myself, I am Roberto Ostinelli, Neato Robotics' Director of Cloud Services.

    I'm impressed with the work that you've put into integrating with our robots! Great job!

    Given the interest we've seen on this and other forums, we've listened and have just released the Neato Developer Network, which might hopefully be of interest for some of you here.
    You can become a developer with just your Neato account from here:
    https://developers.neatorobotics.com

    You will find official documentation and SDKs for JavaScript, iOS and Android (for now, we plan on expanding to other languages too!).
    Simply put, as a developer you can create your own OAuth apps that interact with Neato robots.

    A demo of what you can achieve with the JavaScript SDK can be seen here (just login with your Neato account when requested):
    https://developers.neatorobotics.com/demo/sdk-js

    Please note that all of this is in Beta, we're a small team but are doing our best!

    Cheers,
    r.


  • Hero Member

    @roberto

    Thanks for finally acknowledging the fact that some people want to integrate their robotic vacuum cleaner with the rest of their smart home functionality.

    Is your Neato Developer Network investment only targeting the new Neato Connected series and future versions or is there a communication module in the pipeline for older models like my Neato botvac 85?



  • @korttoma due to hardware and other considerations we are only targeting the connected series, that started with the BotVac Connected. There currently are also the D3/D5 available, and then the future products to come!


  • Admin

    Welcome @roberto,

    Thanks for making the Neato more hacker friendly. I'm sure it will boost your sales. The HA/DIY crowd and the early adopters buying robotic vacuum cleaners are coinciding.



  • Thank you @hek!
    Sales are very nice indeed, but I'm also very interested in seeing what can be built with the creativity of all of you hackers on top of the Neato platform!



  • This is good news. Thank you Neato.

    Is it possible to send commands with just an https url? These URL's I can implement in LUA scripts for my Domotica.



  • @Michael-van-der-Heijden Yes, everything is just standard http requests. Just head to the API section of the docs to learn more. You can see implementation examples in the existing SDK, that may help you out too!



  • @roberto Awesome to see you make the API public and official even though it seems that you're just making the endpoints "official" and pretty much identical to the API resulted from reverse engineering efforts. Any chance you (as in Neato) would consider allowing us to switch to our backend server, essentially replacing your cometa.io server (cometa.neatocloud.com)? And on a sidenote, to get access to the developers portal and API through your site, you have to accept your new terms, yet you've made the libraries public on GitHub. 🙂



  • @roberto - Thanks for making the API public! @kangguru and others - thanks for reverse engineering it!

    @roberto - Any chance of making the local LAN, direct-to-robot API official and documenting it? Some people prefer the lower latency and non-cloud dependency of local LAN control.

    P.S. I started an OpenHAB thread about developing a OpenHAB binding for the Neato Connected series.



  • @roberto Thanks for the documentation! Are there any plans to integrate with IFTTT? That would make it much easier for people to use with other smarthome things such as SmartThings, Echo, and Google Home.



  • Cool thread! I have got a Botvac Connected as well 🙂 I see there are limitations to the scheduling in the software. I want to run the robot two times a day (set the schedule remotely). Any ideas on how to do that? 🙂



  • Looks like Smartthings is underway and Neato are engaged. I have not tested yet.

    https://community.smartthings.com/t/neato-botvac-connected/24607/24



  • @Ubiquitous said:

    Any chance you (as in Neato) would consider allowing us to switch to our backend server, essentially replacing your cometa.io server (cometa.neatocloud.com)?

    We took your suggestion, but there are so many implications that I doubt this will get prioritized.
    FYI, we do not use the cometa.io server, the official endpoint is https://nucleo.neatocloud.com:4443/ and the one you pointed out is for retro-compatibility only.

    @Stormwind said:

    @roberto - Any chance of making the local LAN, direct-to-robot API official and documenting it? Some people prefer the lower latency and non-cloud dependency of local LAN control.

    Suggestion noted. Note that direct-to-robot have limited functionalities.

    @Seth-Daniel said:

    @roberto Are there any plans to integrate with IFTTT? That would make it much easier for people to use with other smarthome things such as SmartThings, Echo, and Google Home.

    A SmartThings integration exists, so does the Alexa one. IFTTT and Google Home are on the list of integrations that we are considering.

    @Basic said:

    I see there are limitations to the scheduling in the software. I want to run the robot two times a day (set the schedule remotely). Any ideas on how to do that? 🙂

    This is an internal robot implementation. You can use the API to start your robot anytime you want, and build your own schedule system. 🙂



  • Greetings hackers!
    Some of you may have seen that the latest 2.2 release for Botvac Connected includes the new maps functionality. Basically, you can now see the cleaning maps of your home in the Neato applications.

    We thought you might be interested in accessing this functionality too, hence we've just released the new SDKs and API documentation which include this functionality. This main addition can be seen here:
    https://developers.neatorobotics.com/api/beehive

    Happy hacking! ^^_

    Cheers,
    r.



  • @roberto Are there any plans to integrate with IFTTT? That would make it much easier for people to use with other smarthome things such as SmartThings, Echo, and Google Home.

    A SmartThings integration exists, so does the Alexa one. IFTTT and Google Home are on the list of integrations that we are considering.

    Hope it's not only considered but done. SmartThings isn't available everywhere, IFTTT is.

    Will Alexa be able to control the D5 in the future?


  • Plugin Developer

    @roberto Now that the GDPR is in effect in Europe, will you prioritise local network control? It seems to me (privacy expert) that it will be hard to defend only having cloud-based control now that 'privacy by design' is mandatory?



  • @roberto Really supportive of the community to join this discussion.

    I see there is a desire by the community unmet by what you're able to provide: local LAN controller. The obvious reasons include both the complexity that you might have in various cloud services that would be difficult to setup in a small LAN, the variance in server hardware or software to host the controller, and the IP that might become obvious if you ship a parsed language such as python.

    This might actually be mitigated if you're willing to offer a docker image of a controller: supporting (or not-supporting: support yourselves, hackers!) is more consistent if one docker image can run on whatever orchestration we use, and we gain the ability to hit a local resource without uptime and latency and cloud-ness to worry about.

    Understanding the subtle-but-continuous increase of cost in cloud services, this allows your uber-elite users that may generate above-average query load to shunt this load to their own resources.

    Additionally, you'd seem like even more awesome people for doing this. Very cutting-edge. Define the next level of customer interaction and independence, GDPR privacy issues, etc.

    I bet if you made a dummy service -- some go routine or python flask that simply responds with logical bogus values -- the open source community would build the docker image for you. Overnight.

    Anyhow, it's a thought.

