
    Daniel Eriksson

    @Daniel Eriksson


    Best posts made by Daniel Eriksson

    • RE: Hacking a Neato Robotics BotVac Connected

      What I have come up with so far is that the Neato itself is running a WebSocket server on port 8081 - and uses some kind of standard Auth-behavior in the headers,

      Hypertext Transfer Protocol
      GET /drive HTTP/1.1\r\n
      Host: xxx.xxx.xxx.xxx:8081\r\n
      Sec-WebSocket-Key: XXXXXXX==\r\n
      Sec-WebSocket-Version: 13\r\n
      Upgrade: websocket\r\n
      Origin: ws://xxx.xxx.xxx.xxx:8081/drive\r\n
      Date: Tue, 29 Dec 2015 09:17:57 GMT\r\n
      Authorization: NEATOAPP XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n
      Connection: Upgrade\r\n
      \r\n
      [Full request URI: http://xxx.xxx.xxx.xxx:8081/drive]
      [HTTP request 1/1]

      There is also a port 8080 open but I can not figure out what's running on that one.

      The communication between the Neato and the central server is handled via a server on Amazon - this traffic is HTTPS though. Next step is to set up an SSLSplit and hope that they don't have a pinned cert.

      posted in General Discussion
      Daniel Eriksson

    Latest posts made by Daniel Eriksson

    • RE: What does !TSP:MSG:PVER mismatch mean?

      @mfalkvidd Ah ok, then I just have to wait for the stuff 🙂 Thanks!

      posted in Troubleshooting
      Daniel Eriksson
    • RE: What does !TSP:MSG:PVER mismatch mean?

      Hello,

      I am having exactly the same issue with 2.0, works fine with 1.5.

      Using Arduino Mini Pro 5V - I do not have a decoupling capacitor because it hasn't been needed for 1.5. Will that really be needed with 2.0?

      posted in Troubleshooting
      Daniel Eriksson
    • RE: Hacking a Neato Robotics BotVac Connected

      @enlo That there isn't the problem - if you read my above post the problem is generating the HMAC correctly. I have already proxied the traffic from the app - since they don't use pinned certificates.

      posted in General Discussion
      Daniel Eriksson
    • RE: Hacking a Neato Robotics BotVac Connected

      Already sniffed the WebSocket traffic - was the first thing I did. No sensible easy output - needs more analysing and so on. Need to start on the end with reversing the control-part of the app to see what it does.

      posted in General Discussion
      Daniel Eriksson
    • RE: Hacking a Neato Robotics BotVac Connected

      I have gotten stuck now on my venture -

      Trying to figure out how the Authorization is calculated when it comes to the communication with the Neato. Found a place in the Java code which mentions the Authorization part but can not figure out where it comes from.

      com/neatorobotics/android/activities/robot/C0645j.java:~142

      private void m5619R() {
          if (!NeatoApplication.f2866a) {
              m5646a();
              try {
                  URI uri = new URI("ws://" + this.f3263d + ":" + this.f3264e + "/drive");
                  // b is the formatted GMT date string returned by C0764a.m5847b()
                  String b = C0764a.m5847b();
                  // String that gets signed: lower-cased f3262c, newline, date, newline
                  String str = this.f3262c.toLowerCase() + "\n" + b + "\n";
                  // HMAC-SHA256 keyed with the bytes of f3265f
                  Mac instance = Mac.getInstance("HmacSha256");
                  instance.init(new SecretKeySpec(this.f3265f.getBytes(), "HmacSha256"));
                  // C0770g.m5880a() turns the raw MAC bytes into a string, which is then lower-cased
                  str = C0770g.m5880a(instance.doFinal(str.getBytes("UTF-8"))).toLowerCase();
                  // The same date string and the MAC go out as the Date and Authorization headers
                  Map hashMap = new HashMap();
                  hashMap.put("Date", b);
                  hashMap.put("Authorization", "NEATOAPP " + str);
                  this.al = new C0655t(this, uri, new C0017f(), hashMap, 5000);
                  this.al.m41a();
                  new Thread(new C0661z(this)).start();
              } catch (Exception e) {
                  C0767d.m5867a("ManualCleaningFragment", "Exception", e);
              }
          }
      }
      

      I have also found what String b is
      com/neatorobotics/android/utils/C0764a.java:89: public static String m5847b() {

      public static String m5847b() {
          Calendar instance = Calendar.getInstance();
          // Calendar field 12 is Calendar.MINUTE: shift the clock by the stored
          // server/device time delta, converted from milliseconds to minutes
          instance.add(12, (int) (((C0742a.m5809b(NeatoApplication.m5360a(), "SERVER_DEVICE_TIME_DELTA_MILLIS", 0) * -1) / 1000) / 60));
          // HTTP-style date, always rendered in GMT
          SimpleDateFormat simpleDateFormat = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
          simpleDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
          return simpleDateFormat.format(instance.getTime());
      }
      

      So what we need to figure out is the following variables:
      this.f3262c.toLowerCase()
      this.f3265f.getBytes() < I am pretty sure this is secret_key

      when we crack these - we get closer to communicating with the central server

      posted in General Discussion
      Daniel Eriksson
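
The signing scheme from m5619R(), seen from the receiving side, as an added example that is not part of the original post or of Neato's code. The names `identifier` and `secret` (standing in for f3262c and f3265f), the sample values, the hex encoding of the MAC and the five-minute freshness window are all assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

MAX_SKEW = timedelta(minutes=5)          # assumption: the post states no window
SAMPLE_ID = "Example-Robot-Id"           # constructed stand-in for f3262c
SAMPLE_SECRET = b"constructed-secret"    # constructed stand-in for f3265f


def http_date(now: datetime) -> str:
    """Same layout as the app's "EEE, dd MMM yyyy HH:mm:ss 'GMT'" formatter."""
    return format_datetime(now.astimezone(timezone.utc), usegmt=True)


def sign(identifier: str, date_header: str, secret: bytes) -> str:
    """HMAC-SHA256 over lower(identifier) + LF + date + LF, as in m5619R()."""
    message = f"{identifier.lower()}\n{date_header}\n".encode("utf-8")
    # Hex is an assumption: the encoder C0770g.m5880a() is not shown in the post.
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(headers: dict, identifier: str, secret: bytes, now: datetime) -> bool:
    """Receiver side: check scheme, Date freshness, then the MAC."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    date_header = headers.get("Date", "")
    if scheme != "NEATOAPP" or not presented or not date_header:
        return False
    try:
        sent_at = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return False
    # The Date is part of the signed string, so bounding its age bounds how
    # long a captured Date/Authorization pair stays usable.
    if sent_at.tzinfo is None or abs(now - sent_at) > MAX_SKEW:
        return False
    expected = sign(identifier, date_header, secret)
    # Constant-time comparison; bytes, because compare_digest rejects non-ASCII str.
    return hmac.compare_digest(expected.encode(), presented.lower().encode())


if __name__ == "__main__":
    sent = datetime(2015, 12, 29, 9, 17, 57, tzinfo=timezone.utc)
    date = http_date(sent)
    hdrs = {"Date": date, "Authorization": "NEATOAPP " + sign(SAMPLE_ID, date, SAMPLE_SECRET)}
    print(date, verify(hdrs, SAMPLE_ID, SAMPLE_SECRET, sent + timedelta(seconds=30)))
    print("an hour later:", verify(hdrs, SAMPLE_ID, SAMPLE_SECRET, sent + timedelta(hours=1)))
```

The signed string covers only the identifier and the Date, so this check says nothing about the request path or the WebSocket frames that follow the handshake.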
    • RE: Hacking a Neato Robotics BotVac Connected

      If we can figure out what's going on between Cloud <-> Neato we can do a version which is independent of the Cloud-service being online or not - which also means that we can disallow it internet access.

      posted in General Discussion
      Daniel Eriksson