RE: Hacking a Neato Robotics BotVac Connected

What I have come up with so far is that the Neato it self is running a websocket server on port 8081 - and uses some kind of standard Auth-behavior in the headers,

Hypertext Transfer Protocol
GET /drive HTTP/1.1\r\n
Host: xxx.xxx.xxx.xxx:8081\r\n
Sec-WebSocket-Key: XXXXXXX==\r\n
Sec-WebSocket-Version: 13\r\n
Upgrade: websocket\r\n
Origin: ws://xxx.xxx.xxx.xxx:8081/drive\r\n
Date: Tue, 29 Dec 2015 09:17:57 GMT\r\n
Authorization: NEATOAPP XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n
Connection: Upgrade\r\n
\r\n
[Full request URI: http://xxx.xxx.xxx.xxx:8081/drive]
[HTTP request 1/1]

There also a port 8080 open but I can not figure out what's running on that one.

The communication between the Neato and the central server is handled via a server on Amazon - this traffis is HTTPS though. Next step is to set up a SSLSplit and hope that they don't have a pinned cert.

@mfalkvidd Ah ok, then I just have to wait for the stuff Thanks!

Hello,

I am having exactly the same issue with 2.0, works fine with 1.5.

Using Arduino Mini Pro 5v - I do not have a Decoupling-Capacitor cause it hasnt been needed for 1.5 will that really be needed with 2.0?

@enlo That there isn't the problem - if you read my above post the problem is generating the HMAC correctly. I have already proxied the traffic from the app - since they don't used pinned certifications

Already sniffed the Web Socket traffic - was the first thing I did. No sensible easy output - needs more analysing and so. Need to start on the end with reversing the control-part of the app to see what it does.

I have gotten stuck now on my venture -

Trying to figure out how the Authorization is calculated when it comes to the communication with the Neato. Found a place in the Java-code which mentions the Authorization part but can not figure out where it comes from

com/neatorobotics/android/activities/robot/C0645j.java:~142

private void m5619R() {
    if (!NeatoApplication.f2866a) {
        m5646a();
        try {
            URI uri = new URI("ws://" + this.f3263d + ":" + this.f3264e + "/drive");
            String b = C0764a.m5847b();
            String str = this.f3262c.toLowerCase() + "\n" + b + "\n";
            Mac instance = Mac.getInstance("HmacSha256");
            instance.init(new SecretKeySpec(this.f3265f.getBytes(), "HmacSha256"));
            str = C0770g.m5880a(instance.doFinal(str.getBytes("UTF-8"))).toLowerCase();
            Map hashMap = new HashMap();
            hashMap.put("Date", b);
            hashMap.put("Authorization", "NEATOAPP " + str);
            this.al = new C0655t(this, uri, new C0017f(), hashMap, 5000);
            this.al.m41a();
            new Thread(new C0661z(this)).start();
        } catch (Exception e) {
            C0767d.m5867a("ManualCleaningFragment", "Exception", e);
        }
    }

I have also found what String b is
com/neatorobotics/android/utils/C0764a.java:89: public static String m5847b() {

public static String m5847b() {
    Calendar instance = Calendar.getInstance();
    instance.add(12, (int) (((C0742a.m5809b(NeatoApplication.m5360a(), "SERVER_DEVICE_TIME_DELTA_MILLIS", 0) * -1) / 1000) / 60));
    SimpleDateFormat simpleDateFormat = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
    simpleDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
    return simpleDateFormat.format(instance.getTime());
}

So what we need to figure out is the following variables:
this.f3262c.toLowerCase()
this.f3265f.getBytes() < I am pretty sure this is secret_key

when we crack these - we get closer to communicating with the central server

If we can figure out what's going on between Cloud <-> Neato we can do a version which is in depended on the Cloud-service being online or not - which also means that we can disallow it internet access

What I have come up with so far is that the Neato it self is running a websocket server on port 8081 - and uses some kind of standard Auth-behavior in the headers,

Hypertext Transfer Protocol
GET /drive HTTP/1.1\r\n
Host: xxx.xxx.xxx.xxx:8081\r\n
Sec-WebSocket-Key: XXXXXXX==\r\n
Sec-WebSocket-Version: 13\r\n
Upgrade: websocket\r\n
Origin: ws://xxx.xxx.xxx.xxx:8081/drive\r\n
Date: Tue, 29 Dec 2015 09:17:57 GMT\r\n
Authorization: NEATOAPP XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n
Connection: Upgrade\r\n
\r\n
[Full request URI: http://xxx.xxx.xxx.xxx:8081/drive]
[HTTP request 1/1]

There also a port 8080 open but I can not figure out what's running on that one.

The communication between the Neato and the central server is handled via a server on Amazon - this traffis is HTTPS though. Next step is to set up a SSLSplit and hope that they don't have a pinned cert.