@mfalkvidd Ah ok, then I just have to wait for the stuff. Thanks!
Posts made by Daniel Eriksson
-
RE: What does !TSP:MSG:PVER mismatch mean?
-
RE: What does !TSP:MSG:PVER mismatch mean?
Hello,
I am having exactly the same issue with 2.0, works fine with 1.5.
Using Arduino Mini Pro 5V - I do not have a decoupling capacitor because it hasn't been needed for 1.5. Will that really be needed with 2.0?
-
RE: Hacking a Neato Robotics BotVac Connected
@enlo That there isn't the problem - if you read my above post the problem is generating the HMAC correctly. I have already proxied the traffic from the app - since they don't use pinned certificates.
-
RE: Hacking a Neato Robotics BotVac Connected
Already sniffed the Web Socket traffic - was the first thing I did. No sensible easy output - needs more analysing and so. Need to start on the end with reversing the control-part of the app to see what it does.
-
RE: Hacking a Neato Robotics BotVac Connected
I have gotten stuck now on my venture -
Trying to figure out how the Authorization is calculated when it comes to the communication with the Neato. Found a place in the Java code which mentions the Authorization part but cannot figure out where it comes from.
com/neatorobotics/android/activities/robot/C0645j.java:~142

    private void m5619R() {
        if (!NeatoApplication.f2866a) {
            m5646a();
            try {
                URI uri = new URI("ws://" + this.f3263d + ":" + this.f3264e + "/drive");
                String b = C0764a.m5847b();
                // String that gets signed: lower-cased f3262c, newline, date string, newline
                String str = this.f3262c.toLowerCase() + "\n" + b + "\n";
                Mac instance = Mac.getInstance("HmacSha256");
                instance.init(new SecretKeySpec(this.f3265f.getBytes(), "HmacSha256"));
                str = C0770g.m5880a(instance.doFinal(str.getBytes("UTF-8"))).toLowerCase();
                // Headers sent with the WebSocket handshake
                Map hashMap = new HashMap();
                hashMap.put("Date", b);
                hashMap.put("Authorization", "NEATOAPP " + str);
                this.al = new C0655t(this, uri, new C0017f(), hashMap, 5000);
                this.al.m41a();
                new Thread(new C0661z(this)).start();
            } catch (Exception e) {
                C0767d.m5867a("ManualCleaningFragment", "Exception", e);
            }
        }
    }

I have also found what String b is
com/neatorobotics/android/utils/C0764a.java:89

    public static String m5847b() {
        Calendar instance = Calendar.getInstance();
        // Field 12 is Calendar.MINUTE: shift the clock by the stored server/device delta
        instance.add(12, (int) (((C0742a.m5809b(NeatoApplication.m5360a(), "SERVER_DEVICE_TIME_DELTA_MILLIS", 0) * -1) / 1000) / 60));
        SimpleDateFormat simpleDateFormat = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);
        simpleDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
        return simpleDateFormat.format(instance.getTime());
    }

So what we need to figure out is the following variables:
this.f3262c.toLowerCase()
this.f3265f.getBytes() < I am pretty sure this is secret_key
When we crack these - we get closer to communicating with the central server
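
How a receiver could check a header pair built the way the decompiled method above builds it, as an added example that is not part of the original post and is not Neato's code. It assumes `C0770g.m5880a` is a hex encoder; the identifier, the secret and the five-minute freshness window are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SCHEME = "NEATOAPP"              # prefix seen in the Authorization header
MAX_SKEW = timedelta(minutes=5)  # assumed freshness window, not taken from the post


def sign(identifier: str, date_hdr: str, secret: bytes) -> str:
    """HMAC-SHA256 over '<identifier lower-cased>\\n<Date>\\n' as lowercase hex (hex is assumed)."""
    msg = f"{identifier.lower()}\n{date_hdr}\n".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(headers: dict, identifier: str, secret: bytes, now=None):
    """Return (ok, reason) for a handshake carrying Date and Authorization headers."""
    now = now or datetime.now(timezone.utc)
    date_hdr = headers.get("Date", "")
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != SCHEME or not date_hdr or not presented:
        return False, "malformed"
    expected = sign(identifier, date_hdr, secret)
    # Constant-time comparison so response timing does not leak the expected MAC
    if not hmac.compare_digest(expected.encode(), presented.lower().encode()):
        return False, "bad signature"
    try:
        sent = parsedate_to_datetime(date_hdr)
    except (TypeError, ValueError):
        return False, "bad date"
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    # Only the identifier and the Date are signed, so the Date check is
    # the only thing that bounds how long a captured header stays valid.
    if abs(now - sent) > MAX_SKEW:
        return False, "stale"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-secret"                      # constructed sample value
    date = "Tue, 29 Dec 2015 09:17:57 GMT"
    hdrs = {"Date": date, "Authorization": f"{SCHEME} {sign('ABC123', date, key)}"}
    at = datetime(2015, 12, 29, 9, 18, 30, tzinfo=timezone.utc)
    print(verify(hdrs, "abc123", key, now=at))
    print(verify(hdrs, "abc123", key, now=at + timedelta(hours=1)))
```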
-
RE: Hacking a Neato Robotics BotVac Connected
If we can figure out what's going on between Cloud <-> Neato we can do a version which is independent of the Cloud-service being online or not - which also means that we can disallow it internet access
-
RE: Hacking a Neato Robotics BotVac Connected
What I have come up with so far is that the Neato itself is running a websocket server on port 8081 - and uses some kind of standard Auth-behavior in the headers:

    Hypertext Transfer Protocol
    GET /drive HTTP/1.1\r\n
    Host: xxx.xxx.xxx.xxx:8081\r\n
    Sec-WebSocket-Key: XXXXXXX==\r\n
    Sec-WebSocket-Version: 13\r\n
    Upgrade: websocket\r\n
    Origin: ws://xxx.xxx.xxx.xxx:8081/drive\r\n
    Date: Tue, 29 Dec 2015 09:17:57 GMT\r\n
    Authorization: NEATOAPP XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n
    Connection: Upgrade\r\n
    \r\n
    [Full request URI: http://xxx.xxx.xxx.xxx:8081/drive]
    [HTTP request 1/1]

There is also a port 8080 open but I cannot figure out what's running on that one.
The communication between the Neato and the central server is handled via a server on Amazon - this traffic is HTTPS though. Next step is to set up an SSLSplit and hope that they don't have a pinned cert.