There's good news guys. I finally figured out how the HMAC signature is calculated and now i'm able to control the neato without the mobile application, which offers all kinds of new integration options.
What can be found in com/neatorobotics/android/activities/robot/C0645j.java is just half of the truth and i was looking at this part for way to long, i'm not sure where this part is used. maybe this would be the part where one can communicate with the neato without making use of the cloudservice. who knows 
The actual fun starts in com/neatorobotics/android/p040c/p042b/C0898b.java the code reveals that there are 3 ingredients making up the HMAC signature
- the robot's serial number
- the current date (as also found in the Date header)
- the http body
Together with the robot's secret key we're now able to properly sign the requests.
I've packaged this in a small ruby library https://github.com/kangguru/botvac which is
quite basic and just covers just a little more than i needed for my usecase
but i'm happy to extend this over time.
Especially the part to obtain the secret key for the robot just be done via
trafic capturing, which is not the most convinent thing i can think of 
I hope this already helps some people to build new things around their robot. I've mixed the
stuff with ifttt.com and now can plan the cleaning schedule via a google calendar, which
makes it really convinent to skip single days in a given schedule, which ist kinda painful to
solve with the mobile app.
happy hacking
