Brain Hacking

U-Boot 2015.07-rc3-00005-gd777345 (Apr 25 2017 - 13:58:29 +0000) Allwinner Technology

CPU:   Allwinner A20 (SUN7I)
I2C:   ready
DRAM:  1 GiB
MMC:   Card did not respond to voltage select!
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   eth0: ethernet@01c50000
Unknown command 'usb' - try 'help'


1076 bytes read in 60 ms (16.6 KiB/s)
Loaded environment from uEnv.txt
Running uenvcmd ...
gpio: pin 239 (gpio 239) value is 0
gpio: pin PH2 (gpio 226) value is 1
26268 bytes read in 97 ms (263.7 KiB/s)
4810064 bytes read in 553 ms (8.3 MiB/s)
## Booting kernel from Legacy Image at 4c000000 ...
   Image Name:   Linux-4.1.0
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    4810000 Bytes = 4.6 MiB
   Load Address: 40008000
   Entry Point:  40008000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 48000000
   Booting using the fdt blob at 0x48000000
   Loading Kernel Image ... OK
   Loading Device Tree to 4eff6000, end 4efff69b ... OK

Starting kernel ...

Welcome to Arch Linux ARM!

[  OK  ] Created slice User and Session Slice.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Listening on Device-mapper event daemon FIFOs.
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Listening on udev Control Socket.
[  OK  ] Listening on Process Core Dump Socket.
[  OK  ] Listening on Network Service Netlink Socket.
[  OK  ] Created slice System Slice.
[  OK  ] Created slice system-systemd\x2dfsck.slice.
[  OK  ] Reached target Slices.
[  OK  ] Created slice system-serial\x2dgetty.slice.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
         Starting Journal Service...
         Starting Apply Kernel Variables...
         Starting File System Check on Root Device...
[  OK  ] Reached target Swap.
         Mounting Temporary Directory...
[  OK  ] Reached target Encrypted Volumes.
[  OK  ] Listening on udev Kernel Socket.
[  OK  ] Reached target Paths.
[  OK  ] Started Apply Kernel Variables.
[  OK  ] Mounted Temporary Directory.
[  OK  ] Started File System Check on Root Device.
         Starting Remount Root and Kernel File Systems...
[  OK  ] Started Journal Service.
[  OK  ] Started Remount Root and Kernel File Systems.
         Starting udev Coldplug all Devices...
         Starting Create Static Device Nodes in /dev...
[  OK  ] Started Create Static Device Nodes in /dev.
         Starting udev Kernel Device Manager...
[  OK  ] Reached target Local File Systems (Pre).
[  OK  ] Started udev Kernel Device Manager.
[  OK  ] Started udev Coldplug all Devices.
[  OK  ] Found device /dev/ttyS0.
[  OK  ] Found device /dev/mmcblk0p5.
[  OK  ] Found device /dev/mmcblk0p3.
[  OK  ] Found device /dev/mmcblk0p1.
[  OK  ] Found device /dev/mmcblk0p6.
         Starting File System Check on /dev/mmcblk0p6...
[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
         Starting File System Check on /dev/mmcblk0p1...
         Starting File System Check on /dev/mmcblk0p3...
         Starting File System Check on /dev/mmcblk0p5...
[  OK  ] Started File System Check on /dev/mmcblk0p6.
         Mounting /update...
[  OK  ] Started File System Check on /dev/mmcblk0p1.
         Mounting /boot...
[  OK  ] Mounted /boot.
[  OK  ] Mounted /update.
[  OK  ] Started File System Check on /dev/mmcblk0p3.
         Mounting /steady...
[  OK  ] Started File System Check on /dev/mmcblk0p5.
         Mounting /var...
[  OK  ] Mounted /steady.
[  OK  ] Mounted /var.
         Starting Flush Journal to Persistent Storage...
         Starting Network Time Synchronization...
         Starting Update UTMP about System Boot/Shutdown...
         Starting Load/Save Random Seed...
[  OK  ] Reached target Local File Systems.
[  OK  ] Started Load/Save Random Seed.
[  OK  ] Started Flush Journal to Persistent Storage.
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Started Network Time Synchronization.
[  OK  ] Reached target System Time Synchronized.
[  OK  ] Reached target System Initialization.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Started Check if wifi connection is fine.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Started NEEO Housekeeping Service Timer.
[  OK  ] Started Daily rotation of log files.
[  OK  ] Listening on Avahi mDNS/DNS-SD Stack Activation Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
[  OK  ] Started D-Bus System Message Bus.
         Starting Network Service...
         Starting Login Service...
[  OK  ] Started Entropy Harvesting Daemon.
         Starting NEEO GPIO init...
[  OK  ] Started Daily verification of password and group files.
[  OK  ] Reached target Timers.
[  OK  ] Started Network Service.
[  OK  ] Reached target Network.
         Starting Permit User Sessions...
[  OK  ] Started OpenSSH Daemon.
[  OK  ] Reached target Network is Online.
         Starting A lightweight DHCP and caching DNS server...
         Starting Network Name Resolution...
[  OK  ] Started Permit User Sessions.
[  OK  ] Started NEEO GPIO init.
[  OK  ] Started Login Service.
[  OK  ] Started 6lowpan router.
[  OK  ] Started Prosyst Runtime.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Started Network Name Resolution.
[  OK  ] Started A lightweight DHCP and caching DNS server.

Arch Linux 4.1.0 (ttyS0)

NEEO-xxxxxxxx login:

Now, to get the login... 😉

35replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • I do think you have voided your warranty 😉

    Reply Like
      • Richard
      • Richard
      • 1 yr ago
      • 1
      • Reported - view

      Patrick definitely.. 😀👍

      Reply Like 1
  • Richard did you ever manage to login to your brain? Given the latest responses?

    Reply Like
    • Gilles van den Hoven I was able to get the same screen but not been able to get in yet. :( 

      i have tried to shorten the eMMC chip to get passed uboot but it’s protected. 

      Desoldering the eMMC or worrying the pins to a sd card seems the only way to hack in. We just need someone that knows what he’s doing and willing to potentially destroy his brain

      Reply Like
    • Niels de Klerk not many people will do that now, given that getting a replacement is impossible. I'm still hoping NEEO can be convinced to give us access.

      Reply Like 1
    • Alexander Graf I will if i have to.

      Reply Like 1
    • Niels de Klerk right, I would as well, if I would know what I was doing :) I can solder SMT and know my way around an ARM CPU but I never tried anything like this.

      Reply Like
    • Alexander Graf i'm a noob at that. it doesn't seem fair to ask someone to do it. but it's a possible way in. who ever has the know how could chose to do this. the risk of turning the CP6 into a napkin holder is high.

      Background info:

      Reply Like
  • Technical information:

    Please keep discussions elswhere and only share missing info in that topic.

    Reply Like
    • Niels de Klerk Awesome! First step seems to be done. 

      Reply Like
    • Alexander Graf I'm hoping that others will pick up where i'm now.
      The information i provided are broad in terms of knowledge and impossible for me to focus on all bits. so let's see who is able to add to the knowledge i've provided. Also a good test to see who's willing and capable to move forward this product. 

      Reply Like
    • Niels de Klerk my background is software engineering and network infrastructure so I’m hopefully going to be more help later on.

      Reply Like 1
      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 9 days ago
      • 2
      • Reported - view

      Niels de Klerk I'm setting up a wiki to hold all the info I get.   Embedded Linux and arm hardware is my day to day thing.

      Reply Like 2
    • Tom M great. I came a long way, but none of this is close to what i do for a living. We need expertise in the field.

      Reply Like 1
      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 7 days ago
      • Reported - view

      Niels de Klerk Going by the pics from the FCC reports ( the remote is based on the STM32F4 MCU which is an Arm cortex M4 with FPU. I know you can run uclinux on that chip (did so as part of a proof of concept that went nowhere) but its clunky.

      I still have the eval board!

      TI CC3100 wifi and an NXP zigbee for comms.   Well now we know the neeolink is zigbee :)

      Reply Like
    • Tom M NEEOlink is 6lowpan. Both are using the same physical layer. ieee 802.15.4

      Reply Like
      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 7 days ago
      • Reported - view

      Niels de Klerk At this point I'm only looking at the hardware.   I really want to know how they intended the palm sensor to work as the patent said very little.   And it confirms what the little lattice FPGA is for in the remote.   I can't see how it would have worked given its location.   Usually when I'm holding the remote that sensor on the back is in free air :)

      Reply Like
    • Tom M great. My hardware knowledge is not great. I’m learning while attacking it. But not at the level that I can actually make a difference. So knowing that you’re investigating is cool.

      Reply Like
      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 7 days ago
      • Reported - view

      Niels de Klerk Have you looked at any of the communications from the brain to the app and to Neeo when adding/editing devices?

      Reply Like
    • Tom M yes. I’ve shared all these API’s in my post. The code tool emulates a brain in it simplest form, including informing the remote a change is made in the xml

      Reply Like
      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 7 days ago
      • Reported - view

      Niels de Klerk Where does it get the IR codes from?   When you add a new device it must get the data from Neeo's cloud in some format.

      Reply Like
    • Tom M a cloud service protected by a certificate:/ my basic tricks didn’t work I’m afraid. 

      Reply Like
      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 7 days ago
      • Reported - view

      Niels de Klerk ahh. that does make sense.   They would have been bonkers not to have secured it.

      What is confusing me is that while looking over the PCBs I have yet to find something that looks like a traditional IR receiver.

      Reply Like
    • Tom M I hoped there was a way to include Ir codes via the SDK but there seems no way of doing that. Yay to cloud services.... 🤔

      Reply Like 1
      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 7 days ago
      • Reported - view

      Niels de Klerk They have stated that the device database was a key part of their IP.

      Reply Like
    • Tom M I know, I just tried to offer my own Ir drivers.

      Reply Like 1
      • Bernard Cooper
      • Software Tester / Tech Enthusiast / Disenchanted KS NEEO backer
      • Bernard_Cooper
      • 6 days ago
      • Reported - view

      Tom M True.... which is, of course, the only reason they're still adding codes for new devices.  Every time they add a device to the database under the auspices of supporting the NEEO owners they're also enhancing the Control4 eco-system and making it a more attractive product for those willing to throw money at the company.  If it weren't for that, we'd be in a true warranty period scenario where they just keep the lights on and (begrudgingly) fix major problems if enough people complain about / can replicate them.  I'm wondering if the promised learning functionality that was talked about was a lie.  Kickstarter projects that deliver but then never live up to the promises we're sold during the campaign are the ones that sting the most.

      I'm following the progress of Niels, yourself and others intently.  Sadly all I can offer to the pursuit of our NEEO dream is support and encouragement.

      Reply Like
      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 6 days ago
      • 1
      • Reported - view

      Bernard Cooper Encouragement is good.   These forums have gone dead since they announced the sale to control4.   It is hard to express my disappointment in NEEO both as a product and a company without turning the air blue.   It had so much promise.   I'd love to have seen the sales pitch to control4 :)

      Reply Like 1
      • Markus M
      • Markus_M
      • 6 days ago
      • 1
      • Reported - view

      Niels de Klerk 

      I hoped there was a way to include Ir codes via the SDK but there seems no way of doing that.

      I had the same hope.

      Keep up hacking the remote! I still hope that the community manages to keep the remote alive.

      Reply Like 1
  • I don't think "hacking" or "hacking attempts" on the device is something that should be done on the forums of the manufacturer. It's like asking for trouble.

    Reply Like
    • Alessandro deGol could you explain why not? The most NEEO users are here already. It’s both transparent for us and for NEEO. If NEEO has obligations to it then we’ll hear that as well. 

      Reply Like 2
    • Niels de Klerk Hacking can't be transparent unless it's ethical hacking which is not the case. You are looking for ways to breach IP on the very same forum of the IP owner. It would be foolish, even if someone got into NEEOs firmware to release anything here as that's illegal activity. I understand the emotional reasoning behind this but you should know better than this.

      Reply Like
      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 5 days ago
      • 1
      • Reported - view

      Alessandro deGol hold on, we are not breaking their IP.   Replace their IP, yes.   Make use of existing un-encrypted protocols, again yes.

      What we have is a brain that is an off the shelf ARM module running Linux connected to a Wifi module, a zwave module and a zigbee module along with a load of IR LEDs.   There is nothing proprietary in that design.   The remote design is equally simple and based on reference designs with the exception of the palm sensor.

      Writing new open source firmware for the NEEO is not illegal.   Getting it onto the brain might be a total pain though.

      Reply Like 1
    • Alessandro deGol it’s transparent as it’s on the NEEO forms. It’s visible and open to them, they have the data we shared under their control. 

      Where I live I own the product and may do with it what I want. What I cannot do is share parts of their code without their consent. We are not even close to that. But if we where then build a script to change their IP is still in the possibilities. Or replacing they’re IP entirely.

      NEEO is having control over what we’ve shared as it’s posted here, Both NEEO and Control4 have all my contact details. I had enough contact with the NEEO team to know they would have instantly called me and ask me to stop sharing my knowledge if they feel the need.

      with all this in mind I believe talking about it here is the best and honest thing to do.

      Reply Like 5
  • I'm afraid I can not offer much help, but find this all very interesting and will be following your progress. 👍

    Reply Like 2
Like9 Follow