Brain Hacking

U-Boot 2015.07-rc3-00005-gd777345 (Apr 25 2017 - 13:58:29 +0000) Allwinner Technology

CPU:   Allwinner A20 (SUN7I)
I2C:   ready
DRAM:  1 GiB
MMC:   Card did not respond to voltage select!
SUNXI SD/MMC: 1, SUNXI SD/MMC: 0
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   eth0: ethernet@01c50000
Unknown command 'usb' - try 'help'

BOOTING NEEO Brain CP6

1076 bytes read in 60 ms (16.6 KiB/s)
Loaded environment from uEnv.txt
Running uenvcmd ...
gpio: pin 239 (gpio 239) value is 0
gpio: pin PH2 (gpio 226) value is 1
26268 bytes read in 97 ms (263.7 KiB/s)
4810064 bytes read in 553 ms (8.3 MiB/s)
## Booting kernel from Legacy Image at 4c000000 ...
   Image Name:   Linux-4.1.0
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    4810000 Bytes = 4.6 MiB
   Load Address: 40008000
   Entry Point:  40008000
   Verifying Checksum ... OK
## Flattened Device Tree blob at 48000000
   Booting using the fdt blob at 0x48000000
   Loading Kernel Image ... OK
   Loading Device Tree to 4eff6000, end 4efff69b ... OK

Starting kernel ...


Welcome to Arch Linux ARM!

[  OK  ] Created slice User and Session Slice.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Listening on Device-mapper event daemon FIFOs.
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Listening on udev Control Socket.
[  OK  ] Listening on Process Core Dump Socket.
[  OK  ] Listening on Network Service Netlink Socket.
[  OK  ] Created slice System Slice.
[  OK  ] Created slice system-systemd\x2dfsck.slice.
[  OK  ] Reached target Slices.
[  OK  ] Created slice system-serial\x2dgetty.slice.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
         Starting Journal Service...
         Starting Apply Kernel Variables...
         Starting File System Check on Root Device...
[  OK  ] Reached target Swap.
         Mounting Temporary Directory...
[  OK  ] Reached target Encrypted Volumes.
[  OK  ] Listening on udev Kernel Socket.
[  OK  ] Reached target Paths.
[  OK  ] Started Apply Kernel Variables.
[  OK  ] Mounted Temporary Directory.
[  OK  ] Started File System Check on Root Device.
         Starting Remount Root and Kernel File Systems...
[  OK  ] Started Journal Service.
[  OK  ] Started Remount Root and Kernel File Systems.
         Starting udev Coldplug all Devices...
         Starting Create Static Device Nodes in /dev...
[  OK  ] Started Create Static Device Nodes in /dev.
         Starting udev Kernel Device Manager...
[  OK  ] Reached target Local File Systems (Pre).
[  OK  ] Started udev Kernel Device Manager.
[  OK  ] Started udev Coldplug all Devices.
[  OK  ] Found device /dev/ttyS0.
[  OK  ] Found device /dev/mmcblk0p5.
[  OK  ] Found device /dev/mmcblk0p3.
[  OK  ] Found device /dev/mmcblk0p1.
[  OK  ] Found device /dev/mmcblk0p6.
         Starting File System Check on /dev/mmcblk0p6...
[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
         Starting File System Check on /dev/mmcblk0p1...
         Starting File System Check on /dev/mmcblk0p3...
         Starting File System Check on /dev/mmcblk0p5...
[  OK  ] Started File System Check on /dev/mmcblk0p6.
         Mounting /update...
[  OK  ] Started File System Check on /dev/mmcblk0p1.
         Mounting /boot...
[  OK  ] Mounted /boot.
[  OK  ] Mounted /update.
[  OK  ] Started File System Check on /dev/mmcblk0p3.
         Mounting /steady...
[  OK  ] Started File System Check on /dev/mmcblk0p5.
         Mounting /var...
[  OK  ] Mounted /steady.
[  OK  ] Mounted /var.
         Starting Flush Journal to Persistent Storage...
         Starting Network Time Synchronization...
         Starting Update UTMP about System Boot/Shutdown...
         Starting Load/Save Random Seed...
[  OK  ] Reached target Local File Systems.
[  OK  ] Started Load/Save Random Seed.
[  OK  ] Started Flush Journal to Persistent Storage.
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Started Network Time Synchronization.
[  OK  ] Reached target System Time Synchronized.
[  OK  ] Reached target System Initialization.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Started Check if wifi connection is fine.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Started NEEO Housekeeping Service Timer.
[  OK  ] Started Daily rotation of log files.
[  OK  ] Listening on Avahi mDNS/DNS-SD Stack Activation Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
[  OK  ] Started D-Bus System Message Bus.
         Starting Network Service...
         Starting Login Service...
[  OK  ] Started Entropy Harvesting Daemon.
         Starting NEEO GPIO init...
[  OK  ] Started Daily verification of password and group files.
[  OK  ] Reached target Timers.
[  OK  ] Started Network Service.
[  OK  ] Reached target Network.
         Starting Permit User Sessions...
[  OK  ] Started OpenSSH Daemon.
[  OK  ] Reached target Network is Online.
         Starting A lightweight DHCP and caching DNS server...
         Starting Network Name Resolution...
[  OK  ] Started Permit User Sessions.
[  OK  ] Started NEEO GPIO init.
[  OK  ] Started Login Service.
[  OK  ] Started 6lowpan router.
[  OK  ] Started Prosyst Runtime.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Started Network Name Resolution.
[  OK  ] Started A lightweight DHCP and caching DNS server.

Arch Linux 4.1.0 (ttyS0)

NEEO-xxxxxxxx login:

Now, to get the login... 😉

  • I do think you have voided your warranty 😉

      • Richard
      • Richard
      • 5 yrs ago
      • 1

      Patrick definitely.. 😀👍

    • Patrick not really relevant anymore, is it?

  • Richard did you ever manage to login to your brain? Given the latest responses?

    • Gilles van den Hoven I was able to get the same screen but have not been able to get in yet. :(

      I have tried to short the eMMC chip to get past U-Boot but it’s protected.

      Desoldering the eMMC or wiring the pins to an SD card seems the only way to hack in. We just need someone that knows what he’s doing and willing to potentially destroy his brain

    • Niels de Klerk not many people will do that now, given that getting a replacement is impossible. I'm still hoping NEEO can be convinced to give us access.

    • Alexander Graf I will if I have to.

    • Niels de Klerk right, I would as well, if I would know what I was doing :) I can solder SMT and know my way around an ARM CPU but I never tried anything like this.

    • Alexander Graf I'm a noob at that. It doesn't seem fair to ask someone to do it, but it's a possible way in. Whoever has the know-how could choose to do this. The risk of turning the CP6 into a napkin holder is high.

      Background info:

      https://www.google.com/search?q=emmc+chip+SD+card

  • Technical information:

    https://planet.neeo.com/t/63nb25

    Please keep discussions elsewhere and only share missing info in that topic.

    • Niels de Klerk Awesome! First step seems to be done. 

    • Alexander Graf I'm hoping that others will pick up where I am now.
      The information I provided is broad in terms of knowledge and it is impossible for me to focus on all bits. So let's see who is able to add to the knowledge I've provided. Also a good test to see who's willing and capable to move forward this product.

    • Niels de Klerk my background is software engineering and network infrastructure so I’m hopefully going to be more help later on.

      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 4 yrs ago
      • 2

      Niels de Klerk I'm setting up a wiki to hold all the info I get.   Embedded Linux and arm hardware is my day to day thing.

    • Tom M great. I came a long way, but none of this is close to what I do for a living. We need expertise in the field.

      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 4 yrs ago

      Niels de Klerk Going by the pics from the FCC reports (https://fccid.io/2AKK7-RM633601/Internal-Photos/Internal-Photos-3404399) the remote is based on the STM32F4 MCU, which is an Arm Cortex-M4 with FPU. I know you can run uClinux on that chip (did so as part of a proof of concept that went nowhere) but it's clunky.

      I still have the eval board!

      https://www.st.com/en/evaluation-tools/32f429idiscovery.html

      TI CC3100 wifi and an NXP zigbee for comms.   Well now we know the neeolink is zigbee :)

    • Tom M NEEOlink is 6LoWPAN. Both are using the same physical layer, IEEE 802.15.4.

      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 4 yrs ago

      Niels de Klerk At this point I'm only looking at the hardware.   I really want to know how they intended the palm sensor to work as the patent said very little.   And it confirms what the little lattice FPGA is for in the remote.   I can't see how it would have worked given its location.   Usually when I'm holding the remote that sensor on the back is in free air :)

    • Tom M great. My hardware knowledge is not great. I’m learning while attacking it. But not at the level that I can actually make a difference. So knowing that you’re investigating is cool.

      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 4 yrs ago

      Niels de Klerk Have you looked at any of the communications from the brain to the app and to Neeo when adding/editing devices?

    • Tom M yes. I’ve shared all these APIs in my post. The code tool emulates a brain in its simplest form, including informing the remote that a change is made in the XML.

      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 4 yrs ago

      Niels de Klerk Where does it get the IR codes from?   When you add a new device it must get the data from Neeo's cloud in some format.

    • Tom M a cloud service protected by a certificate :/ My basic tricks didn’t work, I’m afraid.

      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 4 yrs ago

      Niels de Klerk ahh. that does make sense.   They would have been bonkers not to have secured it.

      What is confusing me is that while looking over the PCBs I have yet to find something that looks like a traditional IR receiver.

    • Tom M I hoped there was a way to include IR codes via the SDK but there seems to be no way of doing that. Yay to cloud services.... 🤔

      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 4 yrs ago

      Niels de Klerk They have stated that the device database was a key part of their IP.

    • Tom M I know, I just tried to offer my own IR drivers.

      • Bernard Cooper
      • Software Tester / Tech Enthusiast / Disenchanted KS NEEO backer
      • Bernard_Cooper
      • 4 yrs ago

      Tom M True.... which is, of course, the only reason they're still adding codes for new devices.  Every time they add a device to the database under the auspices of supporting the NEEO owners they're also enhancing the Control4 eco-system and making it a more attractive product for those willing to throw money at the company.  If it weren't for that, we'd be in a true warranty period scenario where they just keep the lights on and (begrudgingly) fix major problems if enough people complain about / can replicate them.  I'm wondering if the promised learning functionality that was talked about was a lie.  Kickstarter projects that deliver but then never live up to the promises we're sold during the campaign are the ones that sting the most.

      I'm following the progress of Niels, yourself and others intently.  Sadly all I can offer to the pursuit of our NEEO dream is support and encouragement.

      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 4 yrs ago
      • 1

      Bernard Cooper Encouragement is good.   These forums have gone dead since they announced the sale to control4.   It is hard to express my disappointment in NEEO both as a product and a company without turning the air blue.   It had so much promise.   I'd love to have seen the sales pitch to control4 :)

      • Markus M
      • Markus_M
      • 4 yrs ago
      • 1

      Niels de Klerk 

      I hoped there was a way to include IR codes via the SDK but there seems to be no way of doing that.

      I had the same hope.

      Keep up hacking the remote! I still hope that the community manages to keep the remote alive.

  • I don't think "hacking" or "hacking attempts" on the device is something that should be done on the forums of the manufacturer. It's like asking for trouble.

    • Alessandro deGol could you explain why not? Most NEEO users are here already. It’s both transparent for us and for NEEO. If NEEO has obligations to it then we’ll hear that as well.

    • Niels de Klerk Hacking can't be transparent unless it's ethical hacking, which is not the case. You are looking for ways to breach IP on the very same forum of the IP owner. It would be foolish, even if someone got into NEEO's firmware, to release anything here as that's illegal activity. I understand the emotional reasoning behind this but you should know better than this.

      • Tom M
      • Breaker of hardware, writer of bugs
      • Tom_M
      • 4 yrs ago
      • 2

      Alessandro deGol hold on, we are not breaking their IP.   Replace their IP, yes.   Make use of existing un-encrypted protocols, again yes.

      What we have is a brain that is an off the shelf ARM module running Linux connected to a Wifi module, a zwave module and a zigbee module along with a load of IR LEDs.   There is nothing proprietary in that design.   The remote design is equally simple and based on reference designs with the exception of the palm sensor.

      Writing new open source firmware for the NEEO is not illegal.   Getting it onto the brain might be a total pain though.

    • Alessandro deGol it’s transparent as it’s on the NEEO forums. It’s visible and open to them, they have the data we shared under their control.

      Where I live I own the product and may do with it what I want. What I cannot do is share parts of their code without their consent. We are not even close to that. But if we were, then building a script to change their IP is still in the possibilities. Or replacing their IP entirely.

      NEEO has control over what we’ve shared as it’s posted here. Both NEEO and Control4 have all my contact details. I had enough contact with the NEEO team to know they would have instantly called me and asked me to stop sharing my knowledge if they felt the need.

      With all this in mind I believe talking about it here is the best and honest thing to do.

      • ben simon
      • ben_simon
      • 3 yrs ago
      • 2

      Niels de Klerk I got my hands on the new Bootloader.bin and all other files from a Control4 controller. Is there any way to use your fake brain tool to load those into the NEEO remote?

    • ben simon possibly. There’s a firmware update provided by the brain to the remote. 

    • ben simon what's new about this bootloader? New features? Can you share it with me?

      • ben simon
      • ben_simon
      • 3 yrs ago
      • 2

      Niels de Klerk is there a way to manipulate the remote to take the new files of firmware and bootloader from a different host?

    • ben simon Where on a Control4 controller or the Composer directory structure did you find the new Bootloader.bin?

  • I'm afraid I can not offer much help, but find this all very interesting and will be following your progress. 👍

    • Aaron Ranson I can only hope you manage to do this. Best wishes from Sweden

  • Recently I got my hands on one of the devices and took a look at the brain. Is there something in particular that the community wants to achieve?

      • Fonzo
      • Fonzo
      • 3 yrs ago
      • 2

      Dennis Giese I do not know if the effort is worth it; it is not like a Xiaomi vacuum cleaner that is sold a lot, and the device is no longer available. If there were any way to use the device independently of the cloud, that would of course be great. Because finally when the cloud is switched off, you can no longer add new IR devices.
      If there was a way to customize the user interface, that would be great also. If there is any possibility to save existing devices and a way to re-import them to the device, that would also be really great.

  • I see. My issue is, that I have now a rooted device and don't know exactly what the functionality of it is. So I need some guidance in that ;)

  • That sounds good, I would like to thank you very much for the commitment in DustCloud and the whole clarification of the protocol. I myself used the knowledge from DustCloud to control the vacuum cleaner via IP-Symcon and the card data is transferred from the vacuum cleaner to IP-Symcon.

    The biggest hurdles at NEEO are:
    - There is an SDK with limited possibilities. One thing is that the SDK driver always has to run on an external computer. So it would be the question whether it is somehow possible to run an SDK driver directly on the brain without additional hardware. I don't know if the brain has enough memory and the computing power to be able to do that.
    - Setting up a new device only works via the cloud. If this is switched off, the device is electronic waste. It would, therefore, be important to be able to make a kind of backup so that at least the devices that have been set up at the time can be saved back at a later time or maybe even used for a second NEEO to transfer a configuration
    - The possibilities of adapting the surface are very limited, if you could find a way to adapt more, this would at least significantly improve the operation of the device and the individualization.
    - IR devices can only be added via the cloud, so if a new device is available in the future, you won't be able to add it anymore. Unless you understand the structure of the IR codes for NEEO and will find a way in the future to be able to add devices to the NEEO without the cloud.
    - Ideally, something like DustCloud would be a solution for NEEO without the cloud that most users would want here, but will never come from the current owner of the rights and the hardware, who simply leaves the previous users in the rain. If the know-how is enough to get the device somehow independent of the cloud, that would be the only hope that many here may still use the device in the long term, until the hardware eventually gives up

  • We should move the discussion to telegram or so. Drop me a mail and I share details. dgiese at mit.edu

  • Niels de Klerk if I only have the remote with no connected brain, how can I use your tool to flash files on the device using my laptop with Node.js installed? Is there a default IP I can set my laptop to for the NEEO to see the server running? Thanks!

  • root access is now available. See also
    Patch for NEEO brian for root access

    or

    DustBuilder for NEEO Brain

      • Bernard Cooper
      • Software Tester / Tech Enthusiast / Disenchanted KS NEEO backer
      • Bernard_Cooper
      • 2 yrs ago

      Fonzo Wow! Great news. I look forward, with great anticipation, to see what new life we'll be able to breathe into our NEEOs.

  • See also

    https://twitter.com/dgi_DE/status/1267941534470680577

    for more information for the Dustbuilder patch.

  • Hello

    I'm trying to install the patched firmware, but I can't find out the IP address from the brain.

    I use an Apple AirPort Time Capsule as a router.

    any tips?

    thanks

      • Fonzo
      • Fonzo
      • 2 yrs ago

      Daniel Jordi I don't know timecapsule, but isn't there a list like every router with dhcp in which all connected devices are listed?

    • Only the wireless connected devices are listed.

    • Daniel Jordi did you find out?

    • nuro yes, I found the IP in the NEEO app.

      But I could not install the patched firmware. Don't know what I'm doing wrong.

  • Check the Neeo App. There might be a page with this information.

    Edit: Open the Settings through the icon in the top right corner and go to the page "About"

      • Markus M
      • Markus_M
      • 2 yrs ago

      Daniel Jordi for the sake of completeness: You can also find an "about" menu on the NEEO remote by tapping on the three bars on the main screen.

      It shows the various IP addresses, firmware versions and other information.

    • Markus M thanks, will give it a try within the next days.
