VR300 firmware download... Neato..
So looking at the VR300 page, can download firmware 4.5.1
https://kobold.vorwerk.de/service/servi ... ease-notes
Unzip it... unzip the tar tgz....
Neato_4.5.1_186.bin ... with cert files.
Anyone been poking around at all on these?
NeatoToolio
Windows @ https://github.com/jdredd87/NeatoToolio ... Toolio.exe
Google Play Store @ https://play.google.com/store/apps/deta ... eatoToolio
Re: VR300 firmware download... Neato..
This is interesting. I don't know of a way to flash it without an OTA update. It can be used for reverse engineering, if the content isn't encrypted.
Re: VR300 firmware download... Neato..
Not sure if encrypted or not... there is a little bit of readable text in there showing neato name, the d3/d5/d7 model names ...
What made me think of this, was playing with the USB>Serial interface on my d3/d7s...
Having "UPLOAD" and a comment about "VR300 brush motor"
Re: VR300 firmware download... Neato..
Would be interesting to see if this upload method also works on the Neato devices. I have one D5 to update, maybe worth trying (if I find the OTG cable).
Re: VR300 firmware download... Neato..
The content seems encrypted, but the first line is readable and it seems that this update applies to D3, D4, D5, D6, D7 and VR220 models - no VR300 model (?). This can help people with firmware issues without waiting for an OTA update (like the problem that I got with the battery auth flag set to 0 and no charging, solved by a firmware update).
If I find the OTG cable that I bought some time ago, I'll try to flash it on a D5.
Why release it as a Vorwerk update, but not as a Neato update? AFAIK Neato allowed only OTA updates for the D series devices (while for older models there was also the USB update).
Re: VR300 firmware download... Neato..
Lost my OTG cable... ordered 2 more. As soon as I receive them I'll try this firmware update.
Re: VR300 firmware download... Neato..
Interested to see if it takes it.. thought about buying a D5 board, to upgrade the D3 I have with the side brush I added but can't be activated. Use the D3 board as a testing board for this and such things.. until it's a brick.
Re: VR300 firmware download... Neato..
Uhm, 4.5.1 wasn't an update available for d series. Latest is 4.5.3-189
Re: VR300 firmware download... Neato..
masterx81 wrote: Uhm, 4.5.1 wasn't an update available for d series. Latest is 4.5.3-189
That seems correct.
Which probably tells me Vorwerk now gets software at different intervals than the Neato hardware.
I doubt it is a 1:1 release versioning between Vorwerk and Neato.
Looking here, you can get older versions for the VR300
https://support.vorwerk.com/hc/en-us/ar ... hat-s-new-
4.4.1
4.5.0
4.5.1
4.5.3
Re: VR300 firmware download... Neato..
https://www.neatorobotics.com/it/my-nea ... update-d3/
And here for the D series. Seems that most are in common. 4.5.1 excluded.
Maybe 4.5.1 included improvements only for the vr300
Re: VR300 firmware download... Neato..
I managed to get access to the "Neato_4.5.3_189.tgz" Firmware. It contains the same files that you're seeing:
"Neato_4.5.3_189.bin"
"Neato_4.5.3_189.signed"
"Signing.crt"
So far no luck with the ".bin" but in a hex editor I do see the model numbers like you mentioned.
Does anyone know what type of OS the Neato is running? Some sort of Embedded Linux? It would help to know what type of SOC (chipset) the Neato has.
Edit:
Just noticed that Neato released some sort of XV toolchain here: https://www.neatorobotics.com/lab/linux/
Interesting, anyone know why they made this available?
Re: VR300 firmware download... Neato..
Scapegoat wrote:
I managed to get access to the "Neato_4.5.3_189.tgz" Firmware. It contains the same files that you're seeing:
"Neato_4.5.3_189.bin"
"Neato_4.5.3_189.signed"
"Signing.crt"
So far no luck with the ".bin" but in a hex editor I do see the model numbers like you mentioned.
Does anyone know what type of OS the Neato is running? Some sort of Embedded Linux? It would help to know what type of SOC (chipset) the Neato has.
Edit:
Just noticed that Neato released some sort of XV toolchain here: https://www.neatorobotics.com/lab/linux/
Interesting, anyone know why they made this available?
Being it uses what looks to be a slightly custom ARM CPU based around the TI 962/962B ARM CPU.. linux variant.
QNX @ https://en.wikipedia.org/wiki/QNX looks to be it.
Interesting doc @ https://www.usenix.org/system/files/woo ... llrich.pdf
Re: VR300 firmware download... Neato..
Interesting doc @ https://www.usenix.org/system/files/woo ... llrich.pdf
Thanks for finding that, very interesting read. According to that white paper, the last version that contained the non-secure boot vulnerability is "4.4.0_72." I do have the "Neato_4.4.0_72.tgz" (Forums wouldn't let me upload it) for that firmware in case anyone wants to try the "Upload" command to flash the firmware and then attempt the exploit.
The part that I was most interested in was the Static Firmware Analysis. I'm surprised that the firmware dump actually gave them that much info
Re: VR300 firmware download... Neato..
Well I guess I should have formatted it better...
XV uses a Linux variant
Botvac uses QNX
Be interesting to see an old firmware model opened up... and if anyone can find any info/usage of the serial commands and such
Re: VR300 firmware download... Neato..
So based on some research, it seems like the ".bin" is a compressed QNX Image File System (IFS).
If we could decompress the ".bin" then we could use the QNX "dumpifs" tool (https://github.com/askac/dumpifs) to dump the contents of the file system and get a peek at all the binaries.
I found this script that someone made years ago to decompress a ".bin" from an Audi QNX OS: https://github.com/unbe/mmi-ifs However, it does not work when decompressing the Neato firmware. Seems like the header it's looking for isn't there. The header it looks for comes from this QNX document http://www.qnx.com/developers/docs/6.6. ... eader.html. Looking through the ".bin" with a hex editor, I don't see anything close to that header.
I think the "Static Firmware Analysis" performed in the white paper actually dumped the IFS from the running bot. So if we could decompress the ".bin" then we could essentially see the same info/binaries that were outlined in the paper.
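A triage sketch for the question raised in the post above (an added example, not code from the thread or from any of the linked tools): it searches a blob at every offset for the QNX startup-header signature 0x00ff7eeb and the "imagefs" image signature, decodes the compression bits of flags1, and falls back to byte entropy when no signature is present. The sample blobs and the 64-byte text header are constructed assumptions and say nothing about the real layout of the Neato file.

```python
import hashlib
import math
import struct

STARTUP_SIG = struct.pack("<I", 0x00FF7EEB)  # QNX startup_header signature, little-endian
IMAGE_SIG = b"imagefs"                       # QNX image_header signature
COMPRESS = {0x00: "none", 0x04: "zlib", 0x08: "lzo", 0x0C: "ucl"}  # flags1 & 0x1c

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 look random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_markers(blob: bytes):
    """Return sorted (offset, kind, compression) for each IFS signature found."""
    hits = []
    for sig, kind in ((STARTUP_SIG, "startup_header"), (IMAGE_SIG, "image_header")):
        pos = blob.find(sig)
        while pos != -1:
            comp = "n/a"
            if kind == "startup_header" and pos + 8 <= len(blob):
                # Layout after the signature: u16 version, u8 flags1, u8 flags2
                _version, flags1 = struct.unpack_from("<HB", blob, pos + 4)
                comp = COMPRESS.get(flags1 & 0x1C, "unknown")
            hits.append((pos, kind, comp))
            pos = blob.find(sig, pos + 1)
    return sorted(hits)

def triage(blob: bytes, skip: int = 0) -> str:
    """Classify a blob; `skip` bytes of vendor header are ignored for entropy."""
    hits = find_markers(blob)
    if hits:
        off, kind, comp = hits[0]
        return f"{kind} at 0x{off:x}, compression={comp}"
    # Compressed data and ciphertext both sit near 8 bits/byte, so entropy
    # alone cannot tell them apart; report them as one class.
    if entropy(blob[skip:]) > 7.5:
        return "opaque: headerless compression or encryption"
    return "low entropy: plain data"

# Constructed samples, not real firmware. The 64-byte text header is an assumption.
VENDOR = b"Neato 4.5.3 D3 D5 D7".ljust(64, b"\0")
WRAPPED_IFS = VENDOR + STARTUP_SIG + struct.pack("<HBB", 1, 0x04, 0) + b"\0" * 248
OPAQUE = VENDOR + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
```

A signature hit at a non-zero offset means the vendor header can simply be stripped before handing the rest to an IFS tool; the "opaque" result matches what the poster describes and needs more than a header search to resolve.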
Re: VR300 firmware download... Neato..
Any way I can get a copy of the Neato_4.4.0_72.tgz ?
Re: VR300 firmware download... Neato..
jdredd wrote: Any way I can get a copy of the Neato_4.4.0_72.tgz ?
Sure, I just sent it to you in a PM for now since the forums won't let me upload it. I saw on one of your posts that you have a few Neatos that you seem to hack around with. Would be great if you could try some of the stuff from the white paper.
Let me know if you find anything
Re: VR300 firmware download... Neato..
Need to find a tool that can handle the QNX Neutrino flavor I take it.. ?
Re: VR300 firmware download... Neato..
jdredd wrote: Need to find a tool that can handle the QNX Neutrino flavor I take it.. ?
Still need to do more research to determine that. Since the ".bin" seems to have a Neato header at the top (version info, model info, etc) it's possible that Neato compresses or encrypts the image somehow.
Re: VR300 firmware download... Neato..
Anyone attempt to run this bin yet on a Neato?