VR300 firmware download... Neato..

jdredd
Robot Addict
Posts: 181
Joined: December 31st, 2019, 4:57 pm

VR300 firmware download... Neato..

Post by jdredd »

So looking at the VR300 page, can download firmware 4.5.1

https://kobold.vorwerk.de/service/servi ... ease-notes

Unzip it... unzip the tar tgz....

Neato_4.5.1_186.bin ... with cert files.

Anyone been poking around at all on these?
masterx81
Robot Addict
Posts: 134
Joined: May 9th, 2019, 5:08 am

Re: VR300 firmware download... Neato..

Post by masterx81 »

This is interesting. I don't know a way to flash it without an OTA update. It can be used for reverse engineering, if the content isn't encrypted.
jdredd
Robot Addict
Posts: 181
Joined: December 31st, 2019, 4:57 pm

Re: VR300 firmware download... Neato..

Post by jdredd »

Not sure if encrypted or not... there is a little bit of readable text in there showing neato name, the d3/d5/d7 model names ...

What made me think of this, was playing with the USB>Serial interface on my d3/d7s...

Having "UPLOAD" and a comment about "VR300 brush motor"

masterx81
Robot Addict
Posts: 134
Joined: May 9th, 2019, 5:08 am

Re: VR300 firmware download... Neato..

Post by masterx81 »

Would be interesting to see if this upload method also works on the Neato devices. I have one D5 to update, maybe worth trying (if I find the OTG cable :roll: )
masterx81
Robot Addict
Posts: 134
Joined: May 9th, 2019, 5:08 am

Re: VR300 firmware download... Neato..

Post by masterx81 »

The content seems encrypted, but the first line is readable and it seems that this update applies to the D3, D4, D5, D6, D7 and VR220 models - no VR300 model (?). This can help people with firmware issues without waiting for an OTA update (like the problem that I had with the battery auth flag set to 0 and no charging, solved by a firmware update).
If I find the OTG cable that I bought some time ago, I'll try to flash it on a D5.
Why release it as a Vorwerk update, but not as a Neato update? AFAIK Neato allowed only OTA updates for the D series devices (while for older models there was also the USB update).
masterx81
Robot Addict
Posts: 134
Joined: May 9th, 2019, 5:08 am

Re: VR300 firmware download... Neato..

Post by masterx81 »

Lost my OTG cable... ordered 2 more. As soon as I receive them I'll try this firmware update.
jdredd
Robot Addict
Posts: 181
Joined: December 31st, 2019, 4:57 pm

Re: VR300 firmware download... Neato..

Post by jdredd »

Interested to see if it takes it.. thought about buying a D5 board, to upgrade the D3 I have with the side brush I added but can't be activated. Use the D3 board as a testing board for this and such things.. until it's a brick.
masterx81
Robot Addict
Posts: 134
Joined: May 9th, 2019, 5:08 am

Re: VR300 firmware download... Neato..

Post by masterx81 »

Uhm, 4.5.1 wasn't an update available for d series. Latest is 4.5.3-189
jdredd
Robot Addict
Posts: 181
Joined: December 31st, 2019, 4:57 pm

Re: VR300 firmware download... Neato..

Post by jdredd »

masterx81 wrote: Uhm, 4.5.1 wasn't an update available for d series. Latest is 4.5.3-189

That seems correct.

Which probably tells me Vorwerk now gets software in/at different intervals as the Neato hardware.

I doubt it is a 1:1 release versioning between Vorwerk and Neato.

Looking here, you can get older versions for the VR300

https://support.vorwerk.com/hc/en-us/ar ... hat-s-new-

4.4.1
4.5.0
4.5.1
4.5.3
masterx81
Robot Addict
Posts: 134
Joined: May 9th, 2019, 5:08 am

Re: VR300 firmware download... Neato..

Post by masterx81 »

https://www.neatorobotics.com/it/my-nea ... update-d3/
And here for the D series. It seems that most are in common, 4.5.1 excluded.
Maybe 4.5.1 included improvements only for the VR300.
Scapegoat
Posts: 26
Joined: January 12th, 2020, 12:08 pm

Re: VR300 firmware download... Neato..

Post by Scapegoat »

I managed to get access to the "Neato_4.5.3_189.tgz" Firmware. It contains the same files that you're seeing:

"Neato_4.5.3_189.bin"
"Neato_4.5.3_189.signed"
"Signing.crt"

So far no luck with the ".bin" but in a hex editor I do see the model numbers like you mentioned.

Does anyone know what type of OS the Neato is running? Some sort of Embedded Linux? It would help to know what type of SOC (chipset) the Neato has.


Edit:

Just noticed that Neato released some sort of XV toolchain here: https://www.neatorobotics.com/lab/linux/

Interesting, anyone know why they made this available?
jdredd
Robot Addict
Posts: 181
Joined: December 31st, 2019, 4:57 pm

Re: VR300 firmware download... Neato..

Post by jdredd »

Scapegoat wrote: I managed to get access to the "Neato_4.5.3_189.tgz" Firmware. It contains the same files that you're seeing:

"Neato_4.5.3_189.bin"
"Neato_4.5.3_189.signed"
"Signing.crt"

So far no luck with the ".bin" but in a hex editor I do see the model numbers like you mentioned.

Does anyone know what type of OS the Neato is running? Some sort of Embedded Linux? It would help to know what type of SOC (chipset) the Neato has.


Edit:

Just noticed that Neato released some sort of XV toolchain here: https://www.neatorobotics.com/lab/linux/

Interesting, anyone know why they made this available?

Being it uses what looks to be a slightly custom ARM CPU based around the TI 962/962B ARM CPU.. linux variant.

QNX @ https://en.wikipedia.org/wiki/QNX looks to be it.

Interesting doc @ https://www.usenix.org/system/files/woo ... llrich.pdf
Scapegoat
Posts: 26
Joined: January 12th, 2020, 12:08 pm

Re: VR300 firmware download... Neato..

Post by Scapegoat »

Interesting doc @ https://www.usenix.org/system/files/woo ... llrich.pdf


Thanks for finding that, very interesting read. According to that white paper, the last version that contained the non-secure boot vulnerability is "4.4.0_72." I do have the "Neato_4.4.0_72.tgz" (Forums wouldn't let me upload it) for that firmware in case anyone wants to try the "Upload" command to flash the firmware and then attempt the exploit.

The part that I was most interested in was the Static Firmware Analysis. I'm surprised that the firmware dump actually gave them that much info
jdredd
Robot Addict
Posts: 181
Joined: December 31st, 2019, 4:57 pm

Re: VR300 firmware download... Neato..

Post by jdredd »

Well I guess I should have formatted it better...

XV uses a Linux variant
Botvac uses QNX

Be interesting to see an old firmware model opened up... and if anyone can find any info/usage of the serial commands and such :)
Scapegoat
Posts: 26
Joined: January 12th, 2020, 12:08 pm

Re: VR300 firmware download... Neato..

Post by Scapegoat »

So based on some research, it seems like the ".bin" is a compressed QNX Image File System (IFS).

If we could decompress the ".bin" then we could use the QNX "dumpifs" tool (https://github.com/askac/dumpifs) to dump the contents of the file system and get a peek at all the binaries.

I found this script that someone made years ago to decompress a ".bin" from an Audi QNX OS: https://github.com/unbe/mmi-ifs However, it does not work when decompressing the Neato firmware. Seems like the header it's looking for isn't there. The header it looks for comes from this QNX document http://www.qnx.com/developers/docs/6.6. ... eader.html looking through the ".bin" with a hex editor, I don't see anything close to that header.


I think the "Static Firmware Analysis" performed in the white paper actually dumped the IFS from the running bot. So if we could decompress the ".bin" then we could essentially see the same info/binaries that were outlined in the paper.
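
Added example, not part of the post above or of the tools it links: a Python sketch of the check the post describes, searching a firmware file at every offset for the QNX startup-header and `imagefs` signatures (a vendor banner may sit in front of the image) and falling back to byte entropy when none is found. The signature and compression-flag values are the ones in QNX's public `sys/startup.h` and `sys/image.h`; the little-endian field layout, the 7.9 bits/byte threshold, the function names and both sample blobs are assumptions constructed for illustration.

```python
import hashlib
import math
import struct

# Signatures and flag values as defined in QNX's sys/startup.h and sys/image.h.
STARTUP_SIG = b"\xeb\x7e\xff\x00"
IMAGEFS_SIG = b"imagefs"
COMPRESS_MASK = 0x1C
COMPRESSION = {0x00: "none", 0x04: "zlib", 0x08: "lzo", 0x0C: "ucl"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; near 8.0 means compressed or encrypted."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def find_all(blob: bytes, sig: bytes):
    pos = blob.find(sig)
    while pos != -1:
        yield pos
        pos = blob.find(sig, pos + 1)

def triage(blob: bytes) -> dict:
    """Scan the whole file rather than offset 0 only."""
    startups = []
    for off in find_all(blob, STARTUP_SIG):
        if off + 10 > len(blob):
            continue
        # After the 4-byte signature: version, flags1, flags2, header_size.
        version, flags1, _flags2, hdr_size = struct.unpack_from("<HBBH", blob, off + 4)
        comp = COMPRESSION.get(flags1 & COMPRESS_MASK)
        if comp:  # undefined compression bits: treat as a coincidental match
            startups.append({"offset": off, "version": version,
                             "compression": comp, "header_size": hdr_size})
    imagefs = list(find_all(blob, IMAGEFS_SIG))
    h = entropy(blob) if blob else 0.0
    if startups or imagefs:
        verdict = "IFS structures visible"
    elif h > 7.9:
        verdict = "opaque: compressed or encrypted, entropy alone cannot tell which"
    else:
        verdict = "no IFS signature, low entropy: some other plain format"
    return {"startup": startups, "imagefs": imagefs, "entropy": round(h, 2), "verdict": verdict}

def constructed_samples():
    """Two constructed blobs (not real firmware): banner + IFS header, banner + noise."""
    banner = b"VENDOR-BANNER model=X version=0.0.0\n".ljust(64, b"\0")
    hdr = STARTUP_SIG + struct.pack("<HBBH", 1, 0x04, 0, 256) + bytes(246)
    noise = b"".join(hashlib.sha256(bytes([i >> 8, i & 255])).digest() for i in range(2048))
    return banner + hdr + IMAGEFS_SIG + bytes(57), banner + noise

if __name__ == "__main__":
    for sample in constructed_samples():
        print(triage(sample))
```

A readable banner followed by a body near 8 bits/byte and no signature at any offset matches what the thread reports for the ".bin"; that result is consistent with either vendor-specific compression or encryption and does not distinguish them.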
jdredd
Robot Addict
Posts: 181
Joined: December 31st, 2019, 4:57 pm

Re: VR300 firmware download... Neato..

Post by jdredd »

Any way I can get a copy of the Neato_4.4.0_72.tgz ?
Scapegoat
Posts: 26
Joined: January 12th, 2020, 12:08 pm

Re: VR300 firmware download... Neato..

Post by Scapegoat »

jdredd wrote: Any way I can get a copy of the Neato_4.4.0_72.tgz ?

Sure, I just sent it to you in a PM for now since the forums won't let me upload it. I saw on one of your posts that you have a few Neatos that you seem to hack around with. Would be great if you could try some of the stuff from the white paper.


Let me know if you find anything
jdredd
Robot Addict
Posts: 181
Joined: December 31st, 2019, 4:57 pm

Re: VR300 firmware download... Neato..

Post by jdredd »

Need to find a tool that can handle the QNX Neutrino flavor I take it.. ?
Scapegoat
Posts: 26
Joined: January 12th, 2020, 12:08 pm

Re: VR300 firmware download... Neato..

Post by Scapegoat »

jdredd wrote: Need to find a tool that can handle the QNX Neutrino flavor I take it.. ?

Still need to do more research to determine that. Since the ".bin" seems to have a Neato header at the top (version info, model info, etc) it's possible that Neato compresses or encrypts the image somehow.
jdredd
Robot Addict
Posts: 181
Joined: December 31st, 2019, 4:57 pm

Re: VR300 firmware download... Neato..

Post by jdredd »

Anyone attempt to run this bin yet on a Neato?