Roomba 980 Wifi Connectivity Reverse engineering


(FailedInsider) #1

So I bought a Roomba 980 this weekend and I am determined to hook this up into SmartThings.

Has anyone sniffed the traffic so far or made any progress here?

Once I get my things back out of storage (just moved) I intend to sniff this traffic and break it apart.


(Darryl) #2

I am actually about to buy one, as my renovation is almost complete (full first floor 3ftx8in wood tile), and want to use this to help keep dog hair cleaned up.

Please make this happen!!! :slight_smile:


(Pizzinini) #3

Have you looked at this thread? I don’t know much about Roombas… But thought this was a cool project:


(Darryl) #4

Hello

Unfortunately that uses a “plug in device” that doesn’t exist for the newer Roomba. The newer Roombas are wifi connected already, which mitigates the need for this add-on device.


(FailedInsider) #5

Yep, exactly, the 980 is the first with wifi but no open API. I will hopefully sniff the traffic and take a look this weekend. If anyone is interested in helping out, PM me.

I also reached out to iRobot but let’s be honest they are not going to get back to me with anything helpful.

Edit: added question, no such thing as PM on here!


(FailedInsider) #6

I spent a couple of hours this weekend looking into it and got something working.
It seems the iPhone app talks either directly to the Roomba when on wifi or via the cloud when not.
I only looked into the cloud connectivity.
HTTPS JSON API with a username and password. Once I got around the HTTPS encryption the rest was easy.

I threw together a Windows/Windows Phone UWP C# app to test it out and am now able to control my Roomba from my desktop/phone. When I get a chance I will look into turning this into a ST device and app.

The only downside is the username and password are generated by either the Roomba/the smartphone/their cloud. So looking them up isn’t the easiest thing to do.

However on Android I believe they are just stored in a DB with the app, so it may be easy to look them up. For now I know my username/pass and can control my Roomba.

I’ll post more details when I have more time to work on it.


(Darryl) #7

Please! Thanks!

I just got a 980 Sat night. :slight_smile:


(FailedInsider) #8

Awesome, the only thing that I do wonder is how you will be able to find your username and password without going through the hoops I went through.

Do you have an Android phone perchance? I think the u/p is stored in a SQLite DB which should be easy to retrieve and get at.


(Darryl) #9

Yeah, multiple Android devices.

That being said, I am a SQL DBA so if you give me a direction, I should be good to follow it.


(FailedInsider) #10

Cool:)
Well I have to be honest, I do not have, nor have I ever used, an Android phone, but from what I know the security is more lacking than that of the iPhone or Windows phones.

Can you try and see if you can poke around in the ‘data’ directory for the iRobot Roomba app and let me know what you find? Feel free to PM me if you want to keep this off the forum. I think there are messaging capabilities on this board.


(FailedInsider) #11

In fact, if you have a rooted device that would probably be the easiest way.
For this to work for others we need to find a simple way to reproduce retrieving the username and pass.


(Darryl) #12

Yeah I will work on that soon, see if I can find a way for people to query the data.


(facu) #13

Hi @boreddead, can you share the specs you have at this time? Host? Port? Scratch API reference?
Are you able to obtain the VSLAM maps?
I don’t see how to PM you. Can you write to me? I’m interested in helping, I’m a Node.js developer.

thanks! and good job!


(Martin) #14

Hi there. I’m interested in hearing if you got the 980 working with STs. I’m yet to buy one but want to. Also keen to hear if the Roomba is living up to your expectations? Cheers.


(FailedInsider) #15

Hey sorry everyone, I have been swamped with my apartment, work and life. In the next week or so I will post my findings so someone can write a device driver as I clearly don’t have the time right now.

I will also post how to get your password and generally sniff SSL traffic decrypted.

The Roomba is brilliant, I love being able to control it from my smartphone and it will definitely fit into the SmartThings hub with a tiny bit of work.


(Darryl) #16

I take it you just ran Wireshark, and grabbed the data? If so, I will try it out this week.


(FailedInsider) #17

You need to decrypt the traffic first. There is only one way to do that really: by adding a root certificate to your device where the app is installed, forcing it to use an HTTPS proxy, and then having your PC as the HTTPS proxy and the owner of the root certificate. That way it can man-in-the-middle the SSL traffic and snoop on it.


(FailedInsider) #18

In terms of the API:

POST

URL

https://irobot.axeda.com/services/v1/rest/Scripto/execute/AspenApiRequest

blid=USERNAME&robotpwd=PASSWORD&method=getStatus
returns JSON for the current status of the robot

Remote Command controls
blid=USERNAME&robotpwd=PASSWORD&method=multipleFieldSet&value=%7B%0A%20%20%22remoteCommand%22%20:%20%22start%22%0A%7D

Sorry for the URL encoding but you get the idea.

This one will, surprise surprise, start the robot going.

Other commands (replace ‘start’) are stop, pause and dock.

Any questions, please feel free to get in contact.

Sorry I haven’t had the time to follow up on this.
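
The request bodies quoted in the post above, decoded and rebuilt, as an added example that is not part of the original post and not iRobot's code. It decodes the URL-encoded `value` field, redacts `blid` and `robotpwd` so a capture can be shared without leaking credentials, and rebuilds a body for one of the four commands the post names; the function names are hypothetical and nothing is sent over the network.

```python
import json
from urllib.parse import parse_qs, urlencode

ALLOWED_COMMANDS = {"start", "stop", "pause", "dock"}  # commands named in the post
SECRET_FIELDS = {"blid", "robotpwd"}                   # credential fields in the post

# Constructed sample: the remote-command body from the post, placeholders intact.
CAPTURED = ("blid=USERNAME&robotpwd=PASSWORD&method=multipleFieldSet"
            "&value=%7B%0A%20%20%22remoteCommand%22%20:%20%22start%22%0A%7D")


def decode_body(body):
    """Parse a form-encoded body and JSON-decode its 'value' field, if any."""
    parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    fields = {}
    for key, values in parsed.items():
        if len(values) != 1:  # a repeated field makes the request ambiguous
            raise ValueError(f"field {key!r} appears {len(values)} times")
        fields[key] = values[0]
    if "value" in fields:
        fields["value"] = json.loads(fields["value"])
    return fields


def redact(fields):
    """Copy of the decoded fields that is safe to paste into a forum post."""
    return {k: "<redacted>" if k in SECRET_FIELDS else v for k, v in fields.items()}


def build_command_body(blid, robotpwd, command):
    """Form-encode a multipleFieldSet body for one of the allowed commands."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"unsupported remoteCommand: {command!r}")
    return urlencode({
        "blid": blid,
        "robotpwd": robotpwd,
        "method": "multipleFieldSet",
        "value": json.dumps({"remoteCommand": command}),
    })


if __name__ == "__main__":
    print(redact(decode_body(CAPTURED)))
    print(build_command_body("USERNAME", "PASSWORD", "dock"))
```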


(Darryl) #19

What was the high level of how you routed the app to use an HTTPS proxy? I’ve not seen that ability, and am unfamiliar with it. I get generating a cert, and also installing it though. :slight_smile:


Update: I feel dumb–hah! You’re using the wireless settings proxy to point the traffic to a workstation with Wireshark. I get it more now. Will have to try later, as I am not at the house. So high level steps:

  1. Generate an SSL cert on a PC
  2. Install cert to Android as root certificate
  3. Install Wireshark
  4. Go to wireless settings on Android phone with iRobot app
  5. Add IP/name of device with Wireshark
  6. Trace info going to iRobot.axeda.com, and grab the URL string to piece out the pieces needed

Sound about right?


(Andreas A.) #20

You might be able to simplify things by using Charles to create the proxy on your computer - it takes the hassle out of all the certification stuff…