Nest Hacking
From Exploitee.rs
Info
- /dev/event1 is the knob; /dev/event2 is the button
Nest software
/nestlabs/sbin/nlclient -config /nestlabs/etc/client.config -config /nestlabs/etc/Display/Display-2/client.config
Nest backplate interface
- Connected on /dev/ttyO2
Turn on W1: d5aa96 8200 0200 00 01 29a2 Turn off W1: d5aa96 8200 0200 00 00 08b2 Turn on Y1: d5aa96 8200 0200 01 01 1891 Turn off Y1: d5aa96 8200 0200 01 00 3981 Turn on G : d5aa96 8200 0200 02 01 4bc4 Turn off G : d5aa96 8200 0200 02 00 6ad4 Turn on OB: d5aa96 8200 0200 03 01 7af7 Turn off OB: d5aa96 8200 0200 03 00 5be7 Turn on W2: d5aa96 8200 0200 04 01 ed6e Turn off W2: d5aa96 8200 0200 04 00 cc7e Turn on Y2: d5aa96 8200 0200 07 01 be3b Turn off Y2: d5aa96 8200 0200 07 00 9f2b Turn on * : d5aa96 8200 0200 0b 01 d37e Turn off * : d5aa96 8200 0200 0b 00 f26e
- All communications with backplane begin with (d5)d5aa96 (d5 is doubled only for data FROM backplane)
- 16-bit command
- 16-bit data length
- 16-bit checksum
Monitor:
strace -ff -p $(pidof nlclient) -x -s9999 -e read,write 2>&1 | grep '(54'
Checksum
<Bytes-from-end>.<bit-value> <xor-with>
01.01 3133 01.02 6266 01.04 c4cc 01.08 a989 01.10 7303 01.20 e606 01.40 cc0d 01.80 981b 02.01 3037 02.02 606e 03.01 b476 03.02 68ed 03.04 f1ca 03.08 c385 03.10 a71b 03.20 4e37 03.40 9c6e 03.80 38dd 07.20 687b
Run BeagleBone/Debian programs
ln -s . /lib/arm-linux-gnueabihf ln -s ld-2.11.1.so /lib/ld-linux-armhf.so.3
