The end date is approaching and I wonder If anyone got the working with HA with MQTT? Or am I forced to just decommission them and through then in the garbage?
I guess the people who own these thermostats either donβt have the know how or are unwilling to put the time in. The thermostat is still functional all be it adjustable manually only. I decided to buy a meross Wi-Fi thermostat with matter. It has integrations in home assistant and is not perfect but is cheap and does the job.
Maybe this will help⦠the guy updates it from the 11years old script. Last update was 6 months ago
2 Likes
The moment google announced their intentions with the Nest in Europe, and I had to acquire a new key for the next 5 years to keep it using for only a few months, I bought a Matter device and removed the google nest. If someone wants it to tinker, hack or use manually, drop me a line. Last time I bought Google hardware. Still remembering my 6p and the totally abandonment by Google, they just can not be trusted for the long run.
Thatβs me.
I have attempted several times, and the best attempt got me this far:
found device 0x0451:0xd00e
Active configuration: 1
Interface 0, altsetting 0 has 2 endpoints:
Endpoint 0x81: type 2, max packet size 512
Endpoint 0x01: type 2, max packet size 512
Claimed interface 0. Waiting 200ms before transfer...
download ok
while loop size = 246572
filesize = 246572
Error in libusb_bulk_transfer: -1 (Input/output error)
It seems the Nest doesnβt stay in DFU mode long (which is understandable), but even when I am able to initiate a transfer, I always get disconnected:
Claimed interface 0.
could not write to usb (res=-9, Pipe error, transferred=0, file_cnt=512)
or
Claimed interface 0.
libusb: error [submit_bulk_transfer] submiturb failed, errno=2
could not get ASIC ID (res=-1, Input/output error, transferred=-890893169)
If you are able to get it to work, let me know!
I will try it when I have some time.
And out of the box: When itβs in DFU mode and try transfer and in meanwhile spinning the aluminium outside. So there is movement on the module and maybe the hardware thinks its still in sort of process?
Hello everybody!
Thereβs a bounty for solving the problem, I just found out from Louis Rossmannβs youtube videos:
Maybe financial motivation will move this project forward?
@elecnix Iβm gonna try it myself. But im stuck at the end with:
root@Peters-iMac NestDFUAttack % docker run -it -v $(pwd):/workspace nest-build /workspace/Dev/build.sh
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
ββββββ ββββββββββββ ββββββ βββ ββββββ ββββββββββ ββββββββββββββββββ
ββββββββββββββββββββ ββββββ ββββββββββββββββββββββ ββββββββββββββββββββ
βββ ββββ βββ βββ ββββββββββββββββββββββ βββββββ ββββββ ββββββββ
βββ βββ βββ ββββ βββββββββββββββββββββββ βββββββ ββββββ ββββββββ
βββββββββ βββ βββββββ βββ ββββββ ββββββββββββββ ββββββββββββββ βββ
βββββββ βββ βββββ βββ ββββββ βββ ββββββββββ ββββββββββββββ βββ
[I] - Cross compiling u-boot.
[I] - Cross compiling Linux (this could take a few minutes.)
[I] - Cross compiling x-loader.
[I] - Compiling omap3_usbload for host machine.
I donβt know whatβs next?
Looks like I am a bit late to the party.
I have not got root yet but I am very close.
The original gtvhackers exploit has rusted somewhat but is still a decent path to follow.
I will find a way of publishing my where I have got to so far when I get home tonight.
4 Likes
There is hope!
I have root. Also have compiled a simple hello word that runs on the hardware.
I will start working on putting together a repo that allows others to do the same
6 Likes
Here is a link to my git repo that should get this working for a few people:
ajb142/cuckoo_loader
I am going to create some more repos with other related stuff, such as the hello world application and some notes on what I have learn so far about the hardware.
I had three thermostats in total (2 x gen 2 and 1 x gen 3). These have all been replaced with a different system but I still think the Nest is a cool bit of HMI that can be used for many things. I plan to make a scene selector for home assistant eventually.
For those struggling to get the original exploit working, these are the reasons why:
It looks like Nest started using different NAND chips at some point. The version of x-loader the exploit sends does not support these chips but a later versions does. I discovered this by attaching serial console cables to my Nest.
The omap3_loader tool is no good on modern computers. I have swapped to a newer project that works. This newer project also needed patching as the jump command (used to launch the kernel) was not in the correct format for x-loader
There where a couple of other build issues with u-boot and linux but easily patched around.
I will not take any responsibility for bricked devices, etc.
Keen to know how people get on. I can only test with what I have so go easy. I know the bash script could be better, I wanted to get something out there as I see there is interest.
9 Likes
sorry, are you saying this attack also gets root on a Gen 3 thermostat, or am I wishfully making 2 + 2 = 5 here?
Hopping in here to support this project. Iβm more of a script kiddie / vibe coder so Iβll be following along with the developments and trying it out once itβs ready.
Hopefully now that our Nests have been orphaned more people will be interested in getting a hack working.
My Kevo deadbolt also threatened to go offline right about now, but some friendly benefactor rushed in and saved the app and the HW from losing functionality. Really surprised Google hasnβt entertained offering the service to a third party. How much traffic do they really generate?
possibly of interest to folks here @ https://www.reddit.com/r/Nest/comments/1okr5q0/dont_throw_away_your_nest_thermostat_gen_1_2/
2 Likes
Thank very much!
Iβve been trying to get this hack working for a while now, since the abandoment notice.
I got stuck at the omap loader not working because of bit rot.
In fact, it semi-bricked one of the dev units⦠essentially endless reboot loop.
The last place I left off, was that Iβd have to modernize the omap loader.
Thanfully, someone did that for me.
I have 5 gen2 units, 3 are in-service, and two are for dev.
One of the dev units is for hardware mods / attachements / sluething, while the other is for remote software only changes (after the initial attack.)
I can confirm, using the cuckoo_loader, that my two dev units are succesfully attacked, and one of my in-service units.
My present setup is Ubuntu 22 on a FrameWork 16 direct to metal.
As I write this, Iβve been exploring the unit via ssh for a couple of hours now.
2 Likes
This looks very promising but not going to connect my thermostats to yet another (and untrusted) 3rd party. They claim they will release the server software soon so 
1 Like
@ajb34 can you describe what you mean by a serial cable? Like a USB to serial cable, or did you connect to test points on the PCB with something like an FTDI or a J-Link?
Update on the bounty:
They got solutions and will announce a winner in 1-2 weeks.