LFE89 / nello_one_without_cloud

nello.io / sclak.com - Remove cloud constraint
GNU General Public License v3.0

Local Backend attempt after server shutdown #1

Closed thomas-br closed 2 years ago

thomas-br commented 4 years ago

Hi @LFE89,

thanks first of all for your great RE work on the nello. Sadly after the server shutdown, it is currently not possible any longer to use the nello devices. I would like to dig deeper into the topic of a local nello backend.

After going through your documentation, my current understanding is that we don't know the payload details of the mapping phase after resetting / initial setup, correct?

Do you still have the recorded messages between the backend and the nello device to continue reverse engineering on this? It would be awesomely insane if we can reproduce a mapping, that the nello device accepts the local backend.

Best

nox26 commented 3 years ago

Damn, I hoped it would work, since I need a "Test topic" or my new nello is useless :/

Hypfer commented 3 years ago

IMO, the only reasonable thing to do now would be to try to glitch the nrf to bypass the read-out protection and take a look at its firmware, which seems to be surprisingly easy for people skilled with hardware.

https://github.com/atc1441/ESP32_nRF52_SWD

Robbilie commented 3 years ago

good night sweet prince, https://nello.io is down now as well

pattyland commented 3 years ago

Even the API is down... I made an unofficial statuspage a few days ago: https://stats.uptimerobot.com/5wQ9jh0mm1

sistein commented 3 years ago

SCLAK now seems to belong to someone else...

UDINO S.R.L., with registered office in via Amedeo Avogadro, 24 10121 Torino, VAT no. 11989000010

Maybe things are currently being restructured there...

1Joe1 commented 2 years ago

Flashing nello one with tasmota isn't possible, is it?

innotip-com commented 2 years ago

Folks, I think that our last chance to use our nello is to get the domain upon expiry, hoping no one will take it before :D "2022-04-07" ;) I guess that if some of you are able to kind of "simulate" the nello servers, we could make it work, couldn't we?

pattyland commented 2 years ago

@innotip-com With a local DNS server it is no problem to connect Nello to a running MQTT server. The challenge is the logic, which is described in the readme of this repository: https://github.com/LFE89/nello_one_without_cloud/blob/master/README.md

Lovely-Maisonette commented 2 years ago

Can I, with a local mqtt server and DNS overwrite, detect rings and issue an "open door" command? I guess the phone app is totally useless now.

bobo-in commented 2 years ago

Hey Lars, thanks for your work!

Is it possible to receive only ring bell notifications without the message to the test topic from nello's MQTT server? live-mqtt.nello.io is online but it does not send messages to the test-topic when establishing a connection :(

Would the security bypass also be possible with your recorded message to the test-topic? Or do I need the message that was sent to my device?

XDjackieXD commented 2 years ago

I'm currently in the process of reverse engineering the device firmware. Apparently the firmware is compiled again for each device as the device IDs are compiled into the topic strings and such (could also be templating in the binary but I highly doubt that). I'll share more info once I know a bit more (it has been a long time since I last reversed an embedded firmware...)

1Joe1 commented 2 years ago

@XDjackieXD How are you doing? Any news or progress? Anything one can do to support? I am counting on you 😉. Would be really awesome to reactivate my nello. Couldn't find a replacement so far, that is equally suited.

XDjackieXD commented 2 years ago

I've identified some standard-lib functions and some mqtt related functions but it all being non-blocking code with pseudothreading in a RTOS makes it annoying to reverse-engineer because almost everything has some global state stored in RAM. I've also found some functions related to the "blink code transfer" of the wifi password but there's not really anything interesting to be found there.

If someone wants to also dump their firmware: I was using this ESP32 based glitcher project with a delay setting of 5290-5370. You have to remove the two capacitors on the DEC1 pin and cut the trace of the wifi module's enable line between the microcontroller and its pull-down resistor (because the wifi module once enabled draws too much current and the glitch won't work reliably; see the bottom left of the picture below)

image

As for reverse engineering I'm currently using Ghidra as it seems to work better for embedded arm firmware than radare2.

It'll take at least two more weeks until I can work some more on this because I have some upcoming exams in university which I have to focus on at the moment.

XDjackieXD commented 2 years ago

On another note: does someone have a valid mqtt message (for example a door message) sent from the nello server to their device and would share its content with me? That would help checking if I'm on the right track

sistein commented 2 years ago

Why was this closed? Issue solved? ^^

thomas-br commented 2 years ago

> Why was this closed? Issue solved? ^^

I felt like this issue is not really the right place for further communication and exchange any longer. The issue is quite old, the thread is quite hard to follow from the start with multiple topics being discussed in parallel.

At least my hopes for the nello backend to function again in the cloud are quite low due to the bankruptcy of SCLAK. In my mind, dedicated locations for further exchange would be a better fit... Whatever / wherever that is.

XDjackieXD commented 2 years ago

We could start a new issue for the reverse engineering but in my opinion GitHub issues is a good place to work on this as it can be read by anyone in the future as a rough documentation. Moving this to some other chat would mean that many people would not get any idea of what's going on and the discussions will most likely be lost forever after a few weeks have passed

KrOnAsK commented 2 years ago

has there been any progress?

thomas-br commented 1 year ago

Hi all,

I know it has been a long time and also sorry for being pessimistic in January for not being able to see high chances on this 😄. But I wanted to give a quick note that I was able to spend some time during the last months looking into the Nello Topic again. I was able to extract the contents of the flash, locate the device specific encryption key material & reverse engineer the command protocol between server & the nello.

As a small PoC I was able to patch the hostname in my firmware to have it talk to a minimal server that currently just keeps my nello "online" (for now due to time constraints) and at least sending Door Bell Notifications to a Telegram Bot. My personal plan is definitely to work on a server that comes close to feature parity of the original backend. Goal would be to keep using the nello as door opener with its core capabilities – but I cannot say when I can spend how much time to further work on this.

Of course in general it would also be possible to open source such a project from the beginning on, where interested folks could even contribute. But I was not sure whether I am the only one currently still interested in keeping my nello away from being electronic waste. If there is general interest for such a project, you could maybe indicate it via emoji reactions

Screenshot Ring Notification of my PoC:

image

sistein commented 1 year ago

Actually my Nello(s) are still installed. I did not find the time to build myself a solution (and I think Nello has had a lot of good design choices - for example the power source).

So yes. Definitely interested.

innotip-com commented 1 year ago

I’m definitely interested and would be fine helping with financing someone to work in this?

thomas-br commented 1 year ago

I will start documenting my findings regarding the protocol as soon as possible. Will let you know once I have a state that can be shared. Sorry for the delay, I am currently pretty short on free-time.

sistein commented 1 year ago

I think we all know being short on free-time (or time at all).

1Joe1 commented 1 year ago

I ordered a Ring Intercom as a replacement for my nello just a few weeks ago, believing that your efforts and therefore my last hope for the nello had died. I received and installed it this weekend, but have to admit that even though it is mostly doing what it is supposed to, I liked the nello better and would love to put it back in place. It is in my eyes simply the smarter solution (no batteries, fits inside my intercom phone, ...). So any progress is highly appreciated!

thomas-br commented 1 year ago

I was able to find some time to write down at least the most important stuff. It is by far not complete, neither by what I have reverse engineered, nor by where there are potentials for research. Still will try to extend it with my knowledge about the system from time to time. Especially the information regarding firmware patching what I did to connect to another MQTT server is not yet in (will do).

https://github.com/thomas-br/open-nello

I think it would be best to further discuss technical details and your questions over there (in the issues I have created one for this). Will also try to push my poc for an open source server implementation over the winter holidays when I hopefully find some time to continue my work on it. (There is also another issue for discussions and coordination around an open-source server solution)
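
Added example, not part of the thread and not thomas-br's tooling: a size-preserving way to do the kind of hostname patch described above on a firmware dump you extracted from your own device. It assumes the hostname is stored as a plain NUL-terminated string; `live-mqtt.nello.io` is the broker name mentioned earlier in the thread, while `mqtt.home.lan` and the sample image bytes are constructed for illustration.

```python
# Added example. OLD_HOST appears in this thread; NEW_HOST and SAMPLE_IMAGE
# are constructed placeholders, not data from a real nello dump.
OLD_HOST = b"live-mqtt.nello.io"
NEW_HOST = b"mqtt.home.lan"  # hypothetical local broker name
SAMPLE_IMAGE = (b"\x00\x20\x00\x20" + OLD_HOST + b"\x00"
                + b"adjacent-string\x00" + b"\xff" * 8)


def find_cstring(image: bytes, needle: bytes) -> list[int]:
    """Return offsets where needle is stored as a complete NUL-terminated string."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        end = pos + len(needle)
        # Require the terminator so a longer string with this prefix is skipped.
        if end < len(image) and image[end] == 0:
            hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def patch_hostname(image: bytes, old: bytes, new: bytes) -> tuple[bytes, list[int]]:
    """Overwrite each NUL-terminated copy of old with new, keeping the image size."""
    if not new or len(new) > len(old):
        # A longer name would overwrite the neighbouring data or shift offsets.
        raise ValueError("replacement must be 1..len(old) bytes")
    if b"\x00" in new or not new.isascii():
        raise ValueError("replacement must be plain ASCII without NUL bytes")
    hits = find_cstring(image, old)
    if not hits:
        # The name may be stored encoded or assembled at runtime instead.
        raise LookupError("hostname not found as a plain C string")
    patched = bytearray(image)
    field = new.ljust(len(old), b"\x00")  # pad the unused tail with NULs
    for off in hits:
        patched[off:off + len(old)] = field
    assert len(patched) == len(image)
    return bytes(patched), hits


if __name__ == "__main__":
    out, offsets = patch_hostname(SAMPLE_IMAGE, OLD_HOST, NEW_HOST)
    print(offsets, out[offsets[0]:offsets[0] + len(OLD_HOST) + 1])
```

If the image carries a checksum or signature over the patched region, it has to be recomputed separately; the thread does not say whether the nello firmware has one.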