As my old Chinese vacuum robot died due to a bearing failure I was not sad - it was time to find something hackable (the old one did not have any WiFi connection, thus was not very hackable). I looked at some auctions and found a Conga 5090 for 40 EUR.
The Conga brand had already been hacked by the Congatudo community, although the 5090 model was not listed as hacked yet. I treated it as a challenge, thus went to buy it. I am glad that Termux exists, so I did not look weird to the old men selling this vacuum (yeah, some people have weird reactions when they see a terminal, especially on a laptop with a tiling WM).
This was not the biggest challenge of my life: the robot had the default SSH password, thus logging into it was easy. I am curious how many Congas are part of a botnet. Nevertheless, this robot used the old ssh-rsa algorithm, deprecated in OpenSSH 8.8, and that was the biggest obstacle to getting inside, as well as my very first contribution to Congatudo.
Later I needed to connect the Conga to my IoT WiFi network. There was a dedicated tool for this, named Agnoc. As I confirmed that it worked without any issues on my Conga 5090, I created another PR. The next step was editing /etc/hosts to cheat my Conga on DNS records and force it to use my LAN. WAN access is forbidden by default on my IoT network (and I am glad - my Samsung TV is flooding this VLAN with requests; what do they need that much data for?)
Then the bad times happened: my robot suffers from some kind of Alzheimer's disease. It forgets the map every month. I created an issue, where the maintainer marked it as invalid (a robot bug), though another user wrote that he has a similar issue (but not the same).
This is where my journey with reverse engineering my robot begins, but it is not finished yet. I have decided to post it on my blog, just to save it for the future, or maybe somebody would help me with it.
All text below is my WIP notes, so it is a little noisy.
I have found these binary/ELF files on my Conga 5090:
-rwxr-xr-x 1 10315693 Aug 27 16:19 everest-server
-rwxr-xr-x 1 4631677 Jun 25 19:33 RobotApp
-rwxrwxr-x 1 3356824 Jun 25 19:10 uImage
-rwxr-xr-x 1 607451 Jun 25 19:32 Monitor
-rwxr-xr-x 1 12441 Jun 25 19:08 init
-rwxrwxr-x 1 512 Jun 25 19:09 magic.bin
everest-server seems to be the biggest, thus the main app of the vacuum.
Funny thing - it has gdbserver preinstalled.
It runs TinaLinux, an OpenWrt-based distro - quite funny that my vacuum and my router run such closely related software.
I am looking for info on when the map gets reset.
Radare2 found "[CRobotApp] handleUploadHistoryMapToServer map size %d m_save_map_id %d" in everest-server, and
"[CManagerMap] device_ctrl_save_map." was in RobotApp:
strings * | grep -ni save_map
22023:[CRobotApp] handleUploadHistoryMapToServer map size %d m_save_map_id %d
57114:[CManagerMap] device_ctrl_save_map.
Radare2 showed the save_map string @ 0x008f61d9:
> / save_map
0x008f61d9 hit0_0 .r map size %d m_save_map_id %d [CApp.
> pd -10
0x008f61b1 .string "[CRobotApp] handleUploadHistoryMapToServer map size %d m_save_map_id %d \n" ; len=74
0x008f61ea 0000 unaligned
;-- str._CAppCleanState__handleMapIDDownloadServerHistoryMapRsp_msg_len__d__seq__lld:
; DATA XREF from everest::manager::CAppCleanState::handleMapIDDownloadServerHistoryMapRsp(everest::manager::CRobotApp*, CMsgHead*) @ 0x26fad8(r)
0x008f61ec .string "[CAppCleanState] handleMapIDDownloadServerHistoryMapRsp msg len %d! seq %lld\n" ; len=77
0x008f6239 000000 unaligned
;-- str._CAppCleanState__handleMapIDDownloadServerHistoryMapRsp_here_:
; DATA XREF from everest::manager::CAppCleanState::handleMapIDDownloadServerHistoryMapRsp(everest::manager::CRobotApp*, CMsgHead*) @ 0x26fb14(r)
0x008f623c .string "[CAppCleanState] handleMapIDDownloadServerHistoryMapRsp here!\n" ; len=62
0x008f627a 0000 unaligned
;-- str._CAppCleanState__handleMapIDDownloadServerHistoryMapRsp_task_id__d:
; DATA XREF from everest::manager::CAppCleanState::handleMapIDDownloadServerHistoryMapRsp(everest::manager::CRobotApp*, CMsgHead*) @ 0x270430(r)
0x008f627c .string "[CAppCleanState] handleMapIDDownloadServerHistoryMapRsp task_id %d\n" ; len=67
0x008f62bf 00 unaligned
;-- str._CAppCleanState__handleMapIDDownloadServerHistoryMapRsp_erro__s_:
; DATA XREF from everest::manager::CAppCleanState::handleMapIDDownloadServerHistoryMapRsp(everest::manager::CRobotApp*, CMsgHead*) @ 0x27040c(r)
0x008f62c0 .string "[CAppCleanState] handleMapIDDownloadServerHistoryMapRsp erro %s!\n" ; len=65
0x008f6301 000000 unaligned
> pd 10
;-- hit0_0:
0x008f61d9 .string "[CRobotApp] handleUploadHistoryMapToServer map size %d m_save_map_id %d \n" ; len=74
0x008f61ea 0000 unaligned
;-- str._CAppCleanState__handleMapIDDownloadServerHistoryMapRsp_msg_len__d__seq__lld:
; DATA XREF from everest::manager::CAppCleanState::handleMapIDDownloadServerHistoryMapRsp(everest::manager::CRobotApp*, CMsgHead*) @ 0x26fad8(r)
0x008f61ec .string "[CAppCleanState] handleMapIDDownloadServerHistoryMapRsp msg len %d! seq %lld\n" ; len=77
0x008f6239 000000 unaligned
;-- str._CAppCleanState__handleMapIDDownloadServerHistoryMapRsp_here_:
; DATA XREF from everest::manager::CAppCleanState::handleMapIDDownloadServerHistoryMapRsp(everest::manager::CRobotApp*, CMsgHead*) @ 0x26fb14(r)
0x008f623c .string "[CAppCleanState] handleMapIDDownloadServerHistoryMapRsp here!\n" ; len=62
0x008f627a 0000 unaligned
;-- str._CAppCleanState__handleMapIDDownloadServerHistoryMapRsp_task_id__d:
; DATA XREF from everest::manager::CAppCleanState::handleMapIDDownloadServerHistoryMapRsp(everest::manager::CRobotApp*, CMsgHead*) @ 0x270430(r)
0x008f627c .string "[CAppCleanState] handleMapIDDownloadServerHistoryMapRsp task_id %d\n" ; len=67
0x008f62bf 00 unaligned
;-- str._CAppCleanState__handleMapIDDownloadServerHistoryMapRsp_erro__s_:
; DATA XREF from everest::manager::CAppCleanState::handleMapIDDownloadServerHistoryMapRsp(everest::manager::CRobotApp*, CMsgHead*) @ 0x27040c(r)
0x008f62c0 .string "[CAppCleanState] handleMapIDDownloadServerHistoryMapRsp erro %s!\n" ; len=65
0x008f6301 000000 unaligned
The xref (everest::manager::CRobotApp*, CMsgHead*) @ 0x26fad8(r) shows us that probably CRobotApp is responsible for managing the map, which actually makes sense.
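Added example, written for this page and not code from the post or from Congatudo: the string -> DATA XREF -> function lookup that radare2 did above, reproduced on small constructed blobs so it runs offline. The .rodata/.text bytes, the two base addresses and the symbol range are assumptions; only the two log strings and the handleMapIDDownloadServerHistoryMapRsp name come from the radare2 output above. It also shows the "poor man's xref" that works on a non-PIE 32-bit ARM build: the absolute address of a string sits in a literal pool inside .text, so a plain byte search for the VA finds the code that loads it.

```python
"""Added example (not from the original post or Congatudo): find log format
strings in a .rodata slice, then find the .text literal-pool word that holds a
string's address and name the function it belongs to.  All blobs, base
addresses and the symbol range below are constructed assumptions."""
import struct

# Constructed stand-in for a slice of .rodata (base address is an assumption).
RODATA_BASE = 0x008F6000
RODATA = (
    b"[CRobotApp] handleUploadHistoryMapToServer map size %d m_save_map_id %d \n\x00"
    b"\x00\x00"  # the "unaligned" padding radare2 printed between strings
    b"[CAppCleanState] handleMapIDDownloadServerHistoryMapRsp msg len %d! seq %lld\n\x00"
)
STRING_VA = RODATA_BASE + RODATA.index(b"[CAppCleanState]")

# Constructed stand-in for a slice of .text (base address is an assumption):
# ARM `mov r0, r0` padding (e1a00000, little-endian) around one literal-pool
# word holding STRING_VA, which is how a non-PIE ARM build materialises an
# address before an `ldr rN, [pc, #off]`.
TEXT_BASE = 0x00270000
TEXT = b"\x00\x00\xa0\xe1" * 8 + struct.pack("<I", STRING_VA) + b"\x00\x00\xa0\xe1" * 4

# (start_va, size, name) as `nm -S -C` or radare2 `afl` would give.  The range
# is an assumption; the name is the one radare2 attributed the xref to.
SYMBOLS = [
    (TEXT_BASE, 0x40,
     "everest::manager::CAppCleanState::handleMapIDDownloadServerHistoryMapRsp"
     "(everest::manager::CRobotApp*, CMsgHead*)"),
]


def find_strings(blob, base, min_len=8):
    """Return [(va, text)] for runs of >= min_len printable bytes, like
    `strings -t x` but reporting a virtual address instead of a file offset.
    Tab and newline are kept (GNU strings would cut the run at '\\n') so a
    whole log format line comes back as one entry."""
    found, start = [], None
    for i, b in enumerate(blob + b"\x00"):  # sentinel flushes a trailing run
        printable = 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)
        if printable:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((base + start, blob[start:i].decode("ascii")))
        start = None
    return found


def find_literal_refs(text, text_base, target_va):
    """Poor man's DATA XREF for non-PIE 32-bit ARM: every word-aligned
    little-endian word in .text equal to target_va is a literal-pool entry.
    Misses PIE images (the address lives in a relocation), movw/movt pairs and
    Thumb-2 immediates; that is what radare2's `axt` is for.  text_base is
    assumed to be 4-byte aligned."""
    needle = struct.pack("<I", target_va)
    refs, pos = [], text.find(needle)
    while pos != -1:
        if pos % 4 == 0:
            refs.append(text_base + pos)
        pos = text.find(needle, pos + 1)
    return refs


def owning_function(symbols, va):
    """Name of the symbol whose [start, start+size) range contains va."""
    for start, size, name in symbols:
        if start <= va < start + size:
            return name
    return None


if __name__ == "__main__":
    for va, text in find_strings(RODATA, RODATA_BASE):
        if "save_map" in text or "HistoryMap" in text:
            print(f"{va:#010x} {text.rstrip()}")
    for ref in find_literal_refs(TEXT, TEXT_BASE, STRING_VA):
        print(f"{STRING_VA:#010x} referenced from literal at {ref:#010x} "
              f"in {owning_function(SYMBOLS, ref)}")
```

On the real binary, `strings -t x everest-server` prints file offsets, and `readelf -S` (or radare2 `iS`) gives each section's Addr/Off pair to turn an offset into the VA you `s` to; the line numbers from `grep -n`, as in the listing above, cannot be seeked to.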
/ save_map shows 0x0042b48a hit4_0 .ap] device_ctrl_save_map.[CManagerM.
So seeking to that address shows the everest::manager::CManagerMap::handleMessage function:
[0x00235664]> s 0x0042b48a
[0x0042b48a]> pd -10
0x0042b462 .string "[CManagerMap] handle clean task report add.\n" ; len=44
│ 0x0042b46c 00000000 andeq r0, r0, r0
│ ;-- str._CManagerMap__device_ctrl_save_map.:
│ ; DATA XREF from everest::manager::CManagerMap::handleMessage(CMsgHead const&) @ 0x2355d8(r)
│ 0x0042b470 .string "[CManagerMap] device_ctrl_save_map.\n" ; len=36
│ 0x0042b494 00000000 andeq r0, r0, r0
│ ;-- str._CManagerMap__handleMessages_failed__d_: