It's a boot script called /bin/nolongerevil.sh that supplies its own trust material and redirects traffic intended for frontdoor.nest.com to a hard-coded IP 15.204.110.215. 99.9% of this image is the original copyrighted Nest image. Maybe it's enough for the bounty though? And I suppose you could change that IP to a local server. If you wanted to publish the server side Nest API discovered through WireShark . Just stand up your own http rest server.
(The wheel on ours was broken so we could only control it via app).
Edit: If I read closely I would have seen:
> The firmware images and backend API server code will be open sourced soon, allowing the community to audit, improve, and self-host their own infrastructure.
Trust me bro.
https://github.com/codykociemba/NoLongerEvil-Thermostat/issu...
LFP
If you read the GitHub Readme (typically a better way to judge a project than stalking someone on LinkedIn) you can see that they didn’t write a custom firmware. They modified the Nest firmware to contact different back end servers.
The firmware is the same (they claim) except for modifications to change which server is contacted. They then built a back end to mimic the original Google serves.
No. This is a thermostat at your home. It forwards its DNS requests to your router. Feel free to establish whatever security protocols you need there. Or, even better, host your own server.
Because it uses https? OP gets around this by manually injecting his certificate, but if you have physical access to a device it's generally considered to be game over in most threat models.
I have been working on REing the hardware itself to write drivers directly - for example at https://sett.homes/blogs/updates/the-lcd-display-reverse-eng....
I am designing whole new PCBs that mount in the Nest so that we have 100% firmware control over the device... time will tell if we can do the same thing on the Linux OS that the Nest currently runs on, or if custom hardware will be needed because the OS has too much locked down
Zigbee allows firmware upgrades, but will not take you hostage. It isn’t perfect, but I’ll take it for having a user-first design instead of ARR-first.
Weather comp + low load comp + PID which means your room temperature works at the precision range supported by your temperature sensor. In my case, within 0.02 Celsius. Saves energy and makes your house more comfortable. Operated via home assistant.
See real time data in Grafana
https://gasboiler.grafana.net/public-dashboards/8d44381aafa9...
Or Emoncms
https://emoncms.org/app/view?name=MyBoilerIdealLogicH24Opent...
- The Vitodens has like ten stages, but the Ecobee has no way to command them, it's just a binary call to the Taco pump for heat / no heat, with the boiler deciding on its own how hard to push (I guess based on the outside air sensor and maybe time of day?)
- The Vitodens is monitoring the return boiler water temperature, but the Ecobee doesn't know anything about that.
- None of this is interlinked with the heat pump, so the systems can run on top of each other and end up with the wrong parts of the house overheated or left cold. The heat pump's controller is proprietary but it works with the NetHome Plus app so there is a bridge to get the units on homeassistant.
I don't have the spoons right now to try to beat this all into shape, but eventually I'd like to get HA temp monitors in multiple places in the house so that a single central system can make smarter decisions about which system to run and when. For example, in the evening I mostly care about the bedrooms, and the bedrooms are covered by zone 2 of the heat pump, so it would make sense to prioritize the heat pump then and only run the boiler if the heat pump isn't able to keep up; whereas in the daytime if heat is needed, it's probably throughout the house so the boiler should run.
When it came to the install I was told in no uncertain terms that even though they produced the board and it was compatible with my boiler, any attempt at installation by myself or their approved installation engineer would immediately void the warranty.
So that was the end of my OpenTherm journey. Thanks Vaillant!
Which OpenTherm device would you recommend?
I really would want a more clever solution for our heating: district heating that goes int our "legacy" high-temperature old radiators, and also a secondary system with under floor heating but with a limited temperature. The problem is the "secondary" system is much bigger and heats most of the house, but is more or less unable to change its temperature since its always "capped" at the max since its driven from a high-temperature system, the shunt can not lower the temperature, also its a dumb one. So we have bang-bang thermostats everywhere for the floors which works, but is not at all optimal.
Also, you can change the current set temperature. That temperature will be overridden at the next scheduled change.
That's it, that's the app. There's no way to create a custom program for a single day. There's no way to set a hold temp that persists beyond the next schedule change.
Now, because it's a thermostat, and my needs are simple, and I don't even have A/C, it's never bothered me _that_ much. But it's clear it could be so much better, and they just haven't bothered to do _anything_ in a decade.
It basically feels like they shipped a PoC, Google bought them, and disbanded the team, and that was it.
https://www.reddit.com/r/Nest/comments/1im9gkg/adjusting_the...
I am hopeful that Cody's exploit lets us write whole new firmware without the extra step of needing the new PCBs, but they are my next best option
I look forward to it!
>Why does it say 74?? I had it set to 75!!1!
It's what I did, not because of relationship reasons, but the hvac and furnace thermostat disagreed on what temperature 23C should be so I had to tweak it.
Besides, would you really break off a relationship over something so petty as temperature preference? The people who find somebody who's literally perfect for them must be very rare, I think most people have to make small sacrifices and concessions.
"We agreed it would be set to 74!"
"It IS set to 74!"
"No, it's set to like 74.2 or 74.3 or something! The little pointer is not pointing directly at 74, and you know it!"
This is where you start explaining what hysteresis is and wait for their eyes to glaze over before changing the subject ;)
Don't get me wrong, I love to see things like this, but just go all the way and allow folks to set their own URLs (maybe to servers they own in their own home).
[0] https://bounties.fulu.org/bounties/nest-learning-thermostat-...
In fact - I don't even see a privacy policy on nolongerevil.com!
Hey, I can login at nolongerevil.com using my Microsoft-owned github login! And there's yet another company involved: clerk.com - yay?
"We are committed to transparency and the right-to-repair movement. The firmware images and backend API server code will be open sourced soon, allowing the community to audit, improve, and self-host their own infrastructure."
I look forward to it.
PS: Sorry for being so negative... perhaps the release should have been delayed until all of this is opened up.
I was assuming that I could point the nest data stream & control UI to my own hosted thing on eg my local NAS or docker farm. That’s what I think would warrant the moniker “free from evil” in this kind of strong privacy preserving marketing.
Not to diminish what this project has done, but they modified existing firmware to make it communicate with a different server. They've also implemented a server for the thermostat API.
It's pretty neat but, at this point, it's just a hacked firmware that talks to a different proprietary server.
Edit: It's not even a modification to the firmware binaries. They're just injecting /etc/hosts entries into the firmware[0]. If the Nest device just uses DNS to resolve these names then you wouldn't even need to modify the firmware-- just point it at a DNS server that's authoritative for the necessary names.
[0] https://github.com/codykociemba/NoLongerEvil-Thermostat/issu...
Edit: Guess I've got openssl in my termux environment. They're injecting a fake Nest root CA key. Makes sense.
I'm shocked it was this easy to subvert the root of trust on these devices. I would expect a newer device would have the trust root pinned in hardware (TPM, etc) and firmware updates would be have been authenticated.
All those things cost money in hardware or development time, so companies basically never bother. You're probably also letting all the stories about DRM on phones or whatever color your experience on IOT as a whole. TPM basically makes no sense to implement on anything that's not a PC. Not even phones use it.
You could argue TPM can work as a generic term for security coprocessors, but on a technical forum that makes as much sense as saying the pixel tablet is an "iPad".
[0] They didn't write their own firmware; they hacked the stock firmware to redirect traffic from Google's servers to their own.
Edit: looks like they plan to open source the backend and enable self-hosting "soon". Hopefully that comes to pass!
If you are paranoid about Nest being evil maybe stick to one of those Honeywell round hockey-puck things with the mercury inside.
Or use a Z-Wave/Zigbee thermostat from a reputable vendor (there aren't many) and control it from a gateway of your choice.
The ex-Apple culture in the early history of Nest was evident, which ostensibly spec'd FETs over mechanical relays for superficial reasons, because clicking sounds are ugly. The results were in the spirit of other Apple engineering marvels (Titanium Powerbook, Antennagate, Bendgate).
Anecdotally, I have a first generation Nest and haven't had a problem. Maybe some of the earlier hardware had fewer protection against misuse (e.g., with non-24VAC systems or otherwise incorrect installation), but that's generally the case with most new things.
It's not "signal switching", you see.
HVAC equipment is as old and varied as you can imagine, and there is higher current than you think running through those terminals, powering all sorts of nasties, oil burner relays, damper motors, crude AC contactors causing voltage spikes etc. HVAC low voltage power is as dirty as can be.
No one took this into account, they were more concerned with making the thermostat pretty.
In my heat pump, none of the thermostat wires directly control the contactors. They all run into a logic board that applies logic like time delays, temperature-controlled defrost cycling, and active protection lockouts for the compressor. I mean, there's a seven-segment LCD on the logic board for system troubleshooting. The air handler has a variable speed blower as well.
I understand that HVAC equipment varies wildly, but if you try to solve every possible problem or scenario and target every possible customer, you'll never make it to market.
I also understand that I am the target demographic.
> Open Source Commitment
>We are committed to transparency and the right-to-repair movement. The firmware images and backend API server code will be open sourced soon, allowing the community to audit, improve, and self-host their own infrastructure
This is one of the major problems with doing anything good online. People like this.
And, I would really love to wire my nest into home assistant, but getting past the Google house of horrors is even scarier.
Are there any good thermostats that can be used with home assistant? I would really like to start understanding my energy usage in a safe way.
Even if it wasn't evil, I'd consider buying an expensive one a waste of money, which is kinda important considering I'm looking to save money.
2. I paid less than $200 for it.
3. The device lets me control the thermostat remotely. I can turn on the heater when coming home from a trip, or turn it off if I forgot when I left.
4. I can just say "Hey Google, turn up the heat" out loud.
I don't care if Google knows about the temperature of my home. I absolutely would buy the product again.
[1] With one exception, which is really niche to me: The T6 has what looks like a PID-style control algorithm hiding in it, and instead of specifying a deadband between on/off, you can only specify a max number of cycles per hour. I already have a home-brewed PID algorithm controlling the temperature target of my boiler, so I actually _want_ a stupider thermostat that will stay on/off a little longer. But this is purely because I'm weird. The T6 is really good at keeping the temperature on target, and the homeassistant integration was fast and easy and has been totally solid. I recommend - I'm just waiting for the last one to arrive and I will have completely replaced my Nests (gen2 + gen3).
I'll also add that the local UI on the T6 is much better than the one on the nest. And the installation process was really simple -- Honeywell clearly learned from Nest on this one, and then beat them with the UI. I'm really happy with the upgrade, even though I'm totally annoyed with Google for wrecking my perfectly functional thermostat.
Despite their name, we have no idea if NoLongerEvil is evil or not. Why should I trust them? I don't know them at all. Why will they be immune to the regular economic pressures surrounding any connected online service? What will stop them from adding tracking or other anti-features? Even if they are a bunch of saints, what will stop them from selling the service to a company that will not respect my privacy?
Google is at least the devil we know, here.
I was expecting a fully open source firmware, with a fully open source backend service that people can host themselves if they so choose.
(I guess they didn't write their own firmware; they hacked Google's firmware so it redirects traffic from Google's servers to their own. So I guess in this model, I'd want to see an open source, self-hostable backend service, and a "build" process for the hacked firmware to set the API URL to the self-hosted backend.)
Edit: looks like they plan to open source the backend and enable self-hosting "soon". Hopefully that comes to pass!
Every so often you swap out the slowest one for a new one and keep adding more stuff to it.
Add the ability to isolate some of the machines as bastion hosts and we could do an awful lot without having to exfiltrate our own data.
There is even risc-v things with decent ram, nvme connector and costing about 50 bucks
Google has left these devices essentially completely unusable. You're not trading up Google because Google already abandoned these devices by shutting off the lights. Even if you don't agree with how robust their service is, they're offering you the ability to turn what's effectively e-waste into an operable device.
I'm not even sure when I would want a network-enabled thermostat. We inherited it from the previous owners.
Can you edit schedules directly on the thermostat? From what I recall, much of the functionality required the app. That can’t be used now.
If you’re only using it as an analog dial to set the temperature, you won’t miss anything. However the majority of functionality is now gone from the devices.
If you'd bought it for hundreds of dollars for the things it promised to do, you'd probably be much more excited to learn that you at least aren't stuck with a device that was made intentionally dumb by the manufacturer. They're perfectly capable of doing what they were designed to do!
Edit to mention that I was out of town one winter and my thermostat gave me an alert that my apartment had reached 40F! With my cats in there and a blizzard happening while I was four states away, I was able to ask a friend to walk over and check it out. Turns out my balcony doors had blown open during the storm, thankfully my cats wanted nothing to do with the snowy outside but I can’t imagine if they had been in that situation for the 3-4 days it would be before I got home.
They put these disclaimers into licenses because people have already won these kind of cases.
There are connected thermostats that do not feature a WiFi radio. I don't like zwave (I would really prefer WiFi with a HTTP or MQTT interface) but there is no thermostat that a) has a modern/working WiFi radio and b) a documented API.
Venstar is the only company that makes WiFi with an API but they seem to use the cheapest possible WiFi radios and I could never get mine to stay connected to my network for more than an hour or two. They also had a _really unusual_ firmware architecture: it was linux with a stripped down web browser; the UI was a SPA and it used some lua or js (don't recall, sorry) to communicate to the hardware driving GPIOs. They did expect firmware updates to be signed and that's where I stopped looking and moved on to a zwave thermostat.
It uses MQTT with Wifi as you requested :)
No real reason to keep running google's code on these things.
I think that putting MQTT on this would be an important step toward local control and connecting it to Home Assistant
Also, carefully consider its use with propane or natural gas HVAC units. Many can reach dangerous temperatures very quickly. Many years ago we had a thermostat failure that caused our HVAC to not shut off. While it had an over-heat cut-out, it was for temps above 200F. Because the unit had an oversized blower, it caused our home to reach dangerous temps as we slept, including our kids room which was a good 20F hotter than our bedroom. Luckily we woke up and the kids were okay.
No "smart" thermostats for me --- I have a round Honeywell that's been working perfectly for several decades.
ddingus•3mo ago
dare944•3mo ago
ddingus•3mo ago
For what it was worth, I really enjoyed helping everyone ramp up on NX. At that time in my career, I was ramping many similar groups up and many came from Apple and were experiencing sticker shock! (They bought the very best and it was not at all cheap!)
We talked about that and those in charge on my end were not at all happy with me showing people how geometry that normally requires a higher tier license to create, can be created with the base tier license, lol. (Mere mortals need that info because having the more expensive tool is not always on the table.)
Anyhow, stay cool. Maybe it will be different one day.
Please tell the others as you may encounter them, "That NX guy from PDX says, "Hi." You all may not know it, but I learned a ton from you guys. It was in the questions you asked and the processes you set up. I am applying some of that to my own projects today. So, thanks! ( way late! )
smt88•3mo ago