Never connected my Roomba to the internet and it has worked fine for the past several years. It insists that I should connect to it via the app to resolve the occasional minor issue, but I would always ignore those. It's starting to show its wear and it's probably time for a new vacuum. I'm not sure if I'll be able to bootstrap one without connectivity, nowadays. Any good recommendations out there?
Valetudo is the best out there. I rooted my Roborock, and connected it my home assistant. It's super useful without having to send data to the cloud. The only thing is the developers are severely limited by how many vacuums they can support. I recently bought a Dreame X50 and it's still not supported.
"From there, he built a Raspberry Pi joystick to manually drive the vacuum, proving that there was nothing wrong with the hardware."
He should make these and sell them. It would be worth it to just drive it in "discovery" mode and give it the exact path to follow while cleaning. The constant inability to learn the floor plan is beyond annoying.
Depending on where he lives this might be illegal. Yes, we live in a cyberpunk dystopia where the manufacturer can break what you bought and then send you to jail for repairing it. You can read more about it here: https://consumerrights.wiki/w/Digital_Millennium_Copyright_A...
This shit is absolutely dystopian. The law must not just be reversed, manufacturers need to be taken to court for shoddy software. Insecure data collection and transmission should be treated the same as having unsafe electrical wiring. It is a defect that needs to be either fixed or the product recalled. As long as manufacturers are not just allowed to but rewarded for selling defective products this won't change. I expect the moment unsolicited data collection becomes a liability manufacturers will drop it like a hot potato.
>>>>> I expect the moment unsolicited data collection becomes a liability manufacturers will drop it like a hot potato.
Possession of the data needs to be illegal.
Here's how it could work. It's similar to how copyrights for music are enforced. A person whose data are found in someone's files or server can sue for "statutory" damages, which are levied on a per-offense basis.
What are the odds individuals learn their data has been found. What kind of damages could be awarded that would make hiring a lawyer and giving them 50% of winnings a worth while effort? I could also easily see individual cases combining to become class action reducing the winnings even further.
In other words, I find this a silly suggestion as it's just never going to work in the real world.
There's an exemption from Section 1201 for "Computer programs that control devices designed primarily for use by consumers for diagnosis, maintenance, or repair of the device or system".
Thankful for people like this - with kids and family and work I’d probably have had this sit bricked for a year in my garage before finding time to tinker with it. Now I can just never buy any iLife product ever.
There is a significantly easier option (although still more work than just buying a vacuum and using it as the manufacturer intended): get one of the Valetudo supported vacuums[0]. This firmware replacement blocks telemetry and allows for near complete feature parity with the original firmware, and flashing is (usually) relatively simple. Certainly much simpler than the process described here.
I'm reminded of when AWS us-east-1 went down and all the beds made by EightSleep (business model: Juicero for beds) became disabled. EightSleep put all the significant control for their beds in the cloud, doubtless because they couldn't or didn't know how to hire embedded engineers, and the only devs they could find were node.js flunkies who only knew how to do cloud. Looks like the makers of this vacuum did the same thing; they didn't know how or didn't want to build just enough smarts to do the localization and mapping itself, and said "fuck it, we'll do it in the cloud".
That's awfully generous. Forcing phone-home, remote control, data harvesting features to be always-on creates a huge amount of data that can be sold for a lot of money. It gets all the wrong people excited about investing and normalizing the level of intrusion into your privacy, with some faceless corporation harvesting gigabytes of data per month from the most intimate and vulnerable physical location in nearly anyone's life.
That's always a good idea, but how many people have the resources to research these details? First of all you have to be aware that this issue even exists. Then you have to scrape the corners of the internet for whether an appliance has any anti-features, because no manufacturer will ever write "collects unsolicited data about you, we will break the appliance if you refuse us your personal information" on the box. And finally you need to be able to afford the time and patience for the whole process.
I don't own a smart vacuum cleaner because the trouble is not worth it to me. However, I can see smart vacuum cleaners being very good for elderly or disabled people, or someone who has very limited free time and could let the robot clean the house on its own while the owner is out. It is really disgusting that scumbag manufacturers are exploiting those people.
I suspect this is not the full story. Why would someone waste their time manually disabling a device? That makes me think that this device was doing something malicous to their servers, enough to trip an alert.
The owner did not hack the vacuum, he blocked the IP address on his network for the telemetry server. Same thing tons of people do with Pi-Hole DNS blocking, for example.
There's no sane world where it is defensible to remotely brick a device because it can't communicate with a telemetry server.
> As the business running the servers of smart vacuums, if I saw an atypical device reporting in, without context, I too would kill that device.
If you want to block a device from accessing your servers because it's behaving in an odd way, such as this one that was contacting the update server but not the telemetry server, that's not entirely unreasonable. Sending it a command to modify its software to stop it from operating entirely is outrageous.
Why would a business have the power to decide what should and what shouldn't be homogeneous about the property of others? A transaction took place, property has legally changed hands and the former owner is exerting control over property that isn't theirs any more.
How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?
> How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?
And if you complain he kicks you and your wife out of the house you bought. And if you dare to close off the backdoor he sends you to jail.
> How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?
I've seen this movie. Only, the twist was that the home was built 100+ years ago and the builder long since dead. The family living in the home currently had to resort to an exorcist.
Edit to say that the sarcasm is direct rebuttal with the preposterous nature of the hypothetical.
This is a cool article, and neat he got it working in the end.
One thing that is odd - if he blocked it calling home, it doesn't make sense that the kill code was issued remotely. It makes more sense that there is a line of code internally that kills the machine when it can't call home (which would be far less malicious).
Well, no. You can't just revoke a license.
As far as owning the software in the device, I works would argue that you do own a copy of it. I'm sure there is some buried tos claiming you just own a license to run it, and I know this is still being litigated. But when the average person purchases someone their expectation is that they've purchased it, not licensed it.
Previous post
https://news.ycombinator.com/item?id=45503560
which points to the actual blog of the author on github, instead of a news coverage of it.
Never connected my Roomba to the internet and it has worked fine for the past several years. It insists that I should connect to it via the app to resolve the occasional minor issue, but I would always ignore those. It's starting to show its wear and it's probably time for a new vacuum. I'm not sure if I'll be able to bootstrap one without connectivity, nowadays. Any good recommendations out there?
You might be interested in this project https://valetudo.cloud/
They have a list of supported vacuums
Valetudo is the best out there. I rooted my Roborock, and connected it my home assistant. It's super useful without having to send data to the cloud. The only thing is the developers are severely limited by how many vacuums they can support. I recently bought a Dreame X50 and it's still not supported.
"From there, he built a Raspberry Pi joystick to manually drive the vacuum, proving that there was nothing wrong with the hardware."
He should make these and sell them. It would be worth it to just drive it in "discovery" mode and give it the exact path to follow while cleaning. The constant inability to learn the floor plan is beyond annoying.
Depending on where he lives this might be illegal. Yes, we live in a cyberpunk dystopia where the manufacturer can break what you bought and then send you to jail for repairing it. You can read more about it here: https://consumerrights.wiki/w/Digital_Millennium_Copyright_A...
This shit is absolutely dystopian. The law must not just be reversed, manufacturers need to be taken to court for shoddy software. Insecure data collection and transmission should be treated the same as having unsafe electrical wiring. It is a defect that needs to be either fixed or the product recalled. As long as manufacturers are not just allowed to but rewarded for selling defective products this won't change. I expect the moment unsolicited data collection becomes a liability manufacturers will drop it like a hot potato.
>>>>> I expect the moment unsolicited data collection becomes a liability manufacturers will drop it like a hot potato.
Possession of the data needs to be illegal.
Here's how it could work. It's similar to how copyrights for music are enforced. A person whose data are found in someone's files or server can sue for "statutory" damages, which are levied on a per-offense basis.
What are the odds individuals learn their data has been found. What kind of damages could be awarded that would make hiring a lawyer and giving them 50% of winnings a worth while effort? I could also easily see individual cases combining to become class action reducing the winnings even further.
In other words, I find this a silly suggestion as it's just never going to work in the real world.
There's an exemption from Section 1201 for "Computer programs that control devices designed primarily for use by consumers for diagnosis, maintenance, or repair of the device or system".
I wish I had the abilities of the engineer, plus the time he could devote to the problem.
Thankful for people like this - with kids and family and work I’d probably have had this sit bricked for a year in my garage before finding time to tinker with it. Now I can just never buy any iLife product ever.
We should probably update this story to link directly to the hackers blog, they deserve the credit! https://codetiger.github.io/blog/the-day-my-smart-vacuum-tur...
There is a significantly easier option (although still more work than just buying a vacuum and using it as the manufacturer intended): get one of the Valetudo supported vacuums[0]. This firmware replacement blocks telemetry and allows for near complete feature parity with the original firmware, and flashing is (usually) relatively simple. Certainly much simpler than the process described here.
[0] https://valetudo.cloud/pages/general/supported-robots.html
Probably a felony under the DMCA.
I'm reminded of when AWS us-east-1 went down and all the beds made by EightSleep (business model: Juicero for beds) became disabled. EightSleep put all the significant control for their beds in the cloud, doubtless because they couldn't or didn't know how to hire embedded engineers, and the only devs they could find were node.js flunkies who only knew how to do cloud. Looks like the makers of this vacuum did the same thing; they didn't know how or didn't want to build just enough smarts to do the localization and mapping itself, and said "fuck it, we'll do it in the cloud".
That's awfully generous. Forcing phone-home, remote control, data harvesting features to be always-on creates a huge amount of data that can be sold for a lot of money. It gets all the wrong people excited about investing and normalizing the level of intrusion into your privacy, with some faceless corporation harvesting gigabytes of data per month from the most intimate and vulnerable physical location in nearly anyone's life.
I block this nonsense before it gets to the cash register.
That's always a good idea, but how many people have the resources to research these details? First of all you have to be aware that this issue even exists. Then you have to scrape the corners of the internet for whether an appliance has any anti-features, because no manufacturer will ever write "collects unsolicited data about you, we will break the appliance if you refuse us your personal information" on the box. And finally you need to be able to afford the time and patience for the whole process.
I don't own a smart vacuum cleaner because the trouble is not worth it to me. However, I can see smart vacuum cleaners being very good for elderly or disabled people, or someone who has very limited free time and could let the robot clean the house on its own while the owner is out. It is really disgusting that scumbag manufacturers are exploiting those people.
I suspect this is not the full story. Why would someone waste their time manually disabling a device? That makes me think that this device was doing something malicous to their servers, enough to trip an alert.
Not really. They probably flagged this as someone modifying the device and thought it could be someone reverse engineering it.
This seems a bit sensationalist.
Guy hacks smart vacuum. Smart vacuum behaves different than standard vacuum. Manufacturer kills vacuum remotely.
As the business running the servers of smart vacuums, if I saw an atypical device reporting in, without context, I too would kill that device.
Because they're vacuums. Why would they not be homogenous?
The owner did not hack the vacuum, he blocked the IP address on his network for the telemetry server. Same thing tons of people do with Pi-Hole DNS blocking, for example.
There's no sane world where it is defensible to remotely brick a device because it can't communicate with a telemetry server.
> As the business running the servers of smart vacuums, if I saw an atypical device reporting in, without context, I too would kill that device.
If you want to block a device from accessing your servers because it's behaving in an odd way, such as this one that was contacting the update server but not the telemetry server, that's not entirely unreasonable. Sending it a command to modify its software to stop it from operating entirely is outrageous.
> Why would they not be homogenous?
Why would a business have the power to decide what should and what shouldn't be homogeneous about the property of others? A transaction took place, property has legally changed hands and the former owner is exerting control over property that isn't theirs any more.
How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?
> How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?
And if you complain he kicks you and your wife out of the house you bought. And if you dare to close off the backdoor he sends you to jail.
> How about if the builder of your house comes into your home via an access route unknown to you, and starts rearranging where things are placed, or where you and your wife are placed, etc. in order to maintain homogeneous layout?
I've seen this movie. Only, the twist was that the home was built 100+ years ago and the builder long since dead. The family living in the home currently had to resort to an exorcist.
Edit to say that the sarcasm is direct rebuttal with the preposterous nature of the hypothetical.
This is a cool article, and neat he got it working in the end.
One thing that is odd - if he blocked it calling home, it doesn't make sense that the kill code was issued remotely. It makes more sense that there is a line of code internally that kills the machine when it can't call home (which would be far less malicious).
The business has no right to remotely kill a device purchased by an end user.
Yeah! Just degrade the battery life and user experience through forced updates so they are pushed to upgrade instead!
Did you accept the EULA?
Consumer law comes above the EULA. A clause which states the company can remotely brick your hardware should be rendered invalid.
Only sane comment in this thread
You don't own the software on the device, they do. If they choose to revoke that license, that is their choice.
In EU you have the right to use bundled software as long as you own the appliance. Not sure this is true for US.
Well, no. You can't just revoke a license. As far as owning the software in the device, I works would argue that you do own a copy of it. I'm sure there is some buried tos claiming you just own a license to run it, and I know this is still being litigated. But when the average person purchases someone their expectation is that they've purchased it, not licensed it.
I own the device and all of its storage. The exact state of that storage is my business and precisely no one else's.
Does low-effort rage-bait belong on HN? aka, are you f**ing kidding?