Snark I-un Robot, Hacking the Shark ION RV750...

Reverse engineering the Shark RV750 robot vacuum, and other vacuums with similar hardware.

The objective is to take a Shark Ion RV750 robot vacuum, and perform some Steve Austin stuff to make it much more...

The Shark ION RV750 is a pretty standard, no-frills robot vacuum. The brains of the system are an STM32F071VBT6 MCU, and the rest of the components on the board are of the standard, easy-to-find and inexpensive variety. There is also an Azure Wireless CU300 daughter board connected over serial, but through my testing I found that it provides no support logic beyond interfacing with the Shark Clean app. I do suspect that it may be responsible for decryption/de-obfuscation of the firmware binaries for the MCU, but I have not been able to put this to the test.

I started on this project around May of 2020, and below is what I have accomplished, or lack thereof, so far.

My original idea was to extract the firmware from the STM32, but I think this proved to be a dead end. What I found was that the MCU was protected with RDP Level 1 (SWD still works in the bootloader, but the program flash is read-protected). Normally this would not be an issue, since several methods exist to bypass RDP Level 1 on the Cortex-M0, but it seems somebody had the great idea of re-assigning the SWDIO and SWCLK pins in the main program... they are not connected to anything else.

I then turned to the Shark Clean Android app to scrape any useful information from it. I did find a URL to an AWS server hosting a raw XML page with links to development and production firmware for the newer Shark ION robot vacuums. I did try to reverse a firmware image from the RV750N, but it seems the firmware is either highly obfuscated or encrypted.

In a last-ditch effort, I decided to pull the 4 MB SPI flash IC off the AW CU300 and read the contents... Well, the SPI flash is not encrypted, and there is a decent amount of information. I ventured down a rabbit hole of information within some JavaScript files about encryption/decryption, but it turned out to be the routine for exchanging shared keys with the Ayla IoT server that is used.

So this is where I am at now. I plan on creating my own custom firmware to use the STM32 as a very basic ROS node that communicates with a RPi Zero W (yeah, I know!) as the master. The hope is to re-create most of the original cleaning path algorithm for the STM32 to execute, and to pass sensor messages to the RPi. The RPi will keep track of the sensor data from the STM32. The RPi will also receive data from an IMU and an HLS-LFCD2 LiDAR sensor. From this sensor data a map of the environment will be created, from which the RPi can determine the robot's pose and location in the environment.

I would also like to add a camera and OpenCV for object detection, for things such as cords and rugs that can entangle the robot.

Oh yeah, and last of all.... I am a noob with much of this, and learning on the fly!

UPDATES 08/12/2020:

I worked with the CU300 WiFi module some more, and found a serial console on one of the ports... the only problem is I seem to have only the receive side. What I thought would have been the transmit line to the CU300 has an odd pulse sequence at startup that reminds me of an IR remote protocol, maybe Manchester?

I have also made some progress on the flash dump from the SPI flash.

This blog has helped quite a bit: https://medium.com/@urish/inside-the-bulb-adventures-in-reverse-engineering-smart-bulb-firmware-1b81ce2694a6 It seems that one of the segments of the Marvell firmware is obfuscated through some word reversal/swap routine. It looks simple at face value, but we shall see!

08/14/2020:

For posterity's sake, https://hackaday.io/project/167594/logs (I may forget about this later). This seems to be using much the same method as the Shark.

UPDATES 08/29/2020:

In an interesting turn of events, I found that my sister has a Eufy RoboVac 11. Opening it up "to clean it", I found it is very similar to the Shark RV750. It is missing some features, and a few board components are in different places, but it is definitely based off the same base design as the RV750... is the RV750 even original? From what I can find, it seems like the RV750_N is functionally the same as the base RV750, but it uses an STM32F103x MCU. Its WiFi module is also integrated into the main board, and I don't know what SoC it uses. More sleuthing online has revealed that the ECOVACS Deebot N79S is also based off the same design as the RV750_N.

Working on the firmware side of things, I have only made a little progress on the obfuscated firmware. I may be on track to figuring out the header format. Going back to the Shark AWS site, I found that there are a lot of *.zip files, and they all contain unencrypted firmware… it seems like they all might be for...


  • Starting again! Some recent findings!

    Jon Steel, 04/28/2021 at 22:16

    So I have started work on this again, and from learning new things with other projects I have been able to move forward better on this project.

    The bad news is that the index page to the AWS site has been locked, so now I can't navigate to find new firmware files.

    The good news is that I have made a lot of headway learning Ghidra and reverse engineering the STM32 series MCUs. With this I have been able to make good headway in understanding the MCU firmware on some of the higher-end Shark models that utilize SLAM navigation. These units use the STM32F3 Cortex-M4 MCU, whereas the models I am working with use the STM32F0 Cortex-M0 MCU.

    With the RV750N & RV850 models, the MCU used is also the STM32F0, and they are more closely related to the original RV750. From the files I was able to scrape from the AWS portal, I was able to determine the model line for the RV750N and RV850, and download firmware images for these models. The problem I am running into with these images is that they are in a format that currently cannot be decompiled. I have been able to make some sense of some common constant sections of what I figure is the header.

    Looking at the hex dump above, I am guessing at the "Some Sort of Header" section because, in the file that points to this one, this area is a data section preceding an ASCII string.

    Trying to cross-reference the information found in these files against any other firmware format used in the STM32 line has been hopeless. I don't think the firmware is heavily obfuscated, since there are sections of repeating byte sequences in some parts of the image. Here is one segment that starts at 0x4418 and repeats 33 times.

    I have tried treating this section as if it were supposed to be 0x00 or 0xFF padding, and using it as an XOR key for the file, but it has not worked. There is also another section near the end of the file, from 0x1FD90 to 0x21F8F. From the end of this section until the last 16 bytes of the file the data is undecipherable, but the last 16 bytes are always constant, with the value 0x6CA48E4F9E9F5D9301A36C43962C0C95.

    And this is where I am at. I do have a mainboard from an Ecovacs Deebot N79 coming in, as it seems to be of the same design style... We will see if the firmware can be extracted.
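The two hypotheses floated on this page (the 08/12/2020 update's word reversal/swap in the Marvell module firmware, and this log's idea that the repeating 16-byte segment is an XOR key laid over 0x00 or 0xFF padding) can both be tested mechanically. The script below is an added example and not the project's own code. It assumes a raw Cortex-M0 flash image that begins with a vector table (stack pointer in SRAM at 0x20000000, odd Thumb reset vector in flash at 0x08000000), an XOR key aligned to the file start, and a constructed sample image (SAMPLE_KEY, build_sample_image) rather than any of the Shark files; the `start=` parameter lets you skip a header if the real image carries one. It maps entropy per window (a repeated 16-byte key over padding gives exactly 4.0 bits per byte, encrypted data sits near 8.0), pulls out the most repeated aligned chunk, and scores each candidate transform by whether the result starts with a plausible vector table.

```python
"""Firmware-image triage: entropy map, repeated-chunk XOR-key hypothesis,
and halfword/word swaps, scored by Cortex-M vector-table plausibility.

Added example, not the project's own code. Assumptions (not from the page):
  * the de-obfuscated image starts with a Cortex-M0 vector table (use start=
    to skip a header); flash/SRAM windows below are assumed STM32F0 values;
  * the repeating segment is aligned to the file start and to its own length;
  * SAMPLE_KEY and the image from build_sample_image() are constructed.
"""
import math
import struct
from collections import Counter

FLASH_BASE, FLASH_SIZE = 0x08000000, 256 * 1024   # assumed STM32F0 flash window
SRAM_BASE, SRAM_SIZE = 0x20000000, 32 * 1024      # assumed STM32F0 SRAM window
SAMPLE_KEY = bytes(range(0x10, 0x20))             # constructed 16-byte XOR key


def shannon_entropy(data):
    """Bits per byte: ~8.0 for encrypted/compressed data, lower for plain code,
    and exactly log2(k) for a k-byte key repeated over constant padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_map(image, window=4096):
    """Per-window entropy so padded, obfuscated and encrypted regions stand out."""
    return [(off, round(shannon_entropy(image[off:off + window]), 2))
            for off in range(0, len(image), window)]


def most_repeated_chunk(image, size=16):
    """Most frequent aligned `size`-byte chunk and its count: the candidate key."""
    if len(image) < size:
        return b"", 0
    counts = Counter(image[i:i + size] for i in range(0, len(image) - size + 1, size))
    return counts.most_common(1)[0]


def xor_with_key(image, key):
    """XOR with a key repeating from offset 0 (key phase assumed aligned)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(image))


def swap16(image):
    """Swap the two bytes of every 16-bit halfword (trailing odd byte dropped)."""
    n = len(image) - len(image) % 2
    out = bytearray(n)
    out[0::2], out[1::2] = image[1:n:2], image[0:n:2]
    return bytes(out)


def swap32(image):
    """Reverse the byte order of every 32-bit word (trailing partial word dropped)."""
    n = len(image) - len(image) % 4
    return b"".join(image[i:i + 4][::-1] for i in range(0, n, 4))


def looks_like_vector_table(image, start=0):
    """Cortex-M sanity check: word 0 is an SP inside SRAM, word 1 is an odd (Thumb)
    reset vector inside flash. Not proof, but a cheap filter for candidates."""
    if len(image) < start + 8:
        return False
    sp, reset = struct.unpack_from("<II", image, start)
    return (SRAM_BASE < sp <= SRAM_BASE + SRAM_SIZE
            and reset & 1 == 1
            and FLASH_BASE <= reset < FLASH_BASE + FLASH_SIZE)


def try_transforms(image, start=0):
    """Apply each candidate de-obfuscation and report which yields a plausible
    vector table. The two XOR entries test the repeating segment as the key
    XORed over 0x00 padding and over 0xFF padding respectively."""
    chunk, _ = most_repeated_chunk(image)
    candidates = {
        "identity": image,
        "xor_chunk_as_00_pad": xor_with_key(image, chunk),
        "xor_chunk_as_ff_pad": xor_with_key(image, bytes(b ^ 0xFF for b in chunk)),
        "swap16": swap16(image),
        "swap32": swap32(image),
    }
    return {name: looks_like_vector_table(data, start) for name, data in candidates.items()}


def _pseudo_code(n, seed=1):
    """Deterministic LCG filler standing in for a code section (constructed)."""
    x, out = seed, bytearray()
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def build_plaintext():
    """Constructed 3 KiB image: vector table, 2040 bytes of 'code', 1 KiB of 0x00 pad."""
    vectors = struct.pack("<II", SRAM_BASE + 0x2000, FLASH_BASE + 0xC1)
    return vectors + _pseudo_code(2040) + b"\x00" * 1024


def build_sample_image():
    """The same image XORed with SAMPLE_KEY: the padding now shows the key repeating."""
    return xor_with_key(build_plaintext(), SAMPLE_KEY)


if __name__ == "__main__":
    obf = build_sample_image()
    print("entropy per 1 KiB window:", entropy_map(obf, 1024))
    chunk, count = most_repeated_chunk(obf)
    print(f"most repeated 16-byte chunk (x{count}): {chunk.hex()}")
    print("candidate transforms:", try_transforms(obf))
```

On a real dump, replace `build_sample_image()` with `open(path, "rb").read()` and look at the entropy map first: a region that scores near 8.0 bits per byte is encrypted or compressed and no byte-swap or single-key XOR will recover it, whereas a region scoring around 4.0 with a 16-byte repeat is exactly the padding-under-key pattern the XOR candidates target. If none of the transforms pass the vector-table check, the most likely reasons are a header before the image (try `start=`) or a key that is not phase-aligned with the file start.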


Discussions

Matt wrote 2 days ago

Thanks for posting this! I'm definitely following this project! I just got a warranty replacement for my Shark IQ model, so I have a spare one to tinker with. Long story short, I took it all apart to clean it and damaged one of the wheel motor connectors. After trying a couple of replacement wheel assemblies on eBay, I broke down and called Shark to buy an exact replacement from them. The lady told me they don't sell replacements as they weren't user serviceable, but she got it covered under warranty without me even asking about that option!

I'd be interested in figuring out how to automate this one to curse when it runs into stuff, like that one dude's YouTube video, maybe have a remote control feature, etc. There's a ton out there on interfacing with Roomba, but not so much with the Shark models...


Jon Steel wrote 04/20/2021 at 22:10

Sadly, the site has been locked down.


Marcus wrote 01/30/2021 at 19:56

Do you have the link to the AWS site with the firmware files?
