Rooting The Nest Thermostat

A few months ago, Google bought a $3.2 billion thermostat in the hopes it would pave the way for smart devices in every home. The Nest thermostat itself is actually pretty cool – it’s running Linux with a reasonably capable CPU, and adds WiFi to the mix for some potentially cool applications. It can also be rooted in under a minute.

As [cj] explains, the CPU inside the Nest has a Device Firmware Update mode that’s normally used for testing inside the Nest factory. This DFU mode can also be used to modify the device without any restrictions at all.

With a simple shell script, [cj] plugs the Nest into his laptop’s USB port, puts the device into DFU mode, and uploads a two-stage bootloader to enable complete control over the Linux-powered thermostat.

As a bonus, the shell script also installs an SSH server and enables a reverse SSH connection to get around most firewalls. This allows anyone to remotely control the Nest thermostat, a wonderful addition to the Nest that doesn’t rely on iPhone apps or a cloud service to remotely control your Internet-enabled thermostat.

Video of the rooting process below.
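From the network owner's side, the reverse SSH connection described above shows up as a long-lived outbound session from the thermostat. The following is an added example, not part of the original post or [cj]'s script: a flow-log check that does not depend on the port number, since a tunnel need not use port 22. The record format, IP addresses, allowlist and threshold are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample flow records (not captured from a real device).
# Columns: start_time, src_ip, dst_ip, dst_port, duration_s, bytes_out, bytes_in
SAMPLE_FLOWS = """\
2024-01-01T10:00:00,192.168.1.50,203.0.113.10,443,12,4200,9100
2024-01-01T10:05:00,192.168.1.50,198.51.100.7,22,86400,51000,48000
2024-01-01T10:06:00,192.168.1.50,198.51.100.9,443,43200,30000,29000
2024-01-01T10:07:00,192.168.1.23,198.51.100.7,22,300,1000,1000
2024-01-01T10:08:00,192.168.1.50,192.168.1.1,53,1,80,120
"""

THERMOSTAT_IP = "192.168.1.50"     # assumption: the thermostat's LAN address
ALLOWED_DESTS = {"203.0.113.10"}   # assumption: vendor endpoints you have verified
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: local subnet
LONG_LIVED_S = 3600                # assumption: threshold for tunnel-like sessions


def suspicious_flows(text):
    """Return (dst_ip, dst_port, reasons) for thermostat flows that need review."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        _start, src, dst, port, duration, _out, _in = row
        if src != THERMOSTAT_IP:
            continue  # only the thermostat's own traffic is in scope
        if ipaddress.ip_address(dst) in LAN or dst in ALLOWED_DESTS:
            continue  # local services and verified vendor endpoints are expected
        reasons = ["destination not on allowlist"]
        if int(port) == 22:
            reasons.append("SSH port")
        if int(duration) >= LONG_LIVED_S:
            reasons.append("long-lived session")
        findings.append((dst, int(port), reasons))
    return findings


if __name__ == "__main__":
    for dst, port, reasons in suspicious_flows(SAMPLE_FLOWS):
        print(f"{THERMOSTAT_IP} -> {dst}:{port}: {', '.join(reasons)}")
```

The second finding in the sample is a 12-hour session on port 443, which a rule that only blocks or alerts on port 22 would miss.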

48 thoughts on “Rooting The Nest Thermostat”

    1. Then you better get rid of Cable TV. That cablebox has a camera watching you. Can you please move the TacoBell cup you have had sitting on your bluray player for the past week, we can’t see into the kitchen with it there.

      Thank you for your co-operation with the NSA.

    2. I’m with you, kak. I have no reason to want my thermostat info shared everywhere. It’s not so much that it contains information that I mind being distributed. It’s that I don’t enjoy living in a world where ALL my information becomes a commodity no matter how pointless that info is. And the reason I have a problem with that is that profiling doesn’t seem to work, but the world pretends it does.

      I agree with the comment that this is difficult to stop. However, I also believe it is more difficult to stop when one does not even try to stop it or worse yet embraces it. And those who resign to unpleasant things inevitably defend them passionately.

      My problem with the Nest thermostat is that ours at least sucks. In order to use it on your phone you have to use wifi, but I had to secure my wifi because neighbors were apparently “borrowing” it to illegally download game software because Spectrum warned us about downloading game software with bit torrents. Anyway, my wifi is old and to get a secure connection requires either WPS or the push button options (as opposed to passwords.)

      Maybe I could tweak the settings if I were willing to get a new wifi router, but why should I have to when the other works fine for everything else? And it seems it is not enough for Nest to wifi to your phone; they require the whole kit and kaboodle.

      Meanwhile, the default settings have about 4-5 degree range, so that while we have it set to 76 degrees, it oscillates between the low end of 75 and 78. So one minute we are freezing, and the next minute we are rather uncomfortably warm.

      A friend of mine has a son who does AC for a living, and he encouraged us to buy it when we upgraded our AC to a Bosch system. The Bosch part was probably not a bad idea, but man do we both hate this Nest thermostat. I wish we could change the software to something without these radical shifts in temperature. :( And we are home most of the time, so all these rants and raves about being able to turn it on and off when you aren’t home are not something we care about. The damned thing is way overrated, and I wish someone offered a nice way to replace their crappy default software to something usable.

  1. I attended a wireless Z-Wave/ZigBee seminar today, cool stuff on the horizon.
    But anything that Google wants to introduce that has to do with the household, RUN THE OTHER WAY AS FAST AS YOU CAN !!!
    I heard they’re trying to get into wireless hydro meter business.
    More data collection of individuals.
    Frankly, I see google as an unstoppable monster who will own us all because they will know our every habit & secret and will develop algorithms to accurately predict everything about each of us, and their “search & algorithm results” will have standing in law.
    You’d be horrified if your government kept as detailed a file on everyone as google does, but with a private company, “where’s the problem ??”.
    But I also see you facebookers as naive and complacent so likely you all blissfully see no problem with any of this data collection stuff.
    If I put up a satellite with live cameras and infinite archiving, I’d be indefinitely detained.
    Google is launching a butt load of exactly this, and no one sees a problem.
    I would however, do it too if I could.
    I’d also send a satellite to the moon to view the far side, but I think my country lawfully forbids me to launch or control a space vehicle.

    The thermostat is cool.

    1. I’m not excited to own anything that started out with google, touches google or has google interested in it.

      if I want to do this kind of thing, I’ll build my own and it won’t be a standard protocol or be cloud based.

      corps: you don’t deserve our trust. especially google!

        1. what does that have to do with anything. from a security standpoint, iPhones are safer than androids hands down. also Apple’s apps work better because there’s only 3 different versions of iPhone, there was over 1000 different versions of android, with all different hardware specs that causes apps to behave differently.

    2. I’ve been solidly pleased by every service google has had to offer to me thus far. If someone offered to provide me with GPS Maps with Voice Navigation, an index of the entire internet, 24/7 email service with functionally unlimited storage, live document sync and a full suite of office programs, thousands of hours of videos, an aggregation of the top news articles from around the planet updated every minute and an operating system that allows me to take pictures, store files, browse the internet and play games on my phone in exchange for the numbers on my thermostat I’d make that deal in a heartbeat.

      Seriously, I doubt I could ever sell or market my personal information in such a way as to be able to pay someone to give me all of those services. Google has less information about me than I’d put into my autobiography, and they sure give me more value for it than I’d ever make if I tried to sell my autobiography.

      Basically, I don’t expect Google to give me awesome stuff without me giving them something in return and I think some cursory information about my interests, or even my water bills, is a more than fair trade for the stuff they sell me.

      1. I agree, google could probably clone me with all the information they have, but I can live with that. I’d be surprised if they hadn’t worked with the NSA in the past too honestly. It’s invasive, it’s intrusive, and I can live with that.

        They may be our evil overlords, but they’re damn benevolent overlords.

        Now, the NSA on the other hand, that just pisses me off. Every camera on every street is probably streaming into the NSA, and god knows what else. The NSA collects information, but google accepts information. That’s a huge difference. One’s a grabby child grasping at your diddly bits, the other one is a guy on the sidewalk that watches who passes, and gives advice.

    3. Personally it’s all about the services they provide in return. Say the NSA kept a copy of all my data, if they were just doing it behind my back I’d be upset, if however they allowed me access to their backup in case one of my drives failed I’d be fine with it, maybe even pay them as they’d be providing a useful service. The same applies to the government vs corporations for spying, reading my emails? Not cool, reading my emails so you can remind me about tickets to see things, or track my packages for me, totally helpful.

    4. ZigBee? On the horizon? One thing that strikes me about ZigBee is that it’s been “on the horizon” for so long that it seems to be on its way out.

      Also, Google are the sort of company who will decide to leave this open so you can hack it if you want. Unlike those dicks at Apple.

      You’d enjoy The Circle by Dave Eggers – it’s about a company just like the evil Google you describe.

  2. To me this seems like an excellent feature that makes me want to buy a Nest. I could integrate it in to my other automation systems without sending data on my habits to Google.

    I’m a bit concerned how they call this a ‘Vulnerability’. The terminology alone might cause the manufacturer to “fix” this “problem”, and that wouldn’t be so nice.

    If you buy it you should be able to easily pwn it, right guys?

    1. I agree. If disassembly or physical deinstallation is required, then it’s not really a vulnerability anymore unless it’s a device intended to be installed unattended in completely uncontrolled space (e.g. a pay phone, if you’re old enough to remember one).

      Just about anything with a generic microcontroller installed will have a JTAG or similar ISP interface inside somewhere. That’s not a “vulnerability” either.

  3. This is excellent work! I hope it will be possible to add more protocols for unsupported heating equipment.

    All you had to do was follow the damn train cj! — Sorry about this. Couldn’t resist.

  4. Since rooting it allows you to take out the hooks that connect it to Google and manage the device with tools of your own creation, it again begins to sound like something cool to play with.

    @Camel, once it’s rooted and you have SSH services running, you can probably remove or disable DFU if you choose.

  5. Remember citizens, freedom is slavery, ignorance is strength, and big brother knows what is best for you. Google needs more electricity, so everyone’s AC will be turned down a bit in the summer, and heating will be rationed in the winter.

    You can always get more heat/AC by telling google a bit more about yourself. Share your passwords, share your friends.

    Remember, civic deeds do not go unrewarded, and contrarywise, compliance with his cause will not go unpunished. Be safe, be aware.

    1. Totally agree. Put the nest in a faraday shield or come election day if you want hvac you better vote the correct way. The same applies to the smart power meters. Beware if Google starts offering the Nest at a reduced price, 19.95 rather than the 249.00, something is up and it’s not good. 3.2 billion for a thermostat co. when you can replace the one you have for 10.00 at Big Lots? Be safe, be aware and be suspicious.

  6. Can’t you just disable the wifi to keep Google out of your thermostat? it probably isn’t as simple as toggling a button under Settings, but should be possible to do with a hardware or software modification.

  7. Nothing with any network connection will ever enter my household equipment. I know nothing is 100% secure so i just don’t take the risk of someone in romania opening my garage, or heating my house in the summer :-) better safe than sorry..

  8. The Nest itself is a bad idea. Energy savings and comfort are at odds to each other. At best, a machine cannot “learn” your habits and consistently produce an acceptable compromise better than you can. At worst, the complexity required to even attempt it makes the Nest more prone to catastrophic failure; I’ve seen dozens of horror stories of the Nest wreaking havoc.

    At least for those who have already been suckered into paying $250 for a Nest and found it troublesome, this hack potentially provides a way to make it useful.

    And as for the rampant paranoia that dominates the comments here? Sheesh, y’all are nuts. My house is currently 76°F. I had Rice Crispies with sliced banana for breakfast, too. Surely the NSA cares, has recorded this, and will now flag me a terrorist.

    1. my nest has worked out well, our bills dropped and it’s nice to be able to remote control it. you can let it auto learn and it does a pretty good job, then you can go in and tweak the scheduler yourself.

      I’m sure there are horror stories, but then make an idiot proof device, and someone will beat it.

  9. If you’re that paranoid, sniff the traffic off the device and see where it leads. Once you have that information you could deny that device from reaching out of your lan. Google privacy this, google privacy that. You can keep wearing tin foil hats. The rest of us will just be discreet about our communications. Remember if you’re fearful of someone using some information against you, you have something to hide. If you have something to hide, then do not use a public means to transmit that information. Ever heard of face to face? Also google could get statistics from other sources other than directly from the user. Your cable company knows what you watch and targets the advertisements you get. You’re paying those guys to have a large staff on hand tweaking the algorithms to get your adverts.

  10. This is cool, but not really too ‘impressive’… Nest just left open a feature allowing them to flash a custom uboot. I am surprised Nest would keep this functionality in production devices (usually you’d just burn a fuse that the bootrom checks before booting to this mode).

    1. Why should they? They have no particular interest in preventing you from fouling your own nest. It’s not like a BluRay player where they need to protect someone else’s intellectual property from the user to whom they sell the device.

  11. Is there any way to undo the rooting? For instance, if Nest, or Google were to ever deny rooted devices updates of features, or the ability to talk to other Works With Nest devices? I would like to keep my device working in production, but also would like to root it and see what possibilities are out there.

    Also, is there a way to not have the new GTHacker logo on it? I would like it to appear unhacked, and don’t want the logo to scare my kids.

    Lastly, is there any way to get a linux distro and build it from scratch for the Nest so as to know that there are no backdoors built in? Perhaps instructions, from step one on how you went about the hack in addition to just offering the prepackaged hack?

    Thanks

  12. Is there any way to force firmware upgrade from official file on DEMO units? It’s like special Nests for retailers or something with demo mode on by default. It will be useful to have this option because these units available on ebay for 50-60$

  13. Hello, my name is Laura and I am a Computer information systems student at College of Charleston, for a project we are doing this Nest project, is it possible to contact you and get your shell script? please contact me ASAP

  14. With Google ending support in August of 2019 for API access to the Nest thermostat, it seems like this will be very useful. Has any additional progress been made on this project or is the script publicly available? Perhaps publish on GitHub?
