Cloud replacement for vacuum robots enabling local-only operation
View the Project on GitHub Hypfer/Valetudo
Newcomer Guide Why Valetudo? Why not Valetudo? Getting Started Supported Robots Rooting Essentials Buying Supported Robots Media & Content Creators
Implementation Overview Capabilities Overview Upgrading Firmware Updates
Valetudo Companion (Android) Valetudo Tray Companion Valeronoi Lovelace Valetudo Map Card I Can't Believe It's Not Valetudo node-red-contrib-valetudo Fun & Games Other Noteworthy Projects
MQTT Home Assistant Node-RED openHAB
FAQ Style Guide Troubleshooting
Valetudo is the roman name for the greek goddess Hygieia, which is the goddess of health, cleanliness and hygiene.
Yes!
That’s the whole idea behind it.
In Valetudo, there are only two things that connect to the internet:
Additionally, some robot firmwares include connectivity checks that:
8.8.8.8
) <- You can block that but that’s up to you.Firmware ML/AI features such as obstacle avoidance based on AI image recognition will continue to function offline, as such things can’t be cloud based for latency-reasons alone.
The SoCs on the supported robots are more than fast enough to handle such workloads. No cloud required.
No.
Think about it. Why would we go through all this rooting trouble if there was an easier way?
Especially since that easier way is so trivial, everyone has already come up with it 20s after learning about Valetudo existing.
No, life isn’t that simple, sorry. Or not sorry, actually, because that is a good thing. IoT should be secure for the regular user.
It would be terrible if you could easily take over a whole fleet of expensive vacuum robots in peoples home networks just by messing with DNS.
For us as people who want to own our devices it’s bad, yes, but insecure IoT devices aren’t the solution to that.
They being hackable just by-accident happens to be a super inefficient band-aid “solution” with lots of collateral damage.
e.g. regarding End-User privacy, security, DDoS Botnets etc.
The proper solution is strong legislation enforcing product usage either without the cloud or with your own cloud in a controlled fashion right out of the box. The vendor cloud can still be an option, but it must not be the only way to use an IoT Device.
No.
Valetudo does not support bypassing region locks to e.g. use a CN unit outside of CN.
The reasoning behind this stance is that, as it works right now, Valetudo existing does not have any negative impact
on sales for the vendors.
In fact, I’d argue that it has an ever-growing positive impact on their bottom line, because
lots of people buy their products only because they can use it with Valetudo.
However, as soon as you decide to undermine regional pricing strategies of these vendors, you’d be giving them a
very good reason to try their hardest to shut you down. It would be foolish and short-sighted to do that.
On-top, it would also be futile to do that.
You as some rando hacker and developer can’t win against a corporate entity of that scale. At least not long-term.
If you give them (or rather their investors) a business incentive to stop you, they will stop you.
And what would it be good for anyway?
Is allowing a few people to save some minor amounts of money worth souring the relations with the vendors?
Is getting what you want (CN unit with cool features in EU) worth jeopardizing the ability of regular buyers to use their
robot without the cloud?
Yes, I hear you, you bought the HW and now you want total freedom over it because you paid for it.
It’s an understandable perspective, but that’s not how the world works. And - most importantly - you won’t be able to change
how the world works by just forcefully trying to get what you want without considering the needs of other parties involved.
While Valetudo tries its best to be generic and reuse code wherever possible, since it is not a custom firmware, the backend is basically a few huge chunks of code that are very specific to the respective vendor firmware and cloud architecture they try to emulate.
Supporting any new vendors is thus quite a large task because not only requires it to write large parts of the backend again from scratch but also do the reverse engineering of data formats, authentication, communication and various functionality with no documentation from the vendor available.
It’s a time-consuming process that mostly involves random chance and that can only start once security vulnerabilities leading to system administrator level access on the hardware in question has been found. A similar reverse-engineering process without any documentation that is also quite time-consuming and mostly involves random chance.
Valetudo only runs on the supported robots because security researcher Dennis Giese found ways to root them.
Rooting in this context means taking these locked-down IoT devices, finding and exploiting security flaws in their design and gaining permanent system administrator level access to them to allow for running additional custom software such as Valetudo and modifying the system to make the unclouding possible.
These security flaws are all 0days of which we sometimes need multiple to achieve the rooting.
They’re also specific to one specific vendor’s implementation of something on one specific piece of hardware.
With a public root release, these get burned and usually quickly fixed by the vendors, making finding a working exploit chain for newer models after the release harder or sometimes even impossible.
Therefore, please refrain from asking if something that isn’t on this list is supported.
Please do not ask if someone “tried” it. Please do not state that you would like it if something would be supported.
Without explicitly mentioning this, readers often expect that something not being supported just means that no one has tried it yet, which is more akin to how e.g. running GNU+Linux on some random laptop works.
Thank you for your understanding
Because it would be harmful to have that.
You see, people in general are lazy.
The laziest of the lazy people then usually become programmers and the laziest of those then become the very good programmers.
This is because as a programmer, if you do it right, you only once have to teach a computer how to do something and after that it will just do its thing and you can return to doing nothing. But you can only do nothing in peace if you can ensure that the computer will actually do its work correctly.
Because of that, you’ll try your hardest to build bug-free software that just works because the last thing you want to do is actually work in front of a computer.
This inherent drive to not work at all and especially not with computers is the feedback loop and incentive system that creates great software.
So what happens if instead of spending 12h debugging some arcane network-related issue that deadlocks the system on each tuesday when there’s a full moon, you could just add a nightly reboot?
You’re a programmer. You’re lazy. Which option do you pick?
Exactly. You do the auto-reboot thing, shrug, say “eh, good enough” to yourself and then return to not working.
But what else did you do?
Adding a reboot button is accepting mediocrity. It’s accepting that you won’t understand what is going on. You just decide to not bother.
And that can be a reasonable choice depending on your situation.
For example, if you’re business, it might just make financial sense to just reboot instead of dumping a few hundred engineering hours into a rabbit hole. “Good enough” is all you need to sell a product.
You might also just be some hacker that wanted to solve an issue in a “good enough” way. That’s also fine. You don’t have to always go the extra mile. That doesn’t scale. Good enough can be good enough.
With Valetudo however, I don’t want the project to just be “good enough”. I want it to be great - or at least strive towards being that.
Because of that, there can’t be a reboot button, since as soon as there is one, things will just not get fixed, improved or even just reported anymore.
While this could be a text about why HTTPS isn’t really required for the Valetudo use-case, a more interesting answer is the following:
Because unfortunately, the way HTTPS is spec’d simply does not really account for private local usage.
What do I mean by that? Well if you think about how properly implemented HTTPS works, you’ll see the following:
You have a public-facing host with a globally unique identity (the Domain)
provided by some kind of global authority (the Institution behind the TLD)
that
is aware of your identity in exchange for a monthly rent.
Before LetsEncrypt or if you’re a serious entity, you’d also have another global authority (the Certificate Authority)
that is aware of your identity
who issues and assures a different globally unique identity (the Certificate)
based on the other globally unique identity (the Domain)
in exchange for a monthly rent.
If all of these things have a nice green check mark ✅, everything is fine. If not, however, the browser will do everything it can to stop your grandma from giving away her credit card information to a talking moose.
This is great if HTTPS is something exclusively used by serious institutions like your bank as it was before Snowden 2013.
However, it is not great if HTTPS is used everywhere for everything, because of all the global, public and rental components in there.
IMO, it really shows that the protocol has never fully left its historic roots behind. It solved the problems at the time and since then we’ve been modifying our problems so that they fit the existing solution by just putting everything into the cloud.
Yes, there are indeed workarounds. But, as the word states, they are just workarounds around a problem that needs fixing.
I’m sure that there are more options, but they all have one thing in common:
They’re not a solution. They’re all hacks that require money, knowledge, maintenance and (cloud) infrastructure.
They might be good enough most of the time, but they still suck in one way or another.
Well.. does it really?
Did you ever ssh into a raspberry pi sitting next to you?
That connection was secure, wasn’t it? And yet the thing was entirely local.
Imagine ssh having the same requirements as https.
Imagine it throwing the same big red warnings at you every time you use it without some public cloud identity that costs money.
Because why wouldn’t you imagine it. What makes it different?
The problem space it solves certainly is quite similar in that regard at least.
Yes, your grandma isn’t doing online banking over ssh, but is your grandma really the only stakeholder we should be considering in how we design basically all our software and connectivity?
After all, everything is HTTPS so shouldn’t HTTPS also be for everything?
One approach could be to un-hack the hacks and take the pain out of running a CA at home similar to what LetsEncrypt did for everything non-local. Make that something mere mortals can do. Make it so easy, it could be a feature of a prosumer router. Make it something that works reliably 10 years into the future.
My vision there would be to have a CA-in-a-Box that is e.g. just a Docker Image that you spin up and then point all your
IoT devices to so that they can pull certs via ACME or similar.
Management, metrics etc. would be done via a Webinterface and that Webinterface also comes with a Help section where you
get step-by-step guides on how to install the root cert written for all relevant devices (Android, iOS, Windows, Mac, etc.)
And with that, you suddenly have HTTPS at home in a way that works, that scales and that doesn’t require constant maintenance.
I’m sure that there are other approaches as well, however, I actually quite like this one, because it doesn’t require any change of the spec itself. It could be implemented right now. We have everything we need to do so. It’s not even that complex.
We could have proper offline, anonymous, accessible, compliant and cloud-free HTTPS at home tomorrow. Someone simply needs to do it. However, that will never happen if we always resort to workarounds that are just “good enough” and then not bother anymore.
Because I don’t want the app to be a paid yearly subscription supporting only some small garage startups in Cupertino and not the actual project.
You might not be aware of this, but since there’s no sideloading and no alternative stores on iDevices, the only way to get your software on there is through the official distribution channel of the vendor which comes with a yearly 80€ fee.
Furthermore, development for iApps can only be done on a Mac which needs to be bought and also won’t last forever. Assuming a reasonable 5 years of lifetime for the hardware, picking the cheapest Mac mini and a 2-gen-behind base-spec iPhone, at the time of writing, I end up with this calculation for 5 years:
Sum: 1828€
This money needs to be earned somehow, and it needs to be earned yearly, which forces you to find some way of generating recurring revenue - something I do not want to do with this project.
Fine. If you insist, we can go along with that:
Excluding any compensation for my time spent on actually building and supporting that app, by dividing that number by 5, you end up with 365.50€. 365.50€ that would need to be donated or paid by users every year just so that I don’t lose money out of my own pocket on paying the cloud landlord for wanting to exist.
But it gets worse, because the platform also takes a 15% (previously 30%) fee on everything sold there, meaning that people would actually have to buy apps/subscriptions for 420.44€ every year; all of it ending up at the platform and nothing benefiting the actual project people would’ve wanted to support.
Imagine donating 10€ to a FOSS project you really liked and wanted to support only to then a little while later discover that you’ve actually been donating to billion-dollar big tech destroyers of worlds all along.
Now imagine 40+ people living through that every year for 5 years.
And after those 5 years, the App just vanishes from the storefront with no way of installing it anymore.
Sounds quite crushing, doesn’t it?
No! You don’t.
The app is just being used for robot discovery on your network and can be completely replaced by
OR
All the android one does is discover Valetudo instances and then open a browser.
You already have a browser on your iDevice.
…though, one that is frequently broken with no way for you to switch to a different browser, because on iDevices, every browser is Safari as required by the ToS of their digital storefront.
There is no Blink or Gecko. There’s only Apples special blend of WebKit including all its bugs and quirks.
But this is a different rant.
On Android, it’s different:
With effectively no barrier of entry, you can just start hacking something together without first having to worry about some kind of business plan ensuring recurring revenue. This allows for creation of tools that on other platforms would never exist because you just can’t (or don’t want to) monetize them.
While Google - as all big tech - is of course following the exact same playbook, slowly chipping away at all that, for now at least, it’s way less bad and thus the best and only thing we have. :(
Just for reference, I’m not interested in any special Apple sponsorships or donations of iHardware.
If you even think about doing that, you’ve completely missed the point of the previous wall of text.
It’s not about money. It’s about not enabling these business practices.
Further reading:
A few reasons, actually.
The most important one being that Matter attempts to be a solution to a problem Valetudo simply doesn’t have. Any smarthome software that respects you and thus is suited to run something as vital to your life as your home already has open interfaces where you can connect Valetudo. We’ve had them since years. Decades even.
The only “smart” home “solutions” that won’t nicely integrate with FOSS are those cloud-based Big Tech ones and supporting these is a strong non-goal for the project for obvious reasons. Besides, why would you even uncloud to then recloud again? The stock vendor apps for our vacuum robots already integrate with Google Home/Alexa/etc.
Secondly, if you look at the spec, you’ll find that Matter was designed exclusively to solve Big Techs use-case of being able to talk to other Big Tech products. This of course didn’t happen because they wanted to but because it was the absolute bare minimum they had to do. Customers disliked the interoperability issues of IoT crap so much that they decided to just don’t buy any IoT products at all anymore.
If you look at the Matter spec, this shows, because you’ll see that to use it, you will need one of the 65535 possible Vendor IDs that you can get for $7000 a year from the Connectivity Standards Alliance that is behind Matter. A maximum of 65535 Parties forever and all of them required to pay thousands of dollars yearly for the right to use a protocol.
Does this sound open to you? Does this sound like something designed to “solve smarthome” in a way that goes beyond the needs of few large corpo players?
Nearly everything FOSS you’ve seen so far that talks Matter uses one of the reserved “Test Vendor 1-4” Vendor IDs that are supposed to be used for development only. Don’t think that is the intentional escape hatch for that fee though, because the vendors thought of that.
If you want to use your home-built Matter device with Google Home, you will have to jump through 6(!) hoops for every single device you want to use as documented in the Tasmota documentation. It is only a matter (heh) of time until the other Vendors will follow. So much for an “open standard”.
And even if you don’t want to build your own devices, remember that with Matter, you will still need all the vendor apps
for most product features because anything beyond the basics can’t be exposed via matter.
“Solving smarthome” but you’ll still need all the vendor apps with all their accounts. What was the point of it again?
Lastly, if you’ve followed the launch of Matter and are also following the current state of it, you will see just
how much of a dumpster fire that is. It just doesn’t work even for the bare minimum it promised to do.
By-design of the spec, it is unsuited to solve what people wanted it to solve and yet even the tiny subset that it would want to solve doesn’t work properly.
Matter is purely marketing that doesn’t deliver on any of its promises. Don’t let it fool you. Especially since the real thing is already here.
The FOSS smarthome actually is what Matter pretends to be. It’s here right now and has been since years.
The following was a reply by me to a reddit post titled "What do you folks think of Valetudo's criticism of Matter/Thread?":
Please keep in mind that the FAQ entry exists as a defense against hyped people wanting Matter support in Valetudo. The takeaway shouldn't necessarily be that Matter is genuinely bad. It's just bad for the use case.
Personally, I don't think that Matter is terrible. For what it is, it is a step forward.
It's a small step and it shouldn't be how it is in the first place, but as things are the way they are, it's a good development that the big tech vendors are opening up their devices even if it's just a little.
I also think that It's a very good thing that Nabu Casa is a member of the CSA-IOT (the standard body behind Matter) and does what they can to influence Matter to be as useful and local (and open?) as they can get it to be.
Without them, it would probably only be cloud-based big tech speaking with other cloud-based big tech.
One unfortunate downside of that however is that their involvement with Matter breaks the "if HA endorses it, it must be open, good and correct" heuristic people in this space tend to rely on.
Thus, what I'm missing a bit from Nabu Casa there is the "hey, this is bad and we know that this is bad but we're doing it anyway so that it is less bad for the community" talk. But otoh that's just me the idealist rambling while they are out there actually making real money to feed their families with something that is foss but also a commercial product.
Anyway, Matter hasn't failed and also isn't useless.
It isn't "the solution to smarthome" as it is being sold all the time though either.
It's somewhat local APIs for products that would otherwise never gain those and that's definitely a good thing.
The better thing however would be to not buy products like that in the first place. Because why buy something that does the absolute bare minimum? Why give people money for something that is actually bad but by pure circumstance became less bad?
If you want a takeaway about Matter (or anything in this space, really) then it's that you shouldn't get hyped up about new thing by people pretending to be tech journalists that are actually just an extension of the marketing team of whatever electronics manufacturer they're reporting about.
Just see and wait how things develop. Do not buy based on hype.
Well, you see, software developers are actually artists.
They create something out of nothing just by using their imagination and inspiration from the real world.
This also shows in their general views, sleep cycle etc. etc. which all tend to match the ones of people working in creative jobs/projects much more than the ones of people that work in “regular” jobs.
As with every piece of art, there’s always a part of the creator in it.
If you take the creator away mid-creation and replace them with someone else, the piece also becomes something else.
Even if you try to emulate what there was previously, the result will still be something different.
Worse, the result will not only be something different but also limited by the constraint of trying to be how it was before,
even though it could be so much more if it was to stand on its own instead of just continue what came before.
This is the main reason why there won’t ever be a maintainer handover. Because doing that is impossible.
As soon as you hand over maintainership, the old thing is gone and something new emerges.
And, as said, that’s bad.
Not only because it limits what the new thing could become but also because name, branding, website, etc. still imply
that it’s the same old thing. It creates a deceptive mismatch of what people expect vs what is the actual reality.
This is not only a theoretical issue. It is something that is being exploited in various ways all the time in the real world.
For example:
I don’t plan to stop maintaining Valetudo in the foreseeable future. I like maintaining Valetudo.
However, reality exist, diseases exist, buses that can run you over exist, jobs change, priorities change etc etc.
If for whatever reason I will stop maintaining Valetudo, Valetudo will die.
At that moment, it will be over.
However, since it’s foss, its spirit will live on.
Someone can and will pick it up, slap a new name on it - clearly communicating that change - and then life will go on.
Therefore, I’m not worried about “not having a contingency plan” or “not having any additional maintainers”, because the license is the contingency plan.
It’s not a fallback either. It’s the best contingency plan there can be.
Cloud replacement for vacuum robots enabling local-only operation
View the Project on GitHub Hypfer/Valetudo
Newcomer Guide Why Valetudo? Why not Valetudo? Getting Started Supported Robots Rooting Essentials Buying Supported Robots Media & Content Creators
Implementation Overview Capabilities Overview Upgrading Firmware Updates
Valetudo Companion (Android) Valetudo Tray Companion Valeronoi Lovelace Valetudo Map Card I Can't Believe It's Not Valetudo node-red-contrib-valetudo Fun & Games Other Noteworthy Projects
MQTT Home Assistant Node-RED openHAB
FAQ Style Guide Troubleshooting