So, you all know about that OnHub I got and hacked, right? No? Well, here's a refresher on everything since I can't remember if I even mentioned it here:
Back in 2014, Google partnered up with TP-Link and Asus to make two WiFi routers. They have the same software, and practically the same specs. I have the TP-Link version (I nicknamed it "the wifi vase" since it looks kind of like a vase)
Then later in 2016, Google released a newer version that could also provide mesh networking, and the hardware was also made in-house. They called it Google WiFi, and every unit could act as either the "main router" (the first one you set up, plugs into your modem) or an extender (aka "WiFi point") and all could be connected over ethernet.
And then in 2019, they made a newer version called Nest WiFi. Pretty much the same but with better range, and the WiFi points had a Google Assistant speaker built-in (though no ethernet ports. You can still use multiple Nest WiFi routers to extend the network both over wireless or via ethernet if needed)
Now, what do they all have in common? (aside from all needing to be configured through an app, and having their software being made by Google)
They all run Chrome OS on the inside. You're reading that right! These things (minus the Nest WiFi Points, which seem to be running a different OS, Android Things possibly?) are all Chromeboxes in a Router's clothing! And there's already guides on hacking the Asus/TP-Link OnHubs, and the 1st version of Google WiFi. (they re-released Google Wi-Fi as a cheaper option, but replaced the USB-C power port with a barrel jack)
But there's no guide for Nest WiFi, so how do I know it still runs Chrome OS? Well, a few things lead me to that, actually, in addition to it still having its roots in being an OnHub, (including having a Thread radio!!) despite them making Nest WiFi networks and OnHubs incompatible for no good reason??
First, let's look at the evidence for Nest WiFi just being an OnHub with some of the IO gone and in a different shell.
1. Evidence that proves the Nest router is just a newer OnHub.
Here, Windows Explorer lists the router as an OnHub (rather than saying "Nest WiFi")
My PC isn't connected to the hacked OnHub I have; it's wired (mostly) directly into the Nest router over ethernet. And if we open the properties...
It even lists the website for the original OnHub! (I'm guessing Google planned to make wayyyy more products under the "Google On" brand. I wish I could've seen that.)
It also lists "testwifi.here" which all 3 generations of WiFi routers have.
Going to that link, we see this:
(going to the router's IP address also brings you here, by default it's 192.168.86.1)
It says to get the Google WiFi app (which is wrong since you actually need the Home app for setup and management) and the page's Favicon is the Google On logo!
Now, here's why I know it runs Chrome OS internally:
2. Evidence that almost, if not fully, proves this thing runs Chrome OS inside.
First, let's look at how I had to get my OnHub into developer mode to get it to boot from USB:
1. Hold down the factory reset button until the light ring starts flashing red.
2. Plug in a USB keyboard, and press CTRL + D (Command + D if using a Mac style keyboard) until the light ring starts flashing Purple (why it ourple)
3. Press the developer mode switch on the OnHub (hidden under the rubber foot + a screw on the bottom of TP-Link OnHubs, but is inside the OnHub on the Asus ones)
4. Unplug USB keyboard and power from the OnHub, then plug in the USB for it to boot from. Bam.
(You still need to crack it open to be able to write to the internal flash, but I'll save that for a later blog post)
Now, let's look at THIS Google support article: (https://support.google.com/googlenest/answer/6246619)
(instructions to factory reset an OnHub)
(Instructions to factory reset a Nest WiFi router)
Seems familiar, doesn't it?! Now, let's look at documentation from The Chromium Projects! (https://www.chromium.org/chromium-projects/)
Going to https://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices/, one of the first things we see is a list of routers!
I really like how these all have weather themed codenames (Minus the Asus OnHub which seems to be a Batman reference? Strange..)
Whirlwind, Storm, Gale, Mistral.. It just makes sense seeing how they're pushing WiFi through the air (or wind I guess)
Now, you've probably noticed that there's a hyperlink for the Nest router! Clicking that just takes us to the Google Store page to buy one.
The ONLY link in that table that leads to more docs is the OnHub one. (The 3 links above the table go to store pages for each router, minus the onhub link which goes to on.google.com/hub/)
While we're still at chromium.org, can I just point out that the first Chromebook was codenamed "Mario"?
Now, you're probably saying: "But Jeffy!! I have a Google WiFi Point/Nest WiFi Router and the only button on it is the factory reset!!"
That's because you're too much of a coward to crack the damn thing open! That's right, the developer mode button is INSIDE the router!
How do I know this? Thanks to the FCC! What, you thought that I was going to give MY WiFi Router the 'ole Hatchet Treatment™? Hell no! That thing's $150! And I have no spares.
Anyway, going to https://fccid.io/A4R-H2D/Internal-Photos/A4R-H2D-IntPho-4449852 will show us the gory computer gutz of this wonderful little thing. (there's also some pictures of the outsides of it, click here for that)
I'll just skip to the interesting parts. Also, it's actually quite clever that they called it an "Interactive internet streaming device" instead of a router like they did for Google WiFi. Almost like they knew someone like me was going to poke around in there looking for pictures of the innards.
First, here's a chart of what we usually see on the bottom of the Nest router. (The "port" marked with orange isn't normally visible. IDK what it's for, maybe UART?)
Now, a chart I've made of the innards.
Kinda neat, huh? I think I'm probably the first person to even post this stuff. Maybe someone smarter than me can use this info and hack theirs.
OH! Also I think those golden holes in the board are probably where the security screws go to enable the firmware write protection.
Alright, see you guys next time!