A breakthrough in modding Google's WiFi routers. I think?

So, you all know about that OnHub I got and hacked, right? No? Well, here's a refresher on everything since I can't remember if I even mentioned it here:

Back in 2014, Google partnered up with TP-Link and Asus to make two WiFi routers. They have the same software, and practically the same specs. I have the TP-Link version (I nicknamed it "the wifi vase" since it looks kind of like a vase)
Then later in 2016, Google released a newer version that could also provide mesh networking, and the hardware was also made in-house. They called it Google WiFi, and every unit could act as either the "main router" (the first one you set up, plugs into your modem) or an extender (aka "WiFi point") and all could be connected over ethernet.
And then in 2019, they made a newer version called Nest WiFi. Pretty much the same but with better range, and the WiFi points had a Google Assistant speaker built-in (though no ethernet ports. You can still use multiple Nest WiFi routers to extend the network either over wireless or via ethernet if needed)

Now, what do they all have in common? (aside from all needing to be configured through an app, and having their software made by Google)
They all run Chrome OS on the inside. You're reading that right! These things (minus the Nest WiFi Points, which seem to be running a different OS, Android Things possibly?) are all Chromeboxes in a Router's clothing! And there are already guides on hacking the Asus/TP-Link OnHubs, and the 1st version of Google WiFi. (they re-released Google Wi-Fi as a cheaper option, but replaced the USB-C power port with a barreljack)
But there's no guide for Nest WiFi, so how do I know it still runs Chrome OS? Well, a few things lead me to that, actually, in addition to it still having its roots in being an OnHub, (including having a Thread radio!!) despite them making Nest WiFi networks and OnHubs incompatible for no good reason??
First, let's look at the evidence for Nest WiFi just being an OnHub with some of the IO gone and in a different shell.

1. Evidence that proves the Nest router is just a newer OnHub.
Here, Windows Explorer lists the router as an OnHub (rather than saying "Nest WiFi")
1644453358336.png


My PC isn't connected to the hacked OnHub I have; it's wired (mostly) directly into the Nest router over ethernet. And if we open the properties...
1644453474342.png

It even lists the website for the original OnHub! (I'm guessing Google planned to make wayyyy more products under the "Google On" brand. I wish I could've seen that.)
It also lists "testwifi.here" which all 3 generations of WiFi routers have.

Going to that link, we see this:
1644453616238.png

(going to the router's IP address also brings you here, by default it's 192.168.86.1)
It says to get the Google WiFi app (which is wrong since you actually need the Home app for setup and management) and the page's Favicon is the Google On logo!

Now, here's why I know it runs Chrome OS internally:

2. Evidence that almost, if not fully, proves this thing runs Chrome OS inside.
First, let's look at how I had to get my OnHub into developer mode to get it to boot from USB:
1. Hold down the factory reset button until the light ring starts flashing red.
2. Plug in a USB keyboard, and press CTRL + D (Command + D if using a Mac style keyboard) until the light ring starts flashing Purple (why it ourple :rofl2:)
3. Press the developer mode switch on the OnHub (hidden under the rubber foot + a screw on the bottom of TP-Link OnHubs, but is inside the OnHub on the Asus ones)
4. Unplug USB keyboard and power from the OnHub, then plug in the USB for it to boot from. Bam.
(You still need to crack it open to be able to write to the internal flash, but I'll save that for a later blog post)

Now, let's look at THIS Google support article: (https://support.google.com/googlenest/answer/6246619)
1644454310185.png

(instructions to factory reset an OnHub)

1644454483359.png

(Instructions to factory reset a Nest WiFi router)

Seems familiar, doesn't it?! Now, let's look at documentation from The Chromium Projects! (https://www.chromium.org/chromium-projects/)
Going to https://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices/, one of the first things we see is a list of routers!
1644454805590.png

I really like how these all have weather themed codenames (Minus the Asus OnHub which seems to be a Batman reference? Strange..)
Whirlwind, Storm, Gale, Mistral.. It just makes sense seeing how they're pushing WiFi through the air (or wind I guess)

Now, you've probably noticed that there's a hyperlink for the Nest router! Clicking that just takes us to the Google Store page to buy one.
The ONLY link in that table that leads to more docs is the OnHub one. (The 3 links above the table go to store pages for each router, minus the OnHub link which goes to on.google.com/hub/)
While we're still at chromium.org, can I just point out that the first Chromebook was codenamed "Mario"?
1644455166847.png

Now, you're probably saying: "But Jeffy!! I have a Google WiFi Point/Nest WiFi Router and the only button on it is the factory reset!!"
That's because you're too much of a coward to crack the damn thing open! That's right, the developer mode button is INSIDE the router!
How do I know this? Thanks to the FCC! What, you thought that I was going to give MY WiFi Router the 'ole Hatchet Treatment™? Hell no! That thing's $150! And I have no spares.

Anyway, going to https://fccid.io/A4R-H2D/Internal-Photos/A4R-H2D-IntPho-4449852 will show us the gory computer gutz of this wonderful little thing. (there are also some pictures of the outsides of it, click here for that)
I'll just skip to the interesting parts. Also, it's actually quite clever that they called it an "Interactive internet streaming device" instead of a router like they did for Google WiFi. Almost like they knew someone like me was going to poke around in there looking for pictures of the innards.

First, here's a chart of what we usually see on the bottom of the Nest router. (The "port" marked with orange isn't normally visible. IDK what it's for, maybe UART?)
1644457532114.png


Now, a chart I've made of the innards.

1644458523372.png


Kinda neat, huh? I think I'm probably the first person to even post this stuff. Maybe someone smarter than me can use this info and hack theirs.
OH! Also I think those golden holes in the board are probably where the security screws go to enable the firmware write protection.
Alright, see you guys next time!

Comments

Aw fuck, I hit post on accident! DON'T LOOK!!! IT'S NOT DONE D:
Edit: Okay! It's done now. Feel free to look now!
 
Very cool guide :P although I wouldn't trust google with my data it's funny that they're using chrome os, most likely it's going to be a super stripped down terminal version but still cool :D
 
Funny you say that, because on the OnHub I hacked, it IS just a Linux terminal! (no apt though, this isn't yo mama's Debian distro)
Though, since it has curl, and through that, Chromebrew (Like Homebrew on Macs, but for Chrome OS) I'm wondering what'll happen if I install a desktop environment + remote desktop software. (preferably Chrome Remote Desktop, though seeing as that was like going to hell and back just to get it working on Ubuntu, maybe not)
IDK how to get to its terminal over SSH (I've only really ever used SSH like, once when playing around with my Lego EV3 kit) so I just use telnet. Not as secure, but who cares if it's a direct ethernet connection?
 

Blog entry information

Author
jeffyTheHomebrewer