NoLongerEvil-Thermostat – Nest Generation 1 and 2 Firmware

Project approach & technical details

  • The current image is largely stock Nest Gen1/2 firmware with a small boot script (/bin/nolongerevil.sh) added.
  • That script injects its own trust material and overrides DNS/hosts so traffic for Nest’s cloud (e.g., frontdoor.nest.com) is redirected to a hard‑coded IP of the new backend.
  • A fake Nest root CA is added so the device will trust certificates from the new server; this effectively subverts the original TLS trust chain.
  • Exploitation relies on known Nest bootloader vulnerabilities (via OMAPLoader) to gain filesystem access. Some are surprised it’s this easy to replace the root of trust; others note most IoT gear doesn’t pay for robust secure boot.
  • Multiple people see this as a stepping stone toward full custom firmware and/or MQTT integration, possibly with Home Assistant.
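
One way to check the "largely stock plus a small boot script" description before flashing is to diff the extracted root filesystem against a stock one and list any non-loopback hosts entries. This is an added example, not code from the project. It assumes the changes are visible as files in the image; only /bin/nolongerevil.sh and frontdoor.nest.com come from the text above, while the sample trees, the certificate path, the file contents and the 192.0.2.10 address are constructed.

```python
import hashlib, os, tempfile
from pathlib import Path

def digest_tree(root):
    """Map every file and symlink under root to a SHA-256 hex digest.
    A symlink is hashed by its target string and never followed."""
    out = {}
    for d, dirs, files in os.walk(root):
        for name in files + [n for n in dirs if os.path.islink(os.path.join(d, n))]:
            p = os.path.join(d, name)
            data = os.readlink(p).encode() if os.path.islink(p) else Path(p).read_bytes()
            out[os.path.relpath(p, root).replace(os.sep, "/")] = hashlib.sha256(data).hexdigest()
    return out

def diff_rootfs(stock, modified):
    """Report paths added, removed or changed relative to the stock tree."""
    a, b = digest_tree(stock), digest_tree(modified)
    return {"added": sorted(set(b) - set(a)),
            "removed": sorted(set(a) - set(b)),
            "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p])}

def hosts_overrides(root, rel="etc/hosts"):
    """Return (ip, name) pairs from a hosts file, skipping loopback entries."""
    path, pairs = os.path.join(root, rel), []
    if os.path.isfile(path):
        with open(path) as f:
            for line in f:
                fields = line.split("#", 1)[0].split()
                if len(fields) > 1 and not fields[0].startswith(("127.", "::1")):
                    pairs += [(fields[0], n) for n in fields[1:]]
    return pairs

def build_sample(base):
    """Constructed sample trees; paths, contents and the IP are placeholders."""
    stock = {"etc/hosts": "127.0.0.1 localhost\n", "bin/init": "stock\n",
             "etc/ssl/certs/root.pem": "STOCK-CA\n"}
    mod = dict(stock, **{"bin/nolongerevil.sh": "#!/bin/sh\n",
                         "etc/ssl/certs/added-root.pem": "ADDED-CA\n",
                         "etc/hosts": "127.0.0.1 localhost\n192.0.2.10 frontdoor.nest.com\n"})
    for tree, files in (("stock", stock), ("modified", mod)):
        for rel, text in files.items():
            p = Path(base, tree, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
    return os.path.join(base, "stock"), os.path.join(base, "modified")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        stock, modified = build_sample(tmp)
        print(diff_rootfs(stock, modified), hosts_overrides(modified))
```

Every path in the "added" and "changed" lists is worth reading by hand, since a boot script can also rewrite hosts or trust material at runtime without those changes appearing in the static image.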

Open source, trust, and “no longer evil” claims

  • The backend server and code are not yet open source. The site promises they’ll be released “soon,” after a community bounty is processed.
  • Several commenters are uneasy that users are currently trading Google’s proprietary cloud for another opaque service without a privacy policy or self‑hosting support.
  • Others argue the reverse‑engineering work is substantial and that early imperfect releases are still valuable.
  • There is debate over whether this qualifies as “new firmware” for bounty purposes, given it mostly redirects traffic rather than replacing Google’s code.

Reactions to Google EOL and e‑waste

  • Many owners feel burned by Google disabling cloud functionality, saying they’ll avoid future Google hardware and prefer devices that integrate locally with Home Assistant.
  • Some insist the devices aren’t literal e‑waste because the thermostat still functions offline, but others counter that the premium price was for now‑removed “smart” features.

Alternatives, DIY efforts, and safety

  • Recommendations center on Z‑Wave/Zigbee/Matter thermostats with local control, especially Honeywell T6 Pro, Venstar, and various OpenTherm or EMS-ESP boiler controllers.
  • Some are designing replacement PCBs and fully custom firmware for Nest hardware.
  • Commenters stress HVAC safety, especially with gas systems, and urge the project to add explicit “no warranty” licensing and legal disclaimers.