Xiaomi Scooter Firmware Hacking Gets Hands-On

A Xiaomi 3 Lite dashboard with the panel taken off and the PCB visible, four wires connected to the SWD header.

Scooter hacking is wonderful – you get to create a better scooter from a pre-made scooter platform, and sometimes you can do that purely through firmware modifications. Typically, hackers have been uploading firmware using Bluetooth OTA methods, and at some point we’ve seen the always-popular Xiaomi scooters starting to get locked down. Today, we see [Daljeet Nandha] from [RoboCoffee] continue the research into the new Xiaomi scooter realities, where he finds that SWD flashing is a far more viable avenue than we might’ve expected.

[Daljeet] starts with an introductory post about the recent generation of Xiaomi scooters manufactured by Brightway – specifically, the Xiaomi Electric Scooter 3 Lite, 4 (Canada) and 4 Pro. He’s found that the pairing procedure has had its security greatly improved, with a crypto coprocessor chip added into the equation – the usual OTA route for firmware mods is, indeed, closed off. Still, he gives us a breakdown of the scooter’s overall architecture, with a trove of information like register maps, UART captures, firmware analysis and hardware pictures. Then, it’s time to probe the chips involved in making the scooter tick.

Both the dashboard chip (“BLE”) and the ECU chip (“MCU”) have an SWD interface exposed, and that’s where [Daljeet] hits the jackpot – neither of them enables the usual tinkering-disrupting mechanisms like firmware readback protection or flash encryption, things normally switched on as part of a routine pre-release checklist. The firmware updates are useful, too – while they are signed, they are not encrypted, so it’s trivial to disassemble them for your own firmware experiments. What’s more, since SWD writes flash directly rather than going through the update path, [Daljeet] has also verified that the BLE firmware, responsible for most of the scooter’s logic, can be modified and flashed back!
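The “signed but not encrypted” observation is the kind of thing you can triage on a dumped image before you ever open a disassembler: ciphertext is near-uniform random, code and string tables are not. The scanner below is an added example, not code from the original write-up or from [Daljeet]’s tooling. It walks an image in fixed-size blocks, measures Shannon entropy per block, and merges runs into “plain” and “opaque” regions. Every byte in it is constructed here (a repeating Thumb-2 function stub plus a `.rodata`-style string, then a SHA-256 chain standing in for ciphertext or a signature blob), not scooter firmware; the 1 KiB block size and the 7.0 bits/byte threshold are assumptions, not values from the article.

```python
import hashlib
import math
from collections import Counter

# Constructed sample data, NOT bytes from any scooter firmware (assumption for
# illustration only). The "plain" region repeats a small Thumb-2 stub
# (push {r7,lr}; add r7,sp,#0; movs r3,#0; mov r0,r3; pop {r7,pc}) plus a
# .rodata-style string; the "opaque" region is a SHA-256 chain standing in
# for an encrypted payload or a detached signature blob.
THUMB_STUB = b"\x80\xb5\x00\xaf\x00\x23\x18\x46\x80\xbd"
_chunk = THUMB_STUB * 40 + b"plaintext string in .rodata\x00"
PLAIN_REGION = (_chunk * (4096 // len(_chunk) + 1))[:4096]          # 4096 bytes
OPAQUE_REGION = b"".join(
    hashlib.sha256(b"constructed-" + str(i).encode()).digest() for i in range(64)
)                                                                    # 2048 bytes
SAMPLE_IMAGE = PLAIN_REGION + OPAQUE_REGION

BLOCK_SIZE = 1024   # assumption: coarse enough that a block of real code never looks random
THRESHOLD = 7.0     # bits/byte; assumption: 1 KiB of ciphertext measures roughly 7.8


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def classify_regions(image: bytes, block_size: int = BLOCK_SIZE,
                     threshold: float = THRESHOLD):
    """Label each block 'plain' or 'opaque' and merge adjacent blocks with the
    same label. Returns [(start, end, label), ...] covering the whole image."""
    regions = []
    for off in range(0, len(image), block_size):
        end = min(off + block_size, len(image))
        label = "opaque" if shannon_entropy(image[off:end]) >= threshold else "plain"
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)   # extend the current run
        else:
            regions.append((off, end, label))
    return regions


def opaque_fraction(image: bytes, **kw) -> float:
    """Share of the image that sits in high-entropy regions."""
    total = len(image) or 1
    return sum(e - s for s, e, lbl in classify_regions(image, **kw) if lbl == "opaque") / total


def looks_encrypted(image: bytes, cutoff: float = 0.9, **kw) -> bool:
    """A fully encrypted image is opaque nearly everywhere; a signed-but-plaintext
    image is mostly 'plain' with at most a small opaque tail."""
    return opaque_fraction(image, **kw) >= cutoff


if __name__ == "__main__":
    for start, end, label in classify_regions(SAMPLE_IMAGE):
        print(f"0x{start:06x}-0x{end:06x}  {label}")
    print("whole image looks encrypted:", looks_encrypted(SAMPLE_IMAGE))
```

Two caveats a practitioner should keep in mind. First, compressed data measures as opaque just like ciphertext, so an “opaque” verdict is not proof of encryption; check for compression magic before concluding anything. Second, at 1 KiB granularity a signature of a few dozen bytes appended to an otherwise plaintext image will not register as its own region; shrink the block size near the tail, or compare the file length against whatever payload length the update header declares, if you want to isolate it.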

No doubt, this is a great start for anyone looking for a scooter platform to hack on, firmware-wise. While the need for SWD flashing raises the bar for modification, as [Daljeet] found last year, it’s not much of a barrier – nowadays even a Pi Pico can act as an SWD adapter. Xiaomi has its hands in many markets, and hackers keep up – in case scooters aren’t your cup of tea, you can brew one in a hacked Xiaomi kettle, making sure it’s just the right temperature with the help of a hacked Xiaomi thermometer.



Source: Manila Flash Report