Xiaomi Scooter Firmware Hacking Gets Hands-On

Scooter hacking is wonderful – you get to create a better scooter from a pre-made scooter platform, and sometimes you can do that purely through firmware modifications. Typically, hackers have been uploading firmware using Bluetooth OTA methods, and at some point, we’ve seen the always-popular Xiaomi scooters starting to get locked down. Today, we see [Daljeet Nandha] from [RoboCoffee] continue the research into the new Xiaomi scooter realities, where he finds that SWD flashing is a far more viable avenue than we might have expected.
[Daljeet] starts with an introductory post about the recent generation of Xiaomi scooters manufactured by Brightway – specifically, Xiaomi Electric Scooter 3 Lite, 4 (Canada) and 4 Pro. He’s found that the pairing procedure has had its security greatly improved, with a crypto coprocessor chip added into the equation – the usual OTA way of firmware mods is, indeed, closed off. Still, he gives us a breakdown of the scooter’s overall architecture, with a trove of information like register maps, UART captures, firmware analysis and hardware pictures. Then, it’s time to probe the chips involved in making the scooter tick.
Both the dashboard chip (“BLE”) and the ECU chip (“MCU”) have an SWD interface exposed, and that’s where [Daljeet] hits the jackpot – neither of them enables the usual tinkering-disrupting mechanisms like firmware readback protection or encryption, things typically switched on as part of a routine pre-release checklist. The firmware updates are useful, too – while they are signed, they are not encrypted, making it trivial to decompile them for any firmware experiments of yours. What’s more, [Daljeet] has also verified that the BLE firmware, responsible for most of the scooter’s logic, can be modified and flashed back!
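The "signed but not encrypted" observation above is the kind of thing a practitioner checks before spending time on an update image, and the quickest first pass is an entropy sweep: ciphertext looks uniformly random end to end, while clear machine code, tables and padding sit well below 8 bits per byte, and a signature appended to clear firmware shows up as a short near-random run at the tail. The following is an added example, not code from [Daljeet]'s write-up or from any Xiaomi tooling; the three sample images it classifies are constructed in-script (a 32-symbol "code-like" body, the same body with a random trailer, and a fully random blob), and the window size and the 7.5 bits-per-byte threshold are assumptions chosen for illustration rather than values taken from the scooter firmware.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (maximum 8.0).

    Encrypted or compressed data sits close to 8.0; machine code, lookup
    tables and fill bytes normally land well below that.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy of each consecutive fixed-size window, in file order.

    A per-window view is what makes a short high-entropy region (such as a
    signature trailer) visible against an otherwise low-entropy image.
    """
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify_image(data: bytes, window: int = 1024, high: float = 7.5) -> str:
    """Heuristic verdict on an update image (thresholds are assumptions):

    'encrypted'         every window is near-random
    'plaintext'         no window is near-random
    'plaintext+trailer' only a short run at the very end is near-random,
                        consistent with a signature appended to clear firmware
    'mixed'             anything else (e.g. an encrypted payload with a clear header)
    """
    ent = windowed_entropy(data, window)
    if not ent:
        return "empty"
    hi = [e >= high for e in ent]
    if all(hi):
        return "encrypted"
    if not any(hi):
        return "plaintext"
    first = hi.index(True)
    # A trailer is a high-entropy run that starts late and reaches the end.
    if all(hi[first:]) and (len(hi) - first) / len(hi) <= 0.1:
        return "plaintext+trailer"
    return "mixed"


def build_samples(body_len: int = 64 * 1024, trailer_len: int = 1024) -> dict:
    """Constructed sample images (not real firmware) with a fixed seed.

    The 'code-like' body draws from a 32-value alphabet, so its entropy is
    about 5 bits/byte; the trailer and the 'encrypted' blob are pseudo-random.
    """
    rng = random.Random(1234)
    alphabet = list(range(0, 256, 8))  # 32 distinct byte values
    body = bytes(rng.choices(alphabet, k=body_len))
    trailer = bytes(rng.getrandbits(8) for _ in range(trailer_len))
    blob = bytes(rng.getrandbits(8) for _ in range(body_len + trailer_len))
    return {
        "plain": body,             # clear firmware, nothing appended
        "signed_plain": body + trailer,  # clear firmware + random trailer
        "encrypted": blob,         # what a fully encrypted image looks like
    }


if __name__ == "__main__":
    for name, image in build_samples().items():
        ent = windowed_entropy(image)
        print(f"{name:13s} windows={len(ent):3d} "
              f"min={min(ent):.2f} max={max(ent):.2f} -> {classify_image(image)}")
```

Run against a real update file, the sweep is only a triage step: a 'plaintext' or 'plaintext+trailer' verdict says the image is worth opening in a disassembler, while 'encrypted' says to look for the key-handling path first. The trailer heuristic deliberately requires the high-entropy run to reach the end of the file, so an encrypted payload with a clear header is reported as 'mixed' rather than mistaken for a signature.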