Discuss the Segway Ninebot ES and Ninebot Max Kick Scooter in this Forum. Topics include the Segway-Ninebot app, hardware, street riding, etc.
#56455
Hi there.

While disassembling a decommissioned and broken (Voi) Ninebot Max (SNSC 2.3), I took apart the lock which opens the battery compartment and found a small electronic lock mechanism, consisting of a servo motor and a circuit board with a microcontroller.

The PCB is marked "MAX_Lockdriver_V0.4" and has an STM8S003F3 (TSSOP20) chip [1], and is connected to a levered microswitch-button on the side of the PCB enclosure (presumably used to detect whether the battery compartment is open or closed).

The PCB has 4 test pads clearly marked "NRST", "SWIM", "VCC" and "GND".

Curious as to whether I could figure out a way to open the battery compartment electronically, I decided to try and connect to the chip to see if I could dump the firmware for further analysis/reverse engineering.
It would be very convenient to be able to just connect to the julet connector on the cable going into the lock, instead of having to remove screws and use a 3D printed key or some other tool, to unlock the battery door.

I connected the test pads to an ST-LINK/V2 dongle and tried dumping the flash program memory, RAM and data EEPROM using the stm8flash tool [2], but it seems I may have triggered the memory Read Out Protection as I am only able to read the RAM [3], which isn't really interesting in this state, and everything else just gives me "7171 7171 7171 7171" (HEX) for the entire memory regions, which I assume suggests that they have been overwritten.

If anyone with experience in microcontrollers and/or hardware hacking has an unused lock of the same kind, I would be very curious to see if they would be able to bypass the ROP with a setup like this [4].

Furthermore, does anyone know how the lock is meant to be operated? I assume there exists an unlock command, probably sent by the dashboard after receiving the request via BLE from an app?

Connecting a logic analyzer to the julet connector and analyzing the signals when the unlock command is sent would be very interesting too, and could possibly bypass the need to reverse engineer the lock firmware. One could (hopefully) just replay the signal with an Arduino or similar, and unlock the battery door. I am not able to do this myself, as the scooter I have is completely broken.

Any input would be greatly appreciated!

[1] https://www.st.com/resource/en/datasheet/stm8s003f3.pdf
[2] https://github.com/vdudouyt/stm8flash
[3] https://pastebin.com/raw/nt8EjG5n
[4] https://itooktheredpill.irgendwo.org/2020/stm8-readout-protection/
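A quick sanity check on a dump like the one described above, added here as an example and not part of the poster's work: it tells a uniform fill byte (the 0x71 pattern an STM8 with Read Out Protection enabled returns over SWIM, or a blank part) apart from a dump with real content worth disassembling. The sample inputs are constructed, not real dumps from the lock PCB.

```python
# Added example, not from the original post: classify a raw memory dump
# (for instance the flash or EEPROM image written by stm8flash -r) as a
# uniform fill (ROP symptom or erased part) or as real content.
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a uniform fill, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_dump(data: bytes, fill_threshold: float = 0.98) -> dict:
    """Return the dominant byte, its share of the dump, the entropy and a verdict.

    verdict is 'empty', 'uniform_fill' (dominant byte covers at least
    fill_threshold of the image, as with the 0x71 fill seen in the thread)
    or 'content'.
    """
    if not data:
        return {"fill_byte": None, "fill_fraction": 0.0, "entropy": 0.0, "verdict": "empty"}
    byte, count = Counter(data).most_common(1)[0]
    fraction = count / len(data)
    verdict = "uniform_fill" if fraction >= fill_threshold else "content"
    return {"fill_byte": byte, "fill_fraction": fraction,
            "entropy": shannon_entropy(data), "verdict": verdict}


def describe(data: bytes) -> str:
    """Human-readable one-line summary of classify_dump()."""
    r = classify_dump(data)
    if r["verdict"] == "empty":
        return "empty dump"
    if r["verdict"] == "uniform_fill":
        return (f"uniform fill 0x{r['fill_byte']:02X} ({r['fill_fraction']:.1%}): "
                "protected or blank, nothing to disassemble")
    return f"content present, entropy {r['entropy']:.2f} bits/byte"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from hardware.
    rop_dump = bytes([0x71]) * 8192    # what the poster saw for flash and EEPROM
    real_dump = bytes(range(256)) * 32  # stand-in for a readable image
    print(describe(rop_dump))
    print(describe(real_dump))
```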
#56503
Yeah, that all sounds neat with the electric lock mechanism, but damn, if you have to go through all this I would recommend simply just using a drill and just making one tiny hole on the right side of the scooter so you could insert a self-fashioned tool/instrument triggering the unlock/release lever that's inside the deck on the lock mechanism. I've done several like such, all with beautiful success, simple and easy. Whatever you do, you want to avoid damaging the lid/battery door, because damn will you have an irritating loud a** scooter that will be irritating to the point neighbors wouldn't be able to tell the sound difference from you riding a scooter or a shopping cart down the railroad tracks.
#56506
xnop wrote:
Sun Mar 13, 2022 2:24 pm
(quoting post #56455 above)
The battery hatch cannot be operated with retail firmware, the offsets don't exist. The commands to open it don't do anything unless you are on rental firmware, which wouldn't work unless you have an it attached.
#56683
Johndoesta wrote:
Sat Mar 26, 2022 6:27 pm
(quoting post #56503 above)
Can you show us where you drilled the hole and how big it was? Did you use a rubber plug to close it up? Thanks.