Ninebot Max battery compartment electronic lock reverse engineering

Posted: Sun Mar 13, 2022 2:24 pm
by xnop
Hi there.

While disassembling a decommissioned and broken (Voi) Ninebot Max (SNSC 2.3), I took apart the lock which opens the battery compartment and found a small electronic lock mechanism, consisting of a servo motor and a circuit board with a microcontroller.

The PCB is marked "MAX_Lockdriver_V0.4" and has an STM8S003F3 (TSSOP20) chip [1], and is connected to a levered microswitch-button on the side of the PCB enclosure (presumably used to detect whether the battery compartment is open or closed).

The PCB has 4 test pads clearly marked "NRST", "SWIM", "VCC" and "GND".

Curious as to whether I could figure out a way to open the battery compartment electronically, I decided to try and connect to the chip to see if I could dump the firmware for further analysis/reverse engineering.
It would be very convenient to be able to just connect to the julet connector on the cable going into the lock, instead of having to remove screws and use a 3D printed key or some other tool, to unlock the battery door.

I connected the test pads to an ST-LINK/V2 dongle and tried dumping the flash program memory, RAM and data EEPROM using the stm8flash tool [2], but it seems I may have triggered the memory Read Out Protection as I am only able to read the RAM [3], which isn't really interesting in this state, and everything else just gives me "7171 7171 7171 7171" (HEX) for the entire memory regions, which I assume suggests that they have been overwritten.

If anyone with experience in microcontrollers and/or hardware hacking has an unused lock of the same kind, I would be very curious to see if they would be able to bypass the ROP with a setup like this [4].

Furthermore, does anyone know how the lock is meant to be operated? I assume there exists an unlock command, probably sent by the dashboard after receiving the request via BLE from an app?

Connecting a logic analyzer to the julet connector and analyzing the signals when the unlock command is sent would be very interesting too, and possibly bypass the need to reverse engineer the lock firmware. One could (hopefully) just replay the signal with an Arduino or similar, and unlock the battery door. I am not able to do this myself, as the scooter I have is completely broken.

Any input would be greatly appreciated!

[1] https://www.st.com/resource/en/datasheet/stm8s003f3.pdf
[2] https://github.com/vdudouyt/stm8flash
[3] https://pastebin.com/raw/nt8EjG5n
[4] https://itooktheredpill.irgendwo.org/2020/stm8-readout-protection/

Re: Ninebot Max battery compartment electronic lock reverse engineering

Posted: Sat Mar 26, 2022 6:27 pm
by Johndoesta
Yeah, that all sounds neat with the electric lock mechanism, but damn, if you have to go thru all this I would recommend simply just using a drill and just make one tiny hole on the right side of the scooter so you could insert a self-fashioned tool/instrument triggering the unlock/release level that's inside the deck on the lock mechanism. I've done several like such, all with beautiful success, simple and easy. Whatever you do, you want to avoid damaging the lid/battery door, because damn will you have an irritating loud a** scooter, irritating to the point neighbors wouldn't be able to tell the sound difference from you riding a scooter or a shopping cart down the railroad tracks.
[attached image]

Re: Ninebot Max battery compartment electronic lock reverse engineering

Posted: Mon Mar 28, 2022 1:11 am
by Sc00tr
xnop wrote:
Sun Mar 13, 2022 2:24 pm
Hi there.

While disassembling a decommissioned and broken (Voi) Ninebot Max (SNSC 2.3), I took apart the lock which opens the battery compartment and found a small electronic lock mechanism, consisting of a servo motor and a circuit board with a microcontroller.

The PCB is marked "MAX_Lockdriver_V0.4" and has an STM8S003F3 (TSSOP20) chip [1], and is connected to a levered microswitch-button on the side of the PCB enclosure (presumably used to detect whether the battery compartment is open or closed).

The PCB has 4 test pads clearly marked "NRST", "SWIM", "VCC" and "GND".

Curious as to whether I could figure out a way to open the battery compartment electronically, I decided to try and connect to the chip to see if I could dump the firmware for further analysis/reverse engineering.
It would be very convenient to be able to just connect to the julet connector on the cable going into the lock, instead of having to remove screws and use a 3D printed key or some other tool, to unlock the battery door.

I connected the test pads to an ST-LINK/V2 dongle and tried dumping the flash program memory, RAM and data EEPROM using the stm8flash tool [2], but it seems I may have triggered the memory Read Out Protection as I am only able to read the RAM [3], which isn't really interesting in this state, and everything else just gives me "7171 7171 7171 7171" (HEX) for the entire memory regions, which I assume suggests that they have been overwritten.

If anyone with experience in microcontrollers and/or hardware hacking has an unused lock of the same kind, I would be very curious to see if they would be able to bypass the ROP with a setup like this [4].

Furthermore, does anyone know how the lock is meant to be operated? I assume there exists an unlock command, probably sent by the dashboard after receiving the request via BLE from an app?

Connecting a logic analyzer to the julet connector and analyzing the signals when the unlock command is sent would be very interesting too, and possibly bypass the need to reverse engineer the lock firmware. One could (hopefully) just replay the signal with an Arduino or similar, and unlock the battery door. I am not able to do this myself, as the scooter I have is completely broken.

Any input would be greatly appreciated!

[1] https://www.st.com/resource/en/datasheet/stm8s003f3.pdf
[2] https://github.com/vdudouyt/stm8flash
[3]
[4] https://itooktheredpill.irgendwo.org/20 ... rotection/
The battery hatch cannot be operated with retail firmware; the offsets don't exist. The commands to open it don't do anything unless you are on rental firmware, which wouldn't work unless you have an it attached.

Re: Ninebot Max battery compartment electronic lock reverse engineering

Posted: Sat May 14, 2022 2:26 pm
by vicenetefernandez
Johndoesta wrote:
Sat Mar 26, 2022 6:27 pm
Yeah, that all sounds neat with the electric lock mechanism, but damn, if you have to go thru all this I would recommend simply just using a drill and just make one tiny hole on the right side of the scooter so you could insert a self-fashioned tool/instrument triggering the unlock/release level that's inside the deck on the lock mechanism. I've done several like such, all with beautiful success, simple and easy. Whatever you do, you want to avoid damaging the lid/battery door, because damn will you have an irritating loud a** scooter, irritating to the point neighbors wouldn't be able to tell the sound difference from you riding a scooter or a shopping cart down the railroad tracks.
[attached image]
Can u show us where u drilled the hole and how big? Did u use a rubber plug to close it up? Thanks

Re: Ninebot Max battery compartment electronic lock reverse engineering

Posted: Fri Jul 01, 2022 9:26 am
by st0r
Any more info on this? What does a typical charging session look like for a juicer? Are they prepared and charge battery packs at night and then simply replace empty ones? Or do they charge the scooters through the charging port, without taking the battery out?

What about placing a logger inside the scooter and seeing if it's possible to sniff any traffic? Maybe they only use the electric lock when they replace the whole pack or need access to the board etc.
… one could place a logger inside and then simulate a broken battery, which will force them to unlock it, i dunno.

Re: Ninebot Max battery compartment electronic lock reverse engineering

Posted: Tue Jul 19, 2022 5:25 am
by JubbaJames
Just came across this, if any help to anyone here.
[attached image]
[attached image]

Re: Ninebot Max battery compartment electronic lock reverse engineering

Posted: Fri Mar 17, 2023 1:23 am
by JubbaJames
And I've since come across this, if relevant or helps in any way:
https://flespi.com/protocols/segway-ninebot

Re: Ninebot Max battery compartment electronic lock reverse engineering

Posted: Fri Mar 17, 2023 1:19 pm
by Sc00tr
Yeah, that's how you can control it if you have access to the it from a backend, which is only useful if you own a Segway it that is connected and usable, which most people here don't have since they're just braindead thieves who steal these off the street anyway.
JubbaJames wrote:
Fri Mar 17, 2023 1:23 am
And I've since come across this, if relevant or helps in any way:
https://flespi.com/protocols/segway-ninebot

Re: Ninebot Max battery compartment electronic lock reverse engineering

Posted: Wed Mar 29, 2023 8:46 am
by vvmk1
I recorded the signal with a logic analyzer in the process of opening the servo.
I assume the blue wire on the lock connector is CLK (D0 channel), green is DATA (D1 channel), black is GND, red is +5V.
Signal level 3.3 V.
I assume it's I2C, but not sure.
Later, I will post the entire recording from PulseView, if you are interested.
[attached image]

Re: Ninebot Max battery compartment electronic lock reverse engineering

Posted: Wed Sep 27, 2023 3:19 pm
by john scatman
vvmk1 wrote:
Wed Mar 29, 2023 8:46 am
I recorded the signal with a logic analyzer in the process of opening the servo.
I assume the blue wire on the lock connector is CLK (D0 channel), green is DATA (D1 channel), black is GND, red is +5V.
Signal level 3.3 V.
I assume it's I2C, but not sure.
Later, I will post the entire recording from PulseView, if you are interested.
[attached image]
Nice to see! Can you post a better picture or dump?