By xnop - Sun Mar 13, 2022 2:24 pm
#56455
Hi there.
While disassembling a decommissioned and broken (Voi) Ninebot Max (SNSC 2.3), I took apart the lock which opens the battery compartment and found a small electronic lock mechanism, consisting of a servo motor and a circuit board with a microcontroller.
The PCB is marked "MAX_Lockdriver_V0.4" and has an STM8S003F3 (TSSOP20) chip [1], and is connected to a levered microswitch-button on the side of the PCB enclosure (presumably used to detect whether the battery compartment is open or closed).
The PCB has 4 test pads clearly marked "NRST", "SWIM", "VCC" and "GND".
Curious as to whether I could figure out a way to open the battery compartment electronically, I decided to try and connect to the chip to see if I could dump the firmware for further analysis/reverse engineering.
It would be very convenient to be able to just connect to the julet connector on the cable going into the lock, instead of having to remove screws and use a 3D printed key or some other tool, to unlock the battery door.
I connected the test pads to an ST-LINK/V2 dongle and tried dumping the flash program memory, RAM and data EEPROM using the stm8flash tool [2], but it seems I may have triggered the memory Read-Out Protection, as I am only able to read the RAM [3], which isn't really interesting in this state; everything else just gives me "7171 7171 7171 7171" (hex) for the entire memory regions, which I assume suggests that they have been overwritten.
If anyone with experience in microcontrollers and/or hardware hacking has an unused lock of the same kind, I would be very curious to see if they would be able to bypass the ROP with a setup like this [4].
Furthermore, does anyone know how the lock is meant to be operated? I assume there exists an unlock command, probably sent by the dashboard after receiving the request via BLE from an app?
Connecting a logic analyzer to the julet connector and analyzing the signals when the unlock command is sent would be very interesting too, and could possibly bypass the need to reverse engineer the lock firmware. One could (hopefully) just replay the signal with an Arduino or similar, and unlock the battery door. I am not able to do this myself, as the scooter I have is completely broken.
Any input would be greatly appreciated!
[1] https://www.st.com/resource/en/datasheet/stm8s003f3.pdf
[2] https://github.com/vdudouyt/stm8flash
[3] https://pastebin.com/raw/nt8EjG5n
[4] https://itooktheredpill.irgendwo.org/2020/stm8-readout-protection/
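The dump-and-triage step described in the post, as an added example (not the poster's code, and not part of stm8flash or any ST tool): it builds the stm8flash read commands for an ST-LINK/V2 and then classifies the resulting flash image before anyone spends time on it in a disassembler. A whole region coming back as one repeated byte (the post's 0x71 pattern) carries no firmware, whereas an erased STM8 flash reads 0x00 and a real image starts with a vector table of JPF (0x82) entries whose reset target lies inside program flash; the ROP option byte (OPT0) reads 0xAA when read-out protection is enabled. The memory-map constants and those encodings are from the STM8S003F3 datasheet [1] and the STM8S reference manual; the file names, the sample images and the 0x8080/0x8084 vector targets are constructed for this example and are not taken from a real lock.

```python
"""Triage a program-flash dump of an STM8S003F3 read over SWIM with stm8flash.

Added example, not the poster's code and not part of stm8flash. Sample images
below are constructed; file names and vector targets are arbitrary.
"""
import subprocess

# STM8S003F3 memory map and encodings (datasheet [1] / STM8S reference manual).
FLASH_BASE = 0x8000
FLASH_SIZE = 8 * 1024          # 8 KB program flash
VECTOR_COUNT = 32              # reset, TRAP and 30 IRQ vectors, 4 bytes each
JPF_OPCODE = 0x82              # every vector entry is JPF <24-bit address>
ERASED_BYTE = 0x00             # STM8 flash erases to 0x00, not 0xFF
ROP_ENABLED_VALUE = 0xAA       # OPT0 (ROP byte): 0xAA = read-out protection on


def stm8flash_read_cmd(region, out_file, part="stm8s003f3", programmer="stlinkv2"):
    """Build the stm8flash command line that reads one region into a file."""
    # -c programmer, -p part, -s region (flash/eeprom/ram/opt), -r read to file
    return ["stm8flash", "-c", programmer, "-p", part, "-s", region, "-r", out_file]


def read_region(region, out_file):
    """Run stm8flash and return the dumped bytes (needs the board attached)."""
    subprocess.run(stm8flash_read_cmd(region, out_file), check=True)
    with open(out_file, "rb") as f:
        return f.read()


def fill_byte(dump):
    """Return the byte value if the dump is one uniform fill, else None."""
    distinct = set(dump)
    return distinct.pop() if len(distinct) == 1 else None


def parse_vector_table(flash):
    """Decode the (opcode, target) pairs of the interrupt vector table."""
    vectors = []
    for i in range(VECTOR_COUNT):
        entry = flash[4 * i:4 * i + 4]
        if len(entry) < 4:
            break
        vectors.append((entry[0], int.from_bytes(entry[1:], "big")))
    return vectors


def plausible_reset_vector(flash):
    """True if the reset vector is a JPF whose target lies in program flash."""
    vectors = parse_vector_table(flash)
    if not vectors:
        return False
    opcode, target = vectors[0]
    return opcode == JPF_OPCODE and FLASH_BASE <= target < FLASH_BASE + FLASH_SIZE


def triage_flash(flash):
    """Classify a flash image: erased, uniform-fill, firmware or unknown."""
    fb = fill_byte(flash)
    if fb == ERASED_BYTE:
        return "erased"
    if fb is not None:
        # One value repeated across the whole region (the post saw 0x71) is
        # not firmware: the programmer did not get the real contents.
        return "uniform-fill"
    if plausible_reset_vector(flash):
        return "firmware"
    return "unknown"


def rop_enabled(opt_bytes):
    """Decode OPT0 from a dump of the option-byte region (stm8flash -s opt)."""
    return bool(opt_bytes) and opt_bytes[0] == ROP_ENABLED_VALUE


# Constructed sample images (not real Ninebot lock firmware).
_RESET = bytes([JPF_OPCODE]) + (0x8080).to_bytes(3, "big")
_OTHER = bytes([JPF_OPCODE]) + (0x8084).to_bytes(3, "big")
SAMPLE_FIRMWARE = _RESET + _OTHER * (VECTOR_COUNT - 1)
SAMPLE_FIRMWARE += bytes([0x9D]) * (FLASH_SIZE - len(SAMPLE_FIRMWARE))  # NOP fill
SAMPLE_REFUSED = bytes([0x71]) * FLASH_SIZE   # the pattern the post reports
SAMPLE_ERASED = bytes([ERASED_BYTE]) * FLASH_SIZE

if __name__ == "__main__":
    for name, img in (("refused", SAMPLE_REFUSED), ("erased", SAMPLE_ERASED),
                      ("sample", SAMPLE_FIRMWARE)):
        print(name, triage_flash(img))
    print(" ".join(stm8flash_read_cmd("flash", "flash.bin")))
```

With the board attached, `read_region("flash", "flash.bin")` and `read_region("opt", "opt.bin")` give the two inputs; run `triage_flash` on the first and `rop_enabled` on the second before assuming the contents were overwritten. The EEPROM (128 bytes at 0x4000) is deliberately not triaged the same way, since a legitimately blank EEPROM is also a uniform fill.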