Discuss the Segway Ninebot ES and Ninebot Max Kick Scooter in this Forum. Topics include the Segway-Ninebot app, hardware, street riding, etc.
By TIER
#4572
RSB0 wrote:
Tue Feb 12, 2019 10:56 am
I saw somewhere that it is possible to do some kind of MITM attack on the firmware update servers and put stock or modded firmware and force an update, but unfortunately there is not much info online about it... In theory it could remove the rental firmware.

People in the ninebot Onewheel community are more advanced in this kind of hacks and maybe we from the kickscooter community can use some of that info since the APP is the same.
The guy that does the ninebot onewheel has an agreement with the guy doing the scooter software to not touch the scooter firmware.

Scooter software will not be free. Rumors say it will be around 50 USD to use it. That's why he does not want others to offer free software. :evil:

Whether it will be able to overwrite rental software or flash a clone board at all nobody knows. But it will be possible to install custom firmware like on the M365.
By RSB0
#4667
TIER wrote:
Tue Feb 12, 2019 11:49 am
Does anyone have any idea how to perform a MITM (Wireshark?) analysis of the Ninebot app so we can get the download links for the original firmware?
In the same way, using a personal DNS, the Russians have set up a fake update server and injected modified firmware on the onewheels using the official app!

The only problem for us kickscooters is that they read the firmware first from the chip or use the app, so the firmware generated is for the serial number of the scooter.

Using the repository https://github.com/Ch4rlus/ninebot_firmware, that firmware was probably generated for its owner's serial number.
I tried to use a hex editor on the bin but was unable to find any good info. The Russians also directly hex-edit the firmware, so even if the serial number is a problem, if we could hex-edit it, it would only be a matter of changing the serial in the bin file.

What you guys think ?
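As an added illustration of the hex-editing idea in the post above (example code written for this page, not from the thread, the Ch4rlus repository, or any Ninebot tool), here is a small Python script that lists the printable strings in a binary image the way `strings -t d` would, finds serial-number-shaped runs, overwrites one with a same-length replacement so that nothing after it shifts, and recomputes a checksum trailer. The image layout, the 14-character serial shape, the `SN:` prefix and the trailing CRC-32 are all assumptions constructed for the demo; a real image may store the serial in another encoding, in more than one place, or under a cryptographic signature that a checksum fix-up cannot satisfy.

```python
import re
import struct
import zlib
from typing import List, Tuple

# Shape of a serial number as it would appear in a plain-ASCII string table.
# ASSUMPTION for illustration only: 14 uppercase alphanumerics.
SERIAL_RE = re.compile(rb"[A-Z0-9]{14}")


def ascii_strings(blob: bytes, min_len: int = 6) -> List[Tuple[int, bytes]]:
    """Offsets and contents of printable-ASCII runs, like `strings -t d`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group()) for m in re.finditer(pattern, blob)]


def find_serials(blob: bytes) -> List[Tuple[int, bytes]]:
    """Candidate serial numbers with their byte offsets."""
    return [(m.start(), m.group()) for m in SERIAL_RE.finditer(blob)]


def patch_same_length(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Overwrite `old` at `offset` with `new`. Refuses if the lengths differ
    (a raw overwrite must not shift code or data that follows) or if the
    bytes at that offset are not what the caller expects."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    if blob[offset:offset + len(old)] != old:
        raise ValueError("bytes at offset do not match the expected original")
    return blob[:offset] + new + blob[offset + len(old):]


def build_sample_image(serial: bytes) -> bytes:
    """CONSTRUCTED test image, not a real scooter firmware: a fake vector
    table head, padding, an ASCII serial, a version string, some opaque bytes,
    and a little-endian CRC-32 of everything before it as a trailer."""
    body = (b"\x00\x20\x00\x20\xed\x00\x00\x08"   # fake Cortex-M style vector table head
            + b"\xff" * 16                         # padding, as erased flash would read
            + b"SN:" + serial + b"\x00"            # assumed serial string
            + b"FW:1.3.9\x00"                      # assumed version string
            + bytes(range(32)))                    # opaque non-printable data
    return body + struct.pack("<I", zlib.crc32(body))


def trailer_crc_ok(image: bytes) -> bool:
    """Integrity check matching build_sample_image's trailer."""
    body, trailer = image[:-4], image[-4:]
    return zlib.crc32(body) == struct.unpack("<I", trailer)[0]


def rewrite_serial(image: bytes, new_serial: bytes) -> bytes:
    """Replace the single embedded serial and refresh the CRC-32 trailer so
    the image still passes a checksum-style check. A cryptographic signature
    would NOT be repaired by this: re-signing needs the vendor's private key."""
    found = find_serials(image)
    if len(found) != 1:
        raise ValueError(f"expected exactly one serial candidate, found {len(found)}")
    offset, old = found[0]
    patched_body = patch_same_length(image[:-4], offset, old, new_serial)
    return patched_body + struct.pack("<I", zlib.crc32(patched_body))


if __name__ == "__main__":
    img = build_sample_image(b"ABCD1234567890")
    for off, s in ascii_strings(img):
        print(f"{off:#06x}  {s.decode()}")
    new = rewrite_serial(img, b"WXYZ0987654321")
    print("serial now:", find_serials(new), "crc ok:", trailer_crc_ok(new))
```

Running the script prints the string table with offsets, then the patched serial and whether the refreshed trailer checks out. `rewrite_serial` deliberately refuses when it finds zero or several candidates, because blindly patching the first 14-character run in a real image is exactly how a header, a bootloader string or a CRC'd region gets corrupted; point it at the offset you have confirmed by hand if the real image stores the serial more than once.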
By Tonda
#4769
Communication with the servers is secured, so this is probably not such an easy task. I was also investigating this option; however, this is way too complex. You also need to have a genuine scooter with older firmware, so the app will actually try to update the firmware, and once the firmware is updated, you are out of attempts...
But yeah, I see many possibilities for how to get the firmware file, or how to force the app to update the firmware, with the right equipment, skills and time.

- Hack/decompile/reverse engineer the app

- MITM between app and server
-- Fake new firmware version number, to make the app think that the scooter has an older version
-- Fake serial & current version, so the server will provide the firmware
-- Get the firmware while it is being downloaded for a stock scooter

- MITM between (Bluetooth) scooter and app:
-- Modify version/serial data sent by the scooter, so the app thinks that the firmware is old and the serial is a stock scooter
-- Intercept communication from app to scooter while the firmware is being uploaded to the scooter, to get the firmware file and update routine.

- Extract firmware file from phone (Android)
-- After the firmware is downloaded from the server, it might be stored/extractable somewhere on the phone

- MITM between mainboard and Bluetooth module - most probably serial communication, most probably not encrypted
-- Intercept firmware being transferred/flashed to the mainboard
-- Fake serial & firmware version
-- Create a device that pretends to be a mainboard with old firmware, so the app will provide the firmware file :-)

- Create a device that pretends to be a stock scooter with old firmware, so the app will provide the firmware file :-)


Once the firmware file is obtained, we have to figure out how to flash it. Possible problems:
1) The chip will enter flash mode only after some unlock code, which may be tied to the serial, is provided.
-- Would be required to do MITM first, as mentioned above
2) The firmware will be flashed (with an external programmer), but won't match the serial number saved in some persistent memory, so it refuses to work.
-- Since it seems that changing the serial number is complicated or impossible, it may be suitable to replace the whole MCU with a new (stock part), unlocked one. Then write a matching serial number and firmware to its memory.
-- Assuming that the check is done by the same firmware which was just flashed, it may be possible to decompile the firmware and either remove such a check or change the serial number to match the number in the MCU, before flashing

Or, write completely custom firmware for a new, unlocked MCU.
#6938
Apparently you guys have not seen this..

https://mimod.ru/en_US/es-rollback

I can confirm it does work on genuine ESCs. So you have multiple attempts now to get the firmware out of the Ninebot app. A simple caching proxy should do the job. I can also confirm this does not work on Bird ESCs, as the app comes with firmware that is flashable on stock ones, and it gets to 1% and says Chunk Failed. Apparently the Bird ESCs have protection in them to only take firmware that's got some kind of specific header. We'd need a Bird firmware to figure out the difference and reverse that into something the ESC would take and use to update.
By NomadMech
#7308
Are we sure that it is the Ninebot app being malicious and plastering v0.5.0.5 on everything? I have too many options on my phone and have deleted the Ninebot app altogether because I don't know for sure what all they're up to, but there is DEFINITELY a reason they are so adamant about specific server access, mandatory updates/blocking old APK versions, and if nothing else, being a Play Store app tells me they are at least data logging. Anyone try direct UART access using the nRF UART app? Obviously Bird is able to get firmware updated and have had it infiltrate EVERYTHING! That's why I say malicious.

Had 2 other share brands with 2 very different setups, from 2 different companies, and even though they had their own proprietary firmware, never pulled the Ninebot app for either and it wasn't even installed on the phone, and wiped the cache for the second, which appeared to be a hardware-based security setup and read as version 1.3.9 DRV. I'll be damned if both didn't end up 5.0.5! Makes me angry and I'm trying to figure out who the guilty party is. I even used custom firmware immediately, then checked to make sure the version was still the same after acquiring the 1.3.9 because I was tired of messing around, and everything appeared to be copacetic. I know others had the app on their phone; however, they never connected to my unit and I have been very careful. Started bugging out, so I checked the version on DownG and sure enough it said that I needed an encoded file and it was on 5.0.5! I actually paid money for that controller because I wanted to figure this out and was very aware that something was going on, yet it still got me.

Obviously I can't afford a new BLE for every unit, and actually doing the hard link and updating the BLE virgin is the main priority ATM; wanted to have the rest of the unit in unison and supportive. Took the time to put clean firmware on the same version for the external battery, internal battery, DRV & BLE, although rollback gave me an error.
I was persistent and it finally allowed me to check the version without error, and always correct other than the controller being 5.0.5, or so I thought. Verified with another couple of apps and I'm at a loss. Wtf?! Where is it coming from? If it is that quick and simple for them to install, you would think it would be that quick and simple to override. Just have to fight fire with fire, but I am afraid to open up any of my nRF apps because I'm not positive it didn't come from there, and that would be my only logical link to Bird stuff. The local electronics store has a floor model and I am going to swing by there today and try to connect, but I'm pretty sure I know what the end result will be, and while I would like to say I feel bad for the schmuck who buys a $700 Segway that has scooter-share firmware on it, I really don't, and hope that maybe it helps to expose them. My own custom firmware using the website generator and DownG seems to upload without a hitch; however, even if it temporarily represents the version I based my CFW off of, it always ends up back at 5.0.5. Got me good you f*ckers! Okay, now tell me how to get it back. Lol :cry:
By James007
#7310
NomadMech wrote:
Sun Apr 21, 2019 10:29 am
Are you trying to flash cfw on a shared controller?
#7585
I own 2 former Bird scooters, one ES2 and one ES4. The ES4 has an authentic replacement dashboard and stays in sport mode (red S), goes 20 mph with custom firmware, and still doesn't allow for mode switching. Maybe it's just a custom overall control board?
The ES2 has a Chinese dash that stays in standard (white S) mode.
