What I already found about how the whole rental service is working:
-I sniffed the traffic of the TIER app with Charles proxy. Here are the results:
To view images REGISTER or LOGIN for full access. Here, the app basically connects to a frontend link from the company "fleetbird"
which is specialized for renting vehicles. You can visit their homepage under this site: https://fleetbird.com/
On YouTube I found some vids about the fleetbird api and hardware in action on a ninebot es2. Here are the links to the vids:
(I asked that guy for the functionality of the activation box.)
As you can obviously see here they attached this little black box down on the column, the same as TIER is using them on their scooters.
To view images REGISTER or LOGIN for full access.
But back to the unlocking part. This is how the scooter gets unlocked by the user:
The users app asks the server to unlock the scooter --> The server checks if everything's fine (Is the user blocked, is there a payment method, etc.) --> If everything's ok, the server sends an unlock request to the scooter and the user can ride.
The scooter does not get unlocked by bluetooth, because one time I faked my GPS orientation to be in front of a scooter and it got unlocked. We need to find out the IP adress of that little black box and we need to find out the unlock request from the server. But I didn't find anything on the internet on how to detect the http traffic from a cellular network.
Maybe these people who already jammed up a TIER scooter would be a HUGE help for this topic. Maybe you could open that little mystery black GPS box and inform us what's inside?
And please, don't come up with "just steal a scooter and just buy new electronics", I don't want to puch that much effort in it.
Hope you could help.