Communication with servers its secured, so this is probably not so easy task. I was also investigating this option, however, this is way too complex. You also need to have genuine scooter, with older firmware, so app will actually try to update firmware - and once firmware is updated, you are out of attempts...
But yeah, I see many possibilities, how to get firmware file, or how to force app to update firmware. ith the right equipment, skils and time.
- Hack/decomplile/reverse engineer the app
- MITM between app and server
-- Fake new firmware version number, to make app think that scooter has older version
-- Fake serial¤t version, so server will provide firmware
-- Get firmware while being donwloaded for stock scooter
- MITM between (bluetooth) cooter and app:
-- Modify version/serial data sent by scooter, so app thinks that firmware is old and serial is stock scooter
-- Intercept comunication from App to Scooter while firmware is being uploaded to scooter to get the firmware file and update routine.
- Extract firmware file from phone (Android)
-- After firmware is downloaded from server, it might be stored/extracted somewhere in the phone
-MITM between Mainboard and Bluetooth module - Most probably serial comunication, most probably not encrypted
-- Intercept firmware being transfered/flashed to mainboard
-- Fake Serial& firmware version
-- Create device, that pretends beeing a mainboard with old firmware so app will provide firmware file This is an image - REGISTER or LOGIN to view.
- Create device, that pretends beeing a stock scooter with old firmware so app will provide firmware file This is an image - REGISTER or LOGIN to view.
Once firmware file is obtained, we have to figure out, how to flash it. Possible problems:
1) Chip will enter flash mode, only after some unlock code, which may be tied to serial, is provided.
-- Would be required to do MITM first, as mentioned above
2) Firmware will be flashed (with external programmer), but wont match to serial number saved in some persistent memory, so refuses to work.
--Since its seems that changing serial number is complicated or impossible, it may be suitable to replace whole MCU with new (stock part), unlocked one. Then write matching serial number and firmware to its memory.
-- Assuming that check is done by the same firmware, which was just flashed, it may be possible decompile firmware and either to remove such check or change serial number to match the number in MCU, before flashing
Or, write completely custom firmware, for new unlocked MCU.