Xiaomi Scooter Firmware Hacking Gets Hands-On

A Xiaomi 3 Lite dashboard with the panel taken off and the PCB visible, four wires connected to the SWD header.

Scooter hacking is wonderful – you get to create a better scooter from a pre-made scooter platform, and sometimes you can do that purely through firmware modifications. Typically, hackers have been uploading firmware using Bluetooth OTA methods, and at some point, we’ve seen the always-popular Xiaomi scooters starting to get locked down. Today, we see [Daljeet Nandha] from [RoboCoffee] continue the research of the new Xiaomi scooter realities, where he finds that SWD flashing is way more of a viable avenue that we might’ve expected.

[Daljeet] starts with an introductory post about the recent generation of Xiaomi scooters manufactured by Brightway – specifically, Xiaomi Electric Scooter 3 Lite, 4 (Canada) and 4 Pro. He’s found that the pairing procedure has had its security greatly improved, with a crypto coprocessor chip added into the equation – the usual OTA way of firmware mods is, indeed, closed off. Still, he gives us a breakdown of the scooter’s overall architecture, with a trove of information like register maps, UART captures, firmware analysis and hardware pictures. Then, it’s time to probe the chips involved in making the scooter tick.

Both the dashboard chip (“BLE”) and the ECU chip (“MCU”) have an SWD interface exposed, and that’s where [Daljeet] hits the jackpot – neither of them enable the usual tinkering-disrupting mechanisms like firmware readback protection or encryption – things typically switched on as part of routine pre-product-release checklist. The firmware updates are useful, too – while they are signed, they are not encrypted, making it trivial to decompile them for any firmware experiments of yours. What’s more, [Daljeet] has also verified that the BLE firmware, responsible for most of the scooter’s logic, can be modified and flashed back!

No doubt, this is a great start for anyone looking for a scooter platform to hack upon firmware-wise. While the SWD flashing required raises the bar for modification, as [Daljeet] has found last year, it’s not much of a barrier – nowadays even a Pi Pico can act as an SWD adapter. Xiaomi has its hands in many markets, and hackers keep up – in case scooters aren’t your cup of tea, you can make another one in a hacked Xiaomi kettle, making sure it’s just the right temperature with help of a hacked Xiaomi thermometer.

16 thoughts on “Xiaomi Scooter Firmware Hacking Gets Hands-On

  1. I think the best way is to replace the motor controller with VESC + DIY board with ESP32 running a Python firmware to implement the EScooter logic application. Also, add own DIY display with another ESP32 running Python firmware – this display communicate wireless with the other ESP32 EScooter board, using the ESPNow (trivial on Python firmware).

    In fact, I am doing just all that as OpenSource on my EBike, with a Bafang M500 mid drive motor: https://opensourceebike.github.io/

    1. casainho, love your project! Also love VESC! I’ve turn an ex rental scooter into a 40mph (flatland and yes, MPH, GPS verified as well. 1500W continuous with 3200kw bursts. Of course I had to do some modifications, battery is a 13s 6p 21Ah pack vs the stock 10s 5p 18ah pack, hub motor is actually stock but its side covers are vented to allow for cooling. Still runs hot after aggressive extended rides but not nearly as hot as when sealed, I burned/shorted the windings on two motors before resorting to venting.
      VESCs addition of field weakening in FOC commutation has been the gamechanger that’s allowed for speed increases above and beyond of what increased voltage allows. Yes, its not nearly as efficient but it sure is fun.
      I use your FW with an ESP32 to transmit telemetry/data to a “dash” mounted display. Works great, no stock electronics needed and performance is phenomonal with vesc.

  2. If the SWD port is unprotected then a hacker can reprogram your scooter when you lock it to a bike rack. You could end up in the canal or splattered on someones back bumper or it might shut down when you are in the middle of an intersection and you get hit by a bus. If the software can wipe itself it would make a good murder weapon, leaving no evidence.

    1. Tin foil hat anyone? Who the hell is going to take the time to take your display apart, write a custom firmware that randomly blips your throttle, then put it all back together without nobody being the wiser. At that point they might as well just build a bomb and stick it to the backside, or loosen a few nuts on your stem… cmon m8

      1. I don’t think it’s unreasonable to point out security issues on HaD, even if they are not for your average script kiddie. Also, since this doesn’t have a fly-by-wire brake it’s probably not going to be a use assassination vector. Note, there is a paper describing a similar issue with fly-by-wire cars (including erasing the evidence once you detect airbag deployment).

        I would more incline to target less respectful riders. But the custom firmware would work like normal for 30-90 seconds, then drop max throttle to 10% of total capacity, then after 3 to 5 minutes completely cut out, after a few minutes of not working, it would return to the normal profile for 30-90 seconds and repeat the cycle. This would help cut down on the types who ride far too fast in pedestrian area.

        1. That makes the scooter unusable for long stretches of a road without pedestrians on it – remember, the range is 10-20km easily, and crossing a kilometer-long bridge alone will make the scooter stop. I ride a lot, I ride fast where possible, been doing it for years without accidents. Mentally going through my scooter usage patterns, it’s pretty tricky to correlate road behaviour to data from the scooter’s sensors (which are basically, throttle and brake). Also, suddenly limiting the scooter’s throttle can make it more dangerous to ride in certain situations. Can recommend putting more thought into such an algorithm – otherwise, your comment is a real-life demonstration of why people need to try using scooters day-to-day before trying to propose things =D

          1. Yeah, although I was (half) joking, that was the goal, make the scooter generally less usable and more annoying for the rider. I see lots of people riding their scooters fast in pedestrian areas, and I don’t need to ride a scooter day-to-day to know that this isn’t reasonable behavior. While the majority of people riding too fast in pedestrian areas are not getting into accidents, they are still large inconvenience to other users of that area.

    2. For context, the current “needs an SWD flasher” method is a significant departure from what we used to have, in a good direction – all these years, anyone could push a malicious firmware onto your scooter simply by standing next to it and using a universal “upgrade firmware” app on their smartphone, no interaction needed. The security has been awful for a good period of time, and they’ve gotten more secure now. Having said that – where’s all the reflashed-scooter-murder victims? Orbiting the Russell’s teapot?

    3. this shit is old. been flashing xiaomi scooters since before the Wuhan flu was viral like like Gangnam style… if someone wanted to take yer shit or do harm they aren’t gonna fiddle with an stlink hoping you crash into water.. here in Baltimore they shoot you then dump you in the harbor.

  3. X, Your argument sounds like the premise of a new movie in the Speed franchise, or something worthy of the Mission Impossible franchise even.
    “The hacker has reprogrammed your scooter to run at 40mph. If you slow down or stop, you’ll be vaporised by the device he’s also attached with an rpm counter.”
    Starring Keanu Reeves of course!

    Thomas Anderson is right, of course. You’d have to be someone pretty important for them to screw around like that, but there are no doubt easier ways to do it, as he implied.
    You might fall foul of local laws though, when the governments finally catch up and realise that scooters can be just as dangerous as cars or bicycles on the roads and actually legislate to make their sale and use regulated (in the UK it is still illegal to ride private e-scooters on the roads, even though thousands of people do it, daily). We need to make the bloody things legal to be used on the roads, AND the rider should be liable if there’s an accident, just as with cars and bicycles.
    If, say you overclocked your e-scooter and were involved in an accident, and that was a contributing factor, then you’d be in a whole lot of trouble, and so you should be.
    I’m not saying that people shouldn’t mod their scooters. It’s actually a pretty nifty idea. You could trick it out with all sorts of add-ons, extra lights, etc.
    That’s the beauty of hacks like this, you could build your own after-market mods, improve the interface, make it more secure, etc.

    1. LOL that gave me an image of Keanu Reeves as an X-games star on a tricked-out e-scooter. With “Wyld Stallyns” sprayed along the body!
      *Reeve’s trademark “Whoa!”*

  4. Hello everyone I have just bought the Pro 4 in Italy. unfortunately in this country the scooter is limited to 20 kpH
    There are ways to increse the speed?
    I’ve been reading that with the Pro 4 there are not possibilies to hack it as for the earlier models such as the Pro2 at least so it was like that when the pro 4 was released in the EU.
    Any news lately that can help me?

    Thank you all

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.