The dash of Xiaomi Mi 1S scooter, with the top panel taken off and an USB-UART adapter connected to the dashboard, sniffing the firmware update process

Xiaomi Cryptographically Signs Scooter Firmware – What’s Next?

[Daljeet Nandha] from [RoboCoffee] writes to us, sharing his research on cryptographic signature-based firmware authenticity checks recently added to the Xiaomi Mi scooter firmware. Those scooters use an OTA firmware update mechanism over BLE, so you can update your scooter using nothing but a smartphone app – great because you can easily get all the good new features, but suboptimal because you can easily get all the bad new features. As an owner of a Mi 1S scooter but a hacker first and foremost, [Daljeet] set up a HTTPS proxy and captured the firmware files that the app downloaded from Xiaomi servers, dug into them, and summarized what he found.

Scooter app firmware update dialog, saying "New firmware update available. Update now?"
Confirming this update will indefinitely lock you out of any third-party OTA updates

Unlike many of the security measures we’ve seen lacking-by-design, this one secures the OTA firmware updates with what we would consider the industry standard – SHA256 hash with elliptic cryptography-backed signing. As soon as the first firmware version implementing signature checks is flashed into your scooter, it won’t accept anything except further firmware binaries that come with Xiaomi’s digital signature. Unless a flaw is found in the signature checking implementation, the “flash a custom firmware with a smartphone app” route no longer seems to be a viable pathway for modding your scooter in ways Xiaomi doesn’t approve of.

Having disassembled the code currently available, [Daljeet] tells us about all of this – and more. In his extensive writeup, he shares scripts he used on his exploration journey, so that any sufficiently motivated hacker can follow in his footsteps, and we highly recommend you take a look at everything he’s shared. He also gives further insights, explaining some constraints of the OTA update process and pointing out a few security-related assumptions made by Xiaomi, worth checking for bypassing the security implemented. Then, he points out the firmware filenames hinting that, in the future, the ESC (Electronic Speed Control, responsible for driving the motors) board firmware might be encrypted with the same kind of elliptic curve cryptography, and finds a few update hooks in the decompiled code that could enable exactly that in future firmware releases.

One could argue that these scooters are typically modified to remove speed limits, installed there because of legal limitations in a variety of countries. However, the legal speed limits are more nuanced than a hard upper boundary, and if the hardware is capable of doing 35km/h, you shouldn’t be at mercy of Xiaomi to be able to use your scooter to its full extent where considerate. It would be fair to assert, however, that Xiaomi did this because they don’t want to have their reputation be anywhere near “maker of scooters that people can modify to break laws with”, and therefore we can’t expect them to be forthcoming.

Furthermore, of course, this heavily limits reuse and meaningful modification of the hardware we own. If you want to bring a retired pay-to-ride scooter back to usefulness, add Bluetooth, or even rebuild the scooter from the ground up, you should be able to do that. So, how do we go around such restrictions? Taking the lid off and figuring out a way to reflash the firmware through SWD using something like a Pi Pico, perhaps? We can’t wait to see what hackers figure out.

How To Make An Electric Scooter Chain Sprocket With Nothing But Hand Tools

Sometimes, mechanical parts can be supremely expensive, or totally unavailable. In those cases, there’s just one option — make it yourself. It was this very situation in which I found myself. My electric scooter had been ever so slightly bested by a faster competitor, and I needed redemption. A gearing change would do the trick, but alas, the chain sprocket I needed simply did not exist from the usual online classifieds.

Thus, I grabbed the only tools I had, busied myself with my task. This is a build that should be replicable by anyone comfortable using a printer, power drill, and rotary tool. Let’s get to work!

Continue reading “How To Make An Electric Scooter Chain Sprocket With Nothing But Hand Tools”

Indonesian Jungle Vespas

Typically, we associate Vespas with Italians, riding their posh scooters midday under the heat of the Mediterranean sun. In one community, however, the riders and vehicles are pretty different – and by that we mean a whole lot different. Think Mad Max: Fury Road meets The Jungle Book.

The first Vespa arrived in Indonesia in the 1960s when the vehicles were rewarded to Indonesian peacekeepers returning from a mission in Africa. While many of the Vespas on the archipelago maintain the same classic style, some riders have modified theirs into entirely new conceptions.

Indonesian photographer [Muhammad Fadli] captures these riders on their Vespa sampah (“garbage Vespa”) and Vespa gembel (“Vespa drifter”), as they are known by locals. The unique design of the riders is partially attributed to their emergence in the early 2000s coinciding with the fall of the Soeharto authoritarian regime. The newfound freedom and self expression, as well as the relaxed law enforcement, contributed to the development of new types of modified vehicles on the road.

While the scooters are widespread, there isn’t any known count of extreme Vespas in the country. Most of the Vespas are not meant for riding, but rather to show off their physical form. While some are made from cheap steel frames and tires, others are adorned with road scraps and symbols. Anything from buffalo skeletons to machine gun rounds are used to accentuate the design of the scooters, many of which have a punk or metal vibe.

Within the community, there are annual extreme Vespa gatherings, which can draw thousands of riders from all over Indonesia. From frames made of bamboo to frames made of garbage, stalls that collect recyclables to add to their vehicles, and riders from all walks of life, there’s no apparent limit to the builders’ creativity.

[Thanks edmonkey for the tip!]

Liberating Birds For A Cheap Electric Scooter

A few months ago, several companies started deploying electric scooters on the sidewalks of cities around the United States. These scooters were standard, off-the-shelf electric scooters made in China, loaded up with battery packs, motors, and a ‘brain box’ that has a GPS unit, a cellular modem, and a few more electronics that turn this dumb electric scooter into something you can ride via an app. Dropping electronic waste on cities around the country was not looked upon kindly by these municipalities, and right now there are hundreds of Bird and Lime scooters in towing yards, just waiting to be auctioned off to the highest bidder.

This is a remarkable opportunity for anyone who can turn a screwdriver and handle a soldering iron. For mere pennies on the dollar you can buy dozens of these scooters, and you can own thousands of dollars in batteries and electronics if you show up to the right auction. [humanbeing21] over on the scootertalk forums is preparing for the Bird apocalypse, and he’s already converted a few of these scooters to be his personal transportation device.

The subject of this conversion are scooters deployed by Bird, which are in actuality Xiaomi MIJIA M365 scooters with a few added electronics to connect to the Internet. The ‘conversion kit’ for a Bird scooter comes directly from China, costs $30, and is apparently a plug-and-play sort of deal. The hardest part is finding a screwdriver with the right security bits, but that again is a problem eBay is more than willing to solve.

Right now, [humanbeing21] is in contact with a towing company that has well over a hundred Bird scooters on their lot, each accruing daily storage fees. Since these scooters only cost about $400 new, we’re probably well past the time when it makes sense for Bird to pay to get them out of storage. This means they’ll probably be heading for an auction where anyone can pick them up — all of them — for a hundred bucks or so.

Right now, scooter hacking is becoming one of the most interesting adventures in modern-day hacking. You’ve got batteries and electronics and motors just sitting there, ready for the taking (and yes, through these auctions you can do this legally). We’re looking at a future filled with 18650-based Powerwalls from discarded electric scooters and quadcopters built around scooter motors filling the skies. This is cyberpunk, and we can’t wait to see the other builds these scooters will become.