eScooter IOT & Software Part 3 (Smart Lock – Cracking and Integration of Smart Lock Software)
In this third article of the eScooter series I will cover the smart lock used on rental escooters (kick scooters) and how to integrate it into the escooter + IoT + lock system we have built so far.
Seagull, Binbin, Palm, Cat etc.: almost all rental escooters have the same lock. It is a black box, usually mounted just above the black IoT box. You can see this lock in the picture.

This lock is purchased from China. It uses Bluetooth 4.x, and the manufacturer also gives you a mobile app. However, the lock only works with that app. To integrate it into your own system you need to talk to the manufacturer and ask for the PROTOCOL data; with that, the integration is easy.
Instead of the Chinese lock, I bought the German-branded Semptec SmartLock (actually this one is also produced in China; everything is made in China!), which offers similar Bluetooth technology and is more sophisticated and better. The manual is in German, so I could read it but not understand it; I only know how to turn the lock on and off. You can download its app from the Google Play Store and use it with your bike, scooter, etc. If the cable is cut, it beeps incredibly loudly (I have not tried that, of course), and even if you pull the battery out (I tried that, it is awesome!) it still sounds the alarm. Here are its pictures:



As I mentioned above, I need the protocol data, but unfortunately you cannot get it.
I bought this lock on purpose: I want to HACK and CRACK it and integrate it into my other systems.
First, in our 1st article, we used a Raspberry Pi Zero W to reach all three controls of the Xiaomi M365 escooter over Bluetooth, and we applied functions such as reading the battery charge, locking or unlocking the motor, and turning on the taillight.
In our 2nd article, we integrated the SIM + GSM + GNSS + GPS system into that first system with the SIM808 electronic module card, and we read and wrote data over the SIM card with an MQTT broker and client.
Now we will integrate the lock. My goal has two parts. The first is to break open the Android app I downloaded from the Google Play Store, learn what it does and, if necessary, recover its source code even though that is difficult, and keep it.
These types of systems work similarly, but their protocols differ, so you can apply what you read here to other systems with the same methodology. Anyway, my goal is not to catch the fish for you but to show you how to catch fish.
First I put a battery in the lock and started it. I installed the Android app, connected my Android phone to the notebook with a cable, opened any project in Android Studio and ran it on the phone. Then I opened the LogCat tab at the bottom of Android Studio and could see everything currently running on the phone, including the debug messages this app is allowed to print. This is the first thing an engineer should examine. I saw a lot of data, copied it to Notepad, saved it and examined it.
I cracked the Android app in 2 different ways and read its source code. I compared it with the LogCat data above: for each button pressed at each stage, I looked at the debug output and took notes.
In the end, just as in my 1st article, the data is a HEADER followed by the 6-digit numeric password (123456 out of the box; you can change it with the Android app) and, at the end, the code of the operation you want: 1 for unlock, 6 to query whether the lock is open or closed, etc. The HEADER is an interesting and unique value. The data is 8 bytes long, but that is only for unlock; for example, the change-password command carries about 20 bytes.
With this unlock protocol data in hand, I connect to the lock with GATTTOOL on the Raspberry Pi, just as I connected to the M365's Bluetooth in my 1st post. First we need the MAC address of the device. That is easy: type hcitool lescan and press enter, and you will see SmartLock written next to its MAC address.
Then type gatttool -t hci0 -b MAC_ADRES -I, then type connect and it will say connected; if not, type connect again. (Strictly speaking, gatttool selects the adapter with -i hci0, while -t sets the LE address type, public or random; any other -t value is treated as public, which is why the command above still works.) Of course, the lock must be turned on and in the locked state.
Now we need to learn the characteristic UUIDs of the device, as you know from our article 1. Type characteristics.
You will see many values. The one that interests us is the following:
handle: 0x0024, char properties: 0x0a, char value handle: 0x0025, uuid: 0000fff1-0000-1000-8000-00805f9b34fb
We will send the value to the char value handle 0x0025; the value will be the unlock command.
char-write-req 0x0025 XXYYYYYYYYYYYYKK, where XX is the header value, the Y's are the password bytes (for example 123456; each digit is sent as a character, not a number, so '1' is ASCII code 49, HEX 31), and KK is the command at the end: 01 for unlock, 06 for the lock status query.
It is exactly like that, but the lock does not open.
NOT WORKING..!
gatttool sends a byte array there; I am sending hex, so as you know that does not matter. I spent 3-4 days examining the complicated code to find where the problem was.
I am going to the seaside, to some different places. We took the scooter on the back of my car so that everyone in my family could ride it, so I am traveling and having fun at the same time. We didn't buy it for nothing, right? Sometimes I think about it and feel like going crazy because I haven't figured it out yet, but I don't worry, because I have been dealing with these and similar situations for 30 years and there is nothing I couldn't solve. Do it like this: get some oxygen, travel and shake off the dust.
Finally, I definitely understood that the app first sends 2 CRC/checksum verify values to this lock. So my first goal became getting the source code built with some parts added and corrected by myself. That was a lot of work, but I got it done in 1 day. Now I have everything: I can see those 2 verify values clearly in the debug output. How did I do it...
And now I send those 2 values and then the data from the first part, one after the other, to the device in GATTTOOL.
AND THE LOCK IS OPENED WITH A LONG, FRIGHTENING BEEP...
They made it quite complicated, but I am curious too...
I share the GATTTOOL commands below, with some parts hidden.
pi@raspberrypi:~ $ gatttool -t hci0 -b 64:69:5A:33:B4:DD -I
[64:69:5A:33:B4:DD][LE]> connect
Attempting to connect to 64:69:5A:33:B4:DD
Error: connect error: Function not implemented (38)
[64:69:5A:33:B4:DD][LE]> connect
Attempting to connect to 64:69:5A:33:B4:DD
Error: connect error: Transport endpoint is not connected (107)
[64:69:5A:33:B4:DD][LE]> connect
Attempting to connect to 64:69:5A:33:B4:DD
connection successful
[64:69:5A:33:B4:DD][LE]> char-write-req 0x0025 XXPPPPPPPPPPPPKKCCCCCCCCCCCCCCCCCCCCCC
Characteristic value was written successfully
[64:69:5A:33:B4:DD][LE]>
(gatttool:11994): GLib-WARNING **: 16:09:27.272: Invalid file descriptor.
[64:69:5A:33:B4:DD][LE]> connect
Attempting to connect to 64:69:5A:33:B4:DD
connection successful
[64:69:5A:33:B4:DD][LE]> char-write-req 0x0025 XXPPPPPPPPPPPPKKCCCCCCCCCCCCCCCCCCCCCC
Characteristic value was written successfully
[64:69:5A:33:B4:DD][LE]> char-write-req 0x0025 XXPPPPPPPPPPPPKK
Characteristic value was written successfully
[64:69:5A:33:B4:DD][LE]>
(gatttool:11994): GLib-WARNING **: 16:10:12.182: Invalid file descriptor.
[64:69:5A:33:B4:DD][LE]>
XX is the HEADER value described above.
PP are the password bytes in HEX, as I explained above.
KK is the code of the desired operation.
CC are the verify (CRC/checksum) bytes, which I leave hidden.
So, with this hard work, I have both the source code of the app and all the protocol data and what it means. If the company does not give it, we will find it!
It is now very easy to integrate the lock into the Xiaomi M365 Bluetooth + IoT (SIM + GNSS + GPS) system. The software in those parts was C++ or Python. For example, you write a short Python script and test it, then integrate it into the Python software that talks to the brain of the motor and to the SIM card, etc.
Some readers asked how to do this part. The commands we typed in GATTTOOL can be issued from Python too: install pygatt or a similar library, import it into the project, find the service and then the characteristic of the device, and send the commands together with the data to that characteristic. That's it!
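As an added example (not code from the original post, nor from Semptec or pygatt), here is the frame layout and the pygatt characteristic write described above in Python. It assumes a single-byte header, a verify trailer supplied by the caller, and the characteristic UUID listed earlier (0000fff1-...); the real header and verify values stay placeholders because the post hides them.

```python
"""Frame builder/parser for the lock protocol layout described in the post.
Assumptions (not from the post): single-byte header, caller-supplied verify
trailer, pygatt as the BLE library; header/trailer values are placeholders."""

LOCK_CHAR_UUID = "0000fff1-0000-1000-8000-00805f9b34fb"  # listed in the post
CMD_UNLOCK = 0x01  # KK = 01 in the post
CMD_STATUS = 0x06  # KK = 06 in the post: is the lock open or closed?


def build_frame(header: int, password: str, command: int, trailer: bytes = b"") -> bytes:
    """HEADER | 6 ASCII digits | command | optional verify trailer.
    Each digit is sent as its ASCII code, so '1' becomes 0x31 as the post explains."""
    if not (password.isascii() and password.isdigit() and len(password) == 6):
        raise ValueError("password must be exactly 6 decimal digits")
    if not (0 <= header <= 0xFF and 0 <= command <= 0xFF):
        raise ValueError("header and command must each fit in one byte")
    return bytes([header]) + password.encode("ascii") + bytes([command]) + trailer


def parse_frame(frame: bytes) -> dict:
    """Split a captured write back into its fields, e.g. when reviewing a
    gatttool or HCI log; note the password is visible as plain ASCII."""
    if len(frame) < 8:
        raise ValueError("frame shorter than the 8-byte minimum")
    return {
        "header": frame[0],
        "password": frame[1:7].decode("ascii"),
        "command": frame[7],
        "trailer": frame[8:],
    }


def send_frames(mac: str, frames, uuid: str = LOCK_CHAR_UUID) -> None:
    """Write each frame to the lock's characteristic in order (verify frame
    first, then the 8-byte command, as in the post). pygatt is imported here
    so the framing code above can be used and tested without BLE hardware."""
    import pygatt  # library named in the post; pip install pygatt

    adapter = pygatt.GATTToolBackend()
    try:
        adapter.start()
        device = adapter.connect(mac)
        for frame in frames:
            device.char_write(uuid, bytearray(frame), wait_for_response=True)
    finally:
        adapter.stop()


if __name__ == "__main__":
    HEADER = 0x00  # placeholder: the real header value is hidden in the post
    unlock = build_frame(HEADER, "123456", CMD_UNLOCK)
    print(unlock.hex(), parse_frame(unlock))
```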
Let me finish with the conceptual solution approach of the system. There are actually 2 options:
1-) Unlock the lock from the mobile app, as Bird and other American companies do: scan the QR code, send the rental request to the backend, and if it is OK, the mobile app sends the protocol data and opens the lock as I explained above.
2-) Scan the QR code, as most of our local companies do, send the rental request to the backend, and on OK let the Bluetooth of the IoT hardware (e.g. a Raspberry Pi) unlock it with Python code.
Apart from these 2 options, we sometimes see the lock connected directly to the escooter with a special cable.
That is all…
Stay well..
Selcuk Celik