Hacking Xiaomi m365 & Pro & Pro 2 & Segway Encrypted Brain Software
As you know, I explained how kick-scooter operators such as Marti, Binbin, Cat and Dost in Turkey, Lime and Bird in the USA, Voi in Sweden and others apply this technology: how we can reach the BLE, MOTOR and BATTERY control circuits of the e-scooter and receive data, how we can get data or lock the scooter, turn on the taillight and so on, how we can intervene, how we can build IoT circuits, and finally how the smart-lock device works and how it is integrated into the e-scooter.
In my first article, when I bought the Xiaomi m365 scooter, the new version of the brain software was installed, and cracking these functions would have to be a future study, so I flashed the brain software of the scooter to achieve my goal. I also changed the firmware versions: I made it BLE 073 and firmware 1.3.8. After the R&D was finished and I had written my articles, I upgraded my e-scooter back to its normal versions.
The new Xiaomi m365, Pro, Pro 2 and Segway scooters all now have encrypted brain software…
So, how do we break this crypto and reach its algorithms and process this data?
We started working with our beloved cat and helper IRMA!…
Unfortunately, I was disappointed when a few people called me about this issue and said that they could not do with the scooters they bought what I did in my articles, because with the wrong software the device may become useless (what we call a brick), or because the downgrade is dangerous in terms of data.
But now I had time, and within a few days I saw that all the crypto and algorithms had to be broken, and in addition the data had to be sent in a very, very specific order.
What was the method? I teach you how to fish, you know. I usually don't give the fish.
There are two apps in the Android Play Store that can read this data; I reverse engineered them in all their new and old versions. Most of the time the code was obfuscated.
I ran them one by one, connected the device to the notebook, ran Android Studio, looked at the LogCat output and archived it.
Let me tell you that it is very difficult.
After seeing everything, I came up with a crypto class. This was not enough; it had to be used in the right order. In addition, I had to write an Android mobile app and test with it, and I had to use all the characteristics etc. that I specified in my article.
I have a crypto class with many functions in it.
You initialize the class with the unique name of whatever scooter you connect to, and you get an instance.
Then you encrypt a fixed and very important piece of data with a method of this class and send it once; the data has to be sent in chunks of 20 bytes. On the other side, we catch the event from the notification handle and see that 3 values arrive. We combine them and pass them to the decrypt method of our crypto class, and now we have the serial number of the device in front of us. This is very important. Also, a random key is created; every time the software starts this value is different. We now have both the serial number and the random key.
There is a fixed value (3 times); we add the random key to it, encrypt it and send it to the device.
Then we encrypt 4 times, this time adding a different fixed value together with the serial number, and send it to the device.
Valaaaaaa… The device returns a few special values, but we don't need them right now. One of the values in it may be important in the future; it may differ depending on the device. Let's close the issue for now and act accordingly if needed.
Now we can do anything…
For example, if we encrypt the value 5aa5013e20037D02 with the crypto class, convert it to a byte array and send it to the device, it turns on the backlight. If we do the same with 5aa5013e20037D00, it turns the lamp off.
Yet another example: if we encrypt and send the value 5aa5013e20011A02 and capture the return value with an event, we see a value like 5AA502B03A1CE4DAA9C3DFDA09000A, and if we decrypt it automatically in our program, the value we get is 5AA502233E011A5601.
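As an added example that is not part of the original article or the author's crypto class, here is a small parser for the decrypted 5AA5 frames quoted above, plus the 20-byte chunking mentioned for the BLE writes. The field layout (header, length, src, dst, cmd, reg, payload) is my assumption inferred from the two sample frames, not something the article confirms; the length check rejects truncated or mis-chunked frames instead of silently decoding them.

```python
from dataclasses import dataclass

HEADER = b"\x5a\xa5"   # the 5AA5 prefix seen on every decrypted frame in the post
BLE_CHUNK = 20         # chunk size the post says the encrypted data is sent in


@dataclass
class Frame:
    length: int    # declared payload length
    src: int       # assumed: sending node id
    dst: int       # assumed: receiving node id
    cmd: int       # assumed: command byte
    reg: int       # assumed: register / argument byte
    payload: bytes


def parse_frame(hex_frame: str) -> Frame:
    """Parse one decrypted frame given as a hex string (case-insensitive).

    Layout assumed: 5A A5 | len | src | dst | cmd | reg | payload[len].
    """
    raw = bytes.fromhex(hex_frame)
    if len(raw) < 7:
        raise ValueError("frame too short for header and fixed fields")
    if raw[:2] != HEADER:
        raise ValueError(f"bad header {raw[:2].hex()}")
    length = raw[2]
    payload = raw[7:]
    # A declared length that does not match the bytes present means the frame
    # was truncated or reassembled wrongly from its notification chunks.
    if len(payload) != length:
        raise ValueError(f"declared {length} payload bytes, got {len(payload)}")
    return Frame(length, raw[3], raw[4], raw[5], raw[6], payload)


def split_for_ble(data: bytes, size: int = BLE_CHUNK) -> list[bytes]:
    """Split an (already encrypted) message into BLE write chunks of `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    # Constructed check using the plaintext frames quoted in the post.
    for hex_frame in ("5aa5013e20037D02", "5aa5013e20037D00",
                      "5aa5013e20011A02", "5AA502233E011A5601"):
        f = parse_frame(hex_frame)
        print(f"{hex_frame}: src=0x{f.src:02x} dst=0x{f.dst:02x} "
              f"cmd=0x{f.cmd:02x} reg=0x{f.reg:02x} payload={f.payload.hex()}")
    print(split_for_ble(bytes.fromhex("5AA502B03A1CE4DAA9C3DFDA09000A") * 2))
```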
Thus, with this study, even though the brain software is encrypted and sends and receives encrypted data,
we see that we can access the data of all Xiaomi m365, Pro, Pro 2 and Segway scooters.