M4GNV5 / 9BotONE

research tool to read/write data from/to a Ninebot ONE A1/S2

Adding features #2

Closed mccasian closed 2 years ago

mccasian commented 2 years ago

Hello

I like what you did and I would like to add some more features to it, like turning the lights on/off, changing region, etc. My first problem however is that I have an F40D, and the 4th byte is not 0x11 or 0x09. I noticed you have a branch for ES2 but that doesn't help either.

Anyhow, I would like to ask how you managed to figure out the 4th byte... actually, how you managed to scan the Bluetooth traffic you needed for reverse engineering?

I've been trying with Bluetooth HCI snoop logs on Android, with Wireshark + adb, but no success yet.

Thanks

M4GNV5 commented 2 years ago

As far as I know, the data sent via Bluetooth is forwarded to the vehicle's single-wire UART bus (probably at 115200 baud, 8N1). You could try sniffing that one and then triggering commands via the app.

Nevertheless, the btsnoop logs should contain all the information you need. Did you open them using Wireshark? Do they show any packets? Wireshark should be able to decode GATT attribute reads/writes.
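To make the btsnoop route concrete, here is an added Python example (not 9BotONE or miauth code, and not M4GNV5's) that walks an Android btsnoop_hci.log and pulls out the ATT write and notification values, i.e. the bytes Wireshark's btatt dissector would show. It assumes the log is btsnoop version 1 with datalink 1002 (HCI H4, which Android's HCI snoop writes) and that each ATT PDU fits in one unfragmented ACL packet; the sample log, the GATT handles 0x000E/0x0011 and the plaintext framing are constructed for illustration (a newer scooter would carry these frames encrypted).

```python
"""Pull ATT writes/notifications out of an Android btsnoop_hci.log without Wireshark.

Added example, not 9BotONE or miauth code. Assumes btsnoop v1 with datalink 1002
(HCI H4) and that each ATT PDU sits in a single, unfragmented ACL packet (true for
the short 5AA5 frames discussed here; long writes split over ACL fragments are skipped).
"""
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002
H4_ACL = 0x02            # H4 packet-type byte for HCI ACL data
L2CAP_CID_ATT = 0x0004   # fixed L2CAP channel carrying ATT
ATT_WRITE_REQ, ATT_WRITE_CMD, ATT_NOTIFY = 0x12, 0x52, 0x1B
OPCODE_NAME = {ATT_WRITE_REQ: "write-req", ATT_WRITE_CMD: "write-cmd", ATT_NOTIFY: "notify"}


def iter_btsnoop_records(data):
    """Yield (flags, packet) per record. All btsnoop header fields are big-endian."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version/datalink {version}/{datalink}")
    off = 16
    while off + 24 <= len(data):
        # original length, included length, flags, cumulative drops, timestamp (us)
        _orig_len, incl_len, flags, _drops, _ts = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        yield flags, data[off:off + incl_len]
        off += incl_len


def extract_att(data):
    """Return [(direction, opcode, handle, value_hex)] for every ATT write/notify PDU."""
    found = []
    for flags, pkt in iter_btsnoop_records(data):
        if len(pkt) < 5 or pkt[0] != H4_ACL:
            continue                                   # HCI commands/events: not GATT traffic
        # HCI ACL: type(1) | handle + PB/BC flags (2 LE) | data length (2 LE) | payload
        acl_len = struct.unpack_from("<H", pkt, 3)[0]
        acl = pkt[5:5 + acl_len]
        if len(acl) < 4:
            continue
        l2_len, cid = struct.unpack_from("<HH", acl, 0)  # L2CAP basic header
        if cid != L2CAP_CID_ATT:
            continue
        att = acl[4:4 + l2_len]
        if len(att) < 3 or att[0] not in OPCODE_NAME:
            continue
        handle = struct.unpack_from("<H", att, 1)[0]   # attribute handle, little-endian
        direction = "rx" if flags & 1 else "tx"        # flags bit0: 0 = host sent, 1 = received
        found.append((direction, att[0], handle, att[3:].hex()))
    return found


def build_record(received, att_pdu, conn_handle=0x0040):
    """Wrap an ATT PDU in L2CAP + HCI ACL + H4 + a btsnoop record (used to build the sample)."""
    l2 = struct.pack("<HH", len(att_pdu), L2CAP_CID_ATT) + att_pdu
    acl = bytes([H4_ACL]) + struct.pack("<HH", conn_handle, len(l2)) + l2   # PB=00, BC=00
    flags = 1 if received else 0                       # bit1 stays 0: data, not command/event
    return struct.pack(">IIIIq", len(acl), len(acl), flags, 0, 0) + acl


# Constructed sample log: the app writing the reboot frame quoted in the thread to a
# made-up handle 0x000E, then the scooter notifying a reply on made-up handle 0x0011.
SAMPLE_LOG = (
    BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
    + build_record(False, bytes([ATT_WRITE_CMD]) + struct.pack("<H", 0x000E)
                   + bytes.fromhex("5aa5013e20017801"))
    + build_record(True, bytes([ATT_NOTIFY]) + struct.pack("<H", 0x0011)
                   + bytes.fromhex("5aa500213d5c00"))
)

if __name__ == "__main__":
    for direction, opcode, handle, value in extract_att(SAMPLE_LOG):
        print(f"{direction} {OPCODE_NAME[opcode]:9s} handle=0x{handle:04x} {value}")
```

Point it at a real capture with `extract_att(open("btsnoop_hci.log", "rb").read())`. If every value that comes back looks random and changes on each run while the scooter name is still readable in advertising data, that is the signature of an encrypted transport rather than a parsing problem; if nothing comes back at all, check that the snoop was actually enabled (the file should start with the `btsnoop` magic and grow while the app is connected).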

mccasian commented 2 years ago

Hi

I have already tried to sniff the communication that way, but everything seems to be encrypted, except the name of the scooter. I only see useless stuff, strange characters. BtSnoop on my Samsung does not show anything useful... probably for the same reason: it's encrypted, I think.

In the meantime I have found a project that is compatible with my F40 and I can send commands to it: https://github.com/dnandha/miauth/tree/7df4f35c258f926ce396df3691d7f91d86ad761e I am running it on a Raspberry Pi Zero W, and no sniffing is needed since there is the option of using -v to see the entire communication. Example of usage:

python3 cli.py <mac_address> --nb --command 5aa5013e20017801 # reboot scooter

However, analysing the scripts and the communication, I realised that a massive amount of code is needed for proper communication, and the log shows a lot of sent and received messages for just sending one command: 5aa5013e20017801 -> reboot

I am wondering how you did it so simply...? Is it possible that with the latest firmwares the communication is very different and requires more advanced cryptography?

Example of output:

root@raspberrypiw0:/projects/miauth/lib/python/miauth# python3 cli.py DF: --nb --command 5aa5013e20027801 -v
Namespace(mac='DF:', m365=False, nb=True, command='5aa5013e20027801', serial=False, fwver=False, verbose=True, register=False, register_did=None, token_file='./mi_token')
Using Nb
Connecting
enabling notifications for: 6e400003-b5a3-f393-e0a9-e50e24dcca9e
enabling notifications for: None
Authenticating
Current state: State.CON
Sending message: 5aa5005fa53efc000046ff0000
Current state: State.CON
Sending message: 5aa5005fa53efc000046ff0000
Received message: 5aa51e43b93efde614a9e5c7f71d6876d8625439
Decoded message: 5aa51e213d5b018335d30c38340f
Received message: 5aa51e43b93efde614a9e5c7f71d6876d86254396ea8ed2b143dafb9f123236b80dee854b5000000
Decoded message: 5aa51e213d5b018335d30c38340f7f2b1b8d8e5beacd114e35474646323134364331
Received message: 5aa51e43b93efde614a9e5c7f71d6876d86254396ea8ed2b143dafb9f123236b80dee854b5000000f60000
Decoded message: 5aa51e213d5b018335d30c38340f7f2b1b8d8e5beacd114e35474646323134364331323631
Got cmd: 5aa51e213d5b01
BLE Key: 8335d3
Serial: N5GFF
Setting ble data/key in crypto
Current state: State.PING
Sending message: 5aa5107ec7e5da220c47d90f140e10e129263a06dbf0180000b3f70000
Current state: State.PING
Sending message: 5aa5107ec7e5da220c47d90f140e10e129263a06dbf0180000b3f70000
Received message: 5aa500bb12a01bca755edd0002
Decoded message: 5aa500213d5c00
Got cmd: 5aa500213d5c00
Current state: State.PRE
Please press the POWER button on the device
Sending message: 5aa50ea0a2bff8d2685428fcf03fa70baef7b7d77d2c5c0c230003
Received message: 5aa500bcbebef81813308b0003
Decoded message: 5aa500213d5c00
Got cmd: 5aa500213d5c00
Current state: State.PRE
Please press the POWER button on the device
Sending message: 5aa50e0582f1043e3e4f3e51468f709e8ac219df5855e00fb70004
Received message: 5aa500199ef10589689dea0004
Decoded message: 5aa500213d5d01
Got cmd: 5aa500213d5d01
Nb authentication successful!
Sending message: 5aa5010791b9aec1c919d2eb0005
Received message: 5aa500188ce6d709f399e40005
Decoded message: 5aa500213d5d01
Got cmd: 5aa500213d5d01
Nb authentication successful!
UART reply: 5a a5 00 18 8c e6 d7 09 f3 99 e4 00 05
Disconnecting
Received message: 5aa500ea6e766e51e9bc3c0006
Decoded message: 5aa500203e0500
Got cmd: 5aa500203e0500
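The "Decoded message" lines in the log above are ordinary Ninebot 5AA5 frames once miauth has stripped the encryption, so the part of the protocol 9BotONE deals with is still underneath. The added Python below (not miauth or 9BotONE code) parses those frames, flags the partial ones that appear while the 20-byte BLE chunks are still being reassembled, pulls the BLE key and serial out of the 0x5B reply, and builds/verifies the checksummed legacy plaintext form. Assumptions, not taken from the page: the field layout `5A A5 | LEN | SRC | DST | CMD | ARG | payload` and the 16-bit checksum `(sum of LEN..payload) XOR 0xFFFF` as circulated in community Ninebot ES/M365 protocol notes, the address names, and the 16-byte-key-then-ASCII-serial split of the 0x5B payload (inferred from what cli.py prints as "BLE Key" and "Serial").

```python
"""Decode the plaintext Ninebot 5AA5 frames that miauth prints as "Decoded message".

Added example, not miauth or 9BotONE code. Assumed layout (community Ninebot
protocol notes): 5A A5 | LEN | SRC | DST | CMD | ARG | LEN payload bytes. The decoded
frames in the log carry no checksum (the encrypted transport protects them); the
legacy plaintext form appends checksum = (sum of LEN..payload) XOR 0xFFFF, LE 16-bit.
"""
import struct

HEADER = b"\x5a\xa5"
# Address names are an assumption taken from community write-ups, not from the log.
ADDR = {0x20: "ESC", 0x21: "BLE", 0x22: "BMS", 0x3d: "app", 0x3e: "app", 0x3f: "app"}


def parse_frame(hexstr):
    """Split a frame into fields; 'complete' is False while LEN payload bytes are missing."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if raw[:2] != HEADER or len(raw) < 7:
        raise ValueError(f"not a 5AA5 frame: {hexstr}")
    length, src, dst, cmd, arg = raw[2:7]
    payload = raw[7:7 + length]
    return {
        "len": length, "src": src, "dst": dst, "cmd": cmd, "arg": arg,
        "payload": payload, "complete": len(payload) == length,
        "trailer": raw[7 + length:],   # checksum bytes on legacy frames, empty in the log
    }


def describe(hexstr):
    """One-line human summary of a frame, for eyeballing a -v log."""
    f = parse_frame(hexstr)
    src, dst = ADDR.get(f["src"], hex(f["src"])), ADDR.get(f["dst"], hex(f["dst"]))
    state = "" if f["complete"] else " (incomplete)"
    return (f"{src}(0x{f['src']:02x}) -> {dst}(0x{f['dst']:02x}) cmd=0x{f['cmd']:02x} "
            f"arg=0x{f['arg']:02x} len={f['len']} payload={f['payload'].hex() or '-'}{state}")


def split_key_and_serial(frame):
    """Assumed layout of the 0x5B reply payload: 16-byte BLE key, then the ASCII serial."""
    if frame["cmd"] != 0x5b or not frame["complete"]:
        raise ValueError("need a complete 0x5B reply")
    p = frame["payload"]
    return p[:16].hex(), p[16:].decode("ascii")


def build_legacy_frame(src, dst, cmd, arg, payload=b""):
    """Legacy plaintext frame with the 16-bit checksum appended (assumed algorithm)."""
    body = bytes([len(payload), src, dst, cmd, arg]) + payload
    chk = (sum(body) ^ 0xFFFF) & 0xFFFF
    return HEADER + body + struct.pack("<H", chk)


def verify_legacy_frame(raw):
    """True when the trailing two bytes match the checksum over LEN..payload."""
    f = parse_frame(raw.hex())
    if not f["complete"] or len(f["trailer"]) != 2:
        return False
    body = raw[2:7 + f["len"]]
    return struct.unpack("<H", f["trailer"])[0] == ((sum(body) ^ 0xFFFF) & 0xFFFF)


# Frames copied from the log above (post-decryption); the first is the reboot command.
LOG_FRAMES = [
    "5aa5013e20017801",
    "5aa51e213d5b018335d30c38340f",          # partial: only the first BLE chunk so far
    "5aa51e213d5b018335d30c38340f7f2b1b8d8e5beacd114e35474646323134364331323631",
    "5aa500213d5c00",
    "5aa500213d5d01",
]

if __name__ == "__main__":
    for h in LOG_FRAMES:
        print(describe(h))
    key, serial = split_key_and_serial(parse_frame(LOG_FRAMES[2]))
    print("BLE key:", key, "serial:", serial)
    print("legacy reboot frame:", build_legacy_frame(0x3e, 0x20, 0x01, 0x78, b"\x01").hex())
```

Two things fall out of running this over the log: the 0x5B reply is the only frame with a real payload, and it hands the app the key material that the rest of the session is encrypted with, which is why the old "write the frame to the characteristic and watch the notification" approach that 9BotONE relies on cannot be dropped onto an F40 without first implementing that handshake.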

M4GNV5 commented 2 years ago

Hmm, it looks like beginning with newer versions Xiaomi started to add an encryption layer over the BLE communication. This makes a lot of sense, as with the old communication one could sniff the lock command and lock the scooter maliciously, etc.

The docs in the repo you linked seem to document this new communication scheme. I do not have one of the newer Xiaomi scooters to try this, so I will not be able to implement it. You are probably better off using the library you linked and/or adding support for the encryption scheme to this project.