h3ku/Unleash-the-m365


Unleash the m365

This repository contains multiple files regarding the investigation about the Xiaomi Mijia M365 Scooter.

Research

This section contains information from the research into things like the official apps and the Bluetooth communication protocol.

Mi Home

Android

APP Server Communication

All the requests the app performs to the servers regarding the scooter (checking for updates, etc.) are ciphered using RC4. In the case of the latest Android version, all the parameters used to create the key are sent on every request:

data=zqnK2TlkGDq6iZToITYyt9CAEtoWht4LEh88XRnU&rc4_hash__=u8lit+iwOqc0P1k+VsRSlZ72POBvp701tEWFSg==&signature=A/l2lbo3OOdt/VoyEyLECfI/6BY=&_nonce=pFBJTd2vcbUBgaHP&ssecurity=Tw+X976Vymge9yBtgZPeMQ==

The parameters used to create the key are "ssecurity" and "_nonce", combined in the following way: B64Encode(Sha256(concat(B64Decode(ssecurity), B64Decode(_nonce))))

This key is then B64Decoded and used in a common RC4 algorithm, but with 1024 'fake rounds' (the first 1024 keystream bytes are generated and discarded before the data is processed). The following snippet shows a Python implementation of this RC4 variant.

# data and key are the base64-decoded bytes (Python 3: iterating bytes yields ints)
def rc4mi(data, key):
    S, j, out = list(range(256)), 0, bytearray()

    # Standard RC4 key scheduling
    for i in range(256):
        j = (j + key[i % len(key)] + S[i]) % 256
        S[i], S[j] = S[j], S[i]

    # 1024 fake rounds: advance the keystream and throw those bytes away
    i = j = 0
    for x in range(1024):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]

    # XOR the data with the remaining keystream; the same call decrypts
    for ch in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(ch ^ S[(S[i] + S[j]) % 256])

    return bytes(out)
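The complete flow described above (key derivation from ssecurity and _nonce, then the drop-1024 RC4 over a request body), as an added worked example that is not part of this repository's own code. The ssecurity, _nonce and body values are constructed for the example; the function names are the example's own. It also shows why the _nonce has to be fresh per request: two messages ciphered under the same ssecurity/_nonce pair share a keystream, so XORing the two ciphertexts reveals the XOR of the plaintexts.

```python
import base64
import hashlib
import json


def rc4mi(data: bytes, key: bytes) -> bytes:
    """RC4 whose first 1024 keystream bytes are discarded (the 'fake rounds')."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + key[i % len(key)] + S[i]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    # One keystream generator: the first 1024 outputs are dropped, the rest XOR the data
    for n in range(1024 + len(data)):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        if n >= 1024:
            out.append(data[n - 1024] ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def derive_key(ssecurity_b64: str, nonce_b64: str) -> bytes:
    """B64Decode(B64Encode(Sha256(B64Decode(ssecurity) || B64Decode(_nonce))))."""
    digest = hashlib.sha256(
        base64.b64decode(ssecurity_b64) + base64.b64decode(nonce_b64)
    ).digest()
    key_b64 = base64.b64encode(digest)  # the form the app carries around
    return base64.b64decode(key_b64)    # the decode undoes the encode: raw 32-byte digest


def encrypt_param(plaintext: bytes, ssecurity_b64: str, nonce_b64: str) -> str:
    """Produce the base64 value that would travel in the 'data=' parameter."""
    return base64.b64encode(rc4mi(plaintext, derive_key(ssecurity_b64, nonce_b64))).decode()


def decrypt_param(data_b64: str, ssecurity_b64: str, nonce_b64: str) -> bytes:
    return rc4mi(base64.b64decode(data_b64), derive_key(ssecurity_b64, nonce_b64))


def keystream_reuse_leak(p1: bytes, p2: bytes, ssecurity_b64: str, nonce_b64: str) -> bool:
    """True when c1 XOR c2 == p1 XOR p2, i.e. the keystream was reused across messages."""
    c1 = base64.b64decode(encrypt_param(p1, ssecurity_b64, nonce_b64))
    c2 = base64.b64decode(encrypt_param(p2, ssecurity_b64, nonce_b64))
    n = min(len(p1), len(p2))
    xor = lambda a, b: bytes(x ^ y for x, y in zip(a[:n], b[:n]))
    return xor(c1, c2) == xor(p1, p2)


# Constructed sample values (not taken from a real session)
SSECURITY = base64.b64encode(b"example-ssec-16b").decode()  # 16 decoded bytes
NONCE = base64.b64encode(b"nonce-12byte").decode()          # 12 decoded bytes
BODY = json.dumps({"model": "ninebot.scooter.v1"}).encode()

if __name__ == "__main__":
    data = encrypt_param(BODY, SSECURITY, NONCE)
    print("data=" + data)
    print(decrypt_param(data, SSECURITY, NONCE).decode())
    print("keystream reused across two bodies:",
          keystream_reuse_leak(BODY, b'{"model":"other"}', SSECURITY, NONCE))
```

Because RC4 is a stream cipher, the same function both ciphers and deciphers, and the ciphertext carries no integrity protection of its own: anyone holding ssecurity for the session can produce a valid "data" value, which is the property the downgrade section below relies on.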

iOS

Downgrade

When the app checks for upgrades it performs a request to the Xiaomi servers, more exactly to the endpoint "/app/home/latest_version", sending the following content (it changes a little from Android to iOS, but that is not important):

{"model":"ninebot.scooter.v1"}

The server then responds with the following data. To perform the update it is as easy as intercepting the response from the server, filling in all the parameters and ciphering the message with the correct ssecurity and the _nonce of the request.

{"code":0,"message":"ok","result":{"version":"","url":"","changeLog":"","md5":""}}

  • code: 0
  • message: ok
  • result
    • version: anything you want, for example 1.0.1_237
    • url: URL of a zip file containing the firmware
    • changeLog: anything you want
    • md5: MD5 hash of the zip file
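The response above only binds the firmware to an MD5 that travels in the same (symmetrically ciphered) message, so whoever can forge the message can also pick the hash. As an added example, not code from this repository or from the Mi Home app, here is the kind of client-side acceptance check that blocks the rollback the section describes: refuse any version that is not newer than the installed one, require https for the download URL (an assumption about what the client should enforce, not something the page states the app does), and only then compare the MD5 of the downloaded zip. The firmware bytes and response values are constructed for the example.

```python
import hashlib
import json
import re


def parse_version(v: str) -> tuple:
    """'1.0.1_237' -> (1, 0, 1, 237): every numeric group, in order, compared as a tuple."""
    nums = re.findall(r"\d+", v)
    if not nums:
        raise ValueError("unparseable version: %r" % v)
    return tuple(int(n) for n in nums)


def accept_update(response_json: str, installed_version: str, firmware_zip: bytes) -> tuple:
    """Return (accepted, reason) for a latest_version response and the zip it points to."""
    resp = json.loads(response_json)
    if resp.get("code") != 0:
        return False, "server code %r" % resp.get("code")
    result = resp.get("result") or {}
    for field in ("version", "url", "md5"):
        if not result.get(field):
            return False, "missing %s" % field
    # Anti-rollback: a version equal to or lower than the installed one is refused
    if parse_version(result["version"]) <= parse_version(installed_version):
        return False, "version %s is not newer than %s" % (result["version"], installed_version)
    # Assumption for this example: firmware must come over TLS
    if not result["url"].startswith("https://"):
        return False, "firmware url must use https"
    # Transport-integrity check only; the md5 is chosen by whoever wrote the response
    if hashlib.md5(firmware_zip).hexdigest().lower() != result["md5"].lower():
        return False, "md5 mismatch"
    return True, "ok"


# Constructed firmware blob and responses (not real M365 firmware)
FIRMWARE_ZIP = b"PK\x03\x04constructed-firmware-archive"
GOOD_RESPONSE = json.dumps({
    "code": 0, "message": "ok",
    "result": {"version": "1.0.1_237", "url": "https://example.invalid/fw.zip",
               "changeLog": "constructed", "md5": hashlib.md5(FIRMWARE_ZIP).hexdigest()},
})
ROLLBACK_RESPONSE = json.dumps({
    "code": 0, "message": "ok",
    "result": {"version": "1.0.0_100", "url": "https://example.invalid/old.zip",
               "changeLog": "constructed", "md5": hashlib.md5(FIRMWARE_ZIP).hexdigest()},
})
TAMPERED_RESPONSE = json.dumps({
    "code": 0, "message": "ok",
    "result": {"version": "1.0.1_237", "url": "https://example.invalid/fw.zip",
               "changeLog": "constructed", "md5": "0" * 32},
})

if __name__ == "__main__":
    for name, resp in (("good", GOOD_RESPONSE), ("rollback", ROLLBACK_RESPONSE),
                       ("tampered", TAMPERED_RESPONSE)):
        print(name, accept_update(resp, "1.0.1_200", FIRMWARE_ZIP))
```

Even with these checks the update path is only as trustworthy as the response channel: a hash that arrives alongside the firmware reference proves the download was not corrupted, not that the server intended it. A signature over the firmware with a key the client already holds is what would make the md5 field redundant.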

Firmware Mods

Hardware Mods

Files Index

License

This project is licensed under the MIT License; see the LICENSE.md file for details.

Acknowledgments
