Knifa, posted February 16, 2018 (edited)

Ninebot One A1/S1 users want to unlock the full capabilities of their unit, i.e., by using S2 firmware. Let's do that. Making a new thread for this since I've posted info elsewhere already, but not well contained. I've got an S2 here so, while I don't need the upgrade, I'm interested in making it happen and happy to help out. If we can figure out how to bump the speed up for the S2 as well along the way, that'd be pretty cool.

Stuff we will definitely need:
- Firmware files for both A1/S1 & S2.
- A way to flash firmware to the unit, ideally in a way that's recoverable if it goes horribly wrong. Both direct in hardware and through software are options here.

Stuff I've looked at for grabbing the firmware:

I looked into downloading the firmware by either decompiling the Android app or packet sniffing during firmware upgrade. Unfortunately, the Android app is packed with SeoNet and I was unsuccessful in unpacking it using android-unpacker (at least in the ADK emulator and on my device), so this ended pretty quickly. Perhaps someone else can try this on their device? You need to be rooted and to disable SELinux.

Grabbing anything useful from packet sniffing was also unsuccessful, though I do have links to the endpoint (https://api4.ninebot.cn/v4/Vehicle/update_firmware). All requests are encrypted/encoded somehow and I was unable to figure out with what. It looks like Base64 but it is not. Responses are thankfully in plain text. Unfortunately, my S2 unit is up to date so I got nothing useful back. Requests to anything beyond /v4/sys/init return an invalid data response, even with the exact same request body. Requests seem to be keyed in some way. Every call to /v4/Vehicle/update_firmware is different, though only maybe 30-40 characters towards the end change. You can see in the response that, alas, there are no upgrades available.

I've attached my Fiddler archive (ninebot.saz) if anyone else wants to take a crack at it.

Stuff I haven't looked at for grabbing the firmware:

The board has pins on the back for a UART connection. The CPU (an STM32F3) has to be flashed during manufacturing at some point; maybe this is it? STM32 chips come with a bootloader that allows you to both download and upload firmware over these pins. Not sure if you can disable this after the fact, though, and they could also be using their own bootloader (but unlikely?). I have a board for debugging STM32 chips so I can look into this. I strongly do not want to take my unit apart again but I'm psyching myself up for doing it, so stay tuned!

Stuff I've thought about for flashing the firmware:

If we can get the firmware files, and figure out the responses from the Android app when firmware upgrades are available, we can hijack the requests from the app and replace them with our own files (similar to what was done for the MiniPro, etc.).

Stuff that could be looked at by other people, or in the future:

If anyone has a unit that needs a firmware upgrade, or Ninebot release some new firmware, we can run the packet sniffing again and either grab the firmware file or work out where they are. This would be pretty good.

Any other thoughts?

Edited February 16, 2018 by Knifa
winter, posted February 17, 2018 (edited)

Edited August 18, 2018 by nte: Fixed link
RooEUC, posted February 18, 2018

Thanks for starting this thread, @Knifa. I will be following this like a hawk. I have the S1 so if there's anything I can be of help with, let me know.
Lavabo, posted March 2, 2018

Can we grab the firmware directly from the EEPROM? I can open my S1 to locate the chip and try to read it. I'm just new to EUC, but I did this on others (VW car cluster and ECU). Then, is the firmware encrypted? Need to read a bit from the Russians...
MRN76, posted March 13, 2018

The firmware is not encrypted. The addresses in the processor are:

8000000-80013FF -> Bootloader
8001400-80027FF -> Firmware
8002800-8003BFF -> The area where the firmware is being downloaded when updating
8003C00-8003FFF -> User data

PS1. I have firmware 1.0.4 and 1.0.7.
PS2. The model is determined by serial number, stored at 8003C020-8003C02D (A1 with two batteries rides 21 km/h, S2 is already up to 24 km/h).
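Knifa asked above for a way to flash that is "recoverable if it goes horribly wrong", and MRN76's post gives the flash layout a backup has to be checked against. The script below is an added example, not code from either poster or from Ninebot: it treats a full-flash dump as a byte string laid out exactly as MRN76 lists it (bootloader, firmware, update staging area, user data, 0x8000000-0x8003FFF), sanity-checks a backup before it is relied on, records a SHA-256 per region, reads the serial number string out of user data, and reports which regions differ between a backup and a candidate image, so that an accidental change to the bootloader is noticed before anything is written. The serial-number range is an assumption: the post writes it as 8003C020-8003C02D, which has one hex digit too many for a 16 KiB map, so the code assumes 0x8003C20-0x8003C2D (14 bytes at the start of user data). The sample image and serial strings are constructed for offline use and are not real dumps.

```python
import hashlib

# Flash layout exactly as MRN76 lists it in the thread (STM32F3, flash mapped at
# 0x08000000; the ranges end at 0x08003FFF, i.e. a 16 KiB image).
FLASH_BASE = 0x08000000
FLASH_SIZE = 0x4000

# (name, first address, last address) in the order they appear in flash.
REGIONS = (
    ("bootloader",     0x08000000, 0x080013FF),
    ("firmware",       0x08001400, 0x080027FF),
    ("update_staging", 0x08002800, 0x08003BFF),
    ("user_data",      0x08003C00, 0x08003FFF),
)

# ASSUMPTION (not from the thread): the post gives the serial as 8003C020-8003C02D,
# which has one hex digit too many for a 16 KiB map. We assume the intended range
# is 0x08003C20..0x08003C2D, 14 bytes at the start of the user-data area.
SERIAL_START, SERIAL_END = 0x08003C20, 0x08003C2D
SERIAL_LEN = SERIAL_END - SERIAL_START + 1  # 14


def region_bytes(image: bytes, start: int, end: int) -> bytes:
    """Return the bytes of an inclusive address range from a full-flash dump."""
    return image[start - FLASH_BASE:end - FLASH_BASE + 1]


def check_dump(image: bytes) -> tuple:
    """Sanity-check a backup before it is relied on for recovery.

    A dump of the wrong size, or one that is entirely 0xFF (erased flash) or
    entirely 0x00 (typical of a read-protected part), is not a usable backup.
    """
    if len(image) != FLASH_SIZE:
        return False, f"expected {FLASH_SIZE} bytes, got {len(image)}"
    if all(b == 0xFF for b in image):
        return False, "image is all 0xFF (erased flash or failed read)"
    if all(b == 0x00 for b in image):
        return False, "image is all 0x00 (read-protected or failed read)"
    return True, "ok"


def region_digests(image: bytes) -> dict:
    """SHA-256 per region, so a backup can be identified and compared later."""
    return {name: hashlib.sha256(region_bytes(image, s, e)).hexdigest()
            for name, s, e in REGIONS}


def read_serial(image: bytes) -> str:
    """Read the serial number string (ASCII, padded with 0x00 or 0xFF) from user data."""
    raw = region_bytes(image, SERIAL_START, SERIAL_END)
    return raw.rstrip(b"\x00\xff").decode("ascii", errors="replace")


def changed_regions(original: bytes, modified: bytes) -> list:
    """Names of regions whose content differs between two full-flash images.

    Before writing a candidate image, this shows whether only the intended area
    (e.g. user data) changed, or whether the bootloader was touched by accident.
    """
    if len(original) != len(modified):
        raise ValueError("images differ in length; not comparable region by region")
    return [name for name, s, e in REGIONS
            if region_bytes(original, s, e) != region_bytes(modified, s, e)]


def build_sample_image(serial: bytes) -> bytes:
    """CONSTRUCTED sample dump for offline use; not a real Ninebot flash image.

    Each code region is filled with a distinct byte so boundaries are visible;
    the staging and user-data areas start erased (0xFF) with the serial written in.
    """
    if len(serial) > SERIAL_LEN:
        raise ValueError(f"serial longer than {SERIAL_LEN} bytes")
    fills = {"bootloader": 0xB0, "firmware": 0xF1, "update_staging": 0xFF, "user_data": 0xFF}
    img = bytearray(FLASH_SIZE)
    for name, s, e in REGIONS:
        img[s - FLASH_BASE:e - FLASH_BASE + 1] = bytes([fills[name]]) * (e - s + 1)
    off = SERIAL_START - FLASH_BASE
    img[off:off + len(serial)] = serial
    return bytes(img)


if __name__ == "__main__":
    backup = build_sample_image(b"SAMPLE-SN-0001")  # constructed serial, 14 chars
    print("backup check:", check_dump(backup))
    print("serial:", read_serial(backup))
    for name, digest in region_digests(backup).items():
        print(f"{name:15s} {digest[:16]}...")
    candidate = build_sample_image(b"SAMPLE-SN-0002")
    print("regions changed:", changed_regions(backup, candidate))
```

Run it against a real dump by replacing `build_sample_image(...)` with `open("backup.bin", "rb").read()`; the region digests of the untouched backup are worth keeping next to the file, because they let you confirm later that the image you are about to restore is the one you originally read out.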
RooEUC, posted March 13, 2018 (edited)

42 minutes ago, MRN76 said:
The firmware is not encrypted. The addresses in the processor are: 8000000-80013FF -> Bootloader, 8001400-80027FF -> Firmware, 8002800-8003BFF -> The area where the firmware is being downloaded when updating, 8003C00-8003FFF -> User data. PS1. I have firmware 1.0.4 and 1.0.7. PS2. The model is determined by serial number, stored at 8003C020-8003C02D (A1 with two batteries rides 21 km/h, S2 is already up to 24 km/h).

Great info. Is it possible to change the serial number to make the S1 think it's an S2? I'm guessing it's not going to be as simple as that.

Edited March 13, 2018 by RooMiniPro
MRN76, posted March 13, 2018

1 hour ago, RooMiniPro said:
Great info. Is it possible to change the serial number to make the S1 think it's an S2? I'm guessing it's not going to be as simple as that.

Just. Above is all the information. https://electrotransport.ru/ussr/index.php?topic=48365.0
RooEUC, posted March 14, 2018

On 13/03/2018 at 2:28 PM, MRN76 said:
Just. Above is all the information. https://electrotransport.ru/ussr/index.php?topic=48365.0

Thanks, but that thread only shows it being done on a Ninebot One, not a Segway S1.
MRN76, posted March 15, 2018

17 hours ago, RooMiniPro said:
Thanks, but that thread only shows it being done on a Ninebot One, not a Segway S1.

It shows the example for C/C+/E/E+/P. But if you read carefully, you can guess how to do it on A1/S2. I did not describe this, as few people have A1/S2 devices. Here are the connection points for the programmer. Everything else was described in the article at the link above.
MRN76, posted March 15, 2018

New version: Ninebot.rar
RooEUC, posted March 15, 2018

4 hours ago, MRN76 said:
New version: Ninebot.rar

Thanks for this effort @MRN76. @Knifa, are you able to make sense of this? Can it be applied to the S1/S2?
MRN76, posted March 16, 2018

On the S2, so far you can only see the information; I can add the choice of firmware (for now I have 1.0.4 and 1.0.7).
Knifa (author), posted March 19, 2018

Fantastic work, @MRN76! With your tooling, is it possible to specify speed limits outside the normal range (e.g., above what the model would provide normally)? This looks pretty straightforward as long as you pick up the right equipment. Awesome stuff.
MRN76, posted March 20, 2018

With this tool you cannot change the speed, but you can change the firmware. You can use IDA Pro to disassemble the firmware and change the limits.
MRN76, posted April 14, 2018

For the testers. To download it, you need to change the list from the list in the controller.

(spoiler: attachment)
MRN76, posted April 14, 2018

Based on firmware 1.0.9, I did a mod. On one battery the restriction is 22 km/h; with two batteries the restriction is 30 km/h. Also, this firmware shows idling! And on full charge, like its younger brother the "One P", it is 44-45 km. I made the firmware at the request of a friend. It will be tested in motorcycle protection, and can be backed up with the video test.

(spoiler: video) Test on the raised wheel
RooEUC, posted May 8, 2018 (edited)

I'm just waiting to see someone successfully do this on an S1, to know that it works, before trying it myself. Also, with the language difference it's a bit harder for me to follow using Google Translate.

Edited May 8, 2018 by RooMiniPro
winter, posted May 8, 2018 (edited)

Edited August 18, 2018 by nte
MRN76, posted May 8, 2018

J-Link v8: $12
ST-Link v2: $2

For whoever wants it, I can upload the modified firmware, but only for those with the J-Link v8 programmer. (I'll put protection against reading; you can always return to your native firmware if you do not like this.) I'm sorry, I write through Google Translate.
MRN76, posted May 8, 2018

(images) 100% battery; 25% battery
Rotciv, posted May 9, 2018

@MRN76 this is a great step in the right direction. Thanks for all your work.
Dimon311, posted May 17, 2018

On 5/9/2018 at 2:13 AM, MRN76 said:
J-Link v8: $12; ST-Link v2: $2. For whoever wants it, I can upload the modified firmware, but only for those with the J-Link v8 programmer. (I'll put protection against reading; you can always return to your native firmware if you do not like this.) I'm sorry, I write through Google Translate.

That's great work! How can we get this firmware?
winter, posted May 17, 2018 (edited)

Edited August 18, 2018 by nte
winter, posted May 17, 2018 (edited)

Edited August 18, 2018 by nte
GMOne, posted May 19, 2018

Is it possible to share this patched firmware for S2? I think the whole community will be grateful for it. Thanks in advance, GM