
Ninebot A1/S1 to S2 Upgrade Effort


Knifa


Ninebot One A1/S1 users want to unlock the full capabilities of their unit, i.e., by using S2 firmware. Let's do that.

Making a new thread for this since I've posted info elsewhere already, but not well contained.

I've got an S2 here so, while I don't need the upgrade, I'm interested in making it happen and happy to help out. :) If we can figure out how to bump the speed up for the S2 as well along the way, that'd be pretty cool.

Stuff we will definitely need:

  • Firmware files for both A1/S1 & S2.
  • A way to flash firmware to the unit, ideally in a way that's recoverable if it goes horribly wrong. Both direct in hardware and through software are options here.

Stuff I've looked at for grabbing the firmware:

I looked into downloading the firmware by either decompiling the Android app or packet sniffing during firmware upgrade.

Unfortunately, the Android app is packed with SeoNet and I was unsuccessful in unpacking it using android-unpacker (at least in the ADK emulator and on my device), so this ended pretty quickly. Perhaps someone else can try this on their device? You need to be rooted and to disable SELinux.

Grabbing anything useful from packet sniffing was also unsuccessful though I do have links to the endpoint (https://api4.ninebot.cn/v4/Vehicle/update_firmware). All requests are encrypted/encoded somehow and I was unable to figure out with what. It looks like Base64 but it is not. Responses are thankfully in plain text. Unfortunately, my S2 unit is up to date so I got nothing useful back.

Requests to anything beyond /v4/sys/init return an invalid data response, even with the exact same request body. Requests seem to be keyed in some way. Every call to /v4/Vehicle/update_firmware is different, though only maybe 30-40 characters towards the end change.

[screenshot]

You can see in the response that, alas, there are no upgrades available.

I've attached my Fiddler archive (ninebot.saz) if anyone else wants to take a crack at it.

Stuff I haven't looked at for grabbing the firmware:

The board has pins on the back for a UART connection. The CPU (an STM32F3) has to be flashed during manufacturing at some point --- maybe this is it?

[image]

STM32 chips come with a bootloader that allows you to both download and upload firmware over these pins. Not sure if you can disable this after the fact, though, and they could also be using their own bootloader (but unlikely?)

I have a board for debugging STM32 chips so I can look into this. I strongly do not want to take my unit apart again but I'm psyching myself up for doing it so stay tuned!

Stuff I've thought about for flashing the firmware

If we can get the firmware files, and figure out the responses from the Android app when firmware upgrades are available, we can hijack the requests from the app and replace them with our own files (similar to what was done for the MiniPro, etc)

Stuff that could be looked at by other people, or in the future:

If anyone has a unit that needs a firmware upgrade, or Ninebot release some new firmware, we can run the packet sniffing again and either grab the firmware file or work out where they are. This would be pretty good.

Any other thoughts?

Edited by Knifa

  • 2 weeks later...

Can we grab the firmware directly from the EEPROM?

I can open my S1 to locate the chip and try to read it. I'm just new to EUC, but I did this on others (VW car cluster and ECU).

Then, is the firmware encrypted? Need to read a bit from the Russians...


  • 2 weeks later...
42 minutes ago, MRN76 said:

The firmware is not encrypted
The addresses in the processor are:
8000000-80013FF -> Bootloader
8001400-80027FF -> Firmware
8002800-8003BFF -> The area where the firmware is being downloaded when updating
8003C00-8003FFF -> User data.

PS1. I have firmware 1.0.4 and 1.0.7
PS2. The model is determined by serial number, stored at 8003C020-8003C02D (A1 with two batteries rides 21km/h, S2 is already up to 24km/h)

Great info.  Is it possible to change the serial number to make the S1 think it's an S2?  I'm guessing it's not going to be as simple as that.

Edited by RooMiniPro
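Before anyone writes a modified image back, it is worth carving a full flash dump into the regions MRN76 listed and sanity-checking each one. The script below is an added example, not code from anyone in this thread. It takes the region boundaries from the post as offsets from the STM32 flash base 0x08000000, and it assumes that "8003C020-8003C02D" is meant as 0x8003C20..0x8003C2D, a 14-byte serial inside the user-data page (the post's eight-digit figure would fall outside the 16 KiB map it gives). The SRAM window size and the sample dump are constructed for the example.

```python
"""Carve an STM32F3 flash dump into the regions MRN76 listed and check each
one before anything is written back. Region layout is taken from the post;
the serial offset is an assumption (see the lead-in)."""
import hashlib
import struct

FLASH_BASE = 0x08000000                      # STM32 internal flash base
SRAM_BASE, SRAM_SIZE = 0x20000000, 0x10000   # assumption: 64 KiB SRAM window for the stack check
DUMP_SIZE = 0x4000

# (start, end) offsets into the dump, from MRN76's post.
REGIONS = {
    "bootloader": (0x0000, 0x1400),
    "firmware":   (0x1400, 0x2800),
    "update":     (0x2800, 0x3C00),
    "userdata":   (0x3C00, 0x4000),
}
# Assumption: 14-byte serial at 0x8003C20..0x8003C2D inside user data.
SERIAL_OFF, SERIAL_LEN = 0x3C20, 14


def carve(dump: bytes) -> dict:
    """Split a full dump into the named regions (raises if the dump is short)."""
    if len(dump) < DUMP_SIZE:
        raise ValueError(f"dump is {len(dump)} bytes, expected at least {DUMP_SIZE:#x}")
    return {name: dump[a:b] for name, (a, b) in REGIONS.items()}


def is_erased(region: bytes) -> bool:
    """Erased STM32 flash reads back as all 0xFF."""
    return all(b == 0xFF for b in region)


def vector_table_ok(image: bytes, load_addr: int) -> bool:
    """Check the Cortex-M vector table at the start of an image: word 0 is the
    initial stack pointer (must be in SRAM), word 1 the reset handler (must be
    a Thumb address, i.e. odd, that lies inside the image itself)."""
    if len(image) < 8:
        return False
    sp, reset = struct.unpack_from("<II", image, 0)
    sp_ok = SRAM_BASE < sp <= SRAM_BASE + SRAM_SIZE
    reset_ok = bool(reset & 1) and load_addr <= reset < load_addr + len(image)
    return sp_ok and reset_ok


def read_serial(dump: bytes):
    """Return the serial as text, or None if the bytes are not printable ASCII."""
    raw = dump[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN]
    if len(raw) != SERIAL_LEN or not all(0x20 <= b < 0x7F for b in raw):
        return None
    return raw.decode("ascii")


def region_digests(dump: bytes) -> dict:
    """SHA-256 per region, so a dump can be compared before and after changes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in carve(dump).items()}


def build_sample_dump() -> bytes:
    """Constructed 16 KiB dump for the example; it is NOT a real Ninebot image."""
    buf = bytearray(b"\xFF" * DUMP_SIZE)
    boot_a, fw_a = REGIONS["bootloader"][0], REGIONS["firmware"][0]
    # Bootloader vector table: SP in SRAM, reset handler at +0x100 with the Thumb bit set.
    struct.pack_into("<II", buf, boot_a, 0x20003000, FLASH_BASE + boot_a + 0x101)
    buf[boot_a + 0x100:boot_a + 0x104] = b"\x00\xBF\xFE\xE7"  # nop; b . (filler)
    # Application vector table at the start of the firmware region.
    struct.pack_into("<II", buf, fw_a, 0x20004000, FLASH_BASE + fw_a + 0x101)
    buf[fw_a + 0x100:fw_a + 0x104] = b"\x00\xBF\xFE\xE7"
    # Constructed serial in user data; the update area is left erased.
    buf[SERIAL_OFF:SERIAL_OFF + SERIAL_LEN] = b"N3EXAMPLE00001"
    return bytes(buf)


def report(dump: bytes) -> dict:
    """Summarise the checks a dump should pass before it is trusted as a backup."""
    regions = carve(dump)
    return {
        "bootloader_vectors": vector_table_ok(regions["bootloader"], FLASH_BASE + REGIONS["bootloader"][0]),
        "firmware_vectors": vector_table_ok(regions["firmware"], FLASH_BASE + REGIONS["firmware"][0]),
        "update_erased": is_erased(regions["update"]),
        "serial": read_serial(dump),
    }


if __name__ == "__main__":
    sample = build_sample_dump()
    print(report(sample))
    for name, digest in region_digests(sample).items():
        print(f"{name:10s} {digest}")
```

Run it against a real dump by replacing `build_sample_dump()` with the bytes read from the programmer; a vector-table check that fails, or a serial that is not printable, is a sign the region boundaries in the post do not match that unit and the dump should not be used as a restore image.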

17 hours ago, RooMiniPro said:

Thanks but that thread only shows it being done on a Ninebot One, not a Segway S1. 

It shows the example for C/C+/E/E+/P. But if you read carefully, you can guess how to do it on the A1/S2. I did not describe this since few people have A1/S2 devices. Here are the connection points for the programmer. Everything else was described in the article at the link above.

[images: programmer connection points]


Fantastic work, @MRN76!

With your tooling, is it possible to specify speed limits outside the normal range (e.g., above what the model would provide normally)?

This looks pretty straight forward as long as you pick up the right equipment.

Awesome stuff. :)


  • 4 weeks later...

Based on firmware 1.0.9, I did a mod. On one battery the restriction is 22 km/h; with two batteries, the restriction is 30 km/h. Also, this firmware shows idling! And on a full charge, like the younger brother "One P", it is 44-45 km.
I made the firmware at the request of a friend. It will be tested in motorcycle protection, and can be overlaid with the video test.

[screenshots]

Test on the raised wheel


  • 4 weeks later...

I'm just waiting to see someone successfully do this on an S1, to know that it works, before trying it myself.  Also, with the language difference it's a bit harder for me to follow using Google Translate. 

Edited by RooMiniPro

J-Link v8 - $12

ST-Link v2 - $2

Whoever wants, I can load the modified firmware, but only for those with the J-Link v8 programmer. (I'll put read protection on; you can always return to your native firmware if you do not like this.)

I'm sorry, I write through Google Translate.


  • 2 weeks later...
On 5/9/2018 at 2:13 AM, MRN76 said:

J-Link v8 - $12

ST-Link v2 - $2

Whoever wants, I can load the modified firmware, but only for those with the J-Link v8 programmer. (I'll put read protection on; you can always return to your native firmware if you do not like this.)

I'm sorry, I write through Google Translate.

That's great work! How can we get this firmware?
