Full Report
Electric scooter hacking!? Sign me up! In this article, the author takes a look at the Brightway scooters made for NAVEE and Xiaomi. The scooter has a controller at the bottom that communicates with a motor and a battery. At the top of the scooter is a dashboard that communicates with the controller over UART. The dashboard communicates with cell phones using BLE.

To pair a scooter, the app must be downloaded and a QR code scanned. To activate the scooter, a home video must be watched. The 'Mi Home' API is integrated with the vendor's app. By looking into this internal application, we find the locations of important registers (such as the one that puts the scooter into drive mode) and more. The format of a packet for the scooter is as follows:

- TYPE: The command type. Write, read, MCU (controller) read/write and a few others.
- ADDRESS: The register address mentioned above.
- REST: The package being used.
- LEN: The length of the payload.
- PAYLOAD: The hex values to transmit.

They decided to take apart the scooter and map out all of the hardware. While doing this, they noticed that the Single Wire Debug (SWD) pins were left enabled! All they had to do to access JTAG was connect via OpenOCD. With this, they have complete access to system memory, control flow and anything else they want. Another oversight they noticed was that the firmware updates (OTA) for BLE are unencrypted. This allowed reverse engineering of the system as a whole.

Recently, Xiaomi introduced firmware signing to protect the BLE firmware from tampering. However, the MCU firmware is still not signed, which still allows some tampering with the device. They tried uploading their own firmware to various components for fun using this issue. The device has BLE encryption and a secure chip, but using these does not provide security by default; protections still need to be put in place for everything else. Overall, a fun post on reverse engineering!
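The register-frame format listed above, as an added Python example that is not from the original article: the page gives the field names (TYPE, ADDRESS, LEN, PAYLOAD) but not their widths, order or type codes, so the one-byte layout, the numeric codes in `FrameType`, the `MAX_PAYLOAD` bound and the omission of the REST field (whose encoding is not described) are all assumptions. The point of the block is the decoder: it refuses any frame whose byte count disagrees with its own LEN instead of trusting the header, which is the check a UART parser needs whichever side of the link it sits on.

```python
from dataclasses import dataclass
from enum import IntEnum


class FrameType(IntEnum):
    """Command types the article names; the numeric codes are assumed."""
    READ = 0x01
    WRITE = 0x02
    MCU_READ = 0x03
    MCU_WRITE = 0x04


MAX_PAYLOAD = 32  # assumed upper bound; stops a hostile LEN from driving a large read


@dataclass(frozen=True)
class Frame:
    ftype: FrameType
    address: int          # register address, one byte (assumed width)
    payload: bytes

    def encode(self) -> bytes:
        """Serialise as TYPE | ADDRESS | LEN | PAYLOAD (assumed order and widths)."""
        if not 0 <= self.address <= 0xFF:
            raise ValueError("address must fit in one byte")
        if len(self.payload) > MAX_PAYLOAD:
            raise ValueError("payload exceeds MAX_PAYLOAD")
        return bytes([self.ftype, self.address, len(self.payload)]) + self.payload


def decode(raw: bytes) -> Frame:
    """Parse one frame, rejecting anything whose bytes disagree with its own LEN."""
    if len(raw) < 3:
        raise ValueError("truncated header")
    type_byte, address, length = raw[0], raw[1], raw[2]
    try:
        ftype = FrameType(type_byte)
    except ValueError:
        raise ValueError(f"unknown frame type 0x{type_byte:02x}") from None
    if length > MAX_PAYLOAD:
        raise ValueError(f"declared LEN {length} exceeds MAX_PAYLOAD")
    if len(raw) - 3 != length:
        # A lenient decoder would trust LEN and read past the buffer (or swallow
        # the next frame's bytes); refusing here keeps framing honest.
        raise ValueError(f"LEN says {length} payload bytes, frame carries {len(raw) - 3}")
    return Frame(ftype, address, bytes(raw[3:]))


def is_well_formed(raw: bytes) -> bool:
    """Boolean wrapper around decode() for quick filtering of captured frames."""
    try:
        decode(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: write one payload byte to (assumed) register 0x1A.
    frame = Frame(FrameType.WRITE, 0x1A, b"\x01")
    wire = frame.encode()
    print(wire.hex(), decode(wire))
    for bad in (b"\x02\x1a\x05\x01", b"\x09\x00\x00", b"\x02"):
        print(bad.hex(), "well-formed" if is_well_formed(bad) else "rejected")
```

Run it directly to see one good frame round-trip and three malformed ones (LEN larger than the bytes present, unknown type, truncated header) rejected; `is_well_formed` is the function to run over a batch of captured frames when sorting noise from real traffic.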
Analysis Summary
# Vulnerability: Critical Hardware and Firmware Security Oversights in Brightway/Xiaomi Scooters
## CVE Details
- **CVE ID:** No CVE assigned (Security Research Case Study)
- **CVSS Score:** N/A (Estimated 6.8 - Medium/High based on physical access requirements)
- **CWE:**
  - CWE-1299: Exposure of Sensitive System Information with Sentinels
  - CWE-1277: Firmware Not Updateable
  - CWE-347: Improper Verification of Cryptographic Signature
## Affected Systems
- **Products:** Electric Scooters manufactured by Brightway Innovation Intelligent Technology
- **Versions:**
  - Xiaomi Electric Scooter 3 Lite
  - Xiaomi Electric Scooter 4
  - Xiaomi Electric Scooter 4 Ultra
  - NAVEE brand scooters (shared architecture)
- **Configurations:** All units where physical debug interfaces (SWD) remain active and MCU firmware signing is not enforced.
## Vulnerability Description
Security research into the Brightway/Xiaomi "3 Lite" architecture revealed multiple systemic security flaws:
1. **Exposed Debug Interfaces:** The Single Wire Debug (SWD) pins on the Dashboard (Realtek RTL8762D) and the Motor Control Unit (MCU - LKS32MC08x) were left unprotected. This allows an attacker with physical access to connect via JTAG/OpenOCD to dump system memory, bypass lockout mechanisms, or flash custom malicious firmware.
2. **Lack of Firmware Signing (MCU):** While Xiaomi recently introduced signing for BLE firmware to prevent over-the-air (OTA) tampering, the MCU (Controller) firmware remains unsigned.
3. **Unencrypted OTA Blobs:** Firmware update packages transmitted via Bluetooth Low Energy (BLE) were found to be unencrypted, facilitating easy reverse engineering of the system logic and register maps.
## Exploitation
- **Status:** PoC Available (researcher successfully dumped and reflashed firmware).
- **Complexity:** Medium (Requires hardware disassembly and knowledge of embedded systems).
- **Attack Vector:** Physical (for SWD exploitation); Adjacent (for potential BLE-based MCU firmware tampering).
## Impact
- **Confidentiality:** High (Firmware logic, proprietary communication protocols, and unique identifiers can be extracted).
- **Integrity:** High (Ability to flash modified firmware to remove speed limiters, bypass activation, or alter braking/motor behavior).
- **Availability:** High (Device can be permanently bricked or rendered unsafe via physical or OTA firmware manipulation).
## Remediation
### Patches
- **Firmware Signing:** Vendor has implemented signing for BLE components on newer updates, but the MCU remains vulnerable. Users should update to the latest version via the "Mi Home" app to at least secure the BLE pathway.
### Workarounds
- **Physical Security:** Owners should ensure the scooter is not left unattended in public areas where someone could disassemble the dashboard (requires only basic tools) to access SWD pins.
- **BLE Hard Reset:** If the device becomes unresponsive due to pairing issues, use the hardware reset (Throttle + Power Button x5).
## Detection
- **Indicators of Compromise:** Non-standard scooter behavior (increased speed limits), inability to connect to the official Mi Home app, or physical signs of dashboard tampering (tampered stickers/QR codes).
- **Detection Methods:** Use of `OpenOCD` or `ST-Link` utilities to check if the chip's read-out protection (ROP) bytes have been altered or if the flash content matches known-good hashes.
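The two controls named in the Remediation and Detection sections, comparing a flash dump against known-good hashes and refusing to flash an image whose signature does not verify (the check the MCU firmware lacks), as an added Python example that is not from the original research or the vendor. The firmware bytes, the known-good hash and the verification key are constructed, and an HMAC tag stands in for the asymmetric signature a real device would check, because the standard library has no signature primitive and the verify-before-flash logic has the same shape. The `checksum_only` path shows why an unkeyed checksum on an unsigned OTA blob detects only accidental corruption.

```python
import hashlib
import hmac

# Constructed controller image standing in for a real MCU firmware blob.
GOOD_IMAGE = b"DEMO-MCU-FW\x00" + bytes(range(64))

# Known-good allowlist: in practice populated from vendor images you trust.
KNOWN_GOOD_SHA256 = {hashlib.sha256(GOOD_IMAGE).hexdigest()}

# Assumed verification key. A real design burns an asymmetric public key into
# the device so that only the vendor can produce valid tags; HMAC is used here
# only because it ships with the standard library.
VERIFY_KEY = b"constructed-demo-key-not-a-real-secret"


def matches_known_good(image: bytes) -> bool:
    """Detection check: does a flash dump hash to a known-good image?"""
    return hashlib.sha256(image).hexdigest() in KNOWN_GOOD_SHA256


def tag_image(image: bytes, key: bytes = VERIFY_KEY) -> bytes:
    """Build side: attach an authentication tag (stand-in for signing)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def checksum_only(image: bytes) -> int:
    """What an unsigned blob typically carries: a plain additive checksum."""
    return sum(image) & 0xFFFF


def accept_unsigned(image: bytes, checksum: int) -> bool:
    """Unkeyed check: anyone who edits the image can recompute this."""
    return checksum_only(image) == checksum


def accept_signed(image: bytes, tag: bytes, key: bytes = VERIFY_KEY) -> bool:
    """Device side: flash only if the tag verifies. Constant-time compare so
    the tag cannot be matched one byte at a time."""
    return hmac.compare_digest(tag_image(image, key), tag)


def modified_copy(image: bytes) -> bytes:
    """Constructed one-byte change to the image body, for the comparison."""
    body = bytearray(image)
    body[-1] ^= 0xFF
    return bytes(body)


def compare_controls():
    """Returns (unsigned_accepted, signed_accepted, dump_matches) for a
    modified image, showing which control catches the change."""
    changed = modified_copy(GOOD_IMAGE)
    unsigned_accepted = accept_unsigned(changed, checksum_only(changed))  # passes
    signed_accepted = accept_signed(changed, tag_image(GOOD_IMAGE))       # refused
    dump_matches = matches_known_good(changed)                            # flagged
    return unsigned_accepted, signed_accepted, dump_matches


if __name__ == "__main__":
    print("genuine image known-good:", matches_known_good(GOOD_IMAGE))
    print("genuine image tag verifies:", accept_signed(GOOD_IMAGE, tag_image(GOOD_IMAGE)))
    print("modified image (unsigned ok, signed ok, dump matches):", compare_controls())
```

The checksum path accepts the modified image because the checksum is recomputed over whatever bytes are presented; the tag path refuses it because the tag was produced over the original bytes with a key the modifier does not hold; and the allowlist flags a dump taken from the chip afterwards. Those are the three outcomes the page's Remediation and Detection items rely on.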
## References
- **Original Research:** hxxps[://]robocoffee[.]de/?p=436
- **Hardware Reference:** hxxps[://]github[.]com/Koxx3/SmartESC_STM32_v2
- **Vendor:** Brightway Innovation Intelligent Technology (Suzhou) Co., Ltd.