- Sun Nov 28, 2021 3:06 pm #56073
I've spent about 4 months hacking these scooters, both on the retail and rental firmware. I've reverse engineered the firmware enough that I can say I've completely cracked all of it. I will not share the specifics of how the firmware works, I am however going to share why you really shouldn't bother with hacking and/or stealing the voi SNSC 2.3 series. It's not worth the effort.
TL;DR: Just buy a retail scooter.
- The SNSC 2.3.2 has more than one GPS tracker and they all have internal batteries that work independently of the main battery
- If you manage to flash the dashboard, one of the electronic brakes will not work since the retail version does not feature it.
- The enclosure/lid for the dashboard is not the same as the retail version, so you'll need to make your own if you want a proper dashboard with speed indications etc. Time to work on your 3D modelling skills.
- None of the rental firmware versions for either the dashboard, the BMS or the ESC are compatible with the retail versions. All have to be flashed for it to work.
- The SWD/Debug/ST-Link port is disabled on the ESC when the software is running. It's possible to work around this however, but it requires some effort with low power modes etc to get the STM32F103 into the right state.
- If you just flash esc126_fulldump, you'll get error 27. There are ways to overcome this.
- If you overcome error 27, your next error is 45. This error does not exist in the rental firmware. There is no way around this without patching. The publicly available CFW tools will not do this.
- The retail firmware cannot talk to the battery lock, so you will never be able to open the lid if you close it without significant effort, assuming you didnt just drill or cut the lid open in which case you've already significantly damaged the scooter.
- The communication between the ESC and the battery lock is encrypted, so dont expect to just put a logic analyzer on it and crack it that way. It's an I2C-like interrupt driven protocol with custom timings.
- Forget about cracking the rental firmware. On top of the heartbeat, it requires an authenticated heartbeat with an encryption key that's unique per scooter that must be sent at least every 30 seconds. The exchange is a challenge/response type that changes values on every iteration. This makes it immune to replay attacks so you cannot just stick a protocol analyzer on it and replay the data. If this is not done correctly, you'll get error 56.
On top of the authenticated heartbeat, you also need to authenticate every time you lock/unlock the scooter, unlock the battery hatch, shutdown, reboot, or do a firmware upgrade. This is the case for DRV386 and onwards, which to my knowledge has been rolled out everywhere. The older versions would still let you do these actions but would error 56 on you after 30 seconds or so. Also, the data indexes for the unlocking actions are not documented publicly.
- The 1004Wh battery (NEE1009-W) uses an STM32G030 CPU, unlike the older models which uses an STM8L151 CPU. Completely different architecture. You cannot flash BMS versions earlier than 5.0.0 on these, and there is to my knowledge no retail version of this firmware. Dont even try, you'll brick the battery.
- The IAP commands have been changed in the rental firmware, i.e: IAP_BEGIN, IAP_TRANS, IAP_VERIFY, and MCU_RESET. They also work with different encryption keys than the retail versions, so even if you manage to authenticate yourself to the ESC and find the new command codes you still need an image encrypted with the rental key for flashing to work. To my knowledge, they didn't do this for older versions of the BMS for some reason which is why you see people flashing the NEE1006-M1 battery packs.
- If you still manage to get through it, now you have the physical part left. You must remove all GPS trackers, and for the SNSC 2.3.2 model you also need to make some kind of cover for where the IoT module in the front was mounted since you'll otherwise have a big square hole in that place.
- The voi scooters are heavily branded. I spent weeks scraping the paint off to apply new. This is in my opinion the hardest part. You need to dismount the scooter down to the bare metal before you begin in order to access all the painted areas.
- The chassis serial number is laser engraved into the metal. You can remove it with sandpaper but again - this takes time.
TL;DR: Just buy a retail scooter.