Xiaomi M365 Custom Firmware
0x00004e1e movw r2, #0xc977
0x00004e26 movw r1, #0xc977
0x00004e3e movw r2, #0xc977
0x00004e46 movw r1, #0xc977
0x00004e5c movw r3, #0xc977
void sub_4dec(int arg0, int arg1, int arg2) {
    r2 = arg2;
    r12 = *(int8_t *)0x20000610;
    r7 = 0x20000610;
    asm { ldrd       r4, r3, [r7, #0x8] };
    r7 = *(r7 + 0x4);
    if (r12 >= 0x7) goto loc_4e70;

loc_4e06:
    goto *0x4e0a[r2];

loc_4e70:
    asm { strd       r1, r2, [r0] };
    return;

loc_4e12:
    r2 = SAR(0xc977 * (sign_extend_32(*0x4001243c) - r4), 0xa);
    goto loc_4e70;

loc_4e54:
    r2 = *0x4001283c;
    r2 = SAR(0xc977 * (sign_extend_32(r2) - r4), 0xa);
    goto loc_4e70;
}

losnir Mar 6, 2018

Yesterday this video was uploaded to youtube: https://www.youtube.com/watch?v=BawJjLjP3gE

Some group of Spanish hackers (I think?) found a way to hack the firmware, and even wrote an Android application to flash the hacked firmware and/or downgrade.

Details:

Version 2.0 week (also called 1.5): CFW W (850W)
+ Starting point 0
+ Power control (Normal: 850W MAX, ECO: 400W MAX)
- Xiaomi cruise speed regulator
======================================
Version 2.0: CFW (1000W, not recommended)
+ Starting point 0
+ Start off by power (????)
+ Power control (Normal: 1000W MAX, ECO: 600W MAX)
- Xiaomi cruise speed regulator
+ Retention deleted (????)
+ More aggressive front brake
+ Maximum speed 32km / h

I don't know if it's true but people in the comments say this is a leaked version of DOC-HELLO (LIST?) firmware.
It is based on V1.3.0 of the scooter.

There are two hacked versions:

  • 200CFW (Maximum 1000W to motor, NOT RECOMMENDED)
  • 200CFW_W (Maximum 800W to motor, RECOMMENDED)

They say it is NOT recommended to use the 1000W CFW because it can damage the scooter, better use the CFW 800W because it is safer (less demanding).

DISASSEMBLY

I disassembled & decompiled the binaries (I will also upload that) and compared the different results.

Between CFW100 vs CFW_W800 there are only a few changes, which I think are the maximum motor power limits.
In assembly code, it shows 5 times in those addresses:

(From original V1.3.0 firmware)

0x00004e1e movw r2, #0xc977
0x00004e26 movw r1, #0xc977
0x00004e3e movw r2, #0xc977
0x00004e46 movw r1, #0xc977
0x00004e5c movw r3, #0xc977

The ARMv7m procedure:

void sub_4dec(int arg0, int arg1, int arg2) {
    r2 = arg2;
    r12 = *(int8_t *)0x20000610;
    r7 = 0x20000610;
    asm { ldrd       r4, r3, [r7, #0x8] };
    r7 = *(r7 + 0x4);
    if (r12 >= 0x7) goto loc_4e70;

loc_4e06:
    goto *0x4e0a[r2];

loc_4e70:
    asm { strd       r1, r2, [r0] };
    return;

loc_4e12:
    r2 = SAR(0xc977 * (sign_extend_32(*0x4001243c) - r4), 0xa);
    goto loc_4e70;

loc_4e54:
    r2 = *0x4001283c;
    r2 = SAR(0xc977 * (sign_extend_32(r2) - r4), 0xa);
    goto loc_4e70;
}

The different power constants:

(v1.3.0):   0xc977 === 51575 (DEC) === 1100100101110111 (BINARY)
(CFW_W800): 0x6ce5 === 27877 (DEC) === 0110110011100101 (BINARY)
(CFW1000):  0x64bb === 25787 (DEC) === 0110010010111011 (BINARY)

So it tells us two things:

  1. The difference between CFW_W800 and CFW1000 is ONLY motor power, nothing else.
  2. A lower number for the motor power constant means more power (low = high power, high = low power).

Not sure what the number means, maybe it is the inverse of the motor physical RPM / ERPM (Electric RPM)?

Between V1.3.0 and CFW there are a few more changes of course, it can be seen with diff.
Between V1.3.0 and V1.3.4 the changes are massive, but maybe it is possible to hack that as well with the info we now have.

I attached the apk (Android) and also the firmware binaries which I extracted from the apk.
Unfortunately I didn’t have time to decompile the Java class / dex files and look how the app flashes the firmware, but it can be very simple.

Disassembled & decompiled with Hopper (https://www.hopperapp.com).

I will try the custom firmware now and report back!

Have fun and good luck!
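An added example, not from the gist or from losnir, of the comparison the comment describes: it encodes and decodes the Thumb-2 MOVW (T3) instruction, locates every `movw` that loads 0xc977, and lists which immediates a second image changed, which is a quick way to check what a custom firmware actually modified before trusting it. The two images are constructed stand-ins built from NOPs and two `movw` sites, not real M365 firmware.

```python
import struct

# Thumb-2 MOVW (encoding T3): hw1 = 11110 i 100100 imm4, hw2 = 0 imm3 Rd imm8,
# imm16 = imm4:i:imm3:imm8.  Both halfwords are stored little-endian in flash.

def encode_movw(rd, imm16):
    """Bytes of `movw rd, #imm16` as they appear in a firmware image."""
    hw1 = 0xF240 | (((imm16 >> 11) & 1) << 10) | ((imm16 >> 12) & 0xF)
    hw2 = (((imm16 >> 8) & 7) << 12) | (rd << 8) | (imm16 & 0xFF)
    return struct.pack("<HH", hw1, hw2)

def decode_movw(hw1, hw2):
    """(rd, imm16) if the halfword pair is a MOVW T3, otherwise None."""
    if (hw1 & 0xFBF0) != 0xF240 or hw2 & 0x8000:   # 0xF2C0 here would be MOVT
        return None
    imm16 = ((hw1 & 0xF) << 12) | (((hw1 >> 10) & 1) << 11) \
            | (((hw2 >> 12) & 7) << 8) | (hw2 & 0xFF)
    return (hw2 >> 8) & 0xF, imm16

def movw_sites(image):
    """{offset: (rd, imm16)} for every MOVW found on a halfword boundary."""
    sites = {}
    for off in range(0, len(image) - 3, 2):
        d = decode_movw(*struct.unpack_from("<HH", image, off))
        if d:
            sites[off] = d
    return sites

def find_movw(image, imm16):
    """Offsets of every MOVW loading exactly imm16 (e.g. the 0xc977 constant)."""
    return sorted(o for o, (_, imm) in movw_sites(image).items() if imm == imm16)

def diff_movw_constants(orig, patched):
    """(offset, rd, old_imm, new_imm) wherever a MOVW immediate was rewritten."""
    a, b = movw_sites(orig), movw_sites(patched)
    return [(o, a[o][0], a[o][1], b[o][1])
            for o in sorted(a) if o in b and a[o][0] == b[o][0] and a[o][1] != b[o][1]]

# Constructed stand-in images (not real M365 firmware): Thumb NOPs around two
# `movw` sites, which the "CFW" copy rewrites from 0xc977 to 0x6ce5.
NOP = b"\x00\xbf"
STOCK_IMAGE = NOP * 4 + encode_movw(2, 0xC977) + NOP * 2 + encode_movw(1, 0xC977) + NOP * 3
CFW_IMAGE = NOP * 4 + encode_movw(2, 0x6CE5) + NOP * 2 + encode_movw(1, 0x6CE5) + NOP * 3

if __name__ == "__main__":
    for off, rd, old, new in diff_movw_constants(STOCK_IMAGE, CFW_IMAGE):
        print(f"0x{off:08x} movw r{rd}: #0x{old:04x} -> #0x{new:04x}")
```

Point `diff_movw_constants` at a stock and a patched image read with `open(path, "rb").read()` and it reports every changed 16-bit immediate, whichever register it targets.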

trabitboy Apr 10, 2018

Super awesome!
Would you have the full source of your decompilation?
I have been waiting for the source of the firmware to pop up for months,
to try to add functionality to the scooter :) (a way to trigger the cruise control, etc ...)
Also I am pretty curious to see how the motor is actually controlled.

4ng4rp3 Apr 24, 2018

Could you explain how to decompile the binaries? Thank you

terenzio88 Apr 30, 2018

Hi,
I am very interested in this project and I want to try to do some modifications on firmware.

Can you help me with how to decompile/recompile a .bin file?
Attached are all versions of the different firmwares that I tried.

DamnStr4ight May 18, 2018

Hi,

Does anyone know whether or not it would be possible to limit the scooter to only ECO mode, or rather, 20km/h? This would make it legal to ride in Norway.

Tommixoft May 21, 2018

@DamnStr4ight go here https://m365.botox.bz and select your scooter fw version (I guess it's 1.3.8). Select Patch to Maximum speeds and enter your desired values, and at the bottom you will see a Patch button. This will create your custom FW, and you can flash it with the modified flasher, also available at that website.

waldemar-szostak May 23, 2018

The patched version of the flash tool already includes a number of bin files but gives no way to actually use the firmware customized on that website - or am I missing something? I've tried to re-package the app with replaced bin files but the flashing fails at 99% :-) Any ideas?

UPDATE: used the wrong app - see BotoX/xiaomi-m365-firmware-patcher#3