Monday, May 22, 2023

Xiaomi Cryptographically Signs Scooter Firmware, What's Next?

[Daljeet Nandha] from [RoboCoffee] wrote to us and shared his research on the cryptographic firmware signing that was recently added to the Xiaomi Mi Scooter firmware. These scooters use OTA-over-BLE firmware updates, so you can update your scooter with just a smartphone app. That is great because you easily get all the cool new features, but not optimal because you also get all the new anti-features. The update files are easy to get hold of, too: as the owner of a Mi 1S scooter, but first and foremost a hacker, [Daljeet] set up an HTTPS proxy, captured the firmware files as they were downloaded from Xiaomi's servers, and summarized what he found.

Unlike many security measures that fall apart on closer inspection, this one secures OTA firmware updates with what we believe is the industry standard: elliptic-curve cryptographic signatures over SHA256 hashes of the firmware. Once the first firmware version that implements signature verification is installed on your scooter, it will only accept subsequent firmware binaries that are digitally signed by Xiaomi. Unless there is a flaw in the implementation of the signature verification, the "flash custom firmware via the smartphone app" route no longer looks like a viable way to modify your scooter in ways Xiaomi does not approve of.
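To make the mechanism concrete, here is an added example (not code from the article or from Xiaomi) of the verify-before-flash logic described above: the vendor signs SHA-256 of the firmware payload with an ECDSA P-256 key, and the device, holding only the public key, rejects any image whose bytes no longer match the signature. The container layout and the P-256 curve are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedImage is a constructed firmware container: payload plus a vendor
// signature over SHA-256(payload). The layout is an assumption, not
// Xiaomi's actual OTA format.
type SignedImage struct {
	Payload []byte
	Sig     []byte // ASN.1 DER-encoded ECDSA signature
}

// signFirmware is the vendor side: hash the payload and sign the digest
// with a private key that never leaves the vendor's release tooling.
func signFirmware(priv *ecdsa.PrivateKey, payload []byte) (SignedImage, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedImage{}, err
	}
	return SignedImage{Payload: payload, Sig: sig}, nil
}

// verifyFirmware is the check the scooter runs before flashing: it holds
// only the vendor public key and refuses any image whose signature does
// not match the digest of the bytes it actually received.
func verifyFirmware(pub *ecdsa.PublicKey, img SignedImage) bool {
	digest := sha256.Sum256(img.Payload)
	return ecdsa.VerifyASN1(pub, digest[:], img.Sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	img, _ := signFirmware(priv, []byte("constructed firmware v1.2.3"))
	fmt.Println("genuine image accepted:", verifyFirmware(&priv.PublicKey, img))

	// Any change to the payload invalidates the digest, so the device
	// rejects the image even though the signature bytes are untouched.
	tampered := img
	tampered.Payload = append([]byte{}, img.Payload...)
	tampered.Payload[0] ^= 0xff
	fmt.Println("tampered image accepted:", verifyFirmware(&priv.PublicKey, tampered))
}
```

The same check also fails for an image signed with any key other than the one whose public half is baked into the device, which is the property that locks out third-party firmware.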

After examining the existing code, [Daljeet] tells us all this and more. In his in-depth article, he shares the steps he took during his research for any hacker motivated enough to follow in his footsteps, and we encourage you to check out everything he shares. He also explains some limitations of the OTA update process and points out several security-related assumptions Xiaomi makes that would need to hold for the scheme to actually be effective. He then goes through the firmware file names, which suggest that future ESC (Electronic Speed Control) board firmware may be signed with the same elliptic-curve cryptography, and notes that the compiled code already hints at what may arrive in future firmware versions.

Perhaps this is down to legal restrictions in various countries: these scooters are often modified to exceed the speed limit set there. However, legal speed limits are more nuanced than a single hard cap, and if your jurisdiction allows up to 35km/h, you shouldn't have to be at Xiaomi's mercy to get the most out of your scooter. Still, it's fair to argue that Xiaomi did this because they don't want their name associated with "making scooters that people can modify to break the law", and we don't expect them to accommodate.

Of course, this also greatly limits what we can do with hardware we own, well beyond speed changes. Whether you want to take your scooter apart, add Bluetooth, or build your own firmware from scratch, you should be able to. How will hackers work around these limitations? Will it come down to removing the cover and flashing firmware over SWD with something like the Pi Pico? We can't wait to see what the hackers come up with.
