Tech News

Xiaomi Cryptographically Signs Scooter Firmware – What’s Next?

[Daljeet Nandha] from [RoboCoffee] writes to us, sharing his research on cryptographic signature-based firmware authenticity checks recently added to the Xiaomi Mi scooter firmware. Those scooters use an OTA firmware update mechanism over BLE, so you can update your scooter using nothing but a smartphone app – great because you can easily get all the good new features, but suboptimal because you can easily get all the bad new features. As an owner of a Mi 1S scooter but a hacker first and foremost, [Daljeet] set up an HTTPS proxy and captured the firmware files that the app downloaded from Xiaomi servers, dug into them, and summarized what he found.

Confirming this update will indefinitely lock you out of any third-party OTA updates

Unlike many of the security measures we’ve seen lacking-by-design, this one secures the OTA firmware updates with what we would consider the industry standard – a SHA256 hash with elliptic-curve cryptography-backed signing. As soon as the first firmware version implementing signature checks is flashed into your scooter, it won’t accept anything except further firmware binaries that come with Xiaomi’s digital signature. Unless a flaw is found in the signature checking implementation, the “flash a custom firmware with a smartphone app” route no longer seems to be a viable pathway for modding your scooter in ways Xiaomi doesn’t approve of.

Having disassembled the code currently available, [Daljeet] tells us about all of this – and more. In his extensive writeup, he shares scripts he used on his exploration journey, so that any sufficiently motivated hacker can follow in his footsteps, and we highly recommend you take a look at everything he’s shared. He also gives further insights, explaining some constraints of the OTA update process and pointing out a few security-related assumptions made by Xiaomi, worth checking for bypassing the security implemented. Then, he points out the firmware filenames hinting that, in the future, the ESC (Electronic Speed Control, responsible for driving the motors) board firmware might be encrypted with the same kind of elliptic curve cryptography, and finds a few update hooks in the decompiled code that could enable exactly that in future firmware releases.

One could argue that these scooters are typically modified to remove speed limits, installed there because of legal limitations in a variety of countries. However, the legal speed limits are more nuanced than a hard upper boundary, and if the hardware is capable of doing 35 km/h, you shouldn’t be at the mercy of Xiaomi to be able to use your scooter to its full extent where considerate. It would be fair to assert, however, that Xiaomi did this because they don’t want to have their reputation be anywhere near “maker of scooters that people can modify to break laws with”, and therefore we can’t expect them to be forthcoming.

Furthermore, of course, this heavily limits reuse and meaningful modification of the hardware we own. If you want to bring a retired pay-to-ride scooter back to usefulness, add Bluetooth, or even rebuild the scooter from the ground up, you should be able to do that. So, how do we go around such restrictions? Taking the lid off and figuring out a way to reflash the firmware through SWD using something like a Pi Pico, perhaps? We can’t wait to see what hackers figure out.

Source: hackaday.com

After 30 Years, Genetic Study Confirms Sarin Nerve Gas As Cause of Gulf War Illness

Troops who had genes that help metabolize sarin nerve gas were less likely to develop symptoms. For three decades, scientists have debated the underlying cause…

Original Source: scitechdaily.com

Vicious Little Desktop Shredder Pulverizes Plastic Waste

We’ve all likely seen video of the enormous industrial shredders that eat engine blocks for lunch and spit out a stream of fine metal chips. The raw power of these metal-munching monsters is truly fearsome, and they appear to be the inspiration for SHREDII, the miniature plastic shredder for at-home recycling of plastic waste.

The fact that SHREDII isn’t all that large doesn’t make it any less dangerous, at least to things smaller and softer than engine blocks, like say fingers. The core of the shredder is a hexagonal axle carrying multiple laser-cut, sheet steel blades. The rotating blades are spaced out along the axle so they nest between a bed of stationary blades; rotating the common axle produces the shearing and cutting action needed to shred plastic.

On version one of the shredder, each blade had two hooked teeth, and the whole cutting head was made from relatively thick steel. When driven by a NEMA 34 stepper — an admittedly odd choice but it’s what they could get quickly — through a 50:1 planetary gearbox, the shredder certainly did the business. The shreds were a little too chunky, though, so version two used thinner steel for the blades and gave the rotary blades more teeth. The difference was substantial — much finer shreds that were suitable for INJEKTO, their homebrew direct-feed injection molding machine.

There’s a lot to be said for closing the loop on plastics used in desktop manufacturing processes, and the team of SHREDII and INJEKTO stands to help the home gamer effectively reuse plastic waste. And while that’s all to the good, let’s face it — the oddly satisfying experience of watching a shredder like this chew through plastic like it isn’t even there is plenty of reason to build something like this.

Thanks for the tip, [Alen]!

Original Source: hackaday.com

Intense Exercise While Dieting May Reduce Cravings for High-Fat Food

In a new study that offers hope for human dieters, rats on a 30-day diet who exercised intensely resisted cues for favored, high-fat food pellets….

Source Here: scitechdaily.com
