STM32F103C8T6 E Scooter firmware reverse engineering

Bastler · December 12, 2020, 1:08pm

Hello folks,

I am new here, come from Germany and want to take some experince in reverse engineering code for hobby purpose. I have a Ninebot G30D E Scooter, and I want to find out how this thing work indisde. There are some people who found that already out, but they say nothing about their knowledge, so I think I have to get into this stuff and find it out by myself.

Now I want to ask if you can help me a little bit with doing that. What I actually about the controller µC of the scooter know is:

STM32F103C8T6 inside (Every chinese BLDC Controller uses them, that seems to be a unwritten rule among chinese BLDC controller companies)

ARM Cortex M3 with little endian and 64kb of flash (They have in real 128kb, but ST says 64kb)

Now is the first question: IDA asks me about the Memory organisation of the µC, so could someone here tell me how to set up IDA correctly so I will not already fail by decompiling itself? I tried by myself, but did always get error that the memory configuration is wrong.
I have the memory map, but didnt get really smart out of it.

Hope you can halp me, I think we are now in a time I will not come around learning coding and reversing/editing code anymore because everything has code inside nowdays.

Bastler · December 14, 2020, 9:02pm

Ok, memory map problem solved, hex code succesfully decompiled. Can anyone give me a little bit help or something to read about reverse engineering (Understanding) ARM Code?

messede · December 15, 2020, 2:23pm

I appreciate your persistence , here’s something that hopefully will help you

clockw0rk · December 16, 2020, 8:56pm

Whew, I was offline since almost a year because my computer somehow broke apart lolz.
I believe an E-Scooter µC does not have THAT many build in commands, did you consider ripping it apart and applying a good old Arduino into it? I know these things are expensive af, but what does it do except controlling a PWM signal between battery and motor?

Bastler · December 16, 2020, 9:21pm

You take that too easy, its battery communicates with the motor, the motor is a BLDC, it communicats over UART with the dashboard, and over bluetooth with a app, and I want to make a open source firmware / Share my knowledge with the community, so everyone can flash the modified software on his scooter with the original hardware in it. (G30 is widely spread) there are people who call themselves Scooterhacking.org, they have reversed the firmware already. But they dont share their knowledge, and thats the point I dont like on them. So I want to find out too, what they found out, and make it accessible for everyone. Heres a photo of a G30 Scooter from Ninebot: https://www.ebike-tuningparts.com/Segway-Ninebot-MAX-G30D?curr=EUR&gclid=CjwKCAiA_eb-BRB2EiwAGBnXXvvzj8vW4y_MOrnLa-nwXAHunuGF9LMRT2xpxlFsl8S83amWHCESvxoCqDUQAvD_BwE

Bastler · December 18, 2020, 11:33pm

Hello folks,

Does someone here have further hints how to read the output from IDA and/or the HEX Rays decompiler?

And another question: Do you think there would be enough people interested to start a community to reverse the scooter firmware to the point everyone can change it like a open source firmware?

Its really sad that the big companies dont provide source code, I think closed source isnt contemporary anymore. But until the companies start thinking the same way, it will be nothing left for us than reverse things we want to edit

messede · December 19, 2020, 4:31am

Well , take a short crash course on ARM assembly , stuff like this can’t be learnt in one day so give it some time , once you learn a few new things go back to IDA disassembly and look if stuff makes more sense , im no expert in reverse engineering but my first step in these cases would be to look for useful strings in the program and how they are being used .