GM Mode G30(D), 1S, Pro2 without XiaoFlasher (English)

St0fzuiger
Moderator, crew member
Registered: 8 June 2020
Posts: 114
Reaction score: 185
Location: Reutlingen
E-scooter: G30+1S
Hello All,

At the moment XiaoFlasher has become a hot topic as the payment model has been changed. There is an alternative solution which requires a bit more work the first time it's done and also depends on XiaoFlasher one last time to execute it.

It is an alternative solution for a great program, but if you have the paid version of XiaoFlasher you had better stick to that one right now. In the near future we will present a solution that is easier to do and involves just one button press on an external hardware device.

Also this won't be a replacement for XiaoFlasher to flash many scooters for free, because we think it's not fair to get financial benefits using free software and we can fully understand the reason why XiaoFlasher became a paid solution (or one with a long waiting time for the free version).

So what is it all about then?
In general it's not a big secret: we just do a replay of the packets that XiaoFlasher sends to the scooter.

XiaoFlasher first sends the selected GM mode serial number (just US mode) and then sends a controller reset so that the scooter is in US mode. After that it sends the German serial 3 times but does not reset. This means when you restart your scooter manually it will do the reset and revert back to the German serial.

Preparation
What do you need:
Android Mobile Phone (No root required)
XiaoFlasher/NineFlasher (GOOGLE PLAY LINK)
NRF Connect App (GOOGLE PLAY LINK)
Python3 [DOWNLOAD LINK PYTHON]
GM Extract Python Script

Howto
First install NRF Connect on your phone through the play store.

Then install Python3 and make sure you select the following option during installation.
1596045045479.png

Then download the GM Python script to your PC and put it into a folder that is easy to remember as we also need to copy some files from the Android phone to that folder later.
The next step is to activate the developer options on your Android phone. How this works differs between the manufacturers' Android versions, but the rough steps are:
To enable developer options, open the settings app, scroll down to the bottom, and tap "About phone" or "About tablet". Scroll down to the bottom of that screen and find the build number.
Tap the build number field seven times to enable Developer Options. After a few taps you’ll see a toast notification with a countdown that reads “You are now X steps away from being a developer.”
When you’re done, you’ll see the message “You are now a developer!”.

Tap the Back button and you’ll see the developer options menu just above the “About Phone” or "About Tablet" section in the settings app. This menu is now enabled on your device and you won’t have to repeat this process again unless you perform a factory reset.

Then we must enable "Bluetooth HCI Logging":
Go to the settings app on your Android device.
Get into the developer options menu.
In the developer options window, click "Enable Bluetooth HCI snoop log". This will enable your log file.
Turn off Bluetooth on your Android device.
Turn on Bluetooth.
Restart or reboot your Android device.

After restarting your phone open XiaoFlasher and connect to your scooter. Select the GM mode as normal. Before you press the start button of XiaoFlasher take note of the current (exact) time. As the last step, disconnect from the scooter and turn the Bluetooth HCI snoop log off again in developer settings.

Note: Copying the Bluetooth log file and also the name of the file varies from device to device. Please refer to the internet to find out how to copy the file from your smartphone to your computer. The solution described here refers to a Xiaomi Mi smartphone!

Open your file manager and enter "hci" in the file search field and if you are lucky you will find a file as the image below shows. We are looking for the .cfa file.
1596045190013.png
Copy this .cfa file to your PC, to the same location where you have placed the GM Python script.
Your directory should look similar to this: (This means you open a CMD prompt at the location where you stored the files)
1596045218897.png

Now type the following:
Bash:
python extract_gm.py the_filename_of_your_file.cfa
In my case it’s:
Bash:
python extract_gm.py hci_snoop20200725103146.cfa

When you did everything right you will see the following output with no errors:
1596045246246.png
An .xml file should have appeared in the folder. If required you can rename it; as I have two scooters, I need two unique files.

Copy these files back to your Android phone, preferably to the Download directory as that is easily accessible.
Note: Do not use Google Drive as it does something to the files where NRF Connect can't read the files anymore.
Now turn on your Scooter and start NRF Connect. Go to Scanner and do a Scan.
Your scooter's details will now be visible; press the Connect button. When the connection is successful you will see data similar to the image below.
1596045281501.png

Now press the red button and then the "Arrow Down" button.
You can now browse to your files and choose where you have stored the file on your phone (again, not from Google Drive, see the note above).
When you have selected the file, it’s time to test it.
You'll see a play button when everything is right, just press it and wait a bit. You will hear a few beeps.
1596045313028.png

The total process takes about 15 seconds and NRF Connect shows what it does.
1596045335682.png

When everything went fine you can then check your scooter speed. It should be exactly the same as if you had done the manoeuvre with the XiaoFlasher app.
When you turn off your Scooter it reverts back to the normal mode.

Keep in mind we rely on specific data and that means if you change the name of your scooter you would need to do the packet extraction again as things in the data would change.

Remember that the recorded packages only work for the scooter name (e.g. NBScooterXXX) set during recording and also the serial number set at that time. If one of them is changed, the recording of the Bluetooth packets must also be repeated.

Let's take a look at the gibberish and what it does:
1596045364054.png
We are searching the .cfa file for the specific packets sent from XiaoFlasher to your scooter when you activate the GM mode. I have marked these in the image if you are interested in taking a look yourself with Wireshark (you can open the .cfa file in Wireshark). We capture these packets and replay them over Bluetooth.
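To show what the extraction step is actually reading, here is an added example (my own code, not K Toffel's extract_gm.py and not part of the original post) that parses an Android HCI snoop log in the btsnoop container format and lists the ATT writes the phone sent to the peripheral inside a time window, the same view Wireshark gives when you filter on outgoing ATT writes around the time you noted. It assumes the log uses the Android HCI UART (H4) encapsulation (btsnoop datalink type 1002), decodes only ATT Write Request (0x12) and Write Command (0x52) opcodes, and does not reassemble L2CAP packets split over several ACL fragments; the sample log bytes at the bottom are constructed for the demonstration, as are the handle and value bytes in them.

```python
import struct
import sys
from datetime import datetime, timezone

# Microseconds between btsnoop's epoch (0000-01-01) and the Unix epoch (btsnoop spec constant).
BTSNOOP_EPOCH_OFFSET_US = 0x00DCDDB30F2F8000
DATALINK_H4 = 1002          # Android writes HCI UART (H4) framed records
ATT_CID = 0x0004            # fixed L2CAP channel for the Attribute Protocol
ATT_WRITE_OPCODES = {0x12: "Write Request", 0x52: "Write Command"}


def parse_btsnoop(data: bytes):
    """Yield (unix_time, direction, packet) for every record in a btsnoop file."""
    if data[:8] != b"btsnoop\x00":
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version/datalink {version}/{datalink}")
    pos = 16
    while pos + 24 <= len(data):
        # record header: original length, included length, flags, cumulative drops, timestamp
        _orig_len, incl_len, flags, _drops, ts_us = struct.unpack(">IIIIq", data[pos:pos + 24])
        pos += 24
        packet = data[pos:pos + incl_len]
        pos += incl_len
        unix_time = (ts_us - BTSNOOP_EPOCH_OFFSET_US) / 1_000_000
        direction = "received" if flags & 1 else "sent"   # flag bit 0: 0 = host -> controller
        yield unix_time, direction, packet


def decode_att_write(packet: bytes):
    """Return (handle, value) if an H4 ACL packet carries an ATT write, else None."""
    if len(packet) < 12 or packet[0] != 0x02:        # 0x02 = ACL data in H4 framing
        return None
    handle_flags, acl_len = struct.unpack_from("<HH", packet, 1)
    if (handle_flags >> 12) & 0x3 == 0x1:            # PB flag 01 = continuation, no L2CAP header
        return None
    l2cap = packet[5:5 + acl_len]
    if len(l2cap) < 4:
        return None
    l2cap_len, cid = struct.unpack_from("<HH", l2cap, 0)
    att = l2cap[4:4 + l2cap_len]
    if cid != ATT_CID or len(att) < 3 or att[0] not in ATT_WRITE_OPCODES:
        return None
    att_handle = struct.unpack_from("<H", att, 1)[0]
    return att_handle, bytes(att[3:])


def host_att_writes(data: bytes, start: float, end: float):
    """List (unix_time, handle, value) for ATT writes the phone sent between start and end."""
    out = []
    for ts, direction, packet in parse_btsnoop(data):
        if direction != "sent" or not (start <= ts <= end):
            continue
        hit = decode_att_write(packet)
        if hit is not None:
            out.append((ts, hit[0], hit[1]))
    return out


# --- constructed sample log (not a real capture) ---------------------------------
T0 = 1_595_673_000  # constructed Unix timestamp


def _record(flags: int, unix_time: int, packet: bytes) -> bytes:
    ts_us = unix_time * 1_000_000 + BTSNOOP_EPOCH_OFFSET_US
    return struct.pack(">IIIIq", len(packet), len(packet), flags, 0, ts_us) + packet


def _h4_att_write(opcode: int, att_handle: int, value: bytes, conn_handle: int = 0x0040) -> bytes:
    att = bytes([opcode]) + struct.pack("<H", att_handle) + value
    l2cap = struct.pack("<HH", len(att), ATT_CID) + att
    return b"\x02" + struct.pack("<HH", conn_handle, len(l2cap)) + l2cap


def build_sample() -> bytes:
    header = b"btsnoop\x00" + struct.pack(">II", 1, DATALINK_H4)
    return (header
            + _record(0, T0 + 1, _h4_att_write(0x52, 0x0010, b"\x01\x02\x03"))     # sent, in window
            + _record(1, T0 + 1, b"\x04\x13\x05\x01\x40\x00\x01\x00")               # received event
            + _record(0, T0 + 100, _h4_att_write(0x12, 0x0010, b"\x09")))           # sent, too late


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for ts, att_handle, value in host_att_writes(data, T0, T0 + 10):
        when = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        print(f"{when} handle=0x{att_handle:04x} value={value.hex()}")
```

Run it with a .cfa path to list outgoing writes, or with no argument to run on the constructed sample. The reason the recorded writes can be played back at all is visible here: nothing in them is tied to the session, so a peripheral that bound such writes to a per-connection challenge or counter would reject the replay, which is the mitigation a device maker would reach for.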

We know this is not the easy option but we are working on other solutions as you already might have heard.
What options do we have in mind?
iPhone App (Being worked on)
Android App (Being worked on)
ESP32 Smart Watch for unlocking scooter without any additional required app (With RP Logo :) ) (Planned)
1596045411829.png

For these options the packet extraction process would not be required as we are able to grab these packets directly.

If you have any problems or it's all too difficult for you, we can generate the required XML file for you; we just need the .cfa file from you. Please leave your comments or suggestions.

A big thanks to: K Toffel for the Scripting, XiaoFlasher/NineFlasher for their application and Armin for the GM mode.


Spelling checked by Doragonnaito, sorry St0fzuiger.
 
