Bike sharing smart lock turns into car GPS

A bike sharing company left my town, leaving behind dozens of bikes with smart locks. This is my effort at reverse engineering those locks.

When the largest bike sharing operator in my town left, I received as a gift a few black boxes, both literally and figuratively. Even though the device's MCU carried no identification marking, I was finally able to identify it and reverse engineer the PCB and the firmware. This led to reusing the devices as educational platforms (at least for me) and as anti-theft car GPS trackers.

https://ydiaeresis.wordpress.com/2018/04/23/i-dont-steal-bikes/

https://ydiaeresis.wordpress.com/2018/04/23/i-dont-steal-bikes-part-2/

https://ydiaeresis.wordpress.com/2020/01/13/dont-steal-my-car/


  • Readme

    maurizio.butti, 07/23/2022 at 09:13

    MCU

    Sonix SN32F707

    debug connector

    pins listed from the SIM card side (left) to the switch (right):

    • GND
    • SWDCLK
    • SWDIO
    • +3.3V

    GPRS module: Quectel M26

    on USART1 (9600,N,8,1); powered on with GPIO P2.7

    Useful commands

    • AT+QIREGAPP="TM",,
    • AT+QIOPEN="TCP","129.6.15.28",13
    • AT+QNTP="193.204.114.233",123

    GPS

    u-blox UBX-G70xx on USART0 (9600,N,8,1); powered on with GPIO P2.4

    Text sentences emitted at start-up:

    GPTXT,01,01,02,u-blox ag - www.u-blox.com*50
    GPTXT,01,01,02,HW  UBX-G70xx   00070000 *77
    GPTXT,01,01,02,ROM CORE 1.00 (59842) Jun 27 2012 17:43:52*59
    GPTXT,01,01,02,PROTVER 14.00*1E
    GPTXT,01,01,02,ANTSUPERV=AC SD PDoS SR*20
    GPTXT,01,01,02,ANTSTATUS=DONTKNOW*33
    GPTXT,01,01,02,LLC FFFFFFFF-FFFFFFFD-FFFFFFFF-FFFFFFFF-FFFFFFF9*53
    GPTXT,01,01,02,ANTSTATUS=INIT*25
    GPTXT,01,01,02,ANTSTATUS=OK*3B
    

    Photos from FCC

    https://fccid.io/2AI2O-OC30/Internal-Photos/Internal-photos-3426571

    Mobile provider

    https://www.hologram.io

    Accelerometer: LIS3DH

    example code

    Cold boot stepping

    The instruction at 0x2b8 appears to be

    ldr r3,[r4,#12]

    so with an address minus 12 in r4 it is possible to read memory at that address.

    This makes a "cold boot stepping" attack possible.

    See Bypassing CRP on Microcontrollers by Andrew Tierney

    Other components

    Routines of the bootloader (0x1fff0000)

    • 0x1fff0318 eraseFlash(r0=address)
    • 0x1fff033c writeFlash(r0=address,r1=bytes,r2=data address)

    Curiosities

    In the original firmware you can find a string containing coordinates expressed according to the NMEA standard (2237.75314,N,11408.62621,E). They point to somewhere in Shenzhen, about 1500m from the site of Omni Intelligent Technology Co.
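The start-up sentences quoted in the GPS section and the coordinate string just above are both NMEA 0183 text. The Python below is an added example, not code from this project: it checksum-validates sentences exactly as they arrive on the UART (rejecting any with a corrupted byte), extracts the GPTXT messages, and converts ddmm.mmmmm / dddmm.mmmmm positions to decimal degrees. It goes beyond the page by also decoding a GPRMC fix sentence, which is constructed here around the firmware's coordinate string with made-up time, speed, course and date fields. The page's copy of the start-up text lacks the leading `$` that frames every NMEA sentence; it is restored in the sample data because the checksum covers the bytes between `$` and `*`.

```python
"""Validate and decode NMEA 0183 sentences such as those the lock's
UBX-G70xx GPS emits on USART0.  Added example; not code from the project."""
from functools import reduce
from typing import Dict, List, Optional, Tuple

# Start-up text as quoted on the page, with the framing '$' restored
# (the checksum is computed over everything between '$' and '*').
STARTUP_TEXT = [
    "$GPTXT,01,01,02,u-blox ag - www.u-blox.com*50",
    "$GPTXT,01,01,02,HW  UBX-G70xx   00070000 *77",
    "$GPTXT,01,01,02,ROM CORE 1.00 (59842) Jun 27 2012 17:43:52*59",
    "$GPTXT,01,01,02,PROTVER 14.00*1E",
    "$GPTXT,01,01,02,ANTSUPERV=AC SD PDoS SR*20",
    "$GPTXT,01,01,02,ANTSTATUS=DONTKNOW*33",
    "$GPTXT,01,01,02,LLC FFFFFFFF-FFFFFFFD-FFFFFFFF-FFFFFFFF-FFFFFFF9*53",
    "$GPTXT,01,01,02,ANTSTATUS=INIT*25",
    "$GPTXT,01,01,02,ANTSTATUS=OK*3B",
]


def nmea_checksum(body: str) -> int:
    """NMEA checksum: XOR of every character between '$' and '*'."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)


def make_sentence(body: str) -> str:
    """Frame a body with '$' and its two-digit hex checksum."""
    return f"${body}*{nmea_checksum(body):02X}"


def split_sentence(line: str) -> Tuple[str, List[str]]:
    """Check framing and checksum; return (sentence id, data fields).

    Raises ValueError for anything malformed or mis-checksummed, so a
    corrupted UART byte is rejected instead of being silently decoded.
    """
    line = line.strip()
    if not line.startswith("$") or line.count("*") != 1:
        raise ValueError(f"not a framed NMEA sentence: {line!r}")
    body, _, checksum = line[1:].partition("*")
    if len(checksum) != 2 or nmea_checksum(body) != int(checksum, 16):
        raise ValueError(f"checksum mismatch: {line!r}")
    fields = body.split(",")
    return fields[0], fields[1:]


def is_valid(line: str) -> bool:
    """True only for a well-formed sentence whose checksum matches."""
    try:
        split_sentence(line)
    except ValueError:
        return False
    return True


def ddmm_to_decimal(value: str, hemisphere: str) -> float:
    """Convert ddmm.mmmmm (lat) or dddmm.mmmmm (lon) plus N/S/E/W to signed degrees."""
    dot = value.index(".")
    degrees = int(value[: dot - 2])    # everything before the two minute digits
    minutes = float(value[dot - 2:])   # mm.mmmmm
    decimal = degrees + minutes / 60.0
    return -decimal if hemisphere in ("S", "W") else decimal


def decode_txt(lines: List[str]) -> List[str]:
    """Return the text payload of every GPTXT sentence, in order."""
    texts = []
    for line in lines:
        sentence_id, fields = split_sentence(line)
        if sentence_id == "GPTXT":
            # fields: total messages, message number, severity, text...
            texts.append(",".join(fields[3:]))
    return texts


def decode_rmc(line: str) -> Optional[Dict[str, float]]:
    """Decode a GPRMC sentence into a fix; None when status is 'V' (no valid fix)."""
    sentence_id, f = split_sentence(line)
    if sentence_id != "GPRMC":
        raise ValueError(f"expected GPRMC, got {sentence_id}")
    if f[1] != "A":
        return None
    return {"lat": ddmm_to_decimal(f[2], f[3]), "lon": ddmm_to_decimal(f[4], f[5])}


# Constructed RMC sentence: the position is the coordinate string found in the
# firmware; time, speed, course and date are made up for the example.
SAMPLE_RMC = make_sentence(
    "GPRMC,120000.00,A,2237.75314,N,11408.62621,E,0.0,0.0,230722,,,A"
)

if __name__ == "__main__":
    for text in decode_txt(STARTUP_TEXT):
        print(text)
    print(decode_rmc(SAMPLE_RMC))
```

All nine start-up lines pass the checksum, which is a cheap sanity check on a hand-copied log before trusting its contents; the same check, applied in firmware, is what keeps a noisy serial line from feeding garbage positions into whatever the device reports upstream.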

    EEPROM dump

    Dumped with an Arduino program adapted from https://www.insidegadgets.com/2010/12/22/reading-data-from-eeprom-i2c-on-a-pcb/ (rows containing only FF are not shown)

    0020|AA 55 55 AA 68 6F 6C 6F 67 72 61 6D 00 FF FF FF |.UU.hologram....|
    0040|FF FF FF FF 30 30 30 30 00 FF 31 32 33 34 35 36 |....0000..123456|
    0050|00 FF FF FF 30 00 FF FF 31 32 30 2E 32 34 2E 32 |....0...120.24.2|
    0060|32 38 2E 31 39 39 00 FF FF FF FF FF FF FF FF FF |28.199..........|
    0090|FF FF FF FF FF FF FF FF 39 36 36 36 00 FF FF FF |........9666....|
    00A0|4F 4D 00 FF FF FF FF FF 79 4F 54 6D 4B 35 30 7A |OM......yOTmK50z|
    00B0|00 FF FF FF 56 67 7A 37 00 FF FF FF 04 00 FF FF |....Vgz7........|
    00C0|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    0400|55 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |U...............|
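To work with the dump rather than eyeball it, here is an added Python example (not the project's Arduino sketch) that parses the listing back into a byte image, fills the omitted all-FF rows with erased 0xFF bytes, cross-checks each row's hex column against its ASCII column to catch a mis-copied byte, and then lists every printable run of four or more bytes the way `strings` would. On this dump that surfaces the APN name "hologram", matching the mobile provider named above, a dotted-quad address and a few short alphanumeric tokens, which is exactly what a reviewer looks at to judge whether a device keeps configuration or credentials on an external EEPROM in the clear.

```python
"""Rebuild the EEPROM image from the hexdump above and list the strings it
holds.  Added example; not the project's Arduino code."""
import re
from typing import Dict, List, Optional, Tuple

# The dump exactly as listed on the page (rows that were all FF were omitted
# by the dumping program and are reconstructed as erased 0xFF bytes).
DUMP = """\
0020|AA 55 55 AA 68 6F 6C 6F 67 72 61 6D 00 FF FF FF |.UU.hologram....|
0040|FF FF FF FF 30 30 30 30 00 FF 31 32 33 34 35 36 |....0000..123456|
0050|00 FF FF FF 30 00 FF FF 31 32 30 2E 32 34 2E 32 |....0...120.24.2|
0060|32 38 2E 31 39 39 00 FF FF FF FF FF FF FF FF FF |28.199..........|
0090|FF FF FF FF FF FF FF FF 39 36 36 36 00 FF FF FF |........9666....|
00A0|4F 4D 00 FF FF FF FF FF 79 4F 54 6D 4B 35 30 7A |OM......yOTmK50z|
00B0|00 FF FF FF 56 67 7A 37 00 FF FF FF 04 00 FF FF |....Vgz7........|
00C0|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0400|55 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |U...............|
"""

# offset | 16 hex bytes, each followed by a space | 16-char ASCII column |
ROW = re.compile(r"^([0-9A-Fa-f]{4})\|((?:[0-9A-Fa-f]{2} ){16})\|(.{16})\|$")


def to_ascii_column(data: bytes) -> str:
    """Render bytes the way the dumping program did: printable ASCII or '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def parse_dump(text: str) -> bytearray:
    """Parse hexdump rows into a flat image; omitted rows become 0xFF."""
    rows: Dict[int, bytes] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        match = ROW.match(line)
        if not match:
            raise ValueError(f"unparseable row: {line!r}")
        offset = int(match.group(1), 16)
        data = bytes.fromhex(match.group(2))
        # Cross-check the two columns: a hand-copied dump with a dropped or
        # altered byte fails here instead of producing a shifted image.
        if to_ascii_column(data) != match.group(3):
            raise ValueError(f"hex and ASCII columns disagree at 0x{offset:04X}")
        rows[offset] = data
    image = bytearray(b"\xFF" * (max(rows) + 16))
    for offset, data in rows.items():
        image[offset:offset + 16] = data
    return image


def dump_is_consistent(text: str) -> bool:
    """True when every row parses and its two columns agree."""
    try:
        parse_dump(text)
    except ValueError:
        return False
    return True


def find_strings(image: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for each printable-ASCII run of at least min_len bytes."""
    found: List[Tuple[int, str]] = []
    start: Optional[int] = None
    for i, b in enumerate(bytes(image) + b"\x00"):  # sentinel flushes a final run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, bytes(image[start:i]).decode("ascii")))
            start = None
    return found


if __name__ == "__main__":
    img = parse_dump(DUMP)
    print(f"image size: 0x{len(img):X} bytes")
    for offset, text in find_strings(img):
        print(f"0x{offset:04X}  {text}")
```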
