downgrade firmware

[keshcreations]

would it be possible to add a feature that helps you downgrade the software installed on a bike?

[mjarkk]

I think in theory it should be possible and it would be so cool to have tough it will require lots of reverse engineering.

I actually already looked into this a bit but I sadly have very limited time atm and beside that I'm very new to debugging bluetooth devices so with only my effort it will probably take a very long time :(.
That said all help with making this happen is very welcome even if it's just information about the bikes upgrading process!

[jo3p]

I think in theory it should be possible and it would be so cool to have tough it will require lots of reverse engineering.

I actually already looked into this a bit but I sadly have very limited time atm and beside that I'm very new to debugging bluetooth devices so with only my effort it will probably take a very long time :(. That said all help with making this happen is very welcome even if it's just information about the bikes upgrading process!

Maybe @quintenadema can help with some information about the bikes upgrading process? :)

[quintenadema]

I have fully reverse engineered the OTA firmware update/downgrade process but the issue is that the OTA firmware manager uses a version table where they have blocked downgrades from 1.8.1 to a lower FW. I'm currently working with some other smart people to decipher the firmware files that I intercepted and try to change the version number of a 1.7.6 file to a higher number than 1.8.

[tjhorner]

Hi @quintenadema, are you able to send over some of those firmware payloads you are working with? I would love to take a look and see if I can discover anything new.

[mjarkk]

@tjhorner I and probably @sanderDijkxhoorn can also provide you with a firmware update if you want to help!
I personally want to work on this but I'm am very busy atm with other things so I cannot really work on reverse engineering this at the moment sadly :(

If you get in contact via discord I can send you the a firmware update file (for version 1.8.1)
My discord username is ʞʞɹɐɾɯ#1220

@sanderDijkxhoorn do you also still have the firmware update file?

[sanderDijkxhoorn]

Hi @quintenadema, are you able to send over some of those firmware payloads you are working with? I would love to take a look and see if I can discover anything new.

I do still have the update file, I could share it with you over Discord since I am not sure if it contains any personal information.

Discord: マルキンフルロ#0440

[tjhorner]

Just sent you both a friend request on Discord. I'm in the middle of moving but once I'm settled in I will see what I can learn from the firmware.

[mrvnklm]

If you guys make any progress on this, please share it here.

[doublej]

People are offering downgrades as a service now on marktplaats so it seem someone somewhere has made progress. Actually, the pictures in their ads show hardware that seems propietary vanmoof so it could be ex-employees.

[mrvnklm]

People are offering downgrades as a service now on marktplaats so it seem someone somewhere has made progress. Actually, the pictures in their ads show hardware that seems propietary vanmoof so it could be ex-employees.

Interesting, I did not find any promising result for "vanmoof downgrade". What did you search for?

[sanderDijkxhoorn]

People are offering downgrades as a service now on marktplaats so it seem someone somewhere has made progress. Actually, the pictures in their ads show hardware that seems propietary vanmoof so it could be ex-employees.

Interesting, I did not find any promising result for "vanmoof downgrade". What did you search for?

https://link.marktplaats.nl/m2083960545

ex^

I have not seen anyone provide actual proof of this working except for the ex employees providing this illegally with their work phone they still have.

Downgrading firmware doesn’t seem super hard if you take a look at how the bell upload works. I just have no interest in looking at it since I’m on a perfect firmware anyways.

[doublej]

that one looks a bit scammy but this one looks legit. I specifically asked to check if he could only replace or also actually downgrade, and he can also downgrade my already upgraded cartridge. I asked what info he could share and he said he uses his laptop, no more info unfortunately.

https://link.marktplaats.nl/m2085169312?utm_source=ios_social&utm_medium=social&utm_campaign=socialbuttons&utm_content=app_ios

[sanderDijkxhoorn]

“Moofon”, in Amsterdam someone is offering many kind of reparation services and has the same hardware for cable testing too.

[VagBav]

@tjhorner I and probably @sanderDijkxhoorn can also provide you with a firmware update if you want to help! I personally want to work on this but I'm am very busy atm with other things so I cannot really work on reverse engineering this at the moment sadly :(

If you get in contact via discord I can send you the a firmware update file (for version 1.8.1) My discord username is ʞʞɹɐɾɯ#1220

@sanderDijkxhoorn do you also still have the firmware update file?

@mjarkk I sent you and @sanderDijkxhoorn request on Discord.

[sanderDijkxhoorn]

@tjhorner I and probably @sanderDijkxhoorn can also provide you with a firmware update if you want to help! I personally want to work on this but I'm am very busy atm with other things so I cannot really work on reverse engineering this at the moment sadly :(
If you get in contact via discord I can send you the a firmware update file (for version 1.8.1) My discord username is ʞʞɹɐɾɯ#1220
@sanderDijkxhoorn do you also still have the firmware update file?

@mjarkk I sent you and @sanderDijkxhoorn request on Discord.

Hi, what is your discord username? I have a ton of requests. Might be better to join the Discord group from the readme Discord

[VagBav]

what is your discord username? I have a ton of requests. Might be better to join the Discord group from the readme Discord

My Discord is: vangelisb_
and apparently I didn't read the readme carefully xD

[dannypolicarpo]

I'm on 1.9.3 and would love to downgrade, last firmware has caused my e-shifter to not work properly.

If you find a solution to downgrade then please work on it and share! Thanks

[doublej]

I've witnessed a working downgrade on my cartridge. I felt it wasnt fair to ask his entire process nor do I expect he would tell me as it's his business, but he explained it's a physical connection through the port that's behind the rearlight (so not the front socket of the cartridge). So the person that has solved it, did not go the OTA route.

[ReinierH]

Hmm can you elaborate further? I think they have used the JTAG connector to flash the firmware. (Check the image below) But I question how they got the whole dump as the MCU is fused and the OTA binary only contains the control firmware, and not the OTA bootloader. I have a cartridge that works and that I can prototype on. Have plenty of time and would love to get this to work. Can anyone send me the files?

[doublej]

I wish I could help. You could try and ask him directly though. Perhaps he will tell you something that is of use, he's a very friendly guy.

I think you're right re: JTAG. He described it as a debugging port which I think from a quick google now is what JTAG is.

[DabLoad]

Hi guys! I saw that some of you have an update file for the bike. Can someone share it please? You can do this through discord, or telegram. My username is: dabload

[Knight1]

You can download the update File trough the API. Like the App does. But it is encrypted. Also the pak File is definitely to small to include everything.

My File for 1.8.3 to 1.9.1 part 1 is 283464Byte
"firmwareCrc": "cc5c51da", "transportCrc": "6770ea73",
1.9.1 part 1 to 1.9.3 is 216404Byte
"firmwareCrc": "dc3ac300", "transportCrc": "6770ea73",

Can someone look up if the crc sums are the same?
Any Ideas why the transport crc is the same?

But without the First Update you do not get the second File.
The Filename is Update1.9.1 - batteryware 1.23.1 x mainware 1.9.1.pak
According to Heskon the Firmware File should be named version 117.

I am currently focusing on the STM32C0 on the BMS because there are better tools available to get the code from it.
Should be doable with the VP desoldered and BAL disconnected via the SWD Interface (if it directly goes to the STM32).
But we need to keep in mind that a Firmware Flash is possible with the Module and the PBU Tool.

The Module does have the better STM32F4 but there are also Tools available to dump the Firmware. If you can dump the Firmware 1:1 you can play with it in an Emulator and of course reflash it via the JTAG Port. The STM32 only prevents you from reading the memory, it does not prevent you to overwrite the content.

Sadly i do not have a spare Module nor a cable Tree to Try things out. So i will focus on the BMS because i have two spare Battery's.

@DabLoad i send you a Discord invite.

[TimTheBeastNL]

Hey, maybe a bit late. Just like said before it's possible to get the files through the API. I believe that there is some kind of check with uploading older firmware versions using bluetooth where it rejects every version below 1.8.1. I think that even if someone over here can get their hands on the decrypted firmware that there will be no way to distribute it using bluetooth since you need to find out how to get the key to encrypt them.

You're able to overwrite any component firmware version using the debug port. I know how to do this but I only need the decrypted firmware. I believe you can get it by desoldering the memory chip and reading it with an eeprom reader and then dumping the file. I personally don't have a cartridge to sacrifice to test if I can extract the firmware.

[doublej]

I've asked for more information. The reads like an OTA solution.

[TimTheBeastNL]

I don't think that's real, sounds more like if the bike supports 37 km/h then it will work. They also use a screenshot of Moofer, why wouldn't they use one of their own app? Sounds a bit fake to me.

[doublej]

It’s questionable yeah. See what he says

…

On Thu, 1 Aug 2024 at 15:31, Tim Kunst ***@***.***> wrote: I don't think that's real, sounds more like if the bike supports 37 km/h then it will work. They also use a screenshot of Moofer, why wouldn't they use one of their own app? Sounds a bit fake to me. — Reply to this email directly, view it on GitHub <#6 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAEF37Q6W5NKUYL26PUJBJLZPI2EPAVCNFSM5XVWYS42U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TEMRWGMYDKNJRGAYA> . You are receiving this because you commented.Message ID: ***@***.***>

[Knight1]

From what i know it is not possible to downgrade via BT. So to flash anything lower then 1.8.1 you need to use the JTAG Port and write the firmware to the STM32F4 MCU. But first you would need that specific firmware unencrypted or the decryption key.

I made progress. I actually got the V004 Firmware from the BMS.

[TimTheBeastNL]

Yeah I also thought that it isn't possible. I think the easiest way of getting the decrypted firmware is by reading the memory chip.

Great progress with the BMS firmware. What are you planning to achieve with the BMS firmware?

[Knight1]

There are many things to explore. I am particularly interested in:

• What exactly changed in firmware V117 and can we easily flash that Version so bikes don't break down that often.
• The trigger values which are sent to the LSI Chip's register
• Understanding the function that makes the final decision to melt the fuse, given that the LSI chip does not have such a function
• How the MCU communicates with the module
• What values the error register holds, beyond those shown in the Reddit image
• How the firmware update is pushed over the RX/TX pins so that the BMS MCU updates itself
• Exploring the 40 GPIO pins
• Investigating the EEPROM related to the error register (if it exists) and the potential for a charge cycle reset.
• Attempting to overwrite the EEPROM with good values to remove any previous errors. It is worth a try to clear the EEPROM and see if it gets rewritten.

This is a deep dive into hardware hacking and reverse engineering for me.

I hope to buy a cable tree in two weeks. I am still looking for a module. For now, I only want to read the SPI chip from my personal module and leave it at that.

I don't think that this will work. If the ROP is set to 1 or 2, you can not read the running memory. Furthermore, my Update Part 1 mentioned above is 283,472 bytes total. The STM32F4 MCU which VM used in the Module only features 256Kilobyte of SRAM. 64Kilobytes from the 320Kilobytes are reserved for the MCU System, so the encrypted update would nor even fit into the SRAM for storage, let alone for decryption. The MCU also does not feature a bank system to swap boot banks. But it can boot from an external SPI Memory.

Further things to tinker with:

• VM is able to remotely diagnose the BMS. How is this possible?
• The VM shop can force a bike diagnostic. How is this done so we can do this?
• Is it possible to force flash a Firmware? The update only contains some parts, so who knows. It might also be possible to flash anything. I did not find anything like a signature check on the BMS. So we might be able to flash a BMS which never burns the fuse when it is not necessary.
• What is triggering an Error Message to display. What IOs are used to self-diagnose the bike and recognize any broken parts.

[TimTheBeastNL]

I took a look at a what you can see using the debug port (don't know the official name). It shows me the following things:

• The main bike firmware is 220144 bytes (1.8.2)
• The E-shifter firmware is 11944 bytes
• The motor firmware is 61720 bytes
• Battery firmware is 83940 bytes

You can overwrite them all separately.

[Knight1]

The Port is called JTAG.

The File itself.

#sha512sum bms.bin
e96582b98262bca9fc9b6a8edd36b79bcd3368a709b9b98cfa460252f6c6bfe3460d4d09d9b198ce6918eaabb16f59e96c0ad3e5439d9b09a6944796d518800f  bms.bin

#binwalk bms.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

#file bms.bin
bms.bin: data

#strings bms.bin | grep VanMoof
I am G5 VanMoof BL V004 2019-11-19

I compressed the bms Firmware.
47KB as zip
37KB with zstd level 19

If the update file contains the whole firmware it seems a bit to small. So it is encrypted and compressed?

I am still trying to find out if my assumption is correct that the Module MCU can even boot from the SPI Flash.
At least it is somehow possible to put the USB Port on the MCU into DFU (Device Firmware Update) Mode.
Bootloader selection

[mrvnklm]

Danil.B from marketplace did downgrade for me

how? wireless / bluetooth or jtag? using a computer or a special device?

[DabLoad]

I can do a downgrade to 1.07.02 for some of you, if you can send your cartridge to Netherlands

[zonatesla]

I can do also downgrade

[TimTheBeastNL]

He have special device with connector made by him

It isn't a special device, it's a UART to USB adapter which he connects to the bike and to a laptop / pc. Then you can upload the firmware if you have the decrypted firmware file, which almost nobody has.

[zonatesla]

I can also fix err 23 )))

[TimTheBeastNL]

Guys, let's just keep it downgrade related

[zonatesla]

I can share this files of the 1.7.6 , 1.7.2 and 1.7.1 ( 20,000 E))

[Knight1]

@zonatesla can you send me the files via Discord/Telegram?
I only have modules with 01.08.02 :/

[mjarkk]

@zonatesla If they are decrypted can you share them with anyone within this thread so we can make it hopefully available for everyone to downgrade their main firmware.
If not please stop yapping.

[mjarkk]

Can anyone here make a firmware dump of the main bike firmware as that's where i think the logic is that blocks the unlimited speed option.

[ReinierH]

I think he did this:

https://hackaday.com/2023/02/05/need-to-dump-a-protected-stm32f0x-use-your-pico/

[Knight1]

No need for this.

@mjarkk I have it in the PACK Format. Something unknown. I just did not find a way to separate the one File into the Firmwares. It is not compressed and it contains the filenames plus the Order at the end.