ornias (100 W; joined Jul 18, 2021; 172 messages)
Bafang locked down the firmware for the m500 and m600, or did they?
I'll drop in some notes after spending a day looking at the current Firmware files and the current version of BESST.
Mostly I was interested in the possibility of increasing the MAX Current for a m500.
BESST
Or rather: WORST security ever.
One could write a complete alternative backend for BESST in about a week or two. Spoofing the login is easy, and the whole UI is just an Electron app, so you can just read the JavaScript source code yourself. However:
- BESST does not contain the UI elements required to modify firmware.
- The settings that can be altered with the right login are limited. There is no UI or backend element to change the current limit or voltage, for example. However: reading the code, I cannot exclude that it is, in fact, possible to use the CAN bus to alter these settings.
- It looks like the BESST tool (the physical thing) is mostly just a generic CANBUS/UART USB adapter without any special magic to decode firmwares or things like that.
- The BESST code does seem to include some references to where certain values can be found on the CAN bus for its GET; the users working on reverse engineering the CAN bus should be able to use the JavaScript UI to reverse engineer the correct bus addresses for those values and start trying to SET those.
Firmware
Looking at the firmware is more interesting, however. Most of our first guesses were that the firmware was being encrypted. So I started off with an entropy scanning tool. Luckily, the entropy did not indicate an encrypted firmware file.
Next was a careful look with binwalk:
- The firmware files do not contain a boot volume or something like that, just one big code blob.
- The firmware seems to be deflate compressed.
- The firmware seems to be written for an ARM-based microcontroller.
- The microcontroller seems to be using THUMB instructions.
Next was a first look with Ghidra:
- I assumed an ARM, little-endian Cortex program, as that is most likely what the controller is running.
- I have no actual Bafang m500 or m600 lying around, so if anyone is friendly enough to tell us the precise controller: please do!
- Decompiling the code, I noticed that the reset-related code (that should link to the main function) is 0x0. So this does not seem to be a complete program for this platform, as some portions are missing.
- A number of instructions did not decompile; this is most likely due to THUMB and ARM instructions being mixed.
- However, it did find some structures that look like code, which does warrant another look.
I'm no Ghidra expert in any way, shape or form, but I'm pretty certain that this firmware is reverse engineerable.
*Disclaimer*
The above is for educational purposes only and, under my jurisdiction, I cannot be held liable for discussing reverse engineering.
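The post's first two checks (an entropy scan, then binwalk reporting a deflate stream) are the standard way to tell "is this image encrypted, or merely compressed?", and the two are easy to confuse because both look random to an entropy tool. The following is an added example, not code from the post or from Bafang/BESST, that does both checks offline: it computes per-window Shannon entropy, then scans for zlib (deflate) stream headers and confirms a candidate by trial inflation, accepting it only when the stream terminates with a valid Adler-32 trailer. A compressed image inflates into lower-entropy code; ciphertext does not. The sample "firmware file", the ASCII strings in it and the SHA-256-derived stand-in for an encrypted image are all constructed here; nothing in it is real Thumb code or a real Bafang image.

```python
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy per fixed-size window, the same view an entropy-scanning tool plots."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def find_zlib_streams(data: bytes, min_out: int = 64) -> list:
    """Locate complete zlib (deflate) streams by header check plus trial inflation.

    Returns (offset, compressed_length, inflated_bytes) for every stream that ends with
    a valid Adler-32 trailer. Random-looking ciphertext may pass the 2-byte header test
    by chance, but will not inflate to a correctly terminated stream.
    """
    found = []
    i = 0
    while i < len(data) - 1:
        cmf, flg = data[i], data[i + 1]
        # zlib header: CM (low nibble of CMF) == 8 means deflate, and
        # CMF*256+FLG must be a multiple of 31 (the FCHECK field).
        if (cmf & 0x0F) == 8 and (cmf * 256 + flg) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[i:])
            except zlib.error:        # not a deflate stream after all
                out = b""
            if d.eof and len(out) >= min_out:
                consumed = len(data) - i - len(d.unused_data)
                found.append((i, consumed, out))
                i += consumed         # skip past the stream we just carved
                continue
        i += 1
    return found


def analyze(data: bytes, window: int = 1024) -> dict:
    """Summary a practitioner wants: overall and windowed entropy, plus entropy of
    whatever inflates, which is where compressed code reveals itself."""
    streams = find_zlib_streams(data)
    return {
        "entropy": round(shannon_entropy(data), 3),
        "windows": [round(h, 2) for h in windowed_entropy(data, window)],
        "zlib_streams": [(off, ln, round(shannon_entropy(out), 3)) for off, ln, out in streams],
    }


def pseudo_random(n: int, seed: bytes = b"constructed-ciphertext-stand-in") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for an encrypted image."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Constructed stand-in for a bare firmware blob (no boot volume, one code region):
    a 4-byte header, 2048 little-endian 16-bit words with a fixed high byte and a 7-bit
    low byte (dense like code, but not real Thumb), then a few ASCII strings."""
    noise = pseudo_random(2048, b"constructed-code-words")
    words = b"".join((0x4600 | (b & 0x7F)).to_bytes(2, "little") for b in noise)
    strings = b"BAFANG\x00M500\x00FW_VER 1.0\x00" * 20   # constructed strings
    return b"\x00\x10\x00\x20" + words + strings


# Constructed inputs: a deflate-wrapped "firmware file" with some padding around the
# stream (so the carver has to find the offset), and a ciphertext stand-in.
SAMPLE_PLAIN = build_sample_image()
SAMPLE_IMAGE = b"\xff" * 16 + zlib.compress(SAMPLE_PLAIN, 9) + b"\x00" * 8
SAMPLE_CIPHERTEXT = pseudo_random(4096)

if __name__ == "__main__":
    for name, blob in (("compressed image", SAMPLE_IMAGE), ("ciphertext", SAMPLE_CIPHERTEXT)):
        print(name, analyze(blob))
```

Run on a real file, read it in binary and pass the bytes to `analyze`; an image whose `zlib_streams` list is empty while every window sits near 8 bits/byte is the encrypted case, and one that inflates into a region with code-like entropy (typically well under 7 bits/byte) is the compressed case the post describes.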