Xiaomi recently added three new scooter models to their portfolio: Xiaomi Electric Scooter 3 Lite, Xiaomi Electric Scooter 4 (Canada) and Xiaomi Electric Scooter 4 Pro. This blog post seeks to explore the Xiaomi scooter product line and its interweb with different manufacturers.
Ultimately, this blog article seeks to answer the question, if any of the new models can be hacked or not.
History: Xiaomi, Mi, Mijia?
Xiaomi released its first scooter, the „Xiaomi Mi Electric Scooter“, also known as „Xiaomi Mijia M365“, in December 2016. „Mi“ and „Mijia“ are two brands used by Xiaomi for smart home devices. The „Mijia“ brand is more prominent in Asian regions, whereas the „Mi“ brand is used globally.
The „Mi“ label was dropped from the latest scooters model names. But, the „Mijia“ brand still exists in Asian regions.
Who produces Xiaomi scooters?
Xiaomi is primarily a design and marketing company, meaning that it does not manufacture all of its products in-house. Instead, Xiaomi partners with a network of suppliers and contract manufacturers to produce its products.
For example, Xiaomi works with Foxconn, a major contract manufacturer, to produce some of its smartphones. It also works with other manufacturers for different product categories, such as Huami for its wearables and Viomi for its home appliances.
Unsurprisingly, Xiaomi does not actually produce scooters. The producers are named in the following list, together with detailed information on each released scooter model and their internal device naming (Xiaomi Mi Home App):
- Ninebot (Changzhou) Tech Co., Ltd. [founded in 2012, acquired the U.K. based Segway Inc. in 2015]
- M365 [ninebot.scooter.v1]
- M365 Pro [ninebot.scooter.v2]
- Mi 1S [ninebot.scooter.v3]
- Mi Pro 2 [ninebot.scooter.v4]
- Mi Lite (Essential) [ninebot.scooter.v5]
- Mijia 1S (China) [ninebot.scooter.v6]
- Mi 3 [ninebot.scooter.v7]
- 4 Pro (old version?) [ninebot.scooter.v8]
- Mi 3 (new version?) [ninebot.scooter.v10]
- 4 Go [ninebot.scooter.v13]
- 4 Pro [ninebot.scooter.15/v15]
- 5 Pro (China) [ninebot.scooter.v16]
- Brightway Innovation Intelligent Technology (Suzhou) Co., Ltd. [founded in 2020]
- NAVEE Electric Scooter S65 [dreame.scooter.p2223]
- Mijia Electric Scooter 3 Youth Edition (China) [dreame.scooter.t2185]
- Xiaomi Electric Scooter 3 Lite [dreame.scooter.epro]
- Xiaomi Electric Scooter 4 [dreame.scooter.t2201]
- Xiaomi Electric Scooter 4 Ultra [dreame.scooter.p2301]
- Xiaomi Electric Scooter 4 Lite [navee1.scooter.t2210]
- NAVEE Electric Scooter V40 [navee1.scooter.t2208]
- NAVEE Electric Scooter V50 [navee1.scooter.t2211]
- NAVEE Electric Scooter S65C [navee1.scooter.t2214]
Up until recently, all „Xiaomi“ scooters were produced by Ninebot. This changed when Brightway came to light in 2020.
Brightway first released a scooter for the Chinese market, named 米家电动滑板车3青春版 (Mijia Electric Scooter 3 Youth Edition). This scooter is now available globally under the name „Xiaomi Electric Scooter 3 Lite“. Fun fact: The original name indicates it’s target audience (youngsters), which explains why the scooter has the weakest specs of all scooters in the Xiaomi portfolio.
Furthermore, Brightway has its own scooter brand: NAVEE TECH. Even if Brightway doesn’t use the NAVEE brand for all Xiaomi models, they left traces with „Navee“ tags all over the place, for example, in the Xiaomi 3 Lite FCC documents.
Brightway vs. Dreame
In the Xiaomi Mi Home app, all Brightway scooter model names start with „dreame.scooter“. This is strange, because „Dreame“ mainly produces vacuum cleaning robots… So the question is: How is Brightway related to Dreame?
My research concludes that Brightway and Dreame are both brands owned by the Chinese company Shenzhen Liwei Electronics Co., Ltd. (also known as Liwei Century or Liwei Chuangzhi).
Liwei Electronics is a leading manufacturer of home appliances, including vacuum cleaners, air purifiers, and other cleaning products. Dreame is Liwei’s premium brand of vacuum cleaners and other cleaning products, while Brightway is… well… a scooter brand.
With regards to the Mi Home app, I assume, that Liwei Electronics wanted to bundle both their Dreame and Brightway products within the Xiaomi Mi Ecosystem and found the easiest way to achieve this by using the already existing „dreame“ namespace/account.
Ninebot scooters have had a long-standing reputation for being hacker-friendly. However, this changed last year with the introduction of new security features (cryptographic signatures) specifically aimed at preventing tampering with the device firmware. Now, with the „4 Pro“ model, Ninebot put a nail in the coffin of firmware manipulation: They added a secure chip, dubbed „MJA1“, to (possibly) store encryption keys and cryptographic functions. Secure chips usually come with a physical protection layer that, for example, causes the chip to erase itself when tampered with physically. (Side note: Xiaomi also uses the „MJA1“ in other devices, such as the „Vacuum-Mop 2“ robot vacuum cleaner and the „Smart Camera 2 PTZ“ security cam.)
It can be said that, starting with the „4 Pro“, all upcoming Ninebot scooters will be difficult to hack.
However, public information about Brightway scooters (including the „3 Lite“, „4“ and NAVEE scooters) do not seem to indicate similar measures: FCC documents from the NAVEE Electric Scooter S65 show a dashboard equipped with a Realtek MCU (AMB1) and exposed serial wire pins (CLK/DIO/G), meaning: a potential for further exploration!