About
Purpose
This project documents the Bluetooth Low Energy communication protocol used by Segway-Ninebot vehicles. The goal is to enable interoperability — allowing vehicle owners to build their own tools, integrate vehicle data into their systems, and exercise control over hardware they own.
This is not about circumventing security or enabling theft. It's about the principle that if you own a vehicle, you should be able to communicate with it using software of your choosing.
Motivation
Modern vehicles increasingly rely on manufacturer-controlled apps for basic functions like checking battery status, adjusting settings, or running diagnostics. When the manufacturer decides to discontinue the app, change its terms, or restrict functionality, owners lose access to features of hardware they paid for.
By documenting the communication protocol, we ensure that:
- Owners are not locked into a single app ecosystem
- Third-party tools can be built for diagnostics, fleet management, and accessibility
- The community can maintain vehicle connectivity independent of manufacturer support
- Vehicle data remains accessible to the person who owns the vehicle
Legal basis
EU Software Directive (2009/24/EC)
Article 6 explicitly permits decompilation when it is necessary to achieve interoperability with independently created software. The conditions are:
- The person has a lawful copy of or access to the software
- The interoperability information is not already readily available
- The results are only used for interoperability purposes
This research satisfies all three conditions. The protocol information was not publicly available, and the documentation is intended solely for building interoperable software.
EU Right to Repair
The European Parliament has been actively strengthening right-to-repair legislation. The EU is moving toward requiring manufacturers to make vehicles more repairable and to provide independent access to vehicle data and diagnostics. This research aligns with that direction.
What this project does and does not contain
This project contains:
- Protocol documentation (message formats, command IDs, data structures)
- Description of the encryption scheme and key derivation method
- An independent, clean implementation of the BLE client in Python
- Device configuration data (command sets, board addresses)
This project does not contain:
- Proprietary source code or decompiled application code
- Firmware images or binaries from Segway-Ninebot
- Tools for circumventing vehicle security (theft, immobilizer bypass)
- Modifications to safety-critical systems
Prior art
This type of protocol documentation is well-established in the vehicle and IoT communities:
- ScooterHacking.org — Custom firmware and tools for Ninebot/Xiaomi scooters
- OpenDBC — Open CAN bus database for vehicles
- comma.ai openpilot — Open-source driver assistance
- Various OBD-II diagnostic tools and databases
Methodology
The protocol was reverse-engineered through:
- Static analysis of the official Android application's native cryptographic library using Ghidra
- Decompilation of the application's Java code
- Analysis of device configuration files that define command sets and board addresses
- Implementation of a clean-room BLE client to verify the protocol understanding
This analysis was performed under Article 6 of the EU Software Directive because the protocol and interface information required for interoperability was not made available by the manufacturer through any other means.
No live interception of other users' communications was performed. All analysis was conducted on software and hardware owned by the researcher.
Contributing
Contributions are welcome, especially:
- Protocol details for additional device models
- Corrections to command references
- Additional language implementations of the BLE client
- Improved documentation or diagrams
Acknowledgments
- The ScooterHacking community for pioneering open Ninebot/Segway research
- Ghidra from the NSA for making binary analysis accessible
- The Bleak project for cross-platform Python BLE support
License
The documentation and code in this project are released under the MIT License.
This means you are free to use, modify, and distribute the code and documentation for any purpose, including commercial use, provided you include the original copyright notice.
Disclaimer
This documentation is provided for educational and interoperability purposes. The authors are not responsible for any misuse. Users are responsible for ensuring their use complies with applicable laws in their jurisdiction.
Use of this protocol documentation with vehicles you do not own may violate local laws. Only use these tools with your own vehicles or with explicit permission from the owner.