UART commands for Rental Ninebots

Posted: Tue Sep 15, 2020 8:19 am
by dumdum
I have some of the UART commands for rental Ninebots (Lock, Unlock, Read/Write Info), but I don't have access to any scooters. Is there someone to test a command for me?
If this one works, I will be releasing extensive information on other UART commands.

Read Unique ID: 5A A5 01 3E 20 01 56 02 47 FF

Also, only Read commands are static and remain the same in every scooter. Write cmds (Lock/Unlock etc.) are hardware specific and they are calculated for each scooter based on 3 parameters that I have only partly reversed. It is also possible that the command changes for each device connecting to the same scooter.

If this command worked, please PM me what it returned.

Re: UART commands for Rental Ninebots

Posted: Thu Oct 15, 2020 9:05 pm
by FerniDios
Hello! I tested the command, I can't PM you (I guess cause I am a new member). The command works, the data segment consists of two bytes, 2E 74. I'm guessing that's short for a Unique Identifier. Let me know if you are still working on this project, I could use the info you mentioned.

Re: UART commands for Rental Ninebots

Posted: Sat Oct 17, 2020 6:37 pm
by dumdum
> Hello! I tested the command, I can't PM you (I guess cause I am a new member). The command works, the data segment consists of two bytes, 2E 74. I'm guessing that's short for a Unique Identifier. Let me know if you are still working on this project, I could use the info you mentioned.

Hi, that must be it. I have some decompiled Java files of a rental app, but I don't have the time to write any software right now. Do you have any coding knowledge to help me out? There is a specific part in the code that I don't think I can debug, without running numerous UART commands on an actual scooter, in order to get the Lock/Unlock commands.

I have these 2 for now:
Read Lock Status: 5A A5 01 3E 20 01 B2 01 EC FE
Power Off: 5A A5 02 3E 20 03 79 01 00 22 FF (It should make the scooter seem locked, although the Lock Status should still be 'Unlocked'. There is no 'Power On' command.)

And another 2 for which I am not sure my scripting was correct:
Lamp On: 5A A5 01 3E 20 18 01 87 FF or 5A A5 00 3E 20 18 01 88 FF
Lamp Off: 5A A5 01 3E 20 18 00 88 FF or 5A A5 00 3E 20 18 00 89 FF

Please do let me know if any of those four work for you!
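
An added example, not part of the thread: a Python decoder that checks frames quoted above for internal consistency, as one would when reading a capture of this bus. The field layout (5A A5 header, length, source, destination, command, argument, payload, then a 16-bit little-endian checksum equal to 0xFFFF XOR the byte sum from length through payload) is an assumption that matches the frames on this page; all function and field names are hypothetical.

```python
from typing import NamedTuple

HEADER = bytes.fromhex("5AA5")  # frame preamble seen in every command on the page


class Frame(NamedTuple):
    length: int        # declared payload length
    src: int
    dst: int
    cmd: int
    arg: int
    payload: bytes
    length_ok: bool    # declared length matches the bytes actually present
    checksum_ok: bool  # trailer matches the computed checksum


def checksum(body: bytes) -> int:
    """Assumed rule: 16-bit sum of length..payload, XORed with 0xFFFF."""
    return (sum(body) & 0xFFFF) ^ 0xFFFF


def parse_frame(hex_str: str) -> Frame:
    raw = bytes.fromhex(hex_str)  # whitespace between bytes is ignored
    if len(raw) < 9 or raw[:2] != HEADER:
        raise ValueError("not a 5A A5 frame")
    body, trailer = raw[2:-2], raw[-2:]
    length, src, dst, cmd, arg = body[:5]
    payload = body[5:]
    return Frame(length, src, dst, cmd, arg, payload,
                 length_ok=(len(payload) == length),
                 checksum_ok=(int.from_bytes(trailer, "little") == checksum(body)))


# Frames copied from the posts above.
SAMPLES = {
    "Read Unique ID":   "5A A5 01 3E 20 01 56 02 47 FF",
    "Read Lock Status": "5A A5 01 3E 20 01 B2 01 EC FE",
    "Lamp On (len 01)": "5A A5 01 3E 20 18 01 87 FF",
    "Lamp On (len 00)": "5A A5 00 3E 20 18 01 88 FF",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        f = parse_frame(text)
        print(f"{name:18} cmd={f.cmd:02X} arg={f.arg:02X} "
              f"payload={f.payload.hex(' ') or '-'} "
              f"length_ok={f.length_ok} checksum_ok={f.checksum_ok}")
```

Under this assumed layout, the Read Unique ID frame carries a one-byte payload of 02, which lines up with the two-byte data segment reported in the reply, and the "len 01" lamp variant declares a payload byte that is not present while the "len 00" variant is self-consistent.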