Communication Protocol
The S3/X3 communicates over Bluetooth Low Energy (BLE) as a GATT service; reading up on GATT is highly suggested to learn more about BLE GATT services and characteristics. The bike advertises itself as a Bluetooth peripheral and accepts GATT requests. However, only one central device can connect to it. All payloads, except for getting a nonce and reading the frame number, are encrypted with AES in ECB mode. The AES key is a 32-byte random array generated by VanMoof servers when you register your bike. I believe this would also change if you change your keycode or password.
There are two important characteristics in the service: CHALLENGE and KEY_INDEX. Essentially, the CHALLENGE UUID provides a nonce that is used to sign subsequent messages to reduce plaintext attacks. KEY_INDEX is used for initial authentication to unlock further functionality with the bike. Any write requires first reading from the CHALLENGE characteristic and integrating that value into the encrypted write payload. Reads from the bike do not carry a signed nonce.
TODO: explain the challenge handshake payload.