Apps, firmware and smart features: what to weigh

Scootify Team 10 min read

Two machines with the same motor and battery can behave very differently — and the reason is often not the hardware but the software. The companion app, the firmware, the cloud and the data never appear on a spec table, which is exactly why buyers overlook them. They shouldn’t: software now shapes how a scooter behaves as much as motor power does. This guide covers the software side of choosing; the engineering depth is left to the software and firmware guide.

What companion-app features actually matter

Most modern Bluetooth scooters pair to a manufacturer app, and the genuinely useful controls cluster into a handful of categories.

  • Electronic lock and motion alarm. The app can disable the motor remotely so a thief cannot ride the scooter away even if they pick it up; any movement while locked triggers a loud alarm (Unagi; Levy). Treat this as a deterrent layer, not a real lock — the full treatment is in the anti-theft and locks post. GPS-equipped models add last-known location and geofence alerts (Segway-Ninebot app feature set, per review coverage).
  • Speed limit / region cap. The factory speed limiter is firmware-based and often tied to a region setting in the controller (EU builds are typically capped at 25 km/h while “global” builds expose the full hardware speed) (Arwibon; community ScooterHacking documentation). In regulated markets it is worth checking what the legal/region cap is and whether the app exposes it.
  • Cruise control. Toggled in-app on many models so the rider can hold a steady speed without keeping throttle pressure — useful on long straight runs (Unagi; iScooter).
  • Regen / KERS level. The app lets you set the strength of regenerative braking (often low/medium/high), which changes how aggressively the scooter slows when you ease off the throttle (Unagi; the M365 toolkit exposes a KERS minimum-speed setting). More in the regenerative braking guide.
  • Light control, ride stats, telemetry. Headlight and turn-signal toggles, plus live speed, battery %, estimated range, trip distance and battery temperature (general companion-app coverage; isinwheel).
  • Diagnostics and error codes. Better apps surface controller/BMS error codes, component health and maintenance reminders — the same fault information a built-in display shows; so for the detail on codes and telemetry see the display, throttle and error-code parts guide (companion-app coverage; isinwheel error-code reference).

The buying takeaway, stated plainly: a well-maintained app with these controls is a real feature; a flaky app, or one that locks basic settings behind a mandatory account login, is a real drawback.

OTA firmware updates: fixes — and post-sale changes

The upside. Over-the-air firmware (pushed through the app over Bluetooth) lets a maker fix bugs, refine motor control and throttle response, improve battery management, add riding modes (for example an Eco mode) and patch security — without a service-centre visit (Arwibon firmware guide; general review coverage). For a buyer this is a plus: an actively-updated model gets safer and better over time, while an abandoned one stagnates.

The catch — firmware can also take features away. Because top speed, the power curve and region are firmware-defined, the same update channel that fixes bugs can also throttle the scooter or change its behaviour after you have bought it:

  • Region and speed caps are enforced in firmware, and newer firmware can make them harder to undo. Segway-Ninebot’s later firmware (for example G2 Max 1.4.8+) adds cryptographic signing that blocks unauthorised firmware and rollback; on some models the Bluetooth region/speed changes that worked on older firmware (DRV 1.7.3 and below) became unreliable or blocked on newer firmware (ScooterHacking / community documentation). The practical point: an update can lock down what the scooter is allowed to do.
  • Shared-fleet scooters already do remote, location-based speed control. Bird’s Community Safety Zones use GPS geofencing to automatically cap scooter speed to 8 mph inside designated zones (initially around schools), piloted in Miami, Marseille and Madrid from August 2021 (Engadget, 2021). Lime similarly enforces no-ride and slow zones; it moved the zone maps onto the scooter itself so the device can check its position roughly every second rather than waiting on a server round-trip (Lime, geofencing announcement, via reporting). This is the clearest proof that a connected scooter’s speed can be changed remotely by the operator — a mechanism the consumer market is moving toward.

The buying takeaway: prefer makers with a track record of useful updates, and understand that “smart” also means the vendor retains a lever over the product after the sale. Ask whether updates are optional and whether you can stay on a known-good version.

Custom and community firmware

A large community modifies firmware on popular Xiaomi-class and Ninebot scooters. ScooterHacking Utility is a free Android tool that reads and flashes BLE/ESC/BMS firmware, includes a custom-firmware (SHFW) generator, and can change region and bypass downgrade protection on the Xiaomi M365/M365 Pro/Lite/1S/Pro 2 and Ninebot Max G30 families (ScooterHacking Utility overview). The web-based M365 Custom Firmware Toolkit lets users set max speed in Normal/Eco modes, the motor-power constants (“lower values = more power”), the motor-start threshold, KERS regen behaviour, the cruise-control delay, the wheel-size multiplier and even battery-voltage parameters (m365.botox.bz).

What it unlocks: higher top speed, stronger acceleration and torque, tuned regen, cruise-control tweaks, region change, and display/feature patches (ScooterHacking; M365 toolkit).

The real risks — state them clearly:

  • Motor or battery damage. The official toolkit itself warns that “a higher motor power will shorten the lifetime of your battery and could damage your motor,” and community guidance flags that the most aggressive power profiles (for example a 1000 W M365 CFW) can damage the scooter, with milder profiles considered safer (m365.botox.bz; community CFW guidance). Pushing more current than the controller and battery were rated for is an over-current and thermal hazard.
  • Bricking. Flashing firmware for the wrong hardware version or model can permanently lock the controller; toolkits add safety checks but the risk is not zero, so version and compatibility must match exactly (botox.bz toolkit; community guides).
  • Warranty void. Manufacturers can detect firmware modification, and flashing custom firmware voids the warranty in most cases (Arwibon firmware guide).
  • Legality. Raising the speed beyond the regional legal cap can mean fines, confiscation or liability in a crash (Arwibon; general regulatory coverage) — the country-by-country detail is left to the regulations-by-country guide.
  • Security side-effect. Modified or unsigned firmware can itself become a vector for attack (see the connection-security section below).

The buying takeaway: community firmware is powerful and popular, but it trades warranty, safety margin and (often) legality for performance — it should be a deliberate, informed choice, not an expectation of a stock product.

Cloud lock-in and server dependency

The key buying question: does a feature live in the scooter itself, or on the company’s servers? Bluetooth-local features keep working forever; cloud-required features die if the app is sunset or the company folds.

  • Shared scooters are almost entirely cloud- and phone-dependent by design — you cannot start one without the app or account; even Lime’s “no-download” option still needs a phone, scanning the QR via an iOS App Clip / Android Instant App and paying through it (MakeUseOf). When the operator shuts the service, the hardware is simply inert.
  • The VanMoof cautionary tale (e-bike, 2023). When VanMoof went bankrupt, owners faced losing access to their own bikes: unlocking relied on a key generated by VanMoof’s servers, so “no server, no key code, no unlock,” and app-side features (gear and assistance modes, lock/unlock) were cloud-dependent — owners risked an “e-brick” (Tom’s Guide, 2023; Hackaday, 2023). Crucially, basic Bluetooth functionality and a backup coded-unlock survived; a community “Key Exporter” project on GitHub let owners save their key, and rival firm Cowboy released an app to keep unlocking working offline (Hackaday, 2023). Hackaday’s framing is the lesson: critical device functionality should not depend on perpetual cloud connectivity.

The buying takeaway for owned scooters: favour models whose core functions (riding, locking, mode and regen settings, a local copy of the firmware) work Bluetooth-local, so the scooter is not hostage to a server. Be wary of features that require a live account or a cloud call to operate, and of subscription-gated capabilities.

Privacy and data

Connected scooters and their apps collect personal and location data; how much, and where it goes, varies sharply.

  • Shared-fleet apps are data-hungry. Renting requires consenting to route and location tracking; the app records your route, distance and speed, and services may sample scooter position frequently while it is active (CBC, 2023; ACLU of Northern California). Account onboarding can pull in profile data (for example a name and photo via Facebook login) and, for some operators, a driver’s-licence photo; the ACLU notes that Bird/Lime/Spin reserve broad rights to disclose user data on a “good-faith belief,” to share it within their corporate “family” of companies, and to pass mobility data to city and transport authorities (ACLU of Northern California). An academic study of e-scooter rental apps found extensive permission requests and third-party tracking and data-sharing baked into the apps (ACM WiSec, 2022). City collection of trip data has itself been litigated on privacy grounds (LA / MDS coverage; EPIC).
  • Owned scooters typically collect less, but a maker app may still request location, store ride history and tie everything to an account; the data-handling depends on the vendor’s privacy policy. The buying advice is to read what permissions the app demands (does it need location when you are not riding?) and to prefer apps that work without a mandatory cloud account.

The full treatment is in the engineering guides on privacy and data protection and cybersecurity.

Security of the connection

Connectivity is also an attack surface, and the canonical example here is verifiable and authoritative.

  • Xiaomi M365 Bluetooth flaw (Zimperium zLabs, February 2019). The app’s password was validated only on the phone side; the scooter “doesn’t keep track of the authentication state,” so commands could be sent without the password. An attacker within about 100 m could lock a scooter (denial of service), install malicious firmware for full control, or force sudden braking or acceleration on a rider (Zimperium, 2019; The Hacker News, 2019). The interim mitigation was to stay connected via the official app while riding, but a real fix required Xiaomi to update the scooter itself (Zimperium, 2019).

Make the buying point from this: BLE security and a maker’s willingness to ship security patches (see the OTA section above) are part of choosing well, not an afterthought.

Does it work without a phone?

State the reassuring baseline first, then the caveats.

  • Owned scooters generally ride fine without a phone. You can power on and ride on the default mode without the app; you simply lose advanced controls — remote lock, settings customisation, live stats, region change (Best Buy Okai Q&A; Gyroor; Mi support). Some models add a physical, NFC or code unlock, so the lock feature survives offline.
  • The app is an enhancement layer, not the engine on owned models — but the exact line varies by maker, which is why the previous section’s “what lives where” question matters.
  • Shared scooters are the opposite: the phone is mandatory to unlock and pay (MakeUseOf).

The buying takeaway: confirm the scooter’s essential functions (ride, brake, lights, lock) work without the phone, and treat heavy app-dependence for basic operation as a red flag.

A short buyer’s checklist

No marketing, just five questions. (1) Are the app’s core functions Bluetooth-local? (2) Does the maker ship regular, optional firmware updates with a security track record? (3) What can an OTA update or region cap let the vendor change after sale? (4) What data does the app demand, and is a cloud account mandatory? (5) Does the scooter ride fully without a phone? Put these five questions next to the spec table — and pair them with the software and firmware engineering guide for depth.

Read next

Consultation