This oBike dockless share bike had been parked in the street for several days, and eventually kicked over. Without a helmet attached, it can't be legally used in Melbourne. So let's lock a helmet on to encourage someone to hire it, and figure out how the locking system works along the way...
A semi-circular chromed steel shackle rides in a zinc-plated steel shell, inside the weatherproof plastic case. The electronics, actuator, latch, etc. are built into a nylon housing which also serves as an additional guide for the shackle. The shackle is spring-loaded to open unless held locked by the latch. The latch is actuated by an electric motor via reduction gearing. The position of the latch is sensed via a microswitch. The latch is also spring-loaded, so that it can be released when the shackle is open but will not engage until the shackle is moved to the lock position.
The microcontroller is a TI CC2541, a $1.64 low-power Bluetooth-capable SOC based on an 8051 core. The lock appears as a Bluetooth device with the name "bike:[many hex digits here]". Presumably the app negotiates unlocking over this short-range link, once the user has scanned the bike's QR code and the app has retrieved unlock authorisation and credentials from oBike's servers. Protocol capture and reverse engineering are left as an exercise for the reader.
The lock has no GPS, cellular, or Wi-Fi capability, so positioning must be done by the oBike app when the user "logs out" of the bike. If a bike is moved without "logging in" to it through the app, the system has no way of knowing its new location until someone randomly finds it and attempts to log in to it.
The lock is powered by a lithium ion cell, charged by a solar panel. The battery can be replaced via a panel without completely opening the case, however the lock still needs to be removed from the bike to gain access to the panel.
Physically the lock seems secure, although as demonstrated it can easily be removed. Example physical attacks include drilling a hole through the case of the lock to gain direct access to the latch. However, the bikes' heavy steel frames, distinctive appearance, low quality fittings, and lack of gears make it unlikely that many people would choose to illegally repurpose them. More likely the bikes will just be vandalised, which doesn't require damaging the lock.
I put the bike back on the street in the same location where it was found, passed the helmet's straps through the lock, and latched it, ready for the next user. Within two hours, the bike was gone. Off on a new adventure, or being sent to a watery grave? Only oBike know.
Music: BoOp – Voir au loin
Free download: http://play.dogmazic.net/song.php?song_id=26891
Music distributed under the Free Art License: http://artlibre.org/licence/lal/en/
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License (CC-BY-SA 4.0)