An Electric Scooter Community on a Mission to Stamp out Transportation Mediocrity.

Brains of the e-scooter. Topics covering controllers, throttles, etc in this section.
By raxrip
#52998
Hi
I have a Zero 10 electric scooter using the QS-S4 LCD display and this display is using the HR8P506 MCU.
This is some Chinese MCU and I cant find to much info about it. My goal is to reprogram it so that I can use it legally on my scooter. In my country electric scooter must have a max speed of 22km/h to be legal and the P8 settings (for adjusting max power) must be locked to some % value that prevent the scootr to go faster.
I see there are other LCD displays available and I was wondering if anyone know what kind of MCU these displays are using.
If I am lucky then I could find a display using an SMT32, ESP, Atmega or PIC controller. I know these MCU's pretty good an I know how to re flash them.

For now I inserted a small atmega 32U4 to intercept (MITM) the serial data sent from the LCT to the controller.
The data sent are blocks of 15 bytes at 1200bps containing more ore less all the P settings programmed to the display.

Here are some sample data:

LCD send:
01 03 01 00 05 05 1A 00 35 80 00 0A 1C 0A B0 <- First chunk after power on
01 03 02 00 05 06 1A 00 35 80 6C 0A 1C 0A DC
...
01 03 16 00 05 7A 1A 00 35 00 6C 0A 1C 0A 34
01 03 17 00 05 7F 1A 00 35 00 6C 0A 1C 0A 30
01 03 18 00 05 78 1A 00 35 00 6C 0A 1C 0A 38
00 03 19 00 05 7D 1A 00 35 00 6C 0A 1C 0A 3C <- Last chunk after I pressed power off

This is what I found out about these bytes:
B00 B01 B02 B03 B04 B05 B06 B07 B08 B09 B10 B11 B12 B13 B14
01 03 18 00 05 78 1A 00 35 00 6C 0A 1C 0A 38

B00 = Power on/off (01=on. 00=off)
B01 = 03 ?
B02 = Packet Counter. (Counts from 0 to 0xFF and then restarts. 1 packet is all 15 bytes)
B03 = 00 ?
B04 = Gear (Using bit 0, 1, 2, 3. xxxx0101=1, xxxx1010=2, xxxx1111=3)
B05 = ?? rand?
B06 = P09 = Kickstart (Only bit 1 is used. xxxxxx1x=kickstart, xxxxxx0x=no kick) (Usually 0x1A for kickstart)
B06 = P17 = Cruise Control (Only bit 2 is used. xxxxx0xx=off, xxxxx1xx=on) (Usually 0x1A for off)
B07 = 00 ?
B08 = P08 = Power Limit
B09 = Lights on/off (Using 1 bit 3. xxxx0xxx=off, xxxx1xxx=on)
B09 = Brakes on/off (Using 1 bit 6. x0xxxxxx=off, x1xxxxxx=on)
B10 = 0x6D or 0x6C ??
B11 = P11 = Electronic Breaking (Using bit 3, 4, 5. xx000xxx=0, xx001xxx=1, xx010xxx=2, xx011xxx=3, xx100xxx=4, xx101xxx=5) (Usually 0x1A for 3)
B11 = P12 = Acceleration (Using bit 0, 1, 2. xxxxx000=1, xxxxx001=2, xxxxx010=3, xxxxx011=4, xxxxx100=5) (Usually 0x1A for 3)
B12 = 0x1C
B13 = P06 = Wheel Diameter
B14 = XOR checksum (That is when all 15 bytes are xor'ed the sum should be 0x00)

My 32U4 modifies byte 8 containing the max speed values to whatever I want but the modification only happens after I insert a code to enable it. The code is read by pressing the brakes and the code value read will be the gear setting. That is, the code can only contain the digits 1-3 and atm can be from 3-8 chars long. When I power cycle the display I have to insert the code again for the speed setting to unlock.

Here is a picture of the QS-S4 PCB
Image

As this was a rental version whos overstock was […]

Any one got any info on beryl bikes I seen a few[…]

LH/ TF-100 Style Display.

Hi I recently converted a Bird Zero to a personal […]

How do you operate dash without button? I have[…]