An Electric Scooter Community on a Mission to Stamp out Transportation Mediocrity.

Changing mobility one trip at a time.
#20043
Hello Everyone,

I've been pretty checked out of the forum since February when we got the speed unlocked. I finally figured out why I couldn't get my scooter working with the fast code and it was either the cable or the Arduino. As soon as I ordered more Arduino Nano and tested with a new build it worked great.

Since then I've been making scooter unlocking boxes, probably 35 total with another 10 on hold. I found finally a source of what I call 'power modules' on Ali Express. They are not micro USB for my Arduino's from Amazon but two bare wires. I found out today what happens when you suck the soldering job, a nice big spark that fries your Nano. I'll be more careful in the future and used some hot glue liberally.

In any case, I've had tons of fun riding these scooters and making unlocking boxes for myself and others. I've received and started testing a pair of ESP32 boards and code from @MrSpriggs1 to get bluetooth unlocking to work but no success yet. I think I have the code right, the cable is good enough, but not sure on the pin outs.

Once I hopefully get it going, I want to put this unlocked in the steering column of the scooter and test it long term. I am worried about power drain but can just charge at work I guess. I can worry about that if I get it working.

Long term, though, I'm still not happy with the power. I need to either lose 80 lbs or maybe find a way to boost power. If any one finds an easy way to do this let me know. I prefer not mess around with the battery or controller but it seems like either that or buying a new scooter.

For now, just keeping the dream alive. In case I'm busy riding the scoots for a while, thank you all so much for your help. I really love riding this stupid scooter way more than I should; especially while listening to 'high way to the danger zone'.

Bigredrobot
#20052
Do you have any suggestions on how to monitor both the IOT and the scooter ESC TX simultaneously? I was wondering if theres a way to use arduino software serial to open two pins for serial monitoring and somehow log them at the same time. Or if there is an automated way to do this. The arduino is the board I have at my disposal though and its how I monitored the signals originally before this update, so if I could use this that would be ideal. Obviously the timestamps are critical as this message gets sent very frequently and can easily be misaligned if the time isn't accurate. Let me know the thoughts, thanks!

Jvon wrote:
Sat Mar 07, 2020 9:32 pm
Yes I think You’re right about the serial number of scooter. I think GPS box is doing something like handshake with ESC. ESC sending some requests packet to IoT and IoT send encoded with serial number answer.

By the way

7a 12 0a 45 4f a2 da 4d ee f7 3f 8a 3d c6

“7a 12 “- in here it’s something like a header of the packet,
“0a “ - its a length of 10 bytes
“45 4f a2 da 4d ee f7 3f 8a 3d “ - is 10 bytes of data
“C6” - this is crc8 byte coded with crc8 maxim.

And this packets they look like CAN packets.
So if we’ll get both Rx and Tx data I m sure we ll find out the algorithm.
funbag wrote:
Sat Mar 07, 2020 4:10 am
Great to hear that the scooter still is on!

The security codes may be unique for each scooter but that's a matter of finding the algorithm which might be based on the scooter's unique serial number or so.

My theory is that ESC sends a verification request with predefined prefix (7a 12 0a as well?) but random data suffix (based on serial number and/or internal clock perhaps?) to IoT box. The IoT box then sends a verification message back based on an algorithm and the input data with the 7a 12 0a prefix we've seen. So the only way to find a solution would be to find the algorithm, but to do that we need both Tx and Rx data with timestamps so we know which reply that belongs to each request.

In a best case scenario (probably too much to hope for), the IoT replies with exactly the same code that is sent by the ESC. Why would they do like this? Just to verify that the IoT box is connected.

Keep us posted! 🙂
1215941571 wrote:
Fri Mar 06, 2020 11:17 pm
Yeah when I have time i'm going to look into this. The scooter is still on i've just not had the time to log the data. I hope to do it for a hour or so to collect information, and hopefully capture any duplicates.

However with this being said i think its important to mention that there is a slight chance every bird may use its own unique sequence of security codes now. I tried forwarding the information from the glitched bird scooter to a standard deactivated scooter and it did activate but shut down after a few minutes with an error code. Either that or the two way communication from the scooter and IOT box is now mandatory, im unsure of this (i only forwared IOT TX to the deactivated scooter, not the RX).

Also, a lazy fix to this that I figured out is to spam the enable pin and constantly spam the enable TX code on the arduino. This will keep the scooter activated when the failsafe for the security bytes trigger, but the scooter will still have to come to a stop every few minutes. You can also overflow the buffer on the scooter by spamming the messages really quickly, which keeps it on for longer than 2 minutes as a result. But I'm not sure if theres a way around this the lazy way, but you have to be careful with the code because if you send the deactivate code and the enable is also sent to low, the scooter will come to a instant stop even if the wheel is spinning. I feel like the scooter update can be bypassed but it might require a bit of work...
#20054
Thank you very much For your efforts.The easiest way is to use 2 arduionos boards . Connect botch rx and tx to rx lines of arduinos and gnd pins should be common for all devices. On pc u can use “serial port monitor eltima” software in double window to monitor each port of each arduino.
1215941571 wrote:
Mon Mar 09, 2020 8:56 pm
Do you have any suggestions on how to monitor both the IOT and the scooter ESC TX simultaneously? I was wondering if theres a way to use arduino software serial to open two pins for serial monitoring and somehow log them at the same time. Or if there is an automated way to do this. The arduino is the board I have at my disposal though and its how I monitored the signals originally before this update, so if I could use this that would be ideal. Obviously the timestamps are critical as this message gets sent very frequently and can easily be misaligned if the time isn't accurate. Let me know the thoughts, thanks!

Jvon wrote:
Sat Mar 07, 2020 9:32 pm
Yes I think You’re right about the serial number of scooter. I think GPS box is doing something like handshake with ESC. ESC sending some requests packet to IoT and IoT send encoded with serial number answer.

By the way

7a 12 0a 45 4f a2 da 4d ee f7 3f 8a 3d c6

“7a 12 “- in here it’s something like a header of the packet,
“0a “ - its a length of 10 bytes
“45 4f a2 da 4d ee f7 3f 8a 3d “ - is 10 bytes of data
“C6” - this is crc8 byte coded with crc8 maxim.

And this packets they look like CAN packets.
So if we’ll get both Rx and Tx data I m sure we ll find out the algorithm.
funbag wrote:
Sat Mar 07, 2020 4:10 am
Great to hear that the scooter still is on!

The security codes may be unique for each scooter but that's a matter of finding the algorithm which might be based on the scooter's unique serial number or so.

My theory is that ESC sends a verification request with predefined prefix (7a 12 0a as well?) but random data suffix (based on serial number and/or internal clock perhaps?) to IoT box. The IoT box then sends a verification message back based on an algorithm and the input data with the 7a 12 0a prefix we've seen. So the only way to find a solution would be to find the algorithm, but to do that we need both Tx and Rx data with timestamps so we know which reply that belongs to each request.

In a best case scenario (probably too much to hope for), the IoT replies with exactly the same code that is sent by the ESC. Why would they do like this? Just to verify that the IoT box is connected.

Keep us posted! 🙂

#20095
Everything is encrypted in one way or another. But we were still able to retrieve the unlock codes, mainly due to the fact that communication between IoT and ESC could be read. Same can hopefully go for the keep alive challenge.

STM32 in the IoT box has read protection, but the serial flash feeding data to it has not. The STM32 probably has write protection as well so it's not just a matter of re-flashing it. Sorry, I don't believe it's the easiest solution.

I'm still highly interested in the Rx/Tx data sent between IoT box and ESC. Hopefully things can be found there.
fernlop wrote:
Thu Mar 12, 2020 10:11 am
The security codes are encrypted.
There is no way to duplicate this, the GPS Box STM32 Chip has read out protection.
You would need to write a new software for the STM32 inside the motor controller.
We should focus on this.
This way everything would get much easier.
#20109
quote=funbag post_id=20095 time=1584041315 user_id=20695]
Everything is encrypted in one way or another. But we were still able to retrieve the unlock codes, mainly due to the fact that communication between IoT and ESC could be read. Same can hopefully go for the keep alive challenge.

STM32 in the IoT box has read protection, but the serial flash feeding data to it has not. The STM32 probably has write protection as well so it's not just a matter of re-flashing it. Sorry, I don't believe it's the easiest solution.

I'm still highly interested in the Rx/Tx data sent between IoT box and ESC. Hopefully things can be found there.
fernlop wrote:
Thu Mar 12, 2020 10:11 am
The security codes are encrypted.
There is no way to duplicate this, the GPS Box STM32 Chip has read out protection.
You would need to write a new software for the STM32 inside the motor controller.
We should focus on this.
This way everything would get much easier.
[/quote]

Would it be possible to send in some code between Simcard and STM32 in GPSBox somehow and see if it gets encrypted on the way out? In that case it will be easier to get sufficient data for analysing and we will have correct timestamps. But in case that works we don't have to figure out the crypto since we can send the unlock that way.
There should be a TC2050 connector on the IOT box
Image
#20170
Any progress so far? Is the scooter still running? Any new readouts?
1215941571 wrote:
Mon Mar 09, 2020 8:56 pm
Do you have any suggestions on how to monitor both the IOT and the scooter ESC TX simultaneously? I was wondering if theres a way to use arduino software serial to open two pins for serial monitoring and somehow log them at the same time. Or if there is an automated way to do this. The arduino is the board I have at my disposal though and its how I monitored the signals originally before this update, so if I could use this that would be ideal. Obviously the timestamps are critical as this message gets sent very frequently and can easily be misaligned if the time isn't accurate. Let me know the thoughts, thanks!
#20202
Scooter is still running yeah, just waiting on the second Arduino to arrive as I only have one. I wish there was a way to read both serial lines with a single Arduino this would make things easier.
funbag wrote:
Mon Mar 16, 2020 7:03 pm
Any progress so far? Is the scooter still running? Any new readouts?
1215941571 wrote:
Mon Mar 09, 2020 8:56 pm
Do you have any suggestions on how to monitor both the IOT and the scooter ESC TX simultaneously? I was wondering if theres a way to use arduino software serial to open two pins for serial monitoring and somehow log them at the same time. Or if there is an automated way to do this. The arduino is the board I have at my disposal though and its how I monitored the signals originally before this update, so if I could use this that would be ideal. Obviously the timestamps are critical as this message gets sent very frequently and can easily be misaligned if the time isn't accurate. Let me know the thoughts, thanks!
  • 1
  • 65
  • 66
  • 67
  • 68
  • 69
  • 80

As this was a rental version whos overstock was […]

Any one got any info on beryl bikes I seen a few[…]

LH/ TF-100 Style Display.

Hi I recently converted a Bird Zero to a personal […]

How do you operate dash without button? I have[…]