An Electric Scooter Community on a Mission to Stamp out Transportation Mediocrity.

Enjoy the juice
#53013
SneakX wrote:
Mon Dec 07, 2020 1:56 pm
the problem is that LIME has updated their controllers with a new security patch.
that's why it's not working
Hello SneakX,

I'm wondering what you mean by 'security patch'? Are you talking about the fact that there was a hardware update where they removed the SWD pins (but the holes are still there :D), OR are you talking about a software security upgrade that prevents the chip from being reflashed?

I'm saying that because I came across the same upgraded version you're talking about (with no connectors on the controller for the SWD pins), but I managed to use some pin headers like these:
Male version:
[image]

Female version:
[image]

Then I used a multimeter to perform a continuity test between VCC, SWCLK, GND and SWDIO on the board and their respective pins on the MCU, and it seems they are all still connected to the stm32f103c8t6 chip.

For the moment I haven't managed to flash the .hex; that may be because:

1. I'm using a cheap ST-LINK V2 clone (which apparently doesn't work well for this)
2. I didn't set the "VALUE:" line to "FFFFFFFFFFFFFFFF" on the "OPTION BYTES" tab in STVP. I'm referring to this message here

I still have to try again, but I wanted to ask you these two questions:

1. Do you think Lime uses some sort of security mechanism inside the stm32f103c8t6 MCU that prevents people from reflashing it? Please check points 4.2.1 and 4.2.2 starting at page 17 of the datasheet.
2. If so, don't you think it should be possible to replace the stm32f103c8t6 chip on the board with a blank one bought on the market, and from there be able to flash the .hex again?

Thank you :)
Last edited by Bug_meh on Sat May 22, 2021 4:23 pm, edited 1 time in total.
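A practical way to answer question 1 before guessing is to read the 16-byte option-byte block at 0x1FFFF800 with the debugger (any SWD tool that can dump memory) and decode it. The decoder below is an added example written for this thread; it is not code from the forum, from Lime or from STVP, and it says nothing about what STVP's "VALUE:" field does. The layout (eight value/complement pairs RDP, USER, Data0, Data1, WRP0..WRP3; read-out protection is off only when RDP equals the 0xA5 RDPRT key; a cleared WRP bit write-protects a 4 KB block of four 1 KB pages on medium-density parts like the C8T6) follows the STM32F10x flash programming manual. The three sample dumps are constructed, not captured from a scooter.

```python
"""Decode an STM32F1 option-byte block (constructed samples, added example).

Layout per the STM32F10x flash programming manual (PM0075): the 16 bytes at
0x1FFFF800 are (value, complement) pairs for RDP, USER, Data0, Data1 and
WRP0..WRP3. Read-out protection is OFF only when RDP == 0xA5; anything
else, including the erased value 0xFF, leaves main flash unreadable via SWD.
"""
from dataclasses import dataclass
from typing import Dict, List

OPTION_BYTES_ADDR = 0x1FFFF800
RDPRT_KEY = 0xA5
FIELDS = ["RDP", "USER", "Data0", "Data1", "WRP0", "WRP1", "WRP2", "WRP3"]

# Constructed sample dumps (what a 16-byte memory read at 0x1FFFF800 could look like).
UNLOCKED_DUMP = bytes.fromhex("a55a ff00 ff00 ff00 ff00 ff00 ff00 ff00")
PROTECTED_DUMP = bytes.fromhex("00ff ff00 ff00 ff00 ff00 ff00 ff00 ff00")
WRP0_DUMP = bytes.fromhex("a55a ff00 ff00 ff00 fe01 ff00 ff00 ff00")


@dataclass
class OptionBytes:
    fields: Dict[str, int]          # decoded value byte of each pair
    complement_ok: Dict[str, bool]  # nXXX == ~XXX & 0xFF for each pair

    @property
    def readout_protected(self) -> bool:
        # Any RDP value other than the key enables read-out protection.
        return self.fields["RDP"] != RDPRT_KEY

    def write_protected_pages(self) -> List[int]:
        """1 KB pages guarded by a cleared WRP bit (medium-density mapping:
        WRPn bit b covers pages 4*(8n+b) .. 4*(8n+b)+3; bit value 0 = protected)."""
        pages = []
        for n in range(4):
            bits = self.fields[f"WRP{n}"]
            for b in range(8):
                if not (bits >> b) & 1:
                    first = (n * 8 + b) * 4
                    pages.extend(range(first, first + 4))
        return pages


def decode_option_bytes(block: bytes) -> OptionBytes:
    if len(block) != 16:
        raise ValueError("expected the 16-byte option block")
    fields, ok = {}, {}
    for i, name in enumerate(FIELDS):
        val, comp = block[2 * i], block[2 * i + 1]
        fields[name] = val
        ok[name] = comp == (~val & 0xFF)
    return OptionBytes(fields, ok)


def summarize(block: bytes) -> str:
    """Human-readable verdict for a dumped block."""
    ob = decode_option_bytes(block)
    state = "READ-OUT PROTECTED" if ob.readout_protected else "readable"
    lines = [f"RDP=0x{ob.fields['RDP']:02X} -> {state}"]
    bad = [n for n, good in ob.complement_ok.items() if not good]
    if bad:
        lines.append("complement mismatch (option-byte load error): " + ", ".join(bad))
    wp = ob.write_protected_pages()
    lines.append(f"write-protected pages: {wp if wp else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, dump in [("unlocked", UNLOCKED_DUMP), ("protected", PROTECTED_DUMP),
                       ("wrp0", WRP0_DUMP), ("erased", b"\xff" * 16)]:
        print(f"--- {name}\n{summarize(dump)}")
```

If the RDP byte is anything but 0xA5, the firmware cannot be read out, but the chip is not bricked: reprogramming RDP back to 0xA5 is allowed and triggers a mass erase of main flash, so the result is the same as the "blank chip" in question 2, an empty MCU that accepts the .hex. The USER byte is left raw here since it only holds reset/watchdog settings.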
#53026
M20001 wrote:
Sat May 22, 2021 7:25 am
SneakX wrote:
Mon Dec 07, 2020 1:56 pm
the problem is that LIME has updated their controllers with a new security patch.
that's why it's not working
Hello, where do you have this information from?
Own experience and tests.
The old controller has 4 pins for the ST-Link and the flash patch worked.
Now on the newer controller (which is otherwise the same) the 4 pins are removed, and when you solder pins on and connect it to the ST-Link you can flash it, but you still get the error on the LIME LCD and it doesn't move. Sadly.
#53029
I don't think they made this "security patch" because of us; they simply updated the software to a newer version, and this newer one no longer has the bug that an unlocked motor controller can unlock a combox too.
(This can cause syncing errors between combox and controller while renting the scooter, so Lime fixed it.)

The missing pin header has a simple explanation too: the first scooters had it for debugging; now Lime knows that the software works, so they don't put the header on the PCB anymore, but the holes and the circuit are still there, so you can put a header in the holes and press it against the board with your finger to make contact, then you can flash the controller.

The problem now is that we would have to reflash the combox too to make the scooter operate offline.

But unfortunately, no one knows how to read out a combox with the old version and then flash the old software version onto another combox.

I don't think Lime spends the money to build dedicated locking mechanisms against private conversion into their scooters; only a few people convert scooters for private use, and most of those were legally obtained.

Compared to the "converters", the people who simply destroy the scooters on the street (vandalism) are a far bigger problem for Lime, and no software security helps there...

I still hope Lime gives us the possibility to own those scooters (sells them to private people) as soon as they roll out the next generation (already on the streets in Paris as far as I know), but I think this hope is useless...
#53031
Ok, I'm starting to understand the problem. So on newer scooters we can flash the controller, but the combox has been upgraded from V2_3_0_0 to V2_4_0_0 and because of that it's not working anymore, and since we can't extract the firmware from an old combox to put on a newer one, we are stuck... hmm...
Maybe we can emulate the behaviour of a combox (V2_3_0_0) on a newer scooter that has been patched with the unlocked firmware. Here is the idea:

What if:
1. We ask someone who has a working combox (V2_3_0_0) and a controller running the unlocked firmware to capture the traffic between the combox and the controller (black cable on the combox) on all six wires with a logic analyser.
2. Then write some code that runs on something like an Arduino Nano and replicates what we saw in the capture.
3. Replace the combox (V2_4_0_0) on the newer scooter with the Arduino Nano.

And maybe we can even reuse the display cable to connect it to a Raspberry Pi.

Do you think that could work?
#53032
I think the greenbox is there only to communicate between the ESC and the display & throttle, and to send the logic command to the ESC to unlock/lock.

I am pretty sure, because I have (had) a working old gen 3. The thing is, I put a lock switch on the negative battery wire, and some day after a lock/unlock sequence (by my mistake, within a second) I probably made a huge spike which probably burned the greenbox; now my scooter works only for about 30 seconds, then the throttle becomes unresponsive, the display only blinks "00", and there's a red light under the display...

Now I've ordered a new ESC with throttle and display from China...
#53033
Bug_meh wrote:
Sun May 23, 2021 10:05 am
[quotes post #53031 above in full]
I don't think you have a chance of being successful with this; as far as I know, the conversation between greenbox and ESC is secured with challenge-response (google it if you don't know what it is). The only way would be to reflash the combox with firmware from an older one, but I don't know how to dump and then flash the firmware of the combox.
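To make the objection concrete: the toy model below is an added example, not Lime's protocol and not code from this thread, showing the generic challenge-response pattern the reply refers to and why the logic-analyser-plus-Arduino plan from post #53031 fails against it. The ESC draws a fresh random challenge, the combox answers with an HMAC over it under a shared key, and the ESC unlocks only if the MAC verifies. A stand-in that replays one captured (challenge, response) pair has no key and so cannot answer a new challenge; the same replay works only when the challenge is not actually fresh, which the last scenario models with a stuck RNG. Key, message framing and the "unlock" label are all constructed assumptions.

```python
"""Toy challenge-response between an ESC and a combox (added example).

Models the generic scheme, not any real scooter protocol: the shared key,
the 16-byte nonce, the b"unlock" domain label and HMAC-SHA256 are assumptions.
"""
import hashlib
import hmac
import os


class Esc:
    """Motor-controller side: issues a fresh nonce, checks the keyed response."""

    def __init__(self, shared_key: bytes, rng=os.urandom):
        self._key = shared_key
        self._rng = rng          # injectable so a weak RNG can be modelled
        self._pending = None     # challenge currently outstanding, if any
        self.unlocked = False

    def challenge(self) -> bytes:
        self._pending = self._rng(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False                      # nothing outstanding to verify
        expected = hmac.new(self._key, b"unlock" + self._pending,
                            hashlib.sha256).digest()
        self._pending = None                  # every challenge is single-use
        self.unlocked = hmac.compare_digest(expected, response)
        return self.unlocked


class Combox:
    """Genuine peer: holds the same key, so it can answer any challenge."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, b"unlock" + challenge, hashlib.sha256).digest()


class ReplayBox:
    """Arduino-style stand-in that only owns one (challenge, response) pair
    taken from a capture and does not know the key."""

    def __init__(self, captured: tuple):
        self._response = captured[1]

    def respond(self, challenge: bytes) -> bytes:
        return self._response                 # cannot adapt to a new challenge


def run_session(esc: Esc, peer) -> bool:
    """One unlock attempt: ESC challenges, peer answers, ESC verifies."""
    return esc.verify(peer.respond(esc.challenge()))


def demo(shared_key: bytes = b"constructed-shared-key") -> dict:
    esc, combox = Esc(shared_key), Combox(shared_key)

    # 1. Sniff one genuine exchange, as the logic-analyser plan proposes.
    chal = esc.challenge()
    resp = combox.respond(chal)
    genuine_ok = esc.verify(resp)

    # 2. Swap the combox for a device that replays that capture.
    replay_ok = run_session(esc, ReplayBox((chal, resp)))

    # 3. Same replay against an ESC whose "random" challenge never changes.
    weak_esc = Esc(shared_key, rng=lambda n: b"\x00" * n)
    c2 = weak_esc.challenge()
    r2 = combox.respond(c2)
    weak_esc.verify(r2)
    weak_replay_ok = run_session(weak_esc, ReplayBox((c2, r2)))

    return {"genuine": genuine_ok, "replay": replay_ok,
            "replay_vs_fixed_nonce": weak_replay_ok}


if __name__ == "__main__":
    print(demo())
```

The replay only gets through in the third scenario, so a capture is worth checking for exactly that property: if the bytes the ESC sends before each unlock never change across sessions, there is no real challenge and a replay device can work; if they differ every time, the response depends on a secret the capture does not contain, and dumping the combox firmware is the remaining route, as the reply says.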