An Electric Scooter Community on a Mission to Stamp out Transportation Mediocrity.

Covers electric scooter models whether shared or for consumers.
By julien
#16364
Wow, you are lucky you don't have the black gum on the dashboard. Mine was completely frozen by this black jelly, and in the mainboard controller too. I needed to cut the mainboard with a Dremel and unfortunately I cut a component. I wrote to the stx company too; they said they have too much demand for this model and they cannot give an answer quickly. In parallel, I have a contact in China for controllers; I gave him photos and he asked, and the factory near him doesn't know this model of scooter. He thinks it's only for Europe.
I expect some news about parts because I need a controller and mainboard ;)
By basti256
#16494
I have also made some kind of "progress": I took a serial analyzer and logged the communication lines between the motor controller and the dashboard. I can't see too much in this communication.

I don't know what kind of communication it is. Is it I2C in 2 directions, is it JTAG, is it SPI???

I can't see a clear clock signal, maybe because I don't have enough experience in doing this.

You will find a download link for this file. You can download PulseView to make this measurement visible.

PulseView download (freeware):
https://sigrok.org/wiki/Downloads

PulseView record:
(removed the record)



It would be nice to see if someone can help decoding this communication.
Last edited by basti256 on Mon Oct 21, 2019 8:24 am, edited 1 time in total.
By basti256
#16614
Short Update:

I made it work!

Yesterday I had some time and spent it decompiling the signals going from the motor controller to the LCD and back.

I made some progress and I am able to send packets from the removed GPS module to the LCD to display whatever I want (numbers from 0 to 99). I am using an Arduino for it.

So actually I am able to wake up the bus and send information from the GPS module to the motor controller, and then to the LCD.

I will now try to get the motor controller starting, now that I know how and how fast it's communicating with the devices.
I don't know the command itself, but if necessary I'm brute forcing it....

Cheers,
Sebastian
By basti256
#16671
El cesse wrote:
Tue Oct 22, 2019 9:49 am
BE CAUTIOUS... Found this
https://scooter-unlock.eu , is this legit, can someone please explain if it is possible?

Regards
wow.... Good find.
I think this makes my work useless :lol: 60€ is a pretty good price for a fully working, end-user-friendly solution... I think I've spent more than 20hrs till now and I'm still far away from a usable solution :roll:
By El cesse
#16674
basti256 wrote:
wow.... Good find.
I think this makes my work useless :lol: 60€ is a pretty good price for a fully working, end-user-friendly solution... I think I've spent more than 20hrs till now and I'm still far away from a usable solution :roll:

So it is possible??
By basti256
#16727
El cesse wrote:
Wed Oct 23, 2019 3:06 am


wow.... Good find.
I think this makes my work useless :lol: 60€ is a pretty good price for a fully working, end-user-friendly solution... I think I've spent more than 20hrs till now and I'm still far away from a usable solution :roll:
So it is possible??
What can I say... It is possible, yes.
But reverse engineering is very time intensive as you don't have any plan of what's going on inside the scooter.
The scooter companies have a big interest in hiding any information about their scooters. I understand them. The "found" scooter rate would rise like crazy.
I'm not posting anything here till now because I'm very sure the scooter lenders are also reading here (it's the biggest platform for information).
And as soon as I put my solution on the web clearly written, they will change the firmware so my way is useless...


But back to your primary question, "is it possible?"
I think you mean my actual "status".
I'm actually very busy and don't really have time for this. Since my last post (where I managed to get the LCD doing what I want) I haven't made much progress. But I've maybe spent not more than 1.5 hrs.
I tried brute forcing into the scooter by using a webcam with motion detection and a program (of course with the right hardware) trying every combination in these packets that is possible.
The motion detection made two timestamps with two pictures. In these pictures you can see the LCD turned on.
But no light and nothing. I now have to calculate the time and, with this, the progress or the possible combinations for the moment the LCD turned on.

I will keep you updated.
If anyone here on the web can share any more information with me, like source code, an update file or anything, please share it with me! This will make my work so much easier!

Cheers,
Seb :mrgreen:
By hanz
#16766
basti256 wrote:
Thu Oct 24, 2019 2:31 am
If anyone here on the web can share any more information with me, like source code, an update file or anything, please share it with me! This will make my work so much easier!

Cheers,
Seb :mrgreen:
The only information I found so far is that the display uses an STM8S903K3 and the GPS module an nRF52840. The STM8 has an unpopulated SWIM header next to it (SWIM, RST, GND, VCC); unfortunately the ReadOut Protection is turned on.
The nRF has a TC2050 (10-pin Tag-Connect) header next to it, but there are far more pins connected than I could find in the reference schematics.
Unfortunately I was too late for your captured signal.
By basti256
#16779
hanz wrote:
Fri Oct 25, 2019 4:42 am

The only information I found so far is that the display uses an STM8S903K3 and the GPS module an nRF52840. The STM8 has an unpopulated SWIM header next to it (SWIM, RST, GND, VCC); unfortunately the ReadOut Protection is turned on.
The nRF has a TC2050 (10-pin Tag-Connect) header next to it, but there are far more pins connected than I could find in the reference schematics.
Unfortunately I was too late for your captured signal.
Thanks in advance for your info... this info was saved directly in my project folder :D

What I know about the chips used in the scooter:

LCD: STM8 (ST-Link), connected directly to the controller. Communication status: emulatable (charge in percent, switch on, switch off the LCD)

Controller: STM32L071, form factor: LQFP64 - 64 pins, 10x10mm (ST-Link)

Battery: STM32L071, form factor: LQFP32 - 32 pins, 7x7mm (ST-Link)
Details: Switches the Mass of the battery pack away. Communicates directly with the motor controller.

GPS Module: STM32F411, 64 pins
GSM: Quectel BG96
NEW INFO: BT module: BlueNRG-1 (ST-Link)

About the Bluetooth: Today I found out that there is a Bluetooth chip on the GPS module. Actually I'm trying to brute force into the scooter but I haven't made any new progress in this yet. It looks like there's no serious communication running from the GPS module to the controller...

Then I thought about a post from the very, very early stage of the project, where a user said that he found a Bluetooth connection on his phone called "tier"; he tried to connect but failed at entering the PIN...
So I looked over the GPS board again, removed the metal covers from the PCB and found this Bluetooth chip... now I have a new idea...

We know that Electisan is also selling its scooters on the web through 3rd party resellers like juicedbikes or sxt.
These normally sold scooters ALWAYS have the possibility to be connected to an app via BLUETOOTH...
With this app you can change the speed, turn it on or off, or you can see the status.
What if Tier just said: Hey, let's use this function, modify it a bit with another PIN or something, make the Bluetooth non-public and bam, we have a serious, very fast connection with the scooter without too much development, plus the possibility to update the scooter and to enable/disable it.
The Bluetooth chip is already the Low Power edition with the improved Bluetooth protocol, so sniffing is nearly impossible.
For me the only option would be (if we find the Bluetooth communication anyhow) to brute force the Bluetooth PIN. But this would be completely new to me.

Maybe someone has more knowledge of doing this.


So enough for today... enjoy the weekend :D