hanz wrote: Fri Oct 25, 2019 4:42 am
The only information I found so far is that the display uses an STM8S903K3 and the GPS Module an nRF52840. The STM8 has an unpopulated SWIM header next to it, SWIM, RST, GND, VCC; unfortunately the ReadOut Protection is turned on.
The nRF has a TC2050 (10 Pin Tag Connect) Header next to it, but there are far more pins connected than I could find in the reference schematics.
Unfortunately I was too late for your captured signal.
Thanks in advance for your info... this info was saved directly in my project folder.
What I know about the chips used in the scooter:
LCD: STM8 (StLink), connected directly to the controller. Communication status: emulatable (charge in percent, switch on, switch off the LCD)
Controller: STM32L071 Formfactor: LQFP64 - 64pin 10x10mm (StLink)
Battery: STM32L071 Formfactor LQFP32 - 32pin 7x7mm (StLink)
Details: Switches the Mass of the battery pack away. Communicates directly with the motor controller.
GPS Module: STM32F411 64 Pins
GSM: Quectel BG96
NEW INFO: BT module: BlueNRG-1 (StLink)
About the Bluetooth: Today I found out that there is a Bluetooth chip on the GPS module. Actually I'm trying to brute force into the scooter, but I haven't made any new progress on this yet. It looks like there's no serious communication running from the GPS module to the controller...
Then I thought about a post from the very, very early stage of the project, where a user said that he found a Bluetooth connection on his phone called "tier"; he tried to connect but failed at entering the PIN...
So I looked over the GPS board again, removed the metal covers from the PCB and found this Bluetooth chip... now I have a new idea...
We know that Electisan is also selling its scooters on the web through 3rd-party resellers like juicedbikes or sxt.
These normally sold scooters ALWAYS have the possibility to be connected to an app via BLUETOOTH...
With this app you can change the speed, turn it on or off, or you can see the status.
What if tier just said: Hey, let's use this function, modify it a bit with another PIN or something, make the Bluetooth non-public and bam, we have a serious, very fast connection with the scoot without too much development, the possibility to update the scooter and enabling/disabling.
The Bluetooth chip is already the Low Power edition with the improved Bluetooth protocol, so sniffing is nearly impossible.
For me the only option would be (if we find the Bluetooth communication anyhow) to brute force the Bluetooth PIN. But this would be completely new to me.
Maybe someone has more knowledge of doing this.
So enough for today... enjoy the weekend.