An Electric Scooter Community on a Mission to Stamp out Transportation Mediocrity.

Covers electric scooter models whether shared or for consumers.
#56586
Mick Ray wrote:
Mon Jul 20, 2020 6:47 pm
Today I tried to intercept data. I don't know if I did it right or wrong. I've created something like an extension cable, with RX and TX wires to read data (one wire should be enough but I have both of them). Connected there with an HC-05 and waited for data. I observed that the green box sometimes sends something. When I restarted the green box (strong magnet) I registered some data.
It's not as in TheJoker187's plan above. Maybe I did it the wrong way, but I tried.
So thinking that all is OK, I unlocked a Lime scooter (renting it), then the green box sent some data. I registered that there is a lot of data like: check id, serial, something like a reboot, and a command looking like enable scooter from earlier firmware. But sending it again to another patched controller doesn't work. It's like:

46 4316 61 00 03 F1 00 00 F8 AC

But... 4316 are "connected"; I don't know if it should be like that. In my app, hex fields stuck together mean something like a new line. Maybe it should be like this:

46 43 16 61 00 03 F1 00 00 F8 AC

Anyway, that command doesn't work for me. Maybe I did something wrong, or whatever. I attach a log file from the "unlocking" moment. There are my commands, lines preceded with a time (like: 13:02:43.779). So that's not the green box but mine, to separate some data and find that moment more easily.

Maybe someone can help?
File:
serial_20200720_130151.zip
Please someone send me the file to artin961@abv.bg, I have a scooter to test, and will report the results. Thank you in advance
#56924
There are several controllers in the off state... They respond to charging and show the percentage of charge, but do not turn on in driving mode... Nothing happens when GND, RX and TX are connected; when trying to connect via ST-Link v2, the chip is not detected by the program... 3.3 - 5 V is supplied on the blue wire... Help me figure it out... Maybe there is something to share? My mail is dim4ik1992@gmail.com
#57015
Hi, the communication protocol looks a lot like Modbus, but with some custom commands.
The device address and register address are 16 bit (2 bytes); the checksum at the end is also 16 bit.
From the old command that doesn't work after the update: 464316610001F1F28F
4643 is the address of the motor controller; every command to it starts with that
16 is a command to write a register
6100 is the address of the register
01 is the length of data to be written (1 byte)
F1 is the value to be written
F28F is the checksum calculated with CRC-16/XMODEM
The master (green box) sends the command and then the controller replies. If the last command was a write (16), the controller just replies it back to ACK it. If the command was a read (11), the controller replies with the data and the appropriate length. Maybe the command doesn't work because they made some sort of handshaking, like reading something dynamic from the controller, calculating something and writing it back.
I hope the information is helpful for somebody.
Maybe if someone could sniff the communication while renting the scooter more cleanly, with 2 serial RX ports on the 2 lines, from bootup to unlock, we could analyze it better.
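Added example (not part of any post in this thread, and not any poster's code): a decoder for sniffed frames in the layout post #57015 describes, which also checks the trailing CRC-16/XMODEM over all preceding bytes. The names `Frame`, `parse_frame` and `crc16_xmodem` are hypothetical, and the strict length check assumes every frame follows the write-command layout shown above.

```python
"""Decode captured frames in the layout from post #57015 (added example)."""
import struct
from typing import NamedTuple


class Frame(NamedTuple):
    device: int     # 16-bit device address (0x4643 = motor controller)
    opcode: int     # 0x16 = write register, 0x11 = read (per the post)
    register: int   # 16-bit register address
    data: bytes     # payload, sized by the 1-byte length field
    crc_ok: bool    # True if the trailing CRC matches the frame contents


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: poly 0x1021, init 0x0000, no reflection, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc


def parse_frame(hex_text: str) -> Frame:
    """Parse one hex-dumped frame; spacing between bytes is irrelevant."""
    raw = bytes.fromhex(hex_text)  # fromhex skips whitespace between bytes
    if len(raw) < 8:
        raise ValueError("frame shorter than 6-byte header plus 2-byte CRC")
    device, opcode, register, length = struct.unpack_from(">HBHB", raw)
    if len(raw) != 6 + length + 2:  # assumption: write-command layout
        raise ValueError(f"length field {length} disagrees with {len(raw)} bytes")
    (crc,) = struct.unpack_from(">H", raw, 6 + length)
    # The checksum covers everything before it, address bytes included.
    return Frame(device, opcode, register, raw[6:6 + length],
                 crc == crc16_xmodem(raw[:-2]))


if __name__ == "__main__":
    # The two frames quoted in the thread, exactly as posted.
    for dump in ("464316610001F1F28F", "46 4316 61 00 03 F1 00 00 F8 AC"):
        print(parse_frame(dump))
```

Both frames quoted in the thread pass the CRC check, so the "4316" in the capture is two separate bytes (43 16) that the logging app displayed without a space.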
#57407
Hello everyone,
I was trying to turn on the scooter for a couple of weeks, and finally I didn't manage to do it.
I've written a Python script which brute-forces the transmission, tried over 80 000 combinations, no luck.
Dumping the firmware didn't help either, ASM is black magic for me (still I'm not sure if it's the actual firmware).
I also noticed DataLen acts weird? Everything bigger than 0 gives the same results.

I'm on 1.8.5 fw

Here I'm leaving the bruteforce script, might help someone (or not):
https://gitlab.com/dani3l0/limesj2.5-stuff

Edit: fixed the script and now it works. My mistake that I haven't uploaded the right file as I had many of them.
Last edited by dani3l0 on Sun Jan 08, 2023 11:08 am, edited 1 time in total.