An Electric Scooter Community on a Mission to Stamp out Transportation Mediocrity.

Covers electric scooter models whether shared or for consumers.
User avatar
By Rick Sanchez
Posts LikeBB Avatar
#18669
I felt forced to open up a new topic since nobody seems to read the original post of mine and still a lot Jerries try their luck with random UART codes to deal with the ES400 claiming they don't work while ignoring the content I gave them To view images REGISTER or LOGIN for full access.

I caught a living ES400 and did a record on its logic states, as far as I had my process DIO0 of my record (yellow line) seems to be CAN low @250khz, DIO2 seems t be some kind of CAN hight but due to the fact that I can just set the threshold for all channels in common on my logic analyzer it can't interpret the CAN high 1 and 0 levels correctly because CAN High has different levels and I was running out of time for a second run because someone else was already ringing for the scooter To view images REGISTER or LOGIN for full access.

I had to upload my records outside the forum because they got too big to be uploaded here due to the high sample rates of 5Msamples/s. So here's the link:

https://www.file-upload.net/download-13 ... h.rar.html

It is compressed with Winrar, no PW and also includes pictures from the process. To open the record files use Waveforms that can be downloaded from Digilents website, it will run in demo mode without a piece of Digilents hardware attached but all decoder functions are available on the green little plus button even when the program sometimes is a pain in the ass to use by zooming in and scroll left/right. I you need measuring cursors take the buttons in the upper right corner of the logic window. Have much fun with decoding, I'll use my next few days to build a data logger that can be installed inside a living ES400 to sniff the signal they're using to unlock the battery compartment when changing the battery as soon as I found out what protocol the board in the lock mechanism speaks To view images REGISTER or LOGIN for full access.
And now let the race for the first unlocks begin To view images REGISTER or LOGIN for full access.
If you got questions let me know.
To view images REGISTER or LOGIN for full access.
Last edited by Rick Sanchez on Sat Jan 04, 2020 4:12 pm, edited 1 time in total.
UgloBuglo, MrSpriggs1, Nissan and 1 others liked this

User avatar
By MrSpriggs1
Posts LikeBB LikeBB Avatar
#18674
Hey Rick,
Have you thought about using an Arduino with a can bus decoder and SD Card. Maybe dedicated hardware solution is an better option. https://www.sparkfun.com/products/13262
If you throw in battery and some Posi-Taps you can just hookup and ride.

I built a UART version for the ES-200 and it worked nicely to monitor the TX
Rick Sanchez wrote:
Fri Jan 03, 2020 1:38 pm
I felt forced to open up a new topic since nobody seems to read the original post of mine and still a lot Jerries try their luck with random UART codes to deal with the ES400 claiming they don't work while ignoring the content I gave them To view images REGISTER or LOGIN for full access.

I caught a living ES400 and did a record on its logic states, as far as I had my process DIO0 of my record (yellow line) seems to be CAN low @250khz, DIO2 seems t be some kind of CAN hight but due to the fact that I can just set the threshold for all channels of my logic analyzer it can't interpret the CAN high 1 and 0 levels correctly and I was running out of time for a second run because someone else was already ringing for the scooter To view images REGISTER or LOGIN for full access.

I had to upload my records outside the forum because they got too big to be uploaded here due to the high sample rates of 5Msamples/s. So here's the link:

https://www.file-upload.net/download-13 ... h.rar.html

It is compressed with Winrar, no PW and also includes pictures from the process. To open the record files use Waveforms that can be downloaded from Digilents website, it will run in demo mode without a piece of Digilents hardware attached but all decoder functions are available on the green little plus button even when the program sometimes is a pain in the ass to use by zooming in and scroll left/right. I you need measuring cursors take the buttons in the upper right corner of the logic window. Have much fun with decoding, I'll use my next few days to build a data logger that can be installed inside a living ES400 to sniff the signal they're using to unlock the battery compartment when changing the battery as soon as I found out what protocol the board in the lock mechanism speaks To view images REGISTER or LOGIN for full access.
And now let the race for the first unlocks begin To view images REGISTER or LOGIN for full access.
If you got questions let me know.
To view images REGISTER or LOGIN for full access.

User avatar
By Rick Sanchez
Posts LikeBB Avatar
#18688
@MrSpriggs1 Yes I thought about that but solved it much more simple today. Now I made some own adapters that are plugged between the original battery compartment lock (the red connector), the ESC (the black/green connector) and the IOT module that provide taps to all lines. My datalogger isn't ready yet but I noted the scooters serial to find it again in the app (there are just around 75 scooters running in the area I'm dealing with)........It's a strange feeling converting a scooter that's still on bussiness into an "undercover agent" To view images REGISTER or LOGIN for full access.
My only problem is that I'm running out of time because I have to travel back to work tomorrow and from there I might end up proceed working every second weekend on it. I'm working in a different country than the one I'm living in and I need the other weekends to learn the language, running around there speaking english,german and french only is no option for the future To view images REGISTER or LOGIN for full access.

I'll order a CAN decoder, a GPS receiver and a LoRa-Wan set next and I'll try to make a remote sniffing box that can be installed inside the steering bar below the IOT module. If I set up a repeater in the city where it'll be installed I might be able to receive it from work because it is just a few hundred miles from here. (I would like to see the faces of the guys who will find this one day To view images REGISTER or LOGIN for full access.
)
UgloBuglo, SneakX liked this


User avatar
By Rick Sanchez
Posts LikeBB Avatar
#18713
@funbag hooking onto the data service of the SIM would make the scooter suspicious in the system what I don't want and I want the lowest invasive method that can be removed in a few minutes just in case someone will catch me to hold the argument that I was just experimenting and haven't physically damaged anything or caused exzessive expenses. The SIMs are for IOT purpose only so I don't expect them to have big flatrate capacity....maybe they're just designed to use M2M or SMS, who knows. I just did a test with a Lime SIM late summer 2019 that I extracted from a scooter that took a bath in the harbour (Whoever tosses them in there is a Moron in my eyes) and pushed it into an old tablet that I had laying around as "burndevice" and it just took them 24h to deactivate the access.

User avatar
By Rick Sanchez
Posts LikeBB Avatar
#18714
By the way, if anyone got a good e-book about CAN BUS basics in English, French or German let me *buuuurrrbbb* know.....Latin would be interesting also but I don't expect something like that to exist To view images REGISTER or LOGIN for full access.

User avatar
By Aquaman
Posts Avatar
#18717
Maybe a little off topic but here it goes To view images REGISTER or LOGIN for full access.


What's the purpose of "powerPin" in the code below; has it been used in other schematics with enable-pin/wire connected to pin 5 or what's the deal?
Any difference in codes or does this work on all Okai, electrisan, Tier(besides es400), Voiager 1/1.1/2 ?
What's the difference between voiager 1.1 and voiager 2?
Code: Select all
#include <Arduino.h>

int powerPin = 5;
byte messageA[] = {0xA6, 0x12, 0x02, 0x10, 0x14, 0xCF};
byte messageB[] = {0xA6, 0x12, 0x02, 0x11, 0x14, 0x0B};
byte messageC[] = {0xA6, 0x12, 0x02, 0x15, 0x14, 0x30};

void setup() {
  // initialize Serial:
  Serial.begin(9600);

  pinMode(powerPin, OUTPUT);
  digitalWrite(powerPin, HIGH);

}

void loop() {
  delay(500);
  Serial.write(messageC, sizeof(messageC));
}

On Topic
I read this in the other thread ( viewtopic.php?f=56&t=6284&start=170#p18387 ), does it mean that it is UART when booting and switches over to CAN after a while or something else?
Is it only ES400 that have CAN bus?
Rick Sanchez wrote:
Tue Dec 24, 2019 1:14 am
Hey my Glip Glops, ol grandpa Rick C-137 is back. Merry fucking christmas "buuurrrrb". I was stuck on Gazorpazorp with no juice left on my portalgun while I had a "buuurrrrbb" breakthrough on one of the first readout that was plausible decoding from the ES400 (that is quite hard to find on foreign planets To view images REGISTER or LOGIN for full access.
)
To view images REGISTER or LOGIN for full access.

In the pic you can see a "burrrrbb" pack of 42 bytes in the boot process of the IOT board communicating down to the ESC. Surprisingly it is not CAN like we expected it is still UART with 9,6kbit/s. In the next days I might hit on the next herd of "buuuuuuuurrrbb" ES400s with my travelling laboratory and with enough time to start the readout of the unlock and lock sequence, so keep beeing horny for that To view images REGISTER or LOGIN for full access.

AND NOW ENJOY YOUR PRESENTS, TO BE DRUNK AND TO KICK THE ASSES OF YOUR JERRIES To view images REGISTER or LOGIN for full access.


User avatar
By SneakX
Posts Avatar
#18722
I have a funny idea. would be interesting if that works (maybe i can test that out soon if i had more time)
just use an ES200 Controller and change it with the ES400 Controller.
then upload the code into the Arduino and unlock the scooter. To view images REGISTER or LOGIN for full access.

because of the changeable battery, you can drive much longer.
i have 3 batterys and one inside the Scooter.
4 pcs. so.. one battery can 35km... that means with 4.. 140km. (okay, it depends on the weight.. so i can drive 100 - 120km. To view images REGISTER or LOGIN for full access.

User avatar
By UgloBuglo
Posts LikeBB LikeBB Avatar
#18723
SneakX wrote:
Mon Jan 06, 2020 10:44 am
I have a funny idea. would be interesting if that works (maybe i can test that out soon if i had more time)
just use an ES200 Controller and change it with the ES400 Controller.
then upload the code into the Arduino and unlock the scooter. To view images REGISTER or LOGIN for full access.

because of the changeable battery, you can drive much longer.
i have 3 batterys and one inside the Scooter.
4 pcs. so.. one battery can 35km... that means with 4.. 140km. (okay, it depends on the weigh.. so i can drive 100 - 120km. To view images REGISTER or LOGIN for full access.
Before you do anything, be aware of that ES-400 uses 13S battery as opposed to 10S of ES-200... don't blow anything up!
SneakX, Rick Sanchez liked this

I was able to solve the 3 short 1 long red blink b[…]

AWESOME!! Thanks for taking the time effort to car[…]

GPS Bird scooter HACK

Prosím mám problém lime S[…]

Those are the same dashboards in the Lime SJ2.5 a[…]