Re: [TUT] How to unlock your Electisan Tier or Dott scooter *Alpha*
Posted: Fri Mar 20, 2020 5:32 am
Update !
#include <Arduino.h>

void setup() {
  // initialize all three serial ports:
  Serial.begin(9600);  // pc
  Serial1.begin(9600); // iot device
  Serial2.begin(9600); // esc (speed controller)
  delay(250);
}

void loop() {
  // read from port 1 (IOT), send to port 0 (PC) & 2 (ESC):
  if (Serial1.available() > 0) {
    // buffer sized to the number of bytes waiting right now
    byte inIotBytes[Serial1.available()];
    for (size_t i = 0; i < sizeof(inIotBytes); i++) {
      inIotBytes[i] = Serial1.read();
    }
    Serial2.write(inIotBytes, sizeof(inIotBytes));
    Serial2.flush();
    // say what you got:
    Serial.println();
    Serial.write(inIotBytes, sizeof(inIotBytes));
    delay(50); // give the ESC some time for reply...
  }

  // read from port 2 (ESC), send to port 0 (PC) & 1 (IOT):
  if (Serial2.available() > 0) {
    // buffer sized to the number of bytes waiting right now
    byte inBytes[Serial2.available()];
    for (size_t i = 0; i < sizeof(inBytes); i++) {
      inBytes[i] = Serial2.read();
    }
    Serial1.write(inBytes, sizeof(inBytes));
    Serial1.flush();
    // echo the raw bytes to the PC as well:
    Serial.println();
    Serial.write(inBytes, sizeof(inBytes));
    delay(50); // short pause before polling again
  }
}
funbag wrote: ↑Thu Mar 12, 2020 3:28 pm
Everything is encrypted in one way or another. But we were still able to retrieve the unlock codes, mainly due to the fact that communication between IoT and ESC could be read. Same can hopefully go for the keep alive challenge.
STM32 in the IoT box has read protection, but the serial flash feeding data to it has not. The STM32 probably has write protection as well so it's not just a matter of re-flashing it. Sorry, I don't believe it's the easiest solution.
I'm still highly interested in the Rx/Tx data sent between IoT box and ESC. Hopefully things can be found there.
fernlop wrote: ↑Thu Mar 12, 2020 10:11 am
The security codes are encrypted.
There is no way to duplicate this, the GPS Box STM32 Chip has read out protection.
You would need to write new software for the STM32 inside the motor controller.
We should focus on this.
This way everything would get much easier.
Would be interesting to see the doc! Assuming that codes look exactly the same.
Reflashed with original firmware? Do you have the firmware dump?
solarwasser wrote: ↑Fri Mar 20, 2020 2:32 pm
I wanted to grab the timestamps with the recording terminal (CoolTerm) but thought of counting Ticks of Arduino too.
I will go to get a Tier for recording now.