An Electric Scooter Community on a Mission to Stamp out Transportation Mediocrity.

Covers electric scooter models whether shared or for consumers.
#14161
Ok fellas. Reveal time for the Lime SJ2.5. The following information is only tested on one FW version (try it out and tell us on which ones it is working on).

First of all I want to say thanks for the people who shared the pinouts and identified signals which made the "investigation" easier.

This is not Ninebot, so maybe this post is not the correct place for it... But I do not want to litter the forum. - Post got moved

I really did not want to post this information because of people who "find" their scooters and decide that is time for them to go become a personal scooter...
But for this kind of "hack" there is an easy fix from Lime... They can do a mass update for the scooters that are still in service and these commands will become useless. I had so many ideas while working on this scooter how they could improve their product to make my life harder To view images REGISTER or LOGIN for full access.


FOR THOSE WHO WILL FIGURE OUT HOW TO COMBINE THE MESSAGE, DO NOT POST IT

I am not going to post a complete solution it is up to you to figure out how to implement it, but I will post what I have found through my analysis and guestimation.

First of all the dash communication (could be used to connect the dash to third party motor controllers):

Command composition:
"Add" "Unk#1" "Unk#2" "Err "ChgMd" "Unk#3" "ChgLvl" "Spd" "DrvMd" "Hdlt" "HdltMd" "Chk"

  • Add Address Byte UI was only echoing the commands sent when this part was 02 so it was assumed that this is address
  • Unk#1 Unknown Byte I did not manage to figure out the purpose of this
  • Unk#2 Unknown Byte I did not manage to figure out the purpose of this
  • Err Error Code Byte If here is anything other than 00 UI displays E and the code sent
  • ChgMd Charge Mode Byte When this is set to 01 batery symbol is blinking and battery charge level is displayed numerically. If not charging this is set to 00
  • Unk#3 Unknown Byte I did not manage to figure out the purpose of this
  • ChgLvl Charge Level Word This is the charge level which is represented as battery bars when driving and numerically when charging. Max value: 3E7 HEX = 999 DEC = 99.9%
  • Spd Speed Word Speed value. Math behind this is quite odd. It seems that some kind of constant aproximatelly 2250 DEC is divided by Spd 'HEX' and after ditching the remainder represented as 123 'DEC' = 12.3 km/h
  • DrvMd Drive Mode Byte When F0 and ChgMd is 00 display is off. When F1 and ChgMd is 00 display is on and displaying speed
  • Hdlt Headlight Byte When 00 headlight is off. When 80 headlight is on
  • HdltMd Headlight Mode Byte When 00 and Hdlt is 80 headlight is lit constantly. When 80 and Hdlt is 80 headlight is blinking.
  • Chk CheckSum Byte This is a simple checksum. All command bytes are simply XOR'ed. If you are getting echo, then the CheckSum is correct
And the motor controller:

Command composition:

"MotCtrlAdd" "DevAdd" "RW" "Command" "Unk#1" "DataLen" "[DATA]" "Chk"
  • MotCtrlAdd Motor controller address Well the commands "work" when this is 0x46, constant
  • DevAdd Device address This might be an identificator for a GSM/GPS board or a diagnostics tool??? But 0x43 works
  • RW Read Write As far as I can understand if this byte is 0x11 then it is read and if it is 0x16 then it is write
  • Command Command This points to an actual dataset in the controller... I guess
  • Unk#1 Unknown No idea what is this, maybe reserved for longer messages? what works is 0x00
  • DataLen Data length Length in bytes of the data sent/received
  • [DATA] Actual data DataLen bytes of data
  • Chk Checksum Two bytes of checksum of the whole message. It seems to be CRC-16 with polynomial of 0x1021



Responsive commands:

0x11
0x12 - Headlight controll data length 0x01. 0xF1 - Light ON, 0xF0 - Light OFF
0x13
0x14 - Returns FW version
0x18 - Returns HW version
0x20 - Some kind of ID?
0x21 - Prints "REBOOT", but does it?
0x40
0x41
0x42
0x44
0x61 - The Candy! Data length 0x01. Data 0xF1 Enables motor controller. Data 0xF0 Disables motor controller.
0x63 - "Lock" Data length 0x01. Data 0xF1 Enables lock mode of motor. And I guess this mode is disabled with motor controller enable?
0x71 - "Timer"??? Always increasing
0x72
0x81
0x90
0x93
0xB0
0xB1
0xF1
0xF2
0xF3

Combine with previous information in this topic where to connect what. Create an Immobilizer device, for example an Arduino with a button or a key (as I have done). Or maybe a bluetooth module and an Android app? Oooor a laptop stuck to the scooter with duct tape and you type in the commands. To view images REGISTER or LOGIN for full access.
Your fantasy is the limit To view images REGISTER or LOGIN for full access.


I guess I will not be updating this information soon, because I made the scooter go and had to give it back.

Happy scooting

Edit: Ok, as this got moved. I am reffering to the information posted on viewtopic.php?f=56&t=962
Last edited by ZipperZ on Thu Oct 03, 2019 2:22 am, edited 3 times in total.
fdaremi, tokala, Paul SAVOYE and 4 others liked this

#14169
What firmware is this tested on?
I would assume the latest version?

Honestly don't think like will be able to flash the firmware over GPS to combat this. Juicers would manually have to update the scooter imo.but tbh I reckon it would require a full hardware upgrade

#14178
Sa902 wrote:
Fri Aug 16, 2019 9:55 pm
What firmware is this tested on?
I would assume the latest version?

Honestly don't think like will be able to flash the firmware over GPS to combat this. Juicers would manually have to update the scooter imo.but tbh I reckon it would require a full hardware upgrade
I do not know if it is latest, i guess not. Because the scooter I was working on had to stay in impound for a while, because the battery was at ~9V

I can assure you they can To view images REGISTER or LOGIN for full access.
And they are doing updates, not to make things confusing they are doing it over LTE
Paul SAVOYE liked this

#14261
ZipperZ wrote:
Sat Aug 17, 2019 3:17 am
Sa902 wrote:
Fri Aug 16, 2019 9:55 pm
What firmware is this tested on?
I would assume the latest version?

Honestly don't think like will be able to flash the firmware over GPS to combat this. Juicers would manually have to update the scooter imo.but tbh I reckon it would require a full hardware upgrade
I do not know if it is latest, i guess not. Because the scooter I was working on had to stay in impound for a while, because the battery was at ~9V

I can assure you they can To view images REGISTER or LOGIN for full access.
And they are doing updates, not to make things confusing they are doing it over LTE

Hey,thank's for your job, to send code we just have to connect tx rx with an arduino ?

#14262
Paul SAVOYE wrote:
Mon Aug 19, 2019 5:52 am
ZipperZ wrote:
Sat Aug 17, 2019 3:17 am
Sa902 wrote:
Fri Aug 16, 2019 9:55 pm
What firmware is this tested on?
I would assume the latest version?

Honestly don't think like will be able to flash the firmware over GPS to combat this. Juicers would manually have to update the scooter imo.but tbh I reckon it would require a full hardware upgrade
I do not know if it is latest, i guess not. Because the scooter I was working on had to stay in impound for a while, because the battery was at ~9V

I can assure you they can To view images REGISTER or LOGIN for full access.
And they are doing updates, not to make things confusing they are doing it over LTE

Hey,thank's for your job, to send code we just have to connect tx rx with an arduino ?

How about using ftdi to send the code?
To view images REGISTER or LOGIN for full access.


#14265
fdaremi wrote:
Mon Aug 19, 2019 6:03 am
Paul SAVOYE wrote:
Mon Aug 19, 2019 5:52 am
ZipperZ wrote:
Sat Aug 17, 2019 3:17 am


I do not know if it is latest, i guess not. Because the scooter I was working on had to stay in impound for a while, because the battery was at ~9V

I can assure you they can To view images REGISTER or LOGIN for full access.
And they are doing updates, not to make things confusing they are doing it over LTE

Hey,thank's for your job, to send code we just have to connect tx rx with an arduino ?

How about using ftdi to send the code?
To view images REGISTER or LOGIN for full access.
Anything with TTL serial (3.3V) will work. Arduino, FTDI, CH340, CP2102, bluetooth-serial adapters.
As @tokala told two data lines and gnd. And also as it was discussed in viewtopic.php?f=56&t=962 enable signal (3.3V) will also be needed.
galaksy2001 liked this

#14267
ZipperZ wrote:
Mon Aug 19, 2019 6:25 am
fdaremi wrote:
Mon Aug 19, 2019 6:03 am
Paul SAVOYE wrote:
Mon Aug 19, 2019 5:52 am



Hey,thank's for your job, to send code we just have to connect tx rx with an arduino ?

How about using ftdi to send the code?
To view images REGISTER or LOGIN for full access.
Anything with TTL serial (3.3V) will work. Arduino, FTDI, CH340, CP2102, bluetooth-serial adapters.
As @tokala told two data lines and gnd. And also as it was discussed in viewtopic.php?f=56&t=962 enable signal (3.3V) will also be needed.
Do you mean short 36v pin with the last pin ? To enable 3.3v ?
3.3v signal is tx and rx right ?
Thank's

#14268
Paul SAVOYE wrote:
Mon Aug 19, 2019 7:31 am
ZipperZ wrote:
Mon Aug 19, 2019 6:25 am
fdaremi wrote:
Mon Aug 19, 2019 6:03 am


How about using ftdi to send the code?
To view images REGISTER or LOGIN for full access.
Anything with TTL serial (3.3V) will work. Arduino, FTDI, CH340, CP2102, bluetooth-serial adapters.
As @tokala told two data lines and gnd. And also as it was discussed in viewtopic.php?f=56&t=962 enable signal (3.3V) will also be needed.
Do you mean short 36v pin with the last pin ? To enable 3.3v ?
3.3v signal is tx and rx right ?
Thank's
No, no shorting, because you will fry the motor controller... It seems to be a bit tolerant, because it does not get damaged instantly. But you need to supply 3.3V to the enable signal. Seperate voltage step down supply could be used for that (On ebay I have found LM2596HVS which supports that high input.

#14329
This is the pins I'm using on my Nano.

PIN 3 - Motor controller Blue wire
PIN 10 - Serial RX (motor controller yellow wite)
PIN 11 - Serial TX (motor controller green wire)
GND - motor controller black wire

** NOTE!!! ** There be Dragons!
The red wire from the motor controller is 36V.
You will need to use a voltage regulator to run the Arduino
or use the 4V from the regulator in the green box.
fdaremi, Paul SAVOYE, galaksy2001 and 1 others liked this

  • 1
  • 2
  • 3
  • 4
  • 5
  • 13
Cheap Ninebot ES4 Legit or not?

I have BRand New in box Legit Fold-able ES4 but a[…]

Hello everyone, I am new here, and to scooter mo[…]

Ninebot ES4 and SN Models for sale

@ayoslim Do you have any underbody lights?

M365 dual motor

I found that the rear was a little on the flim[…]