#19277
On my side I listened to the serial port between the GPS and the ESC on a running ES100.
I did this using an Arduino Nano converted to a USB-Serial adapter (with this method, the data is received on the pin indicated TX, it's normal).
So I got a dump of the information sent to the ESC on a patched scooter.

This method allows sniffing without cutting the link, without the risk of being unmasked. I then put the scooter back on the street and a user came to pick it up.


Here are the first frames:
A6 12 02 A0 01 6F
A6 12 02 A1 01 AB
A6 12 02 A1 01 AB
A6 12 02 A5 01 90 (x 20)
...

What I'm seeing is that every 10 seconds a "weird" sequence is sent to the ESC.
At the moment I don't share this information as it may contain scooter specific data that could betray me.
Pata27 is already working on it.

On an Android device (with USB-OTG) you can use : https://play.google.com/store/apps/deta ... b_terminal
#19279
Can't really wrap my head around this. :shock:

How is it possible that you can use the TX pin for Receiving data?
Tx is Transfer pin (from Arduino)
And
Rx is Receiving pin (To Arduino), right?

https://www.arduino.cc/en/pmwiki.php?n=Reference/Serial
To use them to communicate with an external TTL serial device, connect the TX pin to your device's RX pin, the RX to your device's TX pin, and the ground
https://copperegg.zendesk.com/hc/en-us/ ... rk-Charts-
TX and RX are abbreviations for Transmit and Receive, respectively. Note that these metrics are referenced to the server being monitored; Transmit FROM this server, and Receive TO this server.
DFTC wrote:
Mon Jan 20, 2020 8:32 am
On my side I listened to the serial port between the GPS and the ESC on a running ES100.
I did this using an Arduino Nano converted to a USB-Serial adapter (with this method, the data is received on the pin indicated TX, it's normal).
So I got a dump of the information sent to the ESC on a patched scooter.

This method allows sniffing without cutting the link, without the risk of being unmasked. I then put the scooter back on the street and a user came to pick it up.


Here are the first frames:
A6 12 02 A0 01 6F
A6 12 02 A1 01 AB
A6 12 02 A1 01 AB
A6 12 02 A5 01 90 (x 20)
...

What I'm seeing is that every 10 seconds a "weird" sequence is sent to the ESC.
At the moment I don't share this information as it may contain scooter specific data that could betray me.
Pata27 is already working on it.

On an Android device (with USB-OTG) you can use : https://play.google.com/store/apps/deta ... b_terminal
#19285
Rick Sanchez wrote:
Sat Jan 18, 2020 7:43 am
I could sacrifice a moment in my RV lab before we started our trip to the airport but things don't seem to work out for me with the ESP32 project, even with the final branch... and something seems to be wrong in the final revision because pin 13 is running wild :shock: . The ESP32 sends signals without any loop and no code pattern I can recognize. I marked the unlock and lock event as start and stop in the pictures and included the logic record that can be opened as always with Waveforms from Digilent
As soon as I'm back I'll try my luck in using one of those Heltec 8266s ESPs with OLED.
I'll try to follow you guys up in the next two weeks but I can't make promises at the moment, otherwise I'll be back next month :) *lastwavebeforeliftoff*
ttl 5 v arduino / ttl 3 v esp32 ?
#19289
Aquaman wrote:
Mon Jan 20, 2020 1:37 pm
Can't really wrap my head around this. :shock:

How is it possible that you can use the TX pin for Receiving data?
Tx is Transfer pin (from Arduino)
And
Rx is Receiving pin (To Arduino), right?

:lol:

In this case, the Atmel controller is shut off (by putting the RESET pin to the Ground). The goal is to use the internal USB-Serial adapter only, the famous CH340.
In the normal way, the CH340 chip talks with the Atmel chip using serial TX/RX. If I connect something to the TX pin of the Atmel, I'm also connected to the RX pin of the CH340. :geek:
#19290
Bono wrote:
Tue Jan 21, 2020 2:01 am
Welcome back,
I can help you with something, what do you need to know

Let me ask you a question:
The scooters have been patched and they lock automatically every two minutes.
I've made some captures and there are unknown frames every 5s I think.
Do you have any info on those frames? Are they security related? (rolling code, MD5 hash...?)
I haven't been able to do a 2 minute capture yet, there may be other specific frames.
#19291
Bono wrote:
Tue Jan 21, 2020 2:01 am
Welcome back,
I can help you with something, what do you need to know
Well, if you are willing to share knowledge then perhaps you could look into the ES-400 thread since your Parrot tool claims to be able to unlock those. :)

[edit]
Apparently not anymore, I know I saw it yesterday on your website though :(
[/edit]
#19300
hi there!

I've bought the kingfisher box of scooter unlock and I have the common problem that the scooter shuts down after 2:06 minutes. I could freak out, because I've legally bought the mytier scooter - twice - for my wife too and I don't want to be tracked by TIER. That's the reason why I want to set it free.

Am I right that there is no solution for the patched ESC yet, if I read all this?

What can I do now with my ES-200G?

Thank you in advance for an answer.
#19301
DFTC wrote:
Tue Jan 21, 2020 2:42 am
Bono wrote:
Tue Jan 21, 2020 2:01 am
Welcome back,
I can help you with something, what do you need to know

Let me ask you a question:
The scooters have been patched and they lock automatically every two minutes.
I've made some captures and there are unknown frames every 5s I think.
Do you have any info on those frames? Are they security related? (rolling code, MD5 hash...?)
I haven't been able to do a 2 minute capture yet, there may be other specific frames.
Yes, I saw your dump (not sure if it was real or spoofed?), if it was real, according to my calculation it looks like a different light state. So e.g. 20x code without light + 1 time "frame" with light.
However I can see that your calculation method for ES-200 HEXes is different so... WE need to check it somehow