#20213
OK, I took an Arduino Mega and built a serial MITM device to quickly attach to the Tier or Dott scooter.


The Arduino receives the TX of the IoT on Serial1 (RX) and passes it to the ESC connected to Serial2 (TX).
Then it receives the data from the ESC on Serial2 (RX) and passes it to the IoT via Serial1 (TX).
It also sends the received data on the USB serial line, separated by newlines.
If you have any ideas feel free to let me know.

And here is the code (untested right now)
https://create.arduino.cc/editor/solarw ... e8/preview
#include <Arduino.h>

// Serial MITM for the IoT <-> ESC link, running on an Arduino Mega:
//   Serial1: IoT box   (Mega pins 19 RX / 18 TX)
//   Serial2: ESC       (Mega pins 17 RX / 16 TX)
//   Serial : USB to the PC, logging only
//
// Both sides talk at 9600 baud. Each call to forwardChunk() moves whatever is
// currently waiting in one RX buffer to the other side unchanged, then echoes
// the same bytes to the PC, one chunk per line.

const unsigned long BAUD = 9600;
const size_t BUF_SIZE = 64;      // same size as the hardware serial RX buffer
byte buf[BUF_SIZE];              // fixed buffer instead of a variable-length array

// Drain `from` into buf (at most BUF_SIZE bytes), forward to `to`, echo to PC.
// Returns the number of bytes moved.
size_t forwardChunk(HardwareSerial &from, HardwareSerial &to) {
  size_t n = 0;
  while (from.available() > 0 && n < BUF_SIZE) {
    buf[n++] = (byte)from.read();
  }
  if (n > 0) {
    to.write(buf, n);
    to.flush();                  // wait until the bytes have actually left the UART
    Serial.println();            // newline separates chunks on the PC side
    Serial.write(buf, n);        // raw bytes, exactly as received
  }
  return n;
}

void setup() {
  // initialize all three serial ports:
  Serial.begin(BAUD);   // pc
  Serial1.begin(BAUD);  // iot device
  Serial2.begin(BAUD);  // esc (speed controller)
  delay(250);
}

void loop() {
  // read from port 1 (IoT), send to port 0 (PC) & 2 (ESC):
  if (forwardChunk(Serial1, Serial2) > 0) {
    // give the ESC some time to reply; at 9600 baud ~48 bytes can arrive in
    // 50 ms, which still fits the 64-byte RX buffers on both ports
    delay(50);
  }

  // read from port 2 (ESC), send to port 1 (IoT) and echo to the PC:
  forwardChunk(Serial2, Serial1);
}
By the way, this code is under the do-what-you-want-with-it license. Get rich or kill people with it, you are allowed to ;)

I am going to record the complete communication. Do you guys have wishes for special situations to record?
#20215
Great work solarwasser! That's the setup we need.

I'm mainly interested in Tier's scooter, but perhaps Dott uses the same communication?

Anyhow, it's important to get the timestamps to match TX commands with RX responses for both ESC and IoT, unless you have a way of sorting them accordingly (I couldn't see such a grouping in your code, though).

The only way to get the information we need is to take the real data from a live rental scooter (ES200 model). Any plans to do that?

The situation we want to capture is to start/unlock the scooter (we already know the codes) and let it run for around 5 minutes. The problem today is that it shuts down after approx. 2 minutes, probably due to unknown data sent from the IoT to the ESC on rentals.
#20219
The unlock and control codes were not encrypted, we just needed to find out what they mean.
The "security code" that is sent always changes, and I read about an encryption the STM32 used that generated an output that looks exactly like the codes we see. But I can't find the doc right now.

About flashing the STM32, it is possible; they only have read protection level 1, no write protection. I successfully reflashed the chip of the IoT, but that doesn't do anything now.

Here are some sequences from a working Tier scooter, validated with CRC8:
7A120A88D7CF933CBF6BA813281F
7A120A61C619B3A9E693590D27FF
7A120A784C86677C583F86FA1E73
7A120ADE3CD09FA2D8337585348D
7A120AA02DE9EF70F1571469004E
7A120AD958030FE53C7769471FEA
7A120A380A105B306AF311EB3E4A
7A120A008BA313B4F31FA4370038
7A120A8FF936C34B216F4DA61700
7A120AAA962A13AA6E1B8F051022
7A120AB91CAF9F451023BD830F8C
7A120A65AAAD832D4227A22E2B35
7A120ACAFDF383CEC503AB52024C
7A120AC8BB3B93CCA3E7BCE728DE
7A120A0084A69FDCF8C7D89426E8
7A120AA8613D6F7B4675FFFEA612 // invalid CRC8!
7A120A3063A7EB3CEBDB5FE40074
7A120A33ADE29F7B392F6CEB034C
funbag wrote:
Thu Mar 12, 2020 3:28 pm
Everything is encrypted in one way or another. But we were still able to retrieve the unlock codes, mainly due to the fact that communication between IoT and ESC could be read. Same can hopefully go for the keep alive challenge.

The STM32 in the IoT box has read protection, but the serial flash feeding data to it has not. The STM32 probably has write protection as well, so it's not just a matter of re-flashing it. Sorry, I don't believe it's the easiest solution.

I'm still highly interested in the Rx/Tx data sent between IoT box and ESC. Hopefully things can be found there.
fernlop wrote:
Thu Mar 12, 2020 10:11 am
The security codes are encrypted.
There is no way to duplicate this, the GPS box STM32 chip has read-out protection.
You would need to write a new software for the STM32 inside the motor controller.
We should focus on this.
This way everything would get much easier.
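Two things this thread keeps coming back to are checking the posted frames against their CRC8 (the list above) and, as asked in #20215, tagging every logged chunk with a timestamp and direction so IoT commands can be matched to ESC replies. The Python below is an added example, not code from the thread, from Tier or from Dott: it splits a raw capture into frames, tries the catalogued CRC-8 variants against six of the posted frames to see which (if any) reproduces the trailing byte, and pairs timestamped commands with responses. The frame layout it assumes (0x7A start byte, a type byte, a payload-length byte, the payload, one CRC byte) is a hypothesis fitted to the 14-byte frames above, not something established in the thread; the timestamped log in the demo is constructed and its directions are assigned arbitrarily.

```python
# Offline helpers for the IoT <-> ESC serial captures discussed in this thread.
# Added example, not code from the thread, Tier or Dott.  Lines marked ASSUMPTION
# are working hypotheses, not facts established in the thread.

# Six of the frames posted in the thread (hex as given) plus the one flagged there
# as failing the CRC8 check.
GOOD_FRAMES = [bytes.fromhex(h) for h in (
    "7A120A88D7CF933CBF6BA813281F", "7A120A61C619B3A9E693590D27FF",
    "7A120A784C86677C583F86FA1E73", "7A120ADE3CD09FA2D8337585348D",
    "7A120AA02DE9EF70F1571469004E", "7A120AD958030FE53C7769471FEA",
)]
BAD_FRAME = bytes.fromhex("7A120AA8613D6F7B4675FFFEA612")

# ASSUMPTION: 0x7A is a start byte, byte 1 a type/command, byte 2 the payload
# length (0x0A = 10 fits the 14-byte frames), then the payload, then one CRC byte.
START = 0x7A

def _reflect8(b: int) -> int:
    return int(f"{b:08b}"[::-1], 2)

def crc8(data, poly, init=0, refin=False, refout=False, xorout=0):
    """Bitwise CRC-8 in the usual (Rocksoft) parameter model."""
    crc = init
    for byte in data:
        crc ^= _reflect8(byte) if refin else byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return (_reflect8(crc) if refout else crc) ^ xorout

# Catalogued CRC-8 variants: (poly, init, refin, refout, xorout).
CRC8_VARIANTS = {
    "CRC-8/SMBUS":     (0x07, 0x00, False, False, 0x00),
    "CRC-8/ITU":       (0x07, 0x00, False, False, 0x55),
    "CRC-8/ROHC":      (0x07, 0xFF, True,  True,  0x00),
    "CRC-8/MAXIM":     (0x31, 0x00, True,  True,  0x00),
    "CRC-8/CDMA2000":  (0x9B, 0xFF, False, False, 0x00),
    "CRC-8/DVB-S2":    (0xD5, 0x00, False, False, 0x00),
    "CRC-8/SAE-J1850": (0x1D, 0xFF, False, False, 0xFF),
    "CRC-8/AUTOSAR":   (0x2F, 0xFF, False, False, 0xFF),
}

def split_frames(stream: bytes) -> list:
    """Cut a raw capture into frames, resynchronising on START after garbage.
    A 0x7A inside garbage can still mislead this; check the CRC before trusting a frame."""
    frames, i = [], 0
    while i + 3 <= len(stream):
        if stream[i] != START:
            i += 1
            continue
        end = i + 3 + stream[i + 2] + 1      # header + payload + CRC
        if end > len(stream):
            break                            # truncated tail, wait for more bytes
        frames.append(stream[i:end])
        i = end
    return frames

def find_crc8_variant(frames) -> list:
    """Catalogue variants whose CRC over every frame equals that frame's last byte.
    Two coverage hypotheses are tried: everything before the CRC, or the payload only."""
    hits = []
    for name, params in CRC8_VARIANTS.items():
        for cover, sl in (("header+payload", slice(0, -1)), ("payload", slice(3, -1))):
            if all(crc8(f[sl], *params) == f[-1] for f in frames):
                hits.append((name, cover))
    return hits

def pair_exchanges(log, window_ms=200) -> list:
    """Match each IoT command with the first ESC frame within window_ms after it.
    log: (millis, "IOT>ESC" or "ESC>IOT", frame) in capture order.  Unanswered
    commands pair with None; ESC frames with no open command become (None, reply)."""
    pairs, pending = [], None
    for t, direction, frame in log:
        if direction == "IOT>ESC":
            if pending:
                pairs.append((pending, None))
            pending = (t, frame)
        elif pending and t - pending[0] <= window_ms:
            pairs.append((pending, (t, frame)))
            pending = None
        else:
            if pending:                      # reply too late to trust the pairing
                pairs.append((pending, None))
                pending = None
            pairs.append((None, (t, frame)))
    if pending:
        pairs.append((pending, None))
    return pairs

if __name__ == "__main__":
    stream = b"\x00\xff" + GOOD_FRAMES[0] + b"\x55" + BAD_FRAME   # constructed capture
    print("frames:", [f.hex().upper() for f in split_frames(stream)])
    print("variants validating the good frames:", find_crc8_variant(GOOD_FRAMES))
    log = [(1000, "IOT>ESC", GOOD_FRAMES[0]), (1042, "ESC>IOT", GOOD_FRAMES[1]),
           (1500, "IOT>ESC", GOOD_FRAMES[2]), (1900, "ESC>IOT", GOOD_FRAMES[3])]  # constructed
    print("exchanges:", pair_exchanges(log))
```

If none of the catalogued variants validates the posted frames, the checksum is either a non-standard polynomial or covers different bytes than the two hypotheses tried here; the search only tells you which textbook variants to rule out. To feed real captures into pair_exchanges, the MITM sketch would have to prefix each chunk with millis() and a direction tag (for example "IOT>ESC " / "ESC>IOT ") and print the bytes as hex rather than raw, so that a 0x0A inside a frame is not mistaken for the line separator.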
#20222
fernlop wrote:
Fri Mar 20, 2020 11:47 am
The "security code" that is sent always changes, and I read about an encryption the STM32 used that generated an output that looks exactly like the codes we see. But I can't find the doc right now.
Would be interesting to see the doc! Assuming that codes look exactly the same.
fernlop wrote:
Fri Mar 20, 2020 11:47 am
I successfully reflashed the chip of the IoT, but that doesn't do anything now.
Reflashed with original firmware? Do you have the firmware dump?