-
Taking Over The Motor Controller - Attempt
12/10/2018 at 00:04 • 0 comments
Next up, I wanted to take over the motor controller itself.
My theory, which I haven't been able to confirm yet, is that this controller is derived from some Infineon motor controller from some electric bike. The controllers used are in fact counterfeit Infineon 8051 controllers and are being used in lots and lots of Chinese eBay ebike controllers. For those, a config tool exists. Unfortunately, since there is no sign of a datasheet, I couldn't get it to work.
On the contrary: the manufacturer of the board even says these chips are programmed to the customer's specs and cannot be reflashed with a new config after shipment. Sad, dumb, and unfortunate. I couldn't prove them wrong yet.
However, I did a lot of research on the board to identify what's going on:
In the picture above, two chips are missing, as this is the slave board. To me, it looks like these chips were removed by hand after complete assembly to make use of the slave interface.
On the master board, these chips are present. One is the aforementioned NRF chip with antenna and everything (I ripped the external antenna plug off by accident; it sits next to connector HALL2), and the other one is the master controller communicating with the NRF and the four motor controller ICs.
All motor controllers are connected in parallel and therefore receive exactly the same signals.
My ebike theory, by the way, comes from the fact that the motor controllers take an analogue signal for the throttle value. However, I have yet to discover WHERE this analogue value is generated. It's not connected to the primary controller, and I did not see any DACs or resistor ladders on the boards.
Unfortunately, this is where the takeover story currently stands. I couldn't access the firmware, I don't have a JTAG adapter at the moment, I don't know if a serial protocol is available, and so on and so forth.
What I did was prepare one of my boards with headers for later, more detailed analysis.
-
Step one: Reverse Engineer Bluetooth Protocol
12/09/2018 at 23:47 • 0 comments
The Acton iOS app offers the board's total mileage, current velocity, battery state of charge, the drive mode (beginner, normal, pro), and the state of the exterior lighting. That's it. Can't be that hard to decipher.
So I pulled out my CC2541 sniffer and quickly realized this was a bad idea. I just wanted the data, not the Bluetooth communication protocol with some data hidden somewhere inside of it.
So I pulled out my breadboard, plugged in two USB-to-serial converters and soldered their RX lines straight to RX and TX of the Bluetooth module. Et voilà: communication established!
The protocol is very simple, except that I could not identify where the mileage is communicated.
After about an hour of poking around and testing all options in the iOS app, I reached the limit of what I could find. For some reason, I did not see the mileage anywhere. Either the value just didn't show up, or I'm blind. Any ideas?
The next step was to connect my own CC2541 to the board and mimic the iOS app. Maybe I could make my own app. Maybe I could even make this board Bluetooth controlled. How cool would that be?
Unfortunately, I ran into the counterfeit issue myself, and even though I was able to connect to the skateboard's Bluetooth controller, I wasn't able to configure my CC2541 in a way that would allow the communication mode I needed. I hate counterfeits!
I aborted at this point.
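One way to hunt for a value that "doesn't appear" in a serial tap capture like the one above is to search every frame for the number in several likely encodings (raw, scaled by 10/100/1000, little/big endian, packed BCD, ASCII) and to diff frames of the same type while the value changes. This is an added example, not code from the original log; the frames and their layout are constructed, and the helper names (`find_value`, `diff_frames`) are hypothetical.

```python
"""Locate a known reading (e.g. mileage) inside captured UART frames."""
import struct

# Constructed sample frames from a two-converter RX tap: (direction, bytes).
# The header a5 5a and the byte layout are invented for illustration only.
CAPTURE = [
    ("board->app", bytes.fromhex("a5 5a 4b 00 00 00 00")),  # before a ride
    ("board->app", bytes.fromhex("a5 5a 4b 01 e8 03 00")),  # after a ride
]


def encodings(value: float) -> dict:
    """Byte patterns a reading might take in a small binary protocol."""
    cands = {}
    for scale in (1, 10, 100, 1000):        # 10.0 km may be sent as 1000 (1/100 km)
        n = round(value * scale)
        if n < 0:
            continue
        for fmt, name in (("<H", "u16le"), (">H", "u16be"),
                          ("<I", "u32le"), (">I", "u32be")):
            try:
                cands[f"{name}x{scale}"] = struct.pack(fmt, n)
            except struct.error:            # value does not fit this width
                pass
        if n < 256:
            cands[f"u8x{scale}"] = bytes([n])
        digits = str(n)                     # packed BCD, e.g. 1234 -> 12 34
        if len(digits) % 2:
            digits = "0" + digits
        cands[f"bcdx{scale}"] = bytes.fromhex(digits)
    cands["ascii"] = str(value).encode()
    return cands


def find_value(frames, value: float):
    """Return (frame index, direction, offset, encoding) for every match.
    Short or zero patterns match easily; trust hits with several nonzero bytes."""
    hits = []
    for idx, (direction, frame) in enumerate(frames):
        for name, pattern in encodings(value).items():
            off = frame.find(pattern)
            if off != -1:
                hits.append((idx, direction, off, name))
    return hits


def diff_frames(a: bytes, b: bytes):
    """Offsets that changed between two frames of the same message type."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    print(find_value(CAPTURE, 10.0))        # where does 10.0 km hide?
    print(diff_frames(CAPTURE[0][1], CAPTURE[1][1]))
```

Reading the app's displayed mileage before and after a short ride and feeding both values in narrows the candidates quickly, since only the real field changes by the right amount.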
-
Making it better is easy ...
11/14/2018 at 03:28 • 0 comments
... if it's so bad it can't get any worse.
Two days after I got my skateboard, I needed to take it apart.
Looking around the electronics bay revealed a nicely packaged battery of unknown brand in the center, as well as two identical motor control boards with no visible receiver module anywhere. Long story short, the motor controllers are a no-name component straight out of China with settings adjusted to the skateboard manufacturer's requests. Up until now, I still have no idea who manufactures and maintains these boards, but they are literally everywhere, even though they are being pushed off the market by newer, more capable and more configurable boards with superior remotes. No surprise.
I took a large number of pictures, specifically of the chips on all boards and the connections going to and from each board, motor, light and antenna. Turns out the receiver is part of the motor controller and embedded into the circuit. To make things a bit more interesting, two boards can be configured in a master/slave setup by simply removing the receiver from one of the boards and connecting a multi-pin cable between the boards.
My search through the ICs used turned out to be almost completely useless, as none of these chips have any information online AT ALL. I even asked a Chinese friend of mine to dig around for a while, and even he could only turn up the datasheet of one of the ICs - but not the important ones.
One chip, though, was known to me: the NRF24L01+, a transceiver IC for 2.4 GHz ultra-low-power communication at up to 2 Mbit per second. This was good news, as the datasheet for it was very easy to find and comprehensive. Some say it's not the easiest chip to work with from a protocol point of view, and I did realize it has its hiccups.
A second chip I could identify was located on an add-on board on top of the motor controller, a board none of the other Chinese skateboards has. Since it had the Acton logo on it, it must have been custom. It's the Bluetooth chip on a CC2541 module, which is known to be compatible with both iOS and Android and available in large quantities - but huge warning: most of these are counterfeit! To be bought from trusted sellers ONLY! Otherwise the module will only understand the most basic AT commands and cannot be paired with the original module. Been there, done that. I hate counterfeit parts!