ES-200 Electric Scooter Unlocker

So if just if anyone at home is interested in testing out the new command injection firmware it is intended for a ESP32 (i.e. Adafruit Huzzah32) The reason being is it has 2 hardware serial ports. One of the ports is sending to the scooter the commands over Serial1. The other is being used for debugging and sending commands to the ESP32 i.e. Serial 

 You can do this with an Arduino Nano but it would need to be updated with a SoftSerial command to work.

I improved the command hunting tool so that you can input HEX Commands on the fly. I plan to make it BLE compatible so that you can send commands from your phone while riding around. Many of the commands I have found do something. for example this command 0xA6 ,0x12 ,0x2 ,0xEF ,0x14 ,0x4E makes the scooter blink the headlight and the mph on the LCD a couple of times but I have no ideas what is doing to the way the scooter actually works. It will require further testing. If anyone wants to hookup a ESP32 and Help out that would be awesome.

I have built a firmware that funs through all the possible commands into the motor controller. It would be nice if someone had the time to test this out on a scooter to find the command for increasing the top speed. Ive included the .cpp file in my files.

For this entry I got a little side tracked I created a simple firmware for the ESP32. When wired up correctly it will turn on/off the ES-200 from a remote app on a smart phone called RemoteXY. For this all the wires are connected up as per the original instructions. The exception being the enable wire (i.e. the blue wire, I believe.) Which should be connected to pin 13 LED_BUILTIN on the ESP32. It helps that its the led line to see that its working. 

Today John Lee sent me a nice link to a scooter hacking forum. The short of it is I got a nice hint to how the data structure is built. The last  byte of the data packet is CRC-8 Maxim. So to alter any packet to test other configs on the scooter you have to calculate the CRC byte for the end.

Here are some test examples I made from the know packets that I have.

Polynomial Calculator 

https://crccalc.com

Data input: A612021014

Results

Data input: A612021514

Results:

Data input: A612021114

Results:

So I can now build a CRC calculation function and create new packets to test there different Hex numbers and there functions.

Ok found out a little bit more last night. I fiddled with the Hex code the Basti plug of his scooter's GPS and there is an off code. I haven't written it into anything useful yet. But here is a sample on/off code. With these two codes you can make a simple control system for Arduino.

#include <Arduino.h>

int powerPin = 5;
byte messageOff[] = {0xA6, 0x12, 0x02, 0x10, 0x14, 0xCF}; //If the scooter is on turn it off.
byte messageB[] = {0xA6, 0x12, 0x02, 0x11, 0x14, 0x0B}; //Not sure what this does yet. It came with Basti's code.
byte messageStart[] = {0xA6, 0x12, 0x02, 0x15, 0x14, 0x30}; //This is the unlock code.

void setup() {
  // initialize Serial:
  Serial.begin(9600);

  pinMode(powerPin, OUTPUT);
  digitalWrite(powerPin, HIGH);

  Serial.write(messageStart, sizeof(messageStart));
}

void loop() {

  delay(1000);
  Serial.write(messageStart, sizeof(messageStart));
  pinMode(powerPin, INPUT); //Set to Hi-Z not needed after scooter starts
  delay(5000);
  Serial.write(messageOff, sizeof(messageOff));
}

Its been fun having a painting party to make my scooter look pretty.

I been writing little snippets to see what is important and what is not and Ive found you only really need 5 hexadecimal number to unlock the scooter.

#include <Arduino.h>

int powerPin = 5;
byte messageA[] = {0xA6, 0x12, 0x02, 0x10, 0x14, 0xCF};
byte messageB[] = {0xA6, 0x12, 0x02, 0x11, 0x14, 0x0B};
byte messageC[] = {0xA6, 0x12, 0x02, 0x15, 0x14, 0x30};

void setup() {
  // initialize Serial1:
  Serial.begin(9600);

  pinMode(powerPin, OUTPUT);
  digitalWrite(powerPin, HIGH);

  //Serial.write(messageA, sizeof(messageA));
  //delay(500);
  //Serial.write(messageB, sizeof(messageB));

}

void loop() {
  delay(500);
  Serial.write(messageC, sizeof(messageC));
}

Last night I got the scooter to run! Thankfully I found someone that had access to the GPS tracker and wrote some very simple Arduino program to make it work. All that is really required is an Arduino Nano and a buck convertor that can handle 42v from the battery.