HenryCavil
commented
1 year ago How i can eavesdrop on communication between the gps and the controller?
Open Pikokosan opened 1 year ago
HenryCavil
commented
1 year ago How i can eavesdrop on communication between the gps and the controller?
Pikokosan
commented
1 year ago Cheap logic analyzer is the easiest way. Another way would be with an arduino mega and using it as a passthrough
Pikokosan
commented
1 year ago Did some more decompiling and found it uses stm32flash on the iot to program the motor controller. looking for the command to put it into boot loader mode right now.
i can see it puts it into the bootload then call
stm32flash %s -k /dev/ttyHSL3 //Disable the flash read-protection
stm32flash %s -u /dev/ttyHSL3 //Disable the flash write-protection
stm32flash %s -w %s /dev/ttyHSL3 //Write flash from fileSj2.5 controller have freescale mke02z64 chip. Any ideas how to read and flash firmware? I have one motor controller with working commands firmware.
reuzurq
Here is some more info i learned when modding the lime 2.5. looks like the packets haven't changed much.
keep alive: 0x4643110100084C494D4542494B45BE8A light on: 0x464316120001F12B26 Show firmware version: 0x464311140000EAFB Show UART version: 0x464311150000DDCB Show hardware version: 0x4643111800009F9A Show some weird id: 0x464311200000F39E Blink front light: 0x464316130001F15D92 Blink front light stop: 0x46431613000100A2AC Lock motor wheel: 0x464316630001F11FE7 Unlock motor wheel: 0x464316630001F00FC6 turn off and lock: 0x464316610000F0D19F turn on and unlock: 0x464316610000F1C1BE
example response from controller
46 58 0C FF 00 27 11 00 00 40 00 00 41 53 6A 42 00 7B 44 4F 52 4F 61 F0 80 01 40 72 07 07 01 77 82 00 00 00 00 E0 00 0A 93 F1 45 00 00 1E BDbyte 1 is the start byte byte 2-6 are part of the header in the example byte 7 = 0x27 which in dec is 39 which is the length of the frame meaning 6(SOF and header)+39+2(the crc) is the full packet.