
Biking past vendor lock-in

BSides PDX · 2023 · 45:51 · Published 2023-11
Style: Talk

About this talk
Speaker: Will Dillon (https://tech.lgbt/@hpux735)

As e-bike manufacturers try to differentiate themselves, they've turned to cloud- and app-based features. While these features make great press releases, what happens when they go out of business? Are customers left with expensive junk? In the last year, one of the biggest e-bike makers, VanMoof, went out of business. Not only did the industry have to reckon with the impact that had on the consumer's perception of their products, it highlights the importance of initiatives such as right to repair. In this talk, I briefly discuss these market forces, then dive right in to reverse engineering an orphaned bike.

Will Dillon grew up across the river in Vancouver. As a kid, Will loved electronics and computers. At Skyview High School he started the Unix club, securing donations of surplus HPUX computers from Oregon Steel Mills. In his tenure as club president he got himself and the teacher of the computer class in trouble with the school district. Will graduated from The Evergreen State College in Olympia, Washington, and received his Ph.D. from Oregon State University, after which he was in the founding cohort at Racepoint Energy, a company that developed energy management solutions to more effectively manage home energy use. Racepoint was purchased by Savant Systems five years later. Will is currently the CTO of Savant Systems, and works from his home in Corvallis, Oregon. Outside of work, Will is an instrument-rated private pilot, and enjoys using his plane for family trips as well as volunteering. He's currently a command pilot for two organizations: Angel Flight West, which provides free flights for patients with special medical needs and for those with financial difficulties, and Elevated Access, which provides free flights for folks needing prenatal care, abortion access, gender confirming care, and relocation services for displaced transgender folks.
BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org
Transcript [en]

[Music] um so thank you all for coming thanks bsides and the volunteers for doing the doing all the work that they've done and thanks PSU for the venue you're doing a great job uh I also want to thank the speakers that have gone before me you've all done such amazing work that uh I really appreciate but I want to say that after watching all the talks I've seen yesterday and today I'm fairly confident I can say that this will be the second best talk about bicycles okay so quick word about me I'm will I'm instrum instrument rated Private Pilot I fly for Angel Flight West in elevated access they are amazing organizations that you should research

after this talk I'm currently the CTO of savant systems uh they don't know about this talk they have nothing to do with it they accept no responsibility for anything I'm going to say um and we're talking about this bike right here so my uh brother-in-law died a couple of years ago and out of his estate uh I got this bike from my father-in-law and he said hey Will we've got this bike I think it's a canondale or something do you want it I said yeah sure why not it took us a couple of years to deal with Logistics it was in Arizona blah blah blah and it showed up and it's not a canale I don't know what

it is I've never seen it before I I so I started doing this same kind of stuff that uh bastardo Grandes talked I'm like okay well what can I Google on this bike what can I search for so I searched for Flash and I didn't find a lot except that oh no I have no slide notes well this is going to be fun uh except I found out that uh well let's see what I found out I I was able to power it on eventually like it took me a long time I didn't have a charger for it it sat for like 3 years and I kept plugging in the Char charger and it wasn't really doing

anything but eventually one day I was brave enough to let it sit for a couple hours and it booted up I'm like cool uh what is that and so I like looked up the user manual and I was like oh it's some kind of a passcode so I was like texting my father-in-law saying hey what are Scott's passcodes like what does he use for stuff he sent me this like word dock of like a 100 passcodes and like none of them would fit into this these numbers right and so he's like oh well his bird birday is I don't remember what it is but his birthday is you know these numbers I'm like oh sweet

they fit so I was able to I was able to log into the bike but I'm like but now what so I found out that like you need the app for everything right that has us the app it pairs with Bluetooth but I tried it and it kept being like hey you have no internet I'm like I'm pretty sure I have internet turns out that all of their servers were down like the cloud was down the app was down nothing was working at all and so I was like okay well this is a much bigger project than I had anticipated but I was doing research about this flash company and I found out there's a venture beat article

and it's like hey this Zack Fountain guy he started flash he brought on uh Kai hang who is the uh the uh band what's the name of it um the video game or you playing a band Yes yeah he's rock band guy and then so they started this this company Flash and it was in this is their timeline right so in February 2016 they filed for incorporation in 2017 they did an Indiegogo uh they shipped in 2018 which actually June to January that's amazing for Indiegogo like six months impressive but they didn't sell anything after that they did 666 per of goal which is sus right I would have thrown in the extra 10 bucks to have that 667

but that's just me uh they didn't sell barely anything they had a huge media blitz they bought media from all all the outlets Verge everything if you could buy a paid editorial advertorial whatever they were they did it but then by December 20 uh 2021 their web store closes by January 2022 which is a Shopify landing page and by may they uh filed for a dissolution of the company now this talk is a reverse engineering talk but that's just the how the why of this talk is freedom right the why of this talk is freedom from vendor lockin Liberation from all of that crap uh reverse engineering is just a super fun way to get

there uh so while I started just after I Started Van Mo went out of business so there's like tons of press about van moof going under and I'm like oh man this is a bigger story than I thought it would be there's like this is a lot right and so all of these companies these uh other ebike companies are like well this is an opportunity and a risk right it's an opportunity because by far the biggest name in ebikes dies but it's a risk because all the customers are saying well what about you like are you going to go under am I going to be in trouble if you go under as well and you

know if van Mo goes under there's tons of people that are impacted and they're going to be hackers People Like Us that figure out how to get around it but if some Mom and Pop Shop goes under them there probably if flash goes under that's not the case right uh so uh yeah so we go back to this one so another company Cowboy bikes what they did when van Mo filed for bankruptcy is they wrote a tool that lets you SC rape the authorization key from their Cloud that they use to then unlock the bike over Bluetooth so they released a code that did that and then they also made a a a mobile app so you

could still use your V move bike with your cowboy stuff so that was pretty cool right so they're like uh making sure that people don't get stuck and they're using that as a way to say hey we've got your back but there's another company ampler and uh this their CMO had an interview about this time and she was is saying you know we're different because we're not a hypergrowth company so where vanm is all about taking VC hyper growth and then IPO exit right uh ampler was like we're not going to do that we're going to build a sustainable business that doesn't Flash and and go away um and you can rely on them but the

problem is as I was looking at their product line is this is this is the head tube not the head tube this is like the main tube of their bike and it's got this like beautiful set integrated display it's just like the flash you don't see any like ebike Parts it's just really streamlined and beautiful the problem with that is that all these parts are proprietary so if for some reason Market forces do Force ampler to go out of business as the consumer you're still in just as much trouble right okay so I want to just read this quote to you when you make a product what is your legacy what value are you producing and who's the beneficiary of

that value clearly it's important to build a sustainable business your customers are no better off if you go out of business but if you're not producing durable value for the consumer then I don't think you have a reason to exist and in a functional Market you won't anyhow I'm not saying we have a functional Market we don't but if we did right then if you're not producing value for the consumer then why are they giving you money at all okay so let's get into reverse engineering which I hope is going to be more sort of poignant for the group here again this is the bike um we're looking sort of down uh from the rear tire to the front

of the bike and there's this of end cap here right in this photo there are seven security screws okay two two there four on that charging port and then one on the you can't really see it but the headlight tube has one there now while they were doing that media blitz they sort of kingly said oh the battery is end user replaceable Now where's the battery can anybody find it inside yeah it's inside with security screws and you have to take off the back tire and I don't know if you've taken off the back tire on an ebike but is not fun it's super not fun and it gets worse so I sort of kind of

pissed me off right like why are they letting people like why are they wetting reviewers say that like it's replaceable when it is not okay so if and I I did some estimates so in my opinion a trained Tech that has done this probably five or 10 times before would take at least an hour to change the battery okay oh right so what I wanted to say also is you take off this back cover and in this back covered there are a bunch of wires so up going towards the top of the screen there is the ESC which the electronic speed controller so there's like the battery connection the motor connector the throttle or the pedal

sensor the throttle cable and the data cable from the main board is all back here and a cellular antenna okay so I got all that stuff out I started to try to pull the the battery out but it wouldn't come out so I unscrewed that charging port and this is looking into that charging port and this is little LCD module okay so we got two 10 pin jst connectors and two micro coax but we've also got two button clusters little Brak stuff like that up there so you have to remove all that stuff too then it comes out and now I've got it on the bench and so what we've got here is we've got a 4S

10p pack so that's four batteries in series 10 in series or sorry four in parallel 10 in series and then up here this is the BMS the battery management s system and then down here that's the main board so uh if you wanted to replace the battery not only do you have to get it out of the bike you also have to take it apart and then transplant the main board from one to the other it's ridiculous um so this is sort of like a diagram of the architecture of the bike right so this is all the parts of the bike the headlight the little LCD modules got the GPS antenna and a Bluetooth antenna on there the brakes

and the buttons and the charge port and the Mystery button which I didn't really get into I still don't know what the mystery button does and then the throttle and then we've got the ESC the motor and the pedal sensor there in the back so I mean that's kind of cool right like we we're starting to make progress we know how this bike is architected at least but uh our real goal is to replace the main board right because the main board's got all that cloud stuff that we can't do so we've got to figure out some kind of a plan for the main board so if we RW that diagram but this time we're

drawing it from the perspective of the main board and everything that's connected to it right we got the LCD module again those are all the like connectors on the board that we need um and it's sort of like this big Hub kind of a thing it's kind of intim dating right like are we going to have to design our own circuit board to replace all this stuff I hope not um but let's look at it and see see what we actually need uh so this is a closer up photo of it down here this is the ESC connector it's a 8 Pin jst 2 mm here goes to the brakes the brakes and then we can see I've highlighted this

wire here that goes through so we okay the brakes are just like shorted over they're just shunted to the ESC cool we can handle that we got a little transistor here's a mosfet and then that goes there as well and then we've got two serial ports two grounds like okay that's track that's starting to feel tractable like maybe like this is all that we need really for the ESC okay but then what's all this other crap doing well we've got a 36 volt input power input that's actually 36 to 42 volts that's what comes in raw from the battery these two big pins those are the headlight and the tail light we got a cellular module up there with its SIM

card slot and then we've got three channels of uart there over iqu C that's what those guys are and then down here we've got the main IC that is infinion cortex m0 it seems like it's for the automotive Market the most interesting thing about that chip I in my opinion is that it's got a peripheral architecture I haven't seen very much of it is essentially like an fpga like the main chip isn't an fpga but like the peripherals are sort of like an fpga okay and they give you like verog libraries for like common peripherals so it's kind of clever right like you're not like I don't know if you've looked at shopping for microcontrollers but

you'll be like oh I need like six uarts and three timers and whatever and like you have this huge Matrix of like chips you need so this kind of like gets away from that it's kind of a cool system uh that's a digression though and we've got the horn and then the L the LCD module connector down there in the bottom but half the board area is uh Power Supplies okay so like that's a lot of power supplies so I and I reverse engineered that too and so this is what the power sort of architecture looks like for the bike we've got a battery coming in 36 to 42 volts and then we've got tons of buck

converters we've got a buck converter for the lights the headlight and the taight they get their own Buck converter that goes to 8 volts we've got a main Buck converter that goes down to 12 that powers the horn but it also Powers three others 3.3 for the LCD module 3.3 for the logic 3.8 for the cellular and you're like why why I have theories okay so you know when you're designing Power Systems you're like trying to balance all these factors this bomb cost like how much does this cost and just Parts um can I get these chips like are they available I don't know if any of you are involved in like manufacturing but 2000 2001 even into 2002 it's hard

like TI has this huge they almost have a lock on power power ic's and so you know can we get these chips so like that's another Factor you have to think about when you're designing Power Systems but there's also efficiency like are we burning a bunch of heat in this architecture are we like maximizing the efficiency of each of these components uh but I think that most of their decisions here are really around like cross talk and Emi and what I mean by that is that these lamps they're uh they flash okay and they're really bright so they're consuming a ton of current so if you don't have those on their own sort of Supply you run the risk of uh

introducing transients on the rest of the power supplies when those lights blink okay and same thing kind of with the LCD Buck converter now I don't think that actually is powering the LCD my theory on that is that it's powering the low noise amplifier for the GPS so if you were to have this uh LCD Supply on the same as the logic Buck Supply you could actually modulate the GPS signal going into the cellular module by uh signals of varying you know intensity from the the microcontroller so anyways I think that they actually did a pretty good job designing this um but if you read the reviews of the bike a lot of them will say that it had trouble with

the battery pack getting dead if you let it sit in the garage for too long and I think that this is partially to blame uh they do talk about how they've got an accelerometer so you can detect if it's jostled and it'll power the bike up get a GPS fix and send it over cellular and you know that's going to be on this logic butt converter so that means you're running two but converters 247 just to power that accelerometer so the bike knows it's jostled and so I mean I think that partially you know the engineers are to blame but I think it's actually more likely if you want to assign blame to somebody it would be the

product designers right the product designers said oh this is the architecture we want for the bike or this is the feature set we want for the bike and so they had to design it in a way to make that work and the consequence is that it runs out of battery okay now this part of the talk is kind of a journey so we're just going to go on this journey together and what we're doing is we're looking at the battery management system we're going to have answer a couple of questions can we charge the pack remember I only charged it up a little bit to realize that I'm kind of stuck without that app I have a

rad Power Wagon Rad's in Seattle they're a Super Rad company uh um and I have a charger for them so can I make that charger work and can the pack hold a charge overnight over days over weeks and then can we communicate with it CU at this point I'm like I might need to communicate with this battery pack I might because it's got a serial connector to the main board board as well so uh I divised some tests so this is my bench again and I've got the pack I've basically like put the bike back together without the frame on my bench so we got the ESC there we got the pack the charger down on the floor um I've

got my soloscope set up like super long time scale so it's like a Data Logger basically it's like an hour per division or something and I'm measuring the voltage and the current that's my little DC uh Hallett current sensor there with the wire going through and on the first say I brought it up to 3.6 Vols I don't want to start a fire right so I want to like ease into it so I charged it up to 3.6 volts let it sit overnight and it only losts like a tenth of a volt per cell so I'm like yeah sweet so the next day I go to four volts and like still it's pretty good yeah sweet and the next

day I go all the way up to 4.2 so I turn out that yeah I can charge the pack the radwagon charger worked the pack does hold a charge but um the communication format I should have said that before because it's checked off but the communication format I hooked up my Salia to it and it's like 9600 B you so I'm like sweet what could go wrong uh and so I download all that data right because I'm like the whole time my S is just sitting there like log in packets and so I've got like my favorite reverse engineering tool it's the best you guys heard of it it's called a spreadsheet so you think it's python you

think it's wire shark no it's numbers uh so I dumped all that data into numbers and thankfully all of the packets are the same size so I just wrote a quick formula and now I've got the data that's just streaming in and it's in frames so on the right there I just got the frames and a couple of things stand out well so right in the spreadsheet you can select a column and you can go summaries and it'll say like min max average whatever so columns one 9 and 10 were always the same and uh 58 for those of you asky Tables by heart that's a colon and 13 is a Line Feed and 10 is a carriage return

so we already know one uh 9 and 10 now 9 and 10 on One Direction 8 and n on the other they're whether you're going to the BMS or back they're different sides but the point is we know the first and the last two so we're doing pretty good I just got to figure out the middle uh while I was doing this though I remember I had it all hooked up to my oscilloscope and I noticed these are the traces from the U going to and from uh this is to the BMS here see the tops are like nice and crisp and this is from you see how they kind of have like a weird

like a weird Arc to them a little bit let's zoom in so if we zoom into it this is what they look like now if you if you spend enough time looking at i s c data you'll recognize this immediately because this is an open collector output and what that means is that they have a pullup resistor going up to some voltage and then they have a transistor that shorts it right so like that soft arc when it goes up that's the resistor charging the capacitance of all those wires charging them up to a voltage and then when the trans Clips it just drops it right off so I'm like oh cool okay so that's my theory about how it was built

and then I spent some time looking at the board even closer and these these here these are um optoisolators okay so I'm like ah yes because what happens is what if you want to have like the the batteries management system in your your main board to different voltages you're going to need to have like some way to prevent those from messing each other up so I'm like okay so this is the architecture now and I'm pretty sure this is true I don't want to actually go through and probe stuff because you can't turn off a battery batteries don't have power switches and I chose life so I just I just assume that's what it was

but there's something weird about this architecture right if we have it set up this way you can actually do this and you can just chain them off each other right because each one of those can just pull the line down but is there any support for this in the packet format and like maybe I I only have one but by two is always 22 always always so I'm like well maybe that's the address like maybe an endpoint address maybe that's the BMS address not sure but I'm going to call it close enough and we're just going to check it off because why not uh but bite 4 kind of looks like it might be a

different kind of address so we've got to the BMS we've got from the BMS and always if it's going to it's 01 and always if it's coming back it's 02 so I'm like okay cool I think we've got two in from good enough for me let's just call that one good uh now we're looking at uh bite three so bite three is sort of standing there it's like kind of sticking out like a sore thumb and this is this is what happens if you just take all those byes and just plot them again numbers right spreadsheets it's all about spreadsheets so I just took all 10 bites of the packet and I just plotted them over time now it's super super

chaotic so then you start like changing the sort order and you can change the sort order order to have like you know column a first and then column b or whatever so I sorted it by by three and then by time and when you sort it by by three and then time all of a sudden that chaos settles down and we have some really interesting things pop out of the data so down here this this teal blue line every time that switches that's a different value for by three and if you look at the transitions that sort of delineates blocks where the data looks like it's um correlated or or has a similar meaning similar semantics so I'm

like yeah yeah B 3 is going to be some kind of a register address or something right so let's just call that one good enough okay now let's go back and there's one thing uh that pops out to me in this data and that's uh see this like saw too kind of thing this green one that goes up and then down and it's correlated right here with this gray one let's zoom in like that section right there so this is what that looks like so it goes up and then down down and then meanwhile that green one goes up just one tick I'm like yes I caught a bite transition and so that's what this looks

like in the table so it goes 255 to zero and then this one goes up one so now I know that 16bit integer and I find out later it's a signed 16bit integer so we can call those good okay we're actually this is cool right like it's it's coming together like we're getting there okay now I'm going to start talking about it from the back forward now okay so like I think I've got the front part of the packet figured out now I want the back so I'm going to take that not applicable and I'm going to move it sort of move it over so we have them lined up vertically um there's this is sort of a nonlinear

process so I'm just going to skip ahead and say let's look at b seven and the reason I'm going to say let's look at by seven is because if we go back to our graph we can see that by seven and by five have similarities they have like some redundancy in that data right and so what does that mean well redundancy is like literally what the r in CRC stands for right like all check sums are redundant data by definition so I'm like there's got to be some kind of a check sum and I don't know if you guys I'm skipping ah head I don't know if you guys have spent time like trying to

reverse engineer check sums but it's like kind of like you a lot of guessing right like okay what math is used to combine these numbers together which which btes are included luckily this one's really simple and it's like literally just a simple addition so you just take bytes two to two through six add them together mod 256 and like you're done so now we're done with by seven okay so if I can guess what my next slide is yes so by six and 8 going to the BMS from the main board are always the same one's always zero one's always one and so that's good enough for me to say yeah I can write my own

packets to the BMS now so like I have everything I need to write whatever whatever I need whatever commands I need and I've only got one bite left to figure out coming from from the BMS now I captured a bunch of data and I did my best to infer what this means it's almost always zero except for like 15% of the time it's one so this was my theory this is the best I came up with so this check two bite that's what I'm calling it if by six is less than b four it's one otherwise it's zero but it doesn't work so I started I I wrote a program to like talk to the BMS like over hours but

like it it doesn't work out in all cases so I had to just like abandon in it but it doesn't matter because it's from the BMS so I can just like not validate it and so that's what I ended up doing so that's fine so I just Mark that one caution and and kind of move on so now what I can do is I wrote a logger in Rust so just a really simple program it just knows how to talk to the BMS get some registers from it print them out in a CSV and then I let it sit for hours while I was charging the battery remember this is all happening like while I'm doing those initial tests

where I'm just like charging it up and so uh these are graphs that I took out from registers now even though I know the packet format I don't know what the registers mean yet I just know that like the number five gives me this graph and the number seven gives me that graph right so these are the most interesting ones now the top left and remember I already know they there're 16 bit iners so I'm like okay well what what could these possibly mean so we're starting at like 30 a little over 32,000 I know you probably can't read that and then it's shooting up to like 34250 and remember I've got like my scope running so I know like what the

pack voltage is and it like luckily it's it's got to be volts right CU it matches it's close enough we've got Mill volts technically but we've got volts okay meanwhile we've also got amps because we see it going from two Z to 2,000 and I know that at the end of charge it was doing 2 amps so that's 2,000 milliamps and then this one I think is state of charge I don't know for sure it's my best guess these ones they're just playing me for a full at this point I have no idea what's going on um so this is just the help from that logger I told you about the rust program super simple Port bod it just does its

thing now don't don't hit me up too much about the like formatting of this I was like an hour that I just threw it together so it's a it's a little Jank I'm going to say that right right up front now there's one last thing I want to talk about and this is right at the end of charge which is a super interesting point in the batteries like life cycle right like uh when you reach full charge you expect a lot of interesting things to happen and indeed they do so we see that unknown one uh is oh yeah I haven't talked about unknown one yet that was um this one this one's unknown one okay I I still have no idea what it

is, but it could be temperature. So I have it as 2.98 here, but if you move the decimal point over it could be 29, which is like 85°F if you assume that's Celsius. So I'm like, yeah, that's probably Celsius, but I'm not sure. We know voltage, we know current; those make sense. And then that one I talked about: you can see that once it gets to full charge it shoots up from 93 to 100, so I'm like, that's probably state of charge, we got that one down. This next one I have no idea; it's always two or three below the other. But why? I don't understand that one at all; if you have any ideas, hit me up.

Okay, and then the last one, this "unknown two". You know, 128 is a really suspicious number, right? When you see 128 you're like, what's up with you? And so yeah, it's usually 128, except when we hit full charge we get this bit and we get these two bits, and so my best guess is this is some kind of a bit field. I don't know what the bits mean, but I'll put money down that it's some kind of a bit field. And then when it naturally comes off full charge we lose two of the bits: we lose the highest bit and I think we lose bit five, something like that. So I'd be fascinated to know what those are.

There's a couple of registers that always have the same values. One is always 3375; I'm pretty sure that's going to be some kind of low-voltage, like minimum-voltage thing that the BMS would kill the battery on. 4200 is going to be a max voltage for a lithium-ion, and then 3600 is like nominal voltage. So those kind of make sense. But there's a ton of registers; like, that program I wrote, I just said give me all the registers, up to 50, just ask for all the registers, even way more than the main board ever asked for, and at some point it just stopped responding. So I'm like, okay, it probably only implements up to like 25 or something, or 30, I don't remember.

Yeah, so this is the back of the battery. So if you've seen this battery, if you know anything about it, if you've heard of it before, if you know the company, if you know anybody there, I would love to hear from you. This model number, that model number, they don't appear in search at all as far as I can tell, so it's kind of a mystery. I've even looked at, you know, smart BMS, Yoku smart BMS; yeah, my search-fu just did not work out for me.

Okay, so really an e-bike is like four components: a battery, an ESC, a motor, and some way to control it. So we've got the battery; the ESC is next. Now it's really important to me that I not have to replace the ESC, and there's a reason for that, because the motors and the ESC, their pairing is really important, and there's tons of tuning parameters and finicky things you have to get just right, and they've already tuned it. I don't want to have to redo it, so I'm

going to do my best trying to figure out what we can do about this. Again, I don't know anything about it; they never talked about it in any of the specification sheets, but it's got this prominent ASI embossed on it. So I'm like, cool, let's just search ASI, and it turned out that was super easy; it just pops up, it's like, oh, Accelerated Systems, cool. So I was able to go on their site, I was able to find this. This is probably a BAC 550. They're meant for OEMs, so they have specification sheets online that have pinouts and everything, and so I got the pinout, and this is the harness that it's wired up to. I toned out all of those connectors; they all made sense, they all went to sensible places. I'm like, sweet, I know what this thing is.

And I figured, well, what if I just plug it into the bike, right, and see if I can... and the main board isn't in here, right? So this is just the ESC, the motor and the battery. Okay, so I'm like, can I just use it? What if I just short the battery loop, and what if I just short the little enable pin on there that that transistor way earlier did? And no, no dice; the pedal didn't work, the battery, or the throttle didn't work. And then I went back to the manual, and the manual says when you turn on the bike it will start in pedal assist mode zero, and it's like, oh, if you want to use the throttle it has to be in pedal assist mode 1 through 4. So I'm like, huh, well, so much for that.

So I'm like, okay, well, I better start researching the ASI display protocol, and as I was searching for that, actually another company, I don't know if their SEO was just super good or what, but this EggRider company popped up as the first hit under "ASI display protocol", and they have a knowledge base that says, oh, here's how you set up your ASI speed controller with the EggRider. I'm like, yeah, I don't have to make a display, yes, thank you. But it's like, set these parameters, and I'm like, what? I don't know how to do that, I don't know what you're talking about. And so I emailed... who did I email first? I think I emailed both of them. I was super annoying; every sales engineer, every contact-us email address, I just started emailing EggRider and ASI, like, please help. And, let's see, okay, yeah, so I emailed ASI and then they sent this message back: "The controller is programmed for that specific setup and we do not give out software to end users. Even if you were to gain access through other means, I'm reasonably sure the parameters are locked and unreadable." I'm like, okay, challenge [Laughter] accepted.

So they will sell you this kit, okay, this is the eval kit. Now the cool thing about this kit is that it's got all the stuff you need: this is a galvanic isolator for the ESC, so the voltages are fine, and it's got the little TTL-to-USB adapter thingy, and it comes with a copy of their BacDoor software. But it's 750 bucks. I'm not going to pay that; I paid zero dollars for the bike, this is

infinite times more cost than the bike. So I was talking to my friend... oh, I'm getting ahead. I was talking to my friend Andrew from work, and he's like, you know, let me see what it was. Oh yeah, so I need to hook it up to the computer, right? So it's got this connector on the end, and the nice thing about this connector is all four pins you need to connect to the computer are right next to each other, and I've got all these 2 mm JST connectors I don't need anymore, so what if I just do that? I'm like, yeah, it works, it works just fine. But now I need software, right?

So now I'm going to my friend Andrew, who told me, well, there's this company Grin Technologies and they make something called Phaserunner, and Phaserunner uses the same Modbus map as ASI does, so why don't you just use their Phaserunner software, because they'll give it to anybody and you can probably do everything you need to do. And that kind of worked. I could get a snapshot of all the Modbus registers and I could look at them a little bit, but then it kind of froze up and crashed, and it wouldn't save over reboots, so I was like, ah, goddammit. But can you find a copy of BacDoor online? And yeah, you can; on the forums, Andrew's like, oh yeah, I found it.

And so I was like, okay, cool, so now I have BacDoor, but what can I do with BacDoor? I can hook it up to my Saleae and I can get all the communication; I can see what BacDoor sends to the ESC, I can just copy that. And so this is all it does: it just writes a register using Modbus, it verifies that the write went correctly, and then to write to flash you just write FFFF to 0x1FF, and that's it, that's all BacDoor does. And so I'm like, really, why are you restricting access to this software tool that just implements standard Modbus? It's nuts to me. And if you're curious, you can go online and on GitHub there's an XML document with all the ASI Modbus registers, what they all mean, what their values are, what the enums map to; it's all open. I don't understand. But one way or another we've got a program; I've got a link to it in the talk. If you end up with this bike or with this speed controller you can use this program and knock yourself out.

So yeah, so can we just implement Modbus? Hell yes we can. But what about those locked parameters that he talked about? And I was searching for that, and I spent a ton of time in their knowledge base and I found tons of articles, and this one's really interesting. So what you can do with that BacDoor program is download an XML of all the registers of your ESC so that you can update the firmware on it and then reload those registers back, or you can take a snapshot and you can tune the bike and go back to a given snapshot. So this knowledge base article says if you took a snapshot and then you updated your firmware and then you loaded a snapshot back from the old firmware, you will brick your speed controller. Okay, and here's how you unbrick it. Okay, now that's cool and that's exciting. Basically what they say is you look in that XML document, you look for 130, because they took a register that was used for something else, they made it a locking register, and then people were accidentally overwriting that locking register with some random value. So look for the value you had in yours and then put it in there. But it will only work for controllers that were locked inadvertently due to parameter install; parameters that are locked by OEMs have their own unique password set by the OEM

and cannot be locked in this manner. Nice try. And really, it's your tone, it's the wrong tone; you're talking to my guy all wrong. So I kept reading, and I found that there's this tamper-proof functionality as required by ISO 13849. I'm like, this is starting to make more sense. Now it's clear to me that there's this ISO standard and they require e-bike vendors to make sure that end users can't change the speed limit or change the power of your bike, because they're classified: there's class one bikes, class two bikes, class three bikes. I'm like, okay, this is starting to make sense.

And here's that address 62 again that I showed earlier, but this part stood out to me. Can anybody raise your hand and tell me why that part might have stood out to me? That's a 6-bit integer, yeah, exactly. That's not a lot of numbers, right? We can just crack that. Yeah, and so it takes like an hour. Okay, so you just set up a Modbus thing and just iterate through these numbers; it literally takes less than an hour to explore the key space and unlock all the parameters.

There's another parameter that they have, though; this one's "user access level one", and I love the name of that; it seems so, I don't know, it's like Half-Life or something, I don't know. And so this one's different, though; this one is actually really important for safety, so much so... I don't fully understand it, I'm not an e-bike engineer, but the reason why this one's important for safety is that it essentially changes the way that the ESC energizes the coils, and so you can get higher rotational speed than would be implied by the voltage of the pack. Okay, so motors have this KV number, and I think it's all kind of related, but they're like, hey, you can change this parameter that will let you sort of overdrive your electric motor. But they don't say it in here, but they say later there's a reason why we lock this; it's important that you use this for safety. And so this parameter, though; remember I said the other one, the access code, is set by the OEM? This one's set by ASI, and if you are an OEM and you want to change it you talk to your sales engineer at ASI and then they will give you the code. You can crack it too, just as easy. So I mean, it's completely ridiculous.

So this is the program I said that's online. If you find yourself with a bike that you want to deal with, just set the port number, and then if you want to do all the setup for EggRider you just pass it "eggrider" and it'll just do it. But it will give you an error if it's locked; it'll be able to detect if the bike is locked, it'll say, hey, you need to give an access code, and you pass it here with "access" and you can say whatever number that is; it's the register 62 thing. But if you don't have it, then you've got two options: you've got "crack", which will give you the value of 62, and you've got "crack OEM", which will give you access level one, and like I said, it takes less than an hour for each.

Yeah, so for the love of God, please do not do anything stupid with this information. Like the field weakening, they're pretty serious that you can hurt yourself with that, so just don't. Yeah, so really just use this if your bike was abandoned by the manufacturer and you want to be able to keep using it. Okay, now there's another thing that came up in this, and I kind of got spooked a little bit. I have friends that are in the e-bike industry that have worked with ASI, and so I sort of floated him the idea; I was like, are they going to be mad at me for this? And he's like, yeah, they're going to be pissed. So I, you know, contacted the EFF

and I went through the whole system to make sure that I don't have to do responsible disclosure and everything else, and in that due diligence I found a post from 2021 where somebody else discovered how easy it was to crack that password. And so that's good news; EFF said I'm clear. So I do want to say great thanks to EFF for all the work that they do. And let's move on.

So the EggRider: their business model is essentially third-party displays for bikes that exist, and that's really what it's designed for. So when you try to buy one of these they go through this flow, like you can get your ASI, what bike is it, what connector does it have, and they'll either support you or not. And I emailed them, I said, hey, I've got this other bike, will you support me? They said no: no warranty, no support, nothing. But they didn't stop me from buying it. So I just said ASI, and I got... these are Julet connectors, so I got a round Julet connector. They published the pinouts online, which is awfully convenient of them, and then I wired it up, and this is kind of the same bench test, right? So I put it on my 0.1 in headers, used breadboard jumpers to wire up the EggRider to the rest of the bike, and it worked perfect first try, and the app came up, and it was over Bluetooth and everything, and you can set all these parameters like the current and speed, and they sort of trust you to know your local laws and everything else. They let you change the field weakening percent; that is that access level one thing. So they actually let you edit those settings through the app on the bike, so in principle you could edit that while you're riding, which seems insane to me.

Yeah, so, okay, how do we actually wrap this thing up? How do we close the loop of, I've got this bike, I've got a bunch of crap on my bench? And so if we sort of look back at the bike architecture and really just focus in on the things that we need: this is that old main board with the eight-pin JST, and the bike, and those are the factory cables. We can just cut those cables, and if we just cut the cables we can have just a commercial extension cable, like those Julet cables; you can get them on Amazon, they're like three bucks. So I got the five-pin Julet that the EggRider needs, that's the existing cable for the brake, and I just sort of lashed it together, you know, soldered them together, made the thing, used some glue-lined heat shrink, squished it out flat because it's got to fit in the bike tube next to the battery there, and it works. It's amazing.

So I've put like 100 miles on the bike. So I've got a RadWagon; the RadWagon, if you don't know, is like a huge bike, and it weighs like 80 pounds, and I'm used to riding it around with my 10-year-old on the back, so I'm used to like 300 pounds of bike and people. And so this bike weighs so much less than that, and even though it has about the same amount of power it feels like I'm on a Ferrari or something. So it's been pretty fun, although I can tell that it's not as well tuned as the RadWagon; the RadWagon is so smooth, but this one, you've got 20 kHz switching whine and the motor has a lot of commutation noise, so, eh, it's not as refined, but it works really well.

Now there's another thing that the EggRider does, and that's logging. So when you have your app open while you're riding around it will give you all these cool logs. This is like a 10m ride I did. This is kind of interesting and cool too. So this here,

you can see there's tons more current out of the ESC than later on, and it has something called foldback, and so if your battery is low it will fold back the amount of current you can use; if the ESC is warm it will fold back the amount of current. So what I think is happening here is I'm riding hard, and then the ESC gets hot, and then it folds back the current, and you can see it all in the graphs; it's pretty sweet.

So I want to get to some closing thoughts. I'm still writing about this, so this is a screenshot of my blog; this is the newest post on it. There's no way I could have fit the head and tail lamp reverse engineering into this talk; it's probably another 10 or 15 minutes, but it's online now. I have an idea; this is one of those things like I need a new project like I need a hole in the head, but I can't help myself, because I want to replace the main board with something cool, you know, maybe an ESP32-C3 running Rust and using the existing LCD, and make the horns work, make the lights work, just fun stuff like that. There's another idea I have, to do an interposer between the LCD and an existing factory main board that could crack the PIN code by skimming the SPI data from the display and injecting I2C button presses. I haven't thought that one through very far, but it'd be kind of a fun thing to do.

And so there's a couple of philosophical things I want to say. I go to a lot of WWDCs, at least I used to go to a lot of the Apple conferences, I went to like eight, and at one of them Michael Franti was the Apple Bash music act, and I don't know about you, but I really like Michael Franti, and he said something to the crowd that really stuck with me. He said, all of you here have a gift, right? All of you here are here because you either have the ability to do this work or you have a company that's willing to pay for you to go to this talk and learn these techniques and these tools and express yourself in code and in technology, and I hope that you use that for good, and I hope that you use that to make the world a better place. And so as you're doing your technical work, you know, what choices are you making? What's the impact of those choices? What choices are manufacturers making? Can you as a consumer make choices that help put pressure on manufacturers that aren't making as good choices, that aren't supporting sustainable, maintainable, long-term value out of their goods?

I want to thank everybody. I want to thank my family for dealing with the torn-apart bike in the garage for four months, the Electronic Frontier Foundation for giving me the wonderful advice, Derc Robot, that's my friend Andrew's company, he gave me a lot of help on this project, and finally BSides PDX, and these are my socials. Thank you all for [Music] coming.
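Added example (not from the talk, and not ASI's, Grin's or EggRider's code): the Modbus RTU mechanics the speaker describes twice, walking the register map one address at a time until the device stops answering, and the BacDoor pattern of writing a register, checking the echoed response, reading it back, and then committing with a write of FFFF to 0x1FF. It runs against a simulated controller so it works offline. The register map (32 implemented holding registers, all zero), unit id 1, and the commit register behaviour are constructed assumptions modelled on the talk, not ASI's real map; CRC-16/MODBUS and function codes 0x03/0x06 are the standard protocol.

```python
"""Modbus RTU framing exercised against a simulated speed controller.

Constructed example: the register map, unit id and the 0x1FF 'commit'
register are assumptions modelled on the talk, not a real ASI device.
"""
import struct


class ModbusError(Exception):
    """Raised when the device answers with a Modbus exception frame."""


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected poly 0xA001, init 0xFFFF, no final xor."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def frame(pdu: bytes) -> bytes:
    """Append the CRC, low byte first, as Modbus RTU requires."""
    return pdu + struct.pack("<H", crc16_modbus(pdu))


def unframe(raw: bytes) -> bytes:
    """Verify and strip the CRC; return unit id + PDU."""
    if len(raw) < 4:
        raise ValueError("frame too short")
    body, (crc,) = raw[:-2], struct.unpack("<H", raw[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch")
    return body


class SimulatedESC:
    """Toy device with `implemented` holding registers plus a constructed
    commit register at 0x1FF that copies RAM registers to 'flash'."""

    COMMIT_ADDR = 0x1FF  # assumption taken from the talk's description

    def __init__(self, unit: int = 1, implemented: int = 32):
        self.unit = unit
        self.regs = {addr: 0 for addr in range(implemented)}
        self.flash = dict(self.regs)

    def _exception(self, func: int, code: int) -> bytes:
        return frame(bytes([self.unit, func | 0x80, code]))

    def handle(self, raw: bytes) -> bytes:
        body = unframe(raw)
        unit, func = body[0], body[1]
        if unit != self.unit:
            return b""  # not addressed to us: a bus device stays silent
        if func == 0x03:  # Read Holding Registers
            addr, count = struct.unpack(">HH", body[2:6])
            if not all(a in self.regs for a in range(addr, addr + count)):
                return self._exception(func, 0x02)  # Illegal Data Address
            payload = b"".join(struct.pack(">H", self.regs[a]) for a in range(addr, addr + count))
            return frame(bytes([unit, func, len(payload)]) + payload)
        if func == 0x06:  # Write Single Register
            addr, value = struct.unpack(">HH", body[2:6])
            if addr == self.COMMIT_ADDR and value == 0xFFFF:
                self.flash = dict(self.regs)  # persist RAM registers
            elif addr in self.regs:
                self.regs[addr] = value
            else:
                return self._exception(func, 0x02)
            return frame(body)  # a successful write echoes the request
        return self._exception(func, 0x01)  # Illegal Function


def _parse(resp: bytes) -> bytes:
    """Check CRC and raise if the device returned an exception code."""
    body = unframe(resp)
    if body[1] & 0x80:
        raise ModbusError(f"exception code 0x{body[2]:02x}")
    return body


def read_regs(dev: SimulatedESC, addr: int, count: int = 1) -> list:
    body = _parse(dev.handle(frame(struct.pack(">BBHH", dev.unit, 0x03, addr, count))))
    n = body[2]  # byte count
    return list(struct.unpack(f">{n // 2}H", body[3:3 + n]))


def write_verified(dev: SimulatedESC, addr: int, value: int) -> bool:
    """Write one register, check the echoed response, then read it back."""
    body = _parse(dev.handle(frame(struct.pack(">BBHH", dev.unit, 0x06, addr, value))))
    if struct.unpack(">HH", body[2:6]) != (addr, value):
        return False
    return read_regs(dev, addr)[0] == value


def commit_to_flash(dev: SimulatedESC) -> None:
    """The 'write FFFF to 0x1FF' step; no read-back, since 0x1FF is not readable here."""
    _parse(dev.handle(frame(struct.pack(">BBHH", dev.unit, 0x06, dev.COMMIT_ADDR, 0xFFFF))))


def dump_map(dev: SimulatedESC, max_addr: int = 50) -> dict:
    """Walk registers one at a time, stopping at the first address the device rejects."""
    found = {}
    for addr in range(max_addr):
        try:
            found[addr] = read_regs(dev, addr)[0]
        except ModbusError:
            break
    return found


if __name__ == "__main__":
    esc = SimulatedESC()
    print("implemented registers:", len(dump_map(esc)))
    print("write verified:", write_verified(esc, 5, 0x1234))
    commit_to_flash(esc)
    print("flash[5] after commit:", hex(esc.flash[5]))
```

The simulated device answers an Illegal Data Address exception for unimplemented registers, which is what ends the walk in `dump_map`; the real controller in the talk simply stopped responding, which on a serial bus would surface as a read timeout instead of an exception frame. Against real hardware the `frame`/`unframe` pair and the two request builders stay the same; only `SimulatedESC.handle` would be replaced by a serial write and read.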