QS-S4 LCD Display MCU

Lightweight / Folding / Portable EVs - seats optional
Post Reply
raxrip   1 µW

1 µW
Posts: 1
Joined: Apr 05 2021 2:00pm

QS-S4 LCD Display MCU

Post by raxrip » Apr 06 2021 3:49pm

Hi
I just got my new Zero 10 electric scooter and in my country these scooters must be locked to a max speed of 20km/h
In the settings menu P8 (used to set max power) is locked to 39 and this value cant be changed.
(P8 needs to be locked for the scooter to be legal in my country so swapping it out with a new LCD display is not the best solution)

QS-S4 display:
Image

QS-S4 PCB:
Image

The display is using the HR8P506 MCU and my first thought was to dump the firmware, modify it to unlock P8 only when the correct combination of some keypresses (using brake and mode button etc) so if I got pulled over I could just turn the display off and back on again and P8 would be locked. Problem is that this is some China MCU that I find less to no info about and coz of this I started with a different approach.

Does anyone know of a different type of LCD panel using a different MCU like a STM32, PIC controller or atmega etc?

For now I started to look at the communication between the LCD panel and the speed controller (ESC) and my goal is to modify this data and change max speed (P8) only after a USB dongle have been connected to the display's USB port to unlock this setting.

I will share my findings in case anyone else is interested in such.

---

On the PCB there are some wires coming from the ESC (6 in my case but other LCD panels is using 5) and two of these are marked TX and RX. This is UART using TTL levels set to 8N1 1200bps (serial known as RS232 on PC)
LCD panel is sending a chunk of 15 bytes to the ESC and will then read 15 bytes back from it.

LCD send:
01 03 01 00 05 05 1A 00 35 80 00 0A 1C 0A B0 <- First chunk after power on
01 03 02 00 05 06 1A 00 35 80 6C 0A 1C 0A DC
...
01 03 16 00 05 7A 1A 00 35 00 6C 0A 1C 0A 34
01 03 17 00 05 7F 1A 00 35 00 6C 0A 1C 0A 30
01 03 18 00 05 78 1A 00 35 00 6C 0A 1C 0A 38
00 03 19 00 05 7D 1A 00 35 00 6C 0A 1C 0A 3C <- Last chunk after I pressed power off

This is what I found out about these bytes:
B00 B01 B02 B03 B04 B05 B06 B07 B08 B09 B10 B11 B12 B13 B14
01 03 18 00 05 78 1A 00 35 00 6C 0A 1C 0A 38

B00 = Power on/off (01=on. 00=off)
B01 = 03 ?
B02 = Packet Counter. (Counts from 0 to 0xFF and then restarts. 1 packet is all 15 bytes)
B03 = 00 ?
B04 = Gear (Using bit 0, 1, 2, 3. xxxx0101=1, xxxx1010=2, xxxx1111=3)
B05 = ?? rand?
B06 = P09 = Kickstart (Only bit 1 is used. xxxxxx1x=kickstart, xxxxxx0x=no kick) (Usually 0x1A for kickstart)
B06 = P17 = Cruise Control (Only bit 2 is used. xxxxx0xx=off, xxxxx1xx=on) (Usually 0x1A for off)
B07 = 00 ?
B08 = P08 = Power Limit
B09 = Lights on/off (Using 1 bit 3. xxxx0xxx=off, xxxx1xxx=on)
B09 = Brakes on/off (Using 1 bit 6. x0xxxxxx=off, x1xxxxxx=on)
B10 = 0x6D or 0x6C ??
B11 = P11 = Electronic Breaking (Using bit 3, 4, 5. xx000xxx=0, xx001xxx=1, xx010xxx=2, xx011xxx=3, xx100xxx=4, xx101xxx=5) (Usually 0x1A for 3)
B11 = P12 = Acceleration (Using bit 0, 1, 2. xxxxx000=1, xxxxx001=2, xxxxx010=3, xxxxx011=4, xxxxx100=5) (Usually 0x1A for 3)
B12 = 0x1C
B13 = P06 = Wheel Diameter
B14 = XOR checksum (That is when all 15 bytes are xor'ed the sum should be 0x00)

This display comes from an Zero 8 and is locked to 0x35 (53) and I am pretty sure that this is byte 8 on this chuck.
So I will try to connect a small MCU to intercept this block, modify this B08 byte and send it to the ESC with and updated checksum at the end. I am planning on using an Atmel 32U4 (Arduino Pro Micro) which is a pretty small board and should fit inside the LCD panel. This MCU has native USB support and I will connect this port to the LCD panels USB port which is used only to charge your phone etc.


The response from the ESC is a bit more messy:

36 09 00 2B 2B 2B 00 2B 2B 2B 2B 36 E5 2B EC
36 0A 00 24 24 24 00 24 24 24 24 33 C6 24 C9
36 0B 00 29 29 29 00 29 29 29 29 38 CB 29 CE
36 0C 00 52 52 52 00 52 52 52 52 C7 83 52 7E

B00 always start with 0x36 (Or I have not seen this byte change)
B01 is a counter going from 0x00 to 0xFF and then restarts.
B02 ? (always 00)
B03, B04 and B05 are used to signal the LCD that the brake was pressed in a very strange way.
-These three bytes seems to be random but they are all the same unless you press the brake.
-If brake is pressed then 0x20 will be added to B04. (LCD panel will verify this by setting bit 6 in B09. See above)
B06 = (always 00)
B07, B08, B08 and B10 is only changed when the rear wheel is rolling so I believe this is to set your current speed on the LCD
-I have not figured how this is decoded yet coz these bytes is also changing all the time.
..
B14 XOR checksum

The receive chunk is not important for my mod to work so I might leave this connected to the HR8P506 MCU.

If anyone have some more info about these LCD panels then that would be great.

6VyxYZ   1 µW

1 µW
Posts: 1
Joined: Sep 30 2021 3:11am

Re: QS-S4 LCD Display MCU

Post by 6VyxYZ » Sep 30 2021 3:12am

Thank you for the detailed protocol description.

teixeluis   10 µW

10 µW
Posts: 5
Joined: Dec 09 2021 11:48am

Re: QS-S4 LCD Display MCU

Post by teixeluis » Dec 10 2021 7:18pm

Hello raxrip,

Nice digging work, it served as a precursor to my own investigation on a similar LCD that is installed in my Laotie Ti30 scooter. I was able to do several findings which I believe are also useful for decoding this QS-S4 LCD.

I have created this post detailing some of the work:

https://www.creationfactory.co/2021/12/ ... ooter.html

and later (and most importantly) was able to figure out more about the frame structure in either direction. Regarding the frames
that come from the ESC, the 4th byte is a variable offset (which I believe the purpose is to generate entropy and minimize errors when the transmission contains long sequences of zeros). This value needs to be subtracted from several of the other payload bytes in order
to obtain the actual data. You can find more details along with a couple of python scripts to tap into the streams and parse the data, in this project:

https://github.com/teixeluis/escooter-lcd-esc-decode

Cheers

User avatar
amberwolf   100 GW

100 GW
Posts: 33669
Joined: Aug 17 2009 6:43am
Location: Phoenix, AZ, USA, Earth, Sol, Local Bubble, Orion Arm, Milky Way, Local Group
Contact:

Re: QS-S4 LCD Display MCU

Post by amberwolf » Dec 11 2021 2:56am

If it is helpful, casainho / stancecoke / et al have some threads about various controller and LCD custom open source firmware. They probably wont' directly work for you but they may provide a basis to build your own code on.
If you found this advice helpful, supporting contributions are accepted here.

Beginning of a New Life


Give a listen to my music!
(More here, including experimental).

teixeluis   10 µW

10 µW
Posts: 5
Joined: Dec 09 2021 11:48am

Re: QS-S4 LCD Display MCU

Post by teixeluis » Dec 11 2021 8:57am

Thanks @amberwolf,

That is interesting. I saw the project, in that case they use hardware that is based on the very popular STM32 micro-controller. Supporting FOC in the same hardware is an awesome improvement. In my ESC, the hardware seems to be slightly more "exotic" in that respect. The LCD uses the Renesas R7F0C001G micro-controller, whereas the ESC has a chip labelled as XCM-K (supposedly similar to the X8M06-C or the NEC μPD79F9211 but with 48 pins instead of 44, by crossing some information on the web..).
PXL_20211106_235948922.jpg
PXL_20211106_235948922.jpg (617.46 KiB) Viewed 1541 times
I guess it is not such an easy platform to develop, as the STM32, given the broad set of tools and community support for the latter.

teixeluis   10 µW

10 µW
Posts: 5
Joined: Dec 09 2021 11:48am

Re: QS-S4 LCD Display MCU

Post by teixeluis » Dec 11 2021 6:00pm

Fyi, I have also added a bit of further discussion around this reverse engineering of the protocol in this blog post:

https://www.creationfactory.co/2021/12/ ... er_11.html

The scripts have also been updated to decode a few more fields, and I am now accurately calculating the speed based on the value returned by the ESC:

https://github.com/teixeluis/escooter-lcd-esc-decode

Cheers

teixeluis   10 µW

10 µW
Posts: 5
Joined: Dec 09 2021 11:48am

Re: QS-S4 LCD Display MCU

Post by teixeluis » Dec 13 2021 5:52pm

Another update: figured out the encryption of the only field in the frame sent by the LCD which was yet to be understood. Updated the python scripts for allowing the decoding of this field. It turned out that this field (byte nr 5 from the frame sent by the LCD) encodes the current gear. It consists of a simple substitution cipher (i.e. like the Vigenère cipher).

It is curious why they considered so important to encrypt (or more exactly to obfuscate) this field while leaving the remaining fields in clear text. My guess is that it can be either related to speed limiter capability/legal compliance, or to prevent compatibility with hardware from other brands..

Added the changes to the same place, in my github repo:

https://github.com/teixeluis/escooter-lcd-esc-decode

Enjoy

Cheers

teixeluis   10 µW

10 µW
Posts: 5
Joined: Dec 09 2021 11:48am

Re: QS-S4 LCD Display MCU

Post by teixeluis » Dec 14 2021 4:24pm

For those who might be interested, here is also the story on how I got to decrypt these fields:

https://www.creationfactory.co/2021/12/ ... er_14.html

Cheers

brogdan   1 µW

1 µW
Posts: 1
Joined: Apr 16 2022 6:52am

Re: QS-S4 LCD Display MCU

Post by brogdan » Apr 16 2022 6:56am

Hey there,

I have a similar LCD display that uses stm8l052c6.
the ST controler was burnt due to a shorted wire.
I have bought some new stm8l052c6 and a ST-programmer, but do not have the original firmware. By any chance you have the firmware and can share it with me?
Thanks
Attachments
IMG_5209.jpg
IMG_5209.jpg (1.11 MiB) Viewed 452 times
IMG_5210.jpg
IMG_5210.jpg (1.05 MiB) Viewed 452 times

azzaalki   1 µW

1 µW
Posts: 2
Joined: May 14 2022 11:07am

Re: QS-S4 LCD Display MCU

Post by azzaalki » May 15 2022 3:12pm

A2C4B138-374E-414E-8791-B7CC4835B206_1_201_a.jpeg
hey guys
if you look into the red circle you will notice that the digital potentiometer has burnt out,i was wondering if this was repairable ?
Thanks Aaron
A2C4B138-374E-414E-8791-B7CC4835B206_1_201_a.jpeg (1.04 MiB) Viewed 72 times

Hey guys
if you look into the red circle you will notice that the digital potentiometer has burnt out,i was wondering if this was repairable ?
Thanks Aaron

User avatar
amberwolf   100 GW

100 GW
Posts: 33669
Joined: Aug 17 2009 6:43am
Location: Phoenix, AZ, USA, Earth, Sol, Local Bubble, Orion Arm, Milky Way, Local Group
Contact:

Re: QS-S4 LCD Display MCU

Post by amberwolf » May 15 2022 3:54pm

If it's just a digipot, then as long as you get the same chip p/n and can solder SMT you can replace it. Mouser, Digikey, Farnell, etc., are all good places to get most anything you need, electronics-wise.

However, for a dramatic catastrophic failure like you see there, where the chip inside turned to plasma and smoked out the side, something else would have to have caused that to happen (a digipot is a very low-power device, and wouldn't fail that way on it's own).

If you don't first troubleshoot to find out what caused that failure, and fix that, then whatever new part you put in is just going to fail the same way (probably instantly).
If you found this advice helpful, supporting contributions are accepted here.

Beginning of a New Life


Give a listen to my music!
(More here, including experimental).

azzaalki   1 µW

1 µW
Posts: 2
Joined: May 14 2022 11:07am

Re: QS-S4 LCD Display MCU

Post by azzaalki » May 16 2022 1:29am

Thanks
Well im on my 3rd screen now and they have all done it it the same spot,
How am i sapose to trouble shoot this senario ?

User avatar
amberwolf   100 GW

100 GW
Posts: 33669
Joined: Aug 17 2009 6:43am
Location: Phoenix, AZ, USA, Earth, Sol, Local Bubble, Orion Arm, Milky Way, Local Group
Contact:

Re: QS-S4 LCD Display MCU

Post by amberwolf » May 16 2022 11:19am

What conditions did the failure occur in, each time?

Is the system being run near the limits of it's voltage specification?

Is the chip actually just a digipot? Or is the chip something else (like a power converter)?
If you found this advice helpful, supporting contributions are accepted here.

Beginning of a New Life


Give a listen to my music!
(More here, including experimental).

Post Reply