S-LCD to S12S controller communication protocol hacked

Post by obelix662000 » Oct 15 2015 12:42am

I've successfully decoded communication protocol between LCD3 display and S12S controller (both available at bmsbattery.com) in both directions. Please see attached files.
Attachments:
- S12SN_to_LCD3.txt (from S12S to LCD)
- LCD3_to_S12SN-1.txt (from LCD to S12S corr1)
Last edited by obelix662000 on Jul 06 2016 10:23am, edited 1 time in total.

Post by flangefrog » Oct 15 2015 2:02am

Great work. When were the packets sent between the devices? Were they sent every 100ms or so, or for lcd to controller communication were they just sent when a button was pressed? Any special packets sent on start-up?
Last edited by flangefrog on Oct 15 2015 2:39am, edited 1 time in total.

Post by nieles » Oct 15 2015 2:30am

Awesome!! I was going to do the same thing, well, for the S6P.

I will let you know if it works the same.

Post by obelix662000 » Oct 15 2015 8:11am

flangefrog wrote:Great work. When were the packets sent between the devices? Were they sent every 100ms or so, or for lcd to controller communication were they just sent when a button was pressed? Any special packets sent on start-up?
Continuously, about 10 times a second in both directions. Actually this is not important, everything works fine with any rate since the LCD and S12S remember the last state.

Post by boogieBeats » Nov 22 2016 8:21pm

obelix662000 wrote:I've successfully decoded communication protocol between LCD3 display and S12S controller (both available at bmsbattery.com) in both directions. Please see attached files.
Do you know if the controller will transmit the package without the LCD hooked up?

I'm trying to program my S06S (which I presume to be similar) without the LCD as a "project" since I forgot to include the LCD in my last order from BMS. I have attempted to read its TX line at the settings described and did not get any output. Help eliminating the unknowns would be appreciated.

Thank you very much for your work so far.
Despite all logic, single speed mountain biking is a pretty good time.
V*I to the people.

Post by ntr » May 02 2017 11:39am

In addition to the above, I found out the following:

I have an S06S, the protocol is the same.
Regarding the S12SN to LCD3 communication protocol:
B2: is the controller voltage. I have a 24/36 V controller with a 36 V battery and B2 reads 36 in my case.
B6: B0 is not included in the CRC
B8: Value is 4x controller current instead of power. The display calculates the power from this value divided by 4 multiplied with the LCD supply voltage. So if B8 is 16 and the supply voltage is 30 V then the LCD shows (16/4)*30 = 120 W. If you supply the LCD with 40 V and the same value for B8 then the power shown is 160 W.

Post by jbs » Jun 26 2017 11:57pm

For the LCD to controller protocol, the crc in B5 is not always as described here, at least for my LCD5 and controller, both recently bought from bmsbattery.

The final xor 2 required in the crc calculation varies, even for exactly the same message but at different sessions/times - sometimes an even number in the final xor is required and sometimes an odd number.

Rather than attempt to work out how or why, I simply find the correct value from the first few messages sent by the LCD after powering on, and use that for the remainder of the session until the LCD is turned off.

If you're getting messages you're generating ignored by the controller, bear this in mind. I've recently added an arduino to dynamically modify the parameters (max speed / assist levels / etc) when in an internally managed "fast" mode set with a sequence of LCD buttons at startup, and this stumped me for a while, particularly as sometimes xor 2 is the correct value and so sometimes works.

Post by casainho » Jul 31 2017 11:21pm

jbs wrote:I've recently added an arduino to dynamically modify the parameters (max speed / assist levels / etc) when in an internally managed "fast" mode set with a sequence of LCD buttons at startup, and this stumped me for a while, particularly as sometimes xor 2 is the correct value and so sometimes works.
Hi guys.

This thread is really valuable!! I just shared all this information on the OpenSource firmware for the BMSBattery S Series / Kunteng KT motor controller documentation page: https://opensourceebikefirmware.bitbuck ... tocol.html
- TSDZ2 FAQ: issues and repairs, etc
- TSDZ2 OpenSource firmware

Developer of OpenSource knowledge and technology for ebikes: Wireless Ebike board ANT+ and Bluetooth, Flexible OpenSource firmware for EBikes: TSDZ2 mid drive motor, KT motor controllers and displays: Bafang 850C color, SW102 Bluetooth and KT-LCD3.

If you like my work, please consider making a donation to help my developments: paypal.me/jorgecasa

Post by casainho » Jul 31 2017 11:32pm

Can you please please help me to understand:

"B3,B4: speed, wheel rotation period, ms; period(ms)=B3*256+B4;"
"P1 = motor gear reduction ratio×number of rotor magnet pieces, just rounding if there’s any decimal."

Considering: 1 eRPM at each 2 rotor magnets;

B3B4 = P1 * (eRPM / 2) ??

Post by tonywestonuk » Sep 16 2017 1:32am

I just got one of these M5Stacks to play around with.
[Attached image: M5Stack (C4zBP0jUYAEZbbl.jpg)]

Though they are not specifically for an Ebike, they are fully programmable, bluetooth / wifi.

Seems to me that they could be a good candidate for an LCD meter.

They cost $16 + postage (about $4).

I'm going to see if I can interface mine with the controller using the serial protocol at the top of this thread...

Post by MisterMint » Oct 05 2017 1:27pm

I am trying to control BMS battery sinewave bottle controller in a similar way with an ESP32.
The UART on the ESP32 allows only for 3.3V input and output voltage. What are the voltages levels on controller and SLCD?
If they are 5V, what would be the easiest way to convert?

Post by casainho » Oct 05 2017 5:16pm

MisterMint wrote:I am trying to control BMS battery sinewave bottle controller in a similar way with an ESP32.
The UART on the ESP32 allows only for 3.3V input and output voltage. What are the voltages levels on controller and SLCD?
If they are 5V, what would be the easiest way to convert?
BMS Battery S/Kunteng controllers work with 5V. You can see the schematic of the controller on our project site, OpenSource firmware for those controllers.

Resistor voltage divider from 5V to 3.3V, on the line from the STM8 to the ESP.
From ESP to STM8, keep the 3.3V; the STM8 should be able to read those values correctly as logic 1.
So, just 2 resistors to adapt!!

Can you please share what do you plan?? How will the user interact on your system??

Post by MisterMint » Oct 05 2017 7:24pm

Thank you for the info, I should even be able to hide this inside the cable.
So it seems this is all I need:
[Attached image: z5AQJ.png]

The project is still in early stage, did not even receive the ESP. I will try to control a 2WD bike via Smartphone. Seriously need fast 'mode switch', after this works, this is gonna be my playground for a while.. lights, brake sensor, distance sensor, alarm, anti-slip for front wheel, who knows where I will end. :-)

Post by casainho » Oct 05 2017 11:42pm

MisterMint wrote: The project is still in early stage, did not even receive the ESP. I will try to control a 2WD bike via Smartphone. Seriously need fast 'mode switch', after this works, this is gonna be my playground for a while.. lights, brake sensor, distance sensor, alarm, anti-slip for front wheel, who knows where I will end. :-)
Okok, a lot of things you are looking for :-)

Why not go with the standard UART/Bluetooth module for these motor controllers? On our project, we just started to add support for the LCD (which is the same for Bluetooth).

How do you plan to develop on ESP, which language? -- I am looking to JavaScript Reactive Native app for mobile.

Post by MisterMint » Oct 06 2017 10:40am

I want to do all the computation in one place. It should be able to run in standalone mode.
Will run Arduino firmware for ease of programming, the GUI on Android phone will most likely be TouchOSC or Lemur.

I am really looking forward to test your custom firmware, but what you are doing right now is way over my head. So I will wait for working beta.
(I have some support from a friend to solve programming and electronical issues.)

Post by casainho » Oct 06 2017 1:00pm

MisterMint wrote:I am really looking forward to test your custom firmware, but what you are doing right now is way over my head. So I will wait for working beta.
(I have some support from a friend to solve programming and electronical issues.)
I would like to understand what are the specific features needed for a 2WD -- can you please tell me?

So, I wish to have a firmware to make these controllers generic ones, that can be controlled by UART from Arduino or such, like sending commands to start the motor, running forward with max current of 10 amps and max speed of 30km/h.

Post by kappa7 » Oct 08 2017 11:29am

The controller has already a 2.2kohm resistor in series with the uart lines, so a 3.9kohm on the TX line connected to ground is enough to have a 3.2V CMOS signal.

Post by casainho » Oct 30 2017 1:21pm

Can someone please help me understand how to calc xor 2?? I can calc xor ok, as I am already sending information with success to the LCD (and the motor now works pretty well as original firmware):

Post by jbs » Oct 31 2017 6:14pm

casainho wrote:Can someone please help me understand how to calc xor 2??
You should just be able to perform the calculation given your value, depending on your programming language

E.g. 10 xor 2 = 8

In C it would be x ^ 2 = result, e.g. 10 ^ 2 = 8

Post by casainho » Oct 31 2017 7:59pm

jbs wrote:
casainho wrote:Can someone please help me understand how to calc xor 2??
You should just be able to perform the calculation given your value, depending on your programming language

E.g. 10 xor 2 = 8

In C it would be x ^ 2 = result, e.g. 10 ^ 2 = 8
I got it and working, however that data I got from my LCD5, I had to do "xor 9" for having a correct CRC:

Code:

    // validation of the package data
    ui8_crc = 0;
    for (ui8_i = 0; ui8_i <= 12; ui8_i++)
    {
      if (ui8_i == 7) continue; // don't xor B5 (B7 in our case)
      ui8_crc ^= ui8_rx_buffer[ui8_i];
    }

    if ((ui8_crc ^ 9) == ui8_rx_buffer[7]) // see if CRC is ok
    {
      // CRC matches: the packet can be processed here
    }

Post by MisterMint » Apr 18 2018 4:28pm

Sorry for the late reply, project got delayed for reasons.

@casainho: Why 2 WD?

It's the most stealthy way to pack some power onto a bike imho. Q100C and Q100H are really tiny & light motors, they don't cry "e-bike" from first glance, but if you keep watching the temps you can feed them around 1 kW for a limited time. Nylon gears will wear out for sure quickly, but this stuff is cheap. Once you manage to open your used motor you can even replace the gears by 3D printed ones: https://www.thingiverse.com/thing:2123772

One of them is already nice, running the Q100H 36V @ 48V 20A in the front right now. (I know, I most likely do magnetically saturate it, but it works like a charm..) Problem: You can easily kill it when it's summer and you go up a long, steep hill. Been there, seen that. :roll:

Two of them should be strong enough to pull you up any hill without going below the magical 20 km/h - this is where efficiency on the Q100x 201 rpm versions really drop, which leads to quick overtemp.

Two light motors have better weight distribution than one large (even though I was not amused when I recognized the lower agility with such a heavy front wheel on gravel and the like - but I do not drive around gravel often..), and should also give better traction, as both wheels are "biting" into the ground. Last but not least redundancy is a good thing, when one fails you can still go home without hassle.

Time will tell if 2WD is really as good as I believe.. ;-)

about the project:

So, finally I have second motor mounted (with torque arm), second controller modded to XT60, (really expensive) bare HIGO plugs and a small arduino which runs 5V TTL on my table. (ESP32 still sucks when it comes to use the internal Wifi/Bluetooth with Arduino firmware.).

My Higo Plug (with cable already attached) has 5 pins. The cable colors do not match with anything I can find on the net.
Looking at the male plug, counting from one to five clockwise, while the nipple is at the bottom I have following colors:

1: Red
2: White
3: Brown
4: Green
5: Black

Does anybody know what is what?

Post by Blik86 » Jun 10 2019 2:16pm

KT LCD6 protocol
[Attached image: KT LCD6 protocol.jpg]
Attachments:
- LCD6 to KTcontroller1.xls

Post by flangefrog » Jul 28 2019 5:20am

Blik86, thanks for the chart. I'm not able to view the spreadsheet properly on LibreOffice. Can you please explain what C4S and C4% are? Also what is L1?

Edit, found what C4S and C4% are referring to in the manual:
When C4 = 2 is confirmed, "specified speed limit value of handlebar" flashes, press (UP) button or (DOWN) button for short to make selection, and the default value is 20.
When C4 = 4 is confirmed, the "percentage value of the first gear speed accounts for its full speed" of the power assist gear flashes, press (UP) button or (DOWN) button for short to make selection, and the default value is 50%. The percentage values of other gears divide automatically in equal.

Post by zlabs67 » Jan 30 2020 3:40pm

jbs wrote:
Jun 26 2017 11:57pm
...
The final xor 2 required in the crc calculation varies, even for exactly the same message but at different sessions/times - sometimes an even number in the final xor is required and sometimes an odd number.
....
To compute the checksum correctly, start with crc=0x0E and do not include the first byte.

Code:

    crc = 0x0e
    for i, v in enumerate(rxbuffer):
        if i != 5 and i != 0:
            crc ^= v
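
The two checksum recipes from this thread, jbs's learn-the-final-xor approach and zlabs67's 0x0E seed, side by side in C as an added example (not code from any poster or from the firmware project). The packet length, the three-packet learning threshold and every packet byte are constructed assumptions; for packets built with the seeded rule, the learned constant works out to B0 xor 0x0E.

```c
/* Added example, not code from the thread; KT_LEN, KT_LEARN_MIN and all packet bytes are constructed. */
#include <stdint.h>
#include <stdio.h>

#define KT_LEN       13 /* assumed packet length */
#define KT_CRC_INDEX 5  /* B5 carries the checksum, as in the thread */
#define KT_LEARN_MIN 3  /* assumed: packets that must agree before k is trusted */
typedef struct { uint8_t k; unsigned agree; } kt_session;

/* XOR seed with bytes first..len-1, skipping B5. */
static uint8_t kt_fold(const uint8_t *p, size_t len, size_t first, uint8_t seed) {
    for (size_t i = first; i < len; i++)
        if (i != KT_CRC_INDEX) seed ^= p[i];
    return seed;
}

/* jbs's approach: recover the final-xor constant k from the first packets of a
 * session, then enforce it. Returns 1 = valid, 0 = still learning, -1 = reject. */
static int kt_check(kt_session *s, const uint8_t *p, size_t len) {
    if (len <= KT_CRC_INDEX) return -1;
    uint8_t k = kt_fold(p, len, 0, 0) ^ p[KT_CRC_INDEX];
    if (s->agree >= KT_LEARN_MIN) return k == s->k ? 1 : -1;
    if (s->agree && k == s->k) s->agree++; else { s->k = k; s->agree = 1; }
    return 0;
}

/* Constructed packet whose B5 follows zlabs67's rule: seed 0x0E, skip B0 and B5. */
static void kt_make(uint8_t *p, uint8_t b0, uint8_t fill) {
    for (size_t i = 0; i < KT_LEN; i++) p[i] = (uint8_t)(fill + 3 * i);
    p[0] = b0;
    p[KT_CRC_INDEX] = kt_fold(p, KT_LEN, 1, 0x0E);
}

/* Learn k from six constructed packets sharing one B0; -1 if any was rejected. */
static int kt_demo_learn(kt_session *s, uint8_t b0) {
    uint8_t p[KT_LEN];
    s->k = 0; s->agree = 0;
    for (uint8_t n = 0; n < 6; n++) {
        kt_make(p, b0, (uint8_t)(0x10 + n));
        if (kt_check(s, p, KT_LEN) < 0) return -1;
    }
    return s->k;
}

/* Learn with b0_session, then check one packet built with b0_packet, optionally bit-flipped. */
static int kt_demo_check(uint8_t b0_session, uint8_t b0_packet, uint8_t flip) {
    kt_session s;
    uint8_t p[KT_LEN];
    if (kt_demo_learn(&s, b0_session) < 0) return -2;
    kt_make(p, b0_packet, 0x42);
    p[8] ^= flip; /* payload byte, not B0 or B5 */
    return kt_check(&s, p, KT_LEN);
}

int main(void) {
    printf("clean=%d bitflip=%d other-B0=%d\n", kt_demo_check(0x0C, 0x0C, 0),
           kt_demo_check(0x0C, 0x0C, 0x01), kt_demo_check(0x0C, 0x0D, 0));
    return 0;
}
```

An XOR fold like this only catches line noise: any device on the UART can compute a valid B5, so a passing checksum says nothing about who sent the packet.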

Post by Blik86 » Mar 30 2020 11:53am

zlabs67 wrote:
Jan 30 2020 3:40pm
The final xor 2 required in the crc calculation varies, even for exactly the same message but at different sessions/times - sometimes an even number in the final xor is required and sometimes an odd number.
CRC = (xor B1,B2,B3,B4,B6,B7,B8,B9,B10,B11)
