Lishui "Open Source Firmware" project / KingMeter 5S
- Thread starter AndZab
- Start date
sensorless motor cable for a sensorless motor without hall and speed sensors
manman
10 W
That can't be true this is the cable that comes out a Bafang rear hub motor 750watt
higo L1019 then?
hi did you manage to compile the app? maybe updated it to latest flutter sdk?
bridgejumper
1 µW
Hey everyone, hope this reaches y'all well. Thanks for all the information!! I've been deep diving into this firmware and my controller. I have a rad power bike expand5 and the controller will work with the firmware but it did not come with an LCD screen so I built what was needed for the ebics flutter. I was just wanting to make sure if I flash without a dedicated screen I could use the flutter in it's place. Also is there any way other than wiping the controller then reflashing with what I'm 90% sure is the firmware I was able to rip off the controller via an exploit to see if what I extracted is the original firmware that was behind the read protection ? I've ran it through a few different decompilers to search for anything that would point me to knowing it is the whole firmware. I did burn it to a blue pill and "watched" it run inside STM cube if you could call it watching. So whatever it is actually does something lol. I would just like to ensure I captured the firmware before it's lost forever since I know I can do it, I just don't have any extra controllers or bikes to test it with. Thanks for y'all's time!
The controller was potted and I thought it was going to be worse than it was, my hot air station made quick work of softening it up to pull it apart!
Bluepill picture is just me setting up to practice the exploit before I attempted it on the controller to make sure I didn't screw anything up lol, I ended up switching to a pico rather than a rp2040 zero I have put through hell and back.
The controller was potted and I thought it was going to be worse than it was, my hot air station made quick work of softening it up to pull it apart!
Bluepill picture is just me setting up to practice the exploit before I attempted it on the controller to make sure I didn't screw anything up lol, I ended up switching to a pico rather than a rp2040 zero I have put through hell and back.
stancecoke
1 MW
Interesting, I know, that the STM32 can be hacked somehow to get the firmware even, if the ROP bit is set. You can send me your binary via PM, then I can check it with a similar controller.
I'm looking forward to see your progress!
regards
stancecoke
Last edited:
bridgejumper
1 µW
Thanks for all the work you have done on this project! I sent it over along with a bunch of unnecessary rambling and explanations for my actions along the process I have been taking lolInteresting, I know, that the STM32 can be hacked somehow to get the firmware even, if the ROP bit is set. You can send me your binary via PM, then I can check it with a similar controller.
I'm looking forward to see your progress!
regards
stancecoke
bridgejumper
1 µW
The process is pretty straight forward and I am sure with your background/knowledge it would be super easy for you, take a look at stm32f1-picopwner on github if you want to check it out, there are 2 or 3 other flavors of the attack as well on github I just chose that one after looking over them since that one uses a attack firmware that gets loaded to the SRAM then does the voltage glitch till SRAM loads the exploit firmware causing the memory to be dumped. It was so easy I wondered if it was because this 1500~ USD bike is using a freaking cloned stem32f1 lol
stancecoke
1 MW
How did you get access to the Boot0 and NRST pin? Boot0 seems to be connected to GND permanently on the Lishiu PCB?! Did you desolder the whole processor?
Last edited:
bridgejumper
1 µW
Yeah sorry, I just took a actual bluepill, removed its chip then did the same with the controller and popped it on the bluepills board and ran the attack from there. I still havent put the bluelpill back together lol
Attachments
Hello,
for those who tested these boards, how would you compare the M365 controller board, the Flipsky 75100 and the 12 FET Lishui?
In term of processing, the 75100 is way more powerful (M4@170Mhz) than the others but seem to have a lot of QC issues.
My goal is to drive a DD hub motor (max 40A).
Oh, and I want to use an open source firmware (need full control of the controller).
Thank you!
for those who tested these boards, how would you compare the M365 controller board, the Flipsky 75100 and the 12 FET Lishui?
In term of processing, the 75100 is way more powerful (M4@170Mhz) than the others but seem to have a lot of QC issues.
My goal is to drive a DD hub motor (max 40A).
Oh, and I want to use an open source firmware (need full control of the controller).
Thank you!
stancecoke
1 MW
The processing power is not relevant for a DD hub motor. The STM32F103 in the M365 and Lishui is sufficient to do (sensorless) FOC at 16kHz PWM frequency. I see no advantages in using higher PWM frequencies with the low electrical rpms of a DD hub motor.
The Lishuis have a lot of measures to meet the reqiurements of the standard EN 15194 regarding the electromagnetic compatibility. The M365 is a 6FET, you would have to solder in much better MOSFETs, if you want to go with max 40 amps battery current, I guess.
Thanks for this quick reply stancoke (and for all your shared works!).
The processing power is actually mainly for the sensorless mode. Couple of years back I played with some STM brushless driver eval board, and VESC, and I remember that the full torque standstill algorithm took a lot of processing time (even @168Mhz and with FPU).
The processing power is actually mainly for the sensorless mode. Couple of years back I played with some STM brushless driver eval board, and VESC, and I remember that the full torque standstill algorithm took a lot of processing time (even @168Mhz and with FPU).
I have an foc controller trying to get to work with egg rider but constant eff error. It’s definitely a Lishui type controller but currently working with yolin yl81f display want to swap to eggrider for more control and to release speed limiter have an Edikani build with 1000 watt hub motor. How can I reprogram no displays will work eggrider will function and connect but won’t communicate?
badboy1999
10 mW
This is the €54 Lishui integrated (into battery mount) controller from yosepower, which can be shipped from Germany or China. Not quite sure if this is a real or imitation ST microcontroller, maybe someone can shine a light on this.
I spent quite a few hours getting the potting compound off to find the programming pins, but I found them, now someone else can do the job much quicker. Although from this thread it seems the display connector can be used to flash firmware?!
Some tips for people working on this:
The whole project is abandoned for now as I fixed my other bike, but when building a new bike I know where to start.
I spent quite a few hours getting the potting compound off to find the programming pins, but I found them, now someone else can do the job much quicker. Although from this thread it seems the display connector can be used to flash firmware?!
Some tips for people working on this:
- use thin wires to connect to the programming pins on the PCB, otherwise the connection ends up having a lot of thermal mass, making it difficult to unsolder the wires or fix it when pads get bridged with solder (see 3rd attached picture, quite a mess). When I used 'thick' wires it took ages to melt the solder, even with a ts100 soldering iron and the biggest tip and fresh flux. Probably because the pad is quite small relative to the wires. Thin wires like from the cord of a computer mouse would be much better.
- I don't think it's necessary to remove the PCB from the backplate. If you use a scalpel to cut just the potting compound on top of the pads, it's feasible to solder wires on top of the pads (no need to put them all the way through)
The whole project is abandoned for now as I fixed my other bike, but when building a new bike I know where to start.
Attachments
afzal
100 W
With only a picture, authenticity of ST chip cannot be found out; it would require IC purchase paperwork, package label etc.
stancecoke
1 MW
This is not a FOC controller. The EBiCS firmware is not compatible.
There is an open firmware for this simple square wave controller to switch to power levels in PAS mode or for the integration of a bottom bracket torquesensor also, but I have only tested it with the small 6FET that is also available at Yose.
GitHub - stancecoke/Lishui9FET
Contribute to stancecoke/Lishui9FET development by creating an account on GitHub.
github.com
regards
stancecoke
Mike747
10 mW
Hi, I would like build a bike based on one of these Lishui OS controllers .
At fist I will test a bit before putting a definite bike together.
I found a motor (for now) that should work (Sanyo geared front wheel motor). I flashed the OS firmware in the controller and ran the "autodetect" sequence and the motor should be fine for use.
To put the controller in a bike for testing, I would like to add some functions (cables) to my controller. It is quite bare-bones now.
Besides battery and motor (9-pin cable) only a display connector is attached. I like to add: Throttle, PAS, brake and lights.
I would like to use the "old-fashioned" JST connectors on the controller. In the red circles are some pads that are not labeled unfortunately. What are the correct pins on the PBC to use for these functions?
*Throttle: SP ?
*PAS: TA ?
*Brake: ?
*Lights: TB ? I think I would like to use a step-down convertor to have 6V for lights. Do I use VB+ (or SW?), GND and TB to hook up a step-down convertor?
Thanks in advance!
.At fist I will test a bit before putting a definite bike together.
I found a motor (for now) that should work (Sanyo geared front wheel motor). I flashed the OS firmware in the controller and ran the "autodetect" sequence and the motor should be fine for use.
To put the controller in a bike for testing, I would like to add some functions (cables) to my controller. It is quite bare-bones now
.Besides battery and motor (9-pin cable) only a display connector is attached. I like to add: Throttle, PAS, brake and lights.
I would like to use the "old-fashioned" JST connectors on the controller. In the red circles are some pads that are not labeled unfortunately. What are the correct pins on the PBC to use for these functions?
*Throttle: SP ?
*PAS: TA ?
*Brake: ?
*Lights: TB ? I think I would like to use a step-down convertor to have 6V for lights. Do I use VB+ (or SW?), GND and TB to hook up a step-down convertor?
Thanks in advance!
Last edited:
stancecoke
1 MW
You can find the labels for PAS (TA), light (TB), brake (BKL) etc on the pinout at GitHub. PAS and brake need +5V supply and GND additionally.
The light function requires an additional light module, the pin on the PCB can not handle the necessary current, it can only be used to switch the on the module, a DC/DC converter with enable input for example.
The three unlabeled solder pads are not for cables, but for a THT component, I guess. You would have to show a photo of the opposite side of th PCB, to see what they belong to.
regards
stancecoke
The light function requires an additional light module, the pin on the PCB can not handle the necessary current, it can only be used to switch the on the module, a DC/DC converter with enable input for example.
The three unlabeled solder pads are not for cables, but for a THT component, I guess. You would have to show a photo of the opposite side of th PCB, to see what they belong to.
regards
stancecoke
Last edited:
Mike747
10 mW
Thanks Stancecoke!
. SP should be correct for Throttle then. I updated the picture!
I cannot find "BKL" on the controller-pbc. Can you see which connection it could be?
The left white wire is connected to a 2-pin higo-connector (I have to remove this one). The red wire on the right was not connected, I think it was put there like that to hold the white "housing" in place (they did this somewhere else also).
I found TA and TB on the pcb
. SP should be correct for Throttle then. I updated the picture!I cannot find "BKL" on the controller-pbc. Can you see which connection it could be?
The left white wire is connected to a 2-pin higo-connector (I have to remove this one). The red wire on the right was not connected, I think it was put there like that to hold the white "housing" in place (they did this somewhere else also).
stancecoke
1 MW
You could look at the processor, maybe PA11 and PA12 are used for CAN. You you see, where the traces of PA11 and PA12 are going to?
On the new generation controllers both pins are used for CAN and BKL is on PA15
Last edited:
Mike747
10 mW
I attached throttle and PAS connectors and flashed again (to get out of autodetect mode and to work with Kunteng display)
I can turn the wheel now using a throttle
.
observations:
-The controller housing gets warm almost right away, while only spinning up the wheel shortly for a few times.
-Batt status, motor watt. and temp is displayed, PAS level can be set.
-I do not get speed; there is no speedsensor connected. Can the controller determine speed without a sensor?
-When I "open up" the throttle, the temp stops being displayed, instead a "loop" of display segments runs. When the wheel starts spinning (a bit more power is applied by the throttle) the temp is displayed again.
What happens to the settings in the Kunteng display (I used it before to "program" (and use with) Kunteng controllers)?
Next step would be to build the wheel into a bike to do a road test.
I can turn the wheel now using a throttle
.observations:
-The controller housing gets warm almost right away, while only spinning up the wheel shortly for a few times.
-Batt status, motor watt. and temp is displayed, PAS level can be set.
-I do not get speed; there is no speedsensor connected. Can the controller determine speed without a sensor?
-When I "open up" the throttle, the temp stops being displayed, instead a "loop" of display segments runs. When the wheel starts spinning (a bit more power is applied by the throttle) the temp is displayed again.
What happens to the settings in the Kunteng display (I used it before to "program" (and use with) Kunteng controllers)?
Next step would be to build the wheel into a bike to do a road test.
stancecoke
1 MW
I can turn the wheel now using a throttle
If you set the speedsensor to INTERNAL, you will get the speed displayed as long as the motor is engaged. When freewheeling, there will be no speed signal.
The Kunteg P- and ... Settings are ignored mostly. I prefer to setup the system with the laptop, and not to fiddle with three buttons through a thousand submenues
regards
stancecoke
Mike747
10 mW
thanks! Do you mean the setting in de advanced menu: use external speedsensor for speed limit?
