Panasonic Battery for bike


Ndidier
Tue, 05 Feb 2019 @ 15:08:00

Hello Everyone,

I'm trying to repair my bike battery and there is a coded frame sent over UART at the start of the bike.

Motor to battery : FFFF14C2F00A8059F37B878EDBDF8DAE7DCC8164443F9BEFA4

Battery to motor : FFFF14E26FC8C84393FF5673D8D3A9007A0A5DECDA300E2212

The first frame Motor to battery is like random, and the answer of the battery is based on the first frame.

I got many different frames sampled on a working bike, but I don't know how to calculate the second frame based on the first frame.

If someone knows how to decode this, that will be very helpful for me.

I've sampled many other frames in the attached files.

What I have always found is:

The FF FF is the synchronisation

The 14 means the number of data

C2 means I'm the motor, and E2 I'm the battery

All the next chars are DATA

The last 2 chars are modulo 0x100 from 14 to the end.

Regards Nicolas


Rezza
Tue, 05 Feb 2019 @ 16:03:56

Why do battery and motor need a challenge/response protocol?


Ndidier
Wed, 06 Feb 2019 @ 07:07:15

I think the battery manufacturer doesn't want people to change the battery cells by themselves.
So they put in a challenge/response protocol so that customers buy another official battery and pay around 900€ for it.
If I change the cells myself, that will cost about 100€ (price of cells).


Rezza
Wed, 06 Feb 2019 @ 09:24:26

To make that work, manufacturer must be able to key battery to motor?
Else you could still swap batteries between bikes?

Does same challenge to battery always give same response?
What could it be keyed with? Serial number of motor?


Ndidier
Wed, 06 Feb 2019 @ 09:51:01

If there is no answer from the battery to this challenge/response protocol, the bike LEDs blink and the bike doesn't work.

I confirm that it is possible to swap batteries between bikes.

And yes, the same challenge to the battery always gives the same response.

I think the key is the same from one battery to another one (I need to check to be sure).


Rezza
Wed, 06 Feb 2019 @ 10:05:18

No replay protection and possibly no unique key between motor/battery?
It does sound more like manufacturer monopoly than real security

The battery is surely just a group of Lithium cell like 18650?
Any security surely cannot be in the cells themselves?

What are you fitting to see the error? Some kind of generic
aftermarket battery pack?

Can you not just open a genuine battery pack and replace individual
cells and leave protocol part alone?


Ndidier
Wed, 06 Feb 2019 @ 10:27:50

No, the security is not in the 18650 cells; the security is in the BMS, in the microcontroller (RENESAS m37512).

I know that it would be easier to just replace the 18650 cells and keep the original BMS PCB with the protocol, but in most cases the BMS PCB is broken and that's why the cells are dead.
I have many PANASONIC batteries, and that's why, if I manage to crack that challenge/response protocol, I'll be able to put in my own better-quality electronics and put more capacity inside.

In order to see the error I just disconnect the communication between the battery and the motor.
Or I've tried to send one challenge/response and some other data sent by the battery with my microcontroller, but the motor saw that the challenge/response was wrong and the bike LEDs blinked.


Rezza
Wed, 06 Feb 2019 @ 11:05:50

I look at your example challenge/response where you change one bit

Code:
// Here I have sent frames to the battery myself, modifying them one bit at a time

FFFF14C2F00A8059F37B878EDBDF8DAE7DCC8164443F9BEFA4
FFFF14E26FC8C84393FF5673D8D3A9007A0A5DECDA300E2212

FFFF14C2F00A8059F37B878EDBDF8DAE7DCC8264443F9BEFA3
FFFF14E2DA9EF07E7E16386627AD812A2778C4207A4BC281E8

FFFF14C2F00A8059F37B878EDBDF8DAE7DCC8264443F9CEFA2
FFFF14E2BEF03F3013C9A31150BD42687BD996AA3EC47EE578

FFFF14C2F10A8059F37B878EDBDF8DAE7DCC8264443F9CEFA1
FFFF14E2FD6DD64DA44F807132CDAF47BFF77E48FF4261F492

I'm puzzled, because you say last two bytes are checksum?

Code:
FFFF14C2 F00A8059F37B878EDBDF8DAE7DCC8164443F9B EFA4
FFFF14E2 6FC8C84393FF5673D8D3A9007A0A5DECDA300E 2212

FFFF14C2 F00A8059F37B878EDBDF8DAE7DCC8264443F9B EFA3
FFFF14E2 DA9EF07E7E16386627AD812A2778C4207A4BC2 81E8

FFFF14C2 F00A8059F37B878EDBDF8DAE7DCC8264443F9C EFA2
FFFF14E2 BEF03F3013C9A31150BD42687BD996AA3EC47E E578

FFFF14C2 F10A8059F37B878EDBDF8DAE7DCC8264443F9C EFA1
FFFF14E2 FD6DD64DA44F807132CDAF47BFF77E48FF4261 F492

Are you not changing bit in checksum here instead of last
bit of challenge? This look to battery like same 19 byte
challenge with corrupted checksum?

And last challenge starts F1 instead of F0 like others?


Rezza
Wed, 06 Feb 2019 @ 11:26:07

OK now see you are changing random bit in the challenge and checksum
change due to this

What make you choose bit to change and why not just change last or first
bit of challenge?

The all zero challenge and all zero with last bit set would be interesting
Looks like a hash could be part of this protocol, because one bit change in
challenge changes many bits in response, maybe even the expected 50% for a
good random hash?


Ndidier
Wed, 06 Feb 2019 @ 19:54:53

Code:
FFFF14C2 F00A8059F37B878EDBDF8DAE7DCC8164443F9BEF A4
FFFF14E2 6FC8C84393FF5673D8D3A9007A0A5DECDA300E22 12

FFFF14C2 F00A8059F37B878EDBDF8DAE7DCC8264443F9BEF A3
FFFF14E2 DA9EF07E7E16386627AD812A2778C4207A4BC281 E8

FFFF14C2 F00A8059F37B878EDBDF8DAE7DCC8264443F9CEF A2
FFFF14E2 BEF03F3013C9A31150BD42687BD996AA3EC47EE5 78

FFFF14C2 F10A8059F37B878EDBDF8DAE7DCC8264443F9CEF A1
FFFF14E2 FD6DD64DA44F807132CDAF47BFF77E48FF4261F4 92

There is a misunderstanding: I have changed the checksum, this is the 2 last octet, sorry about that.

I have changed some bits at random; I didn't do this following any real logic.

I think it's a good idea to try with 00000000000000000000000000000000000000000000 and with 00000000000000000000000000000000000000000001

I will also try with another battery card to check if the response is the same.
I'm not at home for one week; I will try it when I get back ^^
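
The frame layout from the first post and the bit-change observation made later in the thread, worked through as an added example that is not part of any post: it parses the thread's sample frames, checks the trailing byte, and counts how many response bits change between two exchanges. The function names are this example's own, and the checksum rule is the one the sample frames satisfy (length byte through final byte sums to 0 modulo 0x100).

```python
# Added example: frame layout and sample frames come from the thread above;
# function names and the avalanche summary are this example's own.
SYNC = b"\xff\xff"
SENDERS = {0xC2: "motor", 0xE2: "battery"}

# (challenge, response) pairs copied from the thread.
PAIRS = [
    ("FFFF14C2F00A8059F37B878EDBDF8DAE7DCC8164443F9BEFA4",
     "FFFF14E26FC8C84393FF5673D8D3A9007A0A5DECDA300E2212"),
    ("FFFF14C2F00A8059F37B878EDBDF8DAE7DCC8264443F9BEFA3",
     "FFFF14E2DA9EF07E7E16386627AD812A2778C4207A4BC281E8"),
]


def parse_frame(hex_frame):
    """Split a frame into sender, data and checksum, and verify the checksum."""
    raw = bytes.fromhex(hex_frame)
    if len(raw) < 5 or raw[:2] != SYNC:
        raise ValueError("frame does not start with the FF FF sync")
    length, sender = raw[2], raw[3]
    if len(raw) != 4 + length + 1:
        raise ValueError("length byte does not match the frame size")
    return {
        "sender": SENDERS.get(sender, "unknown"),
        "data": raw[4:4 + length],
        "checksum": raw[-1],
        # Sample frames: length byte through checksum sums to 0 mod 0x100.
        "checksum_ok": sum(raw[2:]) % 0x100 == 0,
    }


def bit_distance(a, b):
    """Number of differing bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(pair_a, pair_b):
    """Bits changed in challenge and response data between two exchanges."""
    (ca, ra), (cb, rb) = [tuple(parse_frame(f)["data"] for f in p)
                          for p in (pair_a, pair_b)]
    return bit_distance(ca, cb), bit_distance(ra, rb), 8 * len(ra)


if __name__ == "__main__":
    for challenge, response in PAIRS:
        print(parse_frame(challenge)["checksum_ok"],
              parse_frame(response)["checksum_ok"])
    print(avalanche(PAIRS[0], PAIRS[1]))
```

For the two exchanges used here, the challenge byte change 81 to 82 flips two bits, while a little over half of the 160 response data bits differ.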


