By jayjay23 in Mods, Repairs, & DIY,
I've bought a generic EUC and found the speed limit to be a bit annoying, still being aware there will be any kind of hardware limitation (battery (voltage drop), motor heat, controller heat).
As a software developer being a little into hardware as a hobby I thought it would be great to have the firmware at hand and do any kind of adaptation possible (reading more of this forum also some security aspects like cut off could be tuned). So I questioned myself whether it may be possible to do it just by owning the hardware as I don't expect to find anybody at all and somebody finally willing to share the code.
When opening it for installing a bicycle computer I had a look at the controller and it uses a STM32 (F103C8T6) controller for which I could find the manual with all information like
pinout etc.
  Searching for whether the flash can be written 'and' read I found that it's possible as long as there has been no explicit read lock set by the manufacturer. As I hope that this is not the case I diged further and found that the interfaces this STM32 should have for programming is some serial interface and a JTAG (being on the same PINs and automatically switched). The spec. for the chip clearly states which PINs these are and if somebody every looked into the world of firmwares (e.g. OpenWRT) for wireless routers, it seems standard that some of the programming/debugging interfaces are just left on the board, so it's the same case for my controller board:   Fortunately I still don't own a JTAG adapter, but now one is ordered. I also found an interesting paper from blackhat conference showing available tools, JTAG finding and some more ( So this is were I'm currently, quite at the beginning, but I would like to know if anybody has some input or ideas to contribute. This could fast also be a dead end road but let's see, if the image can be read (I will first try with openOCD) it should be possible to disassemble and decompile, maybe it will be hard to recompile it, but maybe some things can be adjusted by just working on the raw image. If there is some progress I will add it here. EDIT (16.09.2015): Replaced image showing debug connector to show now used SWD (Serial Wire Debug) pin out (STM32 also has JTAG but on my board layout two of the JTAG pins are used for the power LEDs, so they are redefined as GPIO, while SWD works fine).
  • 1,184 replies