Knifa

  1. FWIW I've also been riding pretty much every day near top speed on a bumpy/rough road with no problems since I posted a couple of weeks back. This is with the Ninebot S2. The alarm gives you plenty of warning to stop leaning too far forward.
  2. Good to hear you managed to measure it @Mimolette! Getting to some of them is pretty awkward without removing tape, etc. I thought I'd say as well, I've been riding on these batteries every day for like a year since (hitting 1500km+) with no issues. Worse things have happened since then like dropping the entire unit in a huge puddle and having to replace MOSFETs but it's still going!
  3. Sorry I kept misreading "reserve" as "reverse" so this and your previous post made no sense initially. I see what you're getting at --- this was a fairly obvious risk I knew going into it so thanks for a heads-up on more information! Ninebot set the stock speeds for a reason but I figure that there is some double extra safety margin in there that can be played around with.
  4. This thread is pretty difficult to grok --- do you have a summary of what the general advice is? Avoid riding at max. speeds? I'm fairly aware of the electric limitations of the wheel --- I'm mostly in it so it stops beeping at me constantly at decent cruising speeds.
  5. Just thought I'd chime in as well to say that I went for this today. 6km/h speed boost on the Ninebot S2 (24km/h -> 30km/h) is not insignificant! Cheers for your work on this, @MRN76.
  6. I couldn't find the exact replacement so I found ones that were similar from RS Components (STP110N10F7). https://uk.rs-online.com/web/p/mosfets/7863776/ I think they will ship internationally. The bolts are definitely in metric --- all of the other screws are!
  7. Fantastic work, @MRN76! With your tooling, is it possible to specify speed limits outside the normal range (e.g., above what the model would provide normally)? This looks pretty straightforward as long as you pick up the right equipment. Awesome stuff.
  8. Ninebot One A1/S1 users want to unlock the full capabilities of their unit, i.e., by using S2 firmware. Let's do that. Making a new thread for this since I've posted info elsewhere already, but not well contained. I've got an S2 here so, while I don't need the upgrade, I'm interested in making it happen and happy to help out. If we can figure out how to bump the speed up for the S2 as well along the way, that'd be pretty cool.

     Stuff we will definitely need:

       • Firmware files for both A1/S1 & S2.
       • A way to flash firmware to the unit, ideally in a way that's recoverable if it goes horribly wrong. Both direct in hardware and through software are options here.

     Stuff I've looked at for grabbing the firmware:

       • I looked into downloading the firmware by either decompiling the Android app or packet sniffing during firmware upgrade. Unfortunately, the Android app is packed with SeoNet and I was unsuccessful in unpacking it using android-unpacker (at least in the ADK emulator and on my device), so this ended pretty quickly. Perhaps someone else can try this on their device? You need to be rooted and to disable SELinux.
       • Grabbing anything useful from packet sniffing was also unsuccessful though I do have links to the endpoint (https://api4.ninebot.cn/v4/Vehicle/update_firmware). All requests are encrypted/encoded somehow and I was unable to figure out with what. It looks like Base64 but it is not. Responses are thankfully in plain text. Unfortunately, my S2 unit is up to date so I got nothing useful back. Requests to anything beyond /v4/sys/init return an invalid data response, even with the exact same request body. Requests seem to be keyed in some way. Every call to /v4/Vehicle/update_firmware is different, though only maybe 30-40 characters towards the end change. You can see in the response that, alas, there are no upgrades available. I've attached my Fiddler archive (ninebot.saz) if anyone else wants to take a crack at it.

     Stuff I haven't looked at for grabbing the firmware:

       • The board has pins on the back for a UART connection. The CPU (an STM32F3) has to be flashed during manufacturing at some point --- maybe this is it? STM32 chips come with a bootloader that allows you to both download and upload firmware over these pins. Not sure if you can disable this after the fact, though, and they could also be using their own bootloader (but unlikely?). I have a board for debugging STM32 chips so I can look into this. I strongly do not want to take my unit apart again but I'm psyching myself up for doing it so stay tuned!

     Stuff I've thought about for flashing the firmware:

       • If we can get the firmware files, and figure out the responses from the Android app when firmware upgrades are available, we can hijack the requests from the app and replace them with our own files (similar to what was done for the MiniPro, etc).

     Stuff that could be looked at by other people, or in the future:

       • If anyone has a unit that needs a firmware upgrade, or Ninebot release some new firmware, we can run the packet sniffing again and either grab the firmware file or work out where they are. This would be pretty good.

     Any other thoughts?
  9. The board doesn't have a JTAG but it does have UART TX/RX. Might be flashable/downloadable if they're using the stock bootloader from STM32. I've got an ST-LINK debugger board that I could try with but I'm wary of taking my whole unit apart again (mostly because it takes ages).

     I looked into downloading the firmware by either decompiling the Android app or packet sniffing during firmware upgrade. Unfortunately, the Android app is packed with SeoNet and I was unsuccessful in unpacking it using android-unpacker (at least in the ADK emulator and on my device), so this ended pretty quickly.

     Grabbing anything useful from packet sniffing was also unsuccessful though I do have links to the endpoint (https://api4.ninebot.cn/v4/Vehicle/update_firmware). All requests are encrypted/encoded somehow and I was unable to figure out with what. It looks like Base64 but it is not. Responses are thankfully in plain text. Unfortunately, my S2 unit is up to date so I got nothing useful back. Requests to anything beyond /v4/sys/init return an invalid data response, even with the exact same request body. Requests seem to be keyed in some way. Every call to /v4/Vehicle/update_firmware is different, though only maybe 30-40 characters towards the end change.

     I've attached my Fiddler archive if anyone else wants to take a crack at it.

     ninebot.saz
  10. I wonder if you stuck the S1 batteries in an S2, they'd charge to full capacity?
  11. Cheers! Yeah, it's in there fairly tight! At the very least, if it falls off again I can make another one.
  12. You could get something 3D printed? I've been looking at putting something together for mine too. Looks like there isn't anything existing on Thingiverse, though.
  13. I started having a poke at the Android APK but it's packed with Bangcle so decompiling it is a pain.
  14. If we can figure out how to pull the firmware from the app, we might be able to pull the S2 firmware files and flash them straight up. I really doubt there's any firmware signing or security stuff going on. Decompiling Android apps is straightforward but I think what you get out of it is a horrible mess, so not sure how well it would work.

      OR doing it fully in hardware: There's nothing like a JTAG on the board but there's a bunch of unpopulated 2.54mm pin headers. On the underside of the board there are two pins marked RX/TX, so possibly a UART? They have to flash the chip during manufacturing at some point... The microcontroller onboard is an STM32F3. If the pins underneath are indeed for the microcontroller's UART, and they're using the stock STM32 bootloader, it should be easy to both read the firmware off and write to it. I've got an STM32F3 dev board here with the ST-LINK debugger so I might be able to have a play around. I'd need to take my whole wheel apart again, though.