Add Bluetooth to generic Chinese EUC

[Dmitry Key]

I've bought cheapest nameless (though, sometimes referred as Hoverbot S2 or some Airwheel) EUC for training and decided to try to add a Bluetooth feature. I'll describe my path here.

Our two main goals are software and hardware. For software I decided to stick to Wheel Log, as it is open source and I can get all UUIDs and data formats I need from the code. The hardware is a bit tricky. It consists of two parts - sensors and microcontroller. Implementing sensing circuitry is hard - high voltages and currents, small and noisy signals from shunts. I'd better avoid it. So let take a look at the controller board and see what it has.

I've marked most important components and connectors. Board name is swk02 and it is build on GD32F130C8T6 MCU and (probably) MPU6881 gyro. There are two empty connector places - F_WRITE and DEBUG. F_WRITE is definitely an SWD interface and is of no use since MCU is locked (I have not tested, though) and can only be erased. DEBUG connector could probably help us a lot. If it will provide required data, there will be no need in building sensing circuitry. Lets connect USB-UART converter and check.

Here is the dump I got at baud rate 115200. It has some patterns in it:

Quote

AA AA F1 06 00 00 00 00 00 00 4B 
AA AA F1 06 00 00 00 00 FF FF 49 
AA AA F1 06 00 00 00 00 FF FE 48 
AA AA F1 06 00 00 00 00 FF FD 47 
AA AA F1 06 00 00 00 00 FF FC 46 
AA AA F1 06 
AA AA F1 06 FF FD 00 00 FF F6 3C 
AA AA F1 06 FF FD 00 00 FF F6 3C 
AA AA F1 06 FF FD 00 00 FF F6 3C 
AA AA F1 06 FF FD 00 00 FF FA 00 00 00 08 4C 
AA AA F1 06 FF FA 00 00 00 0A 4E 
AA AA F1 06 FF FA 00 00 00 0B 4F 
AA AA F1 06 FF FA 00 00 00 
AA AA F1 06 00 00 00 01 00 37 83 
AA AA F1 06 00 01 00 01 00 38 85 
AA AA F1 06 00 01 00 01 00 3A 
AA AA F1 06 00 16 00 02 00 56 B9 
AA AA F1 06 00 16 00 01 00 57 B9 
AA AA F1 06 00 00 00 01 00 
AA AA F1 06 FF F9 FF FE FF FB 3A 
AA AA F1 06 FF F8 FF FE FF FA 38 
AA AA F1 06 FF F7 
AA AA F1 06 FF E7 00 00 FF FA 2A 
AA AA F1 06 FF E8 00 00 FF FB 2C 
AA AA F1 06 
 

I'm not sure if baud rate is correct, but at least the dump is not complete garbage like I got at 57600 or 9600. My next step is to make Bluetooth UART to dump data directly to PC for processing. Maybe I'll be able to figure out what bytes stand for what.

Two more photos attached.

Edited April 14, 2019 by Dmitry Key
typo

[Inductores]

Hello, could you please try to read the original firmware from the microcontroller? It might be under read-out protection, but it would be great to get it if possible.

[Dmitry Key]

52 minutes ago, Inductores said:

Hello, could you please try to read the original firmware from the microcontroller? It might be under read-out protection, but it would be great to get it if possible.

It will most certainly brick my controller, so no.

[Inductores]

22 hours ago, Dmitry Key said:

It will most certainly brick my controller, so no.

Why? Only if you don't erase the Flash memory you won't brick anything

[yuweng]

electric_vehicle_lover got some info regarding your controller here

[Dmitry Key]

On 4/16/2019 at 4:26 PM, Inductores said:

Why? Only if you don't erase the Flash memory you won't brick anything

An attempt to read locked MCU will erase it.

On 4/17/2019 at 5:03 PM, yuweng said:

electric_vehicle_lover got some info regarding your controller here

Thanks!

[Dmitry Key]

I've made a wireless link (stm8+nrf24) to my PC and was able to capture more data (see attached file). Wonder if I'll be able to decode it.

ewheel.log

Edited May 4, 2019 by Dmitry Key
mention attach