First trys with SPI direct interaction

Knight1 · Knight1 · commit e0485b1d16b2 · 2025-01-07T21:37:32.000+01:00
diff --git a/README.md b/README.md
@@ -1,24 +1,113 @@
-# VanMooof-Module 
+# VanMooof-Module S3
 
-### How to get started?
+This currently covers the MX25L51245GMI-08G-TR SPI Flash Chip on the SX3 and SX4 if you happen to have one of the few.
+
+This Chip features 512Megabits (64 Megabytes) of Flash capacity.
 
-You need the backside of the PCB from the Module to dump the SPI Flash which contains
+### Features
 
-- ble key
+- ble keys (read/write)
+  - bike comm
+  - bike Sharing
+  - Workshop
+  - bikecomm.vanmoof.com / ublox1.vanmoof.com
+    - /upload
+    - /ping-response
+      - 'guid':'%s','statistics':{'batt':%d,'mac':'%s','swv':'%s','dist':%d}
+    - /bike-message
+  - 
 - fmn key
 - all Firmwares
-  - Mainware
-  - Batteryware
-  - Shifterware
-  - bleware
+    - Mainware (STM32F413VGT6 LQFP100)
+    - Batteryware (STM32L072CZT6 LQFP48)
+    - Shifterware 
+    - Motorware
+    - bleware (TMS320)
 - Logs
+- Shell (UART) for the Module, BLE, 
+
+
+m2m.vanmoof.com
+ALARM_BMS_REMOVED
+SET_SHIPPING
+START_FROM_SHIPPING
+PLAY_FIRE
+RIDING_MODE
+CPU_STOP_MODE
+CPU_STOPPED
+SHOW_LOCK
+AUTOWAKEUP
+CARDRIDGE_REMOVED
+LIPOCHARGE
+RESET
+OAD_FILE_TRF
+OAD_UPDATE
+DIAGNOSE
+DIAG_RDY
+OAD_FINISH
+OAD_FAILED
+OAD_RX_SOUND
+FACTORY_TEST
+PLAY_SHTDN
+PLAY_LOCK_SHTDN
+PLAY_LOCK_FROM_SLEEP
+PLAY_SHTDN_RDY
+ALARM_DELAY_ON
+TURN_ON
+LOW_SOC
+PIN_START
+PIN_STUCK
+PIN_1ST
+PIN_2ND
+PIN_3ND
+PIN_CHECK
+PIN_OK
+PIN_SHOW_OK
+PIN_NOK
+PIN_NOK_SHOW
+UNLOCK
+EXTRA_ALREADY_UNLOCKED
+UNLOCK_COUNT
+UNLOCK_COUNT_TIMEOUT
+LOCK_PLAY_UNLOCK
+LOCK_PLAY_START
+LOCK_DIM_OFF
+LOCK_CLEAR
+LOCK_SETUP
+LOCK_PIC
+LOCK_COUNT
+COUNT_OFF
+COUNT_CLEAR
+FIND_MY_PLAY
+BIKE_SHIPPING_ACCIDENTAL_WAKE
+BIKE_SHIPPING_LIPOCHARGE
+POWERON
+SMS_INIT
+SMS_READ
+SMS_WRITE
+CTX_ACT
+CTX_DEACT
+PING_SEND
+MESSAGE_SEND
+LOCATION_SEND
+POWEROFF
+IDLE
+WST_DISCHARGE_MODE
+WST_CHARGE_MODE
+WST_BYPASS_MODE
+WST_NONE
+
+### How to get started?
+
+You need the backside of the PCB from the Module to dump the SPI Flash
 
 1. unlock bike and remove Module from the Frame
-   2. if you do not unlock the bike, the Alarm stays on and will annoy you. I used duct tape to cover the speaker.
+   2. if you do not unlock the bike, the Alarm stays on and will annoy you. I used duct tape to cover the speaker if i forgot it.
 2. open Module and unscrew all internal screws of the PCB to remove the PCB.
-3. On the backside of the PCB is a Winbond MX25L51245G with 512Mbit, so 64MB of Flash
+3. On the backside of the PCB is the Macronix 16 Pin SPI Flash Chip near the port for the back light. 
 4. Dump that Flash with an 16 Pin! SPI Flash Chip clamp and a Pi
-   5. I used an Raspberry Pi Zero v1.1. There you have to enable the SPI Interface with raspi-config 
+   5. I used an Raspberry Pi Zero v1.1. There you have to enable the SPI Interface with raspi-config
+
 ```console
 # sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -r rom.rom
 flashrom v1.2 on Linux 6.1.21+ (armv6l)
@@ -28,4 +117,126 @@ Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
 Using default 2000kHz clock. Use 'spispeed' parameter to override.
 Found Macronix flash chip "MX66L51235F/MX25L51245G" (65536 kB, SPI) on linux_spi.
 Reading flash... done.
-```
+```
+
+### Bootloader
+
+Press ESC until the MCU reboots and holds itself in the Bootloader.
+
+pack-process�ÀFÀprocess pack files in external flash memory�source/monitor/cmd_packfs.c�Processing pakfs
+
+
+### Shell login
+
+Look for a HEX Value starting with 76 45 56 6A 47 46 and ending with 00 00 00
+If you search for it in a Hex Editor you will notice the end very clearly because the next line begins with "Welcome to ES3"
+
+the sha512sum of the Password is
+7edd23b1c75e070db66475bb1869bee9dc64def2cb163dfea39ef8efcb534bf44db2da9e7307590222c516875fb4b07c7450556efd6520d986c5757ce3441bdd
+
+PBNjh0V46Eev8CcfS4LPJg
+
+
+### Err 23
+
+
+### Err Sim Card
+
+The Module is looking for a SIM Card with a specific ICCID (Integrated Circuit Card Identifier).
+
+The Prefix of that is 
+89 31 44 0400 
+MM CC II N{12} C
+
+MM = 89 (Mobile Networks)
+CC = 31 (Netherlands, The)
+II = 4X Vodafone
+N{12} = Account ID
+C = Checksum
+
+
+### Firmware
+We are looking for
+50 41 43 4B BC 16 09 00 40 01 00 00 4F 41 44 20 (PACK¼	�@��OAD)
+
+rom.rom
+
+The OAD PACK is like, strings were in 108A5C
+bleware.bin (It differs for the FMI Versions. Old Bikes do support FMI, it is just not in the Firmware. Just test it out.)
+mainware.bin
+motorware.bin
+shifterware.bin
+batteryware.bin
+
+
+
+0x0002000 ?
+0x005A000 BLE Secrets (60)
+0x005af80 M-ID/M-KEY (60)
+0x007c000 
+0x0280000 VM_SOUND
+0x0300000 VM_SOUND
+0x0380000 VM_SOUND
+0x2621440 VM_SOUND
+0x3145728 VM_SOUND
+0x4194304 VM_SOUND
+0x4718592 VM_SOUND
+0x5242880 VM_SOUND
+0x5767168 VM_SOUND
+0x6291456 VM_SOUND
+0x640XXXX unknown
+0x6815744 VM_SOUND
+0x7340032 VM_SOUND
+0x7864336 VM_SOUND
+0x8388608 VM_SOUND
+0x8912896 VM_SOUND
+0x9437184 VM_SOUND
+0x9961472 VM_SOUND
+0x10485760 VM_SOUND
+0x11010064 VM_SOUND
+0x11534336 VM_SOUND
+0x12058624 VM_SOUND
+0x12582912 VM_SOUND
+0x13107200 VM_SOUND
+0x13631488 VM_SOUND
+0x14155776 VM_SOUND
+0x14680064 VM_SOUND
+0x15204352 VM_SOUND
+0x15728640 VM_SOUND
+0x16252928 VM_SOUND
+0x16777216 VM_SOUND
+0x17301504 VM_SOUND
+0x17825792 VM_SOUND
+0x66965504 LOGS?
+// WRONG?
+0x3fdd000 LOGS
+
+
+READ AND DECODE LOGS
+6 GSM power ok
+1723060256  Info ask tracking
+1723060256 GSM_CMD_SMS_INIT
+1723060256 GSM: sms= 0
+1723060256 GSM_CMD_POWEROFF
+1723060256 Poweroff g350..
+1723060261 Poweroff g350 ok
+1723060261 ES3.1 Main  1.08.02
+1723060261 ES3 boot    1.09
+1723060261 Motorware   S.0.00.22
+1723060261 BMSWare     1.14 RSOC 100 Cycles 64 HW 3.10
+1723060261 Shifterware 0.237 stored: 0.237
+1723060261 BLEWare     2.4.01
+1723060261 GSMWare     08.90
+1723060261 CMD_BLE_MAC 24:9F:89:86:A9:1F
+1723060261 PDOCP 0
+1723060261 PDSCP 1
+1723060261 iccid 89314404000979522399
+1723060261 Modem ready
+1723060261 GSM_CMD_IDLE
+1723060280
+
+
+### Important caveats.
+
+This is all based on reverse Engineering. So there might be some Versions differences. 
+So make a backup, save it in a save place like 1Password. If you compress the dump, the file gets very small.
diff --git a/dumpFlash.go b/dumpFlash.go
@@ -0,0 +1,63 @@
+package main
+
+import (
+	"fmt"
+	"os"
+)
+
+const (
+	readCommand = 0x03             // Low-speed read command
+	flashSize   = 64 * 1024 * 1024 // 64 MB
+	chunkSize   = 256              // 256 bytes per read operation
+)
+
+func dumpFlash() {
+	// MAC
+	// FRAME
+
+	macAddress := ""
+	frameNumber := ""
+
+	conn, err := spiConnect()
+	if err != nil {
+		fmt.Println("")
+	}
+
+	// Open output file
+	file, err := os.Create("VMES3-" + frameNumber + "-" + macAddress + ".bin")
+	if err != nil {
+		fmt.Printf("Failed to create output file: %v", err)
+		return
+	}
+	defer file.Close()
+
+	// Sequentially read 64MB in 256-byte chunks
+	for offset := 0; offset < flashSize; offset += chunkSize {
+		// Set up 24-bit address
+		address := []byte{
+			byte(offset >> 16),
+			byte(offset >> 8),
+			byte(offset),
+		}
+
+		// Prepare the read command with the address
+		readBuffer := append([]byte{readCommand}, address...)
+
+		// Buffer to store incoming data
+		data := make([]byte, chunkSize)
+
+		// Execute SPI read
+		if err := conn.Tx(readBuffer, data); err != nil {
+			fmt.Printf("SPI transaction failed at offset 0x%X: %v", offset, err)
+			return
+		}
+
+		// Write the data to the file
+		if _, err := file.Write(data); err != nil {
+			fmt.Printf("Failed to write data to file at offset 0x%X: %v", offset, err)
+			return
+		}
+
+		fmt.Printf("Read and saved chunk at offset 0x%X\n", offset)
+	}
+}
diff --git a/go.mod b/go.mod
@@ -1,4 +1,10 @@
 module VanMooof-Module
 
-go 1.19
+go 1.22
 
+toolchain go1.23.3
+
+require (
+	periph.io/x/conn/v3 v3.7.1 // indirect
+	periph.io/x/host/v3 v3.8.2 // indirect
+)
diff --git a/go.sum b/go.sum
@@ -0,0 +1,4 @@
+periph.io/x/conn/v3 v3.7.1 h1:tMjNv3WO8jEz/ePuXl7y++2zYi8LsQ5otbmqGKy3Myg=
+periph.io/x/conn/v3 v3.7.1/go.mod h1:c+HCVjkzbf09XzcqZu/t+U8Ss/2QuJj0jgRF6Nye838=
+periph.io/x/host/v3 v3.8.2 h1:ayKUDzgUCN0g8+/xM9GTkWaOBhSLVcVHGTfjAOi8OsQ=
+periph.io/x/host/v3 v3.8.2/go.mod h1:yFL76AesNHR68PboofSWYaQTKmvPXsQH2Apvp/ls/K4=
diff --git a/main.go b/main.go
@@ -5,15 +5,30 @@ import (
 )
 
 var (
-	moduleFileName = flag.String("f", "", "Module file name")
+	moduleFileName  = flag.String("f", "", "Module file name")
+	changeUnlockKey = flag.String("u", "", "Change unlock key")
+	debugLogging    = flag.Bool("d", false, "Enable debug logging")
+	sudo            = flag.Bool("iKnowWhatIAmDoingISwear", false, "Use sudo")
+	showBLESecrets  = flag.Bool("show", false, "Show BLE secrets")
+	//file            os.File
 )
 
 func main() {
 
 	flag.Parse()
 
+	//if *moduleFileName != "" {
 	file := loadFile()
-	readSecrets(*file)
+	//}
+
+	if *showBLESecrets && *moduleFileName != "" {
+		readSecrets(*file)
+		readLogs(*file)
+	}
+
+	if *changeUnlockKey != "" {
+		writeSecrets("unlock", *changeUnlockKey)
+	}
 
 	err := file.Close()
 	if err != nil {
diff --git a/readLogs.go b/readLogs.go
@@ -0,0 +1,18 @@
+package main
+
+import (
+	"encoding/hex"
+	"fmt"
+	"os"
+)
+
+func readLogs(file os.File) {
+
+	offset := int64(0x3fdd000)
+	length := 16 // Number of bytes to read
+
+	buf := readFromFile(file, offset, length)
+
+	// Convert to hex and print
+	fmt.Println("Logs:", hex.EncodeToString(buf))
+}
diff --git a/readSecrets.go b/readSecrets.go
diff --git a/spi.go b/spi.go
diff --git a/writeSecrets.go b/writeSecrets.go
