Reverse engineer STM32

rafaelsm (Thread Starter)
Hi there,

I have an STM32 that I'm trying to reprogram or replace with an Arduino, but to do that I need to understand how it works.
It comes with 5 connectors nearby tagged as VGCDR.
I have at my disposal a DAPLink and a logic analyser, but I don't even know how to start as I have never worked with an STM32 before.

This is a follow-up on my original post, which kind of died a few weeks ago when I got stuck in the process.
 

BobTPH

Do you really mean reverse engineer, or just reprogram? These are completely different things.

If you have a commercial product, the chip is likely protected against reading the program.
 

Irving

Having read your previous thread, I'd reason that S is for 'Serial' and it's a one-wire serial interface. Whether it's bi-directional or not remains to be seen.

My starter for 10 would be to hook the logic analyser up to S and G (ground) and just start by trying to capture any signalling. What you're probably hoping to see is a high (5 V) dropping to low for a short while, followed by a series of transitions before returning to a high. That would be the expected way round, though it could be a normally low, going high. Either way it shows some form of serial data. Next is to capture a few of those while changing speeds and see if there's any correlation...
 

rafaelsm (Thread Starter)
> Do you really mean reverse engineer, or just reprogram? These are completely different things.
>
> If you have a commercial product, the chip is likely protected against reading the program.

I believe that I need to understand how it communicates with the other MCU to be able to replicate or reprogram it.
 

rafaelsm (Thread Starter)
> Having read your previous thread, I'd reason that S is for 'Serial' and it's a one-wire serial interface. Whether it's bi-directional or not remains to be seen.
>
> My starter for 10 would be to hook the logic analyser up to S and G (ground) and just start by trying to capture any signalling. What you're probably hoping to see is a high (5 V) dropping to low for a short while, followed by a series of transitions before returning to a high. That would be the expected way round, though it could be a normally low, going high. Either way it shows some form of serial data. Next is to capture a few of those while changing speeds and see if there's any correlation...

Thanks Irving,

I don't know what the S stands for, but I don't think it is a serial comm with the other STM8. The plug also has the T and R wires, which I believe are used for the serial transfer.
Also, if I disconnect the T or R wires, the top unit displays an error, but if I disconnect the S wire it works fine but the motor doesn't rotate, so I believe the S is for some kind of PWM or clock signal.
 

Irving

> Thanks Irving,
>
> I don't know what the S stands for, but I don't think it is a serial comm with the other STM8. The plug also has the T and R wires, which I believe are used for the serial transfer.
> Also, if I disconnect the T or R wires, the top unit displays an error, but if I disconnect the S wire it works fine but the motor doesn't rotate, so I believe the S is for some kind of PWM or clock signal.

Well, you could be right: R = receive, T = transmit, S = Sync/Speed? If it were a clock or PWM then C or P would make more sense. However, it could be a slow-speed form of the 3-wire SPI interface, which is (dataIn, dataOut, Clock). You'll find out once you hook up the LA to all 3. The process I described still holds true...

Can you show a photo of the STM32 and/or the STM8 and the VTRGS connections?
 

rafaelsm (Thread Starter)
> Well, you could be right: R = receive, T = transmit, S = Sync/Speed? If it were a clock or PWM then C or P would make more sense. However, it could be a slow-speed form of the 3-wire SPI interface, which is (dataIn, dataOut, Clock). You'll find out once you hook up the LA to all 3. The process I described still holds true...
>
> Can you show a photo of the STM32 and/or the STM8 and the VTRGS connections?

Hey Irving,
I attached a photo of the connection. The other big connector is for the buttons that control the top unit.
[attached image: IMG_0364.JPG]
I hooked up T, R and S to the logic analyzer and collected the data, but I used the standard 115200 baud rate and I'm getting a framing error.
I used Logic 2 from Saleae and the baud rate estimator plugin detects a baud rate of 8 MHz. I'm probably doing something wrong, as it's the first time I'm using an LA. Maybe it is not UART comm in the end, I don't know.
[attached image: Screenshot 2024-05-31 at 10.26.17 pm.png]
 

Irving

No, that doesn't look so bad to start, though I doubt it's 8 MHz over those wires. Let's have a look at that first burst on the TX channel; adjust your time-base to just capture those first two or three bursts. Once you've successfully done that, use the trigger delay to capture just the beginning, or all, of that block of data on all 3 channels. Don't worry about decoding it for now, we just need to see the string of transitions to get an idea of its structure.
 

rafaelsm (Thread Starter)
Hey Irving,

Sorry for the long pause, been a busy week, but I come back with some good news.
The 8 MHz estimation was caused by a lot of noise on the line, so I filtered out anything faster than 250 ns; that cleared the line up and the estimation was now 1200. First success: I can now see the message being sent from the STM32 to the STM8 at constant intervals.
The message consists of 11 decimal numbers that I believe instruct the STM8 MCU how to control the motor.
I'm still trying to make sense of all the numbers, but I think I know what some of them mean.

This is what the message looks like:
170, 0, 192, 0, 0, 1, 36, 0, 17, 30, 64
1st - is always 170
2nd - state of the safety pin (11 when disconnected, 0 otherwise)
3rd - so far always 192
4th - so far always 0
5th - maybe a counter
6th - maybe a counter
7th - dunno
8th - so far always 0
9th - I really believe it is the speed
10th - so far always 30
11th - dunno

The machine also displays time, distance, calories and heart rate, but I don't think this info is passed over to the STM8.

This is a session of three minutes of it running that I collected to see if I could understand the values:

170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,0,0,0,30,116
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,0,0,0,30,116
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,0,0,0,30,116
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,0,0,0,30,116
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,1,36,0,9,30,88 <--- motor start running (speed 1.0)
170,0,192,0,0,1,36,0,15,30,94
170,0,192,0,0,1,36,0,17,30,64
170,0,192,0,0,1,36,0,17,30,64
170,0,192,0,0,3,36,0,18,30,65
170,0,192,0,0,4,36,0,18,30,70
170,0,192,0,0,4,36,0,18,30,70
170,0,192,0,0,4,36,0,18,30,70
170,0,192,0,0,5,36,0,17,30,68
170,0,192,0,0,7,36,0,19,30,68
170,0,192,0,0,7,36,0,16,30,71
170,0,192,0,0,8,36,0,19,30,75
170,0,192,0,0,9,36,0,27,30,66
170,0,192,0,0,9,36,0,33,30,120
170,0,192,0,0,9,36,0,40,30,113
170,0,192,0,0,9,36,0,43,30,114
170,0,192,0,0,9,36,0,42,30,115
170,0,192,0,0,9,36,0,44,30,117
170,0,192,0,0,9,36,0,44,30,117
170,0,192,0,0,9,36,0,44,30,117
170,0,192,0,0,9,36,0,44,30,117
170,0,192,0,0,9,36,0,44,30,117
170,0,192,0,0,9,36,0,43,30,114
170,0,192,0,0,9,36,0,42,30,115
170,0,192,0,0,9,36,0,44,30,117
170,0,192,0,0,9,36,0,43,30,114
170,0,192,0,0,9,37,0,44,30,116
170,0,192,0,0,9,36,0,43,30,114
170,0,192,0,0,9,36,0,45,30,116
170,0,192,0,0,9,37,0,44,30,116
170,0,192,0,0,10,36,0,44,30,118
170,0,192,0,0,11,37,0,52,30,110
170,0,192,0,0,11,37,0,57,30,99
170,0,192,0,0,11,37,0,62,30,100
170,0,192,0,0,11,37,0,73,30,19
170,0,192,0,0,11,37,0,76,30,22
170,0,192,0,0,11,37,0,80,30,10
170,0,192,0,0,11,37,0,81,30,11
170,0,192,0,0,11,37,0,80,30,10
170,0,192,0,0,11,37,0,80,30,10
170,0,192,0,0,11,37,0,80,30,10
170,0,192,0,0,11,37,0,78,30,20
170,0,192,0,0,11,37,0,81,30,11
170,0,192,0,0,11,37,0,81,30,11
170,0,192,0,0,11,37,0,79,30,21
170,0,192,0,0,11,37,0,81,30,11
170,0,192,0,0,11,37,0,80,30,10
170,0,192,0,0,11,37,0,81,30,11
170,0,192,0,0,11,37,0,80,30,10
170,0,192,0,0,11,37,0,80,30,10
170,0,192,0,0,11,37,0,81,30,11
170,0,192,0,0,11,37,0,84,30,14
170,0,192,0,0,11,37,0,88,30,2
170,0,192,0,0,11,37,0,95,30,5
170,0,192,0,0,12,37,0,104,30,53
170,0,192,0,0,12,37,0,107,30,54
170,0,192,0,0,12,37,0,114,30,47
170,0,192,0,0,12,37,0,120,30,37
170,0,192,0,0,12,37,0,118,30,43
170,0,192,0,0,12,38,0,118,30,40
170,0,192,0,0,13,38,0,121,30,38
170,0,192,0,0,13,38,0,117,30,42
170,0,192,0,0,13,37,0,123,30,39
170,0,192,0,0,13,38,0,132,30,219
170,0,192,0,0,13,38,0,138,30,213
170,0,192,0,0,15,38,0,146,30,207
170,0,192,0,0,16,38,0,148,30,214
170,0,192,0,0,19,38,0,154,30,219
170,0,192,0,0,21,38,0,160,30,231
170,0,192,0,0,25,38,0,153,30,210
170,0,192,0,0,27,38,0,160,30,233
170,0,192,0,0,29,38,0,157,30,210
170,0,192,0,0,31,38,0,155,30,214
170,0,192,0,0,34,38,0,157,30,237
170,0,192,0,0,34,38,0,163,30,211
170,0,192,0,0,38,38,0,171,30,223
170,0,192,0,0,42,38,0,174,30,214
170,0,192,0,0,47,38,0,182,30,203
170,0,192,0,0,52,38,0,177,30,215
170,0,192,0,0,58,38,0,184,30,208
170,0,192,0,0,63,38,0,181,30,216
170,0,192,0,0,68,38,0,178,30,164
170,0,192,0,0,74,38,0,188,30,164
170,0,192,0,0,78,38,0,181,30,169
170,0,192,0,0,84,38,0,180,30,178
170,0,192,0,0,89,38,0,184,30,179
170,0,192,0,0,93,38,0,179,30,188
170,0,192,0,0,98,38,0,178,30,130
170,0,192,0,0,104,38,0,178,30,136
170,0,192,0,0,110,38,0,183,30,139
170,0,192,0,0,113,38,0,181,30,150
170,0,192,0,0,117,38,0,177,30,150
170,0,192,0,0,120,38,0,182,30,156
170,0,192,0,0,125,38,0,184,30,151
170,0,192,0,0,129,38,0,178,30,97
170,0,192,0,0,133,38,0,179,30,100
170,0,192,0,0,138,38,0,183,30,111
170,0,192,0,0,143,38,0,181,30,104
170,0,192,0,0,148,38,0,180,30,114
170,0,192,0,0,149,38,0,178,30,117
170,0,192,0,0,152,38,0,183,30,125
170,0,192,0,0,156,38,0,179,30,125
170,0,192,0,0,160,38,0,178,30,64
170,0,192,0,0,165,38,0,187,30,76
170,0,192,0,0,170,38,0,181,30,77,
170,0,192,0,0,173,38,0,180,30,75
170,0,192,0,0,177,38,0,185,30,90
170,0,192,0,0,183,38,0,185,30,92
170,0,192,0,0,186,38,0,177,30,89
170,0,192,0,0,190,37,0,181,30,90
170,0,192,0,0,196,38,0,187,30,45
170,0,192,0,0,200,38,0,180,30,46
170,0,192,0,0,203,38,0,179,30,42
170,0,192,0,0,209,38,0,184,30,59
170,0,192,0,0,213,38,0,185,30,62
170,0,192,0,0,217,38,0,180,30,63
170,0,192,0,0,221,38,0,178,30,61
170,0,192,0,0,226,38,0,178,30,2
170,0,192,0,0,231,38,0,184,30,13
170,0,192,0,0,235,38,0,184,30,1
170,0,192,0,0,239,38,0,179,30,14
170,0,192,0,0,242,38,0,183,30,23
170,0,192,0,0,246,37,0,181,30,18
170,0,192,0,0,252,38,0,179,30,29
170,0,192,0,0,255,37,0,183,30,25
170,0,192,0,1,4,38,0,183,30,224
170,0,192,0,1,8,38,0,178,30,233
170,0,192,0,1,11,37,0,187,30,224
170,0,192,0,1,14,38,0,181,30,232
170,0,192,0,1,18,38,0,177,30,240
170,0,192,0,1,20,38,0,185,30,254
170,0,192,0,1,23,37,0,180,30,243
170,0,192,0,1,28,37,0,179,30,255
170,0,192,0,1,32,38,0,181,30,198
170,0,192,0,1,35,38,0,185,30,201
170,0,192,0,1,40,38,0,183,30,204
170,0,192,0,1,45,38,0,179,30,205
170,0,192,0,1,48,38,0,184,30,219
170,0,192,0,1,50,38,0,177,30,208
170,0,192,0,1,52,38,0,184,30,223
170,0,192,0,1,56,38,0,179,30,216
170,0,192,0,1,59,38,0,180,30,220
170,0,192,0,1,62,37,0,184,30,214
170,0,192,0,1,66,37,0,178,30,160
170,0,192,0,1,71,38,0,184,30,172
170,0,192,0,1,75,38,0,181,30,173
170,0,192,0,1,80,38,0,178,30,177
170,0,192,0,1,85,38,0,181,30,179
170,0,192,0,1,90,38,0,178,30,187
170,0,192,0,1,94,38,0,182,30,187
170,0,192,0,1,97,37,0,187,30,138
170,0,192,0,1,102,38,0,180,30,129
170,0,192,0,1,106,38,0,181,30,140
170,0,192,0,1,112,38,0,188,30,159
170,0,192,0,1,114,37,0,183,30,149
170,0,192,0,1,117,38,0,177,30,151
170,0,192,0,1,120,38,0,180,30,159
170,0,192,0,1,124,38,0,181,30,154
170,0,192,0,1,128,37,0,177,30,97
170,0,192,0,1,130,37,0,184,30,106
170,0,192,0,1,135,37,0,179,30,100
170,0,192,0,1,139,37,0,178,30,105
170,0,192,0,1,143,38,0,188,30,96
170,0,192,0,1,146,38,0,179,30,114
170,0,192,0,1,150,38,0,178,30,119
170,0,192,0,1,155,38,0,185,30,113
170,0,192,0,1,160,38,0,181,30,70
170,0,192,0,1,162,38,0,181,30,68
170,0,192,0,1,164,38,0,184,30,79
170,0,192,0,1,169,37,0,178,30,75
170,0,192,0,1,171,37,0,177,30,74
170,0,192,0,1,175,38,0,183,30,75
170,0,192,0,1,180,37,0,184,30,92
170,0,192,0,1,183,38,0,179,30,87
170,0,192,0,1,187,37,0,178,30,89
170,0,192,0,1,192,37,0,182,30,38
170,0,192,0,1,197,38,0,184,30,46
170,0,192,0,1,201,37,0,184,30,33
170,0,192,0,1,206,38,0,179,30,46
170,0,192,0,1,208,37,0,186,30,58
170,0,192,0,1,211,38,0,177,30,49
170,0,192,0,1,215,38,0,180,30,48
170,0,192,0,1,219,38,0,183,30,63
170,0,192,0,1,222,37,0,180,30,58
170,0,192,0,1,228,37,0,183,30,3
170,0,192,0,1,229,37,0,179,30,6
170,0,192,0,1,235,38,0,177,30,9
170,0,192,0,1,240,37,0,180,30,20
170,0,192,0,1,245,37,0,188,30,25
170,0,192,0,1,248,38,0,179,30,24
170,0,192,0,1,251,37,0,180,30,31
170,0,192,0,1,255,38,0,178,30,30
170,0,192,0,2,2,37,0,185,30,232
170,0,192,0,2,7,37,0,184,30,236
170,0,192,0,2,10,38,0,177,30,235
170,0,192,0,2,14,38,0,178,30,236
170,0,192,0,2,18,38,0,179,30,241
170,0,192,0,2,21,38,0,182,30,243
170,0,192,0,2,26,37,0,183,30,254
170,0,192,0,2,27,37,0,177,30,249
170,0,192,0,2,30,37,0,188,30,241
170,0,192,0,2,33,37,0,180,30,198
170,0,192,0,2,37,37,0,181,30,195
170,0,192,0,2,41,37,0,183,30,205
170,0,192,0,2,45,37,0,180,30,202
170,0,192,0,2,49,38,0,186,30,219
170,0,192,0,2,54,38,0,177,30,215
170,0,192,0,2,58,38,0,178,30,216
170,0,192,0,2,62,37,0,182,30,219
170,0,192,0,2,65,37,0,183,30,165
170,0,192,0,2,69,38,0,180,30,161
170,0,192,0,2,74,38,0,180,30,174
170,0,192,0,2,77,38,0,181,30,168
170,0,192,0,2,80,37,0,184,30,187
170,0,192,0,2,86,38,0,181,30,179
170,0,192,0,2,89,37,0,177,30,187
170,0,192,0,2,92,38,0,184,30,180
170,0,192,0,2,96,38,0,178,30,130
170,0,192,0,2,99,37,0,180,30,132
170,0,192,0,2,104,37,0,182,30,141
170,0,192,0,2,107,37,0,180,30,140
170,0,192,0,2,111,37,0,186,30,134
170,0,192,0,2,114,37,0,179,30,146
170,0,192,0,2,115,38,0,180,30,151
170,0,192,0,2,120,38,0,184,30,144
170,0,192,0,2,123,38,0,180,30,159
170,0,192,0,2,127,37,0,182,30,154
170,0,192,0,2,132,38,0,179,30,103
170,0,192,0,2,137,38,0,179,30,106
170,0,192,0,2,141,37,0,184,30,102
170,0,192,0,2,146,37,0,185,30,120
170,0,192,0,2,149,37,0,179,30,117
170,0,192,0,2,154,38,0,178,30,120
170,0,192,0,2,158,37,0,179,30,126
170,0,192,0,2,161,37,0,187,30,73
170,0,192,0,2,166,37,0,184,30,77
170,0,192,0,2,168,37,0,177,30,74
170,0,192,0,2,173,37,0,182,30,72
170,0,192,0,2,177,38,0,176,30,81
170,0,192,0,2,183,38,0,182,30,81
170,0,192,0,2,188,37,0,181,30,90
170,0,192,0,2,194,37,0,178,30,35
170,0,192,0,2,196,37,0,184,30,47
170,0,192,0,2,200,38,0,179,30,43
170,0,192,0,2,203,37,0,184,30,32
170,0,192,0,2,207,38,0,181,30,42
170,0,192,0,2,211,37,0,184,30,56
170,0,192,0,2,216,37,0,186,30,49
170,0,192,0,2,220,37,0,179,30,60
170,0,192,0,2,223,37,0,177,30,61
170,0,192,0,2,228,38,0,181,30,1
170,0,192,0,2,234,37,0,185,30,0
170,0,192,0,2,237,37,0,187,30,5
170,0,192,0,2,243,37,0,181,30,21
170,0,192,0,2,247,38,0,177,30,22
170,0,192,0,2,252,37,0,178,30,29
170,0,192,0,2,255,37,0,179,30,31
170,0,192,0,3,3,37,0,184,30,233
170,0,192,0,3,7,37,0,180,30,225
170,0,192,0,3,12,37,0,179,30,237
170,0,192,0,3,17,38,0,183,30,247
170,0,192,0,3,21,38,0,179,30,247
170,0,192,0,3,26,38,0,184,30,243
170,0,192,0,3,30,38,0,180,30,251
170,0,192,0,3,33,37,0,180,30,199
170,0,192,0,3,35,37,0,182,30,199
170,0,192,0,3,38,37,0,178,30,198
170,0,192,0,3,42,37,0,177,30,201
170,0,192,0,3,47,38,0,178,30,204
170,0,192,0,3,51,37,0,185,30,216
170,0,192,0,3,52,37,0,186,30,220
170,0,192,0,3,56,37,0,178,30,216
170,0,192,0,3,60,37,0,177,30,223
170,0,192,0,3,62,37,0,180,30,216
170,0,192,0,3,66,37,0,185,30,169
170,0,192,0,3,69,37,0,184,30,175
170,0,192,0,3,73,37,0,179,30,168
170,0,192,0,3,76,38,0,186,30,167
170,0,192,0,3,80,38,0,180,30,181
170,0,192,0,3,85,37,0,177,30,182
170,0,192,0,3,88,37,0,187,30,177
170,0,192,0,3,93,37,0,181,30,186
170,0,192,0,3,98,37,0,178,30,130
170,0,192,0,3,102,37,0,186,30,142
170,0,192,0,3,107,37,0,180,30,141
170,0,192,0,3,110,38,0,182,30,137
170,0,192,0,3,114,37,0,187,30,155
170,0,192,0,3,119,37,0,179,30,150
170,0,192,0,3,122,37,0,179,30,155
170,0,192,0,3,127,37,0,181,30,152
170,0,192,0,3,132,38,0,180,30,97
170,0,192,0,3,135,37,0,186,30,111
170,0,192,0,3,139,37,0,185,30,96
170,0,192,0,3,143,37,0,178,30,111
170,0,192,0,3,148,37,0,177,30,119
170,0,192,0,3,154,38,0,187,30,112
170,0,192,0,3,157,37,0,179,30,124
170,0,192,0,3,159,38,0,184,30,118
170,0,192,0,3,162,38,0,180,30,71
170,0,192,0,3,167,37,0,181,30,64
170,0,192,0,3,173,37,0,186,30,69
170,0,192,0,3,176,37,0,177,30,83
170,0,192,0,3,181,37,0,180,30,83
170,0,192,0,3,186,37,0,182,30,94
170,0,192,0,3,190,37,0,177,30,93
170,0,192,0,3,195,37,0,186,30,43
170,0,192,0,3,199,37,0,181,30,32
170,0,192,0,3,202,37,0,177,30,41
170,0,192,0,3,207,38,0,177,30,47
170,0,192,0,3,210,38,0,181,30,54
170,0,192,0,3,214,37,0,184,30,60
170,0,192,0,3,218,37,0,183,30,63
170,0,192,0,3,221,37,0,180,30,59
170,0,192,0,3,226,38,0,178,30,1
170,0,192,0,3,231,37,0,180,30,1
170,0,192,0,3,240,37,0,177,30,19
170,0,192,0,3,243,37,0,171,30,10
170,0,192,0,3,245,37,0,168,30,15
170,0,192,0,3,248,38,0,155,30,50
170,0,192,0,3,248,37,0,149,30,63
170,0,192,0,3,248,37,0,143,30,37
170,0,192,0,3,248,37,0,135,30,45
170,0,192,0,3,248,37,0,125,30,215
170,0,192,0,3,248,37,0,119,30,221
170,0,192,0,3,248,37,0,114,30,216
170,0,192,0,3,248,37,0,100,30,206
170,0,192,0,3,248,36,0,91,30,240

As you see, the 7th number seems to fluctuate between 1 and 0 when the machine is not running, but fluctuates between 36 and 38 when it is running.
The 6th number grows until 255, then it increments the 5th number (I wonder if the 4th increments when the 5th reaches 255 too).
The 9th really seems to be the speed, but it is never static; I don't get why it fluctuates.

I wonder if any of these fluctuations happen because of the 250 ns filtering.
Does any of this make any sense to you?
 

Irving

Well done, that's an excellent result. These comms must be from motor controller to display unit; this is real-time data on speed and distance, recorded by the encoder on the motor shaft. Which line is it on? Is this 1 packet of data a second?

Byte 1 is AA in hex or 10101010 in binary; this is classic as an aid to sync the data clock in the UART.

The incrementing 3 bytes represent distance: distance = ((byte 4 * 256) + byte 5) * 256 + byte 6. Plot it against speed in byte 9:
[attached image: 1717948061448.png]
Yep, that works. See if speed and distance correlate against the display. When running at a constant known speed on the display, what values do you get for speed? It won't be static: the motor speed isn't a constant; belt friction, gearbox friction, etc. will vary with position, so it will have minor fluctuations. Welcome to the real world! You're interested in the average over time.

Byte 7 is a status byte. The meaning is unknown, other than bit 5 (representing 32 in hex) probably means motor running, while other bits relate to internal aspects of the motor controller.
The last byte is a simple checksum.
 

rafaelsm (Thread Starter)
Hey Irving,

First of all, thanks a lot for all the help, you've been an invaluable source of information and motivation.

You're absolutely right, the message is sent by the controller board. I saw it coming through the RX pin, but I thought I had them inverted.
The STM32 receives the data roughly every 400 ms.
For what I want to do, I just need to know the distance and speed, but for that I was actually planning to install some hall sensors on the belt to calculate them.
The really important part is knowing what to send to the controller board to be able to control the speed.
I realised that the S is actually a hard wire for the "safety key"; it needs a high signal for the motor to run. I injected this signal using an Arduino and that worked: I could start and stop the motor, which means that it is not in sync with the serial communication.

I attached a picture of an interesting pattern I noticed: when the motor is running, the TX looks like a high signal with heaps of nanosecond drops, which looks like noise to me, but I noticed that a few milliseconds before a package is received, these drops stop in a strange pattern.
[attached image: Screenshot 2024-06-12 at 9.37.00 pm.png]

[attached image: Screenshot 2024-06-12 at 11.01.49 pm.png]

[attached image: Screenshot 2024-06-12 at 11.03.09 pm.png]

I thought the TX could be sending a PWM signal, so I tried to send one using an Arduino, but that didn't work.
The nanosecond drops can be seen on the S wire as well, but when I inject the high from an Arduino, it comes "clean" without drops, and some of the drops on the TX wire also disappear.
 

Irving

Those 'nanosecond drops' are just noise on the line. Make sure your LA ground is tied to something clearly grounded and close to where you're measuring.

The TX line will be transmitting a control sequence; it may be similar in structure to the RX signal, and is almost guaranteed to have the 170, 0, 192 sequence to start. It may be sent continuously as a stimulus for the RX response, or only when there is a change needed, i.e. a speed change. More investigation needed.
 

rafaelsm (Thread Starter)
Well observed. I checked the wire I was using for the ground and I think it was internally broken, so I changed it (I changed all of them actually) and the noise is gone... now, as I thought, the TX displays a constant high signal.
I hooked up a multimeter to the TX and ground and it fluctuates between 3.0 and 6.6 volts because of the packages being sent, and the LA I have has a range up to 5.5 V. Can I just hook up a resistor to drop it?

Interesting thing: when I remove the TX pin that goes to the controller board, the signal inverts and I can see a package being sent. And it shows the 170 initial byte as you mentioned.

[attached image: Screenshot 2024-06-13 at 11.58.14 pm.png]

[attached image: Screenshot 2024-06-13 at 11.58.48 pm.png]
 

rafaelsm (Thread Starter)
Hey Irving,

After the last post I tried reading the TX using a voltage divider to see if I could drop the voltage to an acceptable level, but that didn't work: the top unit would display an error and everything stops working.

So this weekend I received an optocoupler I had ordered in case I couldn't hack the UART (at least I could hack the buttons), so instead I used the optocoupler to read the TX package and voilà, there was the package, inverted as I noticed before.
[attached image: Screenshot 2024-06-17 at 8.22.57 pm.png]
Now I'm on my way to mapping all the possible speeds and trying to see if I can identify a pattern, so I can calculate it instead of saving all the possibilities in memory.

170,18,182,0,21,0,27
170,20,38,0,21,0,141
170,21,144,0,21,0,58
170,22,250,0,21,0,83
170,24,100,0,21,0,195
170,25,206,0,21,0,104
170,27,56,0,21,0,156
170,28,162,0,21,0,1
170,30,12,0,21,0,173
170,31,118,0,21,0,214
170,32,224,0,21,0,127
170,34,74,0,21,0,215
170,35,180,0,21,0,40
170,37,30,0,21,0,132
170,38,136,0,21,0,17
170,39,242,0,21,0,106
170,41,92,0,21,0,202
170,42,198,0,21,0,83
170,44,48,0,21,0,163
170,45,154,0,21,0,8
170,47,4,0,21,0,148
170,48,110,0,21,0,225
170,49,216,0,21,0,86
170,51,66,0,21,0,206
170,52,172,0,21,0,39
170,54,22,0,21,0,159
170,55,128,0,21,0,8
170,56,234,0,21,0,109
170,58,84,0,21,0,209
170,59,190,0,21,0,58
170,61,40,0,21,0,170

The second byte is the speed, the third one I'm trying to decipher now, and the last one is an XOR checksum.
It's probably some kind of calculation with a BCD representation of float numbers, but I can't pinpoint exactly how it works.
 

rafaelsm (Thread Starter)
UPDATE:
It is actually a 16-bit number, no complex calculation needed.
So 170,22,250,0,21,0,83 in hex is 0xAA,0x16,0xFA,0x00,0x15,0x00,0x53; then 0x16,0xFA is 5882 in decimal, and this number goes all the way to 52176 (0xCBD0), the maximum value the top unit sends. I'm not sure yet if the controller has any constraint on this value and if it is safe to go over.

So I wrote a quick Arduino sketch and sent hardcoded values using the optocoupler and it worked. I can completely ditch the top unit and write a proper application to control it.

Thanks a lot, Irving, I don't think it would have been possible for me to do it without your help. I learned a lot in the process.
 
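The frame layout worked out over the last few posts (0xAA header, the 3-byte distance counter, the status byte with bit 5 as "motor running", the single speed byte, and the 16-bit speed command with an XOR checksum on the TX side), written up as a small decoder and command builder. This is an added example, not code from the thread or from either board's firmware. It assumes the thread's working picture of the protocol, that the RX checksum follows the same XOR rule as the TX one (every frame quoted in the thread verifies that way, and the constructed sample log below exercises it), and it treats 52176 (0xCBD0), the largest value seen from the top unit, as the upper bound for a command, since the controller's real limit is unknown:

```python
"""Decoder/encoder for the treadmill UART frames worked out in this thread.

Added example, not the thread's or either board's own code. Assumed layout:

  controller -> display (11 bytes): 0xAA, safety, 0xC0, d2, d1, d0, status,
      0, speed, 30, checksum, with distance = ((d2*256)+d1)*256+d0 and
      status bit 5 (0x20) meaning "motor running";
  display -> controller (7 bytes): 0xAA, speed_hi, speed_lo, 0, 21, 0, checksum.

The checksum is the XOR of every preceding byte. SPEED_MAX is the largest
16-bit value the thread saw the top unit send; the controller's own limit is
unknown, so the builder refuses anything larger.
"""
from dataclasses import dataclass

HEADER = 0xAA               # 0b10101010, also a convenient UART sync pattern
RX_LEN = 11
TX_LEN = 7
SPEED_MAX = 0xCBD0          # 52176, maximum observed from the top unit (assumption: treat as limit)
MOTOR_RUNNING_BIT = 0x20    # bit 5 of the status byte (hypothesis from the thread)


def xor_checksum(data):
    """XOR of all bytes in `data`; the last byte of a frame equals this over the rest."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


@dataclass
class RxFrame:
    safety: int          # 11 when the safety key is disconnected, 0 otherwise
    distance: int        # 24-bit counter from bytes 4..6
    status: int          # raw status byte (byte 7)
    motor_running: bool  # status & MOTOR_RUNNING_BIT
    speed: int           # raw speed byte (byte 9)


def parse_rx(frame):
    """Validate an 11-byte controller->display frame and decode it, or raise ValueError."""
    frame = bytes(frame)
    if len(frame) != RX_LEN:
        raise ValueError(f"expected {RX_LEN} bytes, got {len(frame)}")
    if frame[0] != HEADER:
        raise ValueError(f"bad header {frame[0]:#04x}")
    if xor_checksum(frame[:-1]) != frame[-1]:
        raise ValueError("checksum mismatch, frame dropped")
    distance = (frame[3] << 16) | (frame[4] << 8) | frame[5]
    status = frame[6]
    return RxFrame(frame[1], distance, status,
                   bool(status & MOTOR_RUNNING_BIT), frame[8])


def build_tx(speed):
    """Build the 7-byte display->controller command for a 16-bit speed value."""
    if not 0 <= speed <= SPEED_MAX:
        raise ValueError(f"speed {speed} outside the observed range 0..{SPEED_MAX}")
    body = bytes([HEADER, speed >> 8, speed & 0xFF, 0, 21, 0])
    return body + bytes([xor_checksum(body)])


def parse_csv_line(line):
    """Turn one pasted line ('170,0,192,...', trailing comma or '<--' note allowed) into bytes."""
    line = line.split("<")[0]
    return bytes(int(tok) for tok in line.split(",") if tok.strip())


def decode_log(text):
    """Decode a pasted log; returns (frames, errors) so bad lines are reported, not hidden."""
    frames, errors = [], []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        try:
            frames.append(parse_rx(parse_csv_line(line)))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return frames, errors


# Constructed sample: four lines taken from the thread's capture plus one
# line with a deliberately corrupted checksum to show it being rejected.
SAMPLE_LOG = """
170,0,192,0,0,0,1,0,0,30,117
170,0,192,0,0,1,36,0,9,30,88 <--- motor start running (speed 1.0)
170,0,192,0,0,170,38,0,181,30,77,
170,0,192,0,3,248,36,0,91,30,240
170,0,192,0,0,1,36,0,9,30,89
"""

if __name__ == "__main__":
    frames, errors = decode_log(SAMPLE_LOG)
    for f in frames:
        print(f)
    print("rejected:", errors)                 # the corrupted line 5
    print(build_tx(5882).hex(","))            # aa,16,fa,00,15,00,53 as in the thread
```

Rejecting a frame on a checksum mismatch rather than decoding it anyway is what keeps a noisy capture (or a glitchy ground wire, as earlier in the thread) from turning into bogus distance or speed readings, and the range check in `build_tx` is the one guard worth having before any replacement controller starts sending commands the original top unit never did.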

Irving

That's brilliant Rafael, and glad I could help. Reverse engineering systems is, to me, one of the most interesting, yet often most frustrating, aspects of electronics: trying to guess the thought processes that went into the original design (or not). For example, do they need that fine a resolution on the speed? After all, it comes back as a single byte. Is there any fixed correlation between the 16-bit commanded value and the 8-bit response? Maybe they have a 16-bit DAC in the motor controller (there isn't one in the STM8 MCU though) or use a 16-bit timer to produce a 16-bit PWM to the ESC, and it was convenient to send values in a given range to avoid any additional scaling or conversion down there.
 

rafaelsm (Thread Starter)
It was an awesome journey for me, but I want to go further: the STM32 has an SWD connector attached to it, as Ya’akov pointed out in the original post. I want to learn how to use it, so I'm trying to find what tools and software I need to communicate with it.

> For example, do they need that fine a resolution on the speed? After all, it comes back as a single byte.

As a matter of fact it doesn't need it. Before I understood how it worked, I populated the second byte and sent the third as 0x00 and the machine was running OK. I only went further because I noticed a pattern between the two bytes and because I was afraid of causing some kind of overload in the motor.
I still need to run more tests to see how the RX message changes (over long distances, for example) to be able to completely replace the top unit, if I actually use the RX message for anything.
 

Irving

OK, but is it reasonably similar? I.e. command 22, motor ramps up to 22-ish? In your example, you've commanded speed = 18 and the motor is running at 19; that's a correlation in my book. Is it true for all speeds commanded?
 