Step one: Reverse Engineer Bluetooth Protocol

A project log for Open esk8 Remote - v1

Fully open source remote control for common electric skateboards using the NRF24L01+

Timo Birnschein, 12/09/2018 at 23:47

The Acton iOS app offers the board's total mileage, current velocity, battery state of charge, the drive mode (beginner, normal, pro), and the state of the exterior lighting. That's it. Can't be that hard to decipher.

So I pulled out my CC2541 sniffer and quickly realized, this is a bad idea. I just wanted the data, not the Bluetooth communication protocol with some data hidden somewhere inside of it.

So I pulled out my breadboard, plugged in two USB to serial converters and soldered their RX lines straight to RX and TX of the Bluetooth module. Et voilà: Communication established!

The protocol is very simple except that I could not identify where the mileage is communicated.

After about an hour of poking around and testing all options with the iOS app, I reached a limit of what I could find. For some reason, I did not see the mileage anywhere. The value just didn't appear to me or I'm just blind. Any ideas?
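One way to approach the missing-mileage problem described above, as an added example that is not code from the original log: take frames captured while the app shows known values, search each frame for that value under common encodings, and keep only the offset and encoding pairs that agree across all captures. The frame bytes below are constructed for illustration and are not the Acton protocol; the function names are hypothetical.

```python
import struct

def encodings(value, scales=(1, 10, 100, 1000)):
    """Yield (label, bytes) for plausible wire encodings of a displayed value."""
    for scale in scales:
        n = round(value * scale)          # fixed-point: value stored as an integer
        for width in (2, 3, 4):
            if n < 1 << (8 * width):
                for order in ("little", "big"):
                    yield f"uint{8 * width} {order} x{scale}", n.to_bytes(width, order)
        digits = str(n)
        if len(digits) % 2:
            digits = "0" + digits
        if len(digits) >= 4:              # skip 1-byte BCD, too many false hits
            yield f"BCD x{scale}", bytes.fromhex(digits)
    yield "float32 little", struct.pack("<f", value)
    yield "float32 big", struct.pack(">f", value)

def locate_field(samples):
    """samples: list of (frame_bytes, value_shown_in_app).
    Return sorted (offset, encoding) pairs consistent with every sample."""
    common = None
    for frame, value in samples:
        hits = set()
        for label, pattern in encodings(value):
            pos = frame.find(pattern)
            while pos != -1:
                hits.add((pos, label))
                pos = frame.find(pattern, pos + 1)
        common = hits if common is None else common & hits
    return sorted(common or [])

# Constructed sample frames (NOT real captures): the app is assumed to have
# shown 123.4 for the first frame and 125.1 for the second.
SAMPLES = [
    (bytes.fromhex("a507012cd20455029f"), 123.4),
    (bytes.fromhex("a507011ee3044b0277"), 125.1),
]

if __name__ == "__main__":
    for offset, label in locate_field(SAMPLES):
        print(f"candidate field at offset {offset}: {label}")
```

An empty result across several captures suggests the value is not sent in the tapped traffic in any of these encodings, for example because it is only sent on request or in a form this search does not cover.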

The next step was to connect my own CC2541 to the board and mimic the iOS app. Maybe I could make my own app. Maybe I could even make this board Bluetooth controlled. How cool would that be?

Unfortunately, I ran into the counterfeit issue myself and even though I was able to connect to the skateboard's Bluetooth controller, I wasn't able to configure my CC2541 in a way that would allow the communication mode I needed. I hate counterfeits!

I aborted at this point.