Next up, I wanted to take over the motor controller itself.
My theory, and I wasn't able to confirm it yet, is that this controller is derived of some Infineon motor controller form some electric bike. The used controllers are in fact counterfeit Infineon 8051 controllers and are being used in lots and lots of Chinese Ebay ebike controllers. For those, a config tool exists. Unfortunately, since there is not sign of a datasheet, I couldn't get it to work.
On the contrary: The manufacturer of the board even says, these chips are programmed to the specs of the customer and cannot be reflashed with a new config after shipment. Sad, dumb, and unfortunate. I couldn't prove them wrong, yet.
However, I did a lot of research on the board to identify what's going on:
On the picture above, two chips are missing as this is the slave board. To me, it looks like these chips have been removed by hand after complete assembly to make use of the slave interface.
On the master board, these chips are present. One is the aforementioned NRF chip with antenna and everything (I ripped the external antenna plug off my accident - next to connector HALL2) and the other one is the master controller communicating with the NRF and the four motor controller ICs.
All motor controllers are connected in parallel and therefore receive exactly the same signals.
My ebike theory, btw. comes from the fact that the motor controllers consume an analogue signal for the throttle value. However, I have yet to discover WHERE this analogue value is being generated. It's not connected to the primary controller and I did not see any DACs or resistor ladders on the boards.
Unfortunately, here is where the take over story currently is. I couldn't access the firmware, I don't have a JTAG adapter at the moment, I don't know if a serial protocol is available, and so on and so forth.
What I did is prepare one of my boards with headers for later, more detailed analysis.