Bafang M500/M600 thread
- Thread starter El_Topo
- Start date
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
casainho said:
As noted in my reverse enginering thread: There is no certainty that anything is actually locked down. The security precautions (are there any?) in their BESST software are laughable and, reading the code, there might be many options that are just not enabled in the BESST UI but are actually supported by the controller.
Also it should be noted that the firmware files do not seem to be encrypted, however I need someone more competent in ARM/THUMB reverse enginering to actually reverse engineer one.
But in short: No one determined for a fact that it's impossible.
That being said: Speed unlock only takes a canbus dongle. I wouldn't call that 200$
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
Waynemarlow said:
Luna never said they replaced the controller with their own controller for the M600, considering it's still fully BESST compatible and no one completely reverse engineered the CANBUS protocol yet, this is highly unlikely.
Considering they stated in the past they needed a hardware change,a firmware flash and software (BESST) to connect it to the motor unit, I expect they execute a shuntmod and adapting the assistence curve in the firmware accordingly for at least the 1500W version. Because that's all that would be needed, as technically the controller is already capable of handling 30A*48V.
All things considered, it would be nicer if Luna Cycles started to embrace opensource and DIY and share which knowhow they have about the motors and which procedures they follow to modify theirs. We donnot need any proprietary software at this stage, we mostly just need to start to learn how the product behaves.
On a completely different note:
It seems a norwegian company got BAFANG to write custom firmware for the M600 to make them EU road legal, called the M600S:
If ANYONE could get their hands on a firmware file, that would be absolutely golden.
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
casainho said:
Agreed 100%... If we could dump complete firmware and reflash it, that would be easier and less DMCA prone than reverse enginering Bafangs firmware files.
Anyway, motor controllers are available here for relatively cheap:
https://flx.bike/collections/replacement-parts/products/controller-dz-multi?variant=31247163752584
As far as I can find out (because not one has posted high res overview pictures of the controller yet), it looks to be an STM32 based board.
casainho
10 GW
- Joined
- Feb 14, 2011
- Messages
- 6,045
If someone can donate to me one unit of that motor controller, I can give a look, write some notes and make them available on a public repository on github. Developing the firmware always start like this. I do not have any ebike with this motor or the motor itself.ornias said:
Tomblarom
10 W
- Joined
- Jul 20, 2018
- Messages
- 93
Thank you so so much for pointing that out! Seems like a solid company!ornias said:
So I was able to get a pair of HIGO-S5 cables and the innomaker module. Am I correct, that it's not possible to use the innomaker USB2CAN directly with the BESST tool? You have to have the original BESST hardware, even with the python-trick?
Going to provide some controllers to casainho. M500 that my be broken and a fully working M600 controller. Maybe I could also get you an M620 at some point. We're already in contact.casainho said:
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
Tomblarom said:
Yeah the BESST tool actually requires the BESST device, The BESST tool is not just a CANBUS interface... It translates UART commands to their CANBUS protocol.
Quite sad actually, because it makes it a lot harder to reverse engineer their canbus protocol
Tomblarom said:
That would be super-super awesome!
I would get one in a few months, if it's still needed I could lend it to casainho or test things as required, as I do have some background in software dev
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
@Tomblarom
Could share a good closeup picture and a good overview of every chip on the board, before sending them to @casainho?
And a comparison to any board difference between m500 and m600?
@casainho
It might be nice if you could create a seperate repo inside the opensource firmware github organisation to work on bafang m500 and m600 based controllers and to document any knowhow we might gain...
That would be a nice single place to document:
- My reverse enginering work (noted in the seperate thread), including code examples
- Different Bafang firmwares
- Workarounds for the BESST login
- @stancecoke his start at reverse enginering the canbus interface
- pictures of the controller(s) and chips
etcetcetc
Could share a good closeup picture and a good overview of every chip on the board, before sending them to @casainho?
And a comparison to any board difference between m500 and m600?
@casainho
It might be nice if you could create a seperate repo inside the opensource firmware github organisation to work on bafang m500 and m600 based controllers and to document any knowhow we might gain...
That would be a nice single place to document:
- My reverse enginering work (noted in the seperate thread), including code examples
- Different Bafang firmwares
- Workarounds for the BESST login
- @stancecoke his start at reverse enginering the canbus interface
- pictures of the controller(s) and chips
etcetcetc
casainho
10 GW
- Joined
- Feb 14, 2011
- Messages
- 6,045
Done: https://github.com/OpenSourceEBike/Bafang_M500_M600ornias said:
You have already reverse enginering work? where is it? better, please fork the repository, make your changes and then sub,it a pull request. But would be nice if there was some interested developer to maintain the project and accept the pull requests.
What is the most popular motor version? I would like to focus on only one since the time is so scarse...
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
casainho said:
I didn't actually work out how to get a complete decompile running, But I did do a lot of research on the files and code.
The most populair is definately the m600. However: as far as i've seen mechanically the m500 is super close and I bet they use the same controller.
casainho
10 GW
- Joined
- Feb 14, 2011
- Messages
- 6,045
Are you interested to have write access to the repository? if so, please tell me your github id.ornias said:
Would be so nice to have there links to buy the frames, the motor and parts. I mean, links for popular shops and or cheap ones.
I also like they have a smaller one for road / gravel bike!!
And I wish to know more about the fix of motor to the frame, are the fix holes all equal between this 3 motor versions?
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
That would be great, I've already send you a PR with some notes and code.casainho said:
I'll try to iterate and add some more information I know is out there tomorrow
Yeah, I love the idea of the m500 due to the torque and it being EU-Legal.
The only downside to the m500 is the lower current-limit as far as I know.
Between the m500 and the m600 I can confirm the holes are the same, the complete case is actually the same between those two. The mechenical parts are only slightly differnet (very small gearing change for m600 and a slightly different gear angle, but that's everything). so that's why i expect the controller being the same with mostly just firmware changes.
Tomblarom
10 W
- Joined
- Jul 20, 2018
- Messages
- 93
Yes sure. Pretty busy currently, but I can deliver exactly this, before I send anything out.ornias said:
Any chance to replicate this? Maybe collecting the UART commands using a virtual COM port and HTerm?ornias said:
M500 and M600 have the same hole-pattern, so they fit in one another's frame. Bafang support told me the M600 is wider and has metal gears. Seems to be able to take more, mechanically. If you're looking for a solid frame, checkout Dengfu or Seroxat. We have a Facebook group, with a lot experience on frames and manufacturer from china. Feel free to join.casainho said:
We're currently working on a controller version for the M600. Hope to get it into my bike soon.. Currently the Innotrace X1 is only available for Bafang M620: https://innotrace-shop.de
I got CAD models of both versions in case you guys need specific info on anything.
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
Tomblarom said:
Awesome!
I'm not sure if I could simulate it, it also expects certain reposes for uart calls.
Yeah Dengfu is awesome, I just ordered a E-10 by mail from Melody aka Tony
That being said:
The mechenical differences are very small according to one youtube teardown I viewed. and even if so, the m500 would still very well be mechanically capable of handling 1500w with relative ease.
casainho
10 GW
- Joined
- Feb 14, 2011
- Messages
- 6,045
Bafang M500/M600 wireless
About the connection between the motor and the display, CANBUS is not that hard. I am being using it professional on tractors and is very popular on cars.
There are a lot of OpenSource hardware, firmware and software for CAN, since the Arduino, RaspberryPi and Linux. On Linux there is the cantools that let us receive/log and send packages/files to CAN. There is also Python cantools that makes very straightforward to read and write CAN data.
For development, I would suggest any computer with Linux (or RaspberryPi) and a USB-CAN device, that we can buy for 15€ (I use some of this professionally):
As I can understand, the display data, assist level, walk assist, etc are all done on the display with the CAN communications. Also on this same communication cable we can make the configurations to the motor controller. So, we just need to find how to communicate with the display, it is is very easy to hookup the USB-CAN on the bus and log the packages that are sent to the BUS when we change assist level or the configurations on the display or the PC software.
Then, to make our own EBike wireless, I would add this 5€ popular Arduino module (I also use this one professionally):
This module communicates between the microcontroller using SPI, each is very easy and there are a lot of firmware for it: MCP2515.
The CAN module could be added to our EBike wireless board, making it compatible with this motors:
The mobile app could quick be adapted for the specific configurations of this Bafang motors and it already shows the most common EBike variables:
And then users could also use the wireless remote (based on the 850C display keypad) and the Garmin cycling GPS displays.
Fully wireless remote:
Alternatively, adapt our OpenSource firmware for the SW102 / 850C / 860C displays, although is very hardware to develop for so I really prefer the mobile app, wireless controller and a Garmin GPS display that already includes GPS navigation and connection to other cycling sensors as also watches heart rate:
[youtube]eDENZS4pHvo[/youtube]
[youtube]q0N5W3Fgyjk[/youtube]
About the connection between the motor and the display, CANBUS is not that hard. I am being using it professional on tractors and is very popular on cars.
There are a lot of OpenSource hardware, firmware and software for CAN, since the Arduino, RaspberryPi and Linux. On Linux there is the cantools that let us receive/log and send packages/files to CAN. There is also Python cantools that makes very straightforward to read and write CAN data.
For development, I would suggest any computer with Linux (or RaspberryPi) and a USB-CAN device, that we can buy for 15€ (I use some of this professionally):
As I can understand, the display data, assist level, walk assist, etc are all done on the display with the CAN communications. Also on this same communication cable we can make the configurations to the motor controller. So, we just need to find how to communicate with the display, it is is very easy to hookup the USB-CAN on the bus and log the packages that are sent to the BUS when we change assist level or the configurations on the display or the PC software.
Then, to make our own EBike wireless, I would add this 5€ popular Arduino module (I also use this one professionally):
This module communicates between the microcontroller using SPI, each is very easy and there are a lot of firmware for it: MCP2515.
The CAN module could be added to our EBike wireless board, making it compatible with this motors:
The mobile app could quick be adapted for the specific configurations of this Bafang motors and it already shows the most common EBike variables:
And then users could also use the wireless remote (based on the 850C display keypad) and the Garmin cycling GPS displays.
Fully wireless remote:
Alternatively, adapt our OpenSource firmware for the SW102 / 850C / 860C displays, although is very hardware to develop for so I really prefer the mobile app, wireless controller and a Garmin GPS display that already includes GPS navigation and connection to other cycling sensors as also watches heart rate:
[youtube]eDENZS4pHvo[/youtube]
[youtube]q0N5W3Fgyjk[/youtube]
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
brake034 said:
It's not really relevant, like @casainho explains the protocol should be quite similair.
Though I agree for speed-pedelec users the M620 would be a much beter value-for-money.
That being said: The M600 with current unlock is already capable of 1000w continuesly just fine, so I doubt there will be many technical changes inside the M620 vs the M600. This is something Bafang does all the time: They change a few firmware parameters, slightly different gearing and call it a "new product", thats basically also what describes the difference between M500 and m600 already
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
casainho said:
I agree CAN isn't that hard. However a caveat:
We donnot know yet how many motor parameters are actually set-able (in contrast to get-able) using the CANBUS. Like you explained, we basically need someone to snoop the CANBUS and try to set one of the params to findout if the firmware blocks it or not.
As we can only set a few parameters of the controller using the BESST software and those have already been reverse engineered.
My suggestion for an "attack vector":
- SNOOP the GET communications on the CANBUS by the BESST hardware tool (for example lets take the max. current)
- Try to SET those same values using a CANBUS interface
If that works we can just start working on all of them in bulk.
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
Tomblarom said:
I've looked that one up, the M600 has the precise same diameters in the OEM catalog as the M500:
https://bafang-e.com/en/oem-area/components/component/motor/mm-g520250c/
https://bafang-e.com/en/oem-area/components/component/motor/mm-g521500c-1/
Could you send a PR with those to the github with information me and casainho are building?Tomblarom said:
(https://github.com/OpenSourceEBike/Bafang_M500_M600)
As it might be of help for people doing hardware mods.
Tomblarom
10 W
- Joined
- Jul 20, 2018
- Messages
- 93
There appears to be a new firmware for M500 with BOOST button functionality. I don't know whether it's M600 compatible. It was privately forwarded to me. Flashable using the BESST tool. Unzip first.
Display: DPC240CI.......
Controller: CRX10NC361....
Display: DPC240CI.......
Controller: CRX10NC361....
PadreParada
10 mW
- Joined
- Jun 11, 2021
- Messages
- 24
Hi Casainho and Ornias 1993,
This are two limited to 10 Amps firmwares, for M600 that Bafang sent me a few days ago. You may upload them in the GitHub repository and compare them with the rest.
Thanks you very much for all your efforts.
This are two limited to 10 Amps firmwares, for M600 that Bafang sent me a few days ago. You may upload them in the GitHub repository and compare them with the rest.
Thanks you very much for all your efforts.
ornias
100 W
- Joined
- Jul 18, 2021
- Messages
- 172
Tomblarom said:
Thank you very much, this answers an important question:
"How many watts is the m500 controller limited at stock"
It seems the m500 is limited to a peak power consumption of 540 watts stock (36v * 15a, ignoring powerfactors), in comparison to the 864 watts for the m600.
However: I looking at the files, I suspect the m500 controller can be flashed using the m600 firmware for an easy unlock, did anyone try that already?
EDIT:
that might not work in practice actually, the m600 controller has another shuntresistor and mosfet
On another note:
The BOOST thing is very intersting, good to keep track of and also thanks for the display firmware, we didn't have that one cataloged yet
PadreParada said:
Super awesome, could you give some reasons as to why they send you these firmwares?
Similar threads
