Boosted Board App for Android

Background info

I bought a Boosted Board V2 Dual with both EX and SR battery in 2018. I also bought a board with a hub motor, and have only used it once because I'm so in love with my Boosted V2. I've changed a number of belts and did some maintenance with the bearings and pulleys. The simplicity of the construction brings me a lot of joy when I work with it, even more so when I'm using it. Sadly, the Boosted Company is not in business anymore so getting upgrades and support will not be a thing in the future.
Riding near Square One, in Mississauga, I was clipping about 25 km/h past the bus station entrance and my board stopped dead. The road was smooth, there weren't any rocks, I was going down a decline and my hand was on the accelerator. I stopped to look around and analyze the belt and pulleys, the road, I even looked around to see if anyone was pranking me with a Bluetooth scrambler. I remembered the video of those two guys who tried to hack his board after something similar happened to him in Australia. Wired Article, Defcon Video
I want to continue that research using my own board now that these products are not officially supported.

Deconstructing My Controller

After reading the Twitter post about getting a debug dump from the V2 battery I wanted to see if I could get a similar debug port on the controller. There isn't a debug port, but there is a port for programming. Not really useful unless I have a firmware file. So I wanted to continue digging to see if I can get more insight. I checked some pics of someone else who took their controller apart. Great pics, but I wanted to know the types of ICs. On further inspection, in order to see all the traces I had to remove the piezo speaker and I also removed the battery to play it safe.

Update: 05-27-20

I've made a working Boosted Board Odometer and battery tracker. It works like the Boosted app did, in that it takes the odometer readings from the ESC motor revolution count. I've been posting most of my updates on reddit/BoostedBoards.

Update: 06-28-20

Holy shit, where do I begin? RLOD fix, balancing, modding, Leaf device, UM232H modules, CAN bus decoders, firmware discovery and ESP32s boards.

While I had it open I cleaned things up. Here I added a water seal around the button. There are larger holes where liquids can get to the battery, but I did it anyways because I just felt it needed it. Used a balloon as a rubber seal and glued it with that clear rubbery stuff with the Chinese writing on it. I pay $3 for it locally.
I damaged the piezo speaker, but I was already thinking of replacing it with a small vibrating motor. I'm sure the vibrator will be more noticeable than the sound of the beeps. The vibrator is from some old Blackberry phone parts.

I read a post on r/BoostedBoards about packet sniffing in order to send a signal to the VESC, so I installed the latest Kali Live onto USB and booted up my Surface Pro 4, but I didn't get a signal from the controller. I probably did something wrong using bettercap since I didn't get a signal from a number of other devices in the area and I actually couldn't connect to them.

Deconstructing My Board

The board was dirty up in places of the circuitry and shit. Kind of lacking on the sealing, but I'll address that later. The mainboard was luckily fully coated with latex. I was pleasantly surprised with that. Hey, Samsung and crApple, that's how you waterproof something! So dirty I wish I could be doing this outside with a hose.

Have you ever seen that episode where Kramer makes salad in the shower? I was careful not to let water in the crevices and dried everything right away.

Bluetooth

ESC and Battery

| Description | Type | Address | Example Value |
|---|---|---|---|
| Service Change Service | Service | 00001801-0000-1000-8000-00805f9b34fb | |
| Service Change Characteristic | Notify | 00002a05-0000-1000-8000-00805f9b34fb | |
| Device Service | Service | 00001800-0000-1000-8000-00805f9b34fb | |
| Board NickName | Readable | 00002a00-0000-1000-8000-00805f9b34fb | MyBoard |
| Device Appearance | Readable | 00002a01-0000-1000-8000-00805f9b34fb | 0xC303 |
| Device PPC parameters | Readable | 00002a04-0000-1000-8000-00805f9b34fb | 0x0800100000009001 |
| Device Info Service | Service | 0000180a-0000-1000-8000-00805f9b34fb | |
| ESC Model Name | Readable | 00002a24-0000-1000-8000-00805f9b34fb | 00005678 |
| ESC Hardware Name | Readable | 00002a27-0000-1000-8000-00805f9b34fb | 0x3031384234414031 |
| ESC Firmware Value | Readable | 00002a26-0000-1000-8000-00805f9b34fb | v2.1.9 |
| Manufacturer Name | Readable | 00002a29-0000-1000-8000-00805f9b34fb | Boosted, Inc. |
| Device PnP ID | Readable | 00002a50-0000-1000-8000-00805f9b34fb | 0x01000A004C010001 |
| OTA Update Service | Service | 00001016-d102-11e1-9b23-00025b00a5a5 | |
| OTA Current App | Readable, Writable | 00001013-d102-11e1-9b23-00025b00a5a5 | 0x01 (0x00 = Update Mode) |
| OTA Read CS Block | Writable | 00001018-d102-11e1-9b23-00025b00a5a5 | |
| OTA Data Transfer | Readable, Notify | 00001014-d102-11e1-9b23-00025b00a5a5 | Null |
| OTA Version | Readable | 00001011-d102-11e1-9b23-00025b00a5a5 | 0x07 |
| Battery Service | Service | 65a8eaa8-c61f-11e5-9912-ba0be0483c18 | |
| Battery Level Characteristic | Readable, Notify | 65a8eeae-c61f-11e5-9912-ba0be0483c18 | 0x64 (0x00-0x64) |
| Battery Firmware Value | Readable | 65a8f833-c61f-11e5-9912-ba0be0483c18 | 0x02010200 (v2.1.20) |
| Battery ModelName | Readable | 65a8f831-c61f-11e5-9912-ba0be0483c18 | 0x02=XR (0x01=SR battery) |
| Battery Charging | Readable, Notify | 65a8f5d4-c61f-11e5-9912-ba0be0483c18 | 0x00 (0x01=Charging) |
| Battery Unknown 1 | Readable | 65a8f832-c61f-11e5-9912-ba0be0483c18 | 0x01 |
| Battery Serial Number | Readable | 65a8f834-c61f-11e5-9912-ba0be0483c18 | 0x08BFDC12 (XR), 0xDE5F0000 (SR) |
| Battery Capacity | Readable | 65a8f3c2-c61f-11e5-9912-ba0be0483c18 | 0xD0103D00 (XR), 0x0A0252600 (SR) |
| Battery RTC | Readable, Writable | 65a8f835-c61f-11e5-9912-ba0be0483c18 | 0x00000000000000 |
| Serial Service | Service | 588560e2-0065-11e6-8d22-5e5517507c66 | |
| Serial R/W State | Readable | 58856526-0065-11e6-8d22-5e5517507c66 | 0x00 (0x01 for God Mode) |
| Serial Key | Readable, Writable, Notify | 58856524-0065-11e6-8d22-5e5517507c66 | 0x0A61B9AFDA6669559F2F9BA13E99BB6 |
| Odometer Service | Service | 7dc55a86-c61f-11e5-9912-ba0be0483c18 | |
| Odometer Value | Readable, Notify | 7dc56594-c61f-11e5-9912-ba0be0483c18 | 0x259f4f01 |
| ESC Model | Readable | 7dc59643-c61f-11e5-9912-ba0be0483c18 | 0x01 (V2 Dual) |
| Available Ride Modes | Readable | 7dc55dec-c61f-11e5-9912-ba0be0483c18 | 0x03 (Max is Expert) |
| Current Ride Mode | Readable, Writable, Notify | 7dc55f22-c61f-11e5-9912-ba0be0483c18 | 0x02 (Expert), (0x00=Beginner) |
| Motor Speed | Readable, Notify | 7dc56b34-c61f-11e5-9912-ba0be0483c18 | 0x0000 at rest, max ~0x001c? (7000) |
| ESC Unknown 1 | Readable | 7dc56666-c61f-11e5-9912-ba0be0483c18 | None |
| ESC Unknown 2 | Readable | 7dc56986-c61f-11e5-9912-ba0be0483c18 | None [what does that mean?] |
| ESC Power | Readable, Notify | 7dc56bfc-c61f-11e5-9912-ba0be0483c18 | 0x00000000 |
| ESC OTA Update | Writable | 7dc573ec-c61f-11e5-9912-ba0be0483c18 | |
| ESC Name | Readable, Writable | 7dc5bb39-c61f-11e5-9912-ba0be0483c18 | BoostedBoard00005678 (write Nickname) |

Controller

| Description | Type | Address | Example Value |
|---|---|---|---|
| Service Changed Service | Service | 00001801-0000-1000-8000-00805f9b34fb | |
| Service Change Characteristic | Notify | 00002a05-0000-1000-8000-00805f9b34fb | |
| Device Info Service | Service | 00001800-0000-1000-8000-00805f9b34fb | |
| Device Name | Readable | 00002a00-0000-1000-8000-00805f9b34fb | BoostedRmt12345678 |
| Device Appearance | Readable | 00002a01-0000-1000-8000-00805f9b34fb | 0xC303 |
| Device PPC parameters | Readable | 00002a04-0000-1000-8000-00805f9b34fb | 0x0800100000009001 |
| Device Properties Service | Service | 0000180a-0000-1000-8000-00805f9b34fb | |
| Model Number | Readable | 00002a24-0000-1000-8000-00805f9b34fb | 0x3030303030303030 |
| Hardware Revision | Readable | 00002a27-0000-1000-8000-00805f9b34fb | 0x30303030 (v2.3.3:0x0189C741) |
| Firmware Revision | Readable | 00002a26-0000-1000-8000-00805f9b34fb | v1.4.3 |
| Manufacturer Name | Readable | 00002a29-0000-1000-8000-00805f9b34fb | Boosted, Inc. |
| PnP ID | Readable | 00002a50-0000-1000-8000-00805f9b34fb | 0x01000A004C010001 |
| Trigger Service | Service | AFC05dA0-0cd4-11e6-a148-3e1d05defe78 | |
| Trigger Value | Readable, Notify | AFC0653E-0cd4-11e6-a148-3e1d05defe78 | 0x2000000 @idle |
| v2.3.3 Only | Readable | AFC063F4-0cd4-11e6-a148-3e1d05defe78 | 0x00000000 |
| v2.3.3 Only | Writable | AFC0653F-0cd4-11e6-a148-3e1d05defe78 | - |
| v2.3.3 Only | Readable | AFC06540-0cd4-11e6-a148-3e1d05defe78 | 0x0103010000003F37000045360000 |
| LED/Buzzer Service | Advertised Service | F4C4772C-0056-11E6-8D22-5E5517507C66 | |
| LED Value 1 | Writable | F4C47A4C-0056-11E6-8D22-5E5517507C66 | writing 1 dims blue light cycles orange lights; writing 2 starts beeping, 0xF steady blue flash |
| LED Value 2 | Writable | F4C47D8A-0056-11E6-8D22-5E5517507C66 | Writing 1 or 2 Disconnects |
| LED Value 3 | Writable | F4C47E66-0056-11E6-8D22-5E5517507C66 | 0x01=1 flashing light |
| LED Value 4 | Writable | F4C429F3-0056-11E6-8D22-5E5517507C66 | 0x01=1 flashing light 0x02=beeping |
| LED Value 5 | Writable | F4C48032-0056-11E6-8D22-5E5517507C66 | Disconnect with anything |
| LED Value 6 | Readable, Writable | F4C4293F-0056-11E6-8D22-5E5517507C66 | ? |
| OTA Update Service | Service | 00001016-d102-11e1-9b23-00025b00a5a5 | |
| OTA Current App | Readable, Writable | 00001013-d102-11e1-9b23-00025b00a5a5 | 0x01 (0x00 = Update Mode) |
| OTA Read CS Block | Writable | 00001018-d102-11e1-9b23-00025b00a5a5 | |
| OTA Data Transfer | Readable, Notify | 00001014-d102-11e1-9b23-00025b00a5a5 | Null |
| OTA Version | Readable | 00001011-d102-11e1-9b23-00025b00a5a5 | 0x07 |
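
Several example values in the two tables use standard Bluetooth GATT encodings and can be decoded offline. The decoder below is an added example, not code from the original page; it assumes the hex strings are the raw bytes in the order the device sent them, and the function names are made up for this illustration.

```python
import struct

# Example values copied from the two tables above, as hex strings.
# Assumption: each string is the raw characteristic payload in wire order.
APPEARANCE = "C303"                     # Device Appearance (0x2A01)
PPCP = "0800100000009001"               # Device PPC parameters (0x2A04)
ESC_HARDWARE_NAME = "3031384234414031"  # ESC Hardware Name (0x2A27)
REMOTE_MODEL_NUMBER = "3030303030303030"  # controller Model Number (0x2A24)


def _payload(hex_value: str, size: int) -> bytes:
    """Convert a hex string to bytes and reject payloads of the wrong length."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != size:
        raise ValueError(f"expected {size} bytes, got {len(raw)}")
    return raw


def decode_appearance(hex_value: str) -> dict:
    """GAP Appearance: little-endian uint16, category in the upper 10 bits."""
    (value,) = struct.unpack("<H", _payload(hex_value, 2))
    return {"value": value, "category": value >> 6, "subcategory": value & 0x3F}


def decode_ppcp(hex_value: str) -> dict:
    """Preferred connection parameters: four little-endian uint16 fields."""
    lo, hi, latency, timeout = struct.unpack("<4H", _payload(hex_value, 8))
    return {
        "min_interval_ms": lo * 1.25,            # interval unit is 1.25 ms
        "max_interval_ms": hi * 1.25,
        "latency_events": latency,
        "supervision_timeout_ms": timeout * 10,  # timeout unit is 10 ms
    }


def decode_ascii(hex_value: str) -> str:
    """Device Information strings are text; fail loudly on anything else."""
    text = bytes.fromhex(hex_value).decode("ascii")
    if not text.isprintable():
        raise ValueError("payload is not printable ASCII")
    return text


if __name__ == "__main__":
    print(decode_appearance(APPEARANCE))
    print(decode_ppcp(PPCP))
    print(decode_ascii(ESC_HARDWARE_NAME), decode_ascii(REMOTE_MODEL_NUMBER))
```

Read this way, the appearance value is 0x03C3 (category 15, the HID group), and the connection parameters request a 10 to 20 ms interval with a 4 second supervision timeout.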

Deconstructing the Android App

I recently decompiled the Android app, looking for goodies. I found some pictures and values used in odometer conversion. Things are written in smali and Kotlin. I have a small sense of what's going on here and there, but I really cannot make sense of the overall picture. I hope someone else can take a crack at it and find out about the OTA updates and how they work.

Update information

I'm on board firmware v2.1.9, never got prompted for an update and my app always said I was up to date. This might be important in the future.
XR Batteries require ESC Firmware v2.1.9
Remotes require Firmware v2.3.3 for Hyper mode control

Beams require ESC Firmware v2.7.2, which had "bug fixes"

SR Battery Firmware: 1.4.1, 1.5.6
XR Battery Firmware: 2.1.2, 2.1.5, 2.1.7, 2.5.1
ESC Firmware: 1.3.0, 2.1.8, 2.1.9, 2.3.3, 2.5.1, 2.7.0, 2.7.1, 2.7.2
Remote Firmware: 1.3.0, 1.4.3, 2.2.0, 2.3.3 (Hyper Mode)

Notable websites

Saveboosted.com: Documentation and error codes

Foreverboosted.co: Repair and documentation

Dustinlieu.com/boosted-checker: Bluetooth info checker

Beambreak.org: Reverse engineering and tutorials

V3 Motor teardown: Repair and upgrade video

d1nkyy's GitHub: Reverse engineering

Lambertofmtl's GitHub: Reverse engineering XR Battery

Jonataubert's GitHub: RLOD fix via Flashrom

XR Battery RLOD Fix

I'm using an Arduino Mega 2560 because I have a couple lying on my desk, also, it has 3.3v and accepts as low as 2.7v for logic. I'm just making notes in the event that I forget.
Download the frser-duino mega1280 branch
$ sudo git clone --recursive https://github.com/urjaman/frser-duino -b arduino-mega-1280
Open the directory
$ cd frser-duino
Make it happen
$ sudo make u2 && sudo make flash-u2
Edit the Makefile: change the MCU from 1280 to 2560 and use this for the AVRDUDE settings a couple of lines below
$ sudo nano Makefile
Change to the following, leave everything else for avrdude as is
avrdude -p m2560 -c wiring
I'm on version 6.something of avrdude, btw

MCLR gets tied to ground. Both are on the debug header so I could probably bridge those to ground on the Arduino (I could do that but then I'd need to desolder MCLR or readFlash to check if the battery was flashed)

==========================================================
Alright, after speaking with u/Jonataubert, I have been informed that the data lines on the batt mobo are pulled up to high (I think he said 10k to 3.3v).
Essentially, using an Arduino with 5v logic and a volt reduction circuit will give messy results, if any. If I had an Arduino with 3.3v logic, maybe this method would fly. I think the Arduino Due and Arduino mini might have 3.3v logic.
I've given up and will use an FT232H device when I get it and post the results.
==========================================================
Back in the game with a UM232H!
Cells are already balanced to 4.2v (Instrument error, real value was probably closer to 3.4 v)
Full pack voltage is 44.4
Hooked up wires as in diagram
Read, verify, erase, reset =GOLD!
Removed wires, plugged in to charge, everything looks good
Unplugged BMS, restarted battery, RLOD, redid process
Firmware v2.5.1
Took it for a solid 10 km ride, charged and balanced to 3.90 V
Sealed with extra strength caulking, with some advice from a pro handyman
Returning battery to donor

Second battery has dead cells, cell #11 was at 0.5v, the rest around 2v
Battery level lights show 1 flashing
Read, verify, erase, reset=RLOD, not able to charge before or after flashing
Found out I can just plug in the charger instead of holding the button
Using a Nitecore battery charger
Broke my Nitecore battery charger
Using a Yihua 853D to charge the cells with an analog ampmeter
Going cell by cell, bringing them each to a nominal voltage
Charging each cell at around 500 mA, never going higher than that
Balanced levels so far: 3.47, 3.48, 3.44, 3.44, 3.55, 3.46, 2.xx, 2.xx, 2.xx, 2.xx, 3.80, 3.88, 3.57
Tested again in order: 3.42, 3.46, 3.44, 3.42, 3.54, 3.45, 3.43, 3.46, 3.41, 3.20, 3.79, 3.88, 3.56
Battery level lights show 2+1flashing, still RLOD without flashing
Bent three pins in the BMS connector, somehow, straightened them before jamming things together
Read flash(dump0), verify, Erase, RLOD
Balance charge lowest cell: 3.37, 3.88
Read flash(dump1), verify, Erase, RLOD
Balance charge lowest cell: 3.38, 3.88
Read flash(dump2), verify, Erase, RLOD
Balance charge lowest cell: 3.39, 3.88
Read flash(dump3), verify, Erase,...
Power on, OK
Read flash(dump4), verify, OK
Connected to board and powered on, RLOD
Charge lowest cell, read flash(dump5), verify, Erase, RLOD, charge more, read flash(dump6), verify, Erase, OK
Charge battery to 100% [2 minutes from 50%-full]
Connected to charger second time, RLOD after a couple seconds
Charge lowest cell, read flash(dump7), verify, Erase, OK
Despite saying 100%, cells remain unbalanced (one cell is at 3.90, the rest are close to 3.4)
Firmware v2.1.7
BMS was not fully plugged in and RLODed
Read flash(dump8), verify, Erase, OK
[Read Cells: unbalanced] - When balanced to 3.90, continue >>
[Read Cells: unbalanced] - When balanced to 3.90, continue >>
Seal, done

Repairs Pricelist

-RLOD XR Battery $100
-Lost ride modes $100
-ESC Bluetooth Connection Repair $TBD
-XR Battery modchip $TBD
-Wire soldering $20
-Remote battery replacement $45

Accessories

Motor cable
Battery cable extension
Accessory cable
3D Printable risers and bashguards
3D printed skid plates
3D printed motor caps
Chop sticks
More risers
More bashguards