Navigation

    The Onewheel Forum

    Onewheel Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Popular
    • Users
    • Groups
    • Rules
    • Archive

    Gt BMS unlocking

    Mods & DIY
    2
    3
    203
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      abignoli last edited by

      So recently Avaspark released a product (avs RGB gen 3 gt) that can communicate with the factory BMS, and forward it's data to vesc. In this case I'm trying to use my gt BMS with a ubox 85. Unfortunately I think this only works if the bms hasn't been "bricked" or unplugged from the battery. However the developer of this board has also added a way to factory initialize the bms and "un-brick" it. However, it requires the factory authentication keys to be input in order to do so. I've been trying (unsuccessfully) to un-brick my BMS so that I can use it in this configuration, I was hoping that maybe someone here has the know how to be able to find the factory GT bms keys so that I can accomplish this. I found what I thought was them here, on this GitHub page.

      https://github.com/Relys/vesc_pkg/blob/float-accessories/float_accessories/lib/bms.lisp#L4

      But when I try those numbers it does not work, it looks to be wanting a hex address. Or a 16 character alphanumeric key.

      If anyone is skilled enough to help me with this, I don't mind sending some money your way. I'm at a loss. Yes I could buy an aftermarket bms, but I really want this to work as I can forward cell data to the vesc this way without buying an expensive smart BMS, or just deal with being stuck with a "dumb" charge only BMS.

      OneDanGTS 1 Reply Last reply Reply Quote 2
      • OneDanGTS
        OneDanGTS GT-S GT Pint X XR @abignoli last edited by

        @abignoli I know nothing about unlocking a BMS, LOL, but being a software developer, I do know hex, so this line:

        (def key-crc '(3141361152u32)) ;AES-128 key. Offset in 6109: 0x12009

        contains:

        3141361152, which if converting each number pair to hex is 1F29240B34 . . . so you can try that

        3141361152 converted as a full number to hex is BB3D5E00 . . . another number to try

        I've never used the lisp language, but hopefully one of those might work.

        Good Luck!

        GT-S > GT > Pint X > XR > +

        A 1 Reply Last reply Reply Quote 2
        • A
          abignoli @OneDanGTS last edited by

          @onedangts the offsets were locations within the official FM firmware. Problem is the firmware is encrypted, lol. Luckily, I found the right person who had the keys I needed and got it all to work! My factory GT bms is now reporting cell data to vesc. It's a beautiful day. Thank you for your efforts though!

          1 Reply Last reply Reply Quote 4
          • First post
            Last post