As promised im my first post about my very own 1st gen dashboard, here’s the tear-down of the 2nd gen dashboard.
I got this (broken) dashboard from my lovely local dealer in hope of getting access to a working controller and its firmware.
It’s a “Hardware V2” from an 2018-2019 N1S/NQi and the case looks very similar – but there’s a beading which makes it distinguishable from the outside:
When powered-on, the LCD display features a clock, and icons for GPS/Network reception in the upper left corner.
And finally, the sticker at the back of the case is green, and it says “N1SP – HW V2.0, SWsomeversioncode”. In my case the version is NSHDBV04.
Opening the case shows that NIU did their homework indeed:
A very improved design – actually they did nearly everything I would have done when having to redesign the previous layout.
So at what you’re looking here?
Still just 4 ICs (well 3 more or less):
- A buck converter (These are the parts to the left of the red cable saying C1, D1, U3 etc.) generating 3.3V volts for the other ICs from the 12V input)
- A Belling BL55077 LCD driver
- An STM32F0308T6 32-bit micro controller from ST
- A MaxLinear SP3072 RS-485 data-transceiver
- No thermo-resistor inside – it’s probably connected to “TP32” (orange cable) on on-board… TBC
Over all, this is well done. A buck converter needs more parts than a simple 7805 but is very efficient and does not dissipate as much heat as the 7805 does.
The system runs at 3.3V which allows more modern parts like the STM32 controller which contains an ARM CPU core like e.g. your Smartphone does.
Finally the whole design is way more tidy. CAN-bus signals routed to the left side of the board. On the right side you find
- Orange – “TP32” (Yet unknown meaning – the cable is not part of the dash-plug but routed separately.
- Pink – ACC (Adaptive Cruise Control, ACCessory, ACCelerator??)
- Yellow/Light Blue – left/right-indicator
- Blue – headlight
- Black/Red – ground and power.
There are test-points all over the place (“TPxx”) and they used a proper silkscreen print to have names to each part (e.g. R49 for the resistor at the middle/bottom). All in all, this is the work of a professional.
And still, there’s a connector to the controllers in-system programming interface (P2), and it works! I was able to successfully read the firmware (and disassemble it) 😀
If you’re fine reading assembly code, go over this github repository and dive into 12.000+ lines of machine code glory!
4 thoughts on “2nd Gen Dashboard”
hi mate im with my niu kqi3 scooter we are trying hard to hack it, can yo show me how to dump the firmware without causing read-write protection and get it broken? thanks in advance ! nice work!
I’m not aware of any memories (on-chip or external) where you trigger read-protection. This protection fuse is set during the programming process by the manufacturer. So it’s either set or not. In the case of the 2nd gen dashboard the read-protection fuse was simply not set. Pure luck.
Also I’m sure you have read this article, haven’t you? 😉
Lets say we managed to get the foc firmware, how would you go about analyzing/reversing it?
Well, identify the type of CPU used and disassemble the binary. Then bring the diassebled code into a readable form and start interpret…