ElectricMotorcycleForum.com

Makes And Models => Zero Motorcycles Forum | 2013+ => Topic started by: stargazerinwg on July 10, 2019, 01:03:25 AM

Title: MBB set command
Post by: stargazerinwg on July 10, 2019, 01:03:25 AM
I built an OBD II connector to access the MBB on my 2017 FX according to this https://zeromanual.com/wiki/How_to_build_a_cable_to_access_the_MBB and it appears to be communicating as expected.  The commands display the output as expected, e.g., status, inputs, dumpall produce the text expected.  I'm using PuTTY on a Linux laptop and set the CR/LF parameters so the output is displaying correctly.

I am trying to disable the kickstand switch and the abs.  When I enter set ov_kickstand yes and set abs_disable on, it says invalid parameter for both ov_kickstand and abs_disable.  I tried enclosing parameters and values in <> and also all upper case with no success.

Thanks if anyone knows what I am missing or doing wrong ...

Also tried the ISO 8859-1 character set translation rather than UTF-8 - no apparent difference.

I wonder if there is an admin/root password to use with the login command ...
Title: Re: MBB set command
Post by: flattetyre on July 10, 2019, 03:49:14 AM
There is probably really minimal security for the MBB since so far the zero hacking scene is nonexistent. I'm interested in what you find out here, but in the meantime, pull the ABS fuse to disable. It's under the seat in a big holder by itself.
Title: Re: MBB set command
Post by: stargazerinwg on July 10, 2019, 04:17:29 AM
Thanks flattetyre - that will be better than having to disable the abs each time the bike is turned on.  For the kickstand, until I figure out the MBB set command problem, a magnet attached to the sensor is doing the trick.
Title: Re: MBB set command
Post by: Auriga on July 10, 2019, 10:24:17 PM
Those commands are not available unless logged in. I don't know what the passwords are though.
Title: Re: MBB set command
Post by: swiftsam on July 11, 2019, 12:48:46 AM
I am also working on disabling my kickstand sensor in this thread
https://electricmotorcycleforum.com/boards/index.php?topic=9052.msg79275#msg79275
and am currently blocked by needing the MBB login password.

I got the impression folks knew them but just preferred not to post them publicly. So far I haven't been able to find anyone who can help, and my bike is stuck.  I'll follow this thread and let you know if I have any luck
Title: Re: MBB set command
Post by: stargazerinwg on July 11, 2019, 02:27:44 AM
I talked to the dealer where I purchased the bike and he did not know the MBB could be accessed in this manner.  So I called Zero and the person that answered was also not familiar with it, put me on hold to talk to someone else, and then returned to tell me that she could not and would not provide the password.  I (politely) asked if I could talk to someone else who might be more technical or knowledgeable in this area and she said there was no one else.  She said the dealer would have to do this for me (although I am not certain she understood what I want to do) and said I should contact them.  I explained that I had and that he did not know how to do it and was not aware of a way to access the MBB or change settings in this manner.  She said she was sorry and wanted to end the conversation so I said goodbye.  I am sure she was following procedure, but it seems to me the procedure should accommodate all levels of users.

I called the dealer again and told him what happened.  He is reviewing the pertinent links I sent about building the connector, accessing the MBB and using the set command to change settings.  He is going to call Zero and see if they will tell him and then maybe he will share with me.  I am not really hopeful about this.

I wonder if anyone knows someone at zero in the engineering or technical area.  Right now, I don't see how I (we) will get this information going through the front door.
Title: Re: MBB set command
Post by: Auriga on July 11, 2019, 02:39:52 AM
I don't think Zero is going to tell you the password to access low level MBB settings and disable safety systems.

If you don't want ABS, why not just remove the ABS fuse? That'll disable the ABS system permanently and doesn't require a password
Title: Re: MBB set command
Post by: stargazerinwg on July 11, 2019, 02:56:22 AM
Zero customer service lady called back to tell me the dealer won't be able to use the set command.

Maybe Zero contracts production of the MBBs and they don't know what the password is or the login command may just be a ruse.  Oh well.

Yes, I can pull the ABS fuse and attach a magnet to the kickstand sensor - just wanted to do it this way since it seemed possible and less kludgey.
Title: Re: MBB set command
Post by: flattetyre on July 11, 2019, 06:07:56 AM
Quote from: Auriga on July 11, 2019, 02:39:52 AM
I don't think Zero is going to tell you the password to access low level MBB settings and disable safety systems.

This has nothing to do with it. They don't want you in their MBB. Anyway I can all but guarantee it's super easy to hack. Think about it: at the very LEAST you could put a buspirate on the line and sniff the password when the dealer logs in. Duh?
Title: Re: MBB set command
Post by: pacificcricket on July 11, 2019, 11:48:12 AM
Quote from: flattetyre on July 11, 2019, 06:07:56 AM
This has nothing to do with it. They don't want you in their MBB. Anyway I can all but guarantee it's super easy to hack. Think about it: at the very LEAST you could put a buspirate on the line and sniff the password when the dealer logs in. Duh?

+1

Sniffing it out should be pretty trivial even without special hardware: run the Zero software in a VM, and record the traffic through the serial interface on the Linux host.
Title: Re: MBB set command
Post by: stargazerinwg on July 11, 2019, 07:48:59 PM
Well, customer service called back to tell me the dealer couldn't do this, i.e., they apparently don't routinely have the password.  My dealer did not and didn't know there was one.  But he didn't know about the MBB console, either.  So maybe only when an MBB needs to be replaced would zero assist or whatever.

I'm fairly handy with computers and have been using Linux for years.  When I connect to the MBB with PuTTY, it writes all the traffic to a file.  AFAIK all the traffic is plain text.  I don't see any special or unreadable characters in the log files.  Not sure what you mean by zero software.  From what I have found out, the MBB console is firmware.  When I connect, I am "logged in" at level 0, without having used the login command.  This is shown when you use the login command with no parameters.  I tried a few passwords with the login command with no success.  So it appears to me the password is never in the stream until you enter it.  So, it seems like it is a guessing game.

Would there be one password for all MBBs or is it specific to each MBB?  I tried the serial and vin numbers as passwords with no success.  It would be great to have it but I don't know where to go from here other than keep guessing ...

I am definitely open to suggestions.
Title: Re: MBB set command
Post by: pacificcricket on July 11, 2019, 09:09:46 PM
Quote from: stargazerinwg on July 11, 2019, 07:48:59 PM
Not sure what you mean by zero software.

I assumed Zero has some kind of proprietary software that interfaces with MBB provided to authorized dealers. Even though the underlying protocol is all text, it is unlikely they'd be using it by hand - instead some GUI-driven application writes those commands as the user clicks the buttons. I also was thinking that the password may be embedded in the software and never actually provided to the dealer, that's where sniffing it out could work. Those are just assumptions though.
Title: Re: MBB set command
Post by: Israel on July 12, 2019, 04:33:15 AM
There are more than a few people who can send a hack file, reprogram or disable.  I understand the Israel dealership has decided to distribute all user passwords and all firmware updates since 2013.  It's apparently on line now behind a paywall. I'm told there's also a detailed overview of numerous defects they reported that have not been addressed, there with the hope that those who have experienced unknown and unexplained events, especially those resulting in injury, will better understand what likely occurred and be enabled to take action, legal or otherwise. There will likely be a press release when the site launches.
Title: Re: MBB set command
Post by: PVNRG on July 15, 2020, 12:55:51 AM
I have connected to the MBB successfully. The MBB time is way off, thinks it is 2022. How do I correct this? Also, I had a problem with the zero app trying to download the logs. It would only work for the "Motorcycle Logs Only" option. The "Motorcycle and Battery Logs" option never finishes. I suspect that the issue is that the battery log is too big. I have about 36k miles on the bike and the firmware is probably about 30k miles old. I'm guessing the logs get cleared when there is a firmware update but don't know. I have saved the logs with the computer using a terminal session file save. Should I clear the logs on the MBB? How would I do that? Thanks!!
Title: Re: MBB set command
Post by: BrianTRice@gmail.com on July 15, 2020, 07:15:25 AM
Relevant unofficial manual reference for this command:
 https://zeromanual.com/wiki/Gen2/MBB_Console#Settings

Click the "Expand" link to see the full settings. I set up the wiki to show only the no-security output by default.

Zero indeed does not want anyone to know the MBB passwords, and the dealer tools supply the password invisibly, so technicians never see it, only selecting what modifications to make.

I don't appreciate Zero's attitudes and coercion over service departments and owners. I think it actually harms them, and they only react to the downsides/risks of access by shutting off access rather than trying to design a better system and relationship.
Title: Re: MBB set command
Post by: PVNRG on July 15, 2020, 07:36:45 AM
Thanks Brian, I didn't notice the expand link before. Any idea how to change the MBB clock?
Title: Re: MBB set command
Post by: BrianTRice@gmail.com on July 15, 2020, 07:40:49 AM
I don't see a command for updating the MBB timestamp. The dash clock is available but obviously settable by the physical controls. So, I don't have an answer. Ask your dealer.
Title: Re: MBB set command
Post by: PVNRG on July 15, 2020, 08:06:06 AM
Thanks Brian. I suppose a firmware update may be in order but hopefully that doesn't make things out of order...

I do question dealers' level of competence in general when it comes to power electronics and such but they should be able to follow software program prompts for a firmware update without trouble. Sucks that I can't just do it myself while even being a skilled electrical engineer.
Title: Re: MBB set command - PASSWORDS?
Post by: RonIL on July 24, 2020, 06:53:27 PM
Has anyone posted the PASSWORDS?  One of the former technicians shared logs which had a password.  It started with "thomas".  One garage here has cables (they want $250 to loan them to me) but they said they don't have the new passwords and the dealer changed mine after updating software.  I asked them not to update.
Title: Re: MBB set command
Post by: BrianTRice@gmail.com on July 25, 2020, 07:19:25 AM
Quote from: RonIL on July 24, 2020, 06:53:27 PM
Has anyone posted the PASSWORDS?  One of the former technicians shared logs which had a password.  It started with "thomas".  One garage here has cables (they want $250 to loan them to me) but they said they don't have the new passwords and the dealer changed mine after updating software.  I asked them not to update.

Nope (aside from the level 1 password which is embedded in the mobile app because that's what it uses to sign in). Zero does NOT like people even sharing the passwords privately. The Level 3 password changed as of MBB firmware from 2017, and Zero dealers and their service technicians don't even see the passwords any more, since they're embedded in the GUI tools used to service the bikes.

There's more going on in this area that I don't like, but I need a strategy and reason to publish any details.
Title: Re: MBB set command
Post by: PVNRG on July 27, 2020, 08:55:53 AM
Probably a good idea to install a miniature hidden packet sniffer / logger on the data lines before getting the next firmware update. Does anyone have any low cost favorites to recommend?
Title: Re: MBB set command
Post by: PVNRG on July 27, 2020, 09:07:23 AM
This one looks like it might be good:

https://www.amazon.com/SparkFun-LYSB00ADSNLMI-ELECTRNCS-OpenLog/dp/B00ADSNLMI
Title: Re: MBB set command
Post by: BrianTRice@gmail.com on July 27, 2020, 12:11:28 PM
There is also the CSS Electronics range of loggers. I'm using a CL2000 on my bike. But I haven't had a dealer touch it. It does require some wire splicing to make work, though, and although I have a decoder working, some of the details of the decoding need a little cleanroom work for me to release responsibly.

https://www.csselectronics.com/screen/page/can-logger-products
Title: Re: MBB set command
Post by: PVNRG on July 30, 2020, 09:58:15 AM
I got the https://www.sparkfun.com/products/13712 and it looks great!! Going to hook up a couple coin cells and should be good to go. Total package should be about the diameter of a quarter and less than half an inch thick. Should be easy to stuff in a hidden location. I'm assuming I can connect to the UART lines to pick up the programming computer handshake / login with the bike the same way as hooking up the laptop for console command prompt access. Make sense?
Title: Re: MBB set command
Post by: PVNRG on August 02, 2020, 11:36:01 PM
When the dealer logs in to update the firmware, is the login done through UART or is it done through CAN?
Title: Re: MBB set command
Post by: AutoE on August 03, 2020, 09:20:53 AM
The FW update may be "hacked" for multiple password reveals.