Reverse engineering the ECU

 

EC-What? NIU itself says about the ECU (short for “Electronic Control Unit”):

 The ECU is the brain of the scooter. It is the most important computer-designed part that sits in the front of the bike and is looking at everything that is going on inside the bike. It sends 200 different diagnostic pieces of data up into a cloud every 5-6 seconds, monitoring the GPS, speed, health of the battery and the health of the motor, and more.

So it sits in the middle of everything. The “official” (rough) diagram doesn’t do it justice.
Can you spot the ECU in here?

Yes, it’s the tiny rectangle tagged “Central controller” having just 3 connections: Power (12v), Ignition and the CAN-bus (green).
Internally, there are many more functions:

  • Getting the ignition signal, it “initializes” all other devices on the bus (Speedometer, motor controller, battery management system (BMS))
  • Handling the GPS system
  • Handling the internet connection via mobile GPRS network – that’s 2.5G for those born after 2010 😉

Being nosy as I am, I was tempted to dig deeper into this thing since day one… oh boy, that was 2017 😱
Because of warranty (seals) I decided to wait until mine would expire… then due to changes with NIU’s online services(?), the ECU was swapped for a new one (v2) and the warranty time started afresh.
After that I sort of forgot about that pending project – and honestly wasn’t too keen on destroying a vital part of my scooter just for the sake of research.

But last week I stumbled across a salvaged ECU from an N1s (~2018) which didn’t survive a crash.

Dissection time!

The warranty seal was broken… mhh, so someone already had a look into it.
4 standard Phillips screws later the ECU was opened and revealed its innards. At first you’re looking at what is the backside of the mainboard, which sits next to a big blue 3.7V/220mAh battery.

Ok, in my case (pun intended) at first it looked like someone had removed not just the SIM card needed for the GPRS connectivity; they had removed it including the SIM card holder.
Anyhow. Above where the SIM card holder should be is the GPRS antenna (the black/silver thing) and below sits the GPS antenna, so both are facing forward when the ECU is mounted in the scooter.
The rest is boring. Fat through-hole capacitors and SMD resistors here and there. Ah, see the revision number below the GPRS antenna? Mine says:

N1+_MC_V2.0
2016,07,16 WHL

So this N1 series MicroController board(!) is version 2 and was probably designed on June 16th in 2016. So I’d assume it’s the first public release.

So let’s flip it around and have a look at the frontside. Ahh, there’s a lot more happening – because that’s much more interesting, here’s a bigger photo of it:

And as luck would have it, the microcontroller isn’t fully encapsulated! So I can see & access everything.
But what exactly do we see? These are the main parts marked by colored arrows:

  • Red: This is the main controller. It’s an STM32F103T8 – that means it’s an Arm Cortex-M3 MCU with 64 Kbytes of Flash memory, 72 MHz CPU, motor control, USB and CAN-bus interface.
  • Yellow: The u-blox MAX-7Q – a GPS (and GLONASS) receiver/controller. Connected via UART.
  • Blue: The Neoway M590E – a GPRS module handling the connection to the cloud. Also connected via UART. Mind the option for external antenna.
  • Purple: MAX3485 – RS-485/RS-422 Transceiver – connects to the CAN-Bus
  • Green: 25P40 – 4 Mbit (=512KB) of Flash Memory – connects via SPI serial bus.
  • White: “Mysterious Chip” next to the Neoway… marked with just numbers. More on that later…
  • Light-Blue frame: This is the power regulator (Buck converters 12V to 3.3V) and battery management for the ECUs own backup battery.

Besides the STM32 CPU all parts are more or less EOL (End-of-Life)… AFAIK many carriers are considering switching off their GSM frequencies (of which GPRS is a part). For example Swisscom of Switzerland had it switched off at the end of 2021.

V2.0

Ok, before I started to dig deeper into matters, I had to check my personal ECU which was called the “V2.0” when replaced by my dealer.
I was in a hurry, so it was just rip-it-out, open, take pictures, close, put-it-back.

Surprisingly, the PCB is 99% identical!
It has the very same version number (plus a sticker telling the firmware version “TRA01T03”) and same parts all totally same-same…

…but wait! While I do have a SIM card and the corresponding card slot, it misses the “Mysterious Chip” on the front side!
THAT explains its function! It’s a SIM chip! So the initial ECU versions used hard-mounted SIM chips which cannot be replaced so easily. So when NIU changed the mobile carrier to Vodafone they had to replace the whole ECU… and they learned from it. So they used a SIM card from there on.
The other obvious difference is the closed shielding of the MCU… but I’m very sure everything is the same in there, too.

Talk-talk

This is how the different components of the ECU are connected and talking to each other and the outside world.
The Flash ROM is connected by an SPI bus. GPS and GPRS use good ol’ serial connections and the MAX3485 has a simple serial connection controlled by an additional read/write enable line. And from there it goes out onto your NIU’s CAN bus.
The letter/number combos on the arrows are the pins on the STM32F103.

Opening Pandora’s box

Soooooo… like the V1 and V2 dashboards, this thing has an in-system programming interface. With that and some fiddling, I was able to pull the contents of the internal Flash-ROM and feed it into the Dragon, aka the NSA’s very own Ghidra disassembler.

This is a work-in-progress project. Every now and then I take a piece of the code and try to decipher what it’s actually doing. But some strings within the code are really tempting, e.g. when there’s a TCP connection opened to fk-ecu.niu.com or commands like ‘lock’, ‘unlock’ or ‘setmilage’ 😉
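A first sanity check for a dump like this before it goes into Ghidra, as an added example (not code from this post or its repo): it verifies that the first two words look like a Cortex-M3 vector table for a 64 KB STM32F103 and lists where strings of interest sit at their load addresses. The 20 KB SRAM size, the function names and the sample image are assumptions made for the illustration; the sample is constructed, not NIU firmware.

```python
import re
import struct

FLASH_BASE = 0x08000000  # STM32F1 main flash mapping
FLASH_SIZE = 64 * 1024   # STM32F103T8: 64 Kbytes, per the parts list
SRAM_BASE = 0x20000000
SRAM_SIZE = 20 * 1024    # assumption: 20 KB SRAM, as on STM32F103x8 parts


def check_vector_table(image: bytes) -> dict:
    """Sanity-check the first two Cortex-M vector table words of a dump."""
    if len(image) < 8:
        raise ValueError("dump too short to hold a vector table")
    initial_sp, reset = struct.unpack_from("<II", image, 0)
    sp_ok = SRAM_BASE < initial_sp <= SRAM_BASE + SRAM_SIZE and initial_sp % 4 == 0
    entry = reset & ~1  # bit 0 marks Thumb state, it is not part of the address
    flash_end = FLASH_BASE + min(len(image), FLASH_SIZE)
    reset_ok = bool(reset & 1) and FLASH_BASE + 8 <= entry < flash_end
    return {"initial_sp": initial_sp, "reset_entry": entry,
            "plausible": sp_ok and reset_ok}


def ascii_strings(image: bytes, min_len: int = 4):
    """Yield (load address, text) for printable ASCII runs in the dump."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image):
        yield FLASH_BASE + m.start(), m.group().decode("ascii")


def find_keywords(image: bytes, keywords) -> dict:
    """Map each keyword to the load addresses of strings containing it."""
    hits = {kw: [] for kw in keywords}
    for addr, text in ascii_strings(image):
        for kw in keywords:
            if kw in text:
                hits[kw].append(addr)
    return hits


def build_sample() -> bytes:
    """Constructed 1 KB image (not NIU firmware): vectors plus four strings."""
    img = bytearray(b"\xff" * 0x400)
    struct.pack_into("<II", img, 0, 0x20005000, 0x08000101)
    blob = b"fk-ecu.niu.com\x00lock\x00unlock\x00setmilage\x00"
    img[0x200:0x200 + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    print(check_vector_table(sample))
    print(find_keywords(sample, ["fk-ecu.niu.com", "setmilage"]))
```

A dump that fails the check (all 0xFF or all zeros, for instance) usually means the read did not return real flash contents, so it is worth catching before spending time in the disassembler.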

As usual, you’ll find the assembly code in my GitHub repo… if you know how to ride the Dragon and would like to join forces, give me a shout.

☝ Ah, and before you ask: It’s just about the N1S ECU, maybe the NQI up to ~2023, but surely not the “All-New V36 ECU with Keyless start, keyless seat lock, and more!”
All other NIU models (N1, NQI GT, MQI etc.) have different ECUs which I do not own.

 

2 thoughts on “Reverse engineering the ECU”

  1. I’ve got a NIU MCU in my drawer I’ve been looking for an excuse to mess with. Great stuff mate, will be following along for any updates you make.
    Will also be looking through the firmware you posted on GitHub, my ultimate goal is to have my moped speaking to my own backend server, instead of NIU.

    1. Welcome aboard! Good idea – that would save some $/€ and increase privacy dramatically!
      Another idea would be reducing power consumption by turning off the GPRS while being geofenced (i.e. at home) – and switching on GPRS as soon as you leave that defined area.
      I’ve sent you a PM…
