Brandbase Nissan Formula E Gen 2 Car.md

Shell Motorsport Bluetooth Remote Control

Shell Motorsport collection

Shell Oil Company in its gas station offers loyalty program under name Shell ClubSmart. Members collect points which can be later used to get rewards. In 2020 they have offered a collection of die-cast car models under name Shell Motorsport. All models of the colletion are equipped with electrical motor. One of the models - Nissan Formula E Gen 2 Car - contains a battery that can be used to control a model remotely over Bluetooth. In some markets a battery with a remote controller is available separately.

Shell Racing application

Shell offers an application for smart phones named Shell Racing on Google Play for Android and App Store for iPhone and iPad. It primarily offers a game to race with a cars. In Shell Racing Club section of the application ClubSmart members can add their membership card which will allow them race to get reward points. The same application can be used to remote control cars. The application is available by third party company BrandBase that provides very good explanation how Shell Motorsport Bluetooth Remote Control Collection is used as a campaign tool.

Shell Racing application requires internet connection for the first start:

and even later for any subsequent start:

Motivation to take a control

The car cannot be controlled if internet connection is not available or game server is not reachable. The application collects information about use of remote control that is tied to device and could be connected to person who owns membership card.

I believe a player should be able to control models they own in a way they desire without being monitored.

Lastly it is interesting to look into the hardware that I have in the possesion.

Remote Control Battery

Dimmensions:

• 28mm wide
• 40mm height
• 5mm width

Hong Kong regional Shell website provides following additional information:

Bluetooth® remote control distance: 8-10m

Battery charge time (full charge): approx. 30mins

Battery life: 20mins

Front side

Has Shell and Bluetooth logos.

Components:

• on/off switch
• green/orange/blue LED

Back side

Components:

• two white LED
• two pairs of connectors - each with + and - sign underneath

Text:

Brandbase
Bluetooth Remote
Control Battery
3.7 Volt 86mAh
Follow instructions
Made in China

FCB0880
MSBT LIPO

Bottom side

Components:

• micro USB connector

USB Connection

USB port is used only for charging. Data lines are not connected.

Bluetooth LE Interface

Devices use MAC Addresses with OUI 00-3C-A0.

hcitool leinfo provides following information:

Handle: 3585 (0x0e01)
LMP Version: 4.0 (0x6) LMP Subversion: 0x709
Manufacturer: RivieraWaves S.A.S (96)
Features: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00

The most useful service and characteristics:

Handles	Service > Characteristics	Properties
0010 -> 001c	fff0
0012	d44bc439-abfd-45a2-b575-925416129600	WRITE
001b	d44bc439-abfd-45a2-b575-925416129601	NOTIFY

---

For completeness other services and characteristic:

Handles	Service > Characteristics	Properties
0010 -> 001c	fff0
0015	d44bc439-abfd-45a2-b575-92541612960a	WRITE
0018	d44bc439-abfd-45a2-b575-92541612960b	WRITE
001d -> 0022	fd00
001f	fd01	WRITE
0021	fd02	WRITE, NOTIFY

And standard Bluetooth LE services and characteristics for with data of hyphotetical device with address 00:3C:A0:AA:BB:CC.

Handles	Service > Characteristics	Properties	Data
0001 -> 0009	Generic Access (1800)
0003	Device Name (2a00)	READ, WRITE	QCAR-AABBCC
0005	Appearance (2a01)	READ, WRITE	Unknown
0007	Peripheral Preferred Connection Parameters (2a04)	READ	Connection Interval: 300 -> 320
			Slave Latency: 4
			Connection Supervision Timeout Multiplier: 600
0009	2aa6	READ	00
000c -> 000f	Generic Attribute (1801)
000e	Service Changed (2a05)	READ, INDICATE	0100ÿÿ

Bluetooth LE Advertising packet format

After power on a device sends advertising packets.

Primary advertisement

There are two advertising packet types of type LE Meta (0x3e), LE Advertising Report (0x00) that differs in Event Type.

Payload format of Event type: Connectable Undirected Advertising (0x00):

Type Flags:

Byte offset	Length in bytes	Value	Description
0	1	0x02	Length
1	1	0x01	Type
2	1	0x01	Single mode device, non-connectible, undirected

Device Name (shortened):

Byte offset	Length in bytes	Value	Description
3	1	0x0c	Length
4	1	0x08	Type
5	11		Device Name - string "QCAR-" followed by 6 upper case hex suffix of MAC address

Manufacturer Specific:

Byte offset	Length in bytes	Value	Description
16	1	0x05	Length
17	1	0xff	Type
18	2	0x5452	Manufacturer ID
20	2	0x003c	Data

Scan response

Payload format of Event type: Scan Response (0x04):

Service Class UUIDs (incomplete)

Byte offset	Length in bytes	Value	Description
0	1	0x02	Length
1	1	0x06	Type
2	16	0000fff0-0000-1000-8000-00805f9b34fb	UUID

Bluetooth LE Control protocol

Control packets are written by client to characteristic handle 0012. It needs to be sent every 10 miliseconds.

Each mesage is 16 bytes long. Before sending to a device it is encrypted (see Encryption section bellow). Structure of messages in clear text:

Byte offset	Length in bytes	Value	Description
0	1		Unknown purpose
1	3	0x43544c (string "CTL")
4	1		1 to move forward, otherwise 0
5	1		1 to move backward, otherwise 1. Ignored if byte at offset 4 is non-zero.
6	1		1 to turn wheels left, otherwise 0
7	1		1 to turn wheels right, otherwise 1. Ignored if byte at offset 6 is non-zero.
8	1		0x50 for normal speed, 0x64 for fast
9	6	0	Padding

Typical message to keep device steady is: 0xe1055f54d880f49c2ce547267f930bf2

Bluetooth LE Battery notifications

If a client subcribes to characteristic handle 001b it will get notification with level of battery charge every 60 seconds.

Each mesage is 16 bytes long. After receive from a device it needs to be decrypted (see Encryption section bellow). Structure of messages in clear text:

Byte offset	Length in bytes	Value	Description
0	1		Sequential number increased with each notification since power on, starts with 1
1	3	0x564254 (string "VBT")
4	1		Percentage level of a battery
5	11	0	Padding

Encryption

Both commands messages and battery notifications are encrypted with Advanced Encryption Standard (AES) with key size 128 bits.

Encryption key: 0x34522a5b7a6e492c08090a9d8d2a23f8.

Hey @scrool

Many thanks for your great writeup!

I opened my battery unit and extended you description here with some HW info:
https://gist.github.com/martonmiklos/e960f17d7ba0f08327b0b588f9aae04b

What do you think would not be useful to move this gist to a github repo to being able to PR?
I am thinking about this to being able to keep information in one place it in the case if someone would start some HW reverse engineering (ie. FW dump alternative FW whatever.)

What do you think would not be useful to move this gist to a github repo to being able to PR?

@martonmiklos Originally I wasn't sure if this could be even public. I'm not sure what law applies here for reverse engineering that I did.

I am thinking about this to being able to keep information in one place it in the case if someone would start some HW reverse engineering (ie. FW dump alternative FW whatever.)

Having FW dump would be interesting, indeed. I wasn't able to find any useful interface how that could be achieved though.

Hi @scrool

@martonmiklos Originally I wasn't sure if this could be even public. I'm not sure what law applies here for reverse engineering that I did.

I do not see any problem in documenting the HW and the BLE details.

For the rest let's say you gathered this with clean room reverse engineering ;)

Having FW dump would be interesting, indeed. I wasn't able to find any useful interface how that could be achieved though.

There is a device called PAN link which is available from chinese sources like:
https://www.aliexpress.com/item/1005003135486401.html

It should be capable of flashing the PAN1020 and it is possible that the read out protection is not active.

Hmm by reading the PAN-link manual it looks like they are shipping the device's firmware with their tool, and using the ATMEL's own bootloader:
http://bbs.panchip.com/forum.php?mod=attachment&aid=Mzc2fDU5ZjgwMzRlfDE2Mzg4ODk3ODN8MHw2NA%3D%3D

I will look after if I have eval board with similar MCU because I might be able to "emulate" a PAN link with that.
I do not see anything relevant on the PCB board (other than a SPI flash and a voltage level translator) of that the LCD and other stuff is useless anyway 😆

How did you figure out the AES128 encryption key?

Is anyone aware of any custom made application for controlling these battery modules? . I have no idea on how to implement an android application, and i don't want to use the whole motorsport app for the reasons mentioned on top.

@Glarovich I created an app for Sailfish OS for this Brandbase and the never Bburago branded cars what you can find it here:
https://github.com/martonmiklos/sailfish-ble-rc
It is based on Qt+QML+Silica, the Silica part is only a few pages which could be easily replaced with Qt widgets allowing it to be compiled for Android and iOS.
I have to note that under SFOS it does not work properly: I got random disconnects, but I think it is an issue with the underlying libraries: https://forum.sailfishos.org/c/app-development/5

@martonmiklos
Hello,
I saw your github project with remote control form Shell RC cars for Sailfish. I have android device, but i hate the need of internet connection for controling RC cars. Are you able to build the app for Android? No matters the gui or anything, i just need the way to control my car somehow by using mobile phone without internet connection.

Thanks.

Are you able to build the app for Android? No matters the gui or anything, i just need the way to control my car somehow by using mobile phone without internet connection.

Hi @jenkings
I have no Qt for Android toolchain installed, but that could be solved I think.
Two pages need to be ported away from silica (the discovery and connecting page).
The rest of the UI is pure QML so that should not be an issue.

@martonmiklos It would be awesome to have such app and get rid of both of Shell apps, which are (as you mentioned) bloatware. I think lot of people will be grateful to you, if you would release version for Android too.

@scrool / @martonmiklos - Hello from Aus! I’ve had a good read through your data and bravo! I’ve gone a slightly different way. I’m working on a complete replacement smart battery utilising an ESP8266. Goal is to have an open source hand controller with physical buttons and no app. I’d be happy to collaborate if you are keen. Board design is almost done then I will start on firmware. We may be able to make it do both direct to controller and connect to an app.

@xyz8858 Hey thanks for your effort, I just got one of these and learned about the batteries.

Quick question would not this work better under a ESP32?

@xyz8858 Hey thanks for your effort, I just got one of these and learned about the batteries.

Quick question would not this work better under a ESP32?

Yes most likely would be more flexible under a 32. I’m using an 8266 as it’s slightly lower power than the 32 and I’ve already got the chips on hand. I will be using ESP-NOW to control (hopefully).

If all goes well with basic things such as drive control and lights etc a version 2 with a 32 won’t be too hard. Boards are being made now and I’ve designed the plastics for the case. Few things to tweak but this is a prototype.

I’ll post a link to my GitHub and put all the files up for everyone to look at.

@xyz8858 Hey thanks for your effort, I just got one of these and learned about the batteries.

Quick question would not this work better under a ESP32?

Maybe you can write it as library. If so, i would like to join you and use it in my nodemcu (esp8266) devkit and some joystick modules and make my own controler

Maybe you can write it as library. If so, i would like to join you and use it in my nodemcu (esp8266) devkit and some joystick modules and make my own controler

Add me on discord if you like.

XYZ#9809

I made a Qt dekstop app for this, where we can use any game controller to control the car. I ue my stadia controller over bluetooth.
I based my work on @martonmiklos martonmiklos's work.
https://github.com/csabigee/shell-rc

I am working on an android app now, it works so far.

I made a Qt dekstop app for this, where we can use any game controller to control the car. I ue my stadia controller over bluetooth. I based my work on @martonmiklos martonmiklos's work. https://github.com/csabigee/shell-rc

I am working on an android app now, it works so far.

Nice job buddy!

I have implemented it on ESP32 and i have hardware controller now. It is going to be able to control both Brandbase and BBurago cars.

This is my WIP
Now i have to 3D print the case

I have implemented it on ESP32 and i have hardware controller now. It is going to be able to control both Brandbase and BBurago cars.

This is my WIP Now i have to 3D print the case

Nice!

I have implemented it on ESP32 and i have hardware controller now. It is going to be able to control both Brandbase and BBurago cars.

This is my WIP Now i have to 3D print the case

Do you mind sharing the esp32 code ?

it probably shouldn't be a problem to share the source code, but I don't want to scare you that much :D

it probably shouldn't be a problem to share the source code, but I don't want to scare you that much :D

Haha i think i can handle it . I'll try it out on arduino nano + hc04 that i have lying around.

it probably shouldn't be a problem to share the source code, but I don't want to scare you that much :D

Haha i think i can handle it . I'll try it out on arduino nano + hc04 that i have lying around.

https://github.com/jenkings/BLE-RC-Car-ESP32

Awesome reverse engineering! Here is my botched ESP32 controller implementation https://github.com/krisstakos/ShellRacingRemote

Hello i make a remote page with javascript to remote this rc

https://gist.github.com/DarkNikGr/76bcf9bfbb34857bfa04ff4efdda768c

use keyboard arrows to controll rc

Thanks for the detailed explanation, here I bring you the python library I compiled using this GIST. One small catch the new models with USB C the position of the forward /backwards byte is shifted one byte down compared to the micro-usb models.
Shell Motorsport RC Python Library