Reverse Engineering Shimano Bike Electronics

ANT+ is a wireless protocol specifically designed for use with sensors, and has similar functionality in some respects to Bluetooth Low Energy. It’s found a place among various bicycle equipment manufacturers, to connect smartwatches, cycle computers and electronic gear shifters. Of course, as soon as something becomes a defacto standard someone has to start coloring outside the lines. In this case, Shimano went off book with their DI2 groupset, leaving [kwakeham] with a reverse engineering job on his hands.

[kwakeham] gives us a great example of how to approach reverse engineering. Researching the Shimano hardware by its FCC ID shows that the device communicates using an NRF24AP2 chip, common in ANT+ devices. The Shimano device is then opened, and a logic analyser attached to various test points until the SPI interface between the transceiver and microcontroller is found. At this point, it’s a simple matter of putting the hardware through its paces and capturing data until the protocol can be pulled apart, piece by piece.

The work is documented on Github for anyone wishing to interface with the Shimano DI2 groupset. Reverse engineering is a powerful skill, that can teach you about everything from Pokemon to botnets. Video after the break.

24 thoughts on “Reverse Engineering Shimano Bike Electronics

  1. Ooh, this could be used for automatic shifting and then we can replicate features from other e-shift systems. I like rohloff’s downshift on halt feature, it shifts down to a user-programmable gear when the bike comes to a stop (e.g. for traffic lights) so it’s easy to get going again. it wouldn’t work on the Di2 derailleur systems but iirc there’s an 11 speed hub gear offering.

    1. >but iirc there’s an 11 speed hub gear offering.

      Yup. There’s a Di2 Alfine 11 speed gear hub. There’s no Di2 Nexus (rim brake or roller brake) version of the hub, so you’re limited to disc brake frames.

  2. Wait…. electronic shifters? for road bicycles right? Is there really an efficiency gain from electronic shifters over regular cable shifters?

    Note: i ride cross country so all of my electronics are decoupled from the frame.

      1. …Or you just buy a new battery online (also, you do know they’re rechargeable, right?), pull out the seatpost, and swap them yourself. Or in the case of external battery units: just pull the battery out and put the new one in. Don’t talk about what you don’t understand, kid.

        It’s not a gimmick. Mechanical cables SUCK. They stretch, just with normal use. They get gummed up with road grit. They rust. The freeze from water inside them. Joy is “my bike is in a low gear and won’t shift and I still have 20 miles to get home and now I can’t pedal hard enough to keep warm AND it’s going to take forever to get home.” 10 speed systems are pretty sensitive, and 11 speed systems are ridiculously so.

        Electronic shifting systems are so good that the automatically detect failed shifts and recalibrate their adjustment. They can provide better shifting by optimizing the shift point for the rear derailleur for whatever position the front DR is in; the angle of the chain affects ideal final shift point. And the front DR can be automatically trimmed for the rear DR’s position.

        The rear DR can purposefully overshoot the ideal resting place for a particular gear, in order to complete the shift faster, and then center itself in the proper resting position.

        Integrated road shift levers are surprisingly complicated, even with excellent care they wear down and break (and in the case of Shimano, they are not serviceable – you’re expected to throw them away and buy new ones.) The electronic shifters are a set of buttons and the brake actuator – far simpler and lighter.

        Wireless systems go even further by eliminating almost all cables, which reduces the total shift system weight even more, makes installation/service faster especially on aero bikes where cables are routed inside the frame and this takes much more time than external routing.

      2. Don’t be silly. The battery lasts easily 3000km (depending on how much you shift) and is easy to charge. Electronic shifting is not a gimmick, as the system is faster and more accurate than manual. I have had Ultegra DI2 for three summers and it has worked perfectly every single gear change.

    1. The electronic sifters have a few advantages. Faster with accuracy (humans can shift faster mechanically but misshifts constantly happen at those speeds, overshift, undershift, etc). They can apply more shifting force so they work significantly better under load (pedaling up a hill). They are immune to cable stretch and cable friction. They can more readily be adjusted on the fly while riding. They operate more repeatedly in poor conditions, and generally require way less maintenance than cables. Kind of gimmicky, but I won’t be going back to mechanical on main bikes.

    1. As mentioned in the video, there is no BLE shifting profile. BLE compatibility in sports is still a joke. HRM is sorted almost. but Powermeters are still a mess. And with the rise of indoor cycling software BLE is a problem. You can only have one connection per sensor. So if you connect your bike stuff to your apple tv or computer for Zwift, you cannot connect it to a cycle computer or a phone at all. ANT and ANT+ (the plus is the sports controlled profiles) still amazingly own the sports market due to it’s higher quality documentation, free testing software, low entry level costs, and they don’t even have a document that threatens you if you don’t give the BLE consortium a lot of money (50k/year membership, 8k to list a certified device, about 40k to certify a device… ANT+ 1500/year or 0/year, 500 -1000 to certify a device). Bluetooth literally has a document that explains how they’ll go after you! Niche markets like cycling and sports sensors have a hard time playing in the ble field since it’s so far behind sadly. It’s where ANT was in cycling over 10 years ago.

    2. Because ANT+ runs on the bluetooth chip; it’s just a bit of extra firmware for the radio module. Dynastream offers it for fairly cheap, and many phones even have ANT+ capable firmware but it’s not activated. Copying over the necessary libraries and tweaking one or two things gets you ANT+ on a slew of Nexus phones for example.

      1. Thinking outside the box…even if your not messing with their gears, being able to see the competition’s info (i.e. heart rate or power) could be enough to give you an advantage in a race.

  3. ANT (and I think ANT+ as well) is even implementable on the cheap nrf24l01, did that in the past and I was able to communicate with my samsung smartphone. Never made anything out of it, let alone documenting it, but if anyone is interested I might be able to find the files.

  4. Wanting to know more about the actual electrical signalling (guess this is what shimano calls etube) i cut the cable on a SW-R600 Remote Satellite Shifter. There are two wires, red and black, inside the cable. Btw. the red wire goes to the centre of the little barrel connector. After some fiddling around i got half a result.

    Setup: lab supply set to 7.4V, GND on black wire, 7.4V in series with 40 Ohm resistor to the red wire. Oscilloscope probe on the red wire.

    With this i can see a series of three negative pulses (1V drop from supply) repeating every 37ms. The pulses are approx 1.5ms wide. There is no activity when i press a button or both buttons for that matter… All i can see is this repeating pattern. Nothing special on power up. It seems the button needs some kind of setup sequence in order to do anything.

    I don’t own any other components than the button i took apart. It was brand spanking new out of the box. If whole system is distributed with intelligence in every component, i suppose a “used” button might have a configuration that makes it behave differently. Or the central “thingie” that the buttons connect to, sends a config on power up.

    Would be really cool if anybody would probe a complete functioning system and share the results

  5. Its known that the key electronics module in a Di2system is in the battery for the internal battery and in the battery mount for the external battery as updating the software on these modules is can brick the system, or make certain configurations unusable. At the launch of 11 speed Di2 it used to be possible to use an older 10speed groupset front mech with the newer 11 speed front mech. Shimano in one of the later battery module firmware updates stopped this, and it bricks the system so nothing functions, it is currently not possible to revert back to a previous level. This reverse engineering might be useful for those making custom systems. I Believe fairwheel bikes had a sequential shift system long before Shimano on the older 4 wire pre-canbus Di2 system.

Leave a Reply to Jason Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.