Page 2 of 4

Re: MiM: Tricking the inverter for better performance

Posted: Fri Oct 03, 2014 7:20 pm
by miscrms
Forgive my complete Leaf newbness, but has anyone tried just rebroadcasting CAN messages with modified values to see what happens? It was discovered on the old Gen2 Prius that when a message was modified and rebroadcast very quickly to the CAN bus each time it was heard, the receiving controller would ignore the first (unmodified) message and act in response to the second (modified) message. This had the really nice benefit of not having to break the CAN bus and insert a device in between controllers, IE all other traffic was untouched by the spoofing controller.

This was used in some of the early Prius PHEV conversions for spoofing the SOC, to keep the Prius HV Controller in a state where it would maximize EV drive usage while the PHEV pack still had available charge.
http://www.eaa-phev.org/wiki/Prius_PHEV ... poofing.29

I have no idea if the leaf controllers would respond to a rebroadcasted message in a similar way, but if so this might be a much simpler way to spoof the requested torque value?

Rob

Re: MiM: Tricking the inverter for better performance

Posted: Fri Oct 03, 2014 8:18 pm
by Turbo3
Most important CAN messages include a sequence number and control messages are continuously sent every xx msec. So if you tried to insert an extra message it would easily be detected as a duplicate and probably both would be discarded.

Its not like a signal message is sent so you just need to send another to override it. You would need to keep sending them to try to cancel out the flow of real messages.

Best is to insert logic between as suggested and replace the normal messages with ones of your own. That way you keep the same timing between messages (just delayed) and preserve the sequence numbers.

Re: MiM: Tricking the inverter for better performance

Posted: Fri Oct 03, 2014 8:38 pm
by LeftieBiker
OK, got it. Are you sure it's a good idea to trick the system into ignoring an overheat message, or is this just for very short intervals?

Re: MiM: Tricking the inverter for better performance

Posted: Fri Oct 03, 2014 9:08 pm
by JeremyW
LeftieBiker wrote:OK, got it. Are you sure it's a good idea to trick the system into ignoring an overheat message, or is this just for very short intervals?

I'm not tricking anything to ignore an overheating condition. I'm tricking the inverter to output more torque during acceleration than what the main computer (VCM) calls for. I will back off if things get too hot. The most important thing to *not* overheat is the rotor.

The inverter and motor (stator) temperatures are available on the EV CAN bus, so I can keep an eye on things.

Re: MiM: Tricking the inverter for better performance

Posted: Fri Oct 03, 2014 9:41 pm
by turbo2ltr
Most important CAN messages include a sequence number and control messages are continuously sent every xx msec.


Yes I have tried rebroadcasting the messages. Nothing happens. There are safeguards in place so this cannot be done without completely isolating the messages. (i.e. it's not like the dash, where you can send fake messages and the display will change until the next "real" message is sent)

If I remember right (I did this in 2011) the "sequence number" in each message doesn't just increment. I think it's some sort of checksum. So in order to do a MiM type box you'd have to be able to know how to properly sign each message. I never dove in to that. It's definitely not as easy as a sequential number.

The other thing is you have to know what is doing the limiting... the inverter or the VCM. Maybe you know this already.

And the third thing, if the VCM is doing the rate limiting, and you somehow figured out the checksum and implemented a MiM box, how does one go about figuring out what to change the torque message to? You'd have to monitor the TPS, identify when limiting was taking place, and make your own torque decisions (Better hope you can write good code) You'd also render the stability control system unable to cut torque (which wouldn't be a big deal in a racing environment).

Just my $.02. I'll be following your progress.

Re: MiM: Tricking the inverter for better performance

Posted: Fri Oct 03, 2014 10:20 pm
by turbo2ltr
Hmm, just saw the other thread on the topic.. seems like you got the hard part out of the way already.

Re: MiM: Tricking the inverter for better performance

Posted: Fri Oct 03, 2014 11:47 pm
by gbarry42
Hey, great ... you go first! :lol:

You might want to unbolt that battery disconnect and tie a pull rope to it. Just in case something bad happens.

Re: MiM: Tricking the inverter for better performance

Posted: Sat Oct 04, 2014 12:02 am
by JeremyW
turbo2ltr wrote:Hmm, just saw the other thread on the topic.. seems like you got the hard part out of the way already.
Yes! Luckily the "golden post" HERE was right around the time I started diving deep into the inverter messages and found GregH (and others) had made a MiM box for the RAV4EV to isolate messages sent from the onboard charger (in preparation for adding quick charging). Good timing! :)

Glad to see you tried sending your own messages but I'm guessing that at the time you didn't try replicating the CRC and thus your messages were rejected by the inverter. I probably won't go the injecting messages route at any rate.

turbo2ltr wrote:The other thing is you have to know what is doing the limiting... the inverter or the VCM. Maybe you know this already.
Sort of. I've logged a few "stomp on the throttle" from a dead stop and there's an obvious hold back of the torque message as it ramps up for the first two-ish seconds. I've also read in the service manual that the inverter sends torque limitations to the VCM so while I know the VCM is limiting the torque command message, I'm not sure if it's acting on what the inverter is telling it, or if it's deciding on it's own what to do.

I do know that if you come to an almost complete stop (like 2mph) and then punch it, you get quite a kick in the pants. I want that from stopped, too.

Also a lot of this could be applied to regen. I'd like to have B mode, if possible. I watch the available regen message on the CAR CAN bus with the CANary, and in eco with my foot off the throttle there's usually a good amount of regen-ability available. I have to lightly tap the brake to get it, and it would be nice to not have to do that, too.

how does one go about figuring out what to change the torque message to?
Essentially, my MiM box would have to have it's own control system code. I didn't like my control systems class in college, and here we're essentially dealing with a discrete time control system. I'm definitely going to need help on that one... :?

Re: MiM: Tricking the inverter for better performance

Posted: Sat Oct 04, 2014 12:38 pm
by miscrms
How about trying to spoof the wheel speed sensor to trick the VCM/Inverter into thinking the car is already rolling at a few mph to get the system into this "kick in the pants" acceleration mode? Then you could tie it to a "launch" button :) IMHO tricking the controllers into using code routines / modes that are already present is often much more practical/feasible (if perhaps less elegant) than trying to break the bus and insert your own controller.

Rob

Re: MiM: Tricking the inverter for better performance

Posted: Sat Oct 04, 2014 7:31 pm
by JeremyW
Wheel speed is used by ABS to detect lockups and I don't want to mess with that. There would be substantially more "trick" going that route since quite a few things use wheel speed. Further, the motor RPM is sent from the inverter to the VCM and it's probably that speed that is used in the VCM control code.

This is a mod that is meant for a "serious" enthusiast and the inverter can lines are not hard to splice into. I already added a tap for my second onboard charger (it's controlled over CAN).