lorenfb
Posts: 1776
Joined: Tue Dec 17, 2013 10:53 pm
Delivery Date: 22 Nov 2013
Leaf Number: 416635
Location: SoCal

Re: LEAF CANbus decoding. (Open discussion)

Mon Dec 11, 2017 9:54 am

JeremyW wrote:As far as I know, Bosch doesn't make anything in the leaf. The main ECU is made by Hitachi. TCU is by Continental. My guess is the inverter is designed by Nissan in house.

celeron55, some great work there. Can you post the EEPROM contents? What are you using the motor for?

Maybe a new thread is necessary for your project. :)


Never implied that the ECU was made by Bosch! Only that use of a serial EEPROM is 20+ year old technology now that most
processors have flash.
Leaf SL MY 9/13: 66K miles, 50 Ahrs, 5.2 miles/kWh (average), Hx=70, L2 charges to 100% > 1000, max battery temp < 95F, min discharge point > 20 Ahrs

celeron55
Posts: 19
Joined: Fri Dec 08, 2017 2:52 pm
Location: Finland

Re: LEAF CANbus decoding. (Open discussion)

Mon Dec 11, 2017 3:27 pm

JeremyW wrote:celeron55, some great work there. Can you post the EEPROM contents? What are you using the motor for?


Here are the links again (same data, different formats): https://pastebin.com/Vb3WGWks https://pastebin.com/dUAREEvr (don't have a real serial EEPROM reader so just dumped it with an arduino)

The motor is going to be used in a DIY EV project. But, there's a full protocol reverse engineering effort to be done between now and that, otherwise it's useless! All the work done for monitoring tools is grossly inaccurate for actually trying to control this thing, but it's a start. The messages I need to focus on are the ones that people have overlooked as "not interesting, seems to only do something at startup"!

A look at the DTC list for the inverter (as published by Nissan) tells me it's picky enough to make this a real challenge.

These are the DTCs that specify "Stops drive control of traction motor" as vehicle behavior:
P0A2F, P0A3F, P0A44, P0A78, P0A8D, P0BE5, P0BE6, P0BE9, P0BEA, P0C79,
P318E, P3197, P3199, P31A2, P31A4, P31AD,
P3240, P3241, P3242, P3243, P3247, P3249, P324A, P324D

Turbo3: Does Leaf Spy Pro support all of the inverter DTCs listed in the manual's TMS section?

Turbo3
Gold Member
Posts: 1961
Joined: Mon Jul 19, 2010 8:34 pm
Delivery Date: 12 May 2011
Leaf Number: 002191
Location: San Jose, CA

Re: LEAF CANbus decoding. (Open discussion)

Mon Dec 11, 2017 4:36 pm

celeron55 wrote:
JeremyW wrote:celeron55, some great work there. Can you post the EEPROM contents? What are you using the motor for?


Here are the links again (same data, different formats): https://pastebin.com/Vb3WGWks https://pastebin.com/dUAREEvr (don't have a real serial EEPROM reader so just dumped it with an arduino)

The motor is going to be used in a DIY EV project. But, there's a full protocol reverse engineering effort to be done between now and that, otherwise it's useless! All the work done for monitoring tools is grossly inaccurate for actually trying to control this thing, but it's a start. The messages I need to focus on are the ones that people have overlooked as "not interesting, seems to only do something at startup"!

A look at the DTC list for the inverter (as published by Nissan) tells me it's picky enough to make this a real challenge.

These are the DTCs that specify "Stops drive control of traction motor" as vehicle behavior:
P0A2F, P0A3F, P0A44, P0A78, P0A8D, P0BE5, P0BE6, P0BE9, P0BEA, P0C79,
P318E, P3197, P3199, P31A2, P31A4, P31AD,
P3240, P3241, P3242, P3243, P3247, P3249, P324A, P324D

Turbo3: Does Leaf Spy Pro support all of the inverter DTCs listed in the manual's TMS section?

The list of DTC's is created by the motor/inverter ECU. LeafSpy Pro requests that list. The list will contain all the DTC's that have occurred with a flag indicating if it is still active. So replace "support" with "read and clear" and the answer is yes.

carrott
Posts: 18
Joined: Tue Jan 03, 2017 2:53 pm
Delivery Date: 03 Feb 2015

Re: LEAF CANbus decoding. (Open discussion)

Tue Dec 12, 2017 3:32 am

Does anyone know of a gen2 EV CAN capture for a "switch on, switch to D, drive, stop, switch off" sequence?


I made a capture from my car. I have a 2016 Leaf which is a little different from the 2013-2015 Leafs but hopefully this part hasn't changed.

https://carrott.org/pcaps/2016-24kWh-ev ... k-off.pcap

What format would you like? I normally use pcaps to store my recordings and wireshark or custom scripts to analyse them. I've tried Kayak but it's pretty buggy. I haven't tried Colin Kidder's http://www.savvycan.com/ yet but I hear good things.

You can pipe the pcap into https://carrott.org/git/leaf-can-dissec ... -binary.py to convert to linux-can's canplayer binary format if that helps.

If I was attempting this project I'd really want a fully working set up with all the original Nissan modules. I'd insert a man in the middle in the can bus between the car and the inverter so I could identify which messages are important and then modify them to discover what they do. I did this between the car and the LBC -- see https://carrott.org/blog/archives/159-N ... iddle.html and also https://carrott.org/git/leaf-can-utils.git for the man in the middle and .kcd bus definition and https://carrott.org/git/leaf-can-dissector.git for a Wireshark dissector. Both of these are mostly focused on the battery rather than the motor.

A friend of mine had more luck reversing the LBC by disassembling it's firmware. Doing this may be necessary in addition to or instead of a MitM to understand how the can bus messages are interpreted.

BTW, at less than 5kB, the serial EEPROM you read must only hold configuration data, not the programme that runs the inverter's cpus.

celeron55
Posts: 19
Joined: Fri Dec 08, 2017 2:52 pm
Location: Finland

Re: LEAF CANbus decoding. (Open discussion)

Wed Dec 13, 2017 9:03 am

carrott wrote:I made a capture from my car. I have a 2016 Leaf which is a little different from the 2013-2015 Leafs but hopefully this part hasn't changed.

If I was attempting this project I'd really want a fully working set up with all the original Nissan modules. I'd insert a man in the middle in the can bus between the car and the inverter so I could identify which messages are important and then modify them to discover what they do. I did this between the car and the LBC -- see https://carrott.org/blog/archives/159-N ... iddle.html and also https://carrott.org/git/leaf-can-utils.git for the man in the middle and .kcd bus definition and https://carrott.org/git/leaf-can-dissector.git for a Wireshark dissector. Both of these are mostly focused on the battery rather than the motor.

A friend of mine had more luck reversing the LBC by disassembling it's firmware. Doing this may be necessary in addition to or instead of a MitM to understand how the can bus messages are interpreted.

BTW, at less than 5kB, the serial EEPROM you read must only hold configuration data, not the programme that runs the inverter's cpus.


This inverter is, in fact, from a 2016 Leaf. I'm not aware of what changes they've done between 2015 and 2016, but's very nice to have this capture of yours!

Any format works just fine, converting between formats is the least of my problems. My tooling is so DIY it really doesn't matter.

I think reversing this is possible without a full system, the EV CAN bus traffic is simple enough. My current plan is to get feedback from the inverter via DTCs and play a modified capture (synced to a precharge circuit and a power-on signal) to it until I know which changes cause which DTCs. One of the first things the inverter expects to go smoothly is the precharge. It's where I'm starting from once I have my tools set up.

The inverter actually has incredibly few inputs: The only things it connects to is the high voltage bus, 12V power, a 12V power-on signal, the CAN bus and the motor sensors. Nothing else. Literally nothing else!

Yes, the serial EEPROM obviously only contains configuration data. Most likely all of it.

User avatar
JeremyW
Posts: 1540
Joined: Sun Nov 13, 2011 12:53 am
Delivery Date: 23 Jun 2012
Leaf Number: 19136
Location: San Gabriel, CA

Re: LEAF CANbus decoding. (Open discussion)

Wed Dec 13, 2017 10:33 am

That’s really encouraging. Assuming the CAN side can be completely mapped out, the leaf motor/inverter combo could be used in a lot of conversions.
Former 2012 SL leasee 6/23/12 - 9/23/15
Now driving Honda Fit EV, License plate: CHADEMO
2000 Honda Insight for long trips

carrott
Posts: 18
Joined: Tue Jan 03, 2017 2:53 pm
Delivery Date: 03 Feb 2015

Re: LEAF CANbus decoding. (Open discussion)

Wed Dec 13, 2017 12:02 pm

This inverter is, in fact, from a 2016 Leaf. I'm not aware of what changes they've done between 2015 and 2016, but's very nice to have this capture of yours!


Let me know if you need anything else.

Any format works just fine, converting between formats is the least of my problems. My tooling is so DIY it really doesn't matter.


The convert to canplayer binary python script I linked to you should give you a starting point to convert to what you need.

I think reversing this is possible without a full system, the EV CAN bus traffic is simple enough. My current plan is to get feedback from the inverter via DTCs and play a modified capture (synced to a precharge circuit and a power-on signal) to it until I know which changes cause which DTCs. One of the first things the inverter expects to go smoothly is the precharge. It's where I'm starting from once I have my tools set up.


Reversing this way is certainly possible.

Looking at the LAN and TMS sections of the manual it does look like the inverter manages the precharge system -- perhaps because it has a voltage sensor. It could signal it's ok to precharge and then compares it's voltage with the LBC voltage from the CAN bus and signal it's ok to close the main contactors when the two differ by less than some amount.

You probably want to re-write the LBC frames in the recording I sent you to signal the voltage you actually have. You probably only need to hold the "right" voltage on the inverter rather than actually pre-charge from a low voltage as it probably isn't looking for a rising voltage during pre-charge but rather a small voltage difference across the "contactors". The LBC's 0x1db frame containing the voltages has a checksum which you'll need to re-calculate if you change it, see https://carrott.org/git/leaf-can-utils. ... itm.py#l21 for how to do that.

I found the car worked fine with a "one way" man in the middle between the battery and the car (ie the battery could send to the car but the car could not send to the battery). A DTC was logged by the the car complaining that the battery was not sending the correct response to a challenge, this did not illuminate the check engine light. The car would go into turtle mode immediately when I disturbed the LBC communications too much, but return to normal mode as soon as I restored the communications, no restart required. I'd expect tighter coupling between the inverter and the components that read the throttle pedal and cruise control -- it's a highly safety critical system where a probably can launch the car into whatever is in front of or behind it. If I was designing it I'd want a counter or challenge to be passed back and forth between the inverter and the throttle commanding component.

Maybe start a new thread for this project?

celeron55
Posts: 19
Joined: Fri Dec 08, 2017 2:52 pm
Location: Finland

Re: LEAF CANbus decoding. (Open discussion)

Fri Dec 15, 2017 6:06 pm

carrott wrote:Maybe start a new thread for this project?


New thread started: viewtopic.php?f=44&t=25027

celeron55
Posts: 19
Joined: Fri Dec 08, 2017 2:52 pm
Location: Finland

Re: LEAF CANbus decoding. (Open discussion)

Sat Feb 03, 2018 3:46 pm

carrott wrote:Let me know if you need anything else.

Now I'd like to start looking at the charger!

I intend to charge a rather large battery pack using the 2016 Leaf charger with a non-Leaf BMS.

This means, I need an EV-CAN capture of some sort of a succesful charging session, or at least the beginning of one.

EDIT: To be exact, one from an AC power source - not quick charging at this time. But that will definitely come later.

Any help?

carrott
Posts: 18
Joined: Tue Jan 03, 2017 2:53 pm
Delivery Date: 03 Feb 2015

Re: LEAF CANbus decoding. (Open discussion)

Wed Feb 07, 2018 2:51 am

This means, I need an EV-CAN capture of some sort of a succesful charging session, or at least the beginning of one.


My car has the 3.3kW charger and I have the charge timer turned on. https://carrott.org/pcaps/2016-24kWh-ev-plug-in-charge-timer-causes-sleep.pcap records what happens when you plug in. I believe the EV system and charger activate briefly and then it all goes to sleep.

https://carrott.org/pcaps/2016-24kWh-ev-plugged-in-charge-timer-override-pressed-charge-unplug.pcap records what happens when you press the charger timer override button on the dashboard. After a short charging session I pressed the release button on the charging plug, paused briefly and then unplugged.

Supply voltage is nominally 240V and the EVSE reports 10A available.

Return to “LEAF CANBus”