NocturnalWalt
Posts: 21
Joined: Wed Dec 02, 2015 1:50 am
Delivery Date: 02 Dec 2015

Re: Reverse Engineer the Leaf and making it work good (tm)

Tue Jul 26, 2016 5:07 am

caederus wrote: It would be very helpful to have a candump log of a dealer doing a firmware upgrade - does anyone already have one they'd be willing to share, or a way to obtain one?


Sorry I don't have a firmware update log, but I have observed how the security check works that collink referred to on at least one of the control modules on the Leaf. To be allowed to access protected functions, first the diagnostic tool must pass a test that the ECU gives it. To start the test the ECU sends a pseudo-random number. Based on that number and a 'secret' algorithm, the diagnostics tool generates a 64-bit key which must be correct before access is granted. Apparently other vehicles in the early 2000s used a similar security system but with a 32-bit key which could be cracked by brute force. But with a 64-bit key brute force isn't an option. Also, because the ECU generates a different pseudo-random number each time, a single log of a firmware update wouldn't help with getting past the security - but it still would be very interesting to see. So it isn't exactly going to be easy, but all is not lost.

Also, I'm pretty confident that the Leaf isn't UDS compliant, although many of the commands are shared with UDS.

nickandre
Posts: 17
Joined: Wed Jan 06, 2016 11:10 am
Delivery Date: 09 Jan 2015
Leaf Number: 407073

Re: Reverse Engineer the Leaf and making it work good (tm)

Tue Jul 26, 2016 8:26 am

Yeah that smells like RSA/asymmetric cryptography which will be difficult to crack unless you're the NSA. Easiest way to do that would not be sniffing but instead disassembly of code on the programmer itself to find the key, which perhaps is easier than hardware extracting the code off the ECU.

Anyone know if the firmware upgrade uses the Consult tool?

NocturnalWalt
Posts: 21
Joined: Wed Dec 02, 2015 1:50 am
Delivery Date: 02 Dec 2015

Re: Reverse Engineer the Leaf and making it work good (tm)

Wed Aug 03, 2016 12:07 am

nickandre wrote: Anyone know if the firmware upgrade uses the Consult tool?


Yes - Consult definitely can perform firmware updates on various control modules in the Leaf. Supposedly the following modules can have firmware upgrades:

VCM, LBC, Inverter, Instrument Cluster, High voltage A/C, Electric P/S, AV System, BCM, ABS, IPDM, airbag and head light leveller.

As far as I'm aware there are currently no other tools other than Consult that have the ability to perform firmware updates on any of the control modules in the Leaf.

FalconFour
Gold Member
Posts: 319
Joined: Wed Sep 19, 2012 12:07 pm
Delivery Date: 14 Sep 2012
Leaf Number: 008681
Location: San Jose, CA

Re: Reverse Engineer the Leaf and making it work good (tm)

Tue Nov 01, 2016 12:09 am

I can at least pop in with my findings on the Jetsons noise question. :lol:

I dug through the VSP (Vehicle Sound for Pedestrians - or I've also seen Vehicle Sound Processor) module and made some discoveries. See here: viewtopic.php?t=20339

What I found was that, while the interior sounds (the little power-button sounds I call "Japanese Utopia sounds") are stored on the easily-accessible EEPROM chip, the exterior sounds appear to be entirely synthetic - generated by the sound chip's CPU and firmware. So, hacking those sounds is significantly more difficult than hacking the interior sounds - which I couldn't even get working. I think the CPU and EEPROM are chained together, by the CPU validating the checksum of data in the EEPROM before playing it. Making even a couple bytes' modification causes it to not play the sound at all. :(

Yeah, the security in the Leaf is pretty intense. Much of it stems not from Nissan trying to keep people from hacking it, but from the decades of experience they have in engineering and production - you want to be sure things are intact and functional before going to use them. They want suppliers and parts to work perfectly together, and they want their huge network of dealers and service centers to do things properly. Things need to be authorized, negotiated, and play nicely together all across the board. Making something break protocol would be a mess.

You practically have to be a Nissan ZEV engineer, one that actually worked on the LEAF team, to even scratch the surface of most of those wishlist items :( It was way easier on older cars that weren't so overly secure, but with so many little independent microcontrollers - no doubt there's at least one, maybe two, in the Guess-O-Meter alone - it's really hard to even get started on a simple thing like tweaking the exterior sound. :/

(though, granted, you could totally redesign & replace the VCM box... but... well, yeah.)
100% gas-free since September 2012
2011 LEAF SL - Sep 2012~Sep 2014 - 35,737 miles
2013 LEAF S+Charge - Jan 2014-Feb 2017 - 68,065 miles
2014 LEAF SV+Premium+QC - Feb 2017-present

Durandal
Posts: 264
Joined: Wed Sep 21, 2016 8:55 am
Delivery Date: 22 Sep 2016
Leaf Number: 025018
Location: Central Arkansas

Re: Reverse Engineer the Leaf and making it work good (tm)

Tue Nov 01, 2016 8:02 am

NocturnalWalt wrote: Sorry I don't have a firmware update log, but I have observed how the security check works that collink referred to on at least one of the control modules on the Leaf. To be allowed to access protected functions, first the diagnostic tool must pass a test that the ECU gives it. To start the test the ECU sends a pseudo-random number. Based on that number and a 'secret' algorithm, the diagnostics tool generates a 64-bit key which must be correct before access is granted. Apparently other vehicles in the early 2000s used a similar security system but with a 32-bit key which could be cracked by brute force. But with a 64-bit key brute force isn't an option. Also, because the ECU generates a different pseudo-random number each time, a single log of a firmware update wouldn't help with getting past the security - but it still would be very interesting to see. So it isn't exactly going to be easy, but all is not lost.

Also, I'm pretty confident that the Leaf isn't UDS compliant, although many of the commands are shared with UDS.


Do you think this is really an asymmetric key situation, or something more simple that you see in a lot of Cisco devices for securing common password encryption, like a one-way hash function? So, (some key) + (pseudo-random from ECU) -> Hash. This means also that the key that is combined with the pseudo-random number is likely stored on the ECU somewhere, in addition to likely being in memory on the Consult tool temporarily. It makes me wonder if there is a way to get the chips from an older ECU and do a dump of the EPROMS. The easier method is likely doing a memory dump from the laptop that has the Consult tool loaded on it at the point it performs the authentication.

Anyhow, I found a bunch of what look like bootleg tools for Consult III Plus on eBay.
http://www.ebay.com/itm/new-Nissan-Cons ... 1559333940

http://www.ebay.com/itm/Latest-V34-11-C ... 2300048309

I'm certainly interested to see what can be accomplished with the Leaf through some innovation by people a little smarter than me on the subject. :)
Pulled the trigger on going EV on 10/2016 with a 2012 Leaf, and a Tesla Model 3 reservation expected to receive in June 2018.
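A constructed model of the seed/key exchange NocturnalWalt describes and the hash construction Durandal guesses at (added illustration, not Nissan's algorithm, not code from this thread): the ECU issues a fresh random seed, the tool derives a 64-bit key from a shared secret and that seed, and the ECU accepts the key only for the seed it just issued. The `Ecu` class, `tool_compute_key` and HMAC-SHA256 truncated to 8 bytes are all assumptions chosen to show why a single captured session does not unlock a later one.

```python
import hashlib
import hmac
import secrets


def tool_compute_key(shared_secret: bytes, seed: bytes) -> bytes:
    """Hypothetical tool-side key derivation: HMAC(secret, seed) cut to 64 bits.
    Any keyed one-way function would do; this is the 'key + pseudo-random -> hash'
    shape from the thread, not a real Consult algorithm."""
    return hmac.new(shared_secret, seed, hashlib.sha256).digest()[:8]


class Ecu:
    """Minimal ECU model: one outstanding 8-byte seed, consumed by one key attempt."""

    def __init__(self, shared_secret: bytes) -> None:
        self._secret = shared_secret
        self._seed = None          # seed currently awaiting a key, if any
        self.unlocked = False

    def request_seed(self) -> bytes:
        # Fresh pseudo-random value per request: this is what makes a logged
        # key from an earlier session useless against this ECU later on.
        self._seed = secrets.token_bytes(8)
        return self._seed

    def send_key(self, key: bytes) -> bool:
        if self._seed is None:
            return False            # no seed issued, nothing to check against
        expected = tool_compute_key(self._secret, self._seed)
        self._seed = None           # seed is single-use regardless of outcome
        self.unlocked = hmac.compare_digest(expected, key)
        return self.unlocked


def handshake(ecu: Ecu, tool_secret: bytes) -> bool:
    """Full exchange: tool asks for a seed, derives the key, ECU verifies it."""
    seed = ecu.request_seed()
    return ecu.send_key(tool_compute_key(tool_secret, seed))


def replay_of_logged_session(ecu: Ecu, logged_key: bytes) -> bool:
    """Re-send a key captured from an earlier session against a new seed.
    Returns False: the ECU picked a new seed, so the old key no longer matches."""
    ecu.request_seed()
    return ecu.send_key(logged_key)
```

Swapping `shared_secret` for a different value on either side, or reusing a key across seeds, both fail verification, which is the property a challenge-response scheme is supposed to give.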

triflic
Posts: 26
Joined: Tue Jan 10, 2017 2:03 pm
Delivery Date: 10 Jan 2017
Leaf Number: 026057

Re: Reverse Engineer the Leaf and making it work good (tm)

Thu Jan 12, 2017 3:15 pm

Telematics Question for those technically inclined.

I am a Canadian 2012 SL Leaf owner, but the car is AMERICAN. Even though I can talk to the Rogers Canada 2G cellular service, it was sending the information back to AT&T via 'roaming' 2G. When AT&T cut off 2G service, my telematics / App access has stopped working (i.e. no more updating SOC, or preheating vehicle, or capturing any other data in the system.)

I am wondering if I can just move over to completely CANADIAN access. My NISSANCONNECT app is already working in Canada, as I was getting full service up until recently despite being nowhere near USA cellular towers. But the loss of the AT&T 2G has definitely broken the chain.

I'm trying to get in touch with a Nissan Telematics Engineer, but NISSAN-USA is putting up roadblocks to direct communication.

Have done a number of searches in this forum, and I've only found that there are at least 2-3 others with the same problem since Jan 1, 2017.

Thoughts?
