nickandre
Posts: 17
Joined: Wed Jan 06, 2016 11:10 am
Delivery Date: 09 Jan 2015
Leaf Number: 407073

Reverse Engineer the Leaf and making it work good (tm)

Fri May 06, 2016 8:31 am

I am a thoroughly geeky computer and electrical engineer interested in doing some reverse engineering work on my 2013 SV Leaf. To that end, it's probably worthwhile to identify the overall modules at work within the system and which can be replaced. For the intents and purposes, we can group modules by their interface to the main (CAN) bus as that is the level at which we can physically disconnect them using my crowbar and replace them with an open source component (FreeRTOS or Linux-based etc).

Assuming that we can't split the software for a single component without a fair amount of to-do, we need to identify the entire set of required (drivetrain etc.) functions that any block implements at the CAN bus level before tinkering can begin. I think the first question to contend with is which portion of the vehicle data is sent via the CAN bus. I'm going to assume (perhaps incorrectly) that, like in other vehicles, the CAN bus is relatively insecure, a lot (if not most) of the vehicle information is sent over it, and once access is granted we can snoop on the messages and figure out what does what:

  1. What information is accessible via the CAN bus? Can we, for instance, read accelerator pedal position? Can we compile these functions into a big document? :)
  2. What are the overall modules within the Leaf system that transmit each relevant type of information and how can they be grouped? Take (1) above and group them under their device, tally which are required for vehicle operation and which (if any) are superfluous.

Anyways, here is my list of hypothetical crazy ideas to make the Leaf a really cool car (tm):

  1. (probably "pretty easy" given the limited drivetrain-required functionality and lack of integration to other system components) Replace the entertainment system with a custom OS that can play FLAC files off the second SD card. Remove useless functionality (nav system). Replace the cellular modem with a 4G unit and network software that isn't implemented in such a fashion that it takes literally 3 days to download a JSON list of charging stations. Remove the polite voice that indicates the TCP connection state (what is this, 1980?). (Also I refuse to pay money to "upgrade" to a 2006-era cellular modem.)
  2. Provide limited integration between the HUD and the main screen (why are there two entirely independent sets of settings?). Make the HUD useful (see 4).
  3. Modify the drivetrain control. I'm not talking down to the SVM level - ideally we could simply alter the mapping of accelerator/brake pedal input, eco, and B mode so that it wasn't absolutely and entirely foolish. B mode enables max regen down to a full stop, D mode doesn't enable regen without brake pedal, and no god damn creep. Avoid destroying traction control and ABS in the process. Bonus points if we can alter the D mode brake pedal behavior to engage maximum regen before mechanical brakes activate.
  4. Provide real information on the HUD. Replace the GOM with kWh. Provide a single HUD display box that does efficiency, % charge remaining, kWh remaining, miles to empty for a CONFIGURABLE and not VOODOO MAGIC DERIVED miles/kWh. (Why the hell, despite there being plenty of room to display all parameters on one window, do we have to click through 17 of them to see what we want to see?)
  5. Implement Cruise Control to match an efficiency requirement.
  6. For the main system, use a cool API like Google Maps to attain estimated range given terrain for a route. Tie this into the above cruise control efficiency attainer to use altitude info.

Some of this is definitely easier than others. I would hazard to guess the modularity is less-than-ideal at a physical CAN bus level and that the embedded software would be hard to split apart, but I know others have done a fair amount of work at that level so we can at least ascertain the difficulty before I break out the crowbar, soldering iron, and JTAG programmer.

EDIT: I almost forgot: modify the vehicle sounder to make my car do the Jetsons noise.

Reddy
Posts: 1412
Joined: Fri Feb 11, 2011 3:09 pm
Delivery Date: 18 Aug 2011
Leaf Number: 006828
Location: Pasco, WA

Re: Reverse Engineer the Leaf and making it work good (tm)

Fri May 06, 2016 10:36 am

Welcome. FYI, many of the real geeks have left the forum or post only sporadically. You should go back and read historical threads from 2010-2012. There are/were a lot of smart people working on their Leafs back then. Good luck.
Reddy
2011 SL; 9 bar, 46.44 AHr; 40,067 mi; rcv'd Aug 18, 2011
Long: http://www.mynissanleaf.com/viewtopic.p ... al#p226115
Cold: http://www.mynissanleaf.com/viewtopic.p ... 60#p243033

NocturnalWalt
Posts: 21
Joined: Wed Dec 02, 2015 1:50 am
Delivery Date: 02 Dec 2015

Re: Reverse Engineer the Leaf and making it work good (tm)

Tue May 10, 2016 3:14 am

Hi nickandre. I haven't been following this forum for a very long time myself but looking back through old posts I would have to agree with Reddy that there was a lot more interesting reverse engineering work (particularly on CAN bus messages) going on in this forum back in 2010-2012 than there is now. It is a bit of a shame as there still is plenty of potential to make what I consider a good car much better. But the work done back then is still a solid base for any of us wanting to take it further.

I like some of your ideas (the Jetson's one made me laugh), but the projects you've got in mind are a bit different to the areas I've been researching and focussing on. However there is some overlap of common stuff. My main interest lies around the VCM and the LBC and the CAN bus interaction between these two devices. I haven't made any progress worthy of posting yet as I have mostly been looking at the work done here in the past as well as info in the factory service manuals. Actually, I can think of one interesting thing I've learned recently worthy of posting. Playing around with Consult 3+ which I've got access to, it appears that when the car is at full throttle and between 0-30mph the VCM doesn't ever ask the inverter for the maximum possible torque. So faster acceleration in that speed range is quite possible with just VCM remapping and that is exactly what Nissan has recently done in their top spec JDM Aerostyle models.

http://ev.nissan.co.jp/LEAF/AERO/

I figure that if you, me and others get back into Leaf reverse engineering and share any interesting results then that will tend to suck in more people with a similar interest which would be great.

nickandre
Posts: 17
Joined: Wed Jan 06, 2016 11:10 am
Delivery Date: 09 Jan 2015
Leaf Number: 407073

Re: Reverse Engineer the Leaf and making it work good (tm)

Tue May 10, 2016 10:31 pm

Interesting. I've noticed, for instance, that if you hold the accelerator pedal static that the power applied and indicated increases quite drastically with speed.

The one caveat with tweaking such parameters is that it's quite possible for the Space-Vector-Modulation Inverter to apply sufficient power to wreak havoc downstream, so sometimes those limits are placed in there for good reason. Some of it is definitely traction-control related (have you tried examining the behavior while toggling that setting?).

I've been going over the CAN protocol and I think the Telematics/Nav system is probably the best place to start. Few actual required functions for the

I wonder how protected their system is/how easy it would be to start dumping firmware off some of these modules. You have to wonder if they can't secure an API how they possibly know to code protect their microcontrollers ;)

Can you elaborate on the Consult III+ functionality? Has anyone tried to poke around with a reverse engineering suite in that software package? How about sniffing the bus to see what messages it transmits?

--Nick

NocturnalWalt
Posts: 21
Joined: Wed Dec 02, 2015 1:50 am
Delivery Date: 02 Dec 2015

Re: Reverse Engineer the Leaf and making it work good (tm)

Tue May 10, 2016 11:50 pm

Hi Nick. Quite a bit was done a few years ago with sniffing the CAN bus and monitoring Consult 3+ commands and responses. You can check out the following thread on that here:

viewtopic.php?f=44&t=11676&hilit=EV+CAN+active+sampling#p269432

I think a lot of that info went into making LeafSpy Pro what it is today. Actually, searching to find that link for you I noticed it's under Board index -> LEAF Ownership Accessories / Mods / LEAF CANBus which isn't somewhere I normally look. There is still more happening in there than I thought which is good to see.

I haven't seen much of anything regarding people getting firmware out of the micros in various modules, but that would be really cool when/if we got to that point.

grandizer52
Posts: 130
Joined: Mon Oct 26, 2015 10:30 pm
Delivery Date: 27 Oct 2015
Leaf Number: 001089
Location: Pearl City, HI

Re: Reverse Engineer the Leaf and making it work good (tm)

Wed May 11, 2016 9:05 pm

So on top of geekdom...anyone notice the antenna looks like the reflex gun from Star Blazers when they battled the Gamilons on Pluto...

Brenthasty
Posts: 51
Joined: Tue Dec 23, 2014 6:24 pm
Delivery Date: 13 Nov 2014
Leaf Number: 023724
Location: Near portland oregon

Re: Reverse Engineer the Leaf and making it work good (tm)

Sun Jun 05, 2016 1:53 pm

Please hack away, I just stripped one down to its unibody chassis! Put the parts up for sale on eBay to pay for the very educational experience of upcycling a Leaf...

It appears the motor and drive could be actuated with a standard off the shelf inverter drive in place of the existing Nissan built unit.

Thanks for helping to open source the world...

nickandre
Posts: 17
Joined: Wed Jan 06, 2016 11:10 am
Delivery Date: 09 Jan 2015
Leaf Number: 407073

Re: Reverse Engineer the Leaf and making it work good (tm)

Sun Jun 05, 2016 3:26 pm

There's no question that I could use an off the shelf three phase SVM inverter, which might be fun.

But tbh Nissan has done a lot of good work (just botched a few really annoying things).

I've recently debated reaching out to Nissan to see if I can chat with an engineer on the Leaf.

PS any chance I can get the vehicle control system or entertainment system for my hackery? I think the best bet for a first project is a new entertainment system or at a minimum new firmware with Apple car stuff in it.

--Nick

collink
Posts: 5
Joined: Sun Oct 12, 2014 11:19 am
Delivery Date: 12 Oct 2014

Re: Reverse Engineer the Leaf and making it work good (tm)

Mon Jul 25, 2016 7:54 am

NocturnalWalt wrote: I haven't seen much of anything regarding people getting firmware out of the micros in various modules, but that would be really cool when/if we got to that point.

I haven't gotten there yet (so many projects...) but I thought about using UDS to try to extract firmware. UDS has specific provisions to allow for firmware upload and download. That's how an automaker can update the firmware on the various vehicle systems without having to take things apart. I know that several UDS speaking devices exist on the Leaf because I've queried them. But, I haven't actually gotten to trying to get any of the devices to agree to a firmware offload. I think it might be possible but generally the ECU will require a security check before allowing this. So, it depends on how hard they locked down the security.

caederus
Posts: 8
Joined: Sun Mar 20, 2016 9:34 am
Delivery Date: 01 Mar 2016

Re: Reverse Engineer the Leaf and making it work good (tm)

Mon Jul 25, 2016 12:02 pm

collink wrote: ... I thought about using UDS to try to extract firmware. UDS has specific provisions to allow for firmware upload and download. That's how an automaker can update the firmware on the various vehicle systems without having to take things apart. I know that several UDS speaking devices exist on the Leaf because I've queried them.

This is something I've been meaning to try doing too, but my early attempts did not go well. Just sending what I thought would be the innocuous 0x3E "Tester Present" seemed to cause major confusion to some devices! I see some UDS SIDs that do work:
  • 0x10 Diagnostic Session Control
  • 0x14 Clear Diagnostic Information
  • 0x19 Read DTC Information
  • 0x22 Read Data By Identifier
But other messages follow the form of UDS but have unknown SIDs, e.g. 0x3B/0x7B:

(1468765774.946770) can0 RX - - 71D#023B00FFFFFFFFFF
(1468765774.964385) can0 RX - - 72D#067B0040014003FF

collink wrote: But, I haven't actually gotten to trying to get any of the devices to agree to a firmware offload. I think it might be possible but generally the ECU will require a security check before allowing this. So, it depends on how hard they locked down the security.

It would be very helpful to have a candump log of a dealer doing a firmware upgrade - does anyone already have one they'd be willing to share, or a way to obtain one?
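
Added example (not part of any post in this thread, and not code from any poster): a passive decoder for candump lines in the format quoted above, which unpacks ISO-TP single frames and pairs UDS-style requests with responses using the standard conventions that a positive response SID is the request SID plus 0x40 and that 0x7F marks a negative response. The SID table contains only the services named in the thread; the function names are illustrative.

```python
import re

# SIDs named in the thread; anything else is reported as not listed.
SID_NAMES = {
    0x10: "Diagnostic Session Control",
    0x14: "Clear Diagnostic Information",
    0x19: "Read DTC Information",
    0x22: "Read Data By Identifier",
    0x3E: "Tester Present",
}

# candump log line; the "RX - -" columns seen in the post are optional.
LINE_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?:[RT]X\s+\S+\s+\S+\s+)?"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>(?:[0-9A-Fa-f]{2}){0,8})\s*$"
)

def parse_line(line):
    """Return (timestamp, can_id, data) or None if the line is not a frame."""
    m = LINE_RE.match(line.strip())
    return (float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])) if m else None

def decode_single_frame(data):
    """Decode an ISO-TP single frame carrying a UDS-style message."""
    if not data or data[0] >> 4 != 0:
        return None  # first/consecutive/flow-control frames are not handled
    length = data[0] & 0x0F
    if not 0 < length < len(data):
        return None  # length nibble does not fit the frame
    payload = data[1:1 + length]  # bytes beyond `length` are padding (0xFF here)
    kind, req_sid = "request", payload[0]
    if req_sid == 0x7F and length >= 3:
        kind, req_sid = "negative", payload[1]  # payload[2] is the response code
    elif req_sid & 0x40:
        kind, req_sid = "positive", req_sid - 0x40
    return {"kind": kind, "sid": req_sid, "payload": payload,
            "name": SID_NAMES.get(req_sid, "not listed in thread")}

# The two frames quoted in the post above.
SAMPLE = """\
(1468765774.946770) can0 RX - - 71D#023B00FFFFFFFFFF
(1468765774.964385) can0 RX - - 72D#067B0040014003FF
"""

def decode_log(text):
    """Decode every parsable line into (can_id, decoded frame)."""
    parsed = (parse_line(l) for l in text.splitlines())
    return [(p[1], decode_single_frame(p[2])) for p in parsed if p]
```

Run over the two quoted frames, this reports 71D as a 2-byte request with SID 0x3B and 72D as a 6-byte positive response to that same SID.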
