TheEvKid
Posts: 6
Joined: Mon Mar 19, 2012 1:33 pm
Delivery Date: 15 May 2011
Leaf Number: 4789

Re: Anybody mess with the CAN Commanded Torque Message ID 0x

Wed Mar 21, 2012 9:16 am

how would you read the memory without destorying the VCM?

User avatar
garygid
Gold Member
Posts: 12439
Joined: Wed Apr 21, 2010 8:10 am
Delivery Date: 29 Mar 2011
Leaf Number: 000855
Location: Laguna Hills, Orange Co, CA

Re: Anybody mess with the CAN Commanded Torque Message ID 0x

Wed Mar 21, 2012 9:28 am

Good question, Grasshopper. :)

How did the uP get written and verified the very first time?
See SOC/GID-Meter and CAN-Do Info
2011 LEAF, sold in 2015
2010 Prius, 2014 silver Tesla S
Nissan EVSE, mod to 240/120v 16A
PU: SDG&E
Solar PV: 33 x 225W -> 7 kW max AC
To Sell: X-treme 5000Li EV motorcycle

User avatar
TickTock
Posts: 1701
Joined: Sat Jun 04, 2011 10:30 pm
Delivery Date: 31 May 2011
Leaf Number: 3626
Location: Queen Creek, Arizona
Contact: Website

Re: Anybody mess with the CAN Commanded Torque Message ID 0x

Thu Mar 22, 2012 12:36 pm

TheEvKid wrote:I have logged the CAN traffic while applying a load to the vehicle, and wide open throttle. I watched the torque command increase to the maximum as long as there was a heavy load. When the load decreased, the torques command decreased as well. I have reverse engineered most of this command (0x1D4). But I cannot solve the byte 8 (last byte). I know there is a rolling counter, and with nothing else changing, as the counter steps, the checksum(CRC)...the last byte changes too.

Here is some examples(torque not determined), the only changes are the counter(0,1,2,3) which is located in the two MSBs of lower nibble :

F7 07 00 00 07 44 00 D0
F7 07 00 00 47 44 00 17
F7 07 00 00 87 44 00 DB
F7 07 00 00 C7 44 00 1C

F7 07 00 00 07 44 30 70
F7 07 00 00 47 44 30 B7
F7 07 00 00 87 44 30 7B
F7 07 00 00 C7 44 30 BC

Any suggestions regarding the calculations of the last byte?

Does anyone have a binary image of either the VCM, or the motor controller with a communication log involving the controller image?


Before spending a lot of time trying to crack the algorithm, did you try to see if you are even able to insert a message and get a response? You can just record a message at some torque setting, then send the exact same message later to see if you launch the car into you garage wall. I suspect even if successful, it will only be for a ms or two before the VCM sends it's next update.

Smidge204
Posts: 940
Joined: Wed Nov 24, 2010 1:42 pm

Re: Anybody mess with the CAN Commanded Torque Message ID 0x

Thu Mar 22, 2012 1:18 pm

I know next to nothing about CAN messages, but those don't look like full messages to me... and doesn't a full message already have a checksum field? Why would they waste data bandwidth adding an 8-bit checksum to a message that already has a 16-bit checksum?

Plus, looking at those numbers, I see some fun patterns (Just the last 4 bytes shown);

00000111 01000100 00000000 11010000
01000111 01000100 00000000 00010111
10000111 01000100 00000000 11011011
11000111 01000100 00000000 00011100

00000111 01000100 00110000 01110000
01000111 01000100 00110000 10110111
10000111 01000100 00110000 01111011
11000111 01000100 00110000 10111100

Doni't ask me what it means, though! :lol:
=Smidge=

User avatar
garygid
Gold Member
Posts: 12439
Joined: Wed Apr 21, 2010 8:10 am
Delivery Date: 29 Mar 2011
Leaf Number: 000855
Location: Laguna Hills, Orange Co, CA

Re: Anybody mess with the CAN Commanded Torque Message ID 0x

Thu Mar 22, 2012 11:19 pm

It is not a checksum of the message, but is probably a rolling "security" value that is intended to make it difficult to tamper with these critical messages.
IMO
See SOC/GID-Meter and CAN-Do Info
2011 LEAF, sold in 2015
2010 Prius, 2014 silver Tesla S
Nissan EVSE, mod to 240/120v 16A
PU: SDG&E
Solar PV: 33 x 225W -> 7 kW max AC
To Sell: X-treme 5000Li EV motorcycle

weber
Posts: 6
Joined: Mon Aug 04, 2014 7:33 pm
Delivery Date: 04 Sep 2013

Re: Anybody mess with the CAN Commanded Torque Message ID 0x

Tue Sep 30, 2014 1:26 am

In case anyone still cares about the 8-bit CRC in the Leaf's ID 0x1D4 CAN packets, my colleague Coulomb and I have reverse-engineered it. We used the excellent method described in New Zealander Greg Ewing's awesome paper, "Reverse-Engineering a CRC Algorithm".
http://www.cosc.canterbury.ac.nz/greg.ewing/essays/CRC-Reverse-Engineering.html

The polynomial is 0x85 using left shifts. It takes the bytes in little-endian order [Edit: in the order transmitted] and the initial value and final XOR are both zero. The only place that I can find that this polynomial has been used before is in a Nintendo game controller.

We'd be very interested to know if anyone has any evidence that this actually contains a torque command from VCM to TMI. It looks to us like telemetry going the other way. We'd also be interested if anyone has any theories about what ID packet does contain the torque command.
Last edited by weber on Sat Oct 25, 2014 3:11 pm, edited 1 time in total.

User avatar
JeremyW
Posts: 1540
Joined: Sun Nov 13, 2011 12:53 am
Delivery Date: 23 Jun 2012
Leaf Number: 19136
Location: San Gabriel, CA

Re: Anybody mess with the CAN Commanded Torque Message ID 0x

Tue Sep 30, 2014 9:52 am

weber wrote:In case anyone still cares about the 8-bit CRC in the Leaf's ID 0x1D4 CAN packets, my colleague Coulomb and I have reverse-engineered it. We used the excellent method described in New Zealander Greg Ewing's awesome paper, "Reverse-Engineering a CRC Algorithm".
http://www.cosc.canterbury.ac.nz/greg.ewing/essays/CRC-Reverse-Engineering.html

The polynomial is 0x85 using left shifts. It takes the bytes in little-endian order and the initial value and final XOR are both zero. The only place that I can find that this polynomial has been used before is in a Nintendo game controller.

We'd be very interested to know if anyone has any evidence that this actually contains a torque command from VCM to TMI. It looks to us like telemetry going the other way. We'd also be interested if anyone has any theories about what ID packet does contain the torque command.


Thank you so much for this. Seriously. I'm going to use it to "tune" my leaf. Oh yes. :)
Former 2012 SL leasee 6/23/12 - 9/23/15
Now driving Honda Fit EV, License plate: CHADEMO
2000 Honda Insight for long trips

Flashman
Posts: 68
Joined: Wed Oct 23, 2013 7:26 am
Delivery Date: 30 Sep 2013
Location: Central Florida

Re: Anybody mess with the CAN Commanded Torque Message ID 0x

Tue Sep 30, 2014 9:55 am

I don't know about the rest of you guys but....
Please let this discovery and or research lead to DIY performance changes.
:mrgreen:
Tinted 2013 Silver SV 6kwChg, Hella Horns, All-SuperBrightLED's, Switchable VSP Relay Cutout, LeafDD
Self installed BOSCH Power Max Level 2 Charging Station.

User avatar
JeremyW
Posts: 1540
Joined: Sun Nov 13, 2011 12:53 am
Delivery Date: 23 Jun 2012
Leaf Number: 19136
Location: San Gabriel, CA

Re: Anybody mess with the CAN Commanded Torque Message ID 0x

Tue Sep 30, 2014 10:09 am

Flashman wrote:I don't know about the rest of you guys but....
Please let this discovery and or research lead to DIY performance changes.
:mrgreen:

I'm on it! :twisted:
http://www.mynissanleaf.com/viewtopic.php?f=44&t=18120
Former 2012 SL leasee 6/23/12 - 9/23/15
Now driving Honda Fit EV, License plate: CHADEMO
2000 Honda Insight for long trips

camasleaf
Posts: 630
Joined: Sun Sep 26, 2010 5:20 am
Delivery Date: 17 Jun 2011
Location: Camas, WA

Re: Anybody mess with the CAN Commanded Torque Message ID 0x

Tue Sep 30, 2014 6:09 pm

If we have enough information to make an inverter go to regen mode, then one could buy a used Leaf motor and inverter drive it with an ICE engine to quick charge at up to 30kW. I have seen motor/inverter for around $1500, with small ICE engine at $500 it would possible to have emegency/portable quick charge for under $3000. A connection to the HV lines will be needed on that Leaf, plus a way to trick the Leaf into believing it is OK to regen.
2011 SLe 06/17/11 Over 79000 miles 70%SOH 15.2kWh
2018 Honda Clarity PHEV $120 gasoline in 4800 miles
5.7kW DC System

Return to “Engineering”