vvitecd
Member
Hello guys, can I please get the original binary to speak with you in the same language? ))
> Hey! I'm looking for 20 testers for an android app I'm coding...

I'm interested. Please let me know next steps.
> Hey! I'm looking for 20 testers for an Android app I'm coding - right now it'll just read and allow you to reset SOH and charge stats (AC and DC charge cycles etc) but I'm working on adding cell voltages in a graph, balancing, serial recoding etc. If you're interested, PM me and I'll add you to the tester list and you can download it from the Play Store.

I can help with testing. I have quite a few Leafs, from 2011 to 2017. I have one with a 62 kWh battery and a Dala 2-port CAN bridge. The cars have a range of SoH. Please add me to the list of testers and send me the link to your app in the Play Store.
10 85                 // Set diagnostic session 85
21 F0                 // Read BMS data, type F0
21 F1                 // Read various BMS data
21 FF                 // Read number of reflashes and other non-volatile data
27 81                 // Request seed, reply with key
31 81 82 F0 5A        // Erase flash sectors -- 82 possibly means the area to erase/write (flash), 83 is the non-volatile flash area below 0x10000, could be others (EEPROM?)
31 81 01              // Is flash finished erasing? Keep polling until it returns OK
34 82                 // 34 82 aaaaaa ll [128-byte data] [16-byte CRC] - this is the actual write-to-flash command - aaaaaa is a 24-bit address, ll is the length of the data (0x80)
31 82 00              // Check for write errors?
31 82 01              // Check for write errors?
38 34 83 00 00 00 30  // Write flash - update results to bootloader area? 34 83 aaaaaa ll [0x30-byte data] - the 40th byte in the data payload is the number of reflashes, incremented every time. This is also the packet that 21 FF pulls from the ECU. Interesting huh!?!?
10 81                 // Revert to normal session
The things supposedly stored in that 0x21 FF packet are:
"ROMDeletionInputParameters"
"SecuritySeed"
"SecurityKey"
"SupplierNumber"
"ManufactureNumber"
"CRCReprog"
"ReprogCount"
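The sequence above, modelled end to end in Python against a stand-in ECU so the packet framing (24-bit address, length byte, 16-byte check, the 0x30-byte non-volatile block with the reflash count in the 40th byte) can be exercised offline. This is an added example, not code from the thread, from the Android app or from any Nissan tool. Only the command bytes and layouts come from the post (plus the 27 82 key response and the 4-byte seed length stated later in the thread); everything else is an assumption and is labelled as such in the code: the positive/negative response format (SID + 0x40 and 7F sid nrc, the KWP2000 convention), the address byte order, the ECU's state machine in `FakeLbc`, and the two stand-ins `key_placeholder` and `check_placeholder`, which only have the right lengths and are not the real 27 81 algorithm or the real packet CRC. Payloads are diagnostic payloads, not raw CAN frames, so ISO-TP segmentation is not modelled.

```python
"""Added model of the LBC reflash sequence posted above; not thread or Nissan code.
Assumed, not from the thread: response format SID+0x40 / 7F sid nrc (KWP2000 style),
big-endian 24-bit address, the ECU state machine, and both STAND-IN functions below."""
import hashlib
from typing import Dict, Tuple

BLOCK_LEN = 0x80        # "ll is the length of the data (0x80)"
NV_LEN = 0x30           # 38 34 83 00 00 00 30 [0x30-byte data]
NV_COUNT_IDX = 39       # "the 40th byte in the data payload is number of reflashes"

def key_placeholder(seed: bytes) -> bytes:
    """STAND-IN for the unknown 27 81/82 key algorithm; only the 4-byte seed length is from the thread."""
    return bytes(b ^ 0xFF for b in seed)

def check_placeholder(data: bytes) -> bytes:
    """STAND-IN for the undisclosed 16-byte packet CRC; BLAKE2b-128 only matches the length."""
    return hashlib.blake2b(data, digest_size=16).digest()

def build_write_block(addr: int, data: bytes) -> bytes:
    """34 82 aaaaaa ll [data] [16-byte check]."""
    if not 0 <= addr < 1 << 24 or not 1 <= len(data) <= BLOCK_LEN:
        raise ValueError("address must be 24-bit and block 1..0x80 bytes")
    return b"\x34\x82" + addr.to_bytes(3, "big") + bytes([len(data)]) + data + check_placeholder(data)

def parse_write_block(pkt: bytes) -> Tuple[int, bytes]:
    """Inverse of build_write_block; a bad length or check is rejected before anything reaches flash."""
    if pkt[:2] != b"\x34\x82" or len(pkt) < 6:
        raise ValueError("not a 34 82 packet")
    addr, ll = int.from_bytes(pkt[2:5], "big"), pkt[5]
    data, tail = pkt[6:6 + ll], pkt[6 + ll:]
    if len(data) != ll or tail != check_placeholder(data):
        raise ValueError("length or check mismatch")
    return addr, data

class FakeLbc:
    """Offline ECU stand-in that answers the posted sequence; its behaviour is invented for the demo."""
    def __init__(self, seed: bytes = bytes.fromhex("11223344")):  # constructed seed
        self.seed, self.session, self.unlocked, self.polls = seed, 0x81, False, 0
        self.flash: Dict[int, bytes] = {}
        self.nv = bytearray(NV_LEN)             # the area 21 FF reads back, count at index 39

    def request(self, req: bytes) -> bytes:
        sid, ok = req[0], req[0] + 0x40
        neg = lambda nrc: bytes([0x7F, sid, nrc])
        if sid == 0x10:
            self.session = req[1]
            return bytes([ok, req[1]])
        if sid == 0x21 and req[1] == 0xFF:
            return bytes([ok, 0xFF]) + bytes(self.nv)
        if sid == 0x27 and req[1] == 0x81:
            return bytes([ok, 0x81]) + self.seed
        if sid == 0x27 and req[1] == 0x82:
            self.unlocked = req[2:] == key_placeholder(self.seed)
            return bytes([ok, 0x82]) if self.unlocked else neg(0x35)   # invalidKey (assumed NRC)
        if self.session != 0x85 or not self.unlocked:
            return neg(0x33)                                           # securityAccessDenied (assumed NRC)
        if req[:3] == b"\x31\x81\x82":                                 # erase: old image is gone
            self.flash, self.polls = {}, 0
            return bytes([ok, 0x81])
        if req[:3] == b"\x31\x81\x01":                                 # erase poll: busy twice, then OK
            self.polls += 1
            return bytes([ok, 0x81]) if self.polls >= 3 else neg(0x21)
        if sid == 0x34:
            addr, data = parse_write_block(req)
            self.flash[addr] = data
            return bytes([ok, 0x82])
        if sid == 0x31 and req[1] == 0x82:                             # write-error checks
            return bytes([ok, 0x82])
        if sid == 0x38 and req[1:7] == bytes.fromhex("348300000030"):
            self.nv[:] = req[7:7 + NV_LEN]
            return bytes([ok, 0x34])
        return neg(0x11)                                               # serviceNotSupported

def flash_image(ecu: FakeLbc, image: bytes, base: int) -> Tuple[int, int]:
    """Run the posted sequence; returns (blocks written, new reflash count). Any other NRC aborts."""
    def tx(req: bytes) -> bytes:
        rsp = ecu.request(req)
        busy_poll = req[:3] == b"\x31\x81\x01" and rsp[:3] == b"\x7F\x31\x21"
        if rsp[0] == 0x7F and not busy_poll:
            raise RuntimeError(f"NRC {rsp[2]:02X} to {req[:3].hex(' ')}")
        return rsp
    tx(b"\x10\x85")                                 # diagnostic session 85
    seed = tx(b"\x27\x81")[2:]
    assert len(seed) == 4, "thread: seed length is 4 bytes"
    tx(b"\x27\x82" + key_placeholder(seed))
    count = tx(b"\x21\xFF")[2 + NV_COUNT_IDX]       # reflash count before we touch anything
    tx(b"\x31\x81\x82\xF0\x5A")                     # erase flash sectors
    while tx(b"\x31\x81\x01")[0] == 0x7F:           # poll until the erase reports OK
        pass
    offsets = range(0, len(image), BLOCK_LEN)
    for off in offsets:
        tx(build_write_block(base + off, image[off:off + BLOCK_LEN]))
    tx(b"\x31\x82\x00")
    tx(b"\x31\x82\x01")
    nv = bytearray(NV_LEN)                          # other NV fields left zero: constructed, layout unknown
    nv[NV_COUNT_IDX] = (count + 1) & 0xFF
    tx(bytes.fromhex("38348300000030") + bytes(nv))
    tx(b"\x10\x81")                                 # back to normal session
    return len(offsets), ecu.request(b"\x21\xFF")[2 + NV_COUNT_IDX]
```

Two things worth noting. `flash_image` aborts on the first unexpected negative response rather than continuing, and `parse_write_block` refuses a block whose length byte or trailing check does not match, which is the kind of check the post implies the BMS performs on the 16-byte trailer. Running it twice against the same `FakeLbc` shows the reflash count in the 21 FF area going 0, 1, 2 exactly as the post describes for the 40th byte. To use this against real hardware, replace the two stand-ins with the recovered algorithms and route `tx` over an ISO-TP channel; nothing about the real CRC or key is encoded here.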
> @kolyandex thank you for sharing!! Did you code this? Could I PM you some questions?

Did the user disappear? In any case he was suggesting his software: https://forum.kolyandex.su/viewtopic.php?f=23&t=1112
> Hello guys, can I please get the original binary to speak with you in the same language? ))

What is it you're after?
Packet CRC solved! I can technically now sign my own modified firmware and flash it to the BMS via the Nissan app (USD $50 per day subscription). There'll be a few other checksums of the flash that are performed by the BMS, and if I miss one I'd brick my BMS, so if anyone has a Gen1 BMS they'd be willing to donate or sell, hit me up!
The plan is to modify CAN message 0x21 to dump the full BMS firmware over the CAN bus, then we can fully see what is going on in the bootloader to guarantee we won't be bricking anything from a bad guess of a packet structure.
Still looking for the 0x27 81 crypto algorithm...
> GOOD NEWS, next step for flashing the BMS is here.
> After some RE I found that Consult is loading a lib for the 0x27 security approach. This lib is located in the file system or downloaded from a server. The lib is different for each ECU. It's packed in an encrypted archive. I have already decrypted/unpacked it but there is another encryption, after analysing this DLL file in a hex editor.
> EDIT: At the moment I found the algo for decryption.

Did you find the function? I've found the same text strings as you have there, and also the functions they are used in, but the code calls an unknown DLL via an unknown IID and that's as far as I could get...
> Did you find the function? I've found the same text strings as you have there, and also the functions they are used in, but the code calls an unknown DLL via an unknown IID and that's as far as I could get...

Yes, I am working on the decryption tool now.
> Hi, one possibility to dump the bootloader is to write some loader to RAM and execute it. I don't have the binary of the BMS firmware so I can't help with this. So the question is: is there some command to execute code in RAM?

There are no CAN commands that'll allow executing code from RAM, at least not in the user code area. Possibly in the bootstrap where all these bootloader commands reside, but we won't know until we have access to it.
> Great news! If you find the 27 81 function, please share and I'll see if my BMSs accept the key.

OK, I have it decrypted. There is only one exported function, GetKey. This lib is for another ECU; I don't have access to a PC with Consult, tomorrow I will check the lib for the LBC. But it's some interface. Each ECU has a different key.
0x27 81 - seed request
0x27 82 - key response
Seed length is 4 bytes.