Reverse engineering BMS Firmware / Reflashing BMS

My Nissan Leaf Forum

Hey! I'm looking for 20 testers for an Android app I'm coding - right now it'll just read and allow you to reset SOH and charge stats (AC and DC charge cycles etc.) but I'm working on adding cell voltages in a graph, balancing, serial recoding etc. If you're interested, PM me and I'll add you to the tester list and you can download it from the Play Store.

I can help with testing. I have quite a few Leafs, from 2011 to 2017. I have one with a 62 kWh battery and a Dala 2-port CAN bridge. The cars have a range of SoH. Please add me to the list of testers and send me the link to your app in the Play Store.
 
OK! So the basic structure of a flash update:
"10 85" //Set Diagnostic Session 85

"21 F0 " //Read BMS data, type F0
"21 F1 " //Read various BMS datas
"21 FF " //Read number of reflashes and other non volatile data

0x27 81 //Request Seed, reply with Key

"31 81 82 F0 5A" //Erase Flash Sectors -- 82 possibly means the area to erase/write (flash), 83 is Nonvolatile flash area below 0x10000, could be others (eeprom?)
"31 81 01 " //Is flash finished erasing? keep polling until returns OK

"34 82 " //34 82 aaaaaa ll [128byte data] [16byte CRC] - This is the actual write to flash command - aaaaaa is a 24bit address, ll is the length of the data (0x80)

"31 82 00 " //Check for write errors?

"31 82 01 " //Check for write errors?

"38 34 83 00 00 00 30 " //Write flash - update results to bootloader area ? 34 83 aaaaaa ll [0x30byte data] the 40th byte in the data payload is number of reflashes, increments every time. This is also the packet that 21 FF will pull from the ecu. Interesting huh!?!?

"10 81 " //Revert to normal session

Code:
The stuff supposedly stored in that 0x21 FF packet are:

"ROMDeletionInputParameters"
"SecuritySeed"
"SecurityKey"
"SupplierNumber"
"ManufactureNumber"
"CRCReprog"
"ReprogCount"

What I still need to work out is the 0x27 81 Seed/Key algorithm and the CRC Reprog algorithm so I can sign my own code and flash it to the BMS.

Once we have the last two functions, we can then reflash your BMS with updated firmware (30 kWh fix etc.), change things like max charge current limiting vs cell temp, cell voltage vs SOH profiles, cell capacity for CATL mods; we can even change the CAN messages the BMS sends out to be compatible with off-grid inverters so no middle man is needed.

We just need those last two algorithms...
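A decoder for the request sequence above, added here as an example (it is not code from this thread or from any Nissan tool): it walks a list of diagnostic request frames, splits each 34 82 block into the address, length, data and CRC fields as laid out in the post, and flags sequences where an erase or transfer shows up without the 10 85 session or the 27 81/82 exchange in front of it, which is what a bus monitor would want to alert on. The hex-string frame format, the sample trace and the placeholder key bytes are my own constructions; the service and subfunction values are the ones listed in the post.

```python
# Added example, not code from the thread: walk a list of diagnostic request
# frames and recognise the BMS reflash sequence described in the post above.
# Written from a bus-monitoring standpoint: a tool watching the diagnostic bus
# can raise an alert when an erase/transfer sequence appears outside a
# sanctioned service session.
#
# Assumptions not stated on the page: frames are hex strings of the request
# payload only (no CAN ID, no transport framing); the sample trace below is
# constructed, not captured from a car.
from dataclasses import dataclass, field

SID_SESSION, SID_SECURITY, SID_ROUTINE, SID_TRANSFER = 0x10, 0x27, 0x31, 0x34
REFLASH_SESSION = 0x85          # "10 85"
ERASE_ROUTINE = (0x81, 0x82)    # "31 81 82 ..."  erase flash sectors
ERASE_POLL = (0x81, 0x01)       # "31 81 01"      erase finished?
TRANSFER_BLOCK = 0x82           # "34 82 aaaaaa ll [data] [crc]"
DATA_LEN = 0x80                 # ll is 0x80 in the post
CRC_LEN = 16                    # 16-byte CRC trailer per the post


@dataclass
class TransferBlock:
    address: int     # 24-bit flash address (aaaaaa)
    length: int      # ll
    data: bytes
    crc: bytes


def parse_transfer(frame: bytes) -> TransferBlock:
    """Split a '34 82' frame into its fields; raise ValueError if the layout is off."""
    if len(frame) < 6 or frame[0] != SID_TRANSFER or frame[1] != TRANSFER_BLOCK:
        raise ValueError("not a 34 82 transfer frame")
    address = int.from_bytes(frame[2:5], "big")
    length = frame[5]
    body = frame[6:]
    if len(body) != length + CRC_LEN:
        raise ValueError(f"payload is {len(body)} bytes, expected ll={length} + {CRC_LEN} CRC")
    return TransferBlock(address, length, body[:length], body[length:])


@dataclass
class ReflashReport:
    phases: list = field(default_factory=list)
    blocks: list = field(default_factory=list)
    anomalies: list = field(default_factory=list)

    def looks_like_reflash(self) -> bool:
        return "erase" in self.phases or bool(self.blocks)


def analyse(frames: list) -> ReflashReport:
    """Classify each request frame and note ordering or layout anomalies."""
    rep = ReflashReport()
    session = None
    unlocked = False
    for hexstr in frames:
        f = bytes.fromhex(hexstr)
        if len(f) < 2:
            continue
        sid = f[0]
        if sid == SID_SESSION:
            session = f[1]
            rep.phases.append("session:%02X" % session)
        elif sid == SID_SECURITY:
            # 27 81 requests the seed, 27 82 carries the key (see a later post).
            # Only requests are in this trace, so we record the exchange, not its outcome.
            if f[1] == 0x82:
                unlocked = True
                rep.phases.append("security:key")
            else:
                rep.phases.append("security:seed")
        elif sid == SID_ROUTINE and len(f) >= 3:
            sub = (f[1], f[2])
            if sub == ERASE_ROUTINE:
                rep.phases.append("erase")
                if session != REFLASH_SESSION:
                    rep.anomalies.append("erase outside session 85")
                if not unlocked:
                    rep.anomalies.append("erase before security access")
            elif sub == ERASE_POLL:
                rep.phases.append("erase-poll")
        elif sid == SID_TRANSFER:
            try:
                blk = parse_transfer(f)
            except ValueError as exc:
                rep.anomalies.append(str(exc))
                continue
            rep.blocks.append(blk)
            if blk.length != DATA_LEN:
                rep.anomalies.append("block length %02X != %02X" % (blk.length, DATA_LEN))
            if not unlocked:
                rep.anomalies.append("transfer before security access")
    return rep


def sample_trace() -> list:
    """Constructed request trace following the order given in the post."""
    block = "3482" + "010000" + "80" + "00" * DATA_LEN + "11" * CRC_LEN
    return ["1085", "21F0", "21F1", "21FF", "2781",
            "2782" + "00000000",            # placeholder key bytes, not a real key
            "318182F05A", "318101", block, "318200", "318201", "1081"]


if __name__ == "__main__":
    r = analyse(sample_trace())
    print(r.phases, r.anomalies, [hex(b.address) for b in r.blocks])
```

Feeding the same frames out of order (a transfer before any 27 82, or an erase outside session 85) produces entries in `anomalies`, so the report doubles as a sanity check on a capture before anyone trusts it as a description of the protocol.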
 
I had a look at that app; it doesn't support flash writing, so perhaps they don't know.

Edit: I was PM'd by another member who has used Kolyandex to reflash their BMS. The story goes Kolyandex says it is not possible to reflash a BMS over the CAN bus and they must be sent to him to do the reflash manually, at a price, and sent back.

I know this to be untrue so it's either his source of income, or he doesn't know how to reflash a BMS over the CAN bus. Either way, I don't suspect he'll be willing to help with the 0x27 81 security algorithm.
 
Packet CRC solved! I can technically now sign my own modified firmware and flash it to the BMS via the Nissan app (USD$50 per day subscription). There'll be a few other checksums of the flash that are performed by the BMS and if I miss one I'd have bricked my BMS, so if anyone has a Gen1 BMS they'd be willing to donate or sell, hit me up!

Plan is to modify CAN message 0x21 to dump the full BMS firmware over the CAN bus, then we can fully see what is going on in the bootloader to guarantee we won't be bricking anything from a bad guess of a packet structure.

Still looking for the 0x27 81 crypto algorithm...
 
Hi, one possibility to dump the bootloader is to write some loader to RAM and execute it. I don't have a binary of the BMS firmware so I can't help with this. So the question is: is there some command to execute code in RAM?
 
I cannot get it to connect to my BT dongle, I will try again this morning to see if I can make it work. I will upload photos of the dongle I am using.
 
GOOD NEWS, the next step for flashing the BMS is here.
After some RE I found that Consult is loading a lib for the security approach 0x27. This lib is located in the file system or downloaded from a server. The lib is different for each ECU. It's packed in an encrypted archive. I have already decrypted/unpacked it, but there is another encryption, after analysing this DLL file in a hex editor.

EDIT: At the moment I have found the algo for decryption.
 
Did you find the function? I've found the same text strings as you have there, and also the functions they are used in but the code calls an unknown dll via an unknown IID and that's as far as I could get...
 
There are no CAN commands that'll allow executing code from RAM, at least not in the user code area. Possibly in the bootstrap where all these bootloader commands reside, but we won't know until we have access to it.

I've just finished modifying CAN message 21 82 to accept a 2-byte address and it'll dump out 0x50 bytes of the data at that address. I've also bypassed the checksum function which performs a full flash checksum at boot, so hopefully it'll run my code without any issues. I've signed the code with their CRC and it's being accepted by the Nissan Consult software. I just need a spare BMS of this type to flash it to...
 
Great news! If you find the 27 81 function, please share and I'll see if my BMSs accept the key.
OK, I have it decrypted. There is only one exported function, GetKey. This lib is for another ECU; I don't have access to a PC with Consult, tomorrow I will check the lib for LBC. But it's some interface. Each ECU has a different key.
 
There are keys for families of ECU; if you find the algorithm for 27 81 it'll work with all BMSs. I suspect the ECU family may be passed to the function too if it can decode more than one. I'm not sure which files you're looking in, but if you see one with RNDS in the name, that'll be the BMS algorithm. Or search for the string 81.

The BMS has 4 security levels, 61, 63, 65 and 81 which are unique to the BMS. 02, 03 etc are unique to the VCM and other ECU modules in the leaf.

If you wanted to share what you've found in the function, I can compare it with the functions I've already reversed to check if we're looking at the right code. Or if you wanted to PM me and explain how you've decrypted the function, I can reproduce it here in the files I'm working with. Two sets of eyes on this might help.
 
@safetyuggs
Could you send me some seed request? I see some hardcoded values in the decrypted sec. lib for LBC. This lib is only for security level 81. I found where the GetKey function from the security lib is called. One param is the seed request.

Code:
0x27 81 - seed request
0x27 82 - key response

seed length is 4 bytes
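An added example (not from this thread) for the seed/key exchange just described: it checks that a captured 27 81 / 27 82 exchange is well formed (4-byte seed, a key only after a seed was handed out) and counts rejected keys, which is the signal a monitor would want if a tool starts guessing at the unpublished key algorithm. It assumes the usual KWP2000/UDS reply convention, which the post does not show: positive responses carry SID 0x27 + 0x40 = 0x67 and rejections arrive as 7F 27 nrc. The (direction, hex) frame format and the sample exchange are constructed.

```python
# Added example, not code from the thread: check that a captured 0x27 security
# access exchange on level 81 is well formed (27 81 seed request, 4-byte seed,
# 27 82 key) and count how many key attempts were rejected. Repeated rejections
# on a BMS are worth alerting on, since they are what a tool guessing the
# unpublished key algorithm would produce.
#
# Assumptions not on the page: the ECU answers with the usual KWP2000/UDS
# positive-response SID (0x27 + 0x40 = 0x67) and rejects with '7F 27 <nrc>';
# frames are (direction, hex) tuples and the sample exchange is constructed.
SID = 0x27
POS = SID + 0x40
NEG = 0x7F
SEED_SUB = 0x81   # "27 81" seed request
KEY_SUB = 0x82    # "27 82" key response
SEED_LEN = 4      # seed length from the post


def track_security_access(frames):
    """Summarise the exchange: seeds seen, key attempts, rejected keys, problems."""
    stats = {"seeds": [], "key_attempts": 0, "failed_keys": 0,
             "unlocked": False, "problems": []}
    seed = None            # last seed handed out by the ECU, None once consumed
    awaiting_key_reply = False
    for direction, hexstr in frames:
        f = bytes.fromhex(hexstr)
        if len(f) < 2:
            continue
        if direction == "req" and f[0] == SID:
            if f[1] == SEED_SUB:
                seed = None
            elif f[1] == KEY_SUB:
                if seed is None:
                    stats["problems"].append("key sent without a preceding seed")
                stats["key_attempts"] += 1
                awaiting_key_reply = True
        elif direction == "resp" and f[0] == POS:
            if f[1] == SEED_SUB:
                seed = f[2:]
                stats["seeds"].append(seed.hex())
                if len(seed) != SEED_LEN:
                    stats["problems"].append(f"seed is {len(seed)} bytes, expected {SEED_LEN}")
            elif f[1] == KEY_SUB and awaiting_key_reply:
                stats["unlocked"] = True
                awaiting_key_reply = False
                seed = None
        elif direction == "resp" and f[0] == NEG and f[1] == SID and len(f) >= 3:
            if awaiting_key_reply:
                stats["failed_keys"] += 1
                awaiting_key_reply = False
            stats["problems"].append("negative response nrc=%02X" % f[2])
    return stats


def sample_exchange():
    """Constructed exchange: one rejected key, then a second attempt accepted."""
    return [
        ("req", "2781"),
        ("resp", "6781" + "A1B2C3D4"),   # constructed 4-byte seed
        ("req", "2782" + "00000000"),    # placeholder key, not a real one
        ("resp", "7F2735"),              # rejected (0x35 is the UDS invalidKey code)
        ("req", "2781"),
        ("resp", "6781" + "11223344"),
        ("req", "2782" + "00000000"),
        ("resp", "6782"),
    ]


if __name__ == "__main__":
    print(track_security_access(sample_exchange()))
```

The tracker deliberately does not compute keys; it only pairs requests with replies, so it can be run over a log from either side of the bus without knowing anything about the algorithm.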
 