craftywoodworks3
Member
Well done guys, keep going I’m sure you’ll crack it.
There are keys for families of ECU; if you find the algorithm for 27 81 it'll work with all BMSs. I suspect the ECU family may be passed to the function too if it can decode more than one. I'm not sure which files you're looking in, but if you see one with RNDS in the name, that'll be the BMS algorithm. Or search for the string 81.
The BMS has 4 security levels, 61, 63, 65 and 81, which are unique to the BMS. 02, 03 etc. are unique to the VCM and other ECU modules in the Leaf.
If you wanted to share what you've found in the function, I can compare it with the functions I've already reversed to check if we're looking at the right code. Or if you wanted to PM me and explain how you've decrypted the function, I can reproduce it here in the files I'm working with. Two sets of eyes on this might help.
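As an added example (not code from this thread, nor from any tool named in it), a small decoder for the UDS SecurityAccess (0x27) exchange, so the seed/key handshake and rejected keys can be read out of a CAN log rather than guessed at. The CAN IDs and frames are constructed, and the BMS-vs-other level split simply follows the post above.

```python
from dataclasses import dataclass

# Sub-functions the post above attributes to the BMS; everything else is reported as
# "other" (the post names 02, 03 etc. for the VCM). Constructed example, not thread code.
BMS_LEVELS = {0x61, 0x63, 0x65, 0x81}
NRC_NAMES = {0x35: "invalidKey", 0x36: "exceededNumberOfAttempts",
             0x37: "requiredTimeDelayNotExpired"}

@dataclass
class SecAccessEvent:
    can_id: int
    kind: str    # requestSeed / sendKey / positive / negative
    level: int   # odd requestSeed sub-function; a sendKey (level+1) is folded back to it
    detail: str = ""

def parse_frame(can_id: int, data: bytes):
    """Decode one ISO-TP single frame; return a SecAccessEvent or None if unrelated."""
    if not data or (data[0] >> 4) != 0:       # single frame: PCI high nibble 0, low = length
        return None
    pdu = data[1:1 + (data[0] & 0x0F)]
    if len(pdu) < 2:
        return None
    sid, sub = pdu[0], pdu[1]
    if sid == 0x27:                            # SecurityAccess request
        if sub % 2:                            # ISO 14229: odd = requestSeed, +1 = sendKey
            return SecAccessEvent(can_id, "requestSeed", sub)
        return SecAccessEvent(can_id, "sendKey", sub - 1, pdu[2:].hex())
    if sid == 0x67:                            # positive response (0x27 + 0x40)
        return SecAccessEvent(can_id, "positive", sub if sub % 2 else sub - 1, pdu[2:].hex())
    if sid == 0x7F and len(pdu) >= 3 and sub == 0x27:   # negative response to 0x27
        return SecAccessEvent(can_id, "negative", 0, NRC_NAMES.get(pdu[2], hex(pdu[2])))
    return None

def summarize(log):
    """Return (events, count of rejected keys, levels seen split into BMS vs other)."""
    events = [e for e in (parse_frame(i, d) for i, d in log) if e]
    failures = sum(e.kind == "negative" for e in events)
    levels = {e.level for e in events if e.level}
    return events, failures, {"bms": levels & BMS_LEVELS, "other": levels - BMS_LEVELS}

SAMPLE_LOG = [  # constructed frames (CAN IDs are placeholders, not real Leaf IDs)
    (0x7E4, bytes.fromhex("0227810000000000")),  # tester -> BMS: requestSeed, level 0x81
    (0x7EC, bytes.fromhex("0667811122334400")),  # BMS -> tester: seed 11223344
    (0x7E4, bytes.fromhex("062782AABBCCDD00")),  # tester -> BMS: sendKey for level 0x81
    (0x7EC, bytes.fromhex("037F273500000000")),  # BMS -> tester: NRC 0x35 invalidKey
    (0x7E4, bytes.fromhex("0227030000000000")),  # tester -> VCM: requestSeed, level 0x03
]
```

Running `summarize(SAMPLE_LOG)` over a real capture (one `(can_id, data)` tuple per frame) shows which levels a tool actually requested and how many keys the BMS rejected.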
Yes. But they know it is possible and provide SW for others to do that.
evutil was posted here just above; the version they released on their forum doesn't support BMS flashing.
Have 50kWh modules waiting to be merged with my sandbox Leaf.
Probably not, everything has been reversed now, just waiting on the key algorithm. If it can't be extracted, once we find a spare BMS I'll flash my updated firmware to it using the Nissan tool and I'll extract it from the BMS; then you can update firmwares via an Android phone.
All of those firmwares they show on the Vivne video, and a heap of extras, were emailed to me by a few different people that somehow gained access to them. Once we have the key algorithm, their $650 flashing service for 30 sec of work will be over.
Please share photos of the internals of the Ariya BMS with detail of the EEPROM and main chip code.
I have 3 BMSs available to test: 1 from a 63kWh Nissan Ariya, 2 from 2 30kWh Nissan Leafs, if you want me to test. All batteries have been stripped and I have all the parts in my workshop. I would like to use the proprietary BMSs but have bought 6 JK-BMSs as I didn't know how to wire up the proprietary ones, so if I can help I'm available. I have an Android phone I can use as well, just don't know how to wire them up out of the traction battery, so may need guiding to do that. They're here anyway; if it's too much hassle out of the traction battery I'm willing to post both to you to test. You can have them if it helps.
Which is? Don't keep us hanging.
So I have the Christmas gift for all, especially for @safetyuggs. (The last missing piece of the puzzle.)
Hi, I don't know if I'm too late, but I have a
Hey!
I'm looking for a couple of cheap BMSs to extract the firmware and set up an open source tool to reflash them, hopefully via the CAN bus but worst case via the JTAG/SWD/whatever Renesas calls their programming port on the PCB. Non-working is fine as long as there's life on the CAN bus.
We know three things:
- Vivne claims to be able to reflash the BCM
- Nissan can push firmware updates to it over the CAN bus
- The datasheet says there is no read-protect function of the Flash ROM in the MCU.
Ghidra, Renesas's CS+ tool and IDA Pro can be used to disassemble the firmware, which should speed up the reverse engineering, and knowing the main CAN commands will quickly help identify where the GIDs and pack capacity are stored. This *should* be a fairly simple and quick project.
The only problem is there are no BMSs available on eBay, wreckers won't split the packs open to sell a BMS, and I only have the one BMS here and I'd rather not brick mine just yet.
As for my background, I've done a fair bit of reverse engineering, mostly ECUs and game consoles, including a full reverse engineer and re-write of Bosch ME7 code to convert it into an open source, dirt cheap stand-alone ECU (https://github.com/WillItBoost/M744-Stand-Alone-ECU).
If anyone has a cheap BMS or would like to donate one to the cause, let me know!
Ben
Hi, lurker here. I have a BMS from an env200 24 that I would gladly donate to the cause. I am in France, but if it is of interest to you please let me know. I'll get a picture tomorrow. Great work incidentally.
I've had two offers for the exact BMS I need to flash my firmware to, but they've gone silent so I guess they've changed their mind. I'll keep looking.
The BMS I need is one beginning with 293A0-3NA0, the white plug Gen1 BMS.
In the meantime @explorer232 is doing amazing work reversing the DLLs containing the crypto. It's just a matter of time before this nut is cracked!