Reverse engineering BMS Firmware / Reflashing BMS

My Nissan Leaf Forum

There are keys for families of ECU; if you find the algorithm for 27 81 it'll work with all BMSs. I suspect the ECU family may be passed to the function too if it can decode more than one. I'm not sure which files you're looking in, but if you see one with RNDS in the name, that'll be the BMS algorithm. Or search for the string 81.

The BMS has 4 security levels, 61, 63, 65 and 81, which are unique to the BMS. 02, 03 etc. are unique to the VCM and other ECU modules in the Leaf.

If you wanted to share what you've found in the function, I can compare it with the functions I've already reversed to check whether we're looking at the right code. Or if you wanted to PM me and explain how you've decrypted the function, I can reproduce it here in the files I'm working with. Two sets of eyes on this might help.

I sent you a PM package with some decrypted RNDS descriptors, the CRC16 algorithm used in the 0x81 security approach, and a dll library with the algo. Check Generic_Function_1 and Generic_Function_2.
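For readers who have not worked with the diagnostic protocol the two posts above are talking about: "27 81" is UDS (ISO 14229) service 0x27 SecurityAccess with the odd requestSeed sub-function 0x81; the ECU answers with a seed, the tester sends the derived key back with the even sub-function 0x82, and the same pairing applies to 61/62, 63/64 and 65/66. The following is an added example, not code from the thread, from evutil, or from any Nissan tool. It models both sides of that exchange together with the two protections the standard gives the ECU, a failed-attempt counter and a time lockout (negative response codes 0x35 invalidKey, 0x36 exceedNumberOfAttempts, 0x37 requiredTimeDelayNotExpired). The key derivation here is a placeholder (CRC-16/CCITT over seed and level) chosen only so the example runs; the attempt limit, lockout length and seed source are likewise assumptions, not values from any real BMS.

```python
"""UDS SecurityAccess (service 0x27) modelled end to end: ECU state machine
plus the tester-side request/key exchange.  Added example; the key function
is a PLACEHOLDER, not any vendor's algorithm."""
import struct
import time

SID_SECURITY_ACCESS = 0x27
POS_RESP = 0x67                     # 0x27 + 0x40
NRC_SUBFUNC_NOT_SUPPORTED = 0x12
NRC_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35
NRC_EXCEEDED_ATTEMPTS = 0x36
NRC_DELAY_NOT_EXPIRED = 0x37


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection)."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def placeholder_key(seed: bytes, level: int) -> bytes:
    """HYPOTHETICAL key derivation used only to make the exchange run."""
    return struct.pack(">H", crc16_ccitt(seed + bytes([level])))


class EcuSecurityAccess:
    """ECU side: seeds, key check, attempt counter and lockout delay."""
    LEVELS = (0x61, 0x63, 0x65, 0x81)   # requestSeed sub-functions named in the thread
    MAX_ATTEMPTS = 3                    # assumed; real ECUs choose their own limit
    LOCKOUT_S = 10.0                    # assumed lockout after too many bad keys

    def __init__(self, seed_source, clock=time.monotonic):
        self._next_seed = seed_source   # callable returning the next 2-byte seed
        self._clock = clock
        self.pending = None             # (level, seed) awaiting a sendKey
        self.unlocked_level = None
        self.failed = 0
        self.locked_until = 0.0

    def _nrc(self, code: int) -> bytes:
        return bytes([0x7F, SID_SECURITY_ACCESS, code])

    def handle(self, req: bytes) -> bytes:
        if len(req) < 2 or req[0] != SID_SECURITY_ACCESS:
            return bytes([0x7F, req[0] if req else 0, 0x11])   # serviceNotSupported
        sub = req[1]
        if self._clock() < self.locked_until:
            return self._nrc(NRC_DELAY_NOT_EXPIRED)
        if sub in self.LEVELS:                                 # odd: requestSeed
            if self.unlocked_level == sub:
                return bytes([POS_RESP, sub, 0x00, 0x00])      # all-zero seed = already unlocked
            seed = self._next_seed()
            self.pending = (sub, seed)
            return bytes([POS_RESP, sub]) + seed
        if sub - 1 in self.LEVELS:                             # even: sendKey
            if self.pending is None or self.pending[0] != sub - 1:
                return self._nrc(NRC_SEQUENCE_ERROR)           # key without a seed
            level, seed = self.pending
            self.pending = None                                # one seed, one try
            if req[2:] == placeholder_key(seed, level):
                self.unlocked_level, self.failed = level, 0
                return bytes([POS_RESP, sub])
            self.failed += 1
            if self.failed >= self.MAX_ATTEMPTS:
                self.locked_until = self._clock() + self.LOCKOUT_S
                self.failed = 0
                return self._nrc(NRC_EXCEEDED_ATTEMPTS)
            return self._nrc(NRC_INVALID_KEY)
        return self._nrc(NRC_SUBFUNC_NOT_SUPPORTED)


def unlock(ecu: EcuSecurityAccess, level: int, key_fn=placeholder_key):
    """Tester side: requestSeed, derive key, sendKey.  Returns (ok, transcript)."""
    transcript = []
    req = bytes([SID_SECURITY_ACCESS, level])
    resp = ecu.handle(req)
    transcript.append((req, resp))
    if resp[0] != POS_RESP:
        return False, transcript
    seed = resp[2:]
    if seed == b"\x00\x00":                                    # already unlocked, no key needed
        return True, transcript
    req = bytes([SID_SECURITY_ACCESS, level + 1]) + key_fn(seed, level)
    resp = ecu.handle(req)
    transcript.append((req, resp))
    return resp[0] == POS_RESP, transcript


if __name__ == "__main__":
    import os
    ecu = EcuSecurityAccess(lambda: os.urandom(2))
    ok, log = unlock(ecu, 0x81)
    for req, resp in log:
        print("TX", req.hex(" "), "  RX", resp.hex(" "))
    print("unlocked:", ok)
```

The point of keeping the ECU state machine in the example is the defensive one: a seed is consumed by its first sendKey, a wrong key is counted, and after the limit the ECU stops answering even requestSeed until the delay has passed, which is the behaviour a flashing tool has to respect and the behaviour a bench test of a module should confirm is present.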
 
Hi.
Just found a new video from Chinese battery reworkers. It looks like they use the Russian app evutil, but version 1.0. It shows how the app loads a new firmware file to the BMS.


The last evutil version I found in Telegram is 0.5b.
As we know, the Russians are in close relationships with Chinese battery suppliers, so this version might be delivered only to them.

Update: Yes, video comment confirms that the app is not available "The program is unable to be purchased separately."
 
evutil was posted here just above; the version they released on their forum doesn't support BMS flashing.
Yes. But they know it is possible and provide sw for others to do that :)
I think I read somewhere that their free version allows paying for one-time function use. Would it help for development?
 
Probably not, everything has been reversed now; we're just waiting on the key algorithm. If it can't be extracted, once we find a spare BMS I'll flash my updated firmware to it using the Nissan tool and extract it from the BMS. Then you can update firmwares via an Android phone.

All of those firmwares they show on the vivne video, and a heap of extras, were emailed to me by a few different people that somehow gained access to them. Once we have the key algorithm, their $650 flashing service for 30 sec of work will be over.
 
Have 50kWh modules waiting to be merged with my sandbox Leaf :)
 
I've had two offers for the exact BMS I need to flash my firmware to, but they've gone silent so I guess they've changed their mind. I'll keep looking.

The BMS I need is one beginning with 293A0-3NA0, the white plug Gen1 BMS.

In the meantime @explorer232 is doing amazing work reversing the dlls containing the crypto. It's just a matter of time before this nut is cracked!
 
I have 3 BMSs available to test: 1 from a 63kWh Nissan Ariya and 2 from two 30kWh Nissan Leafs, if you want me to test. All batteries have been stripped and I have all the parts in my workshop. I would like to use the proprietary BMSs but have bought 6 JK-BMSs as I didn't know how to wire up the proprietary ones, so if I can help I'm available. I have an Android phone I can use as well; I just don't know how to wire them up out of the traction battery, so may need guiding to do that. They're here anyway; if it's too much hassle out of the traction battery, I'm willing to post both to you to test. You can have them if it helps.
 
Please share photos of the internals of the Ariya BMS with detail of the EEPROM and main chip code.
 
Ok, not sure if you're aware, but with the Ariya the BMS (LBC) works in a master/slave setup. It has 8 6.1kWh and 4 4.2kWh CATL batteries, each one with its own mini BMS, so 12 in total, and then there is the master BMS. For reference I have also included a BMS from my 30kWh Leaf.
 

Attachments: IMG_0585.jpeg, IMG_0586.jpeg, IMG_0589.jpeg, IMG_0590.jpeg, IMG_0591.jpeg, IMG_0592.jpeg, IMG_0593.jpeg, IMG_0594.jpeg, IMG_0595.jpeg, IMG_0597.jpeg (photos of the BMS boards)
Hey!

I'm looking for a couple of cheap BMSs to extract the firmware and set up an open source tool to reflash them, hopefully via the CAN bus but worst case via the JTAG/SWD/whatever Renesas calls their programming port on the PCB. Non-working is fine as long as there's life from the CAN bus.

We know three things:

  1. Vivne claims to be able to reflash the BCM
  2. Nissan can push firmware updates to it over the CAN bus
  3. The datasheet says there is no read-protect function of the Flash ROM in the MCU.
Ghidra, Renesas's CS+ tool and IDA Pro can be used to disassemble the firmware, which should speed up the reverse engineering, and knowing the main CAN commands will quickly help identify where the GIDs and pack capacity are stored. This *should* be a fairly simple and quick project.

The only problem is there are no BMSs available on eBay, wreckers won't split the packs open to sell a BMS, and I only have the one BMS here and I'd rather not brick mine just yet.

As for my background, I've done a fair bit of reverse engineering, mostly ECUs and game consoles, including a full reverse engineer and re-write of Bosch ME7 code to convert it into an open source, dirt cheap stand-alone ECU (https://github.com/WillItBoost/M744-Stand-Alone-ECU).

If anyone has a cheap BMS or would like to donate one to the cause, let me know!

Ben
Hi, I don't know if I'm too late, but I have a
Hi, lurker here. I have a BMS from an e-NV200 24 that I would gladly donate to the cause. I am in France, but if it is of interest to you please let me know. I'll get a picture tomorrow. Great work, incidentally.
 
@tomhanman thanks for the offer! Once we get the basics down, we can send you an app (if you have an OBD2 adapter) and you can try to run a firmware update on your end.

Now that @explorer232 has cracked the 0x27 81 crypto algorithm, I can add a firmware update option in my android app (You'll still need genuine firmware files which are available from Nissan - unless someone that has purchased one wants to share it).

I'll have more info once I get the code up and running on Android.
 