Reverse engineering BMS Firmware / Reflashing BMS

My Nissan Leaf Forum

Can we get original FW from BMS and play with it? How can we buy FW from Nissan?
I know VAG flash files are available online on different pirate sites. What are Nissan flash files called?

Also I would agree to test the process on my sandbox Leaf (24kWh, gen2).
 
You can go to the nissan-tech website and pay USD $50 per firmware file (some BMSs have two CPUs and need two firmwares). To use a Nissan Consult to flash, it costs USD $50 per day.

The firmware files aren't single use, so once they've been purchased, they can be used over and over.

The firmware data itself is packed in a .KWP file, and it'll come with a CSV file that says which BMSs are supported to use the firmware, and the updated firmware ID code.
 
Do you mind that the app you developed could upgrade firmware for 30/40/62 BMSs too?
I just have two heavily degraded 62kWh packs with the same firmware version. I know about other 62kWh packs, not degraded, with a higher firmware version. Probably they need, other than module repair, also a firmware upgrade.
 
I'd say you can update them all with the right firmware, but testing would be needed first
 
OK, so!

You get ONE failed attempt at 0x27 81 before you get no more attempts :-(

I should have dumped the EEPROM out of these before attempting, I've now got 3 BMSs that won't accept an 81 security request :-(

Anyone have EEPROM dumps handy?
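
Added example, not part of the post above and not code from the app discussed in this thread: a Python classifier for replies to service 0x27, so a tool can stop before spending its single attempt. The negative response codes are the standard diagnostic ones; treating odd sub-functions such as 0x81 as "request seed" and even ones as "send key" is an assumption, and the sample bytes are constructed.

```python
# Added example: classify replies to SecurityAccess (service 0x27) before sending a key.
# Payloads are service-level bytes with transport framing already removed.
from dataclasses import dataclass

SID = 0x27                      # SecurityAccess request
POSITIVE = SID + 0x40           # 0x67, positive response
NEGATIVE = 0x7F                 # negative response marker
NRC = {0x12: "subFunctionNotSupported", 0x22: "conditionsNotCorrect",
       0x33: "securityAccessDenied", 0x35: "invalidKey",
       0x36: "exceededNumberOfAttempts", 0x37: "requiredTimeDelayNotExpired"}
LOCKOUT = {0x36, 0x37}          # ECU refuses further attempts for now

@dataclass
class Verdict:
    state: str                  # seed | unlocked | rejected | locked_out | unexpected
    detail: str
    seed: bytes = b""

def classify(request: bytes, response: bytes) -> Verdict:
    if len(request) < 2 or request[0] != SID:
        raise ValueError("not a SecurityAccess request")
    sub = request[1]
    if len(response) >= 3 and response[0] == NEGATIVE and response[1] == SID:
        code = response[2]
        state = "locked_out" if code in LOCKOUT else "rejected"
        return Verdict(state, NRC.get(code, f"NRC 0x{code:02X}"))
    if len(response) >= 2 and response[0] == POSITIVE and response[1] == sub:
        if sub % 2 == 0:        # assumption: even sub-function = send key
            return Verdict("unlocked", "key accepted")
        seed = response[2:]     # assumption: odd sub-function (0x81) = request seed
        if not seed:
            return Verdict("unexpected", "positive reply without seed")
        if not any(seed):
            return Verdict("unlocked", "all-zero seed, already unlocked", seed)
        return Verdict("seed", "seed issued", seed)
    return Verdict("unexpected", response.hex())

def safe_to_send_key(history: list) -> bool:
    """True only if the latest reply is a fresh seed and nothing earlier failed."""
    failed = {"rejected", "locked_out", "unexpected"}
    return bool(history) and history[-1].state == "seed" and not any(
        v.state in failed for v in history)

# Constructed sample exchanges (not captured from a real BMS)
SAMPLES = [("2781", "678112345678"), ("2781", "7F2736"), ("2781", "678100000000")]

if __name__ == "__main__":
    for req, rsp in SAMPLES:
        print(req, rsp, classify(bytes.fromhex(req), bytes.fromhex(rsp)))
```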
 
Are mine any good for you?
The 30kWh would be very useful if it is pre updated? (Hasn't yet been reflashed). I think this would be the most common use of the new app, to reflash the faulty 30kWh BMS Nissan shipped out. Did you have the part number or an OBD2 adaptor?
 
All done! Just need a BMS to flash a firmware to and if it doesn't brick, I'll send the beta version Android app out for others to test. Couldn't have done it without the help of all you good people! (especially @Dala @explorer232 @ramdoor and Liam in the Discord!) Truly a group effort.

The 30kWh would be very useful if it is pre updated? (Hasn't yet been reflashed). I think this would be the most common use of the new app, to reflash the faulty 30kWh BMS Nissan shipped out. Did you have the part number or an OBD2 adaptor?
Waiting for the app to test it on a 2011 Leaf with a 24kw battery.
 
The 30kWh would be very useful if it is pre updated? (Hasn't yet been reflashed). I think this would be the most common use of the new app, to reflash the faulty 30kWh BMS Nissan shipped out. Did you have the part number or an OBD2 adaptor?
This is on the top, I’m waiting for a Bluetooth obd2 and a cable to arrive, I will need some help wiring it up or I could post both to you? Either way I can help you
 

We can recalculate the signature but there may be other checksums done in code to detect a corrupted (modified) firmware. Once we dump the bootloader we'll know what other checks are being done, if any.

There is currently no way to dump a BMS firmware but I'm hoping that will change very soon.
 
Do you want me to post, I’ll pay shipping don’t worry about that.
 
All done! Just need a BMS to flash a firmware to and if it doesn't brick, I'll send the beta version android app out for others to test. Couldn't have done it without the help of all you good people! (especially @Dala @explorer232 @ramdoor and Liam in the discord! ) Truly a group effort

Great news, I have some 24kWh BMS boards I can test, one Black and White connector included, as well as a 40kWh and 62kWh LBC we can use for further testing.
 
If you have a second, and an OBD2 device, could you please post your Firmware version and CRC Reflash IV? I suspect they're tied to the firmware and not random (based on the limited number of BMSs I've checked).

Reason being, we can only generate the re-flashing seed/key pairs on a PC right now, so if the CRC IVs are tied to the firmware version, we can pre-calculate a seed-key pair file to distribute with the Android reflash app - otherwise we'll need to use a web server to provide keys (which is fine, I'd just prefer it stand alone & offline) - once we get the right BMS to reflash, we can extract the full stand alone C function but right now, we're tied to the PC.

Android 12 or higher only for now.
 
