Reverse engineering BMS Firmware / Reflashing BMS

My Nissan Leaf Forum

Longer cell taps have been a question for the better part, but again these can be compensated for by doubling the wire thickness on the longer runs, reducing their resistance and mitigating voltage drop.

I have part numbers for the crimps on the stock connectors if anyone wants them (hence why we can make up different harness cables into the stock LBC connectors).

Perfect timing! I’m just completing a battery box right now that will take half my 60kWh Leaf modules, with a 2nd box about a meter away, so yes would appreciate the connector info please so I can extend the LBC wiring.
What size wire did you find worked successfully for you on your harness?

Apologies to everyone for diverting the thread, but I had to grab this info :)
 
Is it possible to flash a 30kw BMS with the 40kw firmware for a battery upgrade (24 x module replacement)?
 
Very interesting! Thank you for sharing :) This will give me a good place to start looking when the time comes for accurate HX calcs.

I don't suppose you have the offsets and structures of these maps?

And would you know which CAN message Ah is transmitted on? It'll help me track down where it's coming from; the available docs, both in the wiki and Dala's, are not for the ZE0 and the frame structure isn't even close.
No problem. For 3NA0D that you're working on, have a look at 0x0003EF10 for the 6x20 table values.
X axis at 0x0003EEE0
Y axis at 0x0003EEE8

As for Ah, if you're looking for the Present Capacity in Ah then that isn't transmitted on CAN. There is an Ah-related variable in CAN ID 0x5C0, but that's like a counter of Ah charged/discharged. To get the Present Capacity in Ah you need to request that from LID 0x01. The response includes a bunch of interesting data, but most of that data is also already available in transmitted CAN messages. Excluding the first two bytes in the response, which are flow control (0x61, 0x01), the Present Capacity in Ah should be at data bytes 32-35 (dword). Scaling is 10000 units = 1Ah.
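As an added example (not code from the thread or its posters), here is the decode described above in Python: reassemble the multi-frame LID 0x01 reply, drop the two leading bytes (0x61, 0x01), and scale the dword at data bytes 32-35. It assumes ISO-TP framing, a big-endian dword and zero-based data offsets, none of which the post states.

```python
# Added example (not code from the thread): reassemble a multi-frame diagnostic
# reply and decode Present Capacity (Ah) from the LID 0x01 response as laid out
# above. Assumptions not stated on the page: ISO-TP framing (first frame 0x1L LL,
# consecutive frames 0x2N), a big-endian dword, and "data bytes 32-35" counted
# zero-based after stripping the 0x61 0x01 header.

POS_RESP_SID = 0x61  # positive-response service byte (first byte of the reply)
LID_CAPACITY = 0x01  # local identifier whose reply carries Present Capacity
AH_OFFSET = 32       # dword offset inside the data bytes (header excluded)
AH_SCALE = 10000     # 10000 units == 1 Ah


def reassemble_isotp(frames):
    """Join a first frame (0x1L LL + 6 data) and its consecutive frames (0x2N + 7)."""
    first = frames[0]
    if first[0] >> 4 != 0x1:
        raise ValueError("expected an ISO-TP first frame")
    total = ((first[0] & 0x0F) << 8) | first[1]
    data = bytearray(first[2:8])
    for sn, cf in enumerate(frames[1:], start=1):
        if cf[0] != 0x20 | (sn & 0x0F):
            raise ValueError("bad consecutive frame sequence number")
        data += cf[1:8]
    if len(data) < total:
        raise ValueError("incomplete response")
    return bytes(data[:total])

def present_capacity_ah(payload):
    """Decode Present Capacity in Ah from a reassembled LID 0x01 reply."""
    if len(payload) < 2 or payload[0] != POS_RESP_SID or payload[1] != LID_CAPACITY:
        raise ValueError("not a LID 0x01 positive response")
    data = payload[2:]  # drop the 0x61 0x01 header; offsets below are data-relative
    if len(data) < AH_OFFSET + 4:
        raise ValueError("reply too short to hold the capacity dword")
    return int.from_bytes(data[AH_OFFSET:AH_OFFSET + 4], "big") / AH_SCALE

def build_sample_frames(ah):
    """Constructed test vector: a 38-byte reply (2 header + 36 data bytes) with the
    capacity dword set to `ah`; every other data byte is zero."""
    data = bytearray(36)
    data[AH_OFFSET:AH_OFFSET + 4] = round(ah * AH_SCALE).to_bytes(4, "big")
    payload = bytes([POS_RESP_SID, LID_CAPACITY]) + bytes(data)
    frames = [bytes([0x10 | (len(payload) >> 8), len(payload) & 0xFF]) + payload[:6]]
    for sn, i in enumerate(range(6, len(payload), 7), start=1):
        frames.append(bytes([0x20 | (sn & 0x0F)]) + payload[i:i + 7].ljust(7, b"\x00"))
    return frames

if __name__ == "__main__":
    print(present_capacity_ah(reassemble_isotp(build_sample_frames(56.3))))  # 56.3
```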
 
Massive thanks to @NocturnalWalt for the Ah CAN message details. Searching backwards from that CAN packet, I've found the constants for cell capacity and my ZE0 24kWh BMS is now reflashed for 62kWh.

@LKA has found various tables and maps in the firmware, and with the info NocturnalWalt shared I think we are starting to get a good idea of where everything is.

There's still a LOT of testing and no doubt I've missed some functions to patch, but we're well on our way to eliminating the CAN bridge or the need for a $1000 Chinese/Russian BMS reflash, which I'm told is just as buggy as the bridge. One local EV workshop is currently removing a flashed BMS to get the car operating again.
 

Is the 30 kWh AZE0 BMS similar to the ZE1 BMS? There is one grey and one black connector on this 30kWh BMS, like the ZE1 BMS.

If anyone has these LBC firmwares for the AZE0, we can compare the differences (lookup tables...). The last letter may differ.

4NP2A -- 24 kWh
4NP4A -- 30 kWh
4NP6A -- 40 kWh
3NA0A - 24 kWh (without battery heater)
3NA1A - 24 kW (heater powered from the battery)
9RB3A - 24 kW (2015 model year)
4NP2A - 24 kW (2016 model year)
4NP4A - 30 kW (old version)
4NP4C - 30 kW (new version)
5SA2B - 40 kW
6SH1A - 62 kW

6WX2A - 40 kW e-NV 200
 
Thanks for the great news! I have a Consult, and the BMS test bench too. When will the KWP files be available for local testing?
 
Hi, and do you have these firmwares?
 
You can put an Arduino with CAN bus inline to record all the commands.
Hi! So, for information, if this can help the cause: I recently bought a Vivne 62kWh battery and I had some problems with the BMS firmware (charging and regeneration problems). They could not find the solution to my problem, and I later learned that it was a Russian hacker who cracked their BMS.
I was able to reflash mine with the correct firmware, FYI.
I also have at my disposal 2 BMSs, a 30 and a 24; I can leave one with you for a good cause!
Let me know.
 
Hey!

I'm looking for a couple of cheap BMSs to extract the firmware and set up an open source tool to reflash them, hopefully via the CAN bus but worst case via the JTAG/SWD/whatever Renesas calls their programming port on the PCB. Non-working is fine as long as there's life on the CAN bus.

We know three things:

  1. Vivne claims to be able to reflash the BCM
  2. Nissan can push firmware updates to it over the CAN bus
  3. The datasheet says there is no read-protect function of the Flash ROM in the MCU.
Ghidra, Renesas's CS+ tool and IDA Pro can be used to disassemble the firmware, which should speed up the reverse engineering, and knowing the main CAN commands will quickly help identify where the GIDs and pack capacity are stored. This *should* be a fairly simple and quick project.

The only problem is there are no BMSs available on eBay, wreckers won't split the packs open to sell a BMS, and I only have the one BMS here and I'd rather not brick mine just yet.

As for my background, I've done a fair bit of reverse engineering, mostly ECUs and game consoles, including a full reverse engineer and re-write of Bosch ME7 code to convert it into an open source, dirt cheap stand-alone ECU (https://github.com/WillItBoost/M744-Stand-Alone-ECU).

If anyone has a cheap BMS or would like to donate one to the cause, let me know!

Ben
With which software can we read and modify BMS firmware?
 
First test drive on the new firmware.

First thing I noticed is the increased acceleration, by a noticeable amount. I wonder why the Yaste bridge limits available kW? With Yaste it'll jump up to 80kW but will quickly fall to around 60kW; not the case with the bridge removed.

Time Until Charged - I need to find and correct these tables, it is still assuming a 24kw pack and the hours until 100% align with that.

GIDs: GIDs are internally being calculated correctly, but there is a function in the BMS that compares them against an upper limit and will cap them at that, so with any more charge than ~24kWh in the pack the GIDs will stay fixed at that value. This should be an easy one to track down and raise the cap.

SOH and Ah appear to be calculated correctly. HX is ~123-130, likely due to the lower IR of these CATL cells. We'll need to adjust the table for these so SOH can be accurately determined.

An hour's drive with no DTCs, no turtle. Range is pretty much always reported at 152km due to the GIDs being capped at that particular value.
 

If you can find a datasheet for the CATL cells you're using, I suspect the answer will be in there. The original LEAF cells were kind of special in that they could handle surprisingly high currents from such a small Ah cell. I think I remember someone even mentioning doubts about how these Chinese aftermarket packs could use CATL cells, when none of the known CATL cells would be able to meet the specifications of original LEAF cells.

The Yaste bridge may be making an effort to meet CATL's specifications. If you read the datasheet, you might find some specs that allow for brief high current and moderate sustained current. You might want to do the same, if you hope to keep your cells in good condition.
 