Reverse engineering BMS Firmware / Reflashing BMS

My feeling is
Temp sensors would be enough. If someone is going to open the pack to be able to do a reset, there is little they will not do to deceive.
That is a ton of work to do just to change the SOH.

Furthermore, a good long test drive should show if that had been done on a Leaf with a severely degraded battery.

If I understand things, being able to change the BMS to any new cell configuration should now be in reach of the resident smart guys.
Way to go!
 
Should this source be shared? As it stands the only way to do this is with a Consult3 device (prohibitively expensive for most people) or using that defunct Russian app. If it finds its way into LeafSpy or another app there'll be a whole lot of Leafs on the market with 12 bars of health and artificially high used Leaf prices. I was considering adding code to test that the temperature sensors are unplugged before allowing the SOH reset; that'll somewhat prevent people resetting SOH when selling a car, but still allow off-grid or CATL upgrades to reset their SOH. Thoughts?

SOH reset is easy and available with the free Car Scanner program.

I have a CANable Pro adapter and 2x Leaf 2013 AZE0 (USA and EU)
and a battery in the process of being rebuilt to 44kWh on CATL modules,
so I am very interested in the topic. If I can help in any way please let me know.
 
Hi team! Joined late to the party, but still on time. Great discussions here, very interested and willing to help.
Yes… I do have a can bus interface.

Will take a few pictures on Monday of the BMSs at hand!

I have access to several types of BMS for the Leaf in my company. Do you need any help with them? I'm not an expert in EEPROM reading or JTAGing, but can learn quickly if needed.

Please let me know if you need anything from my side!
 
Hi, ramdoor.
We do solar/battery installations for residences and have had both a new 2016 LEAF and, more recently, we swapped it in for a 2023 model LEAF with the hopes of accessing the very good traction battery system to power some of our solar houses so that we may interface with local grid needs.

The cost of the LEAF compares very favorably to high quality renewable energy batteries and you get a car along with the battery!

We have purchased a SETEC unit direct from China which promised to access the traction battery and it did for about 30 seconds before I believe the LEAF disconnected due to factory installed software preventing such ability in the good ole USA.

Seemed to work overseas they say.

We only need the Chademo port to stay connected to the traction battery so that we may connect to that high voltage source with our normal solar Charge controllers which we usually connect to 300vdc to 500vdc solar strings.

We would love for the car battery protection software to stay active so that overdischarging could not happen, but we could work around that if necessary.

Our little lab could pay a reasonable fee for good help in this matter as it is the future, but as of now Nissan does not like the idea in the USA FOR SOME REASON.

Thanks, God bless you and let’s do something good for people.

Jon Sprinkle
SolarTechs
UNIVERSALNANOGRIDS
Jon, this is totally unrelated to the BMS reverse engineering. If you need to use LEAF batteries, check out the Battery-Emulator, and make a new thread for your project.
 
Should this source be shared? As it stands the only way to do this is with a Consult3 device (prohibitively expensive for most people) or using that defunct Russian app. If it finds its way into LeafSpy or another app there'll be a whole lot of Leafs on the market with 12 bars of health and artificially high used Leaf prices. I was considering adding code to test that the temperature sensors are unplugged before allowing the SOH reset; that'll somewhat prevent people resetting SOH when selling a car, but still allow off-grid or CATL upgrades to reset their SOH. Thoughts?
My thoughts are that the SOH is overrated; my eNV200 shows a SOH of 80% when in reality I measured less than 60% on every cell. I don't know how the SOH is calculated but it's definitely bad.
If I were to buy a used Leaf today I would never trust the SOH; I would drive it till it reaches a low state of charge to see how many km it can drive.
 
Crypto Cracked! Tested on 24kWh Gen1 (white socket), 24kWh grey socket, 30kWh, and I can't see a reason it wouldn't work on other BMSs too. We can now reset EEPROM parameters including SOH and HX instantly. Still working on the firmware update code, but now that we have full security access, that shouldn't be too complicated.
Remember, Hx (Gen1) is not a percentage like SOH; it's a nominal value for battery conductance.
 
Very impressive, even though I am not qualified to know how impressive this is!

I think there is a strong moral obligation to withhold the ability to adjust SOH on a car. The implications for people on lower incomes (if you’re buying a 13 year old Leaf, that’s a reasonable assumption) to lose a large amount of their money, is high.

Similarly, someone’s first adventures into owning an EV could turn very sour if they find it only has a 30 mile range.

So if you’re canvassing opinions, I’d like to cast my vote strongly against this knowledge escaping into the wider world. How you do that I’ll leave to you!

So, a related question - what is your objective when you do reach the end? What will you be able to do for people?

I’m watching with great interest!
My end goal for this project is to be able to reflash the stock BMS with a stock firmware with only the capacity variables changed, to allow CATL upgrades without some sketchy CAN bridge which forces a 100% SOH and never reflects the actual battery capacity or degradation.

Dala is interested in the SOH reset for off-grid usage, I think to allow a greater capacity of energy to be used from the pack? That is completely reasonable; the only issue is that Dala's project is open source, so it'll just be a matter of time until someone uses the code to reset Leaf SOH for resale. I'd like to have an app ready before the source is released to check if a Leaf's BMS has been tampered with. Most people use a LeafSpy when buying a Leaf, and having a big warning pop up on screen makes this source almost useless to people looking to exploit others.

Dala mentioned in other posts that using a stock BMS with a bridge with a CATL upgrade can allow greater than 4.3V per cell, which is incredibly unsafe. Looking at the source, at least in this 30kWh source, this isn't possible as cell voltages are constantly monitored and flags are generated if they exceed hard-coded levels. This may not be the case in earlier BMSs, so that is something I'd like to address, and if the PCBs are identical (thanks everyone for sending pics of the various revisions!) I can't see a reason why a modified 30kWh firmware couldn't be loaded onto these earlier BMSs.
 
My great hope is that you and those that follow in your footsteps will be able to make these cars remain viable as newer and better cells become available, with factory like safety from the BMS.
The Chinese cells are all over the map, but I hope that with a good BMS available a reliable battery pack could be made, one that could be warrantied, opening up the possibility of reconditioning and selling older Leafs for a 2nd life.
I may be dreaming, but the work being done here must be the 1st step; without it, the rest is not possible.
I knoweth what I knoweth not, but I'm glad those that do know are doing the work.
 
My end goal for this project is to be able to reflash the stock BMS with a stock firmware with only the capacity variables changed, to allow CATL upgrades without some sketchy CAN bridge which forces a 100% SOH and never reflects the actual battery capacity or degradation.

Dala is interested in the SOH reset for off-grid usage, I think to allow a greater capacity of energy to be used from the pack? That is completely reasonable; the only issue is that Dala's project is open source, so it'll just be a matter of time until someone uses the code to reset Leaf SOH for resale. I'd like to have an app ready before the source is released to check if a Leaf's BMS has been tampered with. Most people use a LeafSpy when buying a Leaf, and having a big warning pop up on screen makes this source almost useless to people looking to exploit others.

Dala mentioned in other posts that using a stock BMS with a bridge with a CATL upgrade can allow greater than 4.3V per cell, which is incredibly unsafe. Looking at the source, at least in this 30kWh source, this isn't possible as cell voltages are constantly monitored and flags are generated if they exceed hard-coded levels. This may not be the case in earlier BMSs, so that is something I'd like to address, and if the PCBs are identical (thanks everyone for sending pics of the various revisions!) I can't see a reason why a modified 30kWh firmware couldn't be loaded onto these earlier BMSs.
Yes, the 24kWh 2011-2012 BMS has tons of bugs in it. Most likely this only happens on some 24kWh BMSs. Some of my favourite bugs:

- If turtle mode is active to protect the battery from discharging, you can override it by turning on cruise control!
- If the battery is extremely cold, the allowed charge power underflows and full regen/power output is possible!
 
Message 0x2162 (Read EEPROM stats)
This is what you expect to see on a "non-zero'd" BMS:

t79B80221620000000000
t7BB81076616201E50694
t79B830000A0000000000
t7BB82139B301B7002400
t7BB82200000000000000
t7BB8230000083F003600
t7BB82400000000000000
t7BB8250000000038E402
t7BB8265D004D00000000
t7BB82700000000000007
t7BB828A100AB00290000
t7BB82900000000000000
t7BB82A00001101DD067E
t7BB82B096A0C5F0C8E0B
t7BB82CE904E3002D0142
t7BB82D031E027700AA00
t7BB82E0A0004001D0000
t7BB82F00000000000000
t7BB82000000000030175


and after a SOH / LxCx Reset:
t79B80221620000000000
t7BB81076616200000000
t79B830000A0000000000
t7BB82100000000000000
t7BB82200000000000000
t7BB82300000000000000
t7BB82400000000000000
t7BB82500000000000000
t7BB82600000000000000
t7BB82700000000000000
t7BB82800000000000000
t7BB82900000000000000
t7BB82A00000000000000
t7BB82B00000000000000
t7BB82C00000000000000
t7BB82D00000000000000
t7BB82E00000000000000
t7BB82F00000000000000
t7BB82000000000000000

I expect a lot of this will be populated after a few cycles. I can't find any info on Group 62 data, but if enough people can report this dump at various states after a SOH clear, we might be able to identify something common to all BMSs.
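As an added example (not code from the thread or from LeafSpy), here is a Python parser for slcan dumps like the two above: it reassembles the ISO-TP response to the 0x2162 request and reports whether the Group 62 block reads entirely zero, which is the pattern the post shows right after an SOH/LxCx reset. The frame layout is assumed to be standard ISO 15765-2, and the all-zero rule is only a heuristic inferred from these two dumps, not a documented Nissan check.

```python
"""Parse an slcan dump of the Leaf BMS 0x2162 (Group 62) exchange, reassemble
the ISO-TP reply from 0x7BB and flag a block that reads entirely zero.
Added example, not from the thread; ISO 15765-2 framing is assumed and the
all-zero rule is a heuristic taken from the two dumps in the post."""

BMS_RESPONSE_ID = 0x7BB  # BMS answers here; 0x79B carries the tester request

# Constructed from the post's "non-zero'd" dump (request and flow control kept
# on purpose so the parser is seen to skip them).
NON_ZEROED = """
t79B80221620000000000 t7BB81076616201E50694 t79B830000A0000000000
t7BB82139B301B7002400 t7BB82200000000000000 t7BB8230000083F003600
t7BB82400000000000000 t7BB8250000000038E402 t7BB8265D004D00000000
t7BB82700000000000007 t7BB828A100AB00290000 t7BB82900000000000000
t7BB82A00001101DD067E t7BB82B096A0C5F0C8E0B t7BB82CE904E3002D0142
t7BB82D031E027700AA00 t7BB82E0A0004001D0000 t7BB82F00000000000000
t7BB82000000000030175
"""

# The post's "after reset" dump: same first frame, then CFs 0x21..0x2F, 0x20.
RESET = " ".join(["t79B80221620000000000", "t7BB81076616200000000",
                  "t79B830000A0000000000"]
                 + ["t7BB82%X00000000000000" % n for n in list(range(1, 16)) + [0]])

def parse_slcan(text):
    """Yield (can_id, data) for every 't' frame: 't' + 3 hex ID + DLC + data."""
    for tok in text.split():
        if not tok.startswith("t") or len(tok) < 5:
            continue
        can_id, dlc = int(tok[1:4], 16), int(tok[4], 16)
        yield can_id, bytes.fromhex(tok[5:5 + 2 * dlc])

def reassemble_isotp(frames, can_id=BMS_RESPONSE_ID):
    """Rebuild one ISO-TP multi-frame message sent from can_id."""
    payload, total, expect = bytearray(), None, 1
    for cid, data in frames:
        if cid != can_id:
            continue  # tester request or flow control, not part of the reply
        pci = data[0] >> 4
        if pci == 0x1:  # first frame: 12-bit total length, then 6 data bytes
            total = ((data[0] & 0x0F) << 8) | data[1]
            payload += data[2:]
        elif pci == 0x2 and total is not None:  # consecutive frame, 4-bit seq
            if (data[0] & 0x0F) != expect:
                raise ValueError("sequence error, expected %X" % expect)
            expect = (expect + 1) & 0x0F
            payload += data[1:]
        if total is not None and len(payload) >= total:
            break
    if total is None or len(payload) < total:
        raise ValueError("incomplete ISO-TP message")
    return bytes(payload[:total])

def group62_status(dump):
    """Return ('ok' | 'zeroed', count of non-zero bytes) for a 0x2162 reply."""
    msg = reassemble_isotp(parse_slcan(dump))
    if msg[:2] != b"\x61\x62":  # positive response to service 0x21, PID 0x62
        raise ValueError("not a 21 62 response: " + msg[:2].hex())
    nonzero = sum(1 for b in msg[2:] if b)
    return ("zeroed" if nonzero == 0 else "ok"), nonzero
```

Run `group62_status(NON_ZEROED)` and `group62_status(RESET)` to see the two dumps classified; a checker app would raise its warning on the "zeroed" result.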
 
Hi, ramdoor.
We do solar/battery installations for residences and have had both a new 2016 LEAF and, more recently, we swapped it in for a 2023 model LEAF with the hopes of accessing the very good traction battery system to power some of our solar houses so that we may interface with local grid needs.

The cost of the LEAF compares very favorably to high quality renewable energy batteries and you get a car along with the battery!

We have purchased a SETEC unit direct from China which promised to access the traction battery and it did for about 30 seconds before I believe the LEAF disconnected due to factory installed software preventing such ability in the good ole USA.

Seemed to work overseas they say.

We only need the Chademo port to stay connected to the traction battery so that we may connect to that high voltage source with our normal solar Charge controllers which we usually connect to 300vdc to 500vdc solar strings.

We would love for the car battery protection software to stay active so that overdischarging could not happen, but we could work around that if necessary.

Our little lab could pay a reasonable fee for good help in this matter as it is the future, but as of now Nissan does not like the idea in the USA FOR SOME REASON.

Thanks, God bless you and let’s do something good for people.

Jon Sprinkle
SolarTechs
UNIVERSALNANOGRIDS
A CHAdeMO connector is around AUD$1000, a crazy amount of money for something so simple, and for that reason I probably won't be trying to access HV via the CHAdeMO socket on my Leaf. It would be easier and cheaper to use the aircon or heater HV DC bus and add in an off-the-shelf HV connector and use that for off-grid HVDC. That also bypasses the issue you are seeing with the charger disconnecting the HV contactors after 30 seconds.

AFAIK, the VCM must have a compatible firmware if you plan on pulling power from the battery for off-grid use. The protocol needed for this isn't included in the Australian-delivered models (Gen1 anyway), though it is included in the Japan-imported models. I suspect it is the same for your USA models? Another option is to use a CAN bridge and have it report a charge current while you are discharging; this will satisfy the charge module and keep its contactors closed. I don't know how unsafe this would be.

I'm sure the Chinese have captured the JP CHAdeMO protocol and have implemented it on your SETEC unit, but if the car won't support it, it just won't work. Perhaps if a firmware update becomes available you could update your VCM and it would be supported. I know Australia has finally decided to allow vehicle-to-grid and that should come into effect later this year. I doubt a 12-year-old Leaf would be supported though.

All that said, I have a Consult3 arriving today, and if there are any hardware test functions that can make and break contactors, it would be fairly simple to reproduce these 'test' signals to allow HV access from the CHAdeMO port. If I find anything I'll make a new post and detail it there. I'd like to keep this thread on track with BMS reverse engineering.
 
A little more info on the EEPROM: it does have multiple checksums. Here's the checksum algorithm (just a simple loop to add the values of all the bytes in the array):

[image attachment]

And here is where the checksums are stored. The checksum is calculated, then shifted right and stored, so it isn't exactly an addition of bytes.

[image attachment]

These checksum functions are called initially at power up when it downloads the EEPROM data, and then whenever EEPROM data is modified.
 
I believe the firmware update CAN commands reside in 0x21 (Read BMS Data) and 0x3B (Write Data to Memory).

In particular, these 3 sub-commands:

[image attachment]

There are two functions that will let you write a whole lot of data into RAM, and then you can call a function which sets a flag. I suspect Consult would write a small piece of code here and execute it out of RAM to do the erase/write procedure.

I'll install a BMS into the car, connect Consult and get some logs. The only problem is my USB-CAN adaptor didn't power up yesterday, so I'm waiting for new ones to arrive...
 
A CHAdeMO connector is around AUD$1000, a crazy amount of money for something so simple, and for that reason I probably won't be trying to access HV via the CHAdeMO socket on my Leaf. It would be easier and cheaper to use the aircon or heater HV DC bus and add in an off-the-shelf HV connector and use that for off-grid HVDC. That also bypasses the issue you are seeing with the charger disconnecting the HV contactors after 30 seconds.

AFAIK, the VCM must have a compatible firmware if you plan on pulling power from the battery for off-grid use. The protocol needed for this isn't included in the Australian-delivered models (Gen1 anyway), though it is included in the Japan-imported models. I suspect it is the same for your USA models? Another option is to use a CAN bridge and have it report a charge current while you are discharging; this will satisfy the charge module and keep its contactors closed. I don't know how unsafe this would be.

I'm sure the Chinese have captured the JP CHAdeMO protocol and have implemented it on your SETEC unit, but if the car won't support it, it just won't work. Perhaps if a firmware update becomes available you could update your VCM and it would be supported. I know Australia has finally decided to allow vehicle-to-grid and that should come into effect later this year. I doubt a 12-year-old Leaf would be supported though.

All that said, I have a Consult3 arriving today, and if there are any hardware test functions that can make and break contactors, it would be fairly simple to reproduce these 'test' signals to allow HV access from the CHAdeMO port. If I find anything I'll make a new post and detail it there. I'd like to keep this thread on track with BMS reverse engineering.
Thank you so much for your reply!
This situation seems to be wasting a lot of good potential in the renewable field, and I would like to work with you if possible. Please suggest what I/we may do.
 
A CHAdeMO connector is around AUD$1000, a crazy amount of money for something so simple, and for that reason I probably won't be trying to access HV via the CHAdeMO socket on my Leaf. It would be easier and cheaper to use the aircon or heater HV DC bus and add in an off-the-shelf HV connector and use that for off-grid HVDC. That also bypasses the issue you are seeing with the charger disconnecting the HV contactors after 30 seconds.

AFAIK, the VCM must have a compatible firmware if you plan on pulling power from the battery for off-grid use. The protocol needed for this isn't included in the Australian-delivered models (Gen1 anyway), though it is included in the Japan-imported models. I suspect it is the same for your USA models? Another option is to use a CAN bridge and have it report a charge current while you are discharging; this will satisfy the charge module and keep its contactors closed. I don't know how unsafe this would be.

I'm sure the Chinese have captured the JP CHAdeMO protocol and have implemented it on your SETEC unit, but if the car won't support it, it just won't work. Perhaps if a firmware update becomes available you could update your VCM and it would be supported. I know Australia has finally decided to allow vehicle-to-grid and that should come into effect later this year. I doubt a 12-year-old Leaf would be supported though.

All that said, I have a Consult3 arriving today, and if there are any hardware test functions that can make and break contactors, it would be fairly simple to reproduce these 'test' signals to allow HV access from the CHAdeMO port. If I find anything I'll make a new post and detail it there. I'd like to keep this thread on track with BMS reverse engineering.
Great. Thank you. It would mean a lot to get access to the hv battery.😎
 
Great. Thank you. It would mean a lot to get access to the hv battery.😎
It's been asked, I think, 3 times now: please do not hijack this thread with posts that have no relation to the topic. We're already 7 pages long and I expect it'll be much longer before we're done. Keep this thread on track with as little irrelevant discussion as possible. Start your own thread and tag me if you want. I will not respond further about this in this thread. Start a new thread if you want help.
 