Reverse engineering BMS Firmware / Reflashing BMS

My Nissan Leaf Forum

Are you offering to help?
I thought I found a knowledgeable and aggressive tech Eng and was conversing.
It's been asked I think 3 times now, please do not hijack this thread with posts with no relation to the topic. We're already 7 pages long and I expect it'll be much longer before we're done. Keep this thread on track with as little irrelevant discussion as possible. Start your own thread and tag me if you want. I will not respond further about this in this thread. Start a new thread if you want help.
Sorry. I obviously do not know my way around.
I suppose you are an official arbiter of this site so thank you for your help.

I really desire the info on the CAN bus connections with the battery in vivo.
 
By continuing to post here you are cluttering the thread. PLEASE STOP, and make your own thread by pressing the "Post thread..." button.
If I was a moderator on this site I would start issuing warnings.
 
Yes the 24kWh 2011-2012 BMS has tons of bugs in it. Most likely only happens on some 24kWh BMS. Some of my favourite bugs:

- If turtle mode is active to protect battery from discharging, you can override it by turning on cruise control!
- If battery is extremely cold, the allowed charge power underflows and full regen/power output is possible!
Do we know the versions of the BMS that have tons of bugs and what the features of the different BMSs are?
It would be nice to know which one is safe to use and their minimum and maximum voltage etc.
 
Not even a little undeservedly arrogant are we?
In every social space there are habits and normal expected behaviours. If someone is new to that space and inadvertently does something that is frowned upon, it’s reasonable for others to point it out so that the new person learns what is acceptable. No harm done.

When someone is politely asked several times to behave nicely, the person should stop for a moment and consider why they keep getting asked to change how they act. Is it possible the new person is not listening?

In your case you’ve repeatedly ignored polite requests and even example screenshots as guidance, and then accused one of the most generous and deeply respected experts in this area of being arrogant.

Please stop and have a think about this. You are out of line.
 
Well, maybe. Like I said, I am lost here and maybe I do not like being bullied due to my ignorance. I will take your advice and think about it.
 
Update on the Aliexpress Consult3+ VCI... Don't waste your time or money on the clones. They can't even read the VIN, I'm just glad it fails programming BEFORE it erases the BMS, not after like many of the forum posts I've just found... Wasted a day installing VMs (the supplied software is full of trojans and viruses), it can't even Reset SOH. It says 'complete' but zero change to the BMS. Pretty sure the software is just an empty shell going through the motions but not actually doing anything. It also triggers a whole bunch of new and exciting DTCs, which it can't seem to clear (Leafspy cleared them fine).

I might try my luck with VXDIAG which is said to be able to reflash via Consult3+... At least the refund process is relatively straightforward.
 
Hi,
The main problem with clones and the Consult app is the number of active CAN buses. Nissan cars up to 2018 don't have a CAN gateway, so in the OBD connector (for the LEAF ZE0) 3 CAN buses are populated (CAR_CAN, EV_CAN, MULTIMEDIA_CAN); CONSULT selects the correct CAN bus by ECU type, and if the diag tool has only one CAN bus and switches it between OBD pins there are too many problems. Before the reflash/configuration procedure CONSULT scans all ECUs (via active polling) by vehicle type and needs all 3 CAN buses active in real time. That's the problem.

I am very interested in whether the LBC from a Nissan Leaf ZE1 can be configured as a ZE0 one (if there is some CANDB version switch in the EEPROM, it may be possible to switch a ZE1 LBC to direct communication with a ZE0 car, without a CAN bridge).
 
Looking at the CAN activity, the Consult issues 'silence' commands to the various other systems on the bus, which is why all these new DTCs get set (multiple CAN bus failures). I also noticed on the VXDIAG page, it says Nissans from 2012-2013 need 'luck' to work. Not too sure what that means...
 
At the beginning of programming, CAN command 0x85 is issued to the BMS. Looking at the source, this modifies the WDT and the internal clock source for the WDT (a watchdog timer is a module in the CPU that counts down to zero and will reset the CPU; it is the code's job to keep this value topped up, and if the code should crash, it'll guarantee a reset of the BMS).

The bench supply shows an increase of current consumption from 30mA to 100mA, suggesting it is no longer idling/running interrupt-driven code but rather processing code in a loop (likely executing from RAM, which would be a necessity for flash manipulation).

While in this mode, standard CAN commands are not recognised or acknowledged. This mode lasts for approximately 5 seconds and will then revert back to normal BMS operation, unless commands are issued.

I would expect there would be some form of security (similar to 0x27) that needs to be granted before allowing erase/write/read access but just in case there isn't, it might not be the best idea trying to brute force all possible commands.
 
Finally I was able to dump both EEPROM memories from a 40 and 62 kWh BMS, thanks to the help of the master ECU programmer who is lending me his garage.
He is an expert in ECU programming and super skilled. We desoldered both EEPROMs of the two processors available in each BMS and read them. The EEPROM chip is an A640 for both processors. Memory dumps differ between the two processors. Not clear to me when both processors are used.
The main processor is a common fast processor used in many dashboards, the second processor is still unknown. We'll be able for sure to dump code from the main processor of the 40kWh BMS (not sure we have time to do it for the 62kWh one).

Attached a zip with two dumps for each BMS. dump 1 is from eeprom used by the main processor and dump 2 from the secondary processor eeprom.
 

Attachments

  • NissaLeaf_40_62_eeprom_dumps.zip
    9.3 KB
Nice!

how does your friend plan to dump the firmware out of the MCU?
He knows that chip well, he has already dumped and reprogrammed it many times because it is a garage specialized in this. Tomorrow I'll ask him to show me the pins that have to be soldered and what program he uses. BTW direct chip reading!
 
Hi, I tried to dump the firmware from the Renesas V850 CPU in the Nissan Leaf TCU via the UART debug interface, but without success. Connection OK but the CPU is read protected, so I think it will be similar in the BMS/LBC.
 
@safetyuggs - although I’m nowhere near techy enough to do memory dumps, I have just acquired a 62kWh battery in the uk. Are you still interested in photos of BMSs?

I don’t know if this is useful, but actually mine seems to be a ‘60’ not ‘62’. I did find another forum thread which indicated there could have been a subtle chemistry change in the final year. No idea if that meant BMS changes also. The exterior label says 60, and Leafspy says 60+. An example I saw on eBay (uk) was labelled 62. Image attached for what it’s worth.

Yes I do know about cell 55! I’ll be taking the lid off (full hazmat and watching @Dala ’s 62kWh battery videos, of course) to see what can be done with that.

I don’t have the lump in my possession yet, so don’t expect any images for a week or 2 if they are of use.
 

Attachments

  • IMG_1157.png
    269.9 KB
It is also read protected in the BMS but there should be a can message 0x85 that'll dump the flash - Just need to get a log of an update to work out the packet structure.
Hmm, I think reading/writing EEPROM/flash via CAN bus is similar for each ECU.
For the LBC the CAN id is 0x79B and the response id 0x7BB.

For slow reading you don't need to know the packet structure (extended protocol).

If I remember correctly:

For a simple read of 4 bytes from offset 0x20 in flash:
Message id: 0x79B, length: 0x07, data: 23 00 00 00 20 00 04

...

For a simple read of 4 bytes from offset 0x05FFF4 in flash:
Message id: 0x79B, length: 0x07, data: 23 00 05 FF F4 00 04

You need to know the flash size and read each 4 bytes from 0x00 to 0xFFFFFF (size of flash).
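An added example (not from the poster or any Nissan tool) that encodes and decodes the 0x23 read frames shown in this post, so a captured 0x79B log can be checked against the described layout. It assumes, from the two posted frames, that the 7 data bytes are service 0x23, a 4-byte big-endian address and a 2-byte big-endian length, preceded by the ISO-TP single-frame byte 0x07; the field split is an assumption that matches both examples.

```python
"""Build/decode the LBC ReadMemoryByAddress (0x23) frames described in the post."""
import struct

LBC_REQUEST_ID = 0x79B   # request CAN id from the post
LBC_RESPONSE_ID = 0x7BB  # response CAN id from the post
FLASH_SIZE = 0x1000000   # post says reads run 0x00..0xFFFFFF (assumed size)


def build_read_request(offset: int, length: int) -> bytes:
    """8-byte CAN payload: PCI 0x07 | 0x23 | addr (4 bytes BE) | len (2 bytes BE).

    The address/length split is an assumption that fits both posted frames.
    """
    if not 0 <= offset <= 0xFFFFFFFF:
        raise ValueError("offset does not fit in 4 bytes")
    if not 1 <= length <= 0xFFFF:
        raise ValueError("length does not fit in 2 bytes")
    return bytes([0x07, 0x23]) + struct.pack(">IH", offset, length)


def decode_read_request(payload: bytes):
    """Inverse of build_read_request for a captured 0x79B frame.

    Returns (offset, length), or None if the frame is not a 0x23 single-frame read.
    """
    if len(payload) != 8 or payload[0] != 0x07 or payload[1] != 0x23:
        return None
    return struct.unpack(">IH", payload[2:8])


def read_plan(flash_size: int = FLASH_SIZE, chunk: int = 4):
    """Yield (offset, frame) for every chunk needed to cover flash_size bytes.

    The last chunk is shortened so no request runs past the end of flash.
    """
    for off in range(0, flash_size, chunk):
        yield off, build_read_request(off, min(chunk, flash_size - off))


def hexdump(payload: bytes) -> str:
    """Format a frame the way the post writes it: space-separated upper-case hex."""
    return " ".join(f"{b:02X}" for b in payload)


if __name__ == "__main__":
    # Constructed check against the two frames quoted in the post.
    for off in (0x20, 0x05FFF4):
        print(f"0x{LBC_REQUEST_ID:03X}: {hexdump(build_read_request(off, 4))}")
```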
 