Reverse engineering BMS Firmware / Reflashing BMS

My Nissan Leaf Forum

@safetyuggs eagerly following your findings. I'm from Sri Lanka and have upgraded my Leaf battery with 40kWh Chinese CATL cells; I tried using a 3-port CAN bridge but the Turtle warning comes up on the first start always and it charges only to about 90 to 94% even though it is set to charge up to 100%.
Then I was advised to replace it with a Russian CAN bridge. This CAN bridge sorted all the problems that I faced with the 3-port CAN bridge; however, the hardware has failed on me. Currently I'm using my 3rd Russian CAN bridge that I purchased from my Chinese battery supplier.
 
Hmm, I think reading/writing eeprom/flash via canbus is similar for each ECU.
For LBC can id 0x79B and response 0x7BB

For slow reading you don't need a known packet structure (extended protocol)

If I remember correctly:

For simple read 4 bytes from offset 0x20 in flash
Message id: 0x79B , length: 0x07, data: 23 00 00 00 20 00 04

...

For simple read 4 bytes from offset 0x05FFF4 in flash
Message id: 0x79B , length: 0x07, data: 23 00 05 FF F4 00 04

You need to know the flash size and read each 4 bytes from 0x00 to 0xFFFFFF (size of flash)
Unfortunately there is no such command (0x23) in the BMS
 
You're probably not using the right diag session.

For reprogramming there is a special diag session "10fa" and probably after this command the ECU is switched to canbus bootloader mode (no bootloader dumped to check it)
I don't have an LBC for testing but I have a solution for direct connection/communication with the ECU "on the table" if someone provides an LBC for testing.
 
Hey! I'm looking for 20 testers for an Android app I'm coding - right now it'll just read and allow you to reset SOH and charge stats (AC and DC charge cycles etc.) but I'm working on adding cell voltages in a graph, balancing, serial recoding etc. If you're interested, PM me and I'll add you to the tester list and you can download it from the Play Store.


@safetyuggs

OK, but it's disassembled from the user code section.
Check if there is routine for switching device to bootloader mode if programming session is required.
Command 0x23 can be only in bootloader code then.
 
command 0x85 puts the BMS into the bootloader mode but so far none of the commands I've given it have given a reply while in this mode. This mode is also triggered if the checksum of the user flash area fails. My consult3 fails right before reflashing so I can't log an update to see the commands sent and received.
 
Aaah, I understand now what you mean by command 0x85. There were some ECUs with a 0x1085 session for programming.
 
Ahh, I see what you mean. I just googled 1085 and found a few references to a Hitachi brand transmission but can't see any protocols.

Looking in the code,

[attached screenshot of the disassembly]

there is code to parse 0x1085 though it'll always return 0x22 (conditions not correct), and aside from clearing a flag it doesn't do anything else.

but looking a little deeper...

[attached screenshot of the disassembly]

So it IS command 0x021085 to enter this mode. Surprisingly it doesn't appear to check diag mode or security mode flags. This could be checked in the bootloader code.

The code also enters an infinite loop which would require the WDT to trigger a reset; it'll likely check data in some of the RAM locations involved after a reset and enter the bootloader mode. This explains why I get no response after issuing the 85 command, until the BMS resets and resumes normal code execution.

There are 3 0x27 security modes, each with their own cryptographic functions (all 3 reversed and tested and all 3 are working). I suspect one of the other two would need to be enabled to enter bootloader mode. I could try all 3 before sending 0x021085 and see if I get a response that way.

Thanks for the tip!
 
No problem, I will help when I know.

0x02 in byte[0] is only the length of the command

if you send command 1085 to 0x79b then correct response from 0x7bb is 5085
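The framing described in this post and in the 0x23 examples earlier in the thread, as an added Python example (not the poster's tool and not Nissan's): it builds the ISO-TP single frames (first byte = payload length), walks the flash in 4-byte reads, and decodes positive replies (request SID + 0x40, so 10 85 answered by 50 85) and negative replies (7F, SID, NRC). The CAN IDs 0x79B/0x7BB, the 4-byte address plus 2-byte length layout of 0x23 and the 10 85 request come from the thread; the optional padding byte, the NRC names other than 0x22, the "ID hexbytes" log line format and the sample exchange at the bottom are assumptions or constructed data.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

LBC_REQUEST_ID = 0x79B   # tester -> LBC, from the thread
LBC_RESPONSE_ID = 0x7BB  # LBC -> tester, from the thread

SID_SESSION_CONTROL = 0x10         # "10 85" / "10 fa" sessions discussed above
SID_READ_MEMORY_BY_ADDRESS = 0x23  # the 4-byte read used earlier in the thread
NEGATIVE_RESPONSE = 0x7F
POSITIVE_OFFSET = 0x40             # positive response SID = request SID + 0x40

# Standard KWP2000/UDS negative response codes; only 0x22 appears on this page.
NRC_NAMES = {0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
             0x22: "conditionsNotCorrect", 0x33: "securityAccessDenied",
             0x78: "responsePending"}


def single_frame(payload: bytes, pad: Optional[int] = None) -> bytes:
    """ISO-TP single frame: PCI byte holds the payload length (1..7).
    pad is an assumed optional fill byte up to 8 bytes; the thread does not say
    whether the LBC needs padding, so none is applied by default."""
    if not 1 <= len(payload) <= 7:
        raise ValueError("single frame carries 1..7 bytes; longer needs multi-frame ISO-TP")
    frame = bytes([len(payload)]) + payload
    if pad is not None:
        frame += bytes([pad]) * (8 - len(frame))
    return frame


def read_memory_request(address: int, size: int) -> bytes:
    """0x23 payload in the thread's layout: SID, 4-byte address, 2-byte length."""
    if not 0 <= address <= 0xFFFFFFFF:
        raise ValueError("address must fit in 4 bytes")
    if not 1 <= size <= 0xFFFF:
        raise ValueError("size must fit in 2 bytes")
    return (bytes([SID_READ_MEMORY_BY_ADDRESS]) + address.to_bytes(4, "big")
            + size.to_bytes(2, "big"))


def session_request(session: int) -> bytes:
    """0x10 payload; "10 85" framed becomes "02 10 85" as explained above."""
    return bytes([SID_SESSION_CONTROL, session & 0xFF])


def flash_read_plan(flash_size: int, chunk: int = 4) -> Iterator[Tuple[int, int]]:
    """(address, size) pairs that cover the whole flash in chunk-byte reads."""
    for addr in range(0, flash_size, chunk):
        yield addr, min(chunk, flash_size - addr)


@dataclass
class DiagResponse:
    service: int            # request SID this reply belongs to
    positive: bool
    data: bytes             # bytes after the SID (positive) or after the NRC (negative)
    nrc: Optional[int] = None

    def describe(self) -> str:
        if self.positive:
            return f"positive response to 0x{self.service:02X}: {self.data.hex(' ')}"
        name = NRC_NAMES.get(self.nrc, "unknown")
        return f"negative response to 0x{self.service:02X}: NRC 0x{self.nrc:02X} ({name})"


def unwrap_single_frame(frame: bytes) -> bytes:
    """Strip the PCI byte and padding; rejects first/consecutive/flow-control frames."""
    if not frame or frame[0] >> 4 != 0:
        raise ValueError("not an ISO-TP single frame")
    n = frame[0] & 0x0F
    if not 1 <= n <= 7 or len(frame) < 1 + n:
        raise ValueError("bad single-frame length")
    return bytes(frame[1:1 + n])


def parse_response(payload: bytes) -> DiagResponse:
    """Classify a reply payload as positive (SID+0x40) or negative (7F SID NRC)."""
    if payload[0] == NEGATIVE_RESPONSE:
        if len(payload) < 3:
            raise ValueError("negative response needs 7F <sid> <nrc>")
        return DiagResponse(payload[1], False, bytes(payload[3:]), payload[2])
    if payload[0] < POSITIVE_OFFSET:
        raise ValueError("not a response SID")
    return DiagResponse(payload[0] - POSITIVE_OFFSET, True, bytes(payload[1:]))


def decode_log(lines: List[str]) -> List[str]:
    """Decode 'ID hexbytes' capture lines (assumed format) into readable diagnostics."""
    out = []
    for line in lines:
        can_id, *hexbytes = line.split()
        payload = unwrap_single_frame(bytes.fromhex("".join(hexbytes)))
        if int(can_id, 16) == LBC_RESPONSE_ID:
            out.append(f"{can_id}: " + parse_response(payload).describe())
        else:
            out.append(f"{can_id}: request SID 0x{payload[0]:02X} {payload[1:].hex(' ')}")
    return out


if __name__ == "__main__":
    # Constructed sample exchange, not a real capture: the 10 85 request, its 50 85
    # reply, a 0x23 read of 4 bytes at 0x20 and an NRC 0x22 reply like the one above.
    sample = ["79B " + single_frame(session_request(0x85)).hex(" "), "7BB 02 50 85",
              "79B " + single_frame(read_memory_request(0x20, 4)).hex(" "), "7BB 03 7F 23 22"]
    for entry in decode_log(sample):
        print(entry)
```

Running the block decodes the constructed exchange; to use it on a real capture, feed `decode_log` lines in the same "ID hexbytes" shape and extend `NRC_NAMES` with whatever codes the LBC actually returns. Multi-frame replies (a first frame with PCI high nibble 1) are deliberately rejected rather than mis-parsed.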
 
I don't mind installing this app and being a tester.
 
Hi, I'm watching the new video from EV Clinic and here is a picture from the Kangoo ZE BMS; it looks very much like the Leaf's BMS, and at the time Renault and Nissan worked very much together.

Link to the video:
 
I spent yesterday reverse engineering the .KWP protocol the Nissan firmwares come in. Attached is a small command line tool to convert the KWP into a raw binary flash file. This puts us one more step closer to being able to update your BMS using a genuine Nissan firmware (or a CATL patched firmware) without a $6000 set of hardware. Just need a log of a BMS update to fill in the last missing pieces...

Also! Gen1 BMSs are missing a bunch of CAN commands that Gen2 and 30kWh firmwares have, including re-writing serial numbers etc. Response packet lengths are also different between models, which explains why that PDF of the LBC CAN frames is completely wrong compared to the data I'm getting from my BMSs.
 

Attachments

  • kwp_stripper.zip
    5.8 KB