majbthrd (Member; joined Jun 30, 2023; 8 messages)
To gain some insight into the Nissan LEAF TCU, I bought a couple of cheap Nissan/Infiniti TCU (Telemetry) modules off eBay to take apart and examine. It seemed worthwhile to do a write-up here in case someone eventually looks for this kind of information in the future.
[rant]NHTSA encouraged Nissan to de-provision the SIM card for cybersecurity reasons, and I suspect this is going to be an ever-growing problem with these infernal cellular-connected cars where the owners get stuck mopping up the consequences of security holes past the end of warranty.[/rant]
The three Hirose connectors are: gray, white, and a coax antenna.
There are two cables associated with the gray connector: one is a shielded (also with foil wrap) USB cable, and one is a shielded audio cable for hands-free phone Bluetooth audio.
The FCC ID (LHJGNOV1N) filings provided the clue that the gray connector has a third purpose; it turns out there are pins for a +5V TTL console UART at 57600,n,8,1. Its function seems to be a software pass-through of AT commands for the cellular module to allow FCC compliance testing. Pin 43 is the +5V TTL UART TX out of the module; pin 51 is the +5V TTL UART RX into the module.
The white connector consists of power and ground, inputs to detect whether the vehicle is in IDLE, ACC, or ON mode, an output to wake up the vehicle (for remote control), and a CANbus (EV-CAN) interface.
This connector allocation should confirm the observations in this forum's existing thread "TCU Disconnect Service". Disconnecting the gray connector disrupts the infotainment's USB connectivity to the cellular module as well as the Bluetooth hands-free audio. Disconnecting the white connector leaves the module unpowered, which prevents the gray connector functionality as well as preventing the module from responding to EV-CAN traffic. The car is just too dependent on the module to allow anything to be disconnected without errors and/or loss of functionality.
The antenna connection appears to serve double duty both for cellular service and Bluetooth.
The USB implementation is nominally a USB CDC-ACM serial port, but the implementation is very amateur hour. The USB descriptor is not standards compliant, and so it is not recognized by Linux, Windows, etc. I've provided the USB descriptor below for completeness. (That the FCC backdoor provides command access to the cellular module limits the added utility that would be achieved by getting the non-standard USB implementation working with a host PC.)
I presume that most, if not all, interactions between the infotainment system and the TCU happen via USB. However, I have not built the cables to sniff the traffic in a working LEAF to confirm this.
The CANbus-connected processor is a Freescale HCS12X family processor (MC9S12XEQ512VAL). IMHO, it has an obscene amount (512 kBytes!) of flash memory for this sort of processor, which puzzles me as to why a cost-conscious manufacturer would think it necessary to choose it. The processor has a Freescale BDM connector (it appears to be the standard pinout) for factory programming. Depending on how diligent the developers were, they may or may not have secured the code. I may eventually have the right BDM adapter to verify this, but regardless, I am NOT volunteering to reverse engineer 512 kBytes of firmware object code.
The other processor is integral to the cellular / Bluetooth functionality, and this is what provides the USB device implementation. The USB VID:PID is 1519:0015, which reveals that the design was supplied by Comneon GmbH. A Google search of the chip markings did not conclusively confirm the supplier, although there is a PMB6812 for Bluetooth plus DRAM and flash under the shield can.
There is a mystery UART packet protocol between the HCS12X processor (UART4) and the cellular module where each message is sent as a handful of bytes with the NUL (0x00) character utilized as both the first and last byte of the message.
Using the hidden console on the gray connector, it was possible to issue some AT commands to probe for additional details on the cellular module, and these are further below.
The module-side gray connector header appears to be a Hirose GT17HN-16DP.
The module-side white connector header appears to be a Hirose GT25-40DP-2.2H.
Code:
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 255 Vendor Specific Class
bDeviceSubClass 255 Vendor Specific Subclass
bDeviceProtocol 255 Vendor Specific Protocol
bMaxPacketSize0 64
idVendor 0x1519 Comneon
idProduct 0x0015
bcdDevice 3.26
iManufacturer 1 Comneon GmbH Co KG
iProduct 2 Comneon: 2 CDC and 1 MS.
iSerial 3 352199041160544
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 103
bNumInterfaces 3
bConfigurationValue 1
iConfiguration 4 cfg1: ACM w/ BULK and Dbg/Trc
bmAttributes 0xc0
Self Powered
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 136
bInterfaceProtocol 1
iInterface 5 CDC Communication Interface
CDC Header:
bcdCDC 1.10
CDC Union:
bMasterInterface 0
bSlaveInterface 1
CDC Call Management:
bmCapabilities 0x00
bDataInterface 1
CDC ACM:
bmCapabilities 0x0f
connection notifications
sends break
line coding and serial state
get/set/clear comm features
** UNRECOGNIZED: 06 44 11 01 01 c0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 16
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 10 CDC Data
bInterfaceSubClass 0 Unused
bInterfaceProtocol 0
iInterface 6 CDC Data Interface
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 1
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 136
bInterfaceProtocol 1
iInterface 7 CDC Communication-only Interface
CDC Header:
bcdCDC 1.10
INVALID CDC (Union): 04 24 06 02
** UNRECOGNIZED: 05 44 11 05 02
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x87 EP 7 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 16
Device Status: 0x0001
Self Powered
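As an added example (not code from the post), the small Python checker below walks a configuration descriptor and flags the items a CDC-ACM class driver trips over in the dump above: the comm interfaces' subclass 0x88 (lsusb prints 136) where ACM is 0x02, the 0x44 descriptor types lsusb reports as UNRECOGNIZED, and the 4-byte union descriptor that lacks its slave interface. The byte string is my reconstruction from the decoded listing, so the order of the class-specific descriptors within each interface is an assumption, but its total length comes out at the dump's wTotalLength of 103.

```python
"""Conformance check of a USB configuration descriptor against what a CDC-ACM
class driver expects. Added example: the bytes below are reconstructed from the
lsusb dump in the post, not captured from a TCU."""

CS_INTERFACE = 0x24            # CDC class-specific interface descriptor type
CDC_COMM, CDC_ACM_SUBCLASS = 0x02, 0x02
UNION_SUBTYPE = 0x06

TCU_CONFIG = bytes.fromhex(
    "09 02 67 00 03 01 04 c0 32"  # config: wTotalLength 103, 3 interfaces, 100mA
    "09 04 00 00 01 02 88 01 05"  # if0: class 2 comm, subclass 0x88 (lsusb: 136)
    "05 24 00 10 01"              # CDC header, bcdCDC 1.10
    "05 24 06 00 01"              # union: master 0, slave 1
    "05 24 01 00 01"              # call management
    "04 24 02 0f"                 # ACM capabilities 0x0f
    "06 44 11 01 01 c0"           # lsusb: ** UNRECOGNIZED
    "07 05 83 03 40 00 10"        # EP3 IN interrupt
    "09 04 01 00 02 0a 00 00 06"  # if1: CDC data
    "07 05 81 02 40 00 01"        # EP1 IN bulk
    "07 05 02 02 40 00 01"        # EP2 OUT bulk
    "09 04 02 00 01 02 88 01 07"  # if2: comm-only, same odd subclass
    "05 24 00 10 01"              # CDC header
    "04 24 06 02"                 # lsusb: INVALID CDC (Union), slave missing
    "05 44 11 05 02"              # lsusb: ** UNRECOGNIZED
    "07 05 87 03 40 00 10"        # EP7 IN interrupt
)

def check_cdc_config(cfg: bytes) -> list:
    """Walk the descriptor chain; return one finding per non-conformance."""
    findings, pos, iface = [], 0, None
    if int.from_bytes(cfg[2:4], "little") != len(cfg):
        findings.append("wTotalLength does not match descriptor length")
    while pos + 2 <= len(cfg):
        length, dtype = cfg[pos], cfg[pos + 1]
        if length < 2 or pos + length > len(cfg):
            findings.append(f"offset {pos}: bad bLength {length}")
            break
        d = cfg[pos:pos + length]
        if dtype == 0x04:                                   # INTERFACE
            iface, cls, sub = d[2], d[5], d[6]
            if cls == CDC_COMM and sub != CDC_ACM_SUBCLASS:
                findings.append(f"if{iface}: comm subclass 0x{sub:02x}, ACM drivers bind 0x02")
        elif dtype == CS_INTERFACE:
            if d[2] == UNION_SUBTYPE and length < 5:       # needs master and slave
                findings.append(f"if{iface}: union descriptor {length} bytes, minimum 5")
        elif dtype not in (0x02, 0x05):                     # CONFIGURATION, ENDPOINT
            findings.append(f"if{iface}: non-standard descriptor type 0x{dtype:02x}: {d.hex(' ')}")
        pos += length
    return findings
```

check_cdc_config(TCU_CONFIG) returns five findings: two for subclass 0x88, two for descriptor type 0x44, and one for the short union. The dump's bDeviceClass of 255 compounds this on Linux, where interface-class matching is skipped for a vendor-specific device unless the driver's ID table names the VID, so cdc_acm never considers these interfaces at all.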
Code:
AT+CGMI
+CGMI: Continental Automotive Systems
AT+CGMM
+CGMM: "GSM900","GSM1800","GSM1900","GSM850","MODEL=SGOLD2 NAD"
AT+CGMR
+CGMR: "02.13R_56R_V26"
AT+GCAP
+GCAP: +FCLASS,+CGSM