TCU Teardown

majbthrd

To gain some insight into the Nissan LEAF TCU, I bought a couple of cheap Nissan/Infiniti TCU (Telemetry) modules off eBay to take apart and examine. It seemed worthwhile to do a write-up here in case someone eventually looks for this kind of information in the future.

[rant]NHTSA encouraged Nissan to de-provision the SIM card for cybersecurity reasons, and I suspect this is going to be an ever-growing problem with these infernal cellular-connected cars where the owners get stuck mopping up the consequences of security holes past the end of warranty.[/rant]

The three Hirose connectors are: gray, white, and a coax antenna.

There are two cables associated with the gray connector: one is a shielded (also with foil wrap) USB cable, and one is a shielded audio cable for hands-free phone Bluetooth audio.

The FCC ID (LHJGNOV1N) filings provided the clue that the gray connector has a third purpose; it turns out there are pins for a +5V TTL console UART at 57600,n,8,1. Its function seems to be a software pass-through of AT commands for the cellular module to allow FCC compliance testing. Pin 43 is the +5V TTL UART TX out of the module; pin 51 is the +5V TTL UART RX into the module.

The white connector consists of power and ground, inputs to detect whether the vehicle is in IDLE, ACC, or ON mode, an output to wake up the vehicle (for remote control), and a CANbus (EV-CAN) interface.

This connector allocation should confirm the observations in this forum's existing thread "TCU Disconnect Service". Disconnecting the gray connector disrupts the infotainment's USB connectivity to the cellular module as well as the Bluetooth hands-free audio. Disconnecting the white connector leaves the module unpowered, which prevents the gray connector functionality as well as preventing the module from responding to EV-CAN traffic. The car is just too dependent on the module to allow anything to be disconnected without errors and/or loss of functionality.

The antenna connection appears to serve double duty both for cellular service and Bluetooth.

The USB implementation is nominally a USB CDC-ACM serial port, but the implementation is very amateur hour. The USB descriptor is not standards compliant, and so it is not recognized by Linux, Windows, etc. I've provided the USB descriptor below for completeness. (That the FCC backdoor provides command access to the cellular modules limits the added utility that would be achieved by getting the non-standard USB implementation working with a host PC.)

I presume that most, if not all, interactions between the infotainment system and the TCU happen via USB. However, I have not built the cables to sniff the traffic in a working LEAF to confirm this.

The CANbus-connected processor is a Freescale HCS12X family processor (MC9S12XEQ512VAL). IMHO, it has an obscene amount (512kBytes!) of flash memory for this sort of processor, which puzzles me as to why a cost-conscious manufacturer would think it necessary to choose it. The processor has a Freescale BDM connector (it appears to be the standard pinout) for factory programming. Depending on how diligent the developers were, they may or may not have secured the code. I may eventually have the right BDM adapter to verify this, but regardless, I am NOT volunteering to reverse engineer 512kBytes of firmware object code.

The other processor is integral to the cellular / Bluetooth functionality, and this is what provides the USB device implementation. The USB VID:PID is 1519:0015, which reveals that the design was supplied by Comneon GmbH. A Google search of the chip markings did not conclusively confirm the supplier, although there is a PMB6812 for Bluetooth plus DRAM and flash under the shield can.

There is a mystery UART packet protocol between the HCS12X processor (UART4) and the cellular module where each message is sent as a handful of bytes with the NUL (0x00) character utilized as both the first and last byte of the message.

Using the hidden console on the gray connector, it was possible to issue some AT commands to probe for additional details on the cellular module, and these are further below.

The module-side gray connector header appears to be a Hirose GT17HN-16DP.

The module-side white connector header appears to be a Hirose GT25-40DP-2.2H.

Code:
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass          255 Vendor Specific Class
  bDeviceSubClass       255 Vendor Specific Subclass
  bDeviceProtocol       255 Vendor Specific Protocol
  bMaxPacketSize0        64
  idVendor           0x1519 Comneon
  idProduct          0x0015 
  bcdDevice            3.26
  iManufacturer           1 Comneon GmbH Co KG
  iProduct                2 Comneon: 2 CDC and 1 MS.
  iSerial                 3 352199041160544
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength          103
    bNumInterfaces          3
    bConfigurationValue     1
    iConfiguration          4 cfg1: ACM w/ BULK and Dbg/Trc
    bmAttributes         0xc0
      Self Powered
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass    136 
      bInterfaceProtocol      1 
      iInterface              5 CDC Communication Interface
      CDC Header:
        bcdCDC               1.10
      CDC Union:
        bMasterInterface        0
        bSlaveInterface         1 
      CDC Call Management:
        bmCapabilities       0x00
        bDataInterface          1
      CDC ACM:
        bmCapabilities       0x0f
          connection notifications
          sends break
          line coding and serial state
          get/set/clear comm features
      ** UNRECOGNIZED:  06 44 11 01 01 c0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval              16
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 
      iInterface              6 CDC Data Interface
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass    136 
      bInterfaceProtocol      1 
      iInterface              7 CDC Communication-only Interface
      CDC Header:
        bcdCDC               1.10
      INVALID CDC (Union):  04 24 06 02
      ** UNRECOGNIZED:  05 44 11 05 02
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x87  EP 7 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval              16
Device Status:     0x0001
  Self Powered

Code:
AT+CGMI
+CGMI: Continental Automotive Systems

AT+CGMM
+CGMM: "GSM900","GSM1800","GSM1900","GSM850","MODEL=SGOLD2 NAD"

AT+CGMR
+CGMR: "02.13R_56R_V26"

AT+GCAP
+GCAP: +FCLASS,+CGSM
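
An added example (not part of the original post): a Python check that walks the class-specific descriptors of the two CDC control interfaces in the dump above and lists where they depart from the CDC 1.1 ACM layout. The three byte strings marked "dump" are quoted from the lsusb output; the others are re-encoded from its decoded fields, and the function names are this example's own.

```python
CS_INTERFACE = 0x24   # bDescriptorType of a CDC functional descriptor
ACM_SUBCLASS = 0x02   # bInterfaceSubClass for Abstract Control Model
# bDescriptorSubtype -> (name, minimum length) per the CDC 1.1 layouts
SUBTYPES = {0x00: ("Header", 5), 0x01: ("Call Management", 5),
            0x02: ("ACM", 4), 0x06: ("Union", 5)}

# interface number -> (bInterfaceSubClass, endpoint count, class-specific bytes)
# "dump" = quoted in the lsusb output; "re-encoded" = constructed from its fields
INTERFACES = {
    0: (136, 1, bytes.fromhex("0524001001"      # Header 1.10 (re-encoded)
                              "0524060001"      # Union 0 -> 1 (re-encoded)
                              "0524010001"      # Call Management (re-encoded)
                              "0424020f"        # ACM caps 0x0f (re-encoded)
                              "0644110101c0")), # dump: ** UNRECOGNIZED
    1: (0, 2, b""),                             # CDC Data, no functional descriptors
    2: (136, 1, bytes.fromhex("0524001001"      # Header 1.10 (re-encoded)
                              "04240602"        # dump: INVALID CDC (Union)
                              "0544110502")),   # dump: ** UNRECOGNIZED
}

def walk(extra):
    """Split a class-specific blob into descriptors using each bLength byte."""
    pos = 0
    while pos < len(extra):
        length = extra[pos]
        if length < 3 or pos + length > len(extra):
            raise ValueError(f"bad bLength {length} at offset {pos}")
        yield extra[pos:pos + length]
        pos += length

def check_control_interface(number):
    """List where one control interface departs from the CDC ACM layout."""
    subclass, _, extra = INTERFACES[number]
    findings = []
    if subclass != ACM_SUBCLASS:
        findings.append(f"if{number}: bInterfaceSubClass {subclass:#04x}, ACM is 0x02")
    for desc in walk(extra):
        if desc[1] != CS_INTERFACE:
            findings.append(f"if{number}: type {desc[1]:#04x} is not CS_INTERFACE")
            continue
        name, min_len = SUBTYPES.get(desc[2], ("unknown subtype", 3))
        if len(desc) < min_len:
            findings.append(f"if{number}: {name} is {len(desc)} bytes, needs {min_len}")
    return findings

def total_length():
    """Config (9) + per interface: header (9), functional bytes, 7 per endpoint."""
    return 9 + sum(9 + len(x) + 7 * eps for _, eps, x in INTERFACES.values())
```

`total_length()` returning 103 confirms the re-encoded bytes add up to the `wTotalLength` reported in the dump; `check_control_interface(0)` and `check_control_interface(2)` return the deviation lists.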
 
If you can build some, there's a market for those coax cable-->SMA connectors to use the existing antenna cable (when disconnected from the TCU) as a GSM/LTE antenna for the OVMS module that can replace the functionality of the (now disconnected) TCU. The parts are cheap (a 10ft+ length of coax terminated with an SMA is the most expensive part); the problem is assembling/terminating the GT16C Hirose connector (that mates with existing cable) to the other side.
I have a parts list if you want it; I even have a coax cable I was never able to successfully terminate the Hirose connector to--even with the proper crimping tool!
 
Stanton said:
If you can build some, there's a market for those coax cable-->SMA connectors

The existing coax connectors are GT16C-1P-H on the PCB and GT16C-1S-HU on the cable side, right?

It does look like Hirose already sells an SMA adapter; if I'm reading the Hirose datasheet right, I *think* GT16GP-HRMJ is the right part. However, the $167 price is high; moreover, it doesn't seem to have a physical latch like the plastic housings do.

Is a 10ft cable needed, or does that just happen to be a readily available length of cable to buy? Previously, I would have just assumed that the OVMS might be placed nearby the TCU, but now looking online, it seems it may be sold as a kit with an OBDII cable, so perhaps it is more straightforward to put the OVMS near the OBDII connector?

I don't have the relevant coax crimping tools, and won't claim to be that skilled with the assorted crimping tools that I do have. I wonder whether the most straightforward solution might be a PCB with the GT16C-1P-H and an SMA?
 
majbthrd said:
Stanton said:
If you can build some, there's a market for those coax cable-->SMA connectors

The existing coax connectors are GT16C-1P-H on the PCB and GT16C-1S-HU on the cable side, right?

It does look like Hirose already sells an SMA adapter; if I'm reading the Hirose datasheet right, I *think* GT16GP-HRMJ is the right part. However, the $167 price is high; moreover, it doesn't seem to have a physical latch like the plastic housings do.

Is a 10ft cable needed, or does that just happen to be a readily available length of cable to buy? Previously, I would have just assumed that the OVMS might be placed nearby the TCU, but now looking online, it seems it may be sold as a kit with an OBDII cable, so perhaps it is more straightforward to put the OVMS near the OBDII connector?

I don't have the relevant coax crimping tools, and won't claim to be that skilled with the assorted crimping tools that I do have. I wonder whether the most straightforward solution might be a PCB with the GT16C-1P-H and an SMA?

That $167 Hirose part doesn't sound right.
You need to get from where the TCU was (on the right side of the car) to where the CAN connector is (on the left side of the car); the antenna cable stub isn't long enough (on the right side), and the OVMS cable length requires it to be near the CAN port (on the left side). Something like this 10ft SMA-to-SMA cable assembly is where you start (https://www.mouser.com/ProductDetail/Amphenol-Cables-on-Demand/CO-316SMAX200-010?qs=BA62vJVifGr7fwYGDdWumg%3D%3D); just cut one of the ends off to terminate the Hirose connector.

The manufacturer part number for the Hirose plastic connector is: GT16C-1PP-HU
The bits and pieces that go into that termination (which is the hard part) are:
GT16-2428PCF
GT16C-/1.6-2.9PC
GT16-PC
GT16C-1P/S-R(23)


There is an assembly diagram somewhere (probably from the crimping tool), but I can't put my hands on it right now; it's been over a year since I tried (and failed) to make the termination on the cable currently in my car (waiting for another attempt).
 
Hello, my question is, are TCU modules "plug and play"?
Can you exchange them in the car as you wish?
The question is based on the idea of making the US version of Carwings work in Europe.
 
kamil1987 said:
Hello, my question is, are TCU modules "plug and play"?
Can you exchange them in the car as you wish?

Seems unlikely. https://static.nhtsa.gov/odi/tsbs/2018/MC-10152513-9999.pdf was the procedure to swap out the 2G TCU in '11 to '15 Leafs for a 3G-capable one. And now, the 3G version doesn't work in the US anymore since AT&T shut off 3G.

C-III plus refers to Consult III plus: https://www.nissan-techinfo.com/dept.aspx?dept_id=25.
 
kamil1987 said:
The question is based on the idea of making the US version of Carwings work in Europe.

Definitely not possible.
If you want remote monitoring for Gen1 Leafs (any country), try an OVMS solution. Search for my name and/or "ovms" for the thread on this forum.
 