On Mon, Jan 23, 2017 at 3:18 AM, Tom Parker via EV <[email protected]> wrote:

> Is anyone trying to reverse engineer the handshake between the Leaf BMS and
> the rest of the car?

I haven't yet. I haven't had any need to swap batteries in a Leaf. Instead I've added some to the existing pack, but externally, so I didn't need to mess with the BMS in the car.

> As I understand it, the Leaf BMS is quite happy to work on its own, but some
> other part of the car authenticates the BMS and is not happy if the BMS is swapped.
> A friend tried swapping the whole battery including the BMS; he says the car
> was not happy. It worked, but only in Turtle mode, regardless of state of
> charge.

Yes, it sounds as if it is validating the pack somehow. I don't know which messages might be responsible for this. I'm working on firmware that can run on a board with two CAN buses and then monitor both sides to determine which frames a device outputs and which it accepts. This would make it easy to determine the messages actually coming from the BMS and when they occur, but it requires cutting the wiring and inserting the device in between. Though, presumably one needn't keep sending the validation over and over, so it probably occurs early in the process. Because of that, it might be possible to find the validation message just by looking at a power train CAN capture and seeing which frames are sent only early in the process. That's a potential avenue for attack. Also, the security validation bytes for the Leaf seem to always use the same algorithm, so if there's a security byte it should already be possible to generate it.

> Has anyone identified the CAN bus messages that contain the authentication
> handshake? I've been collecting information at
> https://carrott.org/emini/Nissan_Leaf_OVMS#Leaf_Can_Bus but I haven't seen
> information about the BMS authentication.

I looked at your site. As you found, the big spreadsheet of knowledge on the Leaf is pretty far off from reality all too often. There are many falsehoods in there, but it's a start.

> Could you put a man in the middle between the BMS and the rest of the car
> which allows the original BMS board to authenticate, but replaces all the
> battery status messages with "everything is fine"? Obviously the man in the
> middle would need to talk to the BMS on the new battery (either another
> Nissan or a whole new BMS or whatever) and tell the car everything is not
> fine if the new battery is in trouble.

It's certainly possible. A lot of BMS messages have been decoded (kind of... see above for how much I trust that spreadsheet), but you need to really thoroughly emulate it in order to do a convincing job of emulation.
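The capture triage the reply above describes, sorting CAN IDs into those that only appear early in a log and those that keep repeating, as an added example that is not part of the original message or of any EVDL member's firmware. It parses socketcan `candump -L` style lines (`(timestamp) iface id#hexdata`); the capture below is constructed, and its IDs, payloads and timing are invented and do not correspond to any real vehicle's messages. The same per-ID timing profile is also what a CAN anomaly monitor needs as a baseline, so the function is useful on the defensive side too.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed capture in "candump -L" format. IDs 0x100/0x200/0x300 and
# the payloads are invented for this example (they are NOT real Leaf frames).
# 0x100 and 0x300 keep repeating; 0x200 is seen only in the first second.
SAMPLE_CAPTURE = """\
(1000.000000) can0 100#0102030405060708
(1000.010000) can0 300#AA55
(1000.050000) can0 200#01
(1000.100000) can0 100#0102030405060708
(1000.110000) can0 300#AA56
(1000.200000) can0 100#0102030405060708
(1000.250000) can0 200#02
(1000.300000) can0 100#0102030405060708
(1005.000000) can0 100#0102030405060708
(1005.010000) can0 300#AA57
(1005.100000) can0 100#0102030405060708
(1010.000000) can0 100#0102030405060708
(1010.010000) can0 300#AA58
(1020.000000) can0 100#0102030405060708
"""

# One candump -L line: "(sec.usec) iface ID#DATA"; DATA may be empty (zero-length frame).
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)"
)


def parse_candump(text):
    """Return a list of (timestamp, iface, can_id, payload_bytes); unparsable lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        frames.append((float(m["ts"]), m["iface"], int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def id_stats(frames):
    """Per-ID timing profile: count, first/last seen, mean inter-frame gap (None if seen once)."""
    by_id = defaultdict(list)
    for ts, _iface, can_id, _data in frames:
        by_id[can_id].append(ts)
    stats = {}
    for can_id, times in by_id.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats[can_id] = {
            "count": len(times),
            "first": times[0],
            "last": times[-1],
            "mean_period": mean(gaps) if gaps else None,
        }
    return stats


def startup_only_ids(frames, window_s):
    """IDs whose last occurrence falls within window_s seconds of the capture start.

    These are the candidates for one-shot startup traffic, as opposed to the
    periodic status frames that continue for the whole capture.
    """
    if not frames:
        return []
    t0 = min(ts for ts, *_ in frames)
    return sorted(cid for cid, s in id_stats(frames).items() if s["last"] - t0 <= window_s)


def report(text, window_s=1.0):
    """Human-readable summary, returned as lines so it can be checked or printed."""
    frames = parse_candump(text)
    lines = [f"{len(frames)} frames, {len(id_stats(frames))} distinct IDs"]
    for cid, s in sorted(id_stats(frames).items()):
        period = "one-shot" if s["mean_period"] is None else f"~{s['mean_period']:.3f}s"
        lines.append(f"  0x{cid:03X}: {s['count']:3d} frames, period {period}")
    lines.append("startup-only IDs: " + ", ".join(f"0x{c:03X}" for c in startup_only_ids(frames, window_s)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

Feed it a real `candump -L` log and widen `window_s` to however long the car takes to go "ready"; anything that drops out of the list as the window grows is periodic, and what remains is the short startup conversation worth reading frame by frame.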
