On 24/01/17 03:09, Collin Kidder wrote:
> Yes, it sounds as if it is validating the pack somehow. I don't know which messages might be responsible for this. I'm working on firmware that can run on a board with two CAN buses and then monitor both sides to determine which frames a device outputs and which it accepts. This would make it easy to determine the messages actually coming from the BMS and when they occur but requires cutting the wiring and inserting the device in between.
That sounds like a nice piece of hardware. Can you put two CAN shields on an Arduino at the same time?
From what I read, SocketCAN's cangw utility can do this if you have two interfaces. I have a friend with a complete Leaf system on the bench; I'll see if I can put my laptop between the battery and the rest of the system.
> Though, presumably one needn't keep sending the validation over and over so it probably occurs early in the process. Because of that, it might be possible to find the validation message just by looking at a power train CAN capture and seeing which frames are sent only early in the process.
On my car, there is only one frame that isn't repeated continuously after startup (0x603 is sent once, with a single byte payload which is 00 in my captures).
I'll try disconnecting the 12 V battery tomorrow and see if anything different happens when it's connected, or during the first startup.
> That's a potential avenue for attack. Also, the security validation bytes for the Leaf seem to always use the same algorithm so if there's a security byte it should already be possible to generate it.
Are you referring to your https://github.com/collin80/CRC_Nissan ? Which frames have this checksum?
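
Added example, not part of the original message or of either poster's code: one way to do the capture analysis discussed above, listing CAN IDs that appear only in the first seconds of a `candump -L` log. Apart from 0x603 with payload 00, the sample frames, the other IDs, and the window and count thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# One classic CAN data frame in candump -L format: "(ts) iface ID#HEXDATA"
FRAME = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#((?:[0-9A-Fa-f]{2})*)")

def parse(log):
    """Return [(timestamp, can_id, payload)]; non-matching lines are skipped."""
    frames = []
    for line in log.splitlines():
        m = FRAME.fullmatch(line.strip())
        if m:  # RTR ("#R") and CAN FD ("##") lines do not match
            frames.append((float(m[1]), int(m[2], 16), bytes.fromhex(m[3])))
    return frames

def startup_only_ids(log, window=2.0, max_count=3):
    """Map each CAN ID seen only within `window` seconds of the first frame,
    and at most `max_count` times, to its [(offset_s, payload)] list."""
    frames = parse(log)
    if not frames:
        return {}
    t0 = min(ts for ts, _, _ in frames)
    if max(ts for ts, _, _ in frames) - t0 <= window:
        # Every ID would look "early" if the capture ends inside the window.
        raise ValueError("capture is not longer than the startup window")
    seen = defaultdict(list)
    for ts, can_id, data in sorted(frames):
        seen[can_id].append((round(ts - t0, 3), data))
    return {cid: hits for cid, hits in seen.items()
            if len(hits) <= max_count and hits[-1][0] <= window}

# Constructed capture: 0x603#00 once at startup (as reported in the thread),
# two made-up periodic IDs, and one made-up ID that is rare but late.
SAMPLE = "\n".join(
    ["(100.000000) can0 603#00", "(104.000000) can0 300#01"]
    + [f"({100.01 + 0.1 * i:.6f}) can0 100#{i:02X}00" for i in range(50)]
    + [f"({100.02 + 0.5 * i:.6f}) can0 200#FFEE" for i in range(10)]
)

if __name__ == "__main__":
    for cid, hits in startup_only_ids(SAMPLE).items():
        print(f"0x{cid:03X}", [(t, d.hex()) for t, d in hits])
```

Comparing the result across a normal start and a start after the 12 V battery was disconnected would show whether any extra one-shot frames appear only in the latter.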