LEAF CANbus decoding. (Open discussion)

My Nissan Leaf Forum

Help Support My Nissan Leaf Forum:

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.
JeremyW said:
As far as I know, Bosch doesn't make anything in the leaf. The main ECU is made by Hitachi. TCU is by Continental. My guess is the inverter is designed by Nissan in house.

celeron55, some great work there. Can you post the EEPROM contents? What are you using the motor for?

Maybe a new thread is necessary for your project. :)

Never implied that the ECU was made by Bosch! Only that use of a serial EEPROM is 20+ year old technology now that most
processors have flash.
 
JeremyW said:
celeron55, some great work there. Can you post the EEPROM contents? What are you using the motor for?

Here are the links again (same data, different formats): https://pastebin.com/Vb3WGWks https://pastebin.com/dUAREEvr (don't have a real serial EEPROM reader so just dumped it with an arduino)

The motor is going to be used in a DIY EV project. But, there's a full protocol reverse engineering effort to be done between now and that, otherwise it's useless! All the work done for monitoring tools is grossly inaccurate for actually trying to control this thing, but it's a start. The messages I need to focus on are the ones that people have overlooked as "not interesting, seems to only do something at startup"!

A look at the DTC list for the inverter (as published by Nissan) tells me it's picky enough to make this a real challenge.

These are the DTCs that specify "Stops drive control of traction motor" as vehicle behavior:
P0A2F, P0A3F, P0A44, P0A78, P0A8D, P0BE5, P0BE6, P0BE9, P0BEA, P0C79,
P318E, P3197, P3199, P31A2, P31A4, P31AD,
P3240, P3241, P3242, P3243, P3247, P3249, P324A, P324D

Turbo3: Does Leaf Spy Pro support all of the inverter DTCs listed in the manual's TMS section?
 
celeron55 said:
JeremyW said:
celeron55, some great work there. Can you post the EEPROM contents? What are you using the motor for?

Here are the links again (same data, different formats): https://pastebin.com/Vb3WGWks https://pastebin.com/dUAREEvr (don't have a real serial EEPROM reader so just dumped it with an arduino)

The motor is going to be used in a DIY EV project. But, there's a full protocol reverse engineering effort to be done between now and that, otherwise it's useless! All the work done for monitoring tools is grossly inaccurate for actually trying to control this thing, but it's a start. The messages I need to focus on are the ones that people have overlooked as "not interesting, seems to only do something at startup"!

A look at the DTC list for the inverter (as published by Nissan) tells me it's picky enough to make this a real challenge.

These are the DTCs that specify "Stops drive control of traction motor" as vehicle behavior:
P0A2F, P0A3F, P0A44, P0A78, P0A8D, P0BE5, P0BE6, P0BE9, P0BEA, P0C79,
P318E, P3197, P3199, P31A2, P31A4, P31AD,
P3240, P3241, P3242, P3243, P3247, P3249, P324A, P324D

Turbo3: Does Leaf Spy Pro support all of the inverter DTCs listed in the manual's TMS section?
The list of DTC's is created by the motor/inverter ECU. LeafSpy Pro requests that list. The list will contain all the DTC's that have occurred with a flag indicating if it is still active. So replace "support" with "read and clear" and the answer is yes.
 
Does anyone know of a gen2 EV CAN capture for a "switch on, switch to D, drive, stop, switch off" sequence?

I made a capture from my car. I have a 2016 Leaf which is a little different from the 2013-2015 Leafs but hopefully this part hasn't changed.

https://carrott.org/pcaps/2016-24kWh-ev-on-drive-park-off.pcap

What format would you like? I normally use pcaps to store my recordings and wireshark or custom scripts to analyse them. I've tried Kayak but it's pretty buggy. I haven't tried Colin Kidder's http://www.savvycan.com/ yet but I hear good things.

You can pipe the pcap into https://carrott.org/git/leaf-can-dissector.git/blob/HEAD:/pcap-to-canplayer-binary.py to convert to linux-can's canplayer binary format if that helps.

If I was attempting this project I'd really want a fully working set up with all the original Nissan modules. I'd insert a man in the middle in the can bus between the car and the inverter so I could identify which messages are important and then modify them to discover what they do. I did this between the car and the LBC -- see https://carrott.org/blog/archives/159-Nissan-Leaf-CAN-Bus-Man-In-The-Middle.html and also https://carrott.org/git/leaf-can-utils.git for the man in the middle and .kcd bus definition and https://carrott.org/git/leaf-can-dissector.git for a Wireshark dissector. Both of these are mostly focused on the battery rather than the motor.

A friend of mine had more luck reversing the LBC by disassembling it's firmware. Doing this may be necessary in addition to or instead of a MitM to understand how the can bus messages are interpreted.

BTW, at less than 5kB, the serial EEPROM you read must only hold configuration data, not the programme that runs the inverter's cpus.
 
carrott said:
I made a capture from my car. I have a 2016 Leaf which is a little different from the 2013-2015 Leafs but hopefully this part hasn't changed.

If I was attempting this project I'd really want a fully working set up with all the original Nissan modules. I'd insert a man in the middle in the can bus between the car and the inverter so I could identify which messages are important and then modify them to discover what they do. I did this between the car and the LBC -- see https://carrott.org/blog/archives/159-Nissan-Leaf-CAN-Bus-Man-In-The-Middle.html and also https://carrott.org/git/leaf-can-utils.git for the man in the middle and .kcd bus definition and https://carrott.org/git/leaf-can-dissector.git for a Wireshark dissector. Both of these are mostly focused on the battery rather than the motor.

A friend of mine had more luck reversing the LBC by disassembling it's firmware. Doing this may be necessary in addition to or instead of a MitM to understand how the can bus messages are interpreted.

BTW, at less than 5kB, the serial EEPROM you read must only hold configuration data, not the programme that runs the inverter's cpus.

This inverter is, in fact, from a 2016 Leaf. I'm not aware of what changes they've done between 2015 and 2016, but's very nice to have this capture of yours!

Any format works just fine, converting between formats is the least of my problems. My tooling is so DIY it really doesn't matter.

I think reversing this is possible without a full system, the EV CAN bus traffic is simple enough. My current plan is to get feedback from the inverter via DTCs and play a modified capture (synced to a precharge circuit and a power-on signal) to it until I know which changes cause which DTCs. One of the first things the inverter expects to go smoothly is the precharge. It's where I'm starting from once I have my tools set up.

The inverter actually has incredibly few inputs: The only things it connects to is the high voltage bus, 12V power, a 12V power-on signal, the CAN bus and the motor sensors. Nothing else. Literally nothing else!

Yes, the serial EEPROM obviously only contains configuration data. Most likely all of it.
 
That’s really encouraging. Assuming the CAN side can be completely mapped out, the leaf motor/inverter combo could be used in a lot of conversions.
 
This inverter is, in fact, from a 2016 Leaf. I'm not aware of what changes they've done between 2015 and 2016, but's very nice to have this capture of yours!

Let me know if you need anything else.

Any format works just fine, converting between formats is the least of my problems. My tooling is so DIY it really doesn't matter.

The convert to canplayer binary python script I linked to you should give you a starting point to convert to what you need.

I think reversing this is possible without a full system, the EV CAN bus traffic is simple enough. My current plan is to get feedback from the inverter via DTCs and play a modified capture (synced to a precharge circuit and a power-on signal) to it until I know which changes cause which DTCs. One of the first things the inverter expects to go smoothly is the precharge. It's where I'm starting from once I have my tools set up.

Reversing this way is certainly possible.

Looking at the LAN and TMS sections of the manual it does look like the inverter manages the precharge system -- perhaps because it has a voltage sensor. It could signal it's ok to precharge and then compares it's voltage with the LBC voltage from the CAN bus and signal it's ok to close the main contactors when the two differ by less than some amount.

You probably want to re-write the LBC frames in the recording I sent you to signal the voltage you actually have. You probably only need to hold the "right" voltage on the inverter rather than actually pre-charge from a low voltage as it probably isn't looking for a rising voltage during pre-charge but rather a small voltage difference across the "contactors". The LBC's 0x1db frame containing the voltages has a checksum which you'll need to re-calculate if you change it, see https://carrott.org/git/leaf-can-utils.git/blob/HEAD:/nissan-leaf-mitm.py#l21 for how to do that.

I found the car worked fine with a "one way" man in the middle between the battery and the car (ie the battery could send to the car but the car could not send to the battery). A DTC was logged by the the car complaining that the battery was not sending the correct response to a challenge, this did not illuminate the check engine light. The car would go into turtle mode immediately when I disturbed the LBC communications too much, but return to normal mode as soon as I restored the communications, no restart required. I'd expect tighter coupling between the inverter and the components that read the throttle pedal and cruise control -- it's a highly safety critical system where a probably can launch the car into whatever is in front of or behind it. If I was designing it I'd want a counter or challenge to be passed back and forth between the inverter and the throttle commanding component.

Maybe start a new thread for this project?
 
carrott said:
Let me know if you need anything else.
Now I'd like to start looking at the charger!

I intend to charge a rather large battery pack using the 2016 Leaf charger with a non-Leaf BMS.

This means, I need an EV-CAN capture of some sort of a succesful charging session, or at least the beginning of one.

EDIT: To be exact, one from an AC power source - not quick charging at this time. But that will definitely come later.

Any help?
 
This means, I need an EV-CAN capture of some sort of a succesful charging session, or at least the beginning of one.

My car has the 3.3kW charger and I have the charge timer turned on. https://carrott.org/pcaps/2016-24kWh-ev-plug-in-charge-timer-causes-sleep.pcap records what happens when you plug in. I believe the EV system and charger activate briefly and then it all goes to sleep.

https://carrott.org/pcaps/2016-24kWh-ev-plugged-in-charge-timer-override-pressed-charge-unplug.pcap records what happens when you press the charger timer override button on the dashboard. After a short charging session I pressed the release button on the charging plug, paused briefly and then unplugged.

Supply voltage is nominally 240V and the EVSE reports 10A available.
 
Hello everyone,

thanks for this brilliant post, i read it all but i cannot understand how to read data that comes out of the EV can.

I have understood the message id 5BC is the SOC.
I have my Leaf with 2 bars out of 12 on the display and the can gives me these values for id 5BC

5D C0 28 64 C2 10 1F FF
5D C0 F0 64 C3 11 03 DE
5D C0 28 64 C2 10 A1 86
5D C0 F0 64 C3 11 66 72
5D C0 28 64 C2 11 03 DE

and so on...

So it looks like 5D C0 does not change, but i cannot convert the into any reasonable way, even reading the canmsg file, anyone can help me?

Thanks

I'll edit this to add that today was trying again to decode it and i have full charge and ID5BC keeps saying me

Code:
can1  5BC   [8]  5D C0 F0 64 C3 11 00 3C
  can1  5BC   [8]  59 80 F0 64 C3 01 60 5A
  can1  5BC   [8]  5D C0 F0 64 C3 12 5F FF
  can1  5BC   [8]  59 80 F0 64 C3 02 BF FF
  can1  5BC   [8]  5D C0 F0 64 C2 13 1F FF
  can1  5BC   [8]  59 80 F0 64 C2 00 1F FF
  can1  5BC   [8]  5D C0 F0 64 C2 10 A0 28
  can1  5BC   [8]  59 80 F0 64 C2 01 00 3C
  can1  5BC   [8]  5D C0 F0 64 C2 11 60 5A

so it really makes me mad to understand how this should be taken as SOC...
 
Hi,

I would like to program a new key fob as we lost one of ours. Does anyone know how to do that using an OBD interface ?

The "stealer" -ship wants $200 just to program a new FOB. I would love to do this myself but have no clue how. I do have my existing pin code for the one fob I have.

Thanks,

Neal :)
 
nealm said:
Hi,

I would like to program a new key fob as we lost one of ours. Does anyone know how to do that using an OBD interface ?

The "stealer" -ship wants $200 just to program a new FOB. I would love to do this myself but have no clue how. I do have my existing pin code for the one fob I have.

Thanks,

Neal :)
To do that with a Consult 3+ you need a special security card to do the programming.
 
Hello all,

Firstly, thank you to all for an excellent thread here. I have just started working on a datalogger for my Leaf to support my research at Loughborough University. http://elevateproject.co.uk/

I have two CAN bus interfaces from Race Technology. https://www.race-technology.com/gb/racing/products/ecu-interfaces/can-interface

These are hooked up to my laptop using a standard serial to USB dongle, with the CAN interfaces reading off the Car CAN and EV CAN.

So far, decoding has been a pain, as is obvious from other posts here. I am finding this spreadsheet very useful though; https://docs.google.com/spreadsheets/d/1EHa4R85BttuY4JZ-EnssH4YZddpsDVu6rUFm0P7ouwg/edit#gid=1

Question regarding the message structure. I am guessing it isn't the intel standard, instead it is Motorola backward for the byte ordering??? Page 16 here; http://www.race-technology.com/upload/PDF manuals/CAN Interface Manual v2.3_25 May 2010.pdf

Thanks in advance for any help or suggestions.

Note, being a research project I will be making all my work open source when it is done in the next 12 months, including a python model of the Nissan Leaf which is still work in progress here; https://github.com/howroyd/ELEVATE

Cheers

Simon
 
Is there any existing library out there to do basic LEAF canbus/evbus decoding over bluetooth? I'd really like to teach OpenEVSE to be able to monitor state of charge for example (by using an ESP32 in place of the ESP8266 it currently uses, to get the built in bluetooth support...)
 
sandeen said:
Is there any existing library out there to do basic LEAF canbus/evbus decoding over bluetooth? I'd really like to teach OpenEVSE to be able to monitor state of charge for example (by using an ESP32 in place of the ESP8266 it currently uses, to get the built in bluetooth support...)

This question is very close to mine. I am working on a CAN Bus shield for an Arduino shield I purchased from EVTV. My project is a V2H interface to my Nissan Leaf. I am just starting out so I apologize for my ignorance, but working with the Users Manual and programming the CAN interfaces I need to set up the CAN_FRAME Data Type Structure. Here i set the Frame size and structure.

Can anyone share with me what the basic frame size and structure of the CAN_FRAME is for Nissan Leaf?

Thank you in advance if you are able to help.

Regards,

Kelly Sidener
 
Project update: I was unable to reverse the charger CAN protocol to an extent that would have made it do any... well, charging. I did get the DC-DC converter to operate, but that was it.

Basically I found out bit 0x04 in the 0x1f2 frame disables the converter (set low to enable, just spam 0x1f2 00 64 00 a0 00 00 00 00 or so every 10ms). You might also need 50b, 1d4 and maybe 55b (probably not). Anyway, that's worthless without the charging working.

I'm now in the process of developing the necessary hardware mods to get it to charge without any co-operation of Nissan's original software. This is actually going fairly well (I already have full control in a lab setup), but making this reproducible or to be something that I can use daily is more difficult.

EDIT: I've basically reverse-engineered enough of the connections to the Renesas R5F35MEEJFE chip that controls the PDM in order to write a new program from scratch for it to do regular charging and dc-dc conversion. Not sure if I'll do that, I'd need a E8a emulator ($150) and basically IAR Embedded Workbench for M16C ($2000? $4000?) to program it. Also, nobody sells these chips for a hobbyist if the one on board is somehow locked. I can find different ones with the same pinout though, eg. R5F35L2EJFE.
 
Hi!

I got a nissan leaf from 2018 (40kwh) and using LeafSpy I'm trying to decode the CAN Bus messages. I found the odometer already that is in the last bytes of the request "743". Now I'm trying to find the SOC so I can use in a system that I'm developing. I know that the request is the "79b" and the SOC is returned in the ID "7bb", but it returns seven messages with these IDs. Below there are the messages returned when I make the request "79b". Note that the battery represented in the LeafSpy at that moment was 82.2%. Can someone understand where it comes from?

79b 3000000000000000 ----> request

7bb 2102af0001073600 ------> answer 1
7bb 220363300a6030d4 ------> answer 2
7bb 239890334e039100 ------> answer 3
7bb 2401032c27ce000d ------> answer 4
7bb 25752300116bc580 ------> answer 5
7bb 2600050001073600 ------> answer 6
7bb 2701070501aeffff ------> answer 7

Regards
 
Back
Top