openinverter forum

openinverter Community
https://openinverter.org:443/forum/

Tesla Model 3 Battery Hacking

https://openinverter.org:443/forum/viewtopic.php?t=577

Page 6 of 13

Re: Tesla Model 3 Battery Hacking

Posted: Wed Aug 05, 2020 9:22 pm
by Kevin Sharpe
Model 3 BMS Update and Explanation;

https://www.patreon.com/posts/model-3-bms-and-40130062

Re: Tesla Model 3 Battery Hacking

Posted: Thu Aug 06, 2020 6:47 am
by Jack Bauer
Yeah I'll rig up the Teensy to send some requests and log the responses. Should be interesting.

Re: Tesla Model 3 Battery Hacking

Posted: Thu Aug 06, 2020 10:22 am
by Jack Bauer
Well given my programming skills I'm probably asking it for elons favorite breakfast cereal but we get :

Code: Select all

6E9F

CE9F

DC9F

29DD

EB

9FE5

9FDC

9F35

86FF

6E9F

CE9F

DC9F

29DD

EB

9FE5

9FDC

9F35

86FF

6E9F

CE9F

DC9F

29DD

EB

9FE5

9FDC

9F35

86FF

6E9F

CE9F

DC9F

29DD

EB
from this program which I think is sending request 0x47 :

Code: Select all


// inslude the SPI library:
#include <SPI.h>
#define SS 10
uint16_t send1=0x2ad4;
uint16_t send2=0x0000;
uint16_t req47_a=0x4700;
uint16_t req47_b=0x7000;
uint16_t padding=0x0000;
uint16_t receive1=0;
uint16_t receive2=0;
byte count1=0;
byte count2=0;


void setup() {
  // put your setup code here, to run once:
SPI.begin();
pinMode(SS,OUTPUT); //select pin
SerialUSB.begin(115200);//normal port

}

void loop() {
  for(count1=0; count1<=8; count1++)
  {
SPI.beginTransaction(SPISettings(1000000, MSBFIRST, SPI_MODE3));//1mhz clock,msb first, mode 3
digitalWrite (SS, LOW);        // assert Slave Select
receive1 = SPI.transfer16(send1);  // do a transfer
receive2 = SPI.transfer16(send2);  // do a transfer
//if (receive2!=65535) SerialUSB.println(receive2,HEX);
digitalWrite (SS, HIGH);       // de-assert Slave Select
SPI.endTransaction ();         // transaction over
delayMicroseconds(20);

  }


SPI.beginTransaction(SPISettings(1000000, MSBFIRST, SPI_MODE3));//1mhz clock,msb first, mode 3
digitalWrite (SS, LOW);        // assert Slave Select
receive1 = SPI.transfer16(req47_a);  // do a transfer
receive2 = SPI.transfer16(req47_b);  // do a transfer

for(count2=0; count2<=36; count2++)
{
 
receive1 = SPI.transfer16(padding);  // do a transfer
if (receive1!=0xffff) SerialUSB.println(receive1,HEX);
}
  digitalWrite (SS, HIGH);       // de-assert Slave Select
  SPI.endTransaction ();         // transaction over
delayMicroseconds(35);

}

Re: Tesla Model 3 Battery Hacking

Posted: Thu Aug 06, 2020 11:11 am
by Jack Bauer

Code: Select all

0x47 Request:

6E9F

CE9F

DC9F

29DD

EB

9FE5

9FDC

9F35

86FF

0x48 Request:

FC9F

D39F

FB9F

2E03

D8

9FCD

9FEA

9F19

8BFF

0x49 Request:

DE9F

F09F

7C9F

2E80

D9

9FD9

9FDE

9F30

5FF

0x4A Request:

A0

FA9F

84A0

14DC

8C

9FE7

9FED

9F38

83FF

0x4B Request:

0x4C Request:

200

A481

ECD

2

C5

7703

3EFF

0x47 Request:

6E9F

CE9F

DC9F

29DD

EB

9FE5

9FDC

9F35

86FF

0x48 Request:

FC9F

D39F

FB9F

2E03

D8

9FCD

9FEA

9F19

8BFF

0x49 Request:

DE9F

F09F

7C9F

2E80

D9

9FD9

9FDE

9F30

5FF

0x4A Request:

A0

FA9F

84A0

14DC

8C

9FE7

9FED

9F38

83FF

0x4B Request:

0x4C Request:

200

A481

ECD

2

C5

7703

3EFF
From :

Code: Select all

// inslude the SPI library:
#include <SPI.h>
#define SS 10
uint16_t send1=0x2ad4;
uint16_t send2=0x0000;
uint16_t req47_a=0x4700;
uint16_t req47_b=0x7000;
uint16_t req48_a=0x4800;
uint16_t req48_b=0x3400;
uint16_t req49_a=0x4900;
uint16_t req49_b=0xdd00;
uint16_t req4a_a=0x4a00;
uint16_t req4a_b=0xc900;
uint16_t req4b_a=0x4b00;
uint16_t req4b_b=0x2000;
uint16_t req4c_a=0x4c00;
uint16_t req4c_b=0xe100;
uint16_t padding=0x0000;
uint16_t Request_A=0x0000;
uint16_t Request_B=0x0000;
uint16_t receive1=0;
uint16_t receive2=0;
byte count1=0;
byte count2=0;


void setup() {
  // put your setup code here, to run once:
SPI.begin();
pinMode(SS,OUTPUT); //select pin
SerialUSB.begin(115200);//normal port

}

void loop() {

StartUP();
Request_A=req47_a;
Request_B=req47_b;
SerialUSB.println("0x47 Request:");
GetData();

StartUP();
Request_A=req48_a;
Request_B=req48_b;
SerialUSB.println("0x48 Request:");
GetData();

StartUP();
Request_A=req49_a;
Request_B=req49_b;
SerialUSB.println("0x49 Request:");
GetData();

StartUP();
Request_A=req4a_a;
Request_B=req4a_b;
SerialUSB.println("0x4A Request:");
GetData();

StartUP();
Request_A=req4b_b;
Request_B=req4b_b;
SerialUSB.println("0x4B Request:");
GetData();

StartUP();
Request_A=req4c_a;
Request_B=req4c_b;
SerialUSB.println("0x4C Request:");
GetData();

}

void GetData()
{
SPI.beginTransaction(SPISettings(1000000, MSBFIRST, SPI_MODE3));//1mhz clock,msb first, mode 3
digitalWrite (SS, LOW);        // assert Slave Select
receive1 = SPI.transfer16(Request_A);  // do a transfer
receive2 = SPI.transfer16(Request_B);  // do a transfer
for(count2=0; count2<=36; count2++)
{
 
receive1 = SPI.transfer16(padding);  // do a transfer
if (receive1!=0xffff) SerialUSB.println(receive1,HEX);
}
  digitalWrite (SS, HIGH);       // de-assert Slave Select
  SPI.endTransaction ();         // transaction over
delay(75);
}

void StartUP()
{
  for(count1=0; count1<=8; count1++)
  {
SPI.beginTransaction(SPISettings(1000000, MSBFIRST, SPI_MODE3));//1mhz clock,msb first, mode 3
digitalWrite (SS, LOW);        // assert Slave Select
receive1 = SPI.transfer16(send1);  // do a transfer
receive2 = SPI.transfer16(send2);  // do a transfer
//if (receive2!=65535) SerialUSB.println(receive2,HEX);
digitalWrite (SS, HIGH);       // de-assert Slave Select
SPI.endTransaction ();         // transaction over
delayMicroseconds(20);
}

SPI.beginTransaction(SPISettings(1000000, MSBFIRST, SPI_MODE3));//1mhz clock,msb first, mode 3
digitalWrite (SS, LOW);        // assert Slave Select
receive1 = SPI.transfer16(0x4f00);  // do a transfer
receive2 = SPI.transfer16(0x5f00);  // do a transfer
digitalWrite (SS, HIGH);       // de-assert Slave Select
SPI.endTransaction ();         // transaction over
delayMicroseconds(35);

  
}
But hey, at least we're talking....

Re: Tesla Model 3 Battery Hacking

Posted: Thu Aug 06, 2020 11:29 am
by Jack Bauer
Given the amount of emails and other contacts over the past few days it seems we have quite a few lurkers on this thread. Don't be shy. Join up and help.

and just to remind quite a few of those people as to why we don't just use an LTC6820 :

In this previous video I explain the difference between Tesla ISO-SPI and commercial LTC chips :

Re: Tesla Model 3 Battery Hacking

Posted: Thu Aug 06, 2020 11:47 am
by Kevin Sharpe
Jack Bauer wrote: Thu Aug 06, 2020 11:29 am Given the amount of emails and other contacts over the past few days it seems we have quite a few lurkers on this thread. Don't be shy. Join up and help.
Please do not contact Damien directly... I've seen his email inbox and it's crazy... the only sustainable way of maintaining this development is through this forum :)

Re: Tesla Model 3 Battery Hacking

Posted: Thu Aug 06, 2020 12:33 pm
by tom91
Jack Bauer wrote: Thu Aug 06, 2020 10:22 am Well given my programming skills I'm probably asking it for elons favorite breakfast cereal but we get :

Code: Select all

6E9F

CE9F

DC9F

29DD

EB

9FE5

9FDC

9F35

86FF

6E9F

CE9F

DC9F

29DD

EB

9FE5

9FDC

9F35

86FF

6E9F

CE9F

DC9F

29DD

EB

9FE5

9FDC

9F35

86FF

6E9F

CE9F

DC9F

29DD

EB
from this program which I think is sending request 0x47 :

Code: Select all


// inslude the SPI library:
#include <SPI.h>
#define SS 10
uint16_t send1=0x2ad4;
uint16_t send2=0x0000;
uint16_t req47_a=0x4700;
uint16_t req47_b=0x7000;
uint16_t padding=0x0000;
uint16_t receive1=0;
uint16_t receive2=0;
byte count1=0;
byte count2=0;


void setup() {
  // put your setup code here, to run once:
SPI.begin();
pinMode(SS,OUTPUT); //select pin
SerialUSB.begin(115200);//normal port

}

void loop() {
  for(count1=0; count1<=8; count1++)
  {
SPI.beginTransaction(SPISettings(1000000, MSBFIRST, SPI_MODE3));//1mhz clock,msb first, mode 3
digitalWrite (SS, LOW);        // assert Slave Select
receive1 = SPI.transfer16(send1);  // do a transfer
receive2 = SPI.transfer16(send2);  // do a transfer
//if (receive2!=65535) SerialUSB.println(receive2,HEX);
digitalWrite (SS, HIGH);       // de-assert Slave Select
SPI.endTransaction ();         // transaction over
delayMicroseconds(20);

  }


SPI.beginTransaction(SPISettings(1000000, MSBFIRST, SPI_MODE3));//1mhz clock,msb first, mode 3
digitalWrite (SS, LOW);        // assert Slave Select
receive1 = SPI.transfer16(req47_a);  // do a transfer
receive2 = SPI.transfer16(req47_b);  // do a transfer

for(count2=0; count2<=36; count2++)
{
 
receive1 = SPI.transfer16(padding);  // do a transfer
if (receive1!=0xffff) SerialUSB.println(receive1,HEX);
}
  digitalWrite (SS, HIGH);       // de-assert Slave Select
  SPI.endTransaction ();         // transaction over
delayMicroseconds(35);

}
Mind creating a capture of this? I will then smash some code together, first just standalone to get voltages and such then possibly port it into SimpBMS.

Re: Tesla Model 3 Battery Hacking

Posted: Thu Aug 06, 2020 12:46 pm
by Jack Bauer
Yep will do. Made a few changes and seem to be getting more data :

Code: Select all

0x48 Request:

FC9F

D39F

FB9F

2E03

D8

9FCD

9FEA

9F19

8BFF

0x49 Request:

DE9F

F09F

7C9F

2E80

D9

9FD9

9FDE

9F30

5FF

0x4A Request:

A0

FA9F

84A0

14DC

8C

9FE7

9FED

9F38

83FF

0x4B Request:

0x4C Request:

200

A481

ECD

2

C5

7703

3EFF

0x4D Request:

0x4E Request:

0x4F Request:

0x50 Request:

0x47 Request:

6E9F

CE9F

DC9F

29DD

EB

9FE5

9FDC

9F35

86FF

0x48 Request:

FC9F

D39F

FB9F

2E03

D8

9FCD

9FEA

9F19

8BFF

0x49 Request:

DE9F

F09F

7C9F

2E80

D9

9FD9

9FDE

9F30

5FF

0x4A Request:

A0

FA9F

84A0

14DC

8C

9FE7

9FED

9F38

83FF

0x4B Request:

0x4C Request:

200

A481

ECD

2

C5

7703

3EFF

0x4D Request:

0x4E Request:

0x4F Request:

0x50 Request:

0x47 Request:

6E9F

CE9F

DC9F

29DD

EB

9FE5

9FDC

9F35

86FF

0x48 Request:
From :

Code: Select all

// inslude the SPI library:
#include <SPI.h>
#define SS 10
uint16_t send1=0x2ad4;
uint16_t send2=0x0000;
uint16_t send3=0x21f2;
uint16_t send4=0x4d00;
uint16_t send5=0x0008;
uint16_t sendX=0x0000;
uint16_t sendY=0x0000;
uint16_t req47_a=0x4700;
uint16_t req47_b=0x7000;
uint16_t req48_a=0x4800;
uint16_t req48_b=0x3400;
uint16_t req49_a=0x4900;
uint16_t req49_b=0xdd00;
uint16_t req4a_a=0x4a00;
uint16_t req4a_b=0xc900;
uint16_t req4b_a=0x4b00;
uint16_t req4b_b=0x2000;
uint16_t req4c_a=0x4c00;
uint16_t req4c_b=0xe100;
uint16_t req4d_a=0x0100;
uint16_t req4d_b=0x2700;
uint16_t req4e_a=0x0100;
uint16_t req4e_b=0x3300;
uint16_t req4f_a=0x0100;
uint16_t req4f_b=0xda00;
uint16_t req50_a=0x0000;
uint16_t req50_b=0x9400;

uint16_t padding=0x0000;
uint16_t Request_A=0x0000;
uint16_t Request_B=0x0000;
uint16_t receive1=0;
uint16_t receive2=0;
byte count1=0;
byte count2=0;


void setup() {
  // put your setup code here, to run once:
SPI.begin();
pinMode(SS,OUTPUT); //select pin
SerialUSB.begin(115200);//normal port

}

void loop() {

StartUP();
sendX=0x21f2;
sendY=0x4d00;
Generic_Send_Once();

sendX=0x0800;
sendY=0x0000;
Generic_Send_Once();

sendX=0x2ad4;
sendY=0x4d00;
Generic_Send_Once();

sendX=0x0800;
sendY=0x0000;
Generic_Send_Once();

Request_A=req47_a;
Request_B=req47_b;
SerialUSB.println("0x47 Request:");
GetData();

StartUP();
Request_A=req48_a;
Request_B=req48_b;
SerialUSB.println("0x48 Request:");
GetData();

StartUP();
Request_A=req49_a;
Request_B=req49_b;
SerialUSB.println("0x49 Request:");
GetData();

StartUP();
Request_A=req4a_a;
Request_B=req4a_b;
SerialUSB.println("0x4A Request:");
GetData();

StartUP();
Request_A=req4b_b;
Request_B=req4b_b;
SerialUSB.println("0x4B Request:");
GetData();

StartUP();
Request_A=req4c_a;
Request_B=req4c_b;
SerialUSB.println("0x4C Request:");
GetData();

StartUP();
Request_A=req4d_a;
Request_B=req4d_b;
SerialUSB.println("0x4D Request:");
GetData();

StartUP();
Request_A=req4e_a;
Request_B=req4e_b;
SerialUSB.println("0x4E Request:");
GetData();

StartUP();
Request_A=req4f_a;
Request_B=req4f_b;
SerialUSB.println("0x4F Request:");
GetData();

StartUP();
Request_A=req50_a;
Request_B=req50_b;
SerialUSB.println("0x50 Request:");
GetData();

}

void GetData()
{
SPI.beginTransaction(SPISettings(1000000, MSBFIRST, SPI_MODE3));//1mhz clock,msb first, mode 3
digitalWrite (SS, LOW);        // assert Slave Select
receive1 = SPI.transfer16(Request_A);  // do a transfer
receive2 = SPI.transfer16(Request_B);  // do a transfer

for(count2=0; count2<=36; count2++)
{
receive1 = SPI.transfer16(padding);  // do a transfer
if (receive1!=0xffff) SerialUSB.println(receive1,HEX);
//SerialUSB.println(receive1,HEX);
}
  digitalWrite (SS, HIGH);       // de-assert Slave Select
  SPI.endTransaction ();         // transaction over
delay(75);
}

void StartUP()
{
  for(count1=0; count1<=4; count1++)
  {
SPI.beginTransaction(SPISettings(1000000, MSBFIRST, SPI_MODE3));//1mhz clock,msb first, mode 3
digitalWrite (SS, LOW);        // assert Slave Select
receive1 = SPI.transfer16(send1);  // do a transfer
receive2 = SPI.transfer16(send2);  // do a transfer
digitalWrite (SS, HIGH);       // de-assert Slave Select
SPI.endTransaction ();         // transaction over
delayMicroseconds(20);
}
}

void Generic_Send_Once()
{

SPI.beginTransaction(SPISettings(1000000, MSBFIRST, SPI_MODE3));//1mhz clock,msb first, mode 3
digitalWrite (SS, LOW);        // assert Slave Select
receive1 = SPI.transfer16(sendX);  // do a transfer
receive2 = SPI.transfer16(sendY);  // do a transfer
digitalWrite (SS, HIGH);       // de-assert Slave Select
SPI.endTransaction ();         // transaction over
delayMicroseconds(20);
}

Re: Tesla Model 3 Battery Hacking

Posted: Thu Aug 06, 2020 1:20 pm
by Jack Bauer
Captures and code now up on the repo :
https://github.com/damienmaguire/Tesla- ... nsy_Master

Re: Tesla Model 3 Battery Hacking

Posted: Thu Aug 06, 2020 8:32 pm
by tom91
Have a go with this code: https://github.com/tomdebree/Tesla-Mode ... t_1tdb.ino

'd' should toggle debugging and SPI dump on and off. let me know if it works, also mind capturing the SPI traffic it generates.

Re: Tesla Model 3 Battery Hacking

Posted: Fri Aug 07, 2020 2:57 am
by retrEVnoc
Jack Bauer wrote: Thu Aug 06, 2020 11:29 am Don't be shy. Join up and help.
Wish I knew how to help but programming and EE are unfortunately not my forte; so please accept the humble funds I sent to your patreon instead. Really inspired by the collaboration and excited by the progress, guys!

Re: Tesla Model 3 Battery Hacking

Posted: Fri Aug 07, 2020 4:30 pm
by Jack Bauer
Right so from that code we get :

Code: Select all

0x47 Request:

0x48 Request:

0x49 Request:

0x4A Request:

0x4B Request:

0x4C Request:

0x4D Request:

0x4E Request:

0x4F Request:

0x50 Request:



Module 1 : | 4231mV| 4231mV| 0mV| 4334mV| 4334mV| 0mV| 4927mV| 4927mV| 0mV| 5132mV| 5132mV| 0mV| 12mV| 12mV

Module 2 : | 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV



0x47 Request:

0x48 Request:

0x49 Request:

0x4A Request:

0x4B Request:

0x4C Request:

0x4D Request:

0x4E Request:

0x4F Request:

0x50 Request:



Module 1 : | 4231mV| 4231mV| 0mV| 4334mV| 4334mV| 0mV| 4927mV| 4927mV| 0mV| 5132mV| 5132mV| 0mV| 12mV| 12mV

Module 2 : | 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV

and with debug on :

Code: Select all

0x48 Request:

FC9F

D39F

FB9F

2E03

D8

9FCD

9FEA

9F19

8BFF

0x49 Request:

DE9F

F09F

7C9F

2E80

D9

9FD9

9FDE

9F30

5FF

0x4A Request:

A0

FA9F

84A0

14DC

8C

9FE7

9FED

9F38

83FF

0x4B Request:

509F

0

200

2B9E

0

2

2

24

A2FF

0x4C Request:

200

A481

ECD

2

C5

7703

3EFF

0x4D Request:
Capture up on the github :
https://github.com/damienmaguire/Tesla- ... nsy_Master

Re: Tesla Model 3 Battery Hacking

Posted: Fri Aug 07, 2020 5:09 pm
by tom91
Stupid me, arrays start at o and not 1. :)

New code for testing, now ever improved to try and populate both of the ICs.

Code online now: https://github.com/tomdebree/Tesla-Mode ... _Test_1tdb

Re: Tesla Model 3 Battery Hacking

Posted: Fri Aug 07, 2020 5:51 pm
by Jack Bauer
You sir are a steely eyed bms man:)


IC 1 : | 3265mV| 3265mV| 3265mV| 3276mV| 3276mV| 3276mV| 3274mV| 3274mV| 3274mV| 3276mV| 3276mV| 3276mV| 3262mV| 3262mV

IC 2 : | 3275mV| 3275mV| 3275mV| 3273mV| 3273mV| 3273mV| 3273mV| 3273mV| 3273mV| 3267mV| 3267mV| 3267mV| 0mV| 0mV

Re: Tesla Model 3 Battery Hacking

Posted: Fri Aug 07, 2020 6:02 pm
by Jack Bauer
We don't seem to be reading changes in voltage for some reason. I bet we are missing a "read cells" command somewhere but yeah, fantastic progress Tom:)

Re: Tesla Model 3 Battery Hacking

Posted: Fri Aug 07, 2020 6:41 pm
by tom91
Did you also notice my other rookie mistake.

Read in the first voltage, but the second run of the 'FOR' statement do the samething again, dammit. :P

Now once again updated. Which voltages are you varying? They might have been excluded do to my mistake.

Code online now: https://github.com/tomdebree/Tesla-Mode ... _Test_1tdb

Re: Tesla Model 3 Battery Hacking

Posted: Fri Aug 07, 2020 6:51 pm
by muehlpower
it doesn't have to be " g <= 14" for usb printing to see the last value?

Re: Tesla Model 3 Battery Hacking

Posted: Fri Aug 07, 2020 7:39 pm
by tom91
muehlpower wrote: Fri Aug 07, 2020 6:51 pm it doesn't have to be " g <= 14" for usb printing to see the last value?
Dammit, yes that mistake remained. If we get confirmation of the voltages working we can move on, otherwise we got to dig to find out why the voltages are not updating.

Re: Tesla Model 3 Battery Hacking

Posted: Sat Aug 08, 2020 4:24 pm
by Jack Bauer
Latest code is sort of acting weird :

0x50 Request:



IC 1 : | 3258mV| 3268mV| 3269mV| 4158mV| 184mV| 3187mV| 3453mV| 299mV| 5240mV| 0mV| 0mV| 0mV| 0mV| 0mV

IC 2 : | 3270mV| 3270mV| 3269mV| 1476mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV

3265

3265



0x47 Request:

0x48 Request:

0x49 Request:

0x4A Request:

0x4B Request:

0x4C Request:

0x4D Request:

0x4E Request:

0x4F Request:

0x50 Request:



IC 1 : | 3258mV| 3268mV| 3269mV| 4158mV| 184mV| 3187mV| 3453mV| 299mV| 5240mV| 0mV| 0mV| 0mV| 0mV| 0mV

IC 2 : | 3270mV| 3270mV| 3269mV| 1476mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV| 0mV

3265

3265

Re: Tesla Model 3 Battery Hacking

Posted: Sat Aug 08, 2020 4:26 pm
by Jack Bauer
Video update though a little out of date already:)

Re: Tesla Model 3 Battery Hacking

Posted: Sat Aug 08, 2020 4:46 pm
by tom91
Jack Bauer wrote: Sat Aug 08, 2020 4:24 pm Latest code is sort of acting weird :
......
Please run it with debug on, I need to check the moving of certain bytes.

Shit found it, was a messy mistake on my part. was using variables in multiple places and not accounting for it.

Code online

Re: Tesla Model 3 Battery Hacking

Posted: Sat Aug 08, 2020 5:55 pm
by Jack Bauer
Good news is we are getting voltages :
IC 1 : | 3258mV| 3268mV| 3269mV| 3315mV| 3269mV| 3271mV| 3269mV| 3270mV| 3264mV| 3272mV| 3271mV| 3278mV| 3260mV| 0mV| 0mV

IC 2 : | 3270mV| 3270mV| 3269mV| 3277mV| 3268mV| 3270mV| 3269mV| 3269mV| 3269mV| 3264mV| 3270mV| 3270mV| 0mV| 0mV| 0mV

3265

3265


Bad news is they don't seem to want to update. I reckon we are missing a command somewhere.

Re: Tesla Model 3 Battery Hacking

Posted: Sat Aug 08, 2020 6:44 pm
by tom91
found a command

Code: Select all

0x2BFB
Now added into the loop. And its online for testing.

Re: Tesla Model 3 Battery Hacking

Posted: Sun Aug 09, 2020 4:14 pm
by Jack Bauer
Still no updates sadly :

IC 1 : | 3258mV| 3266mV| 3269mV| 3283mV| 3268mV| 3271mV| 3269mV| 3270mV| 3301mV| 3278mV| 3271mV| 3276mV| 3259mV| 0mV| 0mV

IC 2 : | 3342mV| 3269mV| 3268mV| 3271mV| 3268mV| 3270mV| 3269mV| 3268mV| 3269mV| 3264mV| 3269mV| 3270mV| 0mV| 0mV| 0mV

0x47 Request:

179F

7B9F

A39F

5F2

3D

A3A8

9F9E

9F2D

5FFF

17

9F

7B

9F

A3

9F

3D

A3

A8

9F

9E

9F

0x48 Request:

Re: Tesla Model 3 Battery Hacking

Posted: Sun Aug 09, 2020 6:59 pm
by tom91
Okay, so have shuffled some of the SPI frames to match the logs better.

It seems like the slaves need to be told to log the voltages / measure. Can you please provide a capture with the latest software version.
All times are UTC
Page 6 of 13

Powered by phpBB® Forum Software © phpBB Limited