Page 1 of 2
Is300H Inverter Hacking
Posted: Fri Aug 12, 2022 12:17 pm
by Jack Bauer
Decided to start a separate thread for hacking the OEM Toyota/ Lexus IS300H inverter. Hooked it up to the VCU today and surprise surprise the serial protocol is different to both GS450h and Prius Gen3. How much so am unsure as yet. Grabbed a few MTH logs for analysis. Have also got a line on a GS300h hvecu which I hope to have in a few days for more analysis as I doubt it will be possible to get a log from a running car.
Re: Is300H Inverter Hacking
Posted: Fri Aug 12, 2022 12:19 pm
by Jack Bauer
GS300h hvecu location.
Re: Is300H Inverter Hacking
Posted: Fri Aug 12, 2022 12:38 pm
by nkiernan
How invasive is it getting logs from a running car? Does it required much hacking! I park beside an IS300H in work every day and the owner could be on for helping but would be protective of his good car!
Re: Is300H Inverter Hacking
Posted: Fri Aug 12, 2022 12:53 pm
by Jack Bauer
Quite easy I could send you a cable. Would require connecting to 4 data wires on the inverter plug. Could be done with piercing probes so no cutting required.
Re: Is300H Inverter Hacking
Posted: Fri Aug 12, 2022 12:54 pm
by Jack Bauer
sorry back probing the connector wold be quite easy also
Re: Is300H Inverter Hacking
Posted: Fri Aug 12, 2022 5:39 pm
by Jack Bauer
Got this on the way so with a bit of luck will give us the HTM data format. Then I guess its time to put my non existant programming skills to use...
Re: Is300H Inverter Hacking
Posted: Fri Aug 12, 2022 7:48 pm
by nkiernan
Jack Bauer wrote: ↑Fri Aug 12, 2022 12:54 pm
sorry back probing the connector wold be quite easy also
Will see if he can help so. Would be something like saleae logic, four data channels and a ground channel? Am I correct there is a video on one of the builds of the same process on a GS450H or prius?
Re: Is300H Inverter Hacking
Posted: Sat Aug 13, 2022 9:32 am
by Jack Bauer
You could do it that way but I would make up a litle board for you with two can transcievers and two ftdi cables. Then you would need a laptop with a terminal program to log the data. I'm not sure if such a video exists but happy to make one if required.
Re: Is300H Inverter Hacking
Posted: Sat Aug 13, 2022 10:47 am
by nkiernan
Jack Bauer wrote: ↑Sat Aug 13, 2022 9:32 am
I'm not sure if such a video exists but happy to make one if required.
He just asked if there was something to look at so he could see what was involved to give peace of mind it wouldn't do anything to the plugs/seals or car was all
Re: Is300H Inverter Hacking
Posted: Sat Aug 13, 2022 12:26 pm
by Jack Bauer
Lets see how far I get with the hvecu on the bench and then we can make a call.
Re: Is300H Inverter Hacking
Posted: Sat Aug 13, 2022 12:50 pm
by Jack Bauer
First glimpse looks like an MTH packet of 140 bytes:
Code: Select all
40 00 02 00 00 00 00 00 00 04 00 01 00 12 14 00 00 00 00 00 1D 1A 00 00 F9 01 00 04 00 00 00 FF 00 CE 00 00 55 00 00 CB 07 00 02 00 00 00 00 00 20 0E 00 00 00 00 00 00 00 06 08 00 00 1B 00 30 00 B8 13 02 00 00 00 00 00 00 00 00 10 41 00 00 00 00 80 00 00 00 00 00 00 00 00 00 A6 02 00 00 1C 1F 00 00 00 00 00 00 30 00 00 B8 13 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Re: Is300H Inverter Hacking
Posted: Mon Aug 15, 2022 2:59 pm
by Jack Bauer
Got hte gs300h hybrid ecu today. Looks like a HTM packet of 105 bytes and MTH 140 bytes. Seems quite similar to here :
viewtopic.php?p=37578#p37578
Re: Is300H Inverter Hacking
Posted: Tue Aug 16, 2022 6:10 pm
by Jack Bauer
Made a little bit of progress. Confirmed HTM is 105 bytes and MTH 140 bytes. DC bus voltage in MTH 117,118. Obviously the HTM data I can get here on the bench from the hybrid ecu is not going to bring up the inverter but its a start.
Re: Is300H Inverter Hacking
Posted: Wed Aug 17, 2022 5:46 pm
by Jack Bauer
Guess I'll continue talking to myself... Making some very slow incremental progress. Sadly we don't have a Savvycan like tool for analysing the toyota data so I've engaged a developer to write a tool that will do some basic data parsing. Have seen some references to some others working on this type of a thing but nothing I can use. Still might need to get a log from a car and to that end have ordered some back probes and I'll make up a logger device.
Re: Is300H Inverter Hacking
Posted: Thu Aug 18, 2022 6:07 pm
by Jack Bauer
Updating the Github repo with logs and a tool for organising them into a more readable form :
https://github.com/damienmaguire/Lexus-IS300H-Inverter
Re: Is300H Inverter Hacking
Posted: Thu Aug 18, 2022 6:58 pm
by Jack Bauer
Tool now working. Use example : python3 main.py HTM_Ecu1.log 105
Will spit out a .csv with the data broken into 105 byte lines ready for import into a spreadsheet.
Re: Is300H Inverter Hacking
Posted: Fri Aug 19, 2022 3:17 pm
by Jack Bauer
I'll let this speak for itself while I go clean up the oil spill. More details to follow.
Re: Is300H Inverter Hacking
Posted: Fri Aug 19, 2022 4:24 pm
by Ev8
Awesome awesome work. I wish I was able to do the same with an rx450h inverter
Re: Is300H Inverter Hacking
Posted: Fri Aug 19, 2022 5:55 pm
by Jack Bauer
Thanks:) I have an Rx450h inverter waiting on the bench. So just found the MG1 and MG2 torque commands. With a bit of luck will have code released next week for the Zombieverter VCU and the original Lexus gs450h vcu for running this system. Biggest hurdle was my python script seemed to be one column out with the data sorting. Once I realised that the inverter woke up:)
Re: Is300H Inverter Hacking
Posted: Fri Aug 19, 2022 6:41 pm
by nkiernan
This is class
Re: Is300H Inverter Hacking
Posted: Fri Aug 19, 2022 8:28 pm
by Alibro
This makes me want to convert my old diesel Merc to leccy.
Maybe I can create a website called EVMERC.
Re: Is300H Inverter Hacking
Posted: Sun Aug 21, 2022 8:46 am
by evbuilder
Jack Bauer wrote: ↑Wed Aug 17, 2022 5:46 pm
Guess I'll continue talking to myself... Making some very slow incremental progress. Sadly we don't have a Savvycan like tool for analysing the toyota data so I've engaged a developer to write a tool that will do some basic data parsing. Have seen some references to some others working on this type of a thing but nothing I can use. Still might need to get a log from a car and to that end have ordered some back probes and I'll make up a logger device.
Are you limited to reading only one of MTH or HTM at a time? I made a sniffer out of a ESP32-S2 board ($6 on AliEx) and a couple of can transceiver chips. Code is here:
https://github.com/evbuilder/ToyotaSniffer
It pulls in both messages at once. I then use
https://github.com/evbuilder/SnifferParser to turn it into csv file.
I set the ESP32 up as a wifi basestation, and connected to it to get the datastream. It runs off a 9V battery (with 5V regulator)
Re: Is300H Inverter Hacking
Posted: Mon Aug 22, 2022 8:45 am
by Jack Bauer
That looks ideal. I am using the dual ftdi method. Still have quite a bit of data to pour over but at least with the unit moving its a lot easier.
Re: Is300H Inverter Hacking
Posted: Mon Aug 22, 2022 5:38 pm
by Jack Bauer
Ev8 wrote: ↑Fri Aug 19, 2022 4:24 pm
Awesome awesome work. I wish I was able to do the same with an rx450h inverter
You mean like this one:)
Full throttle control of MG1 and 2 now working with the GS450h vcu. Porting to Zombi on the way.
Re: Is300H Inverter Hacking
Posted: Mon Aug 22, 2022 6:21 pm
by Ev8
Yeah that’s the one! I’m thinking it could be used to give me oem quality drive on my linked mg1 and mg2 rx400h transaxle,