Reverse engineering OEM Hardware

Jacobsmess
Posts: 489
Joined: Thu Mar 02, 2023 1:30 pm
Location: Uk
Has thanked: 252 times
Been thanked: 62 times

Reverse engineering OEM Hardware

Post by Jacobsmess »

Ok, I'm breaking this out from my project thread as I'm hoping there might be some useful general guidance for other newbs like me.
I'm jumping in the deep end with trying to reverse engineer a Lexus UX300E BMS and suspect there are simpler systems to reverse engineer to cut your teeth on.
So the Lexus UX300E BMS controls everything in the battery pack and it is split into two units: the "Battery Computer Assembly" (BCA) and the "Battery Voltage Sensor" (BVS).
The BVS monitors only the battery module cell taps and the thermistors (33 in the entire pack, 3 per module).
The BCA communicates with the BVS, then controls the battery heaters, air cooling, coolant solenoids and possibly some other things I can't remember off the top of my head.
The BMS system uses 2 CAN networks: CAN 1 with a lot of CAN IDs and CAN 2 with only 5 IDs.
So far, I've set up an ESP32-S3 with Uhis wifican and, using SavvyCAN, I've been making logs of things.
I've identified CAN IDs that appear with the BVS only (by logging CAN logs of the BCA with and without the BVS connected); this should narrow down the CAN IDs that are relevant to the voltages and thermistors of the cells only.
I've then looked at these CAN IDs and saved logs of each one that showed a variation in the bytes (or bits?) as I unplugged each cell module, as well as any cumulative changes (unplugging several cell modules).
From this I think I've got a good starting point but I'm unsure of where to go next. I guess identifying the difference between cell voltage readings and cell temperature readings would be a good start. Perhaps I need to remove the thermistor from the cell modules and heat one with a hair dryer or something whilst watching the relevant CAN IDs, or I could apply a small charge voltage across the cell modules one by one and observe the change in CAN IDs. If doing so, would a benchtop current-limited power supply be safe to apply across the 30ish V cell module? I feel like it should be OK but it's worth checking.
Finally, so far I've left each cell module disconnected from one another. Am I right in doing this, or is the BMS likely to want to monitor the difference across the entire pack voltage?
Here's a Dropbox link to all the CAN info I've logged so far: https://www.dropbox.com/scl/fo/1u1v28ob ... kw7n9&dl=0
I've looked for Toyota and Lexus CAN DBC files/logs but nothing seems to be useful so far (some of the current CAN logs may have incorrect DBC definitions applied).

Thanks y'all
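The differential approach described in this post (log with and without the BVS, then unplug one module and see which bytes move) can be scripted. This is an added example, not code from the thread; the log format is a constructed "timestamp,hex_id,hex_data" CSV rather than SavvyCAN's real export layout, and the IDs and frame contents are made up.

```python
from collections import defaultdict

def parse_log(text):
    """Parse constructed 'timestamp,hex_id,hex_data' lines into {id: [frame bytes, ...]}."""
    frames = defaultdict(list)
    for line in text.strip().splitlines():
        _ts, can_id, data = line.split(",")
        frames[int(can_id, 16)].append(bytes.fromhex(data))
    return frames

def ids_only_in(with_unit, without_unit):
    """CAN IDs seen with the BVS connected but absent once it is unplugged."""
    return sorted(set(with_unit) - set(without_unit))

def changed_bytes(baseline, modified):
    """For each ID present in both captures, the byte positions whose set of
    observed values differs. Comparing value sets rather than single frames
    ignores jitter that appears identically in both captures."""
    out = {}
    for can_id in sorted(set(baseline) & set(modified)):
        base, mod = baseline[can_id], modified[can_id]
        n = min(len(f) for f in base + mod)
        diff = [i for i in range(n)
                if {f[i] for f in base} != {f[i] for f in mod}]
        if diff:
            out[can_id] = diff
    return out

# Constructed captures: BCA+BVS with every module plugged in, BCA alone,
# and BCA+BVS with one module unplugged (its two bytes in 0x1A0 read 0).
LOG_FULL = """
0.000,1A0,0E240E420DFC0E38
0.010,1B0,2B2C2D00
0.020,3F0,0100000000000000
0.030,1A0,0E250E420DFC0E38
"""
LOG_NO_BVS = """
0.000,3F0,0100000000000000
0.010,3F0,0100000000000000
"""
LOG_ONE_UNPLUGGED = """
0.000,1A0,0E240E4200000E38
0.010,1B0,2B2C2D00
0.020,3F0,0100000000000000
0.030,1A0,0E250E4200000E38
"""
```

Running ids_only_in on the first two captures isolates the BVS-related IDs, and changed_bytes on the first and third points at the exact byte positions that belong to the unplugged module.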

Re: Reverse engineering OEM Hardware

Post by Jacobsmess »

From the CAN IDs so far, two seem to be very stable (data does not change at all); would it be safe to assume these are some form of handshake/wakeup? If so I might try playing these back to just the BVS unit and seeing if it starts sending CAN at me, as so far when I tried it with just a few powered pins using the wiring diagram I didn't see anything on the CAN lines.

Re: Reverse engineering OEM Hardware

Post by Jacobsmess »

Another thought: is it likely I can just hook up the bench PSU to the BVS cell taps with no cells connected and use this to see what happens at different cell voltages on the CAN, or is it likely the BMS will just go into fault mode or something?
I guess the only surefire way of knowing is testing.

Re: Reverse engineering OEM Hardware

Post by Jacobsmess »

What I'm not sure on, and what I'm hoping someone might be able to help with, is interpreting the values. Are there any rules of thumb? If I find a CAN ID that responds to voltage changes on a particular cell I can work out the scaling etc., but is it likely that a CAN ID will contain one cell voltage? Multiple voltages? To what resolution? From what I've seen, BMSes report differences to mV?
Hopefully this should become clearer as time goes on but any help in understanding and centralising this sort of knowledge would be great.
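One way to approach the "one voltage or several, and at what resolution" question is to test which byte order and scaling make a frame parse as a run of plausible cell voltages. This is an added example, not code from the thread; the frames and the 2.5 to 4.3 V plausibility window are constructed assumptions, and real packs may use other field widths or scalings.

```python
import struct

SCALES = {"1 mV": 0.001, "0.1 mV": 0.0001}
ENDIANS = {"BE": ">H", "LE": "<H"}

def sliding_hits(frame, vmin=2.5, vmax=4.3):
    """Every 16-bit window (any offset, either byte order, either scale) that
    decodes into the plausible window. Shows how a naive scan over-matches."""
    hits = []
    for off in range(len(frame) - 1):
        for endian, fmt in ENDIANS.items():
            raw = struct.unpack_from(fmt, frame, off)[0]
            for label, scale in SCALES.items():
                if vmin <= raw * scale <= vmax:
                    hits.append((off, endian, label, round(raw * scale, 4)))
    return hits

def parse_as_cells(frame, endian, scale):
    """Decode the frame as consecutive aligned 16-bit cell voltages."""
    n = len(frame) // 2
    raws = struct.unpack(ENDIANS[endian][0] + "H" * n, frame[: 2 * n])
    return [round(r * scale, 4) for r in raws]

def plausible_layouts(frame, vmin=2.5, vmax=4.3):
    """(endian, scale label) combinations under which every aligned field is a
    plausible cell voltage; an empty list suggests the frame is not packed
    cell voltages (temperatures, status words, counters)."""
    out = []
    for endian in ENDIANS:
        for label, scale in SCALES.items():
            volts = parse_as_cells(frame, endian, scale)
            if all(vmin <= v <= vmax for v in volts):
                out.append((endian, label))
    return out

# Constructed frames: four big-endian millivolt cells, and a non-voltage frame.
CELL_FRAME = bytes.fromhex("0E240E420DFC0E38")
OTHER_FRAME = bytes.fromhex("1A1B1C1D1E1F2021")
```

Note that sliding_hits also reports mirror matches at odd offsets with the opposite byte order, which is why plausible_layouts only trusts a layout where all aligned fields land in range at once.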
tom91
Posts: 1308
Joined: Fri Mar 01, 2019 9:15 pm
Location: Bristol
Has thanked: 103 times
Been thanked: 216 times

Re: Reverse engineering OEM Hardware

Post by tom91 »

Have a look at some DBC files for various decoded BMSes to gain a bit of an understanding of what info you would be looking for and how it is organised by other OEMs.

Some explanation on DBC files: https://www.csselectronics.com/pages/ca ... base-intro
CANdb from Vector is available as freeware and is a good way of editing and viewing DBC files: https://www.vector.com/int/en/download/candb-31-sp3/

A module-based example is the VW e-Golf CAN: https://github.com/Tom-evnut/VW-bms/blo ... VWtest.dbc

Nissan Leaf CAN bus, including battery info: https://github.com/dalathegreat/leaf_can_bus_messages
Various others, including BMW i3 logs and DBC files: https://github.com/dalathegreat/EV-CANlogs
Founder Volt Influx https://www.voltinflux.com/
Webstore: https://citini.com/

Re: Reverse engineering OEM Hardware

Post by Jacobsmess »

tom91 wrote: Sat Mar 23, 2024 3:03 pm
Have a look at some DBC files for various decoded BMSes to gain a bit of an understanding of what info you would be looking for and how it is organised by other OEMs.

Some explanation on DBC files: https://www.csselectronics.com/pages/ca ... base-intro
CANdb from Vector is available as freeware and is a good way of editing and viewing DBC files: https://www.vector.com/int/en/download/candb-31-sp3/

A module-based example is the VW e-Golf CAN: https://github.com/Tom-evnut/VW-bms/blo ... VWtest.dbc

Nissan Leaf CAN bus, including battery info: https://github.com/dalathegreat/leaf_can_bus_messages
Various others, including BMW i3 logs and DBC files: https://github.com/dalathegreat/EV-CANlogs
Thanks, I've gone through a lot of information, some of which is currently over my head and I'll have to re-read a few times; other parts I understand but am not sure how best to apply.
My aim is to be able to interpret information from the BMS and then display it, and understand the limits of its responses to environmental conditions (the temperature it uses for turning on a cooling fan). I'm not sure there will be a helpful DBC file; I've not found anything so far, as I suspect no one else is looking at Toyota/Lexus BMS systems from what I've seen so far.
I do have some PIDs for a Prius I will compare with things, but as I'm new to CAN I may be misinterpreting what a PID is.
I messed around a bit more today hoping to identify CAN IDs that changed with conditions (hair dryer on a thermistor) but couldn't find anything specific, but I feel this simplistic approach might actually be the most fruitful, albeit time-consuming, approach.

Re: Reverse engineering OEM Hardware

Post by Jacobsmess »

So... I'm cross posting this here as it might be a bit more widely read than my project thread....
I managed to blow up the BMS, or at least 7 diodes of the BMS. I'm looking to replace them and I've identified the parameters of the diodes with the help of a friend. The breakdown voltage is 8 V and the voltage drop across the diode is 0.78 V. The footprint is around 2.2 mm (measured with cheap calipers and by eye).
I believe they are Zener diodes. Anyone able to advise on what may or may not be a suitable replacement? Is any diode with those rough parameters suitable, or is it likely that it'll need to be exactly this?
Secondly, is it likely that other parts of the BMS may also be broken? Visually everything except the diodes is fine, given the issue (pop) happened upon plugging in one of the modules that I believe then shorted to the BMS casing via a bus bar, potentially around 300 V, but I'm not certain. Is it likely other components (ICs?) are also broken?
Thanks

Re: Reverse engineering OEM Hardware

Post by tom91 »

If the diodes fail, it means they are outside of their design operational window. Thus any other components on those sense lines will be hit hard by whatever voltage caused that failure.

She is fubar; you never got it reverse engineered to a point where you understood what it was saying. So this clearly is a time and money pit.

My advice: chuck it in the bin.