Tesla Model 3 Battery Hacking

Topics concerning the Tesla front and rear drive unit drop-in board
User avatar
muehlpower
Posts: 570
Joined: Fri Oct 11, 2019 10:51 am
Location: Germany Fürstenfeldbruck
Has thanked: 12 times
Been thanked: 96 times

Re: Tesla Model 3 Battery Hacking

Post by muehlpower »

what do you think of HX1188NL as indicated in the data sheet of analog divices. At mouser 3100 in stock. The isolation voltage is only 1500V instead of 2900. But it should be more than sufficient for our purposes.
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

Yeah looks good thanks.
I'm going to need a hacksaw
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

BatMan Forever................
Attachments
EVBMW_BMS_V1 - Schematic.pdf
(277.68 KiB) Downloaded 268 times
2020-09-12 14.10.47.jpg
I'm going to need a hacksaw
User avatar
mdrobnak
Posts: 692
Joined: Thu Mar 05, 2020 5:08 pm
Location: Colorado, United States
Has thanked: 1 time
Been thanked: 5 times

Re: Tesla Model 3 Battery Hacking

Post by mdrobnak »

Jack Bauer wrote: Sat Sep 12, 2020 1:14 pm BatMan Forever................
:D
More like BatMan-be-gone?
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

Yeah now to clean up the pads and work out the rest of the pin connections:) In case anyone is guessing the aim here is to transplant the Batman into my own design and see if will work as a Tesla iso spi controller. No i'm not giving up on the fpga that is still in the pipeline I just need a solution asap for the guy who loaned me the battery.
I'm going to need a hacksaw
collin80
Posts: 110
Joined: Sun Aug 30, 2020 3:28 pm
Location: United States, Michigan
Been thanked: 4 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by collin80 »

Jack Bauer wrote: Sun Sep 13, 2020 7:56 am Yeah now to clean up the pads and work out the rest of the pin connections:) In case anyone is guessing the aim here is to transplant the Batman into my own design and see if will work as a Tesla iso spi controller. No i'm not giving up on the fpga that is still in the pipeline I just need a solution asap for the guy who loaned me the battery.
It sure should work that way. The only catch is that they do seem to use the exact same "batman" chip on both the master and slave devices so it seems there might be a special way to tell the chip it should be in pass through mode instead of measurement mode. I have never seen anything special on SPI to suggest that you can do that through SPI so my guess would be some sort of physical pin that is set high or low. But, I dunno which one.

Early on I thought that batman might have been an LTC6813. It seems a lot like one, even the pin out seems... similar. Not the same by any means, but similar. So, I'd suggest looking at the LTC6813 and keeping an open mind. It's something like that pin out, only with changes. I have every reason to think that they took the LTC6813 design and modified it to make batman. That's kind of weird in a way because the comm protocol looks very dissimilar on first and second glance. That's kind of deceptive as the comm protocol isn't really different insomuch as it's just been modified in terms of how commands are encoded. A deeper dive seems to suggest that perhaps not as much has changed as one might think. They're a sneaky bunch!
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

Looking at the pinout I did earlier almost all the pins are pulled to ground on the hv controller. I suspect one or two of those put it in "Batman" mode. I'll verify this by pulling one off a slave board once I get some pcbs. Might be a useful source of those chips as a lot of people have been pulling off those boards to use 3rd party bms.
I'm going to need a hacksaw
collin80
Posts: 110
Joined: Sun Aug 30, 2020 3:28 pm
Location: United States, Michigan
Been thanked: 4 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by collin80 »

Just a note, the code posted so far posited that 0x0E would request temperatures. That's wrong. Those values aren't the temperatures. Temperatures are found in 0x0D instead. Both 0x0D and 0x0E are requests for ADC data though. I think you'll find that the six bytes returned per module from 0x0D are temperature, voltage reading, temperature, each 16 bits. So, T1, V, T2. The V I think is used to double check that the voltage matches the other readings. It's seemingly a redundant reading system. I'm not getting good results with decoding that voltage just yet. In theory it was supposed to be just like the others but scaled up 10x. Doesn't seem that way to me with my pack.

The proper CRC for 0x0D is 0x6A.

Now, the readings you get for temperature are raw ADC readings from a thermistor. Anyone who has had the "pleasure" of dealing with such knows that it kind of sucks. There's non-linear response there. As luck would have it, the firmware has a table for looking this up. The first value is the ADC value and the second is temperature in degrees centigrade but scaled up 10x and with a 40C offset. So, 0 is really -40C, 250 is really -15C, etc. For instance, I have captures where the reading I got was 0x129E. That's close to the entry for 550 so divide by 10 and subtract 40 and you get 15C. If your value falls in between entries you have to interpolate or just plain use the nearest value and call it good. Chances are you don't really need more than 5C accuracy anyway. The pack is either too cold, just right, or too hot. Anything else is merely for your amusement. But, in theory you could get 0.1C accuracy for temperature readings.

0x01B7, 0
0x023C, 50
0x02E1, 100
0x03AE, 150
0x04A9, 200
0x05DA, 250
0x0747, 300
0x08F7, 350
0x0AF0, 400
0x0D39, 450
0x0FD3, 500
0x12C1, 550
0x1601, 600
0x198E, 650
0x1D61, 700
0x2170, 750
0x25AE, 800
0x2A0D, 850
0x2E7D, 900
0x32EE, 950
0x3753, 1000
0x3B9D, 1050
0x3FC0, 1100
0x43B4, 1150
0x4771, 1200
0x4AF2, 1250
0x4E37, 1300
0x513B, 1350
0x5403, 1400
0x568E, 1450
0x58E0, 1500
0x5AFB, 1550

Oh, another tidbit, the difference between asking for 0x07 and 0x47 is that 0x47 requests that the modules all return a sort of data identifier. For instance, on my module the BMS sends 0xA1 after 0x47 and before the CRC. Now all the modules preface their replies with 0xA1 as well. This doesn't happen if you use 0x07 instead. I guess it was some sort of scheme to allow it to keep better track of things? Or something? I don't see why you'd need to have it send back the identifier you specified. It seems easier to just use 0x07 and such like Muehlpower and save the bandwidth.
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

Fantastic info. Thank you:) I'm going to try and get another slave board and swap the bms ic onto the hv controller and see if it becomes Batman........sorry I can't help this:)
I'm going to need a hacksaw
User avatar
muehlpower
Posts: 570
Joined: Fri Oct 11, 2019 10:51 am
Location: Germany Fürstenfeldbruck
Has thanked: 12 times
Been thanked: 96 times

Re: Tesla Model 3 Battery Hacking

Post by muehlpower »

collin80 wrote: Sun Sep 13, 2020 7:21 pm Just a note, the code posted so far posited that 0x0E would request temperatures. That's wrong. Those values aren't the temperatures. Temperatures are found in 0x0D instead. Both 0x0D and 0x0E are requests for ADC data though.
I cannot agree with you on this point. When heating with a hair dryer, the values ​​of 0x0E were the only ones that changed significantly! I'm not sure about the scaling. It seems that there are 1/10 steps in degrees kelvin with a starting point of 160 degrees kelvin. At 1360 this results in a temperature of 23 degrees Celsius. In the screen shoot, the temperatures are marked with B1.1 to B4.2.
Attachments
slave1+2+3+4.png
collin80
Posts: 110
Joined: Sun Aug 30, 2020 3:28 pm
Location: United States, Michigan
Been thanked: 4 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by collin80 »

muehlpower wrote: Mon Sep 14, 2020 9:36 am
collin80 wrote: Sun Sep 13, 2020 7:21 pm Just a note, the code posted so far posited that 0x0E would request temperatures. That's wrong. Those values aren't the temperatures. Temperatures are found in 0x0D instead. Both 0x0D and 0x0E are requests for ADC data though.
I cannot agree with you on this point. When heating with a hair dryer, the values ​​of 0x0E were the only ones that changed significantly! I'm not sure about the scaling. It seems that there are 1/10 steps in degrees kelvin with a starting point of 160 degrees kelvin. At 1360 this results in a temperature of 23 degrees Celsius. In the screen shoot, the temperatures are marked with B1.1 to B4.2.
Well, it is perhaps possible that the temperature sensors are in the liquid path and don't respond to temperature differences in the pack itself too well. If I remember correctly, I think the two temperatures are usually listed as input and output temperature - probably of the coolant loop for that section of the pack. But, the reading you are looking at is actually a voltage from a diode. Since many electrical components do change value based on temperature I suppose it might be able to be used as a sort of temperature - one that even works without coolant flow. But, I do not believe it was meant to convey temperature, that's just a happy coincidence. Still, if people are using these modules without coolant then the normal temperature readings might not work well. So, your solution might actually be better in that case. But, you might consider trying to find the calibration a bit more precisely. It doesn't matter if it's precise but maybe try to get some independent measurements where you record the temperature of the PCB with an IR gun and record the value of the second entry from 0xE and see if your estimates match reasonably well. Or, if the pack is somewhere reasonably exposed to the open air then see if the readings you get across a few days match the outside temperature. I'm perfectly willing to believe that your readings can be used as temperature, at least of the BMS PCB. Did you heat the pack itself with the hair dryer or around the PCB?
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

So little more progress. Got the board layout done. In theory this thing could take to M3 slaves, M S/X slaves and any slave that uses CAN. Still to do is reverse engineer the little filter circuit on the chip side of the iso spi transformer and double check the pinout now the batman chip is removed.
Attachments
EVBMW_BMS_V1 - Schematic.pdf
(274.97 KiB) Downloaded 195 times
EVBMW_BMS_V1 - PCB.pdf
(168.61 KiB) Downloaded 171 times
I'm going to need a hacksaw
User avatar
muehlpower
Posts: 570
Joined: Fri Oct 11, 2019 10:51 am
Location: Germany Fürstenfeldbruck
Has thanked: 12 times
Been thanked: 96 times

Re: Tesla Model 3 Battery Hacking

Post by muehlpower »

it looks like that, have no idea about the values.
Attachments
Filter.png
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

Thats great thanks. So updated the Batman pinout. Seems we have a connection to BOTH the BMB transformers! and a 2k7 pullup to 3v3 on the miso line.
Attachments
2020-09-15 14.16.45.jpg
Batman_pinout.ods
(16.05 KiB) Downloaded 146 times
I'm going to need a hacksaw
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

Cap connected to atc = 200pF
Inductor between U5 and U6 = 43uH approx
I'm going to need a hacksaw
collin80
Posts: 110
Joined: Sun Aug 30, 2020 3:28 pm
Location: United States, Michigan
Been thanked: 4 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by collin80 »

Jack Bauer wrote: Tue Sep 15, 2020 2:19 pm Thats great thanks. So updated the Batman pinout. Seems we have a connection to BOTH the BMB transformers! and a 2k7 pullup to 3v3 on the miso line.
yeah, it's definitely bi-directional. If it thinks there is a break going one way it tries to reach the rest of the modules by transmitting from the other direction. That will allow for reading all modules so long as there is one one break in the wiring. Pretty cool stuff.
User avatar
muehlpower
Posts: 570
Joined: Fri Oct 11, 2019 10:51 am
Location: Germany Fürstenfeldbruck
Has thanked: 12 times
Been thanked: 96 times

Re: Tesla Model 3 Battery Hacking

Post by muehlpower »

Jack Bauer wrote: Wed Sep 02, 2020 1:26 pm Some initial reverse engineering on the "Batman" chip on the hv controller. Pinout up on the repo :
https://github.com/damienmaguire/Tesla- ... pinout.ods

Next move is to harvest the little guy. I also noted some interesting RC networking going on around the pulse transformer primary.
Please check again "Enable". I think it's on 55 not 54. And 47 is 5V, not GND.
Attachments
Batman.png
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

Decided to throw together a simple test / breakout board for batman before going with the full design. Up on Github for those interested :
https://github.com/damienmaguire/Tesla- ... n_Breakout
I'm going to need a hacksaw
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

Well I'm pleased to announce success with the little test board. Of course it has a few problems. I had a pin at 0v that should have been at 5v but managed to bodge it. Then turned out miso and mosi were flipped. Getting very clean isospi out of the little generic ethernet transformer and just a 120r resistor on the primary side. Running Tom's code on a Teensy and reading from my little bench battery just fine.

Next thing we need to know is will the "batman" chips on the slave boards work as transcievers. I've had a bit of a struggle finding someone willing to give me some m3 slave boards. Good news is a youtube viewer has stepped up and we should have a few boards to play with shortly. In the meantime I'll clean up the test board and publish the designs. Then we'll pull a batman off a slave and see what happens....
Attachments
2020-09-24 13.21.16.jpg
2020-09-24 13.21.04.jpg
2020-09-24 12.43.07.jpg
2020-09-24 08.57.39.jpg
I'm going to need a hacksaw
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

Updated schematic with corrections from today.
Attachments
batman_test_v1 - Schematic.pdf
(82.67 KiB) Downloaded 167 times
I'm going to need a hacksaw
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

JLCPCB have this transformer in stock :
https://datasheet.lcsc.com/szlcsc/YDS-1 ... 115949.pdf
Any thoughts on compatability?
I'm going to need a hacksaw
tom91
Posts: 1278
Joined: Fri Mar 01, 2019 9:15 pm
Location: Bristol
Has thanked: 97 times
Been thanked: 205 times

Re: Tesla Model 3 Battery Hacking

Post by tom91 »

Some good progress there. I wonder what the change over is from the coding reported by other and what you are seeing. It clearly has to do with the removal of the other chips of the slave boards i believe.
Founder Volt Influx https://www.voltinflux.com/
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

New dev boards arrived for batman. Will see what happens when we pull one from a slave board and drop him on here.
Attachments
2020-10-07 18.17.17.jpg
I'm going to need a hacksaw
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

I'm going to need a hacksaw
User avatar
Jack Bauer
Posts: 3563
Joined: Wed Dec 12, 2018 5:24 pm
Location: Ireland
Has thanked: 1 time
Been thanked: 87 times
Contact:

Re: Tesla Model 3 Battery Hacking

Post by Jack Bauer »

As mentioned in the video the "Batman" breakout board is now fully opensource including JLCPCB build files :
https://github.com/damienmaguire/Tesla- ... attery-BMS

Also available as a kit from the webshop but DOES NOT INCLUDE BATMAN CHIP!
https://www.evbmw.com/index.php/evbmw-w ... bms-batman
I'm going to need a hacksaw
Post Reply