HELP WANTED …. EV Battery Meister Mind.


The heart of the issue of electric automobiles has always been the energy storage cell or battery and it remains ever so today and into the future. Moving from the crude lead acid batteries, the limitation on electric cars has always been the weight and size of the battery necessary to power it to any specific distance.

We measure this using two metrics, energy density and power density.

Energy density is a measure of storage capacity – how much energy can be stored for a given weight/volume of battery cell. We usually state this in terms of Watt-hours per kilogram (Wh/kg). If it will store enough energy to produce 1 amp of current at 1 volt for one hour, a Watt-hour. English physicist James Prescott Joule (1818–1889) would consider 1 amp through 1 ohm to be 1 volt and if performed for 1 second, a Joule. So 3600 Joules per Watt-hour if it’s an English physicists car.

Power density is similarly the measure of how much POWER a cell can deliver instantaneously. Forget the hours. How many WATTS can be produced from a given weight (W/kg) or volume (W/ltr) of a cell. And as a practical matter we think of this as max current output.

A 100 amp-hour 12 volt lead acid battery can easily weight 35 kilograms. And so it’s energy density is 12×100/35 or 34Wh per kilogram. Our CALB LiFePo4 cells are more like 105 Wh/kg or over three times the energy density of the lead acid batteries. If you think of this another way, if you need 300 lbs of lead acid cells, you can replace them with 100 lbs of LiFePo4 cells. And because your car is 200 lbs lighter, it goes further on a charge.

The NCR18650GBA cells currently used in the latest Tesla are 3.7Ah x 3.75v in 48 grams. That’s about 265 Wh/kg. And so 252 lbs of CALB cells is the equivalent in energy density to 100 lbs of NCR18650GBA cells, used in the latest Tesla Model 100D.

So the cells Tesla uses are nearly eight times the energy density of lead acid cells (7.79). So 775 lbs replaced by 100 lbs. And that is the key to Tesla’s long range. You don’t QUITE get 7.75x because to package all those little camera batteries, it takes a lot of structure just in aluminium and plastic and copper and so forth surrounding the cells. But energy density is the name of the game. More stored energy in less weight and space.

But storing energy is not inherently a safe thing to do. And the more energy you pack into a smaller package, the more explosive it becomes. And in some cases, the less stable it becomes as well.

Our video this week garnered a good bit of attention as we talked about batteries in general, always a popular topic, and the Tesla battery pack specifically. I would say the two most intense areas of interest in EVdumb/land/world are the Tesla Motor/Inverter drive unit and the Tesla battery pack.

Tesla has simply engineered an electric car beyond any other. And so they have sold a relatively large number of them. And so the owners have of course wrecked a relatively large number of them. And so they are readily available for parts.

This gives rise to an interesting paradox. And after all Elon Musks posturing about being open and hoping to foster more electric vehicle development, the paradox hangs on the fact that they have in fact been very CLOSED about any details of basic CAN communication in their vehicles or how anything works.

The Volkswagen Beetle and Bus et al became very very popular in America and sold many millions of vehicles. It was actually not because they were ever very good cars. In fact, they were widely viewed as very BAD cars and of terrible manufacture. They rusted in front of you on the show room floor. But they were very simple and could be worked on by anyone without much in the way of special tools. A “tribe” emerged with “tribal knowledge” of the VW platform, third party parts flourished, making repair parts sinfully inexpensive.

Tesla is SO closed, you can’t actually repair one. The costs to resurrect a crashed Tesla Model S are just totally unapproachable. They have produced the world’s first “disposable” car and at a price well north of a hundred grand, no matter what Elon was quoted as saying.

If you do repair one mechanically, you will most likely find that it is impossible to clear the codes and electronically get it back in operation. And so the $100k Tesla, in some cases two months old and with 1000 miles on it, goes for a fraction of the price in the salvage auction because it is basically irreparable. So to speak.

But then we actually have hundreds of DIY guys actually buying expensive Tesla drive units and batteries, without a clue how to use them when they get them. Kind of hopefully buying them and then casting about to find who might have a solution to their actual use.

So as the garages slowly fill with useless drive units and batteries, the price of those batteries and drive units slowly falls and so the value of the salvaged cars. Inevitably this leads to all sorts of fallouts. One I expect soon is a greatly ENHANCED price of Tesla auto insurance. That is dramatically higher rates.

Electric cars already have the highest depreciation of any cars ever built. Fiat 500e’s are now readily available for $6000 on eBay in perfect working order. They are small, with a top range of 80 miles, but still very cute. They are suffering the same “off-lease” Tsunami as the Nissan Leaf, though they were never manufactured in nearly the number.

So I expect the next hammer to fall to be skyrocketing INSURANCE rates for electric cars that simply have little or no residual value in the salvage market. Disposable cars.

That’s kind of where we went with Television sets when they became non-repairable.

In any event, I find it surprising that after all this time so little has been done to make these devices more useful. What work has been done seems to be centered on profit motive and self aggrandizement and I’ve found it discouraging working with the few people in the space.

In any event, in this episode we did discuss the Tesla battery in particular. They are readily available as entire battery packs for less than $15,000. They consist of 16 22vdc “modules” that each go for about $1000-$1200 each. They provide a little over 5kWh of storage capacity and so the pricing is very attractive – about $200 per kWh.

The problem of course is that the Tesla battery pack is very high energy and in a very highly engineered system to allow their safe use. It doesn’t make a whole lot of sense re-engineering what has already been done. But no one has made much progress reverse engineering what is there.

There are two levels to play here. One is to treat it as a whole battery pack. The second is to deal with the individual modules.

As a pack, it’s a little unclear how you would wedge this monster into a car. It is 1150 lbs and larger than most of the cars we do. 250 lbs of the package is an armored tank like container for the modules. But as a solar energy storage device, it would be awesome just the way it is. I wouldn’t want one in my house, or near my house, without the ability to monitor pack voltages and temperatures and automatically take it offline if anything went amiss. Indeed a core eject system as featured on Star Trek’s USS Enterprise might be in order.

But in any event, we need to learn how to work the battery pack. It has an internal master BMS circuit board that in turn talks to each of the 16 module BMS circuit boards and can readily report all 96 individual cell voltages along with 32 temperatures – two for each module. Indeed, Arthur Hebert of Corvallis Oregon had worked out the CAN code for this data (0x62F) and based on his work we wrote a little open source Arduino program that works with our Tesla Can Monitor. You load the program on the device. It plugs right into the Tesla diagnostics connector under the console, and you can view every cell voltage and module temperature. We added some other codes showing battery pack total voltage and current. All these CAN codes originate IN the battery.

If you click on the photo of the device, it will take you to our web description that contains a link to the source code for this program. It is relatively trivial. Interestingly, Arthur Heber at one time worked for Cafe Electric, developer of the Zilla motor controller.

In any event, if we can decode messages from the battery IN the car why can’t we do so OUT of the car. It turns out we rather can. But without the car, we are struggling to get the battery to close its internal contactors and actually provide power. We can get it to come up and make the CAN messages.

The battery features two control connectors, X035 and X036, and one large high voltage connector.


The High Voltage connector is kind of interesting in that I have no idea where you would get one.  We got ours off a wrecked Tesla of course.  And it is kind of necessary.  The battery pack has an unusual blade format for pack high and low.  But note there is also a round hole in the middle of the connector.  A metal pin inserts here to connect the pack to ground.  A second smaller pin is above and left of this.   This is a High Voltage Interlock  (HVIL) and it is a key element to completing the high voltage interlock loop that runs through the inverter, both chargers, the high voltage junction box, and the DC-DC converter.  Two wires in the battery pack apparently use this pin to make contact completing the loop.  We know it won’t close the contactors without a complete HVIL loop and indeed the battery pack contains a circuit termed the HVIL Generation and Detection circuit

The two control connectors are of course how the car actually communicates with the battery pack. I’ve made a little simplified schematic diagram of the connections that is some improved over the one flashed on screen in the video.

What we have tried thus far has mostly failed. 12v for contactor power comes from a simple 10A fuse in the vehicle fuseblock. The 12v Drive power seems to be the activating or wake up signal although we can also get the BMS to wake up and start transmitting CAN simply by sending CAN data to it.

The problem is getting the contactors to close. There are several requirements. First, the battery is not going to close contactors until the vehicle is assembled. That means the lid on the High voltage junction box, all the HV cables connected to it, the charger in place with the lid on and an inverter plugged in. This is the HVIL loop. As I said, part of this loop (not shown) is actually in the high voltage connector and so it also needs to be plugged in.

After that, it gets a little fuzzy. The DC-DC ENABLE signal is a little fuzzy. I don’t know if the battery enables the DC-DC converter or if the DC-DC converter enables the battery. But on the schematic diagram for battery control, it shows a ground to the DC-DC converter and then this enable signal. I’m guessing we have to apply ground to this pin to signal the battery that a DC-DC converter is actually making 12v and we are not just using the 12v battery to power the contactors.

After that, we are probably dealing with precharge issues. The High Voltage connector is wired into the high voltage junction box and so is the inverter. Indeed they are tied directly together with no contactors or anything between them. So we do need to precharge the capacitors in the inverter before closing the contactors in the battery pack.

Now I would just do this with a timer. But overkill seems always appropriate at Tesla motors, flush with thousands of young engineers looking for something to do. I think the BMS is looking for a CAN signal from the inverter to indicate a voltage that is pretty close to pack voltage before closing the contactors. It could send voltage through the high voltage connector through a resistor to charge the caps at a low level. Then wait for the CAN message from the inverter to indicate a voltage pretty close.

I like message 0x126 for this work. Why? I’m not sure it does ANYTHING apparently but indicate battery pack voltage measured in the inverter. And it does so in a very cavalier manner. Most CAN messages indicate voltage in a two byte integer with the assumption that the voltage represents hundredths of a volt. Therefore, you see the number 37245 you would assume a voltage of 372.45vdc. But CAN message 0x126 looks for all the world like a 16-bit integer representing pack voltage x2. And so you see something like 744 representing 372 volts. Why such a lack of precision? And why have it at all? Bytes 3 and 4 similarly look like current, but again, an absolute unsigned value and a little vague.

So we may be able to get a little something going from a CAN 0x126 simply repeating back the voltage coming from the BMS in its message 0x102 broadcast. BUT, we’ve never seen any sign of the precharge voltage on the high voltage connector AT ALL. So something is missing here to start the whole process.

We tried playing back the startup CAN traffic from my Model S, but to no avail. Of course, we have a 14 module 60kWh pack on the floor, and a 16 module 85kWh pack in the car. So there may be a basic problem from the get go. I’ve ordered an 85kWh pack that should arrive this week. But so far we struggle.

Beyond entertaining me, the whole pack approach just isn’t going to work for most DIY EV builders. If they could cram that much battery into a car, they probably couldn’t do it that way. But many are buying modules and trying to use them in their builds at lower voltages.

I get it. They are cheaper. And of course they are good batteries, if you use them the way designed. Fortunately, the modules come with their own BMS board attached. Unfortunately, we don’t know how to talk to those either.

I have examined them briefly and I’ll attach photos of what I found.

The heart of the beast is a Texas Instruments bq76PL536AQ1 chip designed specifically for monitoring lithium cells – 3 to 6 cells per chip. One of the issues with BMS design is isolation. The TI chip is powered by the cells it measures, though it uses very little power. It will also measure two thermistor temperature sensors.

The chip communicates via the Serial Peripheral Interface bus (SPI) and it rather cunningly has THREE busses per chip. North, south, and host. Normally the NORTH bus is used to communicate with the chip ABOVE it in the pack while the SOUTH bus is connected to the chip BELOW it in the pack. THe HOST bus communicates with a microcontroller. The chips can be assigned addresses individually, and so a single host microcontroller would physically connect to a single BMS board and by directing a read command to a specific chip ID, read any voltage from any cell in the stack. Or temperature sensor.

That’s all pretty good, but not what Tesla did at all. Perhaps the noise on the SPI bus between modules was too high for all this to work. But it would be odd for Ti to have such a scheme if it wouldn’t work at all.

They use an 8501 multicontroller from Silabs called the 530A. So EACH module BMS board has its own host MCU.

This 8051 MCU is then isolated by an RF isolator – another SiLabs chip the Si8642 and this is routed to a connector J1.

And so it would appear that Tesla is using some kind of serial bus, USB, RS-232, or RS-485 to communicate with 16 BMS modules on a single serial bus that daisy chains all the BMS boards together. That goes through the MCU and then to the Ti BMS chip using SPI.

Since the 8051 is programmable, we don’t know WHAT Tesla is using to talk to them. But we DID trace out the basic SCLK, MOSI, MISO and CS lines from the TI bq76 chip and they also route to a series of lands that are unpopulated but marked J2. Since the TI chip addressing and requests are pretty well documented, it MAY be possible to rig up an Arduino to these pins and talk to the bq76 chip directly if we don’t wake up the 8051. It was probably a test connector.

And of course, IF we get the battery pack working as a whole, we might be able to pop the lid and splice into that Serial bus and see what’s passing there for traffic.

Jarrod of Melbourne Australia hackaday project. Last updated April 17, 2016. That’s the ONLY reasonable work we’ve found on this at all and that essentially abandoned without conclusion. I scarce believe it. With 4.7 billion people on the Internet and 100,000 Tesla owners out there, surely EVTV and Jarrod of Melbourne can’t be the only savages on the buffalo hunt here.

EVTV has become a target rich environment at a point where the fearless leader can barely put in a 20 hour work week without a nap and a blanky. We could use any help offered.

Jack Rickard

175 thoughts on “HELP WANTED …. EV Battery Meister Mind.”

  1. Had downloaded the smaller (iphone) archive version of the current (2017-01-13) show only to find the link and download are actually the previous show (2016-12-02). Please find a moment to resolve the issue with the archive version.

  2. Wouldn’t Tesla’s closed and secretive design ethos call for steganographic keys not readable by the usual CAN sniffing? That is what I would do if I were paranoid or even just strongly concerned about proprietary and safety matters in my designs. Like an ancient Greek king who shaved his messenger’s head, wrote a message on the shaved head to another king, waited for the messenger’s hair to regrow, and then sent the messenger to the recipient king. There the messenger shaved his head and the recipient king got the message without its detection by others.

    That implies a “stripping” of received data at intended transit or receptor points. The remainder is the true message, which escaped “enemy” detection. The true message here would complete the loop and cause the contactors to close.

    You folks and Professor Jack in particular likely know this well beyond my mild experience with embedding secret messages. But if it was good enough for the machinations of Cardinal Richelieu, Mary Queen of Scots, and porn-sharing jihadis then perhaps its Tesla’s tactic too.

    You never know until you do.

    1. Reading messages from God in cloud formations. Tesla isn’t doing anything particular to protect their control scheme. They just aren’t doing anything to share it either. Everything I’ve seen has been normal CRC checks and quite ordinary verifications. I haven’t seen any evidence of “hardening” out on the devices. Obviously they have protected the MCU in various ways to prevent intrusion.

      1. Interestingly, they haven’t protected the MCU in each BMS at all, it’s firmware is readable, they didn’t bother setting the read protect bit!
        I reckon the decision to ‘harden’ an isolated system like a car is based on what is easy to implement and how the engineering manager feels about it. Wireless comms are a different story obviously.

        1. I was referring to the center console unit, also termed MCU, not the BMS 8051 chip. It runs Ubuntu and has a GSM gateway so I assume they have at least done ordinary Linux security type stuff to it.

          Throughout the car, everything else pretty much makes sense after you figure it out. No special trickery. A couple of items are kind of cunning but look to me to be legitate data verification of critical issues.

          I just haven’t seen much spy vs spy stuff going on so far that I can think of.

  3. Let’s work together to take down this beast!
    So I haven’t updated the hackaday project in a while but some progress has been made.. I’ve got a fellow hacker working on the assembly code with a commercial decompliler, progress is slow (due to lack of time/motivation) but we have worked out that Tesla is using a daisychain UART at a strange baud rate (612,500 bps, easily interfaced with another silabs 8051 dev board) However we don’t know the high level protocol, aside from knowing there must be a ‘golden key’ that makes the module talk and/or start BMS funtionallity. The assembly code is quite complex, it seems to handle this daisychained protocol.

    BUT if you have a model S and an open pack, can you chuck an oscilloscope or logic analyser on one of the BMS boards/wiring? If you can record the input and output signals (J1, pin 3 and 7) of the first BMS board this would give me a LOT to go on with hacking these things.

    Once we know the set of bytes which make up this ‘golden key’ I suspect the rest will just fall into place, and we can design a simple CAN interface board to talk to a string of standalone modules!

    1. Welcome Jarrod. Very pleased to learn you are still on the case.

      I do have a Model S.

      I do have a battery pack, which could be opened.

      They are not one and the same. There is no way to open the battery on the operating car and without getting the battery pack on the floor working, it does little good to open it.

      I think Golden Key is kind of overanalyzing. I would look to the formats of the commands in the bq76 communication data sheets and picture those being passed through the 8051 with little alteration. There are only 0x3E id’s available for the chips themselves. And I would view the 8051 as mostly an SPI to UART converter.

      1. Is it possible to extend the data and power cables to reach an external, opened pack? Or run the required communications wires out of a pack through a hole, then put it in the car?

        The 0x3E address range is only assigned when the bq76 is used in a stack (using the north/south comms interface) the address defaults to 0x00 otherwise. Since the Silabs 8051 MCU is addressing the bq76 using it’s Device-to-host interface, it must contain extra logic to allow addressing multiple devices.
        In fact, the default behavior is to simply pass all bytes down the chain, the MCU appears to be waiting for a ‘golden key’ to actually do anything outside of the UART interrupt code. I have tested this by sending bytes to a module at 612,500bps, it repeats them after a short delay. No single byte (0x00-0xFF) causes any other behavior, so the key must be multiple bytes..
        I suspect the MCU contains all code required to program the bq76 with a stored configuration and spit out the voltages and temperatures.

        1. Jack a good thing to test, when the Pack sends back canbus data, what is the internal serial bus doing? I would suspect it runs checks to see if all the cells are present and with in spec, so a capture on the internal serial bus would be very helpful.

          Kind regards, Tom

          1. I like this idea. Yes, I can kick it now and get it sending 0x6f2.

            So it is probably live on the UART bus getting voltages.

            I’d have to pop the lid and splice into the bus, but not really a biggie.

            Jack Rickard

          2. No. I’m in a Texas Race Riot right now with some Chinese wire harnesses for the Tesla drive train and I have two I have to get out by the end of last month.

            Collin is going to come down from Michigan in March to work on a couple of issues. He’s trying to decompile the firmware you provided now. I have a new 85kWh pack coming next week.
            I think we’ll work on some things to get the whole pack in operation then and pop a lid on one of them to see what traffic is on the UART bus to the module boards. Being a very odd bus speed, apparently, I’m not sure I can work out
            what to connect to it at this point.

            If you are in country you’re welcome to join us. He hasn’t given me an exact date yet, but I’ve asked him to come for a week. I have found some 4 inch casters that fit the battery frame perfectly so we can freely roll them around and
            I have one at waist level on a roll around table we built for it.

            I have a daughter at the University of Flinders in Adelaide.


          3. Curious, is “Texas Race Riot” an idiom?
            So you are based in Cape Girardeau? Bit of a trek from the west coast :/
            The uart speed won’t be a problem if you have a logic analyser or oscilloscope with deep memory?
            Ideally probe the input and output of one module, then the output of the next module too (so we can see how messages get passed along). plus the shared bus on the grey wire.
            Save it all to CSV and we can run a protocol decoder on that.

            Alternatively we could look into making a native 612.5kb speed UART bridge to some synchronous serial protocol than can interface with an arduino or something.

          4. Yes, I am planning to come down to the Cape in March, hopefully the middle of March. I’ve got to plan it around some personal stuff.

            The speed of the UART is odd but I have a Saleae Logic so I can grab the serial data at pretty much any speed and interpret it. The processors we like to use (ARM Cortex M3) run at 84Mhz but the peripherals are clocked from the 12Mhz crystal instead which is a shame. Unfortunately, 612500 bits per second doesn’t divide cleanly enough into 12Mhz but does into 84Mhz. It’s not terribly likely to match the baud with most processors – that .5Mhz on the end of the 8051 speed really makes it an oddity. 24Mhz would be fine, 25Mhz would be fine, 24.5Mhz sucks. I could probably bit bang that speed on an 84Mhz processor if I didn’t do much else, at least for testing. Or, grab a 8051 test board with the same basic processor as on the BMS and then remote control that over SPI or something. I have some other boards as well, maybe one of them can match that baud rate.

            I’ve found that many disassemblers for the 8051 architecture seem to let me down. Quite often they can disassemble but they also interpret data as code because they don’t actually trace through code paths. I found radare2 which is an absolutely awesome open source IDA Pro clone (of sorts) but the 8051 disassembler in there needs some work. I might have to fix it so that I can use radare2 for further analysis. When it works it looks really nice. But, I can’t trust it with the disassembly issues. If the disassembly where fixed then Radare2 can trace through the code, show you where jumps go, follow them, etc. It’s a lot like Ida Pro but not $600. I think there are only two types of instructions that are broken in radare2 but I can’t believe that a 37 year old architecture has such poor support everywhere I look. It isn’t as if people haven’t had the time! The instruction set hasn’t changed since it was released in 1980.

            I haven’t looked at the code in days (been out in the world of bluetooth low energy) but I’m back to it again. I think I’ll fix radare2 and then use it to aid in tracing all the paths. In theory it can emulate operation so that I can see where in memory it is reading more easily. I’m starting to suspect that the XDATA usage might really be a weird way to access the hidden 128 bytes of RAM that must be indirectly accessed since they overlap with the 128 SFR bytes. I cannot find any reference to this chip actually having external RAM or any way to access it so the instructions that seem to do it either are not really instructions (rather, they might be data) or XRAM accessing instructions can access the 256 bytes of internal RAM (though I don’t see anywhere in the reference document that says this). I think you’re right Jarrod, I think the code has stored in FLASH a data byte sequence it can play back to the bq76 chip to tell it to spit out voltages, etc and then it can grab that data back and spit it out on the serial wires where it gets sent up the chain until it reaches the main MCU. Perhaps I should search the rom dump for byte sequences that look like bq76 commands.

          5. Collin, you can use an FTDI chip to do the 612500 baud UART natively. Just open up PuTTY, click serial, set the corresponding serial port (COM6 was channel A for me) Set the speed to 612500. That easy!
            It works on an FT2232HL with stock windows driver, should work for FT232 also. I confirmed the frequency is correct with an oscilloscope and I can listen to the silabs 8051 I programmed to output bytes at 612.5k for testing.

        2. My understanding of the data sheet and a couple of communication addendums was that 00 is broadcast. You can assign any id you want with a simple WRITE command on the SPI bus.

          So if it was me doing it, I would just assign IDs in the 0x01 to 0x3E range, actually 0x01 through 0x0F for that matter. Then address ALL of the bus with a series of eight register read commands right out of the book to get 6 voltages and two temperatures under a single ID. Then bump the ID and do it again. The only bq76 to respond would be the one with that ID. And the 8051 would basically serve as a UART to SPI converter. The MCU and isolator chip then kind of sorta/make sense if they were getting too much noise pickup on the North/South SPI busses or just wanted a more EMI hardened system.

          612 kbps though? What’s that about? I guess a compromise between UART speeds and SPI speeds so they don’t have to do too much buffering?

  4. Trying to reverse engineer the board from pictures, almost got the spi bus mapped. However The SDO pin 41 on the BQ76 goes to the IC named U6 and not to the F530A, can anyone tell me what chip this is?

    1. Turns out that indeed everthing is hooked to the J2 for direct spi for the BQ76, however SDO or slave data out is NOT connected to the F530A it connects to u6 and eventually u5, would tesla really run the SDO bus all the way out through the pack?

      1. Could be a wake-up signal in case of a fault. I was wondering what CH4 on the isolator chip was doing.
        I suspect SDO/MISO is connected to pin 20 (P0.1) on the 8051 via an internal PCB layer, I’ll check this out tonight.

        1. I’ve been looking at the disassembled code (I ran a few other disassemblers too). It appears that it somewhat extensively uses external RAM. I don’t know whether the chip in use has such XRAM on die or if it is talking to some external chip. It does do SPI reads and writes so one would think that both pins would have to be hooked up to the 8051 chip. There’s really only one SPI write routine and one SPI read routine so that makes it a little simpler than the UART where it seems there are multiple code sections that work with the UART – sometimes with interrupts and sometimes without. The SPI is never interrupt driven. I’m still trying to figure out exactly how it all works but mostly the original disassembly file was pretty good. There are a few sections in there where I’m about 90% sure it’s a data table or something and not actual code. There are MOVC instructions in there so it does read bytes out of FLASH space.

          So, I guess it’s kind of complicated for 5k of code – there’s XRAM usage, flash reading for data tables, UART being accessed in multiple places, and spaghetti optimized code everywhere. But, it’s possible to decode it all. It just takes time.

          1. I had a shot at decoding the assembly, I didn’t get much further than the serial ISR, (which seems to handle message forwarding through the chain of modules) None of the free 8051 emulators handled it very well, so the spaghetti code had my head in.
            A bloke on, Jason is helping out reverse engineering the firmware. He is using his copy of IDA to reverse it, last I heard he’s done the startup code and state machine paths and is working on the communication protocol.
            Both SPI pins are hooked up, the MISO just passes through a logic gate and resistor first. the wake-up logic is involved somehow, I suspect this allows the bq76 to wake up the MCU in case of a fault (why they didn’t use the dedicated fault pins I don’t know)
            There are 256B of ram, 128B of it is indirectly addressed RAM. and program memory/flash. I don’t think there is any XRAM on board, perhaps the bq76 is memory-maped and accessed as XDATA?

          2. I’m quite perplexed at the XRAM usage. I can find no reference to there being any on-die and the spec sheet for the processor is very vague on how one would even connect external RAM to the processor. But, all assembly listings I’ve been able to grab show MOVX instructions that use the data pointer registers. I didn’t ever try to decode where in XRAM it is loading and saving things. That requires tracing around through lots of jumps. It’s been an interesting challenge but it sounds like Jason is farther along than me so perhaps I’ll wait it out a bit and see what he finds. I wanted to use IDA to do the reverse engineering but I don’t have it and none of their free or demo products support the 8051 (naturally…)

    1. From the TMC forum, and a guy who lives in MA where the service manuals are supposed to be available….

      In this post he explains that he does not have high hopes for the opening of the service and parts for the DIY crowd.

      This thread is very entertaining if you have the time. I’ve been following since the start and I can’t imagine reading from the beginning at this point.

  5. When reverse engineering CAN buses for other EV projects I’ve always hacked up a CAN proxy. Two back to back CAN adapters that go inline and repeat data from one to the other. With some simple capture software you can grab data as well as detect which direction the data went. The tricky part with CAN is that everything is more or less a broadcast and it is not obvious who transmitted it. I would splice a proxy in between the pack and the car on a working vehicle and get a capture. Then splice into the CAN bus by the inverter. Repeat captures for every CAN device you suspect is part of the transaction. Then take a battery that isn’t connected to a car and try replaying bus messages to it and see what happens. If you succeed in faking it out, start eliminating messages until you figure out which ones are required. This technique worked well on reverse engineering several vehicles in past conversion projects.

    1. It’s a good technique. But we’ve rarely needed it. In this case, I can simply connect the EVTVDue to the CAN lines on the battery and apply 12vdc. The BMS comes up spewing CAN in all directions. Including the following message ID’s.


      If you notice, they all end in 2. Further, if I compare this list with a full Model S CAN capture, I don’t find any messages ending in 2 that aren’t on this list. So this is the list of BMS OUT CAN messages.

      These are the little deductions you have to supply. If a single device puts out 25 messages all ending in 2, the conceptual leap that all messages ending in 2 most likely come from that device is not something requiring Einstein.

      So we don’t have much of a problem with direction. And while it can be a puzzle sometimes, and we have considered your technique as our CANDue shield already HAS two ports and could easily act as a proxy, in practice we’ve never really needed it.


    2. Welcome Mark! It’s always interesting to see another GR native on here. We’ve at least tangentially meet at various west Michigan maker’s and embedded developers meetings. I didn’t know you were into electric vehicles as well. What a small world!

      The EVTV CANDue 2.0 has two CAN buses and I’ve started to write up firmware support for making it a man in the middle device and then determine which messages are sent on which sides and which messages are accepted (ACK’d) on each side. That way it becomes simpler to determine what is required to get a given device to operate. So, it’s on the docket of things to do.

      1. I’m sure you have bigger fish to fry, but I hope you will have a look at the GEVCU code related to the random State of Charge/Amp Hour display for the EVIC. I pointed this out last year and now Jack has experienced it with his green Thing. Everything else on the EVIC agrees with the web dashboard and the Energy Gauge resets properly after a charge. As I may be one of only a few GEVCU/EVIC users I understand this may be low priority. I’m running GEVCU 5.220 code on GEVCU-4 hardware. Thanks

        1. Fred:

          I’m thinking Andromeda Systems changed the CAN id for those two items. I’ve just gotten the latest from them and I’ll inquire. You’re right we need to address it. But yes, it’s not real high on the list at the moment. I have to flash one for another customer and I will try to see what’s what then.

      1. Yes, interesting idea. There actually do exist can devices that can do this. It allows for remote diagnostics or monitoring so that someone can connect to cars situated somewhere else and see what is going on. I built a system like this for another design I did. I had Zigbee connected devices. Zigbee runs on the same 2.54GHz spectrum as wifi but with limited range. I had them installed into vehicles which were not always within range of my computer with a dongle sticking out of it. So, I wrote a problem that connects to the dongle and tunnels the traffic over TCP/IP to a second computer where the monitoring takes place. In fact, the C# program that was the basis for SavvyCAN was itself based on the C# program that did the Zigbee monitoring.

  6. Jack, one doesn’t have to believe in Climate Change to understand that the same things cause bad air. When I was growing up I lived in Birmingham, Al and there was no air quality issue. Today I live in North Alabama and I have to go to Birmingham monthly for work and unless there has been a several day rain, air quality warnings are broadcast and displayed most of the time. In the ’80s I used to go to Las Angeles for work a lot and you couldn’t see the sky until you got to the beach. Seeing as how we need clean air, it would seem to a reasonable person to do everything you can to preserve our air and if that too help the climate, well that would be a good thing too. Simply Google how much CO2 is released into the atmosphere per second and the common agreed upon amount seems to be about 2.4 million pounds per second. Seeing as how there are over 1.2 billion motor vehicles running world wide I would say that the 2.4 million pounds a second would be a fair estimate. Now whether a person believes in Climate Change or not, it is hard for me to understand how law makers can know these facts and not want to do something to help protect the available clean air for their children and grand children. Living in Alabama I have Sessions, Shelby and Brooks, they get paid by oil companies and no longer even seem to hide the fact and seeing as how Alabama has now become the 6th most corrupt state I don’t expect anything to change for a while to come. You can’t even buy a Tesla here and nor can you watch porn on you TV from Dish Network nor do we have the lottery. Freedom, right? They seem to think they have to protect us from ourselves except where things like air quality is concerned and then forget it.

    You keep up the electric cars because we badly need this as this will solve many problems we face, air quality, water quality, oil dependency and on and on, What you are doing is important while I don’t agree with your politics I do agree with what will become the result of your efforts and that will be a reliance on wind and solar and less on oil and the end results will be the same.


    1. I don’t know anyone who doesn’t believe in Climate CHange. The climate changes. Moment to moment, day to day, and eon to eon. But the old saw still holds: Everybody talks about the weather but nobody does anything about it. The question dujour seems to be if we are effecting it with CO2 emissions. I think that’s a dubious proposition but I’m willing to listen. I am not willing to listen to nonsense. I detect little debate. And a lot of religious chanting of nonsense. What I do think I know about it involves a massively complex system subject to enormous forces that imply we could have little effect on it if we strove mightily to do so. But give me a lever….

      Nasty air I can deal with. And I am haunted by Chai JIng’s documentary Under the Dome

      And so again, there are many reasons to protect the environment and end dependence on fossil fuels. I do not need fantasies for motivation.

      Jack RIckard

      1. Yes, we are (strongly) affecting the climate with CO2 emissions. 97% of climate scientists see the evidence and don’t think it is nonsense. This sort of consensus is about as good as it gets on a topic so political. It’s not religion, it’s heavily scrutinized science.
        And unless there is some groundbreaking reason to ignore all the current evidence and break all the theories and best models, the only debate required is what we are going do about it.

        1. Ok, I’ve heard this so many times I have to address it. It is NOT accepted. There IS NO 87% consensus among scientists.

          There IS an ongoing joke among those in the field regarding the supposed “survey” generating this nonsense. But the American public doesn’t get it. This is another one of those fake news bullshit items derived from a comically manipulative survey designed to produce exactly what it did. But it has been amazingly effective
          But if by some miracle 97% of all “scientists” agreed, the history of scientific discovery is pretty much absolute on this one. Whatever 97% of all scientists believe ALWAYS turns out to be in error – or at least 97% of the time.

          There are NO scientists that believe we are strongly effecting the climate with C02 emissions. In the past 20 years sea levels have risen 23 mm. Average temperature has risen 0.7C and that is a bit controversial as the measurement places have changed during that time. And at least two studies aiming to prove the assertion that weather patterns have become more violent in the past 10 years have failed utterly to prove that and instead indicate an unusually calm period with regards to notable weather event.

          The claim is that it WILL strongly affect climate in the future and it is ALWAYS in the future. If you review Al Gores original documentary it predicted pretty much a disastrous 2016, which just didn’t happen. At all. He is currently releasing a new updated documentary, pushing everything again off into the future and I have no doubt his predictions will be equally comical by the expired timeline.

          The gullibility is disheartening. The lack of science is disheartening. And the DROVES of scientists who have proven they will do anything and say anything for a grant is disheartening. What I don’t understand is the absolute passion of ordinary citizens in grasping this nonsense to their breast with such fervor.and passion. What? Why? CO2? It’s a very nice and very useful gas, absolutely necessary for all plant life planet wide and it is at a historical high of 400 parts PER MILLION in our atmosphere – a record high. I might be alarmed if you could show me it was DECREASING as our food supply is rather dependent on its presence.

          That the predictions issued over the past 20 years have 100% proven to NOT be true, does not seem to dissuade believers that the new predictions WILL be true? This absolutely defies logic. If your sea level rise didn’t happen, and your temperature rise didn’t happen, and your violent weather didn’t happen, then why should I believe you now?

          Because the “sources”, the scientific community, the press, and the alt-left libtards have proven SO whorish on this topic in the past, I would examine any future evidence very very skeptically at this point. But I could be persuaded.

          But it just isn’t necessary as a motivator for decreasing our dependence on fossil fuels. And while it would be handy and self-serving obviously for me to jump on the bandwagon, I simply refuse to do it. It appears to be nonsense and I have an extremely low tolerance level for nonsense. The adoption of electric vehicles addresses an impressively wide range of otherwise disconnected problems as the most effective solution to all of them entirely ignoring climate change. In fact, it is actually elegant in being totally effective on air quality, health, economics, international trade, military adventurism, personal financial issues, geopolitical conflict, and so much more. These are all easily provable, demonstrable effects on real issues and real problems. We don’t need 97% of “scientists” to aid us in this. Any moron knows that suck starting an Oldsmobile through the tailpipe is not good for the lungs. Or that spending $50 million PER DAY on importing oil is not going to turn out well for our economy. Or that relying on totally unreliable unstable strife-torn areas of the world as a source for that oil is not prudent public policy. CO2? Have you had a peek at nitrous oxide? Carbon monoxide?

          1. Ok we’re doing this eh? It’s off topic (although I did see you made a blog post previously about this) but it’s important that we get this right. So please allow me to rebut.

            At one point I believed what you do, I knew a man who wrote a book on the topic, why man-made climate change is all a great swindle. But I looked further into it and realized many flaws in the argument (basically the same argument you made in your earlier blog post, warming due to increased solar intensity etc) The facts simply don’t align, and the motive to fake this doesn’t exist.
            BTW I grew up, studied physics and engineering and worked in Australia, recently moved to America. So clearly immune to your american news cycle 😉 Not that Australia is much less insane..

            On to the science!

            Who are these scientists that are joking about the consensus? Are they serious climate scientists publishing serious research? because that is the 97% we are talking about here. The survey (and multiple others before it) rightly ignore non-experts because guess what? Non-experts don’t know what they are talking about!
            “We define domain experts as scientists who have published peer-reviewed research in that domain, in this case, climate science.”
            Here is the latest survey for those who haven’t seen it:

            >>Whatever 97% of all scientists believe ALWAYS turns out to be in error – or at least 97% of the time.
            I don’t understand your premise here. So more or less of a consensus is better? What are you talking about, the scientific community moves towards consensus when something becomes better tested and predictions hold true. Like the laws of thermodynamics, or Special Relativity or Quantum Mechanics. THEY ARE THEORIES. They are incomplete/inaccurate but they provide excellent predictions of the universe when applied appropriately. And most scientists agree!

            As you mention, the earth’s climate is an extremely large and complex system, as such it is hard to predict how an increase in retained heat will affect land temperature and heat flow through the oceans. But it’s easy to measure the heat from the sun, we’ve been doing it accurately with satellites for decades. It’s easy to measure the heat in the atmosphere, and how much heat is being retained. weather satellites RELY on the fact that CO2 retains heat to make measurements (it’s well proven science and it provides the basis of weather forecasting.) We find that solar intensity hitting the atmosphere is actually falling, the heat being retained by the atmosphere is increasing (greenhouse effect) and global temperatures are rising as a result. Proof of the greenhouse effect increasing doesn’t get any more obvious than this!
            See the NASA FAQ.
            Plus measurements of the atmosphere reveal warming at the surface and cooling in the stratosphere, consistent with a greenhouse effect.

            >>In the past 20 years sea levels have risen 23 mm.
            Is that an alternative fact? NASA says 81mm, with a rate of 3.4mm/year
            >>Average temperature has risen 0.7C
            0.77C is a huge anomaly for such a large system in such a short period of time. Consider that 84% of the heat from global warming has been absorbed by the oceans.
            And they science the shit out of these numbers! Taking as many factors as possible into account. Including variation in measurement sources. Why do people always assume scientists don’t take X into account? They would get blasted by reviewers if they didn’t. That part of the scientific community works very well.

            Land temperatures are rising, ocean temperatures are rising, ice sheets are shrinking, record climate events are happening yearly, farming seasons are changing. How is this not the predictions coming true? Sure the models from 2006 may not have been 100% accurate but the science continues to evolve. Earth’s climate is a complex system!
            But the trend holds true, and more recent models provide far more accurate predictions.
            How much evidence will it take? Another few degrees of warming? Another few decades of record weather? Displacement of a billion people? Starvation of billions of people?

            It’s happening, it’s just slow enough not to be spectacularly alarming to our strange little minds.

            Ok I agree that there are reasons other than reduction of CO2 to shift to electric cars, but I wholly disagree that reduction of CO2 isn’t important. If that were the case then there would be no reason to shift away from gas and ‘clean coal’ for electricity production, of which we have plenty. And according to you, CO2 seems to be good for the environment.. so why would we stop using this plentiful cheap energy source? So there are arguments that renewables are approaching, if not already dropped below the cost of coal, but there is a lot of momentum in the mining/burning business and a lot of politicians-in-pockets, and as the science clearly shows, we can’t afford to continue burning.

          2. Paranoia being endemic. No, WordPress just sort of randomly requires me to approve some messages and not others. Not sure why. Sometimes I have to approve my own. Probably length or perhaps links. Its a spam filter.

            23 mm is from the NOAA. They’ve been monitoring since 1992. NASA doesn’t know shit about it though they put the satellites up. But if I grant you 81 mm in that period, what? 25 years and 3.18 inches on an ocean level that has varied +/-400 feet? What am I supposed to do with such nonsense? Yah. Read another book. It’s a cottage industry…

            You’ve drank the koolaid and I’m not going further with it. It becomes a religious argument with you guys and I just can’t do it. Believe as you like. Not my circus. Not my monkeys.

            Jack Rickard

          3. Just when I thought we were getting back to electric cars and such, politics and climate rear their ugly heads again!

          4. Yeah these threads should have a minimise option. What can I say, I’m new here..
            Jack, where is my reply from this morning? “awaiting moderation” hmm.

          5. I always find it interesting how lay people question the work of subject matter experts and contend that they know better.
            You seem to have quite a strong opinion on it Jack based on non-scientific hand-waving arguments. Unfortunately it seems to be the way people argue against climate change – ignore the science, ignore the experts and generally insult people who are trying to do something about it.

          6. Is there anything pertinent to any of the discussions here? Or just a hater “look at me” message to alert us that you exist?

            I always find it interesting how lay people buy into the awesome godlike qualities of subject matter “experts”. Having been in the same room with an almost all encompassing number of subject matter “experts” on a very wide number of fields, I can assure you that 85% of them are totally incompetent, in the same way that 85% of everybody else is totally incompetent. And particularly the American idolization of “scientists” and experts is inexplicable. And what is necessary to become a “subject matter expert” is truly discouraging. Your shock and awe at popular science, as opposed to actual science, is evident.

            Pardon me for seeming to have quite a strong opinion on it, but I think this is more your read than my write. I do NOT have a strong opinion on it if “it” is climate change. I DO have a strong opinion on YOU and your propensity to ape/repeat nonsense gleaned from news sources who have no idea what they are reporting, but a lot of idea on why they are reporting it. And you fall in line like a lemming. It actually angers me to observe people checking their brains at the door and eating spoonfed nonsense in place of thought or investigation.

            So yes, having busted the “science” giving blowjobs in the alley, I do ignore the “self appointed self aggrandizing” version of experts, and I do generally insult the morons that buy into this crap. None of them are actually trying to do something about “it.” We do more “about it” without even drinking the koolaid than 99% of the religious zealots who advocate it so vocally. As I’ve said, there are many very good reasons for action without relying on pathetically childish religious dogma as a reason to do so.

            That position IS going to offend your religion Ben.


            Jack Rickard

          7. In any event, actually doing and testing is much more important than my airmchair quarterbacking, theorizing, and attempts to type myself smart. Again, brilliant work.

            I guess you are Jarrod.

            And that is indeed the difference. Your global warming religion is rife with people typing themselves smart. And very few doing very much testing and demonstrating. At this point, the system of experts in the field is almost completely whored out by two things, grant money and career pressure and that is simply demonstrable fact. There have been dozens of complaints of actual scientists who have done studies and published, or attempted to publish, who found it a career ending event because it did not support a political narrative. In many cases this was someone who DID buy into the global warming narrative, but the specific data studied did not support it and there were powerful forces attempting to actually suppress this information. At that point, and by this I mean at the point that that is happening AT ALL, they essentially discredit the entire field and any of its findings. Good with the bad. They are all dirty by association and cannot be trusted to report scientific findings reliably.

            So you have an almost incomprehensibly complex system, studied with very meager means, but in any event it is demonstrably dishonest. We are in a new dark age in this area. Heretics are burned at the stake career wise and it is indeed no longer a field fo study but a religion.

            Science is a process. Postulate. Gather data. Hypothesis. Test against data. Theory. Confirm against data repeatedly. And in a very few cases, a law. That is the belief that there can be no data that will not prove it. This is a linear and rigorous process.

            Global warming is at the Postulate state. And they not only don’t need data. They actually suppress any that don’t support the postulate. The train has jumped the tracks before it left the station. And a hypothesis would indicate we can predict outcomes from data. So far, we demonstrably cannot. And virtually all predictions from the last 20 years have failed utterly. So they simply keep making them and pushing them farther out into the future. It is pop science. Driven by environuts who have siezed on it as the ultimate lever for control, and a news media hopelessly enamored of the concept of being viewed as intellectually superior by adopting the song. In truth, moronic 28 year chicks with big tits and microphones miming things mindlessly.

            As I have said, the ultimate irony is that global warming and at least anthropologic climate alteration could still be true. But it’s unlikely that we will know soon in this environment. Indeed, it would appear climate research is essentially halted in any useful form by political forces, and good people are abandoning the field in droves and in disgust. Meanwhile, the religious zealots and pop science fans are linking each other with Googled links by the pound in a frenzy of what they think is information. It is noise.

            An impossible situation. Annoying, but not particularly important or pertinent to me or my life.

            So who do I trust? I trust you. You have tested. You have published. And I can fairly readily verify your data. Have to get an FTDI chip and somehow get an Arduino Due to do 612kbps, but it looks pretty straightforward and a Teensy already does it. Collin has already passed data and gotten a response.

            I on the other hand postulated. That apparently keyed you to success. But it was just a postulation. It was not a theory. It wasn’t even a hypothesis. It is now. And if we find we can reliably predict cell voltages and temperatures by reading messages on a serial connection, and can verify that with known good Fluke meters and temperature probes, it may be a good one.

            Jack Rickard

  7. Yea, I am not happy when. 95 F-250 pulls along side me at a red light. With its Bullydog tuned stovepipe aimed right at my face. I do get a little nervous when I hear about polar ice melt. I remember as a kid, the strange and nasty smells coal stoves make. So, I am sold on solar and electric vehicles.

    But it really pisses my off to see the waste of our time and efforts in-fighting about why we are sold on ev’s, when we are already sold.

    When so many Musk fans are pissed about what he is doing with Trump is beyond me. He should be applauded for what he is doing. And I bet he is holding back a lot of frustration. But hey, this whole deregulation thing might just work for solar instalations, direct sales, new construction, rocket launches, and on and on.

    We should be creatively thinking what we can do to sell the idea of alt energy ev’s, instead of fighting over it. Its our job. I am working on a project now to do solar shed. It will be 120 sq ft and produce just about 2000 watts. Over the course of 7 hrs in to 24KW battery pack I plan on taking few circuits off the grid, specifically constant usage and high importance, like refrigerator data coms, lighting. I tell my redneck doomsday preppers about keeping beer cold during apocalypse and THEY ARE SOLD. I tell my penny pinching misers about how I can recover my investment in 1 year, and THEY ARE SOLD, to have free power after recouping.

    Can’t we all just get along?

    1. I agree Jack P, we need to learn how to get along with each other. It appears that we are on the cusp of breaking the code on the Tesla battery pack and it would be a shame to have a little disagreement on why it is important to do so, come in the way of actually doing it.

      It appears we all agree that coal fired electric generation and fossil fuel exhaust in cars and trucks at least has a local air quality impact, so it is quite plausible that if the local air quality is impacted a lot then the total air quality of the planet is being impacted at least a little.

      Maybe rising average temperatures, melting glaciers, detaching ice shelves, and rising sea levels is just a natural phenomena that occurs naturally through out history but it does seem to be occurring now at an abnormally accelerated pace.

      Hopefully the Tesla reverse engineering can keep moving forward regardless of the reason those involved are engaged in it.

  8. The Daimler Smart ForTwo Electric has Tesla DNA, that is, the 2nd Gen model Smart Electric was a joint design with Tesla, with a Tesla HV battery pack. I and a friend are currently working on a 3rd Gen unit pack to understand how it works in an effort to resurrect a salvage Smart. Therefore, I pretty well know my way around the HVIL circuit and the battery pack, and, based on what Jack as described, it appears some Tesla design concepts have passed on to the 3rd Gen Smart BMS design. The following information may assist you with the Tesla HV pack.

    1. The HVIL two wire circuit in the Smart loops in and out of all the units that are connected to the HV circuit, that is, HV pack, electric motor, a/c compressor, PTC heater, inverter, charger, DC/DC converter. Its two wire circuit is built into the HV connector between the HV units. If you disconnect any HV component, you break the HV safety loop and the contactors break and the HV electrical system is discharged. The HVIL has a 88 Hz frequency superimposed on the 12v dc voltage on the HVIL circuit. The various HV components offer differing dc terminating resistance values, so the system can tell, electrically, what unit is not in circuit or is bypassed. The HVIL signal appears to originate in the pack central BMS. The pyrofuse (triggered by the restraint system or the crash sensor in the event of a crash) and a manual high voltage disconnect are connected in series in the HVIL circuit. You therefore may need to simulate a HVIL circuit external to the pack.
    2. The pack low voltage connector has connections for CAN signal lines, battery ground and BAT voltages. There is also a Battery (KC) enable line. KC can be considered an emergency line that tells the pack to shut down due to crash event signaled by the restraints system or crash sensor. It comes from the Pyrofuse circuit. The KC line is also connected to the charger low voltage connector. The contactors will not close if KC is not pulled high to BAT.
    3. The BMS passive balance boards in the Smart (there are 3 of them managing 31 cells each) use the same Texas Instrument chip (bq76pl536-q1), however the MCU is different, a S12G. A Texas Instrument MCU, the MSP430F5529 is used in Tesla. You will find all you ever need to know about the balance chip and the MCU at the Texas Instrument website, COMPLETE with an evaluation board (approx $400) and SOURCE CODE for balance chip and MCU.
    So right away, you have control at balance board level ; – ).
    4. The MCU in the Smart connects via SPI to isolators and to two CAN transceivers to the central BMS unit. This means that CAN msgs can be sent and received from each balance board directly. Is this different for the Tesla?
    5. The balance board draws its power for the balance chips and MCU from the pack cells. If the pack voltage drops below a certain point, the central BMS cannot communicate with the balance chip and MCU. You will in this case, need to charge up the cells in the pack to a nominal voltage.
    Hope this helps.

    1. Thanks for the info.

      4. The MCU on the module boards is different and there does not appear to be any CAN transciever chips. It is isolated. But it appears to be some sort of UART.

      3. Yes, we have that data. But it is unclear whether we can talk to the chip with the 8051 onboard also trying to be a master.

      2. I’m assuming you are referring to 12v as BAT. If so, yes it is the same.

      1. HVIL is most probably where we are going awry. I have been trying to simulate this loop, but so far, haven’t gotten anything to close. Most of the loop doesn’t have resistors, but the inverter and charger each have a 60 ohm. Anyway, so far, nothing has worked.

      There is also an ENABLE signal from the DC-DC converter to the BMS. Do you have any idea what this is or what it is supposed to be?

      Jack Rickard

      1. I have one of the Smart motors, the interlock circuit appears to be current sensing, and the loop current is nominal 20mA. The smart motor has a 60ohm sensing resistor with two comparators, one upper and one lower threshold. To spoof the current loop for the motor I use a 200ohm resistor and a 5V supply. (5/260=19.2mA)
        However in-system the HVIL loop must be supplied from somewhere, perhaps in the Tesla the BMS is the source and it tests the rest of the loop resistance and won’t start if it doesn’t see the correct resistance. Can you measure the loop resistance of your car from the BMS connector?

        Regarding the enable signal, is the Tesla DC-DC converter connected to a 12V battery? maybe it sends an enable signal to ensure the 12V battery is ok before HV is applied. Since a lot of the HV components require 12V also..

        1. That’s interesting. For the Smart, If you take a nominal 12v dc supply and chop with a 88hz square waveform, what is the average resulting voltage? If you then divide by a loop resistance of 120 ohms, might result in 20 mA. Anyway I take it that to enable the Smart pack I should arrange for the external network to result in a loop current of 20mA. Thanks ; – ).

          1. Can we scope the HVIL output from the pack, when power is applied and confirm output if output is DC or chopped? Can also then try adjusting for 20mA loop current.

          2. The 88hz thing is strange. It doesn’t seem to be required to get the motor to spin though. Did you measure this on a working Smart car? The guys over at illuminatimotorworks didn’t pick up on it in their reverse engineering efforts.
            It’s not going to be an averaging thing, it’s too slow frequency and doesn’t really work with a current interlock loop. It could be the pack retrying to get a good interlock sense if you measured it on a non-working system..

          3. The 88 Hz signal is described in Daimler WIS. That is the way the car is engineered. I have also scoped it.

          4. Daimler is the parent company and owner of the Mercedes Benz and Smart vehicle brands. WIS is their Workshop Information System.

          5. Access to WIS subscription service is available to all at the STAR TekInfo website. STAR TekInfo is an official Mercedes-Benz USA, LLC site for hosting service and repair technical documentation for Mercedes-Benz vehicles.

            There are brief mention of CAN bus and LIN access points and such information in functional descriptions, but no actual details of structure or actual CAN instructions in WIS. This is not necessary, as Daimler technicians have access to diagnostic tools that can read proprietary CAN data at the OBD2 port. Access to CAN instructions in the public domain can also lead to unintended but grave consequences. StarTekInfo subscription is very pricey ($60/day or $3098/annum). If you do a lot of MB or Smart work, consider getting a MB diagnostic tool, Star C4. This comes with WIS and is available on EBay. I think your methods (live data capture and later analysis) are the only options available to us all.

            I still believe the chopped 12v dc at 88Hz results in an average voltage of approx 2.3V and corresponding 20mA current sensed by motor and charger used in published hacks of the Smart motor and charger. I will put a high impedance multimeter on HVIL to get actual voltage readings. Same can be tried on the Tesla if an appropriate and safe access to HVIL can be identified.

          6. I have measured HVIL on the Smart Electric. The chopped waveform resulted in a reading of 9.8v relative to ground, and 2.2v relative to the 12v rail on a Fluke meter. Test were done at the X26 connector. HVIL is available on pins 9 and 10. Ground is on pin 11, and 12 V (BAT) at pin 12. So you do get 2.2V but it is relative to the 12V(BAT) and thus determines direction of current injection. If similar chopped waveform is on the Tesla HVIL lines, I recommend that the current source be pulled up to 12V (BAT), rather than to Ground.

        2. The Tesla motor has the same thing. It’s a 60 ohm resistor, but I don’t think there is any detection circuit in the motor itself. I apply nothing to the HVIL pins and the motor seems to work fine.

          My conclusion was that the 60 ohm resistor in the Motor inverter, and another in the charger, formed part of a large loop that included wiring through most of the HV connectors, the DC-DC converter HVJB, and so forth that all led back to the battery. The battery had both ends of this loop terminated there. And so my working theory is that the battery monitors this LOOP by injecting some voltage and measuring the resulting current through it. If you pop the lid on most things, or disconnect any HV connection, the loop is broken and the battery will not close the contactors.

          That is my understanding of the HVIL loop. Sam seems to indicate he has measured this as a 88Hz square wave. And so by varying the duty cycle, the battery can get any current level it wants to find. 20ma keeps coming up.
          The latest schematics show a 151.4k resistor to GROUND as well inside one of the chargers. I thought that peculiar.

          Jack Rickard

          1. Jack is right in the description of the HVIL circuit.

            I have just now noticed a key statement in WIS that, ‘ The interlock circuit is also LED SWITCHED in a series over the 12 V control units plug connection of the high-voltage components’. LED was written in small case in original document and is easily overlooked. This will account for the 20mA constant current used in some documented hacks of the motor and charger.

            Please see extract on the battery pack from WIS below.

            GF54.10-P-3004ED MODEL 451.390 /490
            Interlock circuit:
            The interlock circuit is intended to protect persons against inadvertent contact with high-voltage components. A 12 V/88Hz interlock signal is looped here through all high-voltage system components that are to be dismantled or opened.
            To do this there is a contact bridge in each removable high voltage plug connection which interrupt the interlock circuit during removal of the high voltage plug connection. The interlock circuit is also led switched in a series over the 12 V control units plug connection of the high-voltage components.

            The high-voltage battery is installed underneath the passenger cell on the underfloor.

            The high-voltage battery is divided into three blocks with a total of 93 series-connected cells. The individual cells are monitored by electronic modules (temperature, voltage, current). The battery management system control unit is integrated in the high-voltage battery module. It reads in the individual signals from the electronic modules directly.
            To allow the high-voltage on-board electrical system to be disconnected from the power source, a contactor is installed on components positive side and on the negative side. A precharging circuit breaker is installed to allow precharging of the capacitors of the high-voltage battery. The positive and negative contactors are not closed until this capacitor is fully charged.
            The high-voltage battery is cooled by a cooling circuit. On vehicles with code (V03) Battery cooling system, this cooling circuit can additionally be cooled by the air conditioning system via a heat exchanger. To heat the high-voltage battery, the cooling circuit can be heated by means of the high-voltage battery heater (R101). A desiccant cartridge is installed to dehumidify the air.
            The high-voltage battery serves as an energy accumulator for the energy supplied during the charging process or during regenerative braking in driving mode. The high-voltage battery makes the stored the energy available to provide power for the high-voltage and the 12 V on-board electrical system.

  9. Yeah, an FTDI device could work. I actually have both a 3.3v and 5v FTDI usb dongle. But, I’m not sure what the serial comm voltage is for these boards. I think I might be getting a Tesla module in today and that’ll make it a bit easier to test. If it isn’t 3.3v or 5v ttl serial then I’ll probably have to breadboard something to convert it. If it is one of those I could talk to it with the USB dongle.

    I kind of ended up writing my own disassembler because all the open source options sucked. Also, I found that it is almost certain that the code is using XDATA as a way to access the onboard RAM. It turns out you apparently can do that. Normally one would use indirect addressing to access RAM bytes 0x80 through 0xFF but I think they might be using the DPTR interface to do it instead. Also, in all the disassembles I’ve seen there is a jump to 0x463 but the disassembled code has an instruction starting at 0x462 and 0x464 so that’s in between. It turns out the reason is that they stored jump tables or something right in the middle of code at random intervals. So, it is true that the real instruction starts at 0x463. Because of this my disassembler actually works by walking through code and following branches to make sure it knows what is executable code and what is data. I also create a bitfield so the program knows for sure which bytes are decoded as instructions and which never were (and thus must be data). This has been complicated by the fact that jump tables are in code space and so to really follow those paths I’d have to emulate code to get the values in registers and such (especially important to track the value in DPTR). I haven’t done that part yet. Unfortunately, there are “JMP @A+DPTR” instructions in there. That looks like a jump table if I ever saw one. Those instructions are impossible to follow without determining the values that A and DPTR could take. That’s kind of complicated. But, I’ve got pretty good assembly dumps of the program and a partial view of the call graph and which bytes are actual instructions. It gets better all of the time.

    1. The RF isolator is only rated 2.7V-5.5V so your FTDI chips will be fine. Since you have a Saleae Logic as well, should be set. tomdb is making some progress with a set of master and module boards. we’re collaborating on the project page. feel free to join that project, it’s a pretty good place to share our results.
      I never understood why all disassemblers don’t step through the code as per 8051 spec. seems like the obvious way to implement it. I guess they trip up when they get non standard implementation. Nice work though I look forward to hearing more. The other bloke with IDA has gone silent for the last few months btw.

      1. Great work Jarrod. Great skills and intuition On the Smart SMS cell balance board (CSE) isolation side, there is an Infineon ITS 4140N current drive that is capable of driving an inductive contactor directly. A low on its input drive a contactor. Is this the type of open aggregating fault line (grey wire) you referred to in your note?

        The beast is wounded but is not yet down. Jack, do please send Jarrod one Master BMS board for reverse engineering of the firmware before he sets to work building his own. We can also stir him up a bit with comments on ‘climate scientists’ to get him going ; – ). But we do need the full HV pack working! Why you may ask? Apart from use in EV projects as envisaged by your good self, we need them for home PowerWall type solar projects.

        Imagine a 100KwHr Tesla ‘PowerFloor’ straight out of a salvage car. All safely packaged complete with internal BMS and coolant connections. All that one will need do is connect the solar panel inputs of a 350-500V dc SMA SunnyBoy Inverter with the output of this HV pack for clean mains output, and you then have this huge reserve of power available for use. Use dual Tesla HV chargers (low tariff off peak mains) as necessary to recharge pack. You can stack the SMA SunnyBoy inverters for more power. You can also AC Couple a Schneider Conext Inverter to the SMA SunnyBoy for solar harvest, as I have not yet conceived how to charge a 400V HV pack directly off solar panels in a controlled manner.

        This idea of Jack’s on the use of a complete HV pack straight out of the car may just change the whole economics of Power Packs for home use to something more affordable to the public, especially in the third world where energy remain a big challenge. This should also benefit the concept of a greener world. Expect the price of salvage Tesla cars to go through the roof.

        Back to the main topic – Have the Tesla pack contactors closed yet? I have wondered how to reverse engineer (or even understand) the English sentence “LED switched in a series over the 12 V control units plug connection of the high-voltage components”, into an electric circuit simulating the HV loop, and failed woefully. I can simulate the HVIL output of the pack if I use a 88 Hz signal to modulate a typical current sink circuit (comprising a zener diode biased npn bipolar junction transistor with the HVIL loop in the open collector as load. However what is a ‘LED switched in a series circuit’ ? Does anyone have diagrams for the circuitry of the HVIL loop in the other HV connected components, or know how it might look like? A decode of the main Tesla BMS may offer some answers to these questions.

        1. >>A low on its input drive a contactor. Is this the type of open aggregating fault line (grey wire) you referred to in your note?
          I doubt it. The common fault line probably initiates a shut down process.
          My understanding is that opening a contactor with DC current flowing shortens it’s lifespan so the BMS would most likely send CAN commands to shut down the motor/charger first. Perhaps it hard-opens the contactor after some delay no matter what.

  10. While I am still only about halfway through the January 13th episode of EVTV I just finished watching a new episode of NOVA with David Pogue titled “Search for the Super Battery”. It aired on Public Broadcasting Stations on 2017-02-01 and it gives a good primer on why the world needs energy storage and a variety of storage methods including pumped hydro, ice, flywheel, flow batteries and chemical batteries including a much safer solid electrolyte lithium battery at Tufts University with a lithium metal anode. I think Jack has mentioned this development in the past but the show give a good practical demonstration of its safety. Even though it starts by showing how flammable lithium batteries can be without differentiating the levels of risk in the various lithium chemistries, I still consider it a worthwhile watch.

    1. Brilliant work. That is just what I thought/hoped. The MCU and RF Isolator are just passing bq76 SPI commands over an isolated UART bus.

      “My understanding of the data sheet and a couple of communication addendums was that 00 is broadcast. You can assign any id you want with a simple WRITE command on the SPI bus.
      So if it was me doing it, I would just assign IDs in the 0x01 to 0x3E range, actually 0x01 through 0x0F for that matter. Then address ALL of the bus with a series of eight register read commands right out of the book to get 6 voltages and two temperatures under a single ID. Then bump the ID and do it again. The only bq76 to respond would be the one with that ID. And the 8051 would basically serve as a UART to SPI converter. The MCU and isolator chip then kind of sorta/make sense if they were getting too much noise pickup on the North/South SPI busses or just wanted a more EMI hardened system”.

      This is brilliant work Jarrod. And I think it will really make a difference in that individuals will now be able to use these modules outside a battery pack with sufficient information to do so safely and without reinventing the wheel. We’ll try to adapt our EVTVDue to perform this and open source the code to make it work.

      Congratulations on a brilliant piece of reverse engineering.

      1. Yep, you were not far off the mark.
        I initially rejected your idea because the code that I extracted from the uC is way more complex than expected for a simple UART SPI bridge, so something else is definitely going on in there.. Collin seems to think there is a serial bootloader, probably other functionality to in there. However the SPI access mode does make them fully functional.

        1. Jah. It doesn’t take much 8051 code to pass commands back and forth and Collin has been finding lots of interesting bits as well in the code. I would guess it goes to Tesla’s update philisophy. They want to be able to update software from the GSM. And that implies replace the firmware in the BMS. And THAT implies that the BMS in turn can replace the firmware in the module boards. And so a bootloader.

          There are also some hardwire faults put out by the blq76 that have seem oddly ignored. On a multilayer board, I think you might find connections to the 8051 and code to deal with all that as well. But we probably don’t need it in any practical sense. If we can get voltages and temperatures, we’re kind of good to go. Although it would be nice to know they were VALID voltages and temperatures.

          For example, there is overvoltage setting and an undervoltage setting you can modify. I think it generates a hardware fault. So between the hardware faults and the bootloader, it’s possible to get to 4-5k. But it’s a lot of code.

          But we can do all that in software on the top level controller.

          In any event, actually doing and testing is much more important than my airmchair quarterbacking, theorizing, and attempts to type myself smart. Again, brilliant work.

          Jack Rickard

          1. I suspect some of these fault outputs make their way to the RF isolator, there is a shared ‘open collector’ style line (the grey wire) which seems perfect for fault detection.
            All the faults are available via the SPI registers too so that could be how it’s done. Also means we can check for faults/alerts manually by polling each board. We can also compare the module voltage (an ADC channel is set to measure Vss-Vbat – all 6 series cells) against the sum of all cell voltages to ensure they are valid.
            Will continue investigating these unknowns and completing the reverse engineered board schematic.

          2. The other thing to note is that cell balancing requires SPI commands to manually turn on/off the balancing resistors/FETs. There is no built in algorithm to do this.
            Now this could be built into the uC.. We really need to see the UART and maybe SPI bus during charging to be sure.

        2. I am a bit confused about J1. Is the daisy chain physical or logical as the enable signals to the isolator are tied to Vcc, Could the routing be done on a daughter board or in the wiring harness between the modules?

          1. Both physical and logical I guess? the isolator is part of the daisychain, so the TX of the master connects to the RX of the uC in the first module, the TX of the uC in the first module connects to the RX in the uC of the second module, and so on until it gets back to the RX of the master.
            physically, the harness going into J1 goes like so: Pins 1,2,3,4,5 go to the previous module (the TX side of the master). Pins 6,7,8,9,10 go to the next module (toward the RX pin of the master)

  11. bigSam et all,

    I have the 2nd Gen battery pack for the the Smart ForTwo EV. Or at least, I believe I have the 2nd gen version. I’d like to keep it as intact as possible with as much, if not all of the functionality that Tesla built into them. Ideally, I’d just like to charge them up and operate autonomously without the full HVIL intelrlock. So I’m wondering the following:
    – do the 2nd gen packs have the HVIL circuit, or is it only in the 3rd gen packs
    – what were the years the various packs we manufactured, and any identifying marks, configurations, different data ports that set them apart?

    I’ll try to upload a picture of the unit that I have, but it appears to the more common version that you see on the web when googling Tesla Smart ForTwo battery pack

      1. the Tesla battery pack that i have is from a Smart ForTwo, so it’s likely (but I’m trying to confirm) from circa 2009-2010 before Daimler switched over to their own battery platform – which might be the 3rd Gen system that BigSam is referring to??

        what’s interesting is that the HV connector on the Smart ForTwo battery pack that I have appears to only have two contact points – there doesn’t appear to be a third contact point for the HVIL loop. Moreover, the Smart ForTwo battery pack that I have uses a separate – safety plug that is inserted to manually enable/disable HV for either maintenance or storage.

        (note: I will attach photos once I’ve figured that out)

        1. Here’s the images that I could find. as noted, there only seems to be 2 connection points vs. the 3 that you would at least need to enable/disable the HVIL loop.

          Smart ForTwo Battery Pack Connector

          Smart ForTwo Safety Disconnect

        2. The Gen 2 packs have HVIL, same as Gen 3. As mentioned by Jack, it is a standard safety practice. Just as you have mentioned, the Gen 1/2 have the 6 of Tesla 57v modules inside the HV pack.

          Various models of the Smart Electric were released at different times in different countries but generally the Gen1/2 were released in 2011-2012, and the Gen 3 was released in 2013 through to early 2017 in the US. The new Gen 4 will be released later in 2017.

          am not familiar with the Gen 2 pack. As a matter of fact, when I got the Smart ForTwo at auction, I expected to find the Gen 2 Tesla modules inside the HV pack. I had hoped to use the 57v modules for my solar system if the salvage restore was unsuccessful. I ended up a Gen 3 with the Daimler HV pack with t 3 of 130V modules. Tesla modules have balancing circuits built into them but I am not familiar with them. There are a couple of posts on the Tesla forum on Tesla modules that will give you an idea of how to use the Tesla modules. I am however not sure that the Tesla modules in the Smart Gen 1/2 are the same as are used in Tesla cars. The most probably are not the same modules. Same batteries, not same modules.

          You indicated that you’d like to keep it as intact as possible … charge them up and operate autonomously…The challenge you will face is that there is no hack of that particular battery pack that I am not aware of. Many DIYers use the individual modules without the main BMS unit, which can posse lots of challenges from a safety, control and management point of view. If you desire a big complete pack that is safe and manageable, I suggest that you wait for the results of Jack’s current effort on the Tesla HV pack.

          Daimler technical description of the Smart ForTwo Electric Gen1/2 and Gen 3 car (whole vehicle including HV battery system) can be found in the links below.

          1. Thanks kindly.

            fwiw. Aside from the HVIL loop, the Smart ForTwo and Model S battery packs are indeed very similar in terms of architecture. The Smart ForTwo delivers 57V in a 15s22p configuration for a total of 330 cells, while the Model S batteries delivers around 22.8V in 6s74p configuration, while others still (like the RAV4) deliver the same amount in a 6s53p configuration with 318 cells – but all the building blocks are there. everything else in this thread suggests they run in a similar fashion – the BMB and BMS modules have very much the same schematic being described here by Jack et al

            That said, I’ve yet to locate the HVIL circuit on my packs – but I’ve yet to fully dismantle the pack, they are heavy!! So it may yet show up!

            Again thanks tons.

  12. full disclosure: I recently purchased a Siemens / DMOC 645 drive from Jack and the crew at EVTV and the end goal is to convert an old ’78 911 Targa that I have in my garage. We’ll see if we can get there, but my goal is a ‘zero compromise’ approach with regards to performance and operation with a strong bias toward best in class OEM parts wheeler possible (i.e. Tesla batteries, Siemens drive, Volt charger, etc). So this thread is of particular interest to me 😉

    And one (hopefully) final note. The Smart ForTwo battery pack that I currently have is the 6 x 57V module version (each module is 22p15s at 3.8V). If I can get it up and running, I will run a second pack in parallel in order to take full advantage of the performance provided by the Siemens / DMOC 645 drive.


      1. Bryan Inkster (bielec)

        I have been following the decoding of the BMS module with great interest and am particularly inpressed with the work of Jarrod. There is one small issue which I can’t get to add up which is the scaling of the cell voltage readings. A glance at the Texas data sheet tells us that the readings are 14 bit scaled at 0.3815 mV per step (giving a full scale of 6.25v) Now , on the other hand, the EVTV CAN reading software uses 0.305mV at the suggestion of WK057. I reallise that the BMS modules are inside of the Tesla battery pack and communicate CAN to the outside world via the master BMS pcb. So does this pcb rescale the readings? Jack suggested that the messages are simply passed through. This is potentially very important if we don’t want to overcharge/undercharge our cells.

        1. Excellent question. You ARE following us closely. I ran the program this week with the battery open and checked a module voltage with a Fluke. As I recall, it was within a hundredth. But I am going to rerun this. No, the scaling on the SPI bus and the registers doesn’t have to be the same as what the BMS board presents in 6F2. But on the other hand, I can’t imagine why they would change it unless it was to correct for something. I’ll try to set up next week to measure it with each value in the program to see. But as I say, I did a measurement with the battery opened and on one module and it was very very close.

          I know we tried several scale factors in the program originally, and I don’t recall wk057 having much input other than some suggestions. Heber came up with the basic 14 bit array concept to decode it and I did the code.. But the truth is, the number was just made up. Looked right.

          I’ll try to check it this week with both values and see which is closer.

          Jack Rickard

          1. I can’t beleive they are scaling either, the TI chip is very accurate. I can’t beleive wk057 made a mistake either – he is very thorough. I notice that his number is being used by TM-Spy too. We really dont want a false value to persist until it becomes fact, the some poor soul melts his pack because he thinks he has a voltage that is safe.

            In reply to the post below, the TI datasheet uses the factor 6250 / 16383 which of course is 0.3815 or thereby.

            And Jack, in case you are wondering, I am similar vintage to yourself, similar background, semi retired, sitting in rural scotland with nothing better to do than pick thru the work of others. I had hoped I might contribute (I have tens of years of 8051 assembly programming experience) but others keep getting there first.

          2. I am having difficulty posting comments, the last one went into cyberspace via Facebook so try again.
            I can’t beleive they change the scaling, the TI chip is very accurate. Nor can I beleive wk057 made an error because he is thorough. We don’t want the wrong voltage becoming accepted as truth because someone will destroy their battery pack if they keep charging when they shouldn’t. I notice that the TM-Spy app is also using 0.305mV I agree with TomdB above, TI are using a factor of 6250/16383 = 0.3815mv or thereby. Something strange here.
            And Jack, I am a similar vintage to you with similar background and I have nothing better to do than to sit here in rural Scotland and check the work of others. With tens of years of 8051 assembly programming experience and analog abilities too, I had hoped I might contribute, but others keep getting there first..

        2. It’s very likely that the master BMS board does voltage averaging and smoothing and perhaps they believe that they can get a little better precision by taking the running average of the voltage readings. The BMS allows up to 6.25V per cell which is stupidly high. The lithium batteries would be in open flames at that voltage. Perhaps Tesla decided to lower their range by about 25% down to a range of 0-5V per cell instead of 0-6.25v per cell. Personally I find the 0-5 range to be much more sensible. It allows them better precision while still representing the entire range a lithium cell could ever take.

          1. This is an extremely common approach when sampling frequency isn’t a concern. With enough white noise in the ADC measurement, oversampling can achieve many extra bits of resolution. SAR ADCs usually contain nothing but noise in the last couple of bits anyway.
            BTW do we know what processor they have running the master BMS?

          2. Bryan Inkster (bielec)

            I agree that a 0-5v range would be more sensible and give better resolution and precision, indeed the step size of 0.305mV is from a 5v scale. Was this a guess and is this wrong? I have studied the datasheet of the bq76PL536A (as amended Oct.2016) at some length and cannot see any way of altering the a/d reference to produce a 0-5v range. I fail to see any other easy method of producing a 0-5v scale. The datasheet is quite explicit. The range is 0-6.25v and the step size is thus 0.3815mV .
            The internal reference is central to this chip being trimmed and temperature corrected to a high precision. Could it be that Tesla got a special version made with 0-5v range?
            Averaging and smoothing, of course, do not influence the scale and are irrelevent to the discussion.

          3. That all may be Brian, but it appears not to matter. We measured them over and over today using the .305 and in all cases against a Fluke 233 we were within 1/100 or a couple of place 2/100 of a volt between the program and the Fluke meter with the probes directly on the terminals of the modules. That’s summing 6 cells 22.89 or 22.90 in most cases and remarkably consistent accept for the damaged module at 19.14 volts. The .305 is certainly close enough for government work.

            So good question and your theory makes sense, but the .305 proves out too close to improve upon.

            Jack Rickard

          4. Bryan Inkster (bielec)

            So, Jack, you are measuring a module voltage of 22.9v and then simultaneously seeing individual cell voltages of 3.816v in the CAN message from the Master BMS pcb? If that is the case then the master BMS unit is possibly messing with the scaling. I would like to ask Jarrod if he might be so kind as to do a similar test and look at the CAN values coming out of the SLAVE BMS module and compare them with actual cell voltages.

          5. Actually, I am measuring the voltage of the module directly at the terminals and summing the reported cell voltages for that module. And coming to 0.01 volts.

            I would be astounded if the difference didn’t happen in the main battery BMS board. I’m sure we will have to retrieve individual cell voltages using the scaling in the data sheet. But the main BMS converts this to a 14 bit integer to bit pack the maximum number of cell voltages in the eight available CAN bytes. I would think that is where we will find the conversion. It retrieves the voltages and has them in a float, and then translates that into a 14 bit integer for presentation and the scaling is simply .000305 when we unpack THAT.

            So our software is getting CAN from the main BMS, not from individual module BMS boards directly. I would certainly think they come from the boards on the UART bus as you described. We’ll know soon enough.

          6. Just did a measurement, 4.12V on cell 1, ADC measures 0x2A26, which according to the datasheet converts to 4.116
            Vbat is 24.52 on my multimeter, the Vbat measurement comes back as 0x2ED8 = 24.401. My multimeter may be limiting the accuracy of this one, it’s a chinese fluke (17B)
            In any case, scaling is definitely not done on the module boards, as expected from all the observed SPI/UART behavior.

          7. Bryan Inkster (bielec)

            Thanks Jarrod for the confirmation/clarification. That cell voltage of 4.12v matches the BMS reading of 4.116v (0x2a26 x 0.3815mV) near enough for government work, as Jack would say. The scaling would be 0.305mV if it were read by CAN from the master BMS module. Who knows why, but at least we hackers know it to be the case. So we know to use differing scales if we are working with a complete Tesla battery as opposed to a module.

          8. Well, I’d say that it isn’t even weird that there is a different scale. The BMS scales 0 to 6.25v which worked for them but it’s too large a range. There are no lithium cells that would tolerate 6.25v. They all burn up well before then. The switch to 0.305 changes the range to 0 to 5v which is more sensible. As a bonus, it is also about 20% better resolution. In reality, the fact that 0.305 makes the range 0 to 5v almost perfectly validates this guessed value. It confirms that the value makes sense by showing that it causes the cell range to be a nice round number.

  13. Jack – Great segment on the Tesla batteries. Your comment that lithium-manganese cells bounce back higher and more often than lithium iron phosphate is certainly my experience.

    I have however successfully bottom balanced most of the common chemistries using a resistor and MOSFET to hold the voltage at 2.7 or whatever: you just have to leave some types of cell hooked up for much longer (many hours).

    All the best

    1. When discussing cell voltage scaling factors, should we be measuring module/brick voltages, VBatt? The primary purpose of the balance module is to balance the cells. This is a dynamic process and cell voltages will change all of the time. The other purpose is module/pack protection – hence the uC chip output fault signal line. The module/brick voltages (VBatt) are independently measured by the balance chip and are available to the main BMS uC. So measured brick voltage and thus pack voltage should be the aggregated VBatts, not individual cell voltages. Of course individual cell voltages are available, but why add cell voltages when you can add module/brick voltages (they use the same band gap reference). The average of the sum of cell voltages will approximate brick voltage of course, but they are not the same value. There is another voltage reference (a value contained in REG50) but it is not used for cell or VBatt measurements.

      What is the effect of the number of cells in the stack against cell voltage resolution? Why does Texas Instruments restrict cell stack to a minimum of 3 to 6 cell stacks per module/brick? What is the actual stack count on each brick in the actual configuration of the Tesla pack? Are they all the same module/brick voltage?

      1. Kind of a block grant of questions there Big Sam. The one that stands out is the concept that Tesla balances the cells constantly. Actually I think this event is quite rare, happening only above certain voltages near the top of the charge range, and when charging.

        It does not turn on any of the FETs in normal operation driving the car. Perhaps in certain regen regimes with a full SOC.

        Jack Rickard

      2. We don’t really measure at all. We receive 6F2 CAN messages that provide 96 cell voltages and 32 temperatures. We can sum those into module voltages and we can compare that to actual meter measurements at the module terminals.

      3. TI chip can do 3 to 6 cells in the stack and note that it powers teh BMS board from this entire stack. The issues in BMS design generally the bain of the DIY BMS designer are all about isolation and common mode voltages. TI has a scheme here to address that and Tesla opted to do it entirely differently for some reason. But the more I look at it, the better I like Tesla’s approach here. Totally isolate each module and BMS board using a very fast 5kv resistant chip to form an isolated UART bus that is really pretty simple. TX/RX/VCC/gnd. Essentially USB. With a fault line thrown in.

      4. The balancing algorithm is handled by the master, it could be doing mid balancing, but top balancing seems to be most common with lithium.
        BTW, it’s only a 40ohm balance resistor, so the cell voltage isn’t going to change quickly
        UART is generally more noise tolerant than a clocked serial line, This would be why tesla went for that approach over the level shifted SPI bus built in to the TI chips.

        1. I just heard from Paulo Jorge Pires de Almeida at ISEL in Portugal. He says the north/south thing works ok if all the bq76 chips are on the same board, but over wires it is simply not robust. That kind of explains it.

          Jack Rickard

  14. Jack,

    I too am using the Better Place modules to power my conversion, are you planning on doing any work on the BMS for that module? My cells were bottom balanced and like John Hardy pointed out, they can be bottom balanced but it takes quite a bit of time on each cell and they do want to drift back up quite a bit more than the LiFePo4s. There seems to be some interest on the Better Place BMS on the Forum but it does not appear there has been much progress. Wasn’t too concerned until I saw the aftermath of your fire at the shop so probably should use some sort of BMS.



    1. I’m not Randy. Despite using them myself. The problem with the Better Place modules and the Smart EV Tesla modules is they are orphans. There are no more of them in production and commonly available here in the U.S. Bettery Place went bankrupt. And Smart has moved to an entirely different system with batteries from Germany.

      The attraction of the Tesla components is that they are making a LOT of Tesla’s, they are wrecking a lot of Tesla’s and Tesla components are highly desirable. It is very difficult to do this level of research for a single car or project. If we have some hope of developing a small device that is saleable and accomplishes this, and MANY people need it, it is possible to recoup. But even for my own cars, I can’t take the time to work out how to drive the Escalade’s instrument panel even.

      The truth of the matter is that we are in a target rich environment. And we can’t do dead end projects. Tesla’s components are available and give all appearance of being available for some time. No doubt they will change over time. But I think there will be ongoing interest in them for some time to come. I don’t personally see how they work in electric cars generally, because of size. But people are buying these modules and using them for all sorts of projects, most notably home solar. The DIY powerwall. And so it is kind of pressing that they be able to use the Tesla designed and already available monitoring and safety devices that are there.

      Doing an entire BMS winds up the same way each time $1200-$2000. I see a $350 device that lets you string as many modules as you like. And perhaps another one that lets you just fire up an entire battery pack dealing with the master BMS.

      Doing this for Renault or Smart/Tesla packs doesn’t make a lot of sense unless they are very very similar.

      Jack Rickard

      1. I agree, the Better Place pack is an orphan but the cells are the same as the Nissan Leaf and people are currently wrecking them everyday. Development on a BMS that would work on the Better Place pack would be of interest to anyone wanting to re-purpose the Leaf batteries. There would be a market for a BMS for Leaf modules and of course the EVTV hardware that makes it possible.

        1. I find it interesting that the BP pack and the first generation Leaf that used lithium use the same part number BMS module
          . Nissan sold off their interest in the company some time ago.

  15. I am having niggles in rural Scotland again. I am looking at the simplified HV control circuit diagram above and it doesn’t look right to me in that it does not show any source current for the High Voltage Interlock Loop (HVIL). My information is that this is a 20mA “source” loop. The source starts in the HV battery and comes out on connector HV1 pin 3 links straight back in on 4 (when the connector is mated) then it is connected inside the battery from this pin to connector X036 pin 11 where it passes to the outside world. In the outside world, it passes through a couple of 60R resistors and eventually comes back to X035 pin 10 which simply has a final 60R to ground. That is not at all how Jack has it on his diagram. So there is no yellow block “Generation and detection”
    In fact the 02mA is generated within the battery HV1 connector, looped through its pins 3 and 4 out on X036,11, round the car via 120R back in on X035,10 then to deck through 60R

    Please check this out and see if the contactors close.
    One more thing which might come in to it…….. the ac/dc chargeport reports its safety cover closure over the CAN bus so maybe the main BMS pcb is listening for this ??

    1. You can of course confirm the existence of the 20mA source on HV1,3 by measurement, indeed you could provide your own from an external source . The link between HV1,4 and X036,11 can be confirmed by a continuity meter . The final terminating resistor on X035,10 can also be measured and my bet is that this is the sensing element within the master BMS pcb. If so, then you could simply pump 20mA into X035,10. I unfortunately don’t have a pack to try. For me this is a mental exercise at the moment.
      One final “niggle” – the diagram above shows X035,7 as Vstby out. I suspect it is an input, for service purposes, to bypass the contactor, active low. Wouldn’t that be handy?

      1. Glad that talk is back to closing the contactors. Jack’s yellow circuit inside the pack looks good to me based on what was done by Tesla with the Smart ForTwo Electric 2nd Generation. As described, Jacks circuit is simplified and does not show the physical HVIL connector closure detection details. However, the simulation of the HVIL circuit outside the pack may still be uncertain.

        The main design criteria for a pack is safety and isolation of the high voltage tension from chassis and low voltage electronics (that is the convention vehicle 12 volts circuitry). Bearing this in mind, the check/detector that a HV connector is properly connected will be a simple electrical loop at the outside of the HV connector. No low voltage cables and signals, including the HVIL signals, will be routed into a HV pack or device through its HV voltage connectors.

        To protect and isolate the pack in an accident, there will be a signal generated in external crash detection circuits that will disable the pack by opening the main contactors in the pack. That same kill line will also disable or enable the mains charger (which is another source for generation of lethal high voltages). It may be any of the lines shown tied to 12V BAT in Jack’s circuit or even Vstby. Such a disable circuit will come from a pyrofuse circuit triggered by the restraints system and/or crash detector(s). Confirmation that this kill or enable signal (depending on logic, that is, active high or low) is available, and sequenced as necessary, and if necessary, with the timing of ignition enable. The power for the enable signal may very well be initiated via vehicle CAN signal originating in the HV pack, after checks of pack health, HV system isolation etc.

        To protect the HV pack, the main BMS within the pack will be responsible for generating and detecting the HVIL signal. In Jack’s simplified diagram, put a 60 ohm and associated detection circuit inside the yellow box going to XO35/10. Then put a HVIL signal generator inside the yellow box with output going to XO36/11. I suspect it is a 20 mA current sink rather than a current source.

        One other safety protective feature alluded to above is that of HV line (positive and negative lines) isolation from chassis, called Loss of Isolation, LOI. The main BMS will be responsive for the circuitry and signals that will continuously measure the value of the HV line resistance to chassis. DC checks when vehicle is switched ON, and low frequency AC checks for LOI when vehicle is OFF. If for some reason the HV pack has lost its minimum isolation, the contactors will not close. So use a 500v isolation tester to check each HV line to pack chassis as a general chack of LOI.. Typically values greater than 2 mega ohms are required.

        The HVIL loop does not have to be physically continuous galvanically. You can have opto-isolation in the HVIL circuit with frequency locked regeneration of the signal in anther active device such as the mains charger. This will provide further isolation capability for the HVIL line if any of them fail and arc over to HV in the connector closure detection system.

        Many things can prevent the contactors closing –

        – Simulation of HVIL circuit
        – Sequencing of ignition and HV pack enable line
        – Loss of Isolation (LOI)
        – Bad cell or module
        – CAN enable signals able from outside the packXO35

        Still some ways to go. I agree with Bryan to do the continuity,resistance and output signal checks on the HV pack HIVL pins on the HV pack high voltage connector after taking all necessary personnel safety precautions.

        1. We have contact closure. And we had HVIL correct all along. In fact, yesterday, we measured the minimum and maximum resistance values that would work 160-210 ohms. I have had 180 and 120 ohms variously on the diagrams. It appears 180 ohms is closest.

          Bryan is correct that at one time Vstby appears to have been a maintenance test override in the early schematics. Later versions all seem to indicate Vstby. I’m actually using it to power the Arduino that displays all the voltages and temperatures interpreting 6F2.

          I’m embarassed to report the real culprit all along. A precharge check. I had thought to do this with CAN message 126 from the inverter. This is a very basic voltage with no decimal place, so would seem designed for it. The battery is connected DIRECTLY to the input of the inverter. The cables are tied together in the HVJB but actually are bolted to the same terminals. And of course there is an input capacitance to the inverter. We have to do precharge on all inverters to prevent impossibly high current spikes when we close the contacts.

          Except that’s not how its done. The BMS does its own check and if either too little capacitance or too much capacitance is found, it shuts down. I had thought a dozen times to put a capacitor across the output as we had NOTHING connected to the output in all this time. Yesterday we put a 15000 uF 600v electrolytic across the output. The contactors DID close and immediately reopened. But we found about 74 volts on the capacitor, leaking off slowly of course. We hit it again with the 12v ignition switched input and got contact closure AGAIN and immediately they opened. But the voltage had bumped to 120v. I continued this about 10 times until the voltage reached 315 volts at which point it “latched” and the contactors stayed closed.

          I tried to replace the capacitor with our accessory test bench which has a Volt DC-DC converter, a Delphi DC-DC converter, and a Volt Charger connected to it. No go. I didn’t get the contactors to close AT ALL.

          I found an 1132 uF capacitor from a Toyota Prius inverter out back. Using this, it only takes two bumps to bring the contactors to latch. And once it has a bit of charge on it, you can turn contactors off and on at will. So I’m thinking a 1000uF 600v would be ideal. And I think we’ll find that’s about what Tetsla’s inverter exhibits, though for physical size reasons it uses a series of smaller film capacitors. But our thinking is that this is about 1000 uF at this point.

          And once it is “latched” we can connect the accessory test bench. Indeed we charged the battery using a Volt charger. Starting at 3.2v per cell, indeed you can charge this pack a LOT at 3.3kw and 8.1 amps without getting very much charged very quickly. I guess at 8 amps it would take about 32 hours to full charge this pack.

          This is all very unfortunate. Because after the Tesla pack has done its precharge and turned on, you still need to do a precharge to apply the voltage to your equipment, meaning in most cases two MORE external contactors and a precharge resistor. Again, this is an example of the highly integrated nature of Tesla’s components. Their battery pack really only works with their inverter and its 1000 uF input capacitance. Of course, that’s all it NEEDS to work with.

          So lots of good news this week. I understand Tom DeBree has a battery module working with Teensy and Collin has one basically working with our EVTV Due. We want to use EVTV Due because it has CAN built into the board, and we make them 100 at a time for all sorts of controllers and monitors here. And we already have an enclosure for it. Indeed I’m using it for the battery pack. And now we can turn on the battery pack and get full 6F2 output of voltages and sensors continuously without the reset.

          You’re all admitted to the EVTV Hack Team. You’ve made this the most productive episode/blog entry we’ve ever done. Both modules and pack. And I think it’s going to be a big deal.

          Oddly, not really for the electric vehicle crowd. The Tesla battery pack is just impossibly huge for use in a conversion car. I think the battery module controller might make it possible to use the individual modules in a HPEVS or Brammo level system at 120 or 160volts say. That would be six or eight modules and 300-400 lbs. But for a modern OEM style drive unit, Tesla, Leaf, Volt, UQM, Siemens, etc you reallly need all 16 modules with 14 as a minimum. That still makes for a very large pack as we are not divisible below the 255 Ah of the basic module. We need something more like 80-100Ah.

          But for solar, this is huge. And there is already a world of DIY Powerwall guys that are just going to go berserk. We are already at the point where we will almost immediately be able to wheel this pack across the shop, easily enough done with the swivel casters we installed, and hook it up to our earlier work for CHAdeMO. We already have a high voltage solar charge controller and a high voltage 10 kw inverter. So we don’t need no stinking 24 or 48v stuff. Instant 85kw solar storage. It would take our little 13kw solar installation two full days of sunshine to charge it, but it would then provide 10kw continous for 8 hours. The average US home uses 970kWh per month or 32 kWh per day which is more like a 1340 watt average. So one Tesla 85kWh pack could power the average U.S. home for over 60 hours continuously with no solar input at all. Married to about a 24kW solar panel array, you are basically off grid forever – the home solar dream actualized.

          Good work all around.

          1. Bryan Inkster (bielec)

            Congratulations! Never, in the field of electrical engineering, has so much been achieved, by so many, in so short a time, with so little information.
            To summarise Jack, you are saying there has to be some capacitance, maybe 1000uF, across the battery output to enable the contactors to close. How do you think this works? The simplest would be to check current surge on closure, but that would not prevent closure being attempted when disconnected or when excessive C was present. More complex would be to have a sensing circuit checking the output side of the contacts for capacitance. This, presumably, is what is happening because you say you get no closure at all with open circuit.
            As an aside, does the CAN message from the chargeport cover come in to this at all?
            Great and interesting work by all.

          2. Well I’m not sure how it works, but measuring capacitance is unlikely as it is a bit more of a challenge. Most precharge works by bypassing the contactors through a precharge resistor. I would imagine they measure the voltage directly on the output side of the contactors and while applying a voltage there through a resistance value that dramatically limits current. Then they time how long it takes to bring it up to that voltage on the contactor side of the resistor. If you have any resistive load at all it slows the charge time to beyond the window. If you have no capacitance it instantly goes to the voltage before the acceptable time delay. And so by timing this precharge they can tell what level of capacitance is connected to the output, and indeed if you are connected to anything at all.

            Once it does rise to a matching voltage within the time window, it closes the contactors. After that, it doesn’t care what it is connected to.

            We do this normally by having a precharge resistor across the terminals of the positive contactor. We close the NEGATIVE contactor completing the circuit. Once precharge is achieved, we close the postive contactor bypassing the resistor.

            I’m sure that’s what they are doing here. I can distinctly hear two contactors closing and if they closed simultaneously I would probably not be able to hear that. At 1000 uf it happens pretty quickly. So at 15000 uF I’m hearing the negative contactor closing, and then opening when the voltage doesn’t reach 315v within the allotted time. I do this repeatedly until it reaches 315v at which time the positive contactor closes and we are good to go. Each time I repeat, we get a higher voltage stored on the capacitor within the time window. About the 10th time, we get to 315 v within the allotted time.

            At 1132 uF it only takes twice. So I’m guessing 1000uF would do it. We go to about 275 volts on the first whack. So we appear to be about 15% high at 1132uF.


          3. As I can drive down the road with my Charge Port door wide open, and unfortunately, am wont to do, I don’t think a CAN message from the charge port door has much to do with it.

            Indeed, if we needed charge port closure to turn the contactors on, how would we charge the car????

            Jack Rickard

          4. My guess is that the BMS is doing nothing but watching the voltage. It’s pretty easy to read the pack voltage and they know the proper capacitance of the inverter and the value of the precharge resistor(s). So, it’s a simple matter to scan the voltage and see if it rises at the appropriate rate. It it rises too slowly or too quickly then something isn’t right. This would make sense as Jack said that he could see the voltage on the capacitor change but not get up to full. So, the BMS did a precharge for X milliseconds and then checked the voltage. It wasn’t where it should have been so it faulted. I’m further guessing that the actual capacitance of the Tesla inverter is probably 680uF just because I’ve got a ring capacitor of that value and it’s a pretty common capacitance for ring caps in an inverter. But, who knows? Maybe they used a different value. I suppose someone with a multimeter and an inverter could check.

          5. Jack, i wanted to better understand your comment about needing a second pre-charge and connector set. two questions:

            1) if the battery pack were connected up to an inverter (in my case, the DMOC 645) and other HV equipment (e.g the Volt DC-DC converter, Volt charger, etc.) AND IF these match the capacitance/pre-charge time expected by the Telsa BMS is should just work, correct? or were you suggesting that even with the battery pack connected to an inverter that matches the capacitance/pre-charge time expected by the BMS, you would still need a second pre-charge connector set. that part wasn’t clear to me.

            2) in the event of a capacitance/pre-charge timing mismatch in the HV circuit (for example if the capacitance of the DMOC 645 doesn’t match the capacitance/pre-charge timing that the Tesla BMS is expecting) would it be possible to simply vary the resistance of the pre-charge resistor (within some reasonable limit of course) in order to match the timing that the BMS is expecting? full disclosure: I only play an electrical engineer on TV, my day job is in software.

            as an aside, it appears that ZEVA’s pre-charge module offers a similar pre-charge timing and fault detection logic being described here. nothing more than calling that out as folks continue to sort through solutions.

          6. oh, and one more comment/question/thought. In the absence of a solution to a capacitance/pre-charge mismatch, would it be not possible to simply push the ignition N times to get everything ‘latched’ and online. think of an old car that take 2-3 times before it turns over. yes, this is suboptimal/less desirable, I’m just trying to better understand the mechanism and the need for a second pre-charge and connector set.


          7. and finally (hopefully) I wouldn’t be surprised to learn of the fault tolerance for the capacitance/pre-charge time could be relatively small (but some amount greater than zero). for example, if you’ve just turned of the ignition after coming home for the day (thus opening the contactors and disconnecting the HV circuit) and then you or a family member standing in the driveway plugs-in the charger, it would seem that if the capacitors in the inverter are still charged, the pre-charge timing needed to get them back to full capacity would be some indeterminate amount of time less than normal, otherwise it would fault(?) and never reconnect until the inverter is fully discharged. (unless of course the inverter discharges very rapidly, measured in a few seconds, and/or or the pack goes through an automatic disconnect-dischage-pre-charge-reconnect cycle before enabling the charger).

            I’m still new to the HV boot-up, charging process and timing, so apologies in advance for any ignorance.

          8. Jack, totally understood that the capacitance will not match exactly, but it is still possible to latch the connectors, as you experimentation shows. Perhaps there is a range – between 680uF and 1000uF as Collin has suggested, perhaps even lower that 680uF. Or, perhaps would it be possible to use a different (yet still safe) resistance value in these packs if the capacitance doesn’t fit within the Tesla Pre-Charge timing parameters.

            also it might be perfectly reasonable for someone to want 2-3 pushes of the ignition to engage the connectors – makes a simple/poor man’s theft deterrence. or in a home solar scenario, it might be very similar to lighting a pilot light on a water heater — using a capacitor of xx value will require you to push the ‘ignitor’ 2-3 times until the connector is latched then you’re good to go until your next maintenance downtime.

            again, just trying to understand the options and mechanism better, or if there is simply no other choice but to use a second pre-charge and connector set in an EV (your original comment suggested there are no other options)

            thanks tons

          9. Keep something in mind when thinking about routinely having to do multiple starts to make it click – the precharge resistor in most packs is very much under rated for continuous use. Let’s say they’re using a 50 ohm precharge resistor. I’m not kidding when I say I’ve seen the precharge resistor be a 5W continuous resistor with a surge rating of like 20x that much. 400V / 50 = 8 Amps and 8 Amps * 400 = 2.4kW. A resistor would have to be really, really large to be rated that high. So, they use 5w or 20W or some small number like that. That’s all well and good when you’re only charging 680uF anyway. But, as the capacitance increases and the number of starts becomes larger you start to ask more and more of the resistor. 1000uF wouldn’t be a big issue but if you start to get crazy and go up to 10,000uF like most older motor controllers then you will find that the 10 starts it takes to pump it up is probably way more than the precharge resistor can take. It probably won’t fail the first time you do it or the 10th but murphy’s law says it’ll do it when you’re in a hurry and 80 miles from home.

            My point is, I’d think it a bit safer to use the secondary precharge contactor and resistor idea. That way you can tailor the precharge to your car and you have a better chance of not frying the pack’s precharge resistor.

          10. As always you’re all over it Collin. Worse, MOST inverters not only have a large input capacitor, but a bleed resistor that bleeds it down fairly quickly. The 10k resistor in the DMOC645 actuallly provides a significant source of drain on the batteries if you leave the ignition on and the contactors closed. Don’t ask of course.

            You may find it interesting to note that we hooked up the Tesla battery to our new rebuilt UQM test bench. No amount of toggling would induce it to latch the contactors. BUT IT GETS WORSE.

            I had assumed that once the contactors were latched, you were good to go. As it turns out, when we fired up the bench and ran the motor, the contactors immediately disengaged. And our meter across the output capacitor jumped to 405volts even though the battery was charged to about 322v.

            Working theory is that it ran the motor fine, but on regenerative braking, the output capacitor jumped up to 405v exceeding some voltage threshold monitored by the BMS. We have about 8 feet of cable between the capacitor and the test bench providing significant inductance to such spikes apparently.

            The only solution that suggests itself is that not only do you have to do an external precharge, but then you have to DISCONNECT the capacitor from the circuit.

            The good news is we found some flat copper bar stock that is perfect for the HV slots and we think we found a copper round rod size that will work for the HVIL pin. The actual HV connector used by Tesla is impossible to source and would be extremely expensive if we could. So the kit BOM just keeps on growing.

            Jack Rickard

          11. perfect description thanks Collin.

            curious to know whether varying the resistance to speed/slow the pre-charge duration is an option — given the rating issue you’ve described, perhaps not so much? but if it buys you a second or two…

            regardless, it will be interesting to find out if the pre-charge duration is dynamic

          12. If you pull the cover off and get at the contactor circuitry I’m sure you could modify it to suit any capacitor just by choosing an appropriate precharge resistor. But you may not want to do that given the extremely dangerous voltages involved.
            Someone with a pack will have to test and find out if any of our other musings are true.

            btw, KW’s in a 5W resistor may seem like a lot, but it’s really about the energy of the pulse, not the power (to a limit). ie the I^2*t. for charging a capacitor, E=1/2*C*V^2. The energy a resistor can take as a short pulse has everything to do with the thermal mass of the resistive element, as the pulse is too fast for the heat to get out of the element even into the case of the resistor. Pulse rated resistors have physically larger elements specifically to cope with such energy
            For slower pulses, or repeated pulses, the mass of the case and the thermal resistance come into play. . You can really only get this info from the datasheet (if it’s a good datasheet), if someone wants to get the part number…
            I do agree that it could be too much to charge a 10mF cap when the circuit is designed for 680uF, but 1 or 2mF will probably be within their margin.. don’t trust me, trust the datasheet.

          13. I will like to suggest that the HVIL and HV connections, looking out of the pack, are investigated and modeled by checking the Impedance of these ports with a LCR meter. We can then get actual figures for inductance, capacitance and resistance as seen by the pack looking out. This test is non hazardous as the HV pack as been removed from the circuit under test.

          14. I am in awe of the detective work: just amazed that you, Jarrod and the wisdom of crowds figured out such obscure behaviour with so little relevant documentation

          15. Yes, John. Your theory of the wisdom of crowds is proving true. That the Internet enables all that so easily and globally is amazing. My first rodeo and second rodeo melded. It has been a hell of a ride and a privilege to live it.


    2. Our diagram is a bit simplified and doesn’t show the output connector at all. Indeed, there is a small pin on the high voltage connector. Internally, there are two contacts and the pin bridges them when inserted. Yes, about a 3.75 volt signal exits then at X036 pin 11. It loops through the car, not only two 60 ohm resistors, but other high voltage connectors, lid switches, etc in a big loop that includes the inverter, chargers, the DC-DC converter, the high voltage connector to the air conditioning compressor, the high voltage junction box, and more. Then back in X035 pin 10.

      Obviously we don’t want to hook all that up. So we are trying to simplify this to a single $0.02 resistor.

      I doubt the “current detection” circuit amounts to very much. An optoisolator probably with the HVIL loop on the LED side and the detector transistor basically acting as an on/off switch. But I haven’t examined the BMS board so I don’t know.

      In any event, we experimented with this a bit yesterday and we fail below 160 ohms and we fail above 210 ohms. So the 180 ohms is “juuuuuuussst riiiiight” as noted by Goldilocks in the Tale of the Three Bears.

      1. Bryan Inkster (bielec)

        I think you are “just right” with 180 ohms because on a recent trip to Massachusetts where Tesla documents are available, I noticed the Tesla HV battery Charge/discharge tool has a switch called “HVIL select” with two positions 120 and 180 ohm. I also notices another switch called “CTR SRV BYP” with two positions 6v on and 12v on. What do you think?

        1. I think that’s very interesting. ANd potentially a problem. Tesla’s can have on charger or two. The chargers have a 60ohm resistor in them. So if you have one charger, likely 120 ohms and if two, 180 ohms as there is also a 60 ohm in the inverter.

          This could get worse with D models as it has two INVERTERS and I think both have 60 ohm resistors. So depending on what car the battery came out of…..

          Jack Rickard

          1. Two motors, two inverters thus two capacitors, double the charge time.. Is the battery pack hard wired with a capacitor charge delay specific to the car it is in, or is it able to be modified over the CAN bus? I’d guess the latter.

          2. or perhaps the resistance is configured in the factory, either in flash memory, or set with dip-switches?

          3. riffing on this even further – perhaps it is possible to glean/set the pre-charge delay time based on the voltage drop in the loop. for example, if for each HV device with a set of capacitors, there’s a 60 ohm resistor, while non capacitive HV devices have no resistor – just a simple continuity connector. for example, in the same way the the J1772 spec allows the vehicle to establish the charge state with a public charger – e.g. voltage drop from 12, 9, 6, 3V, perhaps the BMS is able to do the same thing – setting the pre-charge parameters based on a given voltage drop…

          4. But the packs must be able to swap and go, since the model S had that ‘battery swap’ feature. I doubt they had a bunch of differently configured packs ready to swap in, surely it would have been set by software, or by reading the resistance. Whether that software is still in place, or if the later generation packs were designed to be swappable is another question entirely.

          5. yes, two thumbs up on that.

            a resistance/voltage drop approach (or something similar) would allow automagic swap and go.

        2. Bryan Inkster (bielec)

          Jack, that is bad news on the contactor opening under mild regen. It doesn.t make any sense at all when you consider that in normal use, the Model S regens hundreds of amps. There is obviously more to this contactor sensing circuit. I had been busy theorising about avoiding further external contactors and the best I could come up with was to use a tiny step-up converter to precharge the external circuit prior to switch on. This could be a simple one transistor transformer circut as used in cheap photo flashguns. It could sit connected to the HV through a blocking diode and would avoid the need for any other power devices. However, you now tell me that there are typically 10k bleed resistors so this little boost converter would need to be bigger.
          Another loose end……. I mentioned previously that the chargeport cover reports its state over CAN. I was refering to the back cover of the terminals, inside the car, which should have been part of the HVIL.

          1. Oh, it’s not terrible. Regen isn’t causing it. It’s showing it up. The problem is the added capacitor. It means we need an extra step to then take it OUT of the circuit. I’m sure regen will work fine then.

            As to the rest, we do contactors and precharge on all our batteries and all our cars now. It’s just a shame it’s being done twice as it is already in the Tesla battery module. We have to trick THAT and then do our own.

            Jack Rickard

          2. Jack, are you sure both the precharge and then main contactors are closing?
            It doesn’t make sense that more capacitance at the battery would cause any issues, if anything it would absorb any energy from the inductive wires, preventing the BMS from seeing the spikes. I don’t think removing the cap will fix whatever is going on.

          3. Yes of course I’m sure. We are charging the battery and running a motor.

            I’m also pretty sure its thet capacitor. Batteries can absorb quite a bit of regen before the voltage climbs precipitiously. BUt capacitors can’t. Especially if they are already full. I saw 405 volts on the cap and the pack disconnected.

            Jack Rickard

          4. Capacitor, inductor capacitor; that’s a pi filter, you would get larger oscillations without the capacitor on one end.
            While it’s true that capacitors don’t have the same energy capacity as batteries, they have far lower ESR and ESL, so they can absorb higher frequency energy when a battery can’t. In any case, the capacitor isn’t going to cause a voltage spike, it will help damp it. If you are seeing 405V at the capacitor, it can’t be connected to the batteries so you have a bad connection or the main contactor in the pack is already open for some reason.

          5. Actually we are seeing it spike from 325 volts up to 423 volts momentarily and the contactors open.

            But you were quite correct. The cap had nothing to do with it. We removed it after closing contactors and got the same result.

            On the Fluenze battery, we have 390 v and about the same amount of regen causes 405v.

            I think I have a connection problem. We’ll check today. We have a growing list of switches and bus bars and connections going on here.

            We DRIVE the motor fine. This occurs only when we back off and we have to back off sufficiently suddenly to cause some regen. The motor isn’t connected to a load so it isn’t all that much regen. But if we back off really gently minimizing the regen then it does not kick off the battery.


          6. Solved. WE had used a CAN message to turn on the contactors which had teh advantage of allowing us to turn them off in software. But it put it in a mode where the voltage and current limits were very narrow and if it received more than 10 amps of regen, it would close contactors. We could CHARGE at 8 amps fine, but regen from the UQM was going as high as 163 amps.

            If we use the SW Ignition 12v input on pin 6 to turn on the contactors, it does not exhibit this behavior. But we cannot then turn off the contactors in software.

            It probably doesn’t matter. Because of the very narrow range of capacitance that it allows to turn them on, we have to have a second set of external contactors and do our own precharge anyway.

            We’re going to build a box with copper bars that fit in the HV connector and a copper rod for the HVIL pin with contactors in it, a precharge resistor, and our little controller. I think this will work. But the complexity keeps growing.

            Jack Rickard

          7. Bryan Inkster (bielec)

            Something is not right here. The added cap, which I presume is right on the battery terminals could not have a higher voltage than the battery when the contactors are closed there is no inductance or any impedance between the C and the battery. Furthermore, both the C and the battery would absorb any fast noise type spikes too – they are both a dead short to high frequency. I accept that there could be overvoltage at the far end of the wires near the inverter, because of inductance in said wires. I have to sway toward Jarrods suggestion that both contacts are not closed or “something else”

      1. As for a Suitable BMS for Nissan Leaf cells or Better Place cells, there are many BMS’s available through many manufacturers. Just looking through the latest “Electric & Hybrid vehicle technology international” magazine, I count no less than 3 companies advertising their BMS. The big question is which ones are actually for sale, which ones will work reliably and which ones will burn down your house…
        However IF, you are wanting to use the ENTIRE LEAF pack, there should be a way to use the BMS that’s already inside the battery pack. Right now Jack is working on the Tesla battery pack, trying to do the same thing. I believe that if Jack were to attempt the same task with the Leaf battery he would find it much easier. I believe the LEAF BMS does not control the contactors or precharge, All that would be needed would be an EVTV Due that would simply read the BMS CAN data, and close and open the contactors. and open the contactors if the BMS reported a problem (high or low cell voltage, temperature, etc.). The leaf BMS cannot be used if the entire pack isn’t being used because if the BMS detects a missing cell, it considers this a major battery fault, does not balance, and communicates a major pack fault.
        On the topic of the Tesla battery pack precharge, I’ve seen similar methods of precharge in OEM battery packs that I’ve worked with before. The controller that is doing the precharge closes one contactor to start precharging through a resistor, and measures the output voltage. It then calculates the capacitance by measuring the dV/dT (change in voltage with respect to time). If the calculation is outside of a range (caused by too little to too much capacitance, or too much leakage) then precharge is aborted. This is one level of protection to protect the precharge resistor from damage. By measuring the dV/dT a controller can determine if the voltage is going to rise to the proper level to complete precharge before the resistor pulse ratings are exceeded, even before enough time elapses to exceed it’s ratings. If I had to guess, I’d bet that Tesla has that dV/dT window set such that it protects the resistor from overheating, but can still precharge either a single or dual motor Tesla, but also if no motor is connected, it faults on low capacitance.
        What I would recommend is to precharge a Tesla front and rear inverter through a known resistance. Hook an _isolated_ storage scope up and measure the voltage (or current). Knowing the voltage, current, time, precharge resistance, you can calculate the internal capacitance of the inverter. Then you’ll know the range of capacitance that will work for the Tesla battery.
        There are other ways to protect a precharge resistor including a exactly sized fuse in series with the resistor and or thermal fuses that open if the external resistor case temperature is exceeded. In my experience, those methods are used for smaller production packs, and the larger OEM’s use the Dv/DT method likely because there’s no extra hardware cost involved, just software.
        Brian C

        1. The Nissan Leaf BMS I saw listed on EBAY said it was for 96 cells so wouldn’t that be the same number of cells as the Better Place Module? (16 cells X 2 connections/cell x 3 modules =96 connections) Also the one listed on Ebay was made by Calsonic Kansei Corporation and the one in Byron Izenbaard’s Better Place disassembly video was also made by Calsonic Kansei Corporation. In fact they look the same in the pictures. Not sure if the plugs in the battery modules are the same but it looks like if the number of cell connections are the same, the Leaf BMS could be made to work on the Better Place module. In my case though, probably not, as I have my modules connected in parallel instead of series.

      2. With the last video post from Jack, I wonder if the new size of batteries will actually give them a one half more power, or energy, or turtles? I mean if it is one third bigger does it really have one half again more spit?

        1. Stanley Cloyd

          With a few mile years of data, thermal and otherwise, Tesla was in a very good place for optimizing their advanced battery design. When re configuring their cell radius and length they have the data to know that the cooling system can keep up. Surface to volume ratios are a really big deal from nuclear fuel rods to polar bears lumbering through the arctic.

  16. Joe Sidebottom

    Great work everyone
    What is the status on everything

    Im cautiously running at 48v on a 70kwh pack
    Living off grid since jan and have been nervous ever since i charged a module (extra one was damaged by a tree or pole and shorted in the hump of the pack) that was at 1.2 v up to 24.4v. It started popin like black cats. I cut the wires and its been outside ever since.
    Its hard to get all the cell voltages with a multi meter lol

  17. Just circling back on this thread. Given the subsequent investigation/work on the Tesla battery pack controller, did anyone sort out the role of the DC-DC Converter enable signal? Given the subsequent architecture of the current pack controller, it would appear that the Tesla battery pack/BMS does not require any signal from the DC-DC Converter. It is simply used to let the DC-DC converter know that the contacts are closed and power is available, correct?

    And the Vstby always reads 12V, no matter what the state of the contractors, correct? (I’m assuming that as soon as 12V is provided to the contactor inputs, this pin provides 12V at all times?

    And lastly, perhaps I missed it, what is the FC CAN? What does it stand for, what does it get used for?

  18. so an interesting update to this thread — or at least perhaps interesting to some… have spent a week or so going through the Smart FourTwo battery pack documentation available from Daimler, and have been able to power up the Smart FourTwo Tesla battery pack and get CAN data off of the BMS, along with various other functions (cooling/heating, charge enable, etc.) – though no success so far in getting the contacts to close. At least not yet.

    Further, I was able to reverse engineer the CANBus data (the FourTwo uses 74E ID vs. 6F2 on the MOdel S) and have been able to get full voltage and temperature data based on the Tesla CANBus/CANDue program that Jack and Colin wrote. All in all pretty cool – individual access to 90 cells split between 6 modules (vs. 96 and 16 for the Model S).

    If anyone is interested I can post the updated source code, etc.

    note: the SmartCar packs uses a somewhat more convoluted data scheme – relatively straightforward to reverse engineer (read: guess) the schema — it’s a straight double byte message (vs. the 14-bit packed messages used on the Model S), but requires considerably more acrobatics to parse through the data since it’s not all in one clean row – there’s 4 double byte pairs, but only 7 bytes to place it in… not nearly as compact and clean as the 7 byte (four by 14-bit) scheme used by the Model S packs.

    anyway, an interesting adventure. will post screen shots, but not quite sure how to do that here.

    much thanks to all. this is a fantastic thread.

      1. will do. for folks wanting to see what the CAN data looks like, there are 30 some odd rows – 0x4C through 0x69 – that contain voltage and temperature info.

        the second and third bytes in the 0x4C row are some other data elements I’ve not decoded yet, and I ignore rows 0x0 through 0x4B, for now. the next 90 byte pairs (e.g. C576 in row 0x4C and so on) are 16 bit voltage, followed by 12 byte pairs (e.g. D2A in row 0x66) are 16-bit temperatures. what’s cool is that the data elements use the same scaling factors as the Model S code, but divided by 4 — which makes sense since the Model S uses 14-bit and the Smart FourTwo uses 16-bits. and like the Model S data, the values coming off the CAN Bus have even greater resolution/accuracy than my Fluke meter will provide.

        now, the acrobatics come in when having to carry over the trailing byte in the next message to complete the last byte pair every other row – it makes for some clunky code (or at least mine is in it’s current form)

        but hey, it works… 😀

        {0x4C, 0x5A, 0x99, 0x5A, 0x62, 0xC5, 0x76, 0xC5},
        {0x4D, 0x5D, 0xC5, 0x53, 0xC5, 0x82, 0xC5, 0x67},
        {0x4E, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x4F, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x50, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x51, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x52, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x53, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x54, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x55, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x56, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x57, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x58, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x59, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x5A, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x5B, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x5C, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x5D, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x5E, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x5F, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x60, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x61, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x62, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x63, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x64, 0xC5, 0x6A, 0xC5, 0x75, 0xC5, 0x84, 0xC5},
        {0x65, 0x93, 0xC5, 0x88, 0xC5, 0x7A, 0xC5, 0x65},
        {0x66, 0xC5, 0x6F, 0xD, 0x2A, 0xD, 0x92, 0xD},
        {0x67, 0x2A, 0xD, 0x92, 0xD, 0x2A, 0xD, 0x92},
        {0x68, 0xD, 0x2A, 0xD, 0x92, 0xD, 0x2A, 0xD},
        {0x69, 0x2A, 0xD, 0x92, 0xD, 0x2A, 0xE9, 0x6}

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Verified by MonsterInsights