Thursday, October 1, 2015

EVCCON 2015 - Day 2

Session: John Hardy - Battery Testing

Day 2 kicked off, surprisingly on time, with John Hardy from the UK.  John returns again as our overseas battery testing expert.   He reviewed his earlier battery testing methodology and cell types.


The Headway 38120S cell had no detectable voltage drift but the first cell failed after 600 discharge / charge cycles.

He tested a shunt balancing product which simply destroyed the pack in under 100 cycles.  He is a fan of bottom-balancing your pack before assembly.

His CALB CA40fi cells lived beyond 2000 charging cycles and each of the 8 cells showed a nearly identical voltage profile on the 2000th cycle, which is exactly what we want in our batteries.

John's full testing history shows that Lithium Ion batteries have no discernable drift and an extremely long charging cycle life.

John then moved to his current (no pun intended) testing of the Tesla-style 18650 LiFePO4 cells.  He has developed a new charging algorithm and has asked us not to talk about his ideas until they're protected.  I will say it's very sophisticated and looks very good!  Hoping to hear good things in the future.

Session: Collin Kidder – CAN Bus Hacking Hardware And Software
Collin's work writing software to collect and analyze CANbus traffic of existing OEM automotive components has formed the cornerstone of the reverse-engineering innovation of the world-wide EVTV team.  Due to his efforts we now can control the charger and DC-DC converters from Chevy Volts, the motor and controller for UQM/Coda vehicles, the motor and controller from Siemens/Azure Dynamics DMOC and the motor and controller from the Tesla Model S.


Collin recommends the EVTV CANDue 2.0 board as it has two complete isolated 2-wire and 1-wire CANbus connections, a temperature sensor, a MicroSD memory card slot for massive data logging and a 256kb EEPROM for persistent data storage.  It is a standard Arduino shield, meant to be stacked on top of a standard Arduino Due processor board.

Another option is the EVTV Due board, which combines the features of an Arduino Due and a CANDue 2.0, but does not have a 1-wire CANbus port.  It has a much stronger USB port and screw terminals for power and CANbus wiring.

Jack has developed a plug-and-play device in a box that plugs directly into the Tesla Model S diagnostic port, which is native CANbus and which Tesla cannot disable.

GVRET is Collin's CANbus sniffing tool, driving the hardware to capture all CANbus traffic.  It is Arduino firmware and is flashed into one of the above boards.

SavvyCAN is a Qt5-based app which is used to analyze the CANbus data captured by the hardware and GVRET.  Qt5 supports Windows, Linux and MacOS.  It has sophisticated tools to visualize and filter messages and can also play back messages onto a live CANbus.  This is critical to fast development of an independent controller for an OEM CANbus device with no manufacturer documentation.

DBC files are used to define signals that flow on a CANbus.  As you reverse-engineer a device, DBC files save the knowledge gained and help SavvyCAN interpret the format of specific messages.

The reverse-engineering process is as follows:
- Find a convenient place to plug into the CANbus.
- Capture some bus traffic to see if it's working.
- Go for a drive and capture real bus traffic.
- Perform small discrete functions and save the traffic into separate small files, such as open the door lock, close the door lock, shift into neutral, press the brake pedal, etc.
- Launch SavvyCAN and isolate the meaningful messages.
- Define newly discovered messages in a DBC file.
- Play captured or synthesized messages back on the bus and see what happens.
- Write software in a controller to perform that specific function.
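
The "isolate the meaningful messages" step can be sketched offline as a comparison between a capture taken at rest and a capture taken during one discrete function. This is an added example, not Collin's code or part of SavvyCAN; the CAN IDs, payloads and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample frames as (CAN ID, payload); IDs and bytes are made up.
BASELINE = [  # capture with nothing happening
    (0x100, bytes.fromhex("0000000000")),
    (0x200, bytes.fromhex("00000F000000")),
    (0x100, bytes.fromhex("0000000100")),  # byte 3 already varies at rest
    (0x200, bytes.fromhex("00000F000000")),
]
ACTION = [  # capture of the same bus during one discrete function
    (0x100, bytes.fromhex("0000000200")),
    (0x200, bytes.fromhex("00000E000000")),
    (0x100, bytes.fromhex("0000000300")),
    (0x300, bytes.fromhex("01")),
]

def observed_values(frames):
    """Map (can_id, byte_index) -> set of values seen at that position."""
    seen = defaultdict(set)
    for can_id, data in frames:
        for index, value in enumerate(data):
            seen[(can_id, index)].add(value)
    return seen

def isolate_candidates(baseline, action):
    """Return (IDs only seen during the action, byte positions that changed)."""
    base, act = observed_values(baseline), observed_values(action)
    base_ids = {can_id for can_id, _ in baseline}
    new_ids = sorted({can_id for can_id, _ in action} - base_ids)
    changed = []
    for (can_id, index), values in sorted(act.items()):
        if can_id not in base_ids:
            continue  # already reported as a new ID
        base_values = base.get((can_id, index), set())
        if len(base_values) > 1:
            continue  # varies at rest: counter, checksum or live sensor value
        novel = values - base_values
        if novel:
            changed.append((can_id, index, sorted(base_values), sorted(novel)))
    return new_ids, changed

if __name__ == "__main__":
    new_ids, changed = isolate_candidates(BASELINE, ACTION)
    print("new IDs:", [hex(i) for i in new_ids])
    for can_id, index, before, after in changed:
        print(f"0x{can_id:03X} byte {index}: {before} -> {after}")
```

Bytes that already vary in the baseline are dropped on purpose, which is why the counter-like byte in 0x100 does not show up as a candidate.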

Note that this is *not* easy and you will get better at message analysis as you see more devices and more ways of representing data.

Collin gave us a guided tour of SavvyCAN.  There are many, many ways to visualize the data to help you find patterns and values leading to your solution.

We have to break for lunch; Collin will continue again later this afternoon.

Session: Craig Smith - Car Hacker's Handbook 2014. – Politics and Legal Environment of Automotive Security

Next up is Craig Smith, a new EVTV speaker.  He's an expert in vehicle computer systems.  Cars are basically rolling computer networks.  He started out by talking about the current legality of vehicle hacking.  He says to always talk about "hardware".  We all know software is running inside all of these computers, but in the eyes of the law, it's all hardware.  We are already protected in law to reverse engineer components to add 3rd party devices, so the line is blurry.



Who Owns Your Car?  GM, John Deere and the Auto Alliance.  GM claims they retain copyright on the software inside and we are not allowed to look at it.  The basis of their opinion is the DMCA - Digital Millennium Copyright Act - which was originally intended for movie and music piracy.  People have proposed new Class 21 and 22 exemptions to DMCA about reverse engineering for security research and the right to understand and update firmware.  The Copyright Office has not decided on these two exemption requests yet. We are a small voice against the large corporations and their lobbyists.  No one has been sued yet though, and the industry is worried about losing the suit so the only tool they have is threatening people with potential litigation.

What can we do to help?  Share information.  Share stories.  Share data.  Collaborate.  Check out the Open Garages group and the I Am The Cavalry group.

Craig talked about other CAN sniffing hardware, from $60 open source to $5000 proprietary Kvaser and software such as SocketCAN and the Linux can-utils package that you match up with them.  The LAWICEL protocol is a network protocol under Arduino that handles CANbus traffic like any other network device.  There are 3 CAN interfaces: can0, slcan0 and vcan0.

Craig showed a demo that he created.  It uses a Playstation controller to drive a virtual car with speedometer, left and right turn signals and door locks via CAN traffic.

There are additional software layers available that run on top of CAN, such as UDS, which provides higher-level functions such as ECU reset, diagnostic codes, VIN number and data upload and download.

There is an important packet called TesterPresent.  It is issued every 2 or 3 seconds and tells the car a diagnostic tool is connected.  Some functions may require this.

SecurityAccess tokens are required to update firmware.  It's a multi-step handshaking protocol to prevent easy hacking.  
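
Because TesterPresent and SecurityAccess are visible on the bus, a capture can be checked for diagnostic-tool activity. The following is an added example, not code from Craig's talk: it reads candump-style log lines, recognises UDS single frames, and reports keep-alive spacing and SecurityAccess traffic. The sample log is constructed, and the diagnostic ID range is an assumption (the common ISO 15765-4 11-bit IDs; manufacturers may use others).

```python
import re

# candump -L style line: "(timestamp) interface ID#HEXDATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#((?:[0-9A-Fa-f]{2})*)")
SERVICES = {0x10: "DiagnosticSessionControl", 0x11: "ECUReset",
            0x27: "SecurityAccess", 0x3E: "TesterPresent"}
DIAG_IDS = range(0x7DF, 0x7F0)  # assumption: ISO 15765-4 11-bit diagnostic IDs

SAMPLE_LOG = """\
(1443700000.000000) can0 100#0011223344556677
(1443700001.000000) can0 7E0#023E000000000000
(1443700001.010000) can0 7E8#027E000000000000
(1443700003.000000) can0 7E0#023E000000000000
(1443700003.500000) can0 7E0#0227010000000000
(1443700003.510000) can0 7E8#037F273300000000
"""  # constructed for this example, not a real capture

def classify(line):
    """Return (timestamp, can_id, description) for a UDS single frame, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, can_id, data = float(m.group(1)), int(m.group(2), 16), bytes.fromhex(m.group(3))
    if can_id not in DIAG_IDS or len(data) < 2:
        return None  # ordinary bus traffic
    pci_type, length = data[0] >> 4, data[0] & 0x0F
    if pci_type != 0 or length == 0 or length > len(data) - 1:
        return None  # not an ISO-TP single frame; multi-frame messages are skipped
    payload = data[1:1 + length]
    sid = payload[0]
    if sid == 0x7F and len(payload) >= 3:  # negative response: 7F, service, NRC
        name = SERVICES.get(payload[1], f"service 0x{payload[1]:02X}")
        return ts, can_id, f"negative response to {name}, NRC 0x{payload[2]:02X}"
    if sid - 0x40 in SERVICES:  # positive response SID is request SID + 0x40
        return ts, can_id, f"{SERVICES[sid - 0x40]} positive response"
    if sid in SERVICES:
        return ts, can_id, f"{SERVICES[sid]} request"
    return None

def summarize(lines):
    """Count TesterPresent keep-alives, their spacing, and SecurityAccess events."""
    events = [e for e in map(classify, lines) if e]
    keepalives = [ts for ts, _, desc in events if desc == "TesterPresent request"]
    gaps = [round(b - a, 3) for a, b in zip(keepalives, keepalives[1:])]
    alerts = [e for e in events if "SecurityAccess" in e[2]]
    return {"tester_present": len(keepalives), "gaps_s": gaps, "security_access": alerts}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```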

Craig showed us pictures of his test bench with a junkyard dashboard and ECU and pots for changing simulated data values such as fuel level and RPM.

We had a good Q&A session to wrap up before Craig had to leave for the airport.

Jack gave Craig an EVTV Due board to see if he can use it in his research.  Big thanks to Craig!

More Cars!










Session: Jack Rickard - Tesla Drivetrain Demonstration

We moved into the workshop area where Jack's Tesla drivetrain test bench is located.  He showed us the control panel which operates contactors and simulated the brake pedal.  He showed us the Arduino code that drives commands to the motor controller, and then he engaged drive and spun the unit up.  He demonstrated forward, reverse and neutral and creep mode.


Here is a short video from his demonstration.



For longer video and a far more detailed description of the reverse engineering of the Tesla drivetrain, please see the relevant EVTV videos here.

Now we're packing up to go to the BBQ at Jack's house.  It looks like this will be the first year we don't get rained out.