
SOC Spoofing, how fast must it go?

Discussion in 'Prius PHEV Plug-In Modifications' started by mani9876, Aug 15, 2011.

  1. mani9876 (Junior Member; joined Jun 18, 2011; Austria; Other Hybrid)

    Hello!

    I've read the article about SOC spoofing in the Prius Wiki, and I wonder how fast the controller has to put the new message on the bus.

    I mean, the message is sent out every 100 ms, but the question is whether the controller has to send the new message IMMEDIATELY (a few ns) after the old one, or is it okay if it is a ms or two later?

    Thanks a lot

    Manuel
     
  2. mani9876 (Junior Member; joined Jun 18, 2011; Austria; Other Hybrid)

    Hello again!

    If I understand this article (Prius PHEV TechInfo - EAA-PHEV) right, I just have to change the original message and send it out again, and the Hybrid ECU takes the last message. But how do I know that the Hybrid ECU doesn't take the first message (when there is 1 ms between the original and the altered message)?

    Can anybody help?

    Thanks
    Manuel
     
  3. coulomb (Junior Member; joined Sep 28, 2009; Australia; 2007 Prius)

    I think that the idea is that you break the bus between the battery ECU and the other ECUs (especially the hybrid ECU), and put a small computer with two CAN interfaces between the two buses. Like a networking switch (or is it a router? I can never remember which is which) you check each CAN identifier. If it is for anything other than the SOC message, you let it through to the other side unchanged. If it is the SOC message, you send yours in place of the one from the battery ECU. All CAN messages going the other way (to the battery ECU) you also leave unchanged. That way, the hybrid ECU never sees the wrong SOC message. I think it might get quite confused and possibly might start emitting error codes if it sees the SOC changing erratically. Even if you have the CAN messages one right after the other on the bus, the hybrid ECU will probably see both messages. A CAN message is something like 25 bits, which is at least 25 µs (I don't know the CAN bus speed in a Prius, but the maximum is one megabit per second), so the closest two messages on the same bus can be is that amount of time. [ Edit: between them -> between the two buses ] [ Edit: it seems from later posts that conflicting messages 25 µs apart don't cause a problem. ]
     
  4. mani9876 (Junior Member; joined Jun 18, 2011; Austria; Other Hybrid)

    Hello!

    I know that this would be possible, but I asked because in the link it is written that it has to go the way I want to do it. Do you know someone who has tried this?
    If I tried this, how would I know if the SOC spoofing was done right and all is going right?

    best regards
    Manuel
     
  5. mani9876 (Junior Member; joined Jun 18, 2011; Austria; Other Hybrid)

    Hello!

    This is how the BMS+ works:
    "The BMS+ does this with two high speed microprocessors working in tandem: one on the BMS bus and one on the CAN bus with the two busses connected via a high speed semiconductor switch. As soon as one of these 2 critical packets is detected by decoding the address (which comes first), the link between battery ECU and the CAN bus is opened and the 2nd microprocessor replaces the data that would end PHEV mode with new data, together with the new CRC code that is needed. Meanwhile, the 1st microprocessor talks to the battery ECU as if it were the HV ECU in order to keep the battery ECU happy."

    But I can't imagine that this is so good, because when the first µC detects the interesting ID, it is already written on the CAN bus from the vehicle, and when the message stops anywhere in between, this is not CAN-conformant, I think.
    What would you say?

    Manuel
     
  6. coulomb (Junior Member; joined Sep 28, 2009; Australia; 2007 Prius)

    You can tell I didn't read the linked article. It seems that when they detect one of two CAN IDs of interest, they switch from one processor to the other mid-message. If they synchronize both processors carefully and switch at a known point (when they know the bus is going to be high or low), then this can presumably be done seamlessly. This seems too much trouble to me, but I'm not aware of all the constraints. [ Edit: it seems that this is indeed not necessary; see later posts. ]
     
  7. mani9876 (Junior Member; joined Jun 18, 2011; Austria; Other Hybrid)

    Hello, yes, I think that is how it must be; I can't imagine any other way.

    The problem, I think, is that when I use 2 CAN controllers, they have to let through all messages, and this would be way too much for the controllers, because of the 1000 messages per second in the Prius.

    But back to the article:
    "The OEM battery broadcasts a message on the CAN bus approximately every 100ms which includes the SOC. It has been discovered that the Prius's HV ECU listens to the last message received. Simply rebroadcasting that message immediately after it was originally sent with an altered value for the SOC (and altered checksum), causes the car to believe that the SOC is the altered value without intercepting the original message. This allows a conversion to spoof the SOC in a low cost and simple method which does not require altering the OEM battery's ECU or taps. The agent doing the rebroadcasting can be a computer with a device such as CANUSB or a small embedded system with a CAN interface. Any system which uses SOC spoofing must be careful not to over discharge or overcharge the OEM battery."

    Why do they write that SOC spoofing is possible this way, when it isn't?

    Best regards
    Manuel
     
  8. vertex (Active Member; joined Mar 27, 2009; New York; 2018 Prius Prime, Prime Plus)

    eePF built his own battery computer, so he sends out what he wants for SOC. What I read about spoofing was that it sends out a higher SOC right after the battery CPU sends out the SOC, so the rest of the car ignores the first and uses the second number.
     
  9. kiettyyyy (Plug-In Supply Engineer; joined Sep 17, 2008; West Covina, CA; 2009 Prius)

    I think I've posted on these forums regarding SOC spoofing previously.

    On the gen 2 models, the SOC message is broadcast every 100 ms. The HV ECU stores this message on receive within its own registers for use. On any incoming CAN frame that contains the correct ID and checksum, the HV ECU will go ahead and store the message for use.

    The "easiest" way of handling spoofing on a gen 2 is to do the following:

    1. Listen to the CAN bus for the SOC frame.
    2. On detection of the SOC frame, pull the SOC in as a 12-bit value (I believe that's what I did; the last time I did this was over a year or two ago... the product has reached maturity :))
    3. Modify the SOC and repack the frame with the recalculated checksum.
    4. Broadcast the new SOC frame to the same CAN ID with a high priority.
    5. The car should accept this new frame.
     
    3 people like this.
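As an added example (not code from this thread, from the EAA-PHEV wiki, or from any of the products mentioned), here is a small Python simulation of the two approaches discussed: coulomb's bus-split gateway from post 3, and kiettyyyy's listen / modify / repack / rebroadcast steps from post 9, driven against a model of an HV ECU that latches whichever frame with the right ID and a valid checksum arrived last. The CAN ID (0x123), the 12-bit SOC byte layout (tenths of a percent, high nibble in data[0], low byte in data[1]) and the additive 8-bit checksum are placeholders chosen for the simulation; the real Prius frame layout and checksum algorithm are not given in this thread and have to come from the linked documentation. No CAN hardware or python-can is needed; the "bus" is just a sequence of function calls with timestamps.

```python
"""Simulated SOC-frame rewrite: rebroadcast variant and gateway variant.

Assumptions (placeholders, not taken from the thread):
  * SOC_ID is a hypothetical 11-bit CAN ID for the battery ECU's SOC frame.
  * SOC is a 12-bit value in tenths of a percent: high 4 bits in the low
    nibble of data[0], low 8 bits in data[1]; remaining bytes are padding.
  * The last data byte is an assumed checksum:
    (ID high byte + ID low byte + DLC + preceding data bytes) mod 256.
"""
from dataclasses import dataclass

SOC_ID = 0x123          # hypothetical ID
SOC_PERIOD_MS = 100.0   # battery ECU broadcast period from the thread


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes  # DLC == len(data), 8 bytes for the SOC frame here


def checksum(can_id: int, payload: bytes) -> int:
    """Assumed additive checksum over ID bytes, DLC and the payload bytes."""
    dlc = len(payload) + 1  # the checksum byte itself counts toward DLC
    return ((can_id >> 8) + (can_id & 0xFF) + dlc + sum(payload)) & 0xFF


def build_soc_frame(soc_tenths: int) -> Frame:
    """What the battery ECU would send: 12-bit SOC packed plus checksum."""
    if not 0 <= soc_tenths < 4096:
        raise ValueError("SOC must fit in 12 bits")
    payload = bytes([(soc_tenths >> 8) & 0x0F, soc_tenths & 0xFF, 0, 0, 0, 0, 0])
    return Frame(SOC_ID, payload + bytes([checksum(SOC_ID, payload)]))


def unpack_soc(frame: Frame) -> int:
    """Step 2 of post 9: pull the SOC out as a 12-bit value."""
    return ((frame.data[0] & 0x0F) << 8) | frame.data[1]


def checksum_ok(frame: Frame) -> bool:
    return frame.data[-1] == checksum(frame.can_id, frame.data[:-1])


def spoof_frame(frame: Frame, new_soc_tenths: int) -> Frame:
    """Steps 3-4 of post 9: modify the SOC, repack, recompute the checksum."""
    d = bytearray(frame.data)
    d[0] = (d[0] & 0xF0) | ((new_soc_tenths >> 8) & 0x0F)
    d[1] = new_soc_tenths & 0xFF
    d[-1] = checksum(frame.can_id, bytes(d[:-1]))
    return Frame(frame.can_id, bytes(d))


class HvEcuModel:
    """Post 9's description: store any frame with the right ID and a valid checksum."""

    def __init__(self) -> None:
        self.soc_tenths = None
        self.log = []  # (t_ms, soc_tenths) for every accepted frame

    def receive(self, t_ms: float, frame: Frame) -> bool:
        if frame.can_id != SOC_ID or not checksum_ok(frame):
            return False  # wrong ID or bad checksum: ignored, last value kept
        self.soc_tenths = unpack_soc(frame)
        self.log.append((t_ms, self.soc_tenths))
        return True


def gateway_forward(frame: Frame, spoof_soc_tenths: int) -> Frame:
    """Post 3's bus-split variant: only the SOC frame is substituted, all else passes."""
    return spoof_frame(frame, spoof_soc_tenths) if frame.can_id == SOC_ID else frame


def rebroadcast_scenario(real_soc_tenths: int, spoof_soc_tenths: int,
                         delay_ms: float = 2.0, cycles: int = 3) -> HvEcuModel:
    """Battery ECU sends every 100 ms; the spoofer re-sends delay_ms later."""
    ecu = HvEcuModel()
    for n in range(cycles):
        t = n * SOC_PERIOD_MS
        original = build_soc_frame(real_soc_tenths)
        ecu.receive(t, original)                                   # ECU sees the real SOC
        ecu.receive(t + delay_ms, spoof_frame(original, spoof_soc_tenths))  # then ours
    return ecu


def real_value_windows_ms(log, real_soc_tenths: int):
    """How long the ECU held the un-spoofed value before each rebroadcast overwrote it."""
    return [t1 - t0 for (t0, v0), (t1, _) in zip(log, log[1:]) if v0 == real_soc_tenths]


if __name__ == "__main__":
    ecu = rebroadcast_scenario(real_soc_tenths=500, spoof_soc_tenths=800)
    print("accepted frames:", ecu.log)
    print("final SOC (tenths):", ecu.soc_tenths)
    print("ms per cycle at the real value:", real_value_windows_ms(ecu.log, 500))
```

Running it shows the point mani9876 keeps asking about in concrete form: with a 2 ms rebroadcast delay the ECU model does hold the real value for 2 ms out of every 100 ms, and ends each cycle on the spoofed value. Whether that window matters is exactly what post 11 answers; the simulation only makes the window visible. A frame with a wrong checksum is dropped by the model without disturbing the stored value, which is why step 3 (recomputing the checksum) cannot be skipped.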
  10. mani9876 (Junior Member; joined Jun 18, 2011; Austria; Other Hybrid)

    Hello kiettyyyy!

    That sounds fine, but are you sure that there is no problem?

    Because I think, when the HV ECU gets e.g. an SOC of 50% and 2 ms after that an SOC of 80%, how can you be sure that the HV ECU doesn't "see" the SOC of 50% in these 2 ms?

    Manuel
     
  11. kiettyyyy (Plug-In Supply Engineer; joined Sep 17, 2008; West Covina, CA; 2009 Prius)

    The only way of ensuring that the HV ECU doesn't "see" the SOC message is by physically isolating it on a bus. This can be tricky and very dangerous if you don't know what you're doing.

    Otherwise, letting the HV ECU see the 60% SOC frame for a millisecond or so is fine. The HV ECU has hysteresis built into the software.
     
    1 person likes this.