can we replicate BTH data gs450h/prius?... Unlocking the PHEV

Topics concerning the Toyota and Lexus inverter drop in boards

Post by Bigpie »

Any of these captures from HTM from stationary to moving off in EV mode?
BMW E91 2006
ZombieVerter
GS450h
Outlander Charger DC/DC
Renault Kangoo 36kWh battery
FOCCCI CCS

Post by 0tik »

Stationary car in a P gear and the battery is charging. It's HTB, not HTM btw.

Post by Bigpie »

ah, if you're able, would you grab a HTM when going from stationary to driving forward a little?

Post by 0tik »

>Start recording, run to the driver seat, start the car straight away with depressed brake, change gears from P to D, accelerate and brake, switch from D to P, push start button to turn car off, run to the laptop in trunk to turn off recording.

Post by Bigpie »

Awesome. Thank you very much

Post by 0tik »

I'm suspecting that data speed is faster than 24 MHz, given that bit time is 62/42 for 16/24 MS/s sampling speed. Also the start pattern makes me think there could be glitches because it's the only place with both channels sending (almost) the same signal at the same time.

Post by lastphaseofthis »

Amazing work! Really, this is one step closer to simulating the hybrid battery computer and thus achieving the goals.

I have continued pursuing the other direction: keeping the battery ECU and lying to it or modifying its firmware.

This is my 20 Ah (can do 100 A, 150 A for 5 seconds) 70-cell LiFePO4 battery. Hooking it into the Prius this morning and will test mpg and electric-only range, try and see how much SOC it will use of the 20a. I have enough space in the box for 84 cells. 5 vs 6 cells per voltage block, 18.5 vs 21.9 V fully charged per voltage block. The computer firmware will have to be modified to use 6 cells, but 5> we are about to find out!
Attachments
20250430_202922[1].jpg
20250503_094116[1].jpg
ASE Master since 2012, FPV drone pilot since 2017, 100 % solar powered living since 2020.
2005 Winnebago, full gs450h swap with 100kw battery (in the works)

Post by 0tik »

In all honesty it looks like madness. How are you going to get an alarming notification when one of your cells goes under/overvolted? Can't wait to see data log from dr.prius and hybrid assistant app.
Meanwhile here's another log by different kind of a crappy dongle captured by PulseView. 2 sessions differing by trigger up/down, hence the missing first 1.6us high state part in "sesja 2" file. Starting sequence makes me think again that logic 2 knockoff dongle is trash. This part highlights glitching in logic 2 too.
https://drive.google.com/drive/folders/ ... tW9YKrj4Sf
edit: I started reading about modbus and want to cry and drop all of this to hell. :( This looks way over my head. How many hours of learning are we talking here?
Attachments
pic.jpg

Post by lastphaseofthis »

This is my first test, driving out. Voltage block 11 looks to be .2 volts lower at times than the rest, so I will charge up the battery by holding the pedals and then see what the difference is at the cell level, by removing the battery and taking off the top and bottom, and if one cell is found very off then it gets charged and we will repeat. for now

the test shows 105!
Attachments
Screenshot_20250507_160812_Dr_Prius[1].jpg

Post by 0tik »

Now it came to me that if you already have the battery on the bench, is it possible for you to open up its brain and trace from which chip the signal lines are coming from?

Post by lastphaseofthis »

Yes, I have already done so, but didn't post the damn pic lol.

edit: oh ya you want the data lines not the voltage block signals. those are in CAN on this prius ecu, but will take out my gs 450h ecu and report back in a few!
Attachments
20250118_095453.jpg
20250107_094826.jpg

Post by 0tik »

Yes. It must be something different than CAN on GS. I edit my findings on the 1st page. Ha! I wish they kept CAN there. Would make all of this hella easier.

Post by 0tik »

Finally some progress. Here are screenshots from oscilloscope and new dump from PulseView. It seems I was doing half assed job like before, like always. Although used an option for 1us glitch filter this time. Picture 5 and 6 shows red and green wires. Capture files taken separately obviously. I didn't want to damage capture device. Will do more capturing tomorrow and acquire second probe for the scope. Also important thing - engine was off, so hv battery voltage readings should be kinda stable.

https://drive.google.com/file/d/1GC9-Vn ... sp=sharing

Given bit time asymmetry it seems I'd have to butcher battery ECU and tap between transceiver and the actual IC. Otherwise there's no way to read this crap. Unless someone figures out which transceiver should be connected there.

Attached images are green wire first, then red. Red wire is lower voltage.

After powering up this little Waveshare transceiver, no signal on any UART side pins. Perhaps it needs a wake up call from another device on UART side.
Funny thing is, after hooking up RS485 side to the car, both signals are shorted to ground (no matter polarity; switched A and B and same result). If I unplug a single wire, either red or blue, then signal voltage range goes back to normal. There's still 200 mV signal between red/green that I have captured. I guess that's enough for car to work since it did so. I have captured them without transceiver connected so +1,8/-1,8 V range.
Below is my full folder. "differential 1 24mhz" and "differential 2 24mhz" files are captures with swapped GND/D0.

https://drive.google.com/file/d/1XbyO9z ... sp=sharing

NOW THE MAD PART!!!
- "differential 1 24mhz" 9600baud rate and invert RX gives frame errors... BUT "differential 2 24mhz" at 9600 baud works perfectly, as in not a single frame error across a hundred packets... BUT bit timing is off, like "50/50 kinda random" off. Like literally some bits are less than half of this baud rate. BUT I have compared 3 packets and they have the same amount of data AND a lot of values are the same for all of those 3 packets.

Why i think its mad? Because i have established that the baud rate must be 38400 or 28800 based on previous captures.

Edit: Scratch that boys. We're going places! You know the saying about placing in a room an infinite number of monkeys and infinite number of typewriters? Amazing things are bound to happen. 19200 baudrate with an odd parity bit fits like a glove! Turns out Oscilloscope was unnecessary after all. But I do not regret buying it all. Will be useful when shit hits the (Taiwanese) fan.

Edit: Added a screenshot of different decodings. Perhaps someone notices something at first glance.

Edit: Made proper data gathering. Samples + dr prius screenshots. If this doesn't work, then the next step is to mess physically with temp and voltage sensors to get boundary values. I don't really have a place for this :(
https://drive.google.com/file/d/1mwW_1t ... sp=sharing

Edit: Another idea - Someone could inject this data stream on a loop to the Hybrid Vehicle Control ECU while having obd dongle with dr. prius running on a phone. Would this show my battery parameters in the app? Or straight away look for CAN PIDs that dr. prius uses to gather data. Buy rs485 dongle for arduino and send data on loop through bth. Listen on can pins of HVC ECU. Although it seems kinda pointless when you don't know which bytes to change to change data.

Edit: https://rs485.com/rs485spec.html This website rules out RS422 by its minimum of 2V signal level. But I don't think it changes anything. I had a talk with an IT guy who encouraged me to make my own UART/RS485 relay with Arduino since, as he told, even a monkey could do it with the help of cyber monkey called ChatGPT, before paying someone to write the code for me.

```cpp
#include <Arduino.h>

const byte data[] = {
  0x28, 0xD7, 0xFF, 0x6B, 0x6C, 0x00, 0x68, 0x00, 0xFF, 0x00,
  0x6C, 0x6E, 0x48, 0x00, 0x25, 0x7E, 0x29, 0xD6, 0xFF, 0x69,
  0x6B, 0x5D, 0x6A, 0x00, 0xFF, 0x6A, 0x6B, 0x00, 0x68, 0xBF,
  0x66, 0xF4, 0x2A, 0xD5, 0xFF, 0x6C, 0x69, 0x9A, 0x6A, 0x00,
  0xFF, 0x6B, 0x6A, 0xA1, 0x6A, 0x9C, 0xA7, 0xF2, 0x2B, 0xD4,
  0xFF, 0x6B, 0x6A, 0x8A, 0x6A, 0x00, 0xFF, 0x00, 0x6C, 0x00,
  0x48, 0x00, 0x25, 0x9A
};

const int RSE_PIN = 10;
const unsigned long FRAME_DELAY_US = 1019;  // 573 (frame) + 446 (desired delay)
const unsigned long LOOP_DELAY_MS = 9;

void setup() {
  pinMode(RSE_PIN, OUTPUT);
  digitalWrite(RSE_PIN, HIGH); // Always in transmit mode

  Serial1.begin(19200, SERIAL_8O1);  // 8 data bits, Odd parity, 1 stop bit
}

void loop() {
  for (byte b : data) {
    unsigned long t_start = micros();
    Serial1.write(b);

    // Wait until full frame duration (573 us) + 446 us inter-frame gap
    while (micros() - t_start < FRAME_DELAY_US) {
      // Busy wait to ensure spacing
    }
  }

  delay(LOOP_DELAY_MS);  // Wait before repeating the whole transmission
}
```

This code seems to work although timing between bytes literally oscillates between 2 timings. Probably due to low clock of DUE. Loop delay is even worse as it can be timed only to milliseconds. When trying microseconds, DUE simply ignores loop delay. Voltages of my WaveShare SP3485 don't match car's too. Hope I won't fry anything.

Edit: now look at that. A screenshot from 15.05 data packet sent by Arduino. Sure I still got plenty of DTC errors on the dashboard but temp, 12v batt, max charge/discharge, 8.51v (whatever it means), resistance is the same as per captured frame. Charging amps sometimes changed for a second to 6.30amps, and voltage did flip sometimes too.
Now I have to figure out how to send boot up handshake, as there's a unique signal at the start. - That's obsolete idea from when I captured data with glitches. There's no start-up code.

Changing any byte makes most values go default. Apart from max chrg and max dchrg, soc, 12v bat. Have to find CRC.

Picture with 8.6v12 bat corresponds to 12.52 picture. Car even goes into ready with "check hybrid system" message. All values stable and nothing changes. Although I'm afraid of damaging my car. Engine sounded odd. Perhaps something to do with real HV voltage being off from truth.
Attachments
Screenshot_20250531-191304_Dr. Prius.png
Screenshot_20250531-184612_Dr. Prius.png
3 packets comparison.jpg
IMG_20250526_131642.jpg
IMG_20250526_073659.jpg
IMG_20250526_073643.jpg
IMG_20250526_073628.jpg
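Added example, not part of the thread and not any poster's code: a minimal software UART decoder of the kind PulseView applies, run over a constructed 24 MHz waveform carrying the first 16 bytes of the posted buffer at 19200 baud with odd parity. It shows why the wrong parity setting flags every character, how a mid-bit check rejects a 1 us glitch, and that an 11-bit character at this rate lasts the 573 us used in the sketch above; the waveform, the 3-bit idle gap and all function names are assumptions made for the example.

```python
SAMPLE_RATE = 24_000_000          # logic-analyser rate named in the thread
BAUD = 19_200                     # rate the poster settled on, with odd parity
SPB = SAMPLE_RATE // BAUD         # 1250 samples per bit
CHAR_TIME_US = round(11 * 1_000_000 / BAUD)   # start + 8 data + parity + stop

# First 16 bytes of the replay buffer posted in the thread.
RECORD = bytes.fromhex("28D7FF6B6C006800FF006C6E4800257E")

def odd_parity_bit(byte):
    """Bit that makes the number of 1s in data plus parity odd."""
    return (bin(byte).count("1") + 1) % 2

def encode_8o1(data, gap_bits=3):
    """Constructed idle-high test waveform, one list entry per sample."""
    samples = [1] * SPB
    for byte in data:
        bits = [0] + [(byte >> n) & 1 for n in range(8)]    # start, data LSB first
        bits += [odd_parity_bit(byte), 1] + [1] * gap_bits  # parity, stop, idle gap
        for bit in bits:
            samples.extend([bit] * SPB)
    return samples

def decode_uart(samples, parity="odd"):
    """Sample each bit at its centre; return (data, parity_errors, framing_errors)."""
    out, parity_errors, framing_errors, i = bytearray(), 0, 0, 1
    while i < len(samples) - 11 * SPB:
        if not (samples[i - 1] == 1 and samples[i] == 0):   # wait for a falling edge
            i += 1
            continue
        mid = [samples[i + SPB // 2 + n * SPB] for n in range(11)]
        if mid[0] != 0:             # line high again by mid-bit: glitch, not a start bit
            i += 1
            continue
        byte = sum(bit << n for n, bit in enumerate(mid[1:9]))
        ones = bin(byte).count("1") + mid[9]
        parity_errors += ones % 2 != (1 if parity == "odd" else 0)
        framing_errors += mid[10] != 1                      # stop bit must be high
        out.append(byte)
        i += 10 * SPB + SPB // 2                            # resume inside the stop bit
    return bytes(out), parity_errors, framing_errors

if __name__ == "__main__":
    wave = encode_8o1(RECORD)
    wave[100:124] = [0] * 24        # constructed 1 us low glitch on the idle line
    print(decode_uart(wave, "odd"), decode_uart(wave, "even"), CHAR_TIME_US)
```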