First let's remember when this started on ICE cars. We first encountered this programmed obsolescence (pre-programmed failure) and programmed counters that trigger failure on Mercedes vehicles back in 2003 on the W211, W219 and R230 SBC (ABS unit) computers. If you press the brake pedal 250000 times, the SBC decrements a counter from 250k to 0 and activates one type of READ-ONLY error, and the service center didn't have a function in their DAS/Xentry diagnostic tool to reset this. Later, whitehat hackers discovered the "Developer mode" LVL9 authorization to send commands for an SBC software counter reset, to clear that counter and keep using the same old SBC unit. A new SBC was around 5000€. More than 1.5 million vehicles were produced, and let's say every car changed at least 2 units during its lifetime; that is about 10 billion € of additional cost for all owners. Errors: C249F & C2498.
The 2nd, less known, issue was on the W221 parking brake unit: if its programmed obsolescence (pre-programmed failure) error counter decrements to an unknown number, then even if you repair the failed small DC motor which runs the parking brake on and off, that same parking brake starts causing a phantom problem on the car: IT STARTS TO DRAIN THE 12V BATTERY OVERNIGHT.
The 3rd, very well known, is the ESL or ELV fatal error 0xAA on W204, W207, W212, W246, W176 and W205 vehicles. The electronic steering lock module is located under the steering wheel and contains a small DC brush motor; it was built to last around 5000 ignitions or 80000 km. This one had a really deviant new type of error counter: if it detects an aggravated steering unlock for any possible reason (could be 12V battery undervoltage, bad brushes on the DC motor) and you try to put the key into the ignition to start the car 10 times and the lock fails, on the 11th attempt the ELV runs executable code to self-erase and set a permanent read-only error which can't be reactivated anymore, and an OEM service center must change the ELV; the service cost was around 1600€ in the beginning and was later decreased to 700€. Even if you change that small DC motor, which costs 10€, the ELV doesn't work and you can't start the vehicle. This ELV used NEC microchip technology which was never cracked to read the full internal code and manually clear errors. More than 4 million cars were produced, and let's say every car changed at least 4 units; that is a minimum of about 10 billion € of additional cost for all owners. Errors: 0xAA; fault memory: A25464 - steering lock control unit.
The 2nd and last, the MOUNT EVEREST or MOTHER of all deviant programmed obsolescence counters, is the Smart 451 EV (which had an open source aftermarket repair solution) and the Smart 453 EV EQ (which didn't have any solution to start the car).
We received a car with a bricked HV battery and BMS after the car was left at 0% for 2 or 3 days. All 3 blocks with 115 V modules inside the battery were depleted to 0 V, and one top secret engineer from a top tier EV factory repaired the HV battery bricks and some cells were changed, but the car didn't start. After 14 months of wandering from OEM workshops to 3rd party workshops it ended up in our lab, and we were stunned by what was implemented in the BMS. If a cell is under voltage below 2.5 V or over voltage above 4.2 V for any possible reason, the BMS runs internal "safety" code to lock the BMS and the contactors in the OFF state for all time, till eternity. The OEM service center cannot help with online SCN coding or flashing to recover the previous battery state. The car doesn't start, and they offer only a new battery for 116000 kn or 15000€. Then we contacted a TOP SECRET Stuttgart development engineer to check if he could help us reset the BMS or extract the executable code from XENTRY Developer for the CAN bus service seed-key level 3 access function... and to our surprise there was none, which means someone implemented code/instructions to kill the BMS but never made a backdoor to revert that function. That was clear proof of intent to generate income by selling new battery packs. But that was not the end of our story: later we discovered there is one more loop of executable code which triggers the BMS "safety" after a crash. The BMS enters a discharge state, depletes the cells to 0 V and locks the BMS in the error state till eternity, and again the OEM doesn't have a diagnostic function to reset it even if you recharge or change the cells. You must buy a new battery. But again, that wasn't the end of our story; there was that COUNTER for the contactors. If you enter your EV and turn the ignition ON and OFF 200000 times and the counter hits 0, you will need to change the battery, because again there is no hidden or developer backdoor diagnostic function inside the OEM Xentry diagnostic tool/software to reset or repair the battery software LOCK. The error is P0DE71C - the part number of the BMS is A7899014200 and the firmware version is 7899026401.
W212 Hybrid
VIN: WDD2120981A******
Example of diagnostic error code: “P0A7F00 The age limit of the high-voltage battery module has been reached.” The hybrid system doesn't work; a new battery costs more than 6000€. The old battery is at only 8% degradation.
BMS board inside the battery pack.
Example of 2 battery packs inside 2 different cars: the upper one still works and its counter is high; the lower one's counter is 0 and its SCN code is deleted.
To get the source code of the TC19XX and EEPROM, contact the owner of this post.
BMS 453 EV EQ 2018
VIN: WME4533911K******
Example of OEM diagnostic code readout: P0DE71C - The cell voltages of the hybrid/high-voltage battery module are too high. The voltage value is outside the permissible range. The vehicle doesn't start; the OEM service center can't repair the software and is asking for a new battery: 15000€.
Example of the AGE COUNTER on this vehicle, still counting down to 0.
To get the source code of the 2 SPC564 microcontrollers and the 95640 EEPROM, contact the owner of this post.
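As an added illustration (a constructed model written here, not the BMS firmware or any code from the post), a toy Python state machine of the latching lock described above: the 2.5 V / 4.2 V cell limits and the 200000-cycle contactor counter are the values the post states, and the `allow_reset` flag contrasts the no-recovery design with one where the latch clears only after a gated cell check. Class, function and log-message names are hypothetical.

```python
from dataclasses import dataclass, field

# Thresholds and counter start value are those stated in the post; the model is constructed.
CELL_UV_LIMIT = 2.5          # volts: below this the BMS latches
CELL_OV_LIMIT = 4.2          # volts: above this the BMS latches
CONTACTOR_CYCLES = 200_000   # ignition ON/OFF cycles before the counter reaches 0


@dataclass
class BmsLatchModel:
    """Toy model of a latching BMS lock. allow_reset=False mimics what the post
    describes (no diagnostic path to clear the latch); True adds a gated recovery path."""
    allow_reset: bool = False
    locked: bool = False
    contactor_counter: int = CONTACTOR_CYCLES
    fault_log: list = field(default_factory=list)

    def _latch(self, reason: str) -> None:
        self.locked = True
        self.fault_log.append(reason)

    def check_cells(self, cell_voltages) -> bool:  # True if contactors may close
        for i, v in enumerate(cell_voltages):
            if v < CELL_UV_LIMIT or v > CELL_OV_LIMIT:
                self._latch(f"cell {i}: {v:.2f} V outside {CELL_UV_LIMIT}-{CELL_OV_LIMIT} V")
        return not self.locked

    def ignition_cycle(self) -> bool:  # one ON/OFF cycle; counts down, latches at 0
        if not self.locked:
            self.contactor_counter -= 1
            if self.contactor_counter <= 0:
                self._latch("contactor cycle counter reached 0")
        return not self.locked

    def authorized_reset(self, cell_voltages) -> bool:
        """Clears the latch only if the design allows it AND every cell is back in range."""
        in_range = all(CELL_UV_LIMIT <= v <= CELL_OV_LIMIT for v in cell_voltages)
        if not (self.allow_reset and in_range):
            return False
        self.locked = False
        self.fault_log.append("authorized reset after cell verification")
        return True


def depleted_pack_scenario(allow_reset: bool) -> dict:
    """Pack left at 0% (cells at 0 V), then cells repaired to 3.7 V; reports the outcome."""
    bms = BmsLatchModel(allow_reset=allow_reset)
    drivable = bms.check_cells([0.0, 0.0, 0.0])        # depleted pack: latches
    reset_ok = bms.authorized_reset([3.7, 3.7, 3.7])   # attempted after cell replacement
    return {"latched": not drivable, "reset_ok": reset_ok,
            "locked_after_repair": bms.locked, "log": list(bms.fault_log)}
```

With `allow_reset=False` the repaired pack stays locked, which is the outcome the post describes; with the gated path the fault stays in the log but the lock clears once the cells measure in range.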
---
I will preface all of this with a bit of a disclaimer
First, 99.9% of the information here is derived from first hand reverse engineering of
Mercedes and Smart BMS, BMS firmware, and other aspects of the Daimler vehicles.
Reverse engineering is not an exact science, as in, you don’t get the exact code used to
create the software out of the process, and obviously the developer’s
commentary/comments are not available either. Much of what is derived relies on some
logical interpretation to determine the intended functionality of particular code. While there is
a lot of human-readable text in some parts of the code, this isn’t always the case.
I’ve been working on hardware and software design, including reverse engineering of the
same, for the better part of 8 years now. While I have extensive knowledge and experience,
I don’t personally consider myself to be an expert in the field. Many others definitely
disagree, and do consider me to be an expert.
All of that said, what I’m mainly trying to convey is that I’m definitely not perfect. It’s quite
possible my interpretation of how all of this works has flaws, and my speculation as to the
intention of the developers may also be flawed. I do believe this information is as correct as
possible given the information available, however, and is likely the most complete picture
that will be available.
I’ll also note that this is a pretty technical explanation of the situation, and some background
knowledge of the general topic and technology will be needed to fully understand. I’ll go
over some of the background info that is situation-specific, but you’ll likely have to do your
own research to fill in any gaps in your knowledge. If I jump around a lot, my apologies. I'm
also not the best writer, overall. I have a lot of information I'm trying to condense into a
single writeup here, with lots of connections between the various content