
Automotive BMSGATE (programmed obsolescence)

*BMS - Battery management system


Smart EQ is a great EV and the Mercedes Hybrid is a great engineering marvel, but the point of
this post is not to dissuade you from buying one, but to let you know that your user and owner
rights are probably being violated, or maybe not?! You decide.
Short version of the expert evaluation:
SMART and MERCEDES, in electric and hybrid vehicles (451, 453, W212, W221 for now,
and possibly inside the new EQC, EQS, EQB lineup), implemented into the BMS software a piece
of executable code which in 3 different cases deactivated or destroyed completely healthy
lithium batteries.
First is "NUMBER OF IGNITIONS - Contactor Counter - BMS Self erase",
second is "Cell undervoltage or overvoltage BMS battery LOCK",
third is "Crash accident self discharge".
In all 3 discovered cases, when we triggered those errors intentionally during lab tests, the OEM
service center didn't have the capability to resolve this software programmed obsolescence
(pre-programmed failure), and they asked owners to CHANGE THE COMPLETE BATTERY PACK
(and charged 13000-16000€ for it). If you are interested in knowing more, keep reading, because
we do not support this type of eMobility battery production 👇.

First, let's remember when this started on ICE cars. We first encountered this programmed
obsolescence (pre-programmed failure), with programmed counters that trigger a failure, on
Mercedes vehicles back in 2003, in the W211, W219 and R230 SBC (ABS unit) computers. If
you press the brake pedal 250000 times, the SBC decrements its counter from 250k to 0 and
activates one type of READ-ONLY error, and the service center's DAS/Xentry diagnostic tool
had no function to reset it. Later, whitehat hackers discovered the
“Developer mode” LVL9 authorization, which allows sending the SBC software counter reset
command to clear that counter and keep using the same old SBC unit. A new SBC was around
5000€. More than 1.5 million vehicles were produced, and let's say every car changed at least
2 units during its lifetime; that is about 10 billion € of additional cost for all owners.
Errors C249F & C2498.

The 2nd, less known issue was on the W221 parking brake unit. If its programmed
obsolescence (pre-programmed failure) error counter decreases to an unknown number, then even
if you repair the failed small DC motor which switches the parking brake on and off, that same
parking brake starts causing a phantom problem on the car: IT STARTS TO DRAIN THE 12V battery
overnight.

The 3rd, very well known one is the ESL or ELV fatal error 0xAA on W204, W207, W212, W246,
W176, W205 vehicles. The electronic steering lock module is located under the steering wheel
and contains a small DC brush motor; it was produced to last around 5000 ignitions or 80000km.
This one had a really deviant new type of error counter: if it detects an aggravated steering
unlock for any possible reason (it could be 12V battery undervoltage, bad brushes on the DC
motor) and you try to put the key into the ignition to start the car 10 times and the lock
fails, on the 11th attempt the ELV runs executable code for self erase and a permanent
read-only error, and it can't be reactivated anymore, so the OEM service center must change the
ELV; the service cost was around 1600€ in the beginning and later decreased to 700€. Even if
you change that small DC motor, which costs 10€, the ELV doesn't work and you can't start the
vehicle. This ELV used NEC microchip technology, which was never cracked to read the full
internal code and manually clear errors. More than 4 million cars were produced, and let's say
every car changed at least 4 units; that is a minimum of about 10 billion € of additional cost
for all owners. Errors 0xAA, Fault memory: A25464 - steering lock control unit.

Now let's go "back to the future".


Our first encounter with the deviant and really wrong practice of a programmed obsolescence
counter was in W221 (FBS3) and W212 (FBS3 and FBS4) hybrid vehicles with BMS part
number A7893406602 and the error "P0A7F00 - The age limit of the high-voltage battery
module has been reached." We then opened the BMS and read the internal processor TC19xx and
EEPROM 95256 with software version 2129027206_001. We discovered that they
implemented the number 200000, which decreases with every ignition or HV contactor loop
closing. That means if you enter your MB or EQ hybrid and turn the ignition 200000 times,
you must change a completely healthy lithium battery pack because the BMS decided that the
RELAY or CONTACTOR is too old to work properly, and it was designed in such a way that you
can't change only that "failed" part or reprogram the BMS again. Our customer, the owner of
that car, ended up in hospital after the OEM service center said that a new battery and
installation costs around 8000€. In our case the W212 had the FBS4 system, which has SCN coding
authorization tied to the unit serial number and not to the VIN like the FBS3 system. After
that counter hits 0, there is one more deviant piece of BMS executable code which erases the
secret SCN code, which is tied to the BMS serial number, which is erased too. We can get that
SCN code from the Mercedes server, but only if we know the BMS SN. In our case we don't know
the SN or the SCN, and an inquiry for the SCN is not possible. If you get a new, blank BMS, we
must have that lost SN to get the remote SCN. If you get a used BMS with another SN, you can't
get the SCN for your car; you will get the SCN of the other car where that second-hand BMS was
originally installed, and the BMS or battery won't work again. And we end up with no solution:
you MUST BUY A NEW BATTERY. To this day we haven't cracked this one to start the car.

The 2nd and last, the MOUNT EVEREST or MOTHER of all deviant programmed obsolescence
counters, is in the Smart 451 EV (which had an open source aftermarket repair solution) and
the Smart 453 EV EQ (which didn't have any solution to start the car).
We received a car with a bricked HV battery and BMS after the car was left at 0% for 2 or 3
days. All 3 blocks with 115 Volt modules inside the battery were depleted to 0V; one top
secret engineer from a top tier EV factory repaired the HV battery bricks and some cells were
changed, but the car didn't start. After 14 months of wandering from OEM workshops to 3rd party
workshops it ended up in our lab, and we were stunned by what was implemented in the BMS. If
a cell is undervoltage, below 2.5 Volts, or overvoltage, above 4.2, for any possible reason,
the BMS runs internal "safety" code that locks the BMS and contactors in the OFF state for all
time, till eternity. The OEM service center cannot help with online SCN or flashing to recover
the previous battery state. The car doesn't start and they offer only a new battery for
116000Kn or 15000€. Then we contacted a TOP SECRET Stuttgart development engineer to check if
he could help us reset the BMS or extract executable code from XENTRY Developer for the CANBUS
Service seed key lvl3 access function... and to our surprise there was none; that means someone
implemented code/instructions to kill the BMS but never made a backdoor to revert that function.
That was clear proof of intent to generate income by selling a new battery pack. But that was
not the end of our story; later we discovered there is one more loop of executable code which
triggers the BMS "safety" after a crash. The BMS enters a discharge state, depletes the cells
to 0V and locks the BMS in an error state till eternity, and again the OEM doesn't have a
diagnostic function to reset it, even if you recharge or change cells. You must buy a new
battery. But again, that wasn't the end of our story: there was that COUNTER for the
contactors. If you enter your EV and turn the ignition ON and OFF 200000 times and the counter
hits 0, you will need to change the battery, because again there is no hidden or developer
backdoor diagnostic function inside the OEM Xentry diagnostic tool/software to reset or repair
the battery software LOCK. The error is P0DE71C.
The BMS part number is A7899014200 and the firmware version is 7899026401.

Conclusion. This programmed obsolescence or programmed failure must stop, because an EV
battery pack is not 1 little cheap part. If this continues it will kill any passion or desire
for EV owners to ever buy an EV again; maybe this is an averted plan or maybe just the desire
of OEMs to generate income. People must know they are being robbed, and not since yesterday:
they have been robbed for years, but with EVs it will end. This is a violation of several
consumer rights, one of the most important being the RIGHT TO REPAIR.

W212 Hybrid
VIN: WDD2120981A******

Example of diagnostic error code: “P0A7F00 The age limit of the high-voltage battery
module has been reached.” The hybrid system doesn't work; a new battery costs more than 6000€.
The old battery is at only 8% degradation.
BMS board inside the battery pack.
Example of 2 battery packs inside 2 different cars: the upper one still works and its counter
is high. The lower one's counter is 0 and the SCN code is deleted.
To get the source code of the TC19XX and EEPROM, you must contact the owner of this post.
BMS 453 EV EQ 2018
VIN: WME4533911K******
Example of OEM diagnostic code readout: P0DE71C - The cell voltages of the
hybrid/high-voltage battery module are too high. The voltage value is outside permissible
range. The vehicle doesn't start; the OEM service center can't repair the software and is
asking for a new battery. 15000€
Example of the AGE COUNTER on this vehicle, still counting to 0.
To get the source code of the 2 SPC564 microcontrollers and EEPROM 95640, you must contact
the owner of this post.
---
I will preface all of this with a bit of a disclaimer.
First, 99.9% of the information here is derived from first hand reverse engineering of
Mercedes and Smart BMS, BMS firmware, and other aspects of the Daimler vehicles.
Reverse engineering is not an exact science, as in, you don’t get the exact code used to
create the software out of the process, and obviously the developer’s
commentary/comments are not available either. Much of what is derived relies on some
logical interpretation to determine the intended functionality of particular code. While there is
a lot of human-readable text in some parts of the code, this isn’t always the case.
I’ve been working on hardware and software design, including reverse engineering of the
same, for the better part of 8 years now. While I have extensive knowledge and experience,
I don’t personally consider myself to be an expert in the field. Many others definitely
disagree, and do consider me to be an expert.
All of that said, what I’m mainly trying to convey is that I’m definitely not perfect. It’s quite
possible my interpretation of how all of this works has flaws, and my speculation as to the
intention of the developers may also be flawed. I do believe this information is as correct as
possible given the information available, however, and is likely the most complete picture
that will be available.
I’ll also note that this is a pretty technical explanation of the situation, and some background
knowledge of the general topic and technology will be needed to fully understand. I’ll go
over some of the background info that is situation-specific, but you’ll likely have to do your
own research to fill in any gaps in your knowledge. If I jump around a lot, my apologies. I'm
also not the best writer, overall. I have a lot of information I'm trying to condense into a
single writeup here, with lots of connections between the various content.

(wk057, thanks for the great note, I used it)
