At this point in the tech dystopia cycle, it’s no surprise that the initial purchase price of a piece of technology is likely not the last payment you’ll make. Almost everything these days needs an ongoing subscription to do whatever you paid for it to do in the first place. It’s ridiculous, especially when all you want to do is charge your electric motorcycle with electricity you already pay for; why in the world would you need a subscription for that?
That was [Maarten]’s question when he picked up a used EVBox wall mount charger, which refused to charge his bike without signing up for a subscription. True, the subscription gave access to all kinds of gee-whiz features, none of which were necessary for the job of topping off the bike’s battery. A teardown revealed a well-built device with separate modules for mains supply and battery charging, plus a communications module with a cellular modem, obviously the bit that’s phoning home and keeping the charger from working without the subscription.
After some time going down dead ends and a futile search for documentation, [Maarten] decided to snoop into the conversation between the charger boards and the comms board, reasonably assuming that if he knew what they were talking about, he’d be able to mimic the commands that make the charger go. He managed to do exactly that, reverse engineering enough of the protocol to do a simple replay attack using a Raspberry Pi. That let him use the charger. Problem solved, right?
Not so fast — this is a “Fail of the Week,” after all. This is where [Maarten] should have called it a day, but he decided to keep poking enough to snatch defeat from the jaws of victory. He discovered that the charging module’s firmware was only doing limited validation of messages coming from the comms module, and since he’d only found fourteen of the commands in the protocol, he thought he’d take advantage of the firmware’s openness to explore all 256 possible commands. Scanning through all the commands proved fatal to the charger, though, bricking the poor thing right after he’d figured everything out. Ouch!
To his credit, [Maarten] was only trying to be complete in his exploration of the protocol, and his intention to make it easier for the next hacker is laudable in the extreme. That he took it a byte too far is unfortunate, but such is the price we sometimes pay for progress. Everything he did is thoroughly documented, so if you’ve got one of these chargers you’ve got all the tools needed to make it a standalone. Just make sure you know when to stop.
Maarten might want to replace the communication module with an open source alternative (https://github.com/OpenEVSE/OpenEVSE_PLUS).
I doubt there’s anything wrong with the power and charging circuits. I’m sure removing the brains and hardwiring the charger circuit to a switch, as it should have been manufactured in the first place, should allow this expensive brick to avoid the parts bin and continue to be useful for it’s intended purpose.
I suppose the bricked part probably did charge monitoring and cut-off, important for lithium chemistries. But open-source substitutes exist, they would have to be adapted to the specific power electronics here
Isn’t the charging logic in the vehicles? As far as I understand, the box tells the vehicle to start charging and with how much current, otherwise it just switches on the power.
I have an open source charger which most certainly doesn’t contain anything that could limit or control charging current.
What it can do is check the EV SOC (via API and measure how many kWh have been consumed via an energy counter to tell the car to stop charging but that’s done completely separately.
You’d hope so, right? That the internal battery BMS would be wise enough to keep a bad charger from turning it into a waterfall of molten lava? Not always. I assume you’re talking about an electric car? Motorcycles are anarchy compared to the rigorous regulation for cars
An EV “charger” is only a 220v or 110v relay that is controlled by the car. It also can tell the car it’s max power rating. The car does all of the conversion from AC to DC and battery monitoring.
You are right, the only thing buggered is an eeprom value. All the power circuits are fine. I’m thinking of a “brain transplant” to get the charger up and running again. EV charging is quite simple, really. I think I can replace the brains with a 555 timer :)
Haha, I just realized that “I can replace your brain with a 555 timer” is quite an insult :)
That’s why I bought a Grizzly Charger. All it does is charge. No phoning home. No subscription.
Same here, though I did add an induction usage tracker, to see what the wall power compared to what my car thinks feels dystopian in how far off they disagree.
I have the same charger but ripped out the potted module and rewired to use an open-source SmartEVSE DIN-rail module from https://www.smartevse.nl/
Ahh. Discovered the Self-Distruct Command..
Note to Self, Do not use!
Cap
In an old term: don’t tickle the dragon? OP got what he needed initially, he pushed his luck and woke the dragon that bricked his charger
Well, he has identified the EraseFlash() command. Now, restore the firmware backup and try identifying the other ones.
Back…up? Huh??
Yeah companies these days are really something else; You pay for a product, you pay for a subscription and they still sell your personal info and/or still serve you ads (looking at you Samsung)
I can’t get behind that for hardware ( I understand subscriptions for say Netflix etc).
and I can’t get behind selling someone’s info unless they explicitly and knowingly opt in (no hiding it in the TOS, etc)
Not to mention that everything smart and connected will cease to work far before its intrinsic service life.
Because the technology, development cost, and overhead of the business is too high for the customers to pay up-front and they would never buy the product if you told them what it really costs and how much you want for it.
So you have to obfuscate the real price of the product and take the money by the back door, and by that I mean butt-f**king the customer with extra payments and other “mandatory” purchases to subsidize the entry price.
You could use the term “anal raping” as a possible less offensive description.
B^)
“rear-end reaming” perhaps?
:D
Having worked in R&D, only some of it is that. Some of it is mid-level managers trying to look good by intentionally locking consumers into an on-going profit model. As one slimy boss described it to me: “systems” are profit. Which is why everything seems intentionally designed not to interoperate.
Many people would know better and you can get folks to buy stupidly overpriced for what it is crap for no good reason if the adverts or brand are good anyway (looking at you many times over recent years Apple). So to get folks to pay more for a solid, long lasting and cheaper total cost of ownership is easy.
You buy into a service model when it it actually does something for you in an ongoing way or more commonly these days when the company completely fails to actually tell you about it clearly… For instance a home security system with the human monitors might be worth the ongoing cost for the peace of mind that brings (if it brings any for you), and it actually has an ongoing cost to support. But if you just want the camera and alarm and don’t feel the need to effectively employ people to monitor it for you then you should not have to pay the subscription for all the functionality the hardware actually has.
https://en.wikipedia.org/wiki/Confusopoly
“marketing designed to prevent the buyer from making informed decisions”
You do realize that, for decades before this subscription shite became the accepted norm, that is exactly how progress worked? Early adopters paid for that privilege which allowed further development and dropping prices as demand grew. e.g. VHS, BluRay, TVs, tuntables, radios….
The subscription model is nothing but greedy corporations being greedier.
I’ll stick with “stupid” tech that I actually own outright over “smart” tech that requires an ongoing subscription any day.
The enshittification of technology marches forward.
All the more reason to stick to a gas powered vehicle.
How do you figure ICE vehicles are better ?
From what I’ve seen they are as bad or worth. With boatloads of comm issues, requiring special diag tools to figure out error codes, undocumented boot up procedures, and making it impossible to swap modules btwn cars bc serial numbers don’t match, blah blah blah.
See the $5000 F150 bumper fix vid on yt…
So.. Technical question
Is there really that much to a EV charger?
I looked into one that had been removed from service recently and it seemed like there wasn’t much in there that was actually related to charging.
It looked like when you plugged the thing into the cars port it had a short conversation to validate the fact that a car was actually attached and then closed a big relay that connected the large charging conductors to the AC line.
Electrically, it looked like the car took it from there.
I’m assuming that more information is exchanged for billing purposes, but all the advanced circuitry in the box seemed to exist for the user interface, not the actual act of charging a car.
I guess what I’m getting at is that if you’re reverse-engineering one of these to charge something next to your house, and you’re the only user, I don’t see why it needs to be any more complicated than a keyswitch that makes the relay close.
And maybe a 555 to turn the thing off after a few hours, because you gotta have a 555 in there somewhere. Rules are rules.
They are glorified contactors
Yes, that’s exactly what lvl1 & lvl2 chargers are.
They still need to talk to the car to make sure the car is happy, though. You can’t just close the contactor and expect the car to charge.
The electronics are also there for safety. They check for presence of a proper ground (and a few other things) before closing the contactor.
You can absolutely buy dumb EVSE though.
Ironically, the 555 is no good for hours long delays.
You’re right there isn’t much to an EV charger, in fact we tend not to call them chargers. They’re EVSEs or ‘charge points’ or something like that.
Think through what you’d need to be present to power a big mains load stored outside. Starting with a mains cable attached to a wall socket and dangling free, there’s an electrocution risk there so it’s better to have something to keep the cable dead until it’s safely plugged into a car. Humans make mistakes, so let’s make this electronic. Add a couple of pins, have the charge point put out a low voltage on one and try to the read the resistance between the pins. If it’s a specific value (not a dead short, not infinite) then energise the cable.
Now make the cable removable or configurable, here in the UK we use cables with a Type 2 connector on each end so I can plug a 16A rated cable into a 32A rated socket and try to draw 32A causing a fire, let’s have the cable report maximum allowable current to stop that. Likewise my charge point might be rated for 16A not 32A so that needs to report capacity. The car’s the one with the charger though so we need to signal the maximum capacity to the car somehow and it can slow down its charging. That’s done with a PWM signal from charge point to car though I don’t know how the cable’s current rating is indicated.
There might be a temperature sensor so if the charge point overheats it can tell the car to slow down charging, or in the UK because our electrical system is weird we need additional checks to make sure ground isn’t floating. We should probably check for shorts or leakage between live and ground while in use.
Indicator lights, wifi connections, RFID readers to secure access and identify a user for reporting etc are all optional but often included.
Oh another optional bit, current sensing for the connection from home to grid. If the rest of the house is drawing 80A on a 100A supply the charge point needs to tell the car it can draw 20A maximum.
The cable rating is encoded with a resistor in the plug. This article gives a nice description of the protocol: https://en.m.wikipedia.org/wiki/SAE_J1772.
Implenting the EVSE-side of the protocol is fairly straightforward, just genrate a 1kHz PWM signal with the right amplitude and duty cycle.
Well, that’s why I’m thinking of building a replacement controller module from of a 555 timer :)
“So.. Technical question
Is there really that much to a EV charger?”
When I worked at Bosch ~4 years ago, we threw out several of their EV chargers.
I have no idea what was wrong with them (customer returns).
With their covers off, I was surprised how little was inside them, large pretty much straight through conductors, with loop current sensors around them and a smallish circuit board.
At least petrol pumps don’t have subscriptions…
They always seem to offer a subscription in order to get a 5 cent/gal discount, though.
Fortunately, it’s not mandatory.
sigh.. Not a big fan of having the Govt coming in and mandating things.
But batteries and connectors are sorely in need of an intervention.
I’m talking about hand tools and cameras, all the way up to ATVs, mowers and motor vehicles. This penis measuring contest (of connector types) amongst the manufactures is killing us the consumers, re-enforces “range anxiety” and just keeps a steady stream of our still working tools headed to a landfill.
AIUI, Tesla charging stations allow other makes to charge as well.
just need to cut through the potting in just the right place to access the eeprom that stores the configuration, and write back a valid ID
I’m afraid it could be the PIC internal eeprom. But you’re right, I haven’t used a bright light to see if I can identify components under the layer of potting material. That’s worth a try.
Cars (E.V. , ICE ) , security cameras, home automation all seem to rely on a server some place to get all the functions to work, some times for a fee sometimes its a free service by the company making the device in question. The problem comes when the company drops the product or changes management or ownership the server that lets me see my security camera on my cell phone and worked for many months or years may operate for a time after it becomes a unsupported or the company puts out a end of service date now my camera is not as functional as what I paid for and there is no way to continue using it! The big case of this was when the old company X10 which sold camera, remote control switches & outlets , motion detectors, computer interfaces and much more went belly up, not only did the servers act as a way to use the devices from your phone or other internet devices but when you installed the software they had an authorization function on the servers as well so if you changed the computer running things or had to reinstall something it was brick city for the stuff!
I think when companies do use servers to make devices work they should be required to make sure the devices can live beyond the company that made them either by keeping the servers active for a reasonable time after the company ends like 10 years for cheap cameras or 25 years for more elaborate or widely used devices like X10. set aside some of the sale price to fund it , or make it possible to let users move to either a server owned and operated by the users on a home based or web server company including software keys. Side note whats this crap about cars coming with one key of the Super Stupid priced security fob that cost hundreds of dollars to replace or get spares for? I have set myself a point I will not ever buy a car that only has 1 key, if the car dealer wants to sell the car, they had best have or get 2 or more working keys and yes I will walk from a deal for the reason the dealer thinks he wont provide more than 1 key! If they have a problem with that they should talk to the mfg. and get this under control because this is not nor will it be a problem for me any car I buy comes with 2 keys! No electronics that depend on a server to function is harder to do but I try.