Oops, just like that and six months goes by! Still, there has been steady progress on simplifying the "Bench Kona" project down to something that could be transplanted into a car.

Smart Key Module

A couple of posts ago I wrote about having to wire up my wrecked Hyundai Kona Electric's Smart Key Module in order to get the motor to turn on the bench:

The smart key module performs a lot of functions in the car, so wiring it up also meant attaching:

• The steering wheel with its electronic lock mechanism.
• A whole second CAN bus, BCAN. This meant spoofing CAN messages sent by the Body Control Module to indicate things such as the doors being closed.
• Antennas for the short range RFID keyfob transponder system.¹
• The "Engine Start/Stop button", which also contains the fallback antenna for the keyfob.

It adds up: modules connected only to keep the Smart Key Module happy are a substantial portion of the total mess on the bench:

Internally, the Smart Key Module also contains two radio systems: a close range RFID-like system which tracks whether a key is present in the vehicle, and a long range 433MHz receiver that receives the signal to remotely lock and unlock the doors when a button is pressed.

Ideally, if we're adapting the Kona's electric powertrain into another car then we want to remove the Smart Key Module entirely. Dozens of wires run into the module, but we only need one: the IMMO wire.

"IMMO" is the immobiliser signal, used to coordinate between the Vehicle Control Unit (VCU) and the Smart Key Module. The VCU sends a challenge over this wire, and if the Smart Key Module doesn't provide a valid response then the motor won't turn. Most auto manufacturers implement some version of this. I believe Hyundai's name for the system in the Kona is SMARTRA 4.

Although useful for discouraging casual theft, immobilisers are a major barrier for reusing OEM EV powertrains and prolonging their useful lives. The immobiliser protocols aren't documented, and the immobiliser binds otherwise unrelated parts of the vehicle together.

This is one reason why many OEM repurposing efforts have focused on completely replacing the circuit board in the motor controller, to bypass all this complexity. They might be onto something, but I still hope to reuse as much of Hyundai's engineering investment as possible...

Getting Mobile

Turns out, it's not that difficult to provide a valid immobiliser response to the VCU. Although I don't know of any specific reason not to, I'm choosing not to post technical details about the signal at this time.

I will note that a class of products called "immobiliser emulators" exist in the market. These emulate the immobiliser signal of a particular vehicle. There are legitimate looking websites overseas advertising an immobiliser emulator that's "plug and play" on all Hyundai/Kia "smart key" systems. At least one product has been on the market since 2019. I believe anyone who reverse engineers the Hyundai IMMO signal is only repeating a discovery that has been well known for at least five years, and that Hyundai must be well aware of by now.

Regarding the security implications for Kona owners: emulating only the IMMO signal doesn't appear to be a huge aid for would-be Kona thieves. In a real car, the Smart Key Module is wired into half a dozen modules that would all need to co-operate for the car to drive away. Before the Smart Key module initiates any of those other functions then it would need to see a valid cryptographic response from the RFID transponder inside the car key, and this algorithm appears totally separate from the "IMMO" signal.

This does beg the question, though: who are these "immobiliser emulator" products for? As far as I can figure, the most likely uses on a modern vehicle will be engine swaps and the like - where a swapped ECU may not recognise a new "Frankensteined" vehicle to be valid.

Here, the goal is to remove all the other systems attached to the Smart Key Module. Emulating the immobiliser signal is perfect for this.

Smart Key Module - Out!

With the immobiliser signal emulated, all of the modules mentioned at the start of this post could be removed from the bench:

Svelte and minimalistic? No...

Less overwhelming? Very much so!

In the photo above, the Smart Key Module's many functions have been replaced with:

• A switch to power the IG1 ignition relay, to turn the "car" on.
• A momentary pushbutton to send a 12V "start" signal to the VCU, allowing the high voltage battery contactors to close and motor to start.
• Immobiliser signal emulation.

This part turned out simpler and more successful than I ever imagined when starting out.

Of course there's still a very long way to go before another car can drive with a Hyundai electric drivetrain swapped in.

Charging

The next milestone was to verify that the bench Kona can charge. This wasn't too difficult, one additional CAN message needed spoofing as it turns out the missing Integrated Gateway Power Module (IGPM) is responsible for locking and unlocking the charge connector into the port. It provides a "locked" signal to the Onboard Charger signalling that it's OK for electrons to start flowing.

I don't have any exciting videos, but here's my EVSE charging away:

Weirdly, I was able to AC charge from a 15A EVSE without an issue and with no fault codes reported - but only at much reduced charge power (1.1kW, less than 5A). What I saw matches pretty well with the "Minimum" charge current setting in the Kona's UI:

Is it possible that I left my Kona set to minimum charge current before I tore it apart? D'oh!

Taking some additional CAN logs from Oli's intact car, we were able to capture a CAN message that appears to change this setting. Unusually, this isn't a continuously transmitted message ID - the infotainment system seems to send a short burst of this message any time you change the setting on the infotainment display.

However, just injecting this message didn't increase the charge rate of my bench setup. Further log analysis suggests my 2019 model might use a different CAN message for this purpose than Oli's 2021 model, each message is only present on one of our vehicles. I haven't had time to try this again, yet...

Clearing codes

Using the process that worked pretty well reversing the BMW gear selector, I've been using the Bench Kona modules' own reported DTC fault codes as a feedback signal to figure out which spoofed CAN messages they're listening for. Basically: clear fault codes, change the spoofed messages, read fault codes again to see if anything changed.² Then repeat many, many times.

Optimising this process led to this somewhat intense looking UI for turning on and off each spoofed CAN message:

By messing around with this I was able to turn each message on and off individually, and gradually eliminate faults on some Bench Kona modules. Clearing the fault code doesn't mean the module will necessarily behave correctly, of course. The remaining task is to figure out which signals in each spoofed message are important and how to inject correct values there. Finding the messages is a good start, though.

There are still two residual fault codes showing on the VCU, but it's getting there!

I've published the desktop bench_kona emulation program for reference on GitHub - as per the disclaimer there I don't recommend anyone uses it, though!

Wiring Cleanup

Now "driving" and charging both work, it was necessary to remove unused wires from the bench Kona's monstrous rats nest. I've been doing this quite cautiously, one wire at a time, in case I cut something out of the loom that I need and can't find later.

Nevertheless, the boxes are filling up:

Next up

Until recently, I'd been sticking with my flexible but hacky desktop Python program for "running" the bench Kona. It's well past time to move to a proper real-time embedded system that can interact in other ways with the Bench Kona modules and the rest of the "car". More to tell about this in the next post, planned for release much sooner than six months' time!