by angusgr 595 days ago
Hey! Post author here.

I appreciate the insight from someone who's worked on this kind of thing formally, thanks.

> Most likely what’s happening is that the creep torque is applying a constant small torque and the wheel sensors are reading 0 continuously, so it continues to apply a constant small torque.

This was also my hypothesis at the time of the post. Turned out it's less constrained than this, a fully operational car with the drive wheels off the ground will also run away to high rpm (even in Neutral): https://www.projectgus.com/2024/04/unremarkable/#on-car-test...

There's still minimal torque, as you say, so a small press on the car's brake pedal is all it takes to stop. However, I think if a driveshaft broke on a real car then it'd be spinning fast for a minute or two... It kind of makes sense that the control loop is tuned for a heavy car with a fixed drive ratio, though.

I am still hopeful there will be a way to stop this behaviour via a control signal (rather than pulling the safety interlock and slamming the contactors open). Have left the problem aside until I have a mechanical brake to use for testing! If that doesn't work out then it's still usable I think, provided any EV conversion is single speed fixed gear just like the Kona.

If you have any other insights on this then I'd be very interested to hear them, though.


It won’t happen on a real car because the speed probably comes from the ABS wheel speed sensors, and in that case they would read the correct speed of the wheels (unless the motor shaft is proper broken).

If the ABS is properly plugged in it will detect a fault with the sensors (which probably causes the creep to stop) however it won’t detect a mechanical fault with the encoder wheel (such as sensor not bolted to wheel) — such a fault is indistinguishable from the wheel not spinning, thus zero speed.

I think you were emulating the ABS module right? In that case, the spinning out of control is actually probably your fault. If you had not emulated this, the system would realise there is an ABS fault (from the messages not being present) and not use the ABS reported speed. It might even fall back to motor speed automatically.

Re: shaft scenario, if the motor shaft is broken the safety risk is pretty minimal because the torque won't actually cause the car to move.

I guess this is what they arrived at in the FMEA.

Funnily enough, I noticed recently that Japanese and Korean engineers usually argue against using checksums and random magic rolling bytes on these messages ("it will never happen"); in contrast, Euro engineers use them everywhere. In this case the Euro method, although more complex, would have let the system know you are spoofing the ABS and no such motion would have happened.
My European car (2013 Volvo) had no checksum or even identifier for the firmware as I found out when my car would just randomly cut all power at speed. I brought it back to the dealership and they found it had a completely different car’s update (2017 different model) installed!
Well. Reading out failure memory from ECUs a couple of years old showed us that all checksums failed several times over that time...
It makes me wonder if they have to do it that way, after what happened with VW lying about their diesel emissions.
> I think you were emulating the ABS module right? In that case, the spinning out of control is actually probably your fault. If you had not emulated this, the system would realise there is an ABS fault (from the messages not being present) and not use the ABS reported speed. It might even fall back to motor speed automatically.

That's a reasonable expectation, and this got left out of the follow-up post I linked, but in the "full car with wheels off the ground" tests we actually tried unplugging the brake module of an otherwise working car and it didn't change anything (including the gradual constant rpm increase in Neutral). If anything the behaviour might have gotten a little more aggressive with the brake module missing.

Have now observed similar behaviour for all three of "spoofed brake messages with 0 wheel speeds and emulated checksums", "fully operational car with wheels off the ground", and "car with wheels off the ground and ABS/brake module unplugged". ¯\_(ツ)_/¯

> Re: shaft scenario, if the motor shaft is broken the safety risk is pretty minimal because the torque wont actually cause the car to move.
>
> I guess this is what they arrived to in the FMEA.

Fair enough, that makes sense. I guess if that's the case then the other behaviour is outside of the scope of what they need to care about.

If you lifted a working car off the ground and it did it anyway I’ll admit that I’m a little concerned. It should stop creeping around 15km/hr.
If you're interested then click the link in my first reply (which is to a newer post). The first video shows the working car reaching 8000rpm (about 80km/h) around six seconds after the accelerator was released. The second video shows the speed creeping steadily from 38km/h to 44km/h (~2600rpm) after switching to Neutral (before we got nervous again and touched the brake).

(I don't really understand it, but I also haven't managed to think of a safety issue here for normal car use: the broken driveshaft is just a bit scary as the motor spins unloaded at >10,000rpm for a while. The only other time this seems likely to happen is if a mechanic puts the car in Drive on a hoist, and it'll stop as soon as they tap the brake.)

Accident modes for car on a lift in a repair shop, or car gets high-centered with drive wheels in the air?
> I think you were emulating the ABS module right? In that case, the spinning out of control is actually probably your fault. If you had not emulated this, the system would realise there is an ABS fault (from the messages not being present) and not use the ABS reported speed. It might even fall back to motor speed automatically.

If the ABS unit getting stuck causes that kind of acceleration then I'm going to point most of the fault at the control logic.

ABS faults can do way more dangerous things than indirectly command 5 Nm of torque in a no-load situation.
I have experienced a spurious ABS activation while braking from highway speed on an offramp. It was terrifying, and would have led to a crash had there been any traffic when I rolled through the stop sign at the bottom with the ABS still chattering.

That vehicle got its ABS fuse pulled.

Not really.. it will only be applying 5 Nm or so, which is such a small amount of torque that you could likely stop the wheel with your hand (equivalent to holding up a 500 g object with a 1 m ruler).

He is spoofing an ABS message from a working vehicle that says “no faults present” on a vehicle that is clearly full of faults.

ABS are usually ASIL D rated (ISO 26262) which means they have an on board watchdog, redundant processor with voting system, etc. so this failure mode (locked up and still sending) is considered impossible by design.
Sure, but I would think there would be some special case when we expect the car to have 0 speed, to not request any torque from its motor. IMO there is no case where the car should request any torque when in neutral.
If I had to take a guess why… it probably thinks that you’re sitting on a hill and doesn’t want you to roll back.
> Not really.. it will only be applying 5 Nm or so, which is such a small amount of torque that you could likely stop the wheel with your hand (equivalent to holding up a 500 g object with a 1 m ruler).

It's good that it's small but I'm still not thrilled about this control loop.

> He is spoofing an ABS message from a working vehicle that says “no faults present” on a vehicle that is clearly full of faults.

My point is that the same messages would happen if you had a fully working vehicle and then the ABS unit locked up in a way that didn't interrupt sending.

It's not acceleration, it's torque application. There is a slight difference in nuances between those.
The problem is that it's doing both when it's only supposed to do one.
No, constant torque against nothing is infinite RPM. Imagine a space capsule with a stuck roll thruster.
Please explain how that is a "no". You just described a situation where it would be doing both when it's not supposed to. In the analogy, the thruster is supposed to turn off once it starts spinning, but it doesn't.

The entire reason this mechanism exists is that resistance can be significantly nonzero and needs to be adjusted for. It's just doing the adjustment in a flawed way.

Interesting. Sounds like really bad software.

There should be some sort of inertia estimation turning off the motor if the inertia doesn't include the wheels or whatever.

There should also be some check that output axle speed (ABS sensors) and motor speed match.

The behaviour sounds kinda dangerous and not up to ECU standards.

We don’t implement stuff like this because it would go off when you’re going down a slight incline for example, and the more bandaids you slap on it to get it to work, the more complex testing the failure scenario would be.
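As an added illustration of the speed-consistency check suggested a few comments up (not code from the post author, nor anything from the Kona or any real ECU), here is a small Python sketch of a creep-torque gate that compares the ABS-reported wheel speed against the speed implied by the motor encoder. Every constant is an assumption constructed for the example: the rpm-per-km/h ratio, the 5 Nm creep torque and 15 km/h cutoff echo figures quoted in the thread, and the tolerance and message timeout are placeholders. The three failure cases the thread describes (spoofed "0 km/h" ABS frames while the motor spins, ABS module unplugged, and Neutral) each end up with zero torque requested.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed constants for this example; not values from any real vehicle.
MOTOR_RPM_PER_KMH = 100.0   # assumed fixed-ratio drive: motor rpm per km/h of road speed
CREEP_TORQUE_NM = 5.0       # small creep torque, the order of magnitude quoted in the thread
CREEP_CUTOFF_KMH = 15.0     # speed above which creep is expected to stop
MISMATCH_TOL_KMH = 3.0      # allowed disagreement between ABS speed and motor-derived speed
ABS_TIMEOUT_MS = 100        # ABS frame older than this is treated as missing


@dataclass
class Inputs:
    gear: str                    # 'P', 'R', 'N' or 'D'
    accel_pct: float             # accelerator pedal position, 0..100
    brake_pressed: bool
    motor_rpm: float             # from the motor encoder, always available
    abs_speed_kmh: Optional[float]  # None when no ABS frame has been received
    abs_msg_age_ms: int          # age of the newest ABS frame


def speed_from_motor(motor_rpm: float) -> float:
    """Road speed implied by the motor encoder for a fixed-ratio drivetrain."""
    return abs(motor_rpm) / MOTOR_RPM_PER_KMH


def resolve_speed(inp: Inputs) -> Tuple[str, float]:
    """Pick a trusted road speed and report the status of the ABS source.

    Returns (status, speed_kmh). Status is one of:
      OK             ABS and motor-derived speed agree
      ABS_MISSING    no ABS frame, or the last one is stale
      SPEED_MISMATCH ABS and motor disagree (wheels in the air, broken shaft,
                     or an ABS node that is stuck/spoofed but still sending)
    """
    motor_kmh = speed_from_motor(inp.motor_rpm)
    if inp.abs_speed_kmh is None or inp.abs_msg_age_ms > ABS_TIMEOUT_MS:
        return "ABS_MISSING", motor_kmh
    if abs(inp.abs_speed_kmh - motor_kmh) > MISMATCH_TOL_KMH:
        # Take the larger of the two so the conservative (faster) estimate wins.
        return "SPEED_MISMATCH", max(inp.abs_speed_kmh, motor_kmh)
    return "OK", inp.abs_speed_kmh


def creep_torque_request(inp: Inputs) -> Tuple[float, str]:
    """Torque (Nm) the creep function may request, plus the speed-source status.

    Creep is only allowed in a drive gear, with both pedals released, with a
    consistent speed source, and below the creep cutoff speed.
    """
    status, speed_kmh = resolve_speed(inp)
    if inp.gear not in ("D", "R"):          # never creep in Neutral or Park
        return 0.0, status
    if inp.brake_pressed or inp.accel_pct > 0:
        return 0.0, status
    if status != "OK":                      # do not creep on an untrusted speed
        return 0.0, status
    if speed_kmh >= CREEP_CUTOFF_KMH:
        return 0.0, status
    return CREEP_TORQUE_NM, status


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread's observations.
    cases = {
        "normal creep":        Inputs("D", 0, False, 300.0, 3.0, 10),
        "spoofed ABS 0 km/h":  Inputs("D", 0, False, 8000.0, 0.0, 10),
        "ABS unplugged":       Inputs("D", 0, False, 8000.0, None, 0),
        "neutral":             Inputs("N", 0, False, 2600.0, 26.0, 10),
        "above cutoff":        Inputs("D", 0, False, 2000.0, 20.0, 10),
    }
    for name, inp in cases.items():
        print(f"{name:20s} -> {creep_torque_request(inp)}")
```

The two tuning points are the mismatch tolerance and the ABS timeout: too tight and the check trips on legitimate disagreement (wheel slip, sensor noise), too loose and a stuck-but-still-sending ABS node passes as healthy, which is exactly the trade-off the reply above is pointing at.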