Looking for ports in a Tesla Model 3 #1
A few weeks ago I finally got the Model 3. It’s fun.
The battery temperature is an issue on the track which was expected. What I’m disappointed about is the lack of information that is shared with the user, for example voltage of each cell or battery temperature. I found a nice thread about accessing the CAN bus over at the Tesla Owner forum: https://teslaownersonline.com/threads/diagnostic-port-and-data-access.7502/
The vehicle CAN would be accessible with a reasonable amount of modification, you just need to remove some trim. However, just when I started to look into it, EVTV discovered that the information that I would be interested in was just removed with a recent Tesla update. Bummer.
Speaking of useful things, we uploaded this video last Saturday and on Wednesday night I was pleasured to receive the latest software update from Tesla for the Model 3. It features a whoopee cushion easter egg you access by pressing the Tesla symbol and once activated, you can cause a stunningly accurate fart noise to emit from the passenger seat by simply pressing the left steering wheel control button unobtrusively. The wife got in the car and we were soon in hysterics.
Unfortunately, it came at a price. The bastards deleted message 0X401 from the vehicle CAN bus ENTIRELY. It’s just no longer there. Gone. Saturday to Wednesday. These over the air updates allow you to do some marvelous things very quickly don’t they?
I like this guy. Anyway, while CAN sniffing would still be an option (there is more than the Vehicle CAN which most likely will contain the wanted information), why not… more?
ssh access everywhere
On a general note I don’t like having devices in my home network that can’t be accessed remotely, e.g. via SSH. This is not the case with the Model 3 connected to my WiFi. Well, not quite true: With your Tesla account you can access your car remotely, and retrieve some general information about the state of the car and you can do some controlling, like turning on the climate control. Let me give you some examples I wanna do with my car that aren’t possible with said API:
- Get more details of the battery state as mentioned above.
- Enable debug view of autopilot. Snoop around what it captures, i.e. I want to see the material that gets uploaded to the Tesla servers.
- Since a couple of updates there is an integrated dashcam feature and “Sentry mode” that captures video on an attached USB device. If I want to go through it, I’ve to unplug the USB drive from the car, bring it to my computer, browse/copy the videos and return it to the car. That’s cumbersome. Instead I want a nightly rsync job that copies the recordings to my NAS. You know, I could wait for a Tesla update, but I think it’s fair to assume that such a feature will never be shipped. There are other solutions to that problem, e.g. attach a RaspberryPi instead and let it do the work. But why? There is already a powerful computer in the car.
- Watch YouTube, Netflix etc. It isn’t possible with the browser shipped by Tesla, due to the lack of codecs/DRM.
- …
- PROFIT obviously.
Unfortunately you can’t just ssh into your car because of security blah. Of course I did some research upon the state of “jailbreaking” the car. Let me tell you the good news first: Tesla does a pretty good job to keep their cars secure from an InfoSec point of view.
At the same time this is bad news for me: All the low-hanging fruits are gone. Also a lot of stuff happens in secrecy as hobbyists are reluctant to share their findings in public, as they don’t want Tesla to fix it right away. I haven’t found the inner circle of those cool hax0rs yet.
Of course there are always ways to get into computers when you have physical access. I’m really bad with hardware so I didn’t want to go that route at first, you know, new car and stuff. Now, a couple weeks later I feel more comfortable ripping some stuff out of the car.
So I didn’t know where the MCU (media control unit) is located in the Model 3. I know where it’s located in the Model S: Right behind the touch screen. So I started to rip off the wooden dash:
Spoiler alert: That was unnecessary. It got more interesting on the passenger-side behind the glovebox:
Uh-oh, what’s that? Looks like an ethernet port. I had a cable around so I was like “I should plug that in there”. Unfortunately it was really hard to access, so I had to rip off some more trim:
Now it was somewhat easier to access. Also I could sneak in my phone for a slightly more informative view:
So there are two ethernet ports and one USB-C (?) port next to it on the lower board labeled with “Tegra debug”. Well, at this point I didn’t even know what I was looking at: I assumed that it must be the APU (autopilot unit), because that one is located behind the glovebox in the Model X (and I believe in the Model S as well). However, in the Model 3 both, the MCU and APU, are located together in a nice package behind the glovebox. Now I know that the board with the USB-C port is the APU. I managed to jerk the ethernet cable into the board of the MCU. Unfortunately I had to wrap up, so I didn’t attempt connecting a second ethernet cable and also no USB-C cable. Yet.
Obviously I don’t feel comfortable to get out the whole unit. I kinda need to keep the car in a working condition. But I found some nicer pictures of it from some guy selling it on eBay:
So what’s going on at this Ethernet port?
This is what it looks like on the passenger side:
I wired up a router and looked at what’s going on. Unfortunately I couldn’t even figure out the MAC address. Looks like a dead-end, and presumably it’s the same diagnostic port that needs some magic unlock sequence based on a secret that changes every 30 (?) seconds. Hopefully it will be useful at some point.
Next steps
I’ll try to get my hands on a used MCU/APU and poke around in a safer environment. I’m naive enough to hope that there is some unencrypted eMMC that allows me to dump the firmware. Another thought I’m having is “Tegra”: There is a well-known bug in the bootloader discovered and exploited by different Nintendo Switch hax0rs. Chances are that the APU does not ship yet with a fixed boot ROM.