Looking for ports in a Tesla Model 3 #1
Description
A few weeks ago I finally got the Model 3. It's fun. Watch the YouTube video 🙂
The battery temperature is an issue on the track which was expected. What I'm disappointed about is the lack of information that is shared with the user, for example voltage of each cell or battery temperature. I found a nice thread about accessing the CAN bus over at the Tesla Owner forum: https://teslaownersonline.com/threads/diagnostic-port-and-data-access.7502/
The vehicle CAN would be accessible with a reasonable amount of modification, you just need to remove some trim. However, just when I started to look into it, EVTV discovered that the information that I would be interested in was just removed with a recent Tesla update. Bummer.
Speaking of useful things, we uploaded this video last Saturday and on Wednesday night I was pleasured to receive the latest software update from Tesla for the Model 3. IT features a whoopi cushion easter egg you access by pressing the Tesla symbol and once activated, you can cause a stunningly accurate fart noise to emit from the passenger seat by simply pressing the left steering wheel control button unobtrusively. The wife got in the car and we were soon in hysterics.
Unfortunately, it came at a price. The bastards deleted message 0X401 from the vehicle CAN bus ENTIRELY. It’s just no longer there. Gone. Saturday to Wednesday. These over the air updates allow you to do some marvelous things very quickly don’t they?
I like this guy 😄 Anyway, while CAN sniffing would still be an option (there is more than the Vehicle CAN which most likely will contain the wanted information), why not... more?
ssh 👏 access 👏 everywhere 👏
On a general note I don't like having devices in my home network that can't be accessed remotely, e.g. via SSH. This is not the case with the Model 3 connected to my WiFi. Well, not quite true: With your Tesla account you can access your car remotely, and retrieve some general information about the state of the car and you can do some controlling, like turning on the climate control. Let me give you some examples I wanna do with my car that aren't possible with said API:
- Get more details of the battery state as mentioned above.
- Enable debug view of autopilot. Snoop around what it captures, i.e. I want to see the material that gets uploaded to the Tesla servers.
- Since a couple of updates there is an integrated dashcam feature and "Sentry mode" that captures video on an attached USB device. If I want to go through it, I've to unplug the USB drive from the car, bring it to my computer, browse/copy the videos and return it to the car. That's cumbersome. Instead I want a nightly
rsyncjob that copies the recordings to my NAS. You know, I could wait for a Tesla update, but I think it's fair to assume that such feature will never be shipped 😛 There are other solutions to that problem, e.g. attach a RaspberryPi instead and let it do the work. But why? There is already a powerful computer in the car. - Watch YouTube, Netflix etc. It isn't possible with the browser shipped by Tesla, due to the lack of codecs/DRM.
- ...
- PROFIT obviously.
Unfortunately you can't just ssh into your car because of security blah. Of course I did some research upon the state of "jailbreaking" the car [1] [2] [3] [4]. Let me tell you the good news first: Tesla does a pretty good job to keep their cars secure from an InfoSec point of view.
At the same time this is bad news for me: All the low-hanging fruits are gone. Also a lot of stuff happens in secrecy as hobbyist are reluctant to share their findings in public, as they don't want Tesla to fix it right away. I haven't found the inner circle of those cool hax0rs yet.
Of course there are always ways to get into computers when you have physical access. I'm really bad with hardware so I didn't want to go that route at first, you know, new car and stuff. Now, a couple weeks later I feel more comfortable ripping some stuff out of the car 😄
So I didn't know where the MCU (media control unit) is located in the Model 3. I know where it's located in the Model S: Right behind the touch screen. So I started to rip off the wooden dash:
Spoiler alert: That was unnecessary 😅 It got more interesting on the passenger-side behind the glovebox:
Uh-oh, what's that? Looks like an ethernet port. I had a cable around so I was like "I should plug that in there". Unfortunately it was really hard to access, so I had to rip off some more trim:
Now it was somewhat easier to access. Also I could sneak in my phone for slightly more informative view:
Obviously I don't feel comfortable to get out the whole unit. I kinda need to keep the car in a working condition. But I found some nicer pictures of it from some guy selling it on Ebay:
So what's going on at this Ethernet port?
This is how it looks like on the passenger side:
I wired up a router and looked what's going on. Unfortunately I couldn't even figure out the MAC address 🙁 Looks like a dead-end, and presumably it's the same diagnostic port that needs some magic unlock sequence based on a secret that changes every 30 (?) seconds. Hopefully it will be useful at some point.
Next steps
I'll try to get my hands on a used MCU/APU and poke around in a more safe environment. I'm naive enough to hope that there is some unencrypted eMMC that allows me to dump the firmware. Another thought I'm having is "Tegra": There is a well-known bug in the bootloader discovered and exploited by different Nintendo Switch hax0rs. Chances are that the APU does not ship yet with a fixed boot ROM.