TMC is an independent, primarily volunteer organization that relies on ad revenue to cover its operating costs. Please consider whitelisting TMC on your ad blocker and becoming a Supporting Member. For more info: Support TMC

Let the hacking begin... (Model S parts on the bench)

Discussion in 'Model S' started by wk057, Dec 14, 2015.

Tags:
  1. garygid

    garygid Member

    Joined:
    Aug 11, 2014
    Messages:
    620
    Location:
    Laguna Hills, Orange County, CA
    #101 garygid, Dec 17, 2015
    Last edited: Dec 17, 2015
    I wrote a program to capture CAN data, save in log files, and load logs for
    later examination. It allows one to easily graph data from bytes in the messages,
    in an attempt to understand the data. The program is called CAN-DO and is
    a work in progress (in Visual Basic), but a number of serious investigators
    worldwide have used it to examine their CAN data.

    We made a CAN capture card using the AVR-CAN board, passively listening
    to the LEAF's 500k CAN bus on the OBD connector. We wanted to find a value
    for "remaining fuel", which would be more helpful than the "tank fullness"
    data that was displayed in 12 coarse steps on the dash.

    We were successful, and we created an energy meter that was known as
    the SOC-Meter, but more accurately became known as the GID-Meter.
    Eventually it displayed Energy, SoC, pack Voltage, Amps, and Power,
    and tire pressures, all of which were not available on the LEAF's dashboard.

    We could use CAN-DO to investigate the Tesla data. See
    GaryG's CAN-Do Program Page for more info.

    If I had some Tesla logs, preferably in my 12-byte per message
    format, I could do some testing. The 1st 2 bytes contain
    second and millisecond, the next two are the msgid and
    data length, and then 8 data bytes.

    If you are interested, I will provide the exact format of the
    SS MS MM LM D1 ... D8 bytes.

    Oh well, ...

    The time stamp:
    MS is the low 8 bits of the 10-bit milliseconds (0 to 999 values),
    and the two low bits of SS are the two high bits of the milliseconds.
    The top 6 bits of SS are seconds (0 to 59) of the current minute.

    The LMMM two bytes is one nibble (L) for the data length (0 to 8)
    and the remaining 3 nibbles (MMM) for the hex MessageID (usually
    0 through 7FF hex values).

    I use MMM 800 to FFF and L > 8 for some special uses
    in the log file, like a date-time message at the zero second,
    zero millisecond point (so, once a minute, helpful, but optional).

    Merry Christmas to all, wishing for a miracle of communication,
    understanding, sharing, and peace worldwide. What is the
    alternative, just continued war, and perhaps extinction.
     
  2. garygid

    garygid Member

    Joined:
    Aug 11, 2014
    Messages:
    620
    Location:
    Laguna Hills, Orange County, CA
    If you wish to try CAN-DO, you are welcome to do so as long as
    you are willing to share your results with the rest of us.

    Download it along with a log file or two,
    and a Recipe file, which holds the decoding details for
    discovered or suspected one-byte or two-byte data.

    Sharing Recipe files allow others to easily graph data
    values that have been discovered.

    There are at least 6 sources of CAN type data in the Tesla.
    Perhaps someone can post pictures of their access points,
    give a link to compatible connectors, and specify the details
    of each pin in the connector?

    Also, a description of the type of data found on the connection,
    along with a list of MsgIDs and data byte locations (D1 - D8)
    that have been identified, or are suspected.

    If you can send me some logs, please Message me.
     
  3. smac

    smac Active Member

    Joined:
    Aug 4, 2013
    Messages:
    1,745
    Location:
    Nottinghamshire

    I'm all up for a project like this!

    Never done any CAN stuff, though I certainly have done reverse engineering of wire protocols, and more than happy to help with front end viewing or statistical analysis.
     
  4. wk057

    wk057 Senior Tinkerer

    Joined:
    Feb 23, 2014
    Messages:
    5,599
    Location:
    Hickory, NC, USA
    Game over.

    2015-12-18%2022.39.52-1920.jpg

    2015-12-18%2023.01.33-1920.jpg

    2015-12-18%2023.18.43-crop.jpg

    Please do not ask me how to do this just yet... while Tesla isn't patching my bench setup, I'm sure they'll patch cars in an OTA if I released how to do it publicly.
     
    • Like x 1
  5. Cyclone

    Cyclone Cyclonic Member ((.oO))

    Joined:
    Jan 12, 2015
    Messages:
    5,056
    Location:
    Charlotte, NC
    Sweet job wk! I knew it was only a matter of time before you got into the diagnostics system. I look forward to seeing what else you find in there.
     
  6. _TTT_

    _TTT_ Member

    Joined:
    May 19, 2015
    Messages:
    98
    Location:
    US
    Oh now THIS is awesome! Can't wait to see what you find in there....
     
  7. wk057

    wk057 Senior Tinkerer

    Joined:
    Feb 23, 2014
    Messages:
    5,599
    Location:
    Hickory, NC, USA
    Worth noting this is a dismantle-the-car exploit...... so not super useful for non-bench stuff. I'm not taking my car apart to do this on my own vehicles... lol. But I can play CAN data to my bench and let it decode it for me. :)
     
  8. HankLloydRight

    HankLloydRight No Roads

    Joined:
    Jan 18, 2014
    Messages:
    12,648
    Location:
    Connecticut
    Wow.

    "Achievement Unlocked!"
     
  9. Andyw2100

    Andyw2100 Well-Known Member

    Joined:
    Oct 22, 2014
    Messages:
    6,542
    Location:
    Ithaca, NY
    And I believe you made this discovery on the eve of the one-year anniversary of the date your car reached the service center. (I remember this because I briefly thought our P85Ds may have been on the same truck. They weren't, though they did reach their respective service centers on the same day--Friday, December 19, 2014.)

    Congratulations!
     
  10. islandbayy

    islandbayy Active Member

    Joined:
    Feb 25, 2013
    Messages:
    2,604
    Location:
    Greendale, Wisconsin
    You Sir, Have won the Internet.


    Just be aware, that Tesla does now have a fleet of vehicles that "Could" autonomously drive. You won't hear them knock, but they will silently sneak up and get you when your sleeping.

    - - - Updated - - -

    Would have been awesome if the battery was full to 100% and recorded the info before the accident. I'd like to see what Voltage Limit Tesla is putting on the cells (or in other words, what they call "FULL". Or on the other end of the spectrum, what they consider "Empty". Seems that pack was a bit out of balance before the pull.
     
  11. wk057

    wk057 Senior Tinkerer

    Joined:
    Feb 23, 2014
    Messages:
    5,599
    Location:
    Hickory, NC, USA
    Oh, I'm going to figure all of that out now. Only a matter of time. :)
     
  12. Andyw2100

    Andyw2100 Well-Known Member

    Joined:
    Oct 22, 2014
    Messages:
    6,542
    Location:
    Ithaca, NY
    I wonder if Tesla is going to regret backing out on their deal to sell you the new 90 pack and let you keep your 85. (Right or wrong, they're probably going to assume that if they had just gone through with the deal, you wouldn't have found this stuff to play with.)
     
  13. dirkhh

    dirkhh Middle-aged Member

    Joined:
    Jul 7, 2013
    Messages:
    3,638
    Location:
    Portland, OR, USA
    You, Sir, are doing amazing work.
     
  14. FlasherZ

    FlasherZ Sig Model S + Sig Model X + Model 3 Resv

    Joined:
    Jun 21, 2012
    Messages:
    7,024
    *pictures Jason locking himself in the test bench room and not emerging for ... at least a few days ...*
     
  15. mwulff

    mwulff Member

    Joined:
    Jan 15, 2015
    Messages:
    348
    Location:
    Danmark
    Awesome. That is some cool work right there. I think many owners would like to monitor our vehicles more closely and access to the diagnostic screen would be great to have.
     
  16. darthy001

    darthy001 Love my car, hope Tesla can get as great!

    Joined:
    Oct 29, 2012
    Messages:
    726
    Location:
    Bærum, Norway
    wow, I've been "fearing" that I already had a somewhat disturbing/geeky man-crush in the making towards you before this thread, but now there exists no doubt anymore. You are my new Tesla Sith Lord :love:

    The force is strong with this one!

    PS! Sorry for the maybe lame SW-references, but its way to easy these days with "The force awakens"-euphoria:)
     
  17. tom66

    tom66 Member

    Joined:
    Dec 17, 2013
    Messages:
    625
    Location:
    United Kingdom
    Yep...you win.
    Can you see a kWh figure anywhere showing remaining capacity?
    Maybe that "mythical" reset button for the range estimation that Tesla SCs will use when selling CPOs?
     
  18. kennybobby

    kennybobby Member

    Joined:
    Sep 14, 2014
    Messages:
    478
    Location:
    Heart o' Dixie
    i wonder what the yellow and green blocks indicate on the Cell voltage readings from the BMB's?
     
  19. msnow

    msnow Active Member

    Joined:
    Jul 14, 2015
    Messages:
    4,951
    Location:
    SoCal
    Congrats! This is some great stuff right here.
     
  20. ScepticMatt

    ScepticMatt Member

    Joined:
    Nov 5, 2014
    Messages:
    453
    Location:
    Austria
    Well done.

    "You must spread some Reputation around before giving it to wk057 again."
     

Share This Page

  • About Us

    Formed in 2006, Tesla Motors Club (TMC) was the first independent online Tesla community. Today it remains the largest and most dynamic community of Tesla enthusiasts. Learn more.
  • Do you value your experience at TMC? Consider becoming a Supporting Member of Tesla Motors Club. As a thank you for your contribution, you'll get nearly no ads in the Community and Groups sections. Additional perks are available depending on the level of contribution. Please visit the Account Upgrades page for more details.


    SUPPORT TMC