
Let the hacking begin... (Model S parts on the bench)

I've confirmed the wiring is correct, and I tried another device made by Kufatec that doesn't need the CANM8 to get the pulse signal; it also does not work on the MX. I think you are dead-on accurate that the devices I am trying that work on the S must not be reading the MX data correctly. Kufatec in Germany is super helpful and willing to reprogram their module with the data I provide (they don't have an MX to test), so I should probably get an analyzer. Do you have one you suggest? P.S. I know just enough to be dangerous!

If you know a little Python I would highly suggest the CANtact; it's about $60 and can be found at cantact.io. I also have scripts on GitHub that I wrote for logging. If you want something more plug-and-play (but a bit pricey), then the CANdue from EVTV works well and has a companion GUI app for logging and such.

Thanks. Probably the CANdue is more up my alley! I am waiting to hear back from the CANM8 people, as they seem to really know their stuff. The diagnostic LED on the device is telling me that it can't find the car ID, so it might simply be a programming issue. I'll know more this week. Thanks for all the help.
 
Reviving my thread here post-holidays.

I've rebuilt my little test setup. It's a little easier to work with now.

(Yes, the "Driver Assist" app icon is Lightning McQueen... lol)

I have the IC and CID Ethernet ports connected to a Raspberry Pi 2 that has some USB Ethernet controllers connected to it and bridged. This way I can watch and get in on that traffic easily.

I have the diagnostic ethernet port out to a cable that I have connected to a NIC on my dev PC. I can open and close this port from the shell on the CID if desired. I also dropped some security so that I can ssh in via WiFi now, and have the setup prevented from contacting the outside world.

Long story short, what I can do with the CID and IC once I'm on the CID/IC ethernet network is pretty much everything that the CID can do, as expected.

I worked on the camera interface a bit, but I haven't been able to get the display to show the cam input at all yet. I've ordered another camera to try some more with. For details, it appears that the camera is controlled by an FPGA in the CID unit that sits between the display and the main processor. It then overlays the camera feed, as directed, directly onto the display output. The video from the rear cam never goes through the OS of the CID. This would explain why Tesla can't utilize the rear camera video for anything related to driver assistance/autopilot. It will also make this particular goal of my project more difficult, since there isn't any code or anything I can look at and disassemble to make things easier.

I managed to unlock all of the "Apps" that are available in Developer and Diagnostic mode. The software makes it pretty tricky to enable the "VehicleConfig" app... presumably because this lets you change anything you want about the car. I'm actually unsure how this particular one is ever legitimately enabled. I changed my bench setup from a base S85 to a Signature Red P85D with every option. :p Things like enabling/disabling supercharging ability, the 40->60 pack setting, autopilot enabled, etc are all configurable here. Most of the settings are for whether hardware for the option is present or not, but some things are software-based when the hardware is there.

I'm sure Tesla knows what their VehicleConfig app can do, so, not like I'm doing anything crazy by posting about it.

Anyway, I'm focusing my efforts on trying to find a way into the system without dismantling parts of the car. Ideally I want to enable factory mode, which opens up the diagnostic port... and thus would let me get root on the CID and IC. Physical access to the car still needed. I might be able to carry my parrot exploit further and make a scarier exploit, but probably not. Looks pretty locked down. Additionally, I reported that vulnerability to Tesla and they're closing that particular hole. No sense leaving step one of a potential exploit chain open, even if it looks like it's pretty benign.

Secondary goal is to decode more CAN data and make a standalone parser program that interprets as much as possible. At least this way I can get lots of the diagnostic info available in the diagnostic screens without needing to modify the car at all. I think that's a worthy goal.

More to come...
Hello,
Can you tell me how you can modify or add squashfs partitions on /dev/mmcblk0p1 and ...blk0p2, mounted ro on /usr? As I understand it, those partitions are swapped.
I'm working with a Tesla on the bench too :)
How can I contact you?
 
Well that's a terrifying pairing if I've ever seen one..... I can't wait for them to buy an evil island together.

In all seriousness though, regarding the camera input. Have you two seen the device that claims to be able to hijack and inject different input sources to the touchscreen? For example, adding additional cameras and/or phone mirroring. Our impression in another thread was that since the front parking camera switch guys couldn't get that to work, then it wasn't possible.
 
About the camera I have no experience, because at the moment there are other things that come first.
I have access to the network using a token that I got from the NAND flash of the MCU, I can make configuration changes from the terminal to the GTW, and more, but I am not a Linux user, so I don't know how to do some things :). Now I want to modify the /usr files that are mounted from /dev/mmcblk0p1 or /dev/mmcblk0p2 (these are boot partitions and, as I understand it, swapped and compressed to squashfs).
 
Hi, to modify a squashfs filesystem, you need to copy all the files to a Linux machine, make the modifications then use mksquashfs to create a new squashfs file, which you can then use instead of the original file.

http://tldp.org/HOWTO/SquashFS-HOWTO/creatingandusing.html

Please be careful when transferring the files, because some Linux files have special attributes that don't always get transferred by all transfer methods.
I recommend using tar to transfer the files: tar zcpvf backup.tar.gz <files to backup>

Edit: working with squashfs in this way is quite time-consuming; if you can, it would be a lot faster to use a filesystem that you can read and write directly. So if you have an SD card, or perhaps a network file server that you can use, that would make it a lot faster to work on.
 
Something strange with squashfs:
On the Tesla, partitions 1 and 2 (mmcblk0p1 and mmcblk0p2) have the same directories and files, but if I load the raw partition I can't see anything, and I can't see any file in a hex editor. I can't find a squashfs file (xxxx.squashfs, an archived file). I tried to reformat the partitions to ext3 and extract the /usr files directly onto both partitions, and after a CID reboot (reboot now) it did not boot and was dead. I recovered it by directly programming the NAND flash over D0-D3, CLK, CMD, so maybe WK057 can help with that ;-)
Maybe someone can hint where the boot device config is.

regards Bacila
 

Something wrong with squashfs: I tried to reformat both the mmcblk0p1 and mmcblk0p2 partitions to ext3 and copy the /usr files I had backed up before to an archive on USB, and after (reboot now :)) the CID was dead. I recovered it by programming the Hynix eNAND, so maybe someone has experience with that. I believe WK knows; maybe he can put me on the right way.
Thanks
 
Can anyone explain? I tried to remount, but without success :(


root@cid-TESLAMODELS000001# mount -o remount -rw /dev/mmcblk0p1
mount: can't find /dev/mmcblk0p1 in /etc/fstab or /etc/mtab
root@cid-TESLAMODELS000001# mount -o remount -rw /dev/mmcblk0p2
root@cid-TESLAMODELS000001# mount
..
/dev/mmcblk0p2 on /usr type squashfs (rw,nodev)

root@cid-TESLAMODELS000001# chmod 777 /usr
chmod: changing permissions of `/usr': Read-only file system

root@cid-TESLAMODELS000001# mount
...
/dev/mmcblk0p2 on /usr type squashfs (rw,nodev)
root@cid-TESLAMODELS000001#

wtf ? squashfs
 
There is no way in hell that Navtool will work on a Tesla as they claim. As best I can tell it's generic hardware and even if you look at the claimed specs it won't work on a screen as large as Tesla's. Basically the claims are bull.
That was our general consensus in the other thread and we figured you of all people would know. One guy decided to buy one just for kicks and giggles so we'll see what happens..... It won't be good.
 
squashfs is compressed and all. I don't believe you can actually fit the current /usr directory into mmcblk0p1 or 2 in an uncompressed format (uncompressed > 1GB) like ext3. You'd have to make modifications and then replace the whole image.

Hi WK057, can you put me on the right way?
What I did and what I got:
Remount the USB stick read-write:
1. mount -o remount,rw /dev/sda1 (in my CID that is my USB stick)
2. I backed up mmcblk0p1 using dd if=/dev/mmcblk0p1 of=/disk/usb.xxx/backupblk0p1.img
3. I ran unsquashfs /..../backupblk0p1.img /tmp (with my Ubuntu on the PC) and got the directory
4. I ran chmod -R 777 /tmp (changed the mode, with subdirectories, for access to modify files)
5. Made my modifications
6. mksquashfs /usr and got a smaller image, 740 MB, not 1.1 GB; maybe that is the problem
7. Restored with dd if=/my new image of=/dev/mmcblk0p1
8. I repeated the same with mmcblk0p2
and the CID was dead :)
I read both partitions with an external MMC programmer, and they are not the same as what I put in from the terminal.
Can anyone help?
Thanks.
 
4. I ran chmod -R 777 /tmp (changed the mode, with subdirectories, for access to modify files)

That is not a really good thing to do. It would probably work, but now every file in every directory is executable and writable by everyone.

2. I backed up mmcblk0p1 using dd if=/dev/mmcblk0p1 of=/disk/usb.xxx/backupblk0p1.img
6. mksquashfs /usr and got a smaller image, 740 MB, not 1.1 GB; maybe that is the problem
The image is probably smaller than the partition that it is on; dd copies the whole partition, including the random junk that is after the squashfs image. So it is understandable that the recreated image that you made is smaller than the dd backup.

- Try unsquashfs-ing your new image on your Ubuntu PC and comparing that with the original.
- Start with really small changes, or even with no changes, in the new image.
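As an added example, not code from this thread, here is a small Python check for the point above that a dd backup is bigger than the rebuilt image: it reads the squashfs v4 superblock at offset 0 (the bytes 'hsqs' you would see in a hex editor), reports how much of a dd dump is real filesystem, and refuses an image that is truncated, unpadded or too large for the partition. The field layout follows the kernel's squashfs_super_block; the sample image is constructed and is not a real filesystem.

```python
import struct

SQUASHFS_MAGIC = 0x73717368  # the on-disk bytes read as b"hsqs" in a hex editor
# Kernel struct squashfs_super_block (v4): 5 x u32, 6 x u16, 8 x u64, little-endian
SUPERBLOCK_FMT = "<IIIIIHHHHHHQQQQQQQQ"
SUPERBLOCK_LEN = struct.calcsize(SUPERBLOCK_FMT)  # 96 bytes
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
PAD = 4096  # mksquashfs pads the image to a 4 KiB multiple unless -nopad is given


def parse_superblock(data: bytes) -> dict:
    """Decode the squashfs v4 superblock at offset 0 of a dd dump or a built image."""
    if len(data) < SUPERBLOCK_LEN:
        raise ValueError("image too short to hold a squashfs superblock")
    f = struct.unpack(SUPERBLOCK_FMT, data[:SUPERBLOCK_LEN])
    if f[0] != SQUASHFS_MAGIC:
        raise ValueError("no squashfs magic at offset 0 (expected bytes 'hsqs')")
    return {"inodes": f[1], "block_size": f[3], "fragments": f[4],
            "compressor": COMPRESSORS.get(f[5], "unknown"),
            "version": (f[9], f[10]), "bytes_used": f[12]}


def filesystem_extent(dump: bytes) -> int:
    """Bytes of real filesystem in a dd dump, rounded up to the 4 KiB pad."""
    # Everything past this offset is leftover partition content, which is why a
    # dd backup of the partition is larger than the image mksquashfs produces.
    used = parse_superblock(dump)["bytes_used"]
    return (used + PAD - 1) // PAD * PAD


def check_image(image: bytes, partition_size: int) -> list:
    """Return a list of problems; an empty list means the image is safe to dd."""
    try:
        sb = parse_superblock(image)
    except ValueError as err:
        return [str(err)]
    problems = []
    if sb["version"] != (4, 0):
        problems.append("unexpected squashfs version %d.%d" % sb["version"])
    if sb["bytes_used"] > len(image):
        problems.append("bytes_used exceeds image length (truncated copy?)")
    if len(image) > partition_size:
        problems.append("image larger than the target partition")
    if len(image) % PAD:
        problems.append("image is not a multiple of 4 KiB (built with -nopad?)")
    return problems


def make_sample_image(bytes_used: int, total: int, compressor: int = 1) -> bytes:
    """Constructed test input: a valid superblock plus zero filler, NOT a real filesystem."""
    sb = struct.pack(SUPERBLOCK_FMT, SQUASHFS_MAGIC, 10, 0, 131072, 0,
                     compressor, 17, 0, 1, 4, 0, 0, bytes_used, 0, 0, 0, 0, 0, 0)
    return sb + b"\0" * (total - len(sb))
```

Comparing dump[:filesystem_extent(dump)] against the rebuilt image, or running unsquashfs on both, is the comparison the reply suggests; this check only catches the size and padding mistakes before anything is written to the partition.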