
Let the hacking begin... (Model S parts on the bench)

Hey all,

I have been reading for some time and learned a lot from this board. So thank you everybody who is contributing!

I have been tinkering with a spare MCU for a few weeks already and I understand more and more each day, but one thing I still couldn't figure out is how to get specific clean firmware images. I mean, I read that some have them and I somewhere read about a mysterious archive that some people have access to.

Can we trick the MCU into downloading whichever firmware we need (to service other cars) from the Tesla server? Can somebody shed some light on this?

Greetings!
Jabbah
 
AFAIK, no. The cid sends a handshake to mothership and is given a current firmware download for that vehicle in diff or in full. Those who have had root for some time have been able to assemble an archive over time.
If you have a firmware on hand you can tell cid-updater to download and install it.
Public info on installing firmware images can be found here: Lunars/tesla, and at @rooter's wiki here: Upgrading the Firmware - Unofficial Tesla Tech.
 
Shot in the dark here, but any chance anyone has an updated PID for the brake pedal? Seems like 0x168 no longer comes across. Will be looking into other PIDs in the next few days to see if I can find it, just hoping to save some time.
 
Hey Dave. Thanks for the answer. So what do I do if I have a unit with a damaged firmware partition on the bench?

For example, I now have a unit that had 2020.16.2.1 e99c70fff409 last active according to the app. The eMMC is dead and I need to rebuild the two firmware partitions.

Is there any way I can download this particular firmware from the server to flash it to the new eMMC?

Or is there any source where I can get this firmware?
 
OK, I'm making quite some progress with the drive-unit controls, but guess what: the drive unit (DI) has an IMMOBILIZER.
If I'm correct, USA models didn't have it / not activated. What I observe is that the IMMO state is sensitive for some messages, so I'm poking in the right direction. Now the big question is which bytes does it need to get? How are they calculated?
I bought the DI with an official bill at a quality yard. I have the VIN of the donor car too.

Who can help me out with some info on European drive units? I feel that with a last bit of info I get it running.
Right now the situation is that it 'pops' out of gearrequest! But I think it's that IMMO state which needs to be disarmed.
Is that the correct state you all guys read in the DI?
 
Anyone have a set of the MCU1 screen legs for sale? Maybe you have a dead or cracked screen. I need the 6 legs and the 12 screws. Will pay.
 

@Krash
Yes you can probably buy a refurbished one, at about $1800, I never tried.
Just know that the unit is supposedly working, and I am guessing the SC, could make it work in your car for a fee.
Or if you're a tinkerer then on the work bench. Just saying.

@Trebek1762
Yes, I did not notice the version but if you could keep it at that, or root it to force it to stay pre batterygate, :)
 
Anyone of you can comment?
Just looking for some Model S, D version log files. Willing to compensate, if that would help?
 
I think the drive unit is crypto paired to the body control module. Can you get the BCM from the same donor car?

Nope, that's impossible.
What I do have is the version of the DU firmware. (When it boots it's the first thing it reports.)
It matches with the UDS's version memory location.

When the drive unit receives a 5A8 message it checks it. I have been told they are more firmware tight than anything else.
Would be cool if someone could look up the 8 bytes missing for this Tesla fan :)
 
Can you provide me with a bit more info?
Hello EV builder. I don’t have firsthand experience with this. I’ve heard it referenced I think on this forum and in Jack Rickard and Rich Benoit’s YouTube videos.

Jason Hughes (https://twitter.com/wk057, http://skie.net, https://hsrmotors.com) developed a motor controller but afaik he only sells it bundled with drive units he has tested and paired to the controller.

Damien Maguire (http://www.evbmw.com, https://www.youtube.com/c/Evbmw) designed and built open source LDU and SDU controllers. They are now available through the openinverter project. John Volk (https://instagram.com/tesla_bimmer, https://www.youtube.com/c/TeslaBimmer) used Damien’s motor controller in his conversion project.

I believe Damien went the route of a replacement logic board to bypass any current or future firmware restrictions Tesla put in place. Theory being that even if you figured out what was needed to get the drive unit in front of you going, Tesla could change the entire game with a firmware update down the line and all your hard work would not benefit anyone else.

If it is a cryptographic challenge and response, you'd theoretically need the BCM on the CAN bus every time you engage the DU. If you were to reverse engineer what the BCM is doing and share the details with the readers here, you would have an audience of grateful TMC members.
 