Let the hacking begin... (Model S parts on the bench)

[EV_Builder]

I pulled the two EEPROM contents on the BCM someone any directions to share how to modify them so it will spit out the long saught code . Else i will need a key programmed to it and i even have no clue how to manage that and if i send it that code if it then will spit out the code...

 

[EV_Builder]

If it is a cryptographic challenge and response, you'd theoretically need the BCM on the CAN bus every time you engage the DU. If you were to reverse engineer what the BCM is doing and share the details with the readers here, you would have an audience of grateful TMC members.

Well my findings upto now are that it isn't this. it's just one code 8 bytes which are indeed paired / teached.
Offcourse this could be software version dependent.
I know that my solution won't cut it for everyone and yes there are aftermarket controllers available but those controllers dont pass
EMC certificate testing and that's mandatory.

What you see is that the drive unit spits out :

0x276 8 02 00 00 00 00 00 00 00 (request for IMMO)
0x256 8 yy yy yy ay yy yy yy yy (a has IMMO state in it -- ((data[3] & 0x70) >> 4) --)
0x5A8 8 xx xx xx xx xx xx xx xx (answer coming from somewhere i guess BCM through gateway) with the code.
0x256 8 yy yy yy ay yy yy yy yy (a has IMMO state in it -- ((data[3] & 0x70) >> 4) --)

The code repeats each 10/100ms (not sure yet).

The 0x276 and 0x256 with immo locked are normally not / not always seen.

If some people feel to contribute i fear/think the code is VIN related.
But a nice start would be to compare 5A8's and atleast we learn if that one is unique.

Uptil now i know that over the years it stays the same for the same vehicle.
(but i only have one vehicle sample)

 

[wk057]

They're generated based on the BCM's internal certificate (from the factory) and paired with the DU at install. So, unique to the car, but nothing to do with the VIN per se.

I spent years developing hardware and software that allow the use of the Tesla drive units without any physical modifications to the drive unit. Also developed this process to work with any variation of Model S/X drive unit from day 1 to present, including the front versions.

The controller replacement setups are pretty terrible. I've tried every one of the ones I'm aware of on my test bench... I mean heck, one of them uses a hobbyist WiFi module for primary control... like seriously.

Anyway, getting full control over the units and refining that to the point where they can be used outside of a Tesla vehicle without hardware modifications has taken years to get perfect. Best of luck if that's the route you're going. Some hurdles are easier than others, but there's some doozies in there.

 

[EV_Builder]

Hi wk057,

I'm up to the point of almost victory so the last hurdle is the IMMO code.
With-out it won't engage gear, can you confirm that?

Of Course then i need to ditch dozens of errors etc. so i can get out LIMB mode.
I even don't know if that will be needed for just passing the MOT of the car.
After i have the license plate and paperwork done i still could swap to something else.

Since i have the BCM i will try to get it to the point to spit out my teached immo code.
I was lucky that they still had it, and un-lucky that it came without the keyfob...

Thank you, and everyone for the input, very much appreciated.

 

[wk057]

Unfortunately on the latest firmwares it won't enable any "gear" without the immobilizer satisfied.

The BCM won't unlock it without a key, either... and unfortunately it won't program a key without some other headaches (as in, getting other related modules in place for it to talk to), even if you can get someone who can do it.

After you get it in gear you've got about ~100 signals across dozens of messages to properly emulate in order for it to work correctly with no faults or alerts.

Best of luck.

 

[EV_Builder]

Thank u wk057 for your info much appreciated if i could i would have bought an controller, but the point is they don't comply with EMC (certified); so either i make this work or i wont get my EV on the road...

One question: on the SDU Board there is an EEPROM 24C32F have you read its contents?

 

[EV_Builder]

The BCM won't unlock it without a key, either... and unfortunately it won't program a key without some other headaches (as in, getting other related modules in place for it to talk to), even if you can get someone who can do it.

Wouldn't it be possible to use the EEPROM contents to my advantage?

Does anyone know if a BCM on the bench with no antenna's detects its keyfob? Will it work with just +VDC and GND?
(at close distance)?

 

[DaveBC]

If some people feel to contribute i fear/think the code is VIN related.
But a nice start would be to compare 5A8's and atleast we learn if that one is unique.

Hi @EV_Builder, do you have a running and driving Tesla as well as your DU for transplant?

What are you using to capture and analyze the CAN traffic? Do you know if it is possible to do with an OBDLink LX connected to PT CAN?

 

[EV_Builder]

Hi @EV_Builder, do you have a running and driving Tesla as well as your DU for transplant?

Nope else i already would have it fixed/running honestly its this difficult because i just bought a drive with matching BCM but no key and no car to grab known working recordings and with a working BCM you would have the password (or other replayable logs that should work). I hoped it would be enough to get this running but it looks/seems that the info i hoped to find is difficult to obtain.

I think you should be able to make logs with the OBDLink LX what i do see is that the poorer the device the less accurate the capture is.
So depending the quality of log you are looking for the more quality the CAN device needs to be (like often really).

 

[EV_Builder]

Progress!!! obtained IMMO Code, so that's solved

Now the next hurdle getting it to spin...someone has a model S D version canbus log and can share?
I need a big chunk of 0x108...

come on WK057 you know it...as a small present ...

 

[EV_Builder]

I think the drive unit is crypto paired to the body control module. Can you get the BCM from the same donor car?

You deserve some beers , thank u!
If you PM me a Crypto account, i will donate some beers to you

 

[EV_Builder]

OK next hurdle. Can someone help with 0x396? The bit definition?

I need to know: 1,6 and 12

Hope someone can contribute.

 

[JWardell]

OK next hurdle. Can someone help with 0x396? The bit definition?

I need to know: 1,6 and 12

Hope someone can contribute.

For S or 3?

 

[EV_Builder]

For S

Thank u! For a MODEL S

 

[EV_Builder]

Ok i got it running!

Very nice throttle response.

Offcourse still some signals to figure out to get out of limb-mode

Question: What is the max rpm / speed in limb-mode?

(i would like to know, but i don't have cooling and oil in the unit right now so don't fancy maxing it out right now..)

 

[gwxfer]

Why not use toolbox to pair immobilizer?

 

[EV_Builder]

Don't had access to it and couldn't get access to it only if paying big sums of money.

 

[Zeemo]

Hello All.

Jason, thank you for sharing all the information with us, it is very kind and helpful of you.

The IC and MCU seem to be a pair based on everything I've gathered. Firmwares would have to match and all. I'll see what else I can come up with on that front later.

I am trying to find a way to power up and make the Central screen to work on a bench without anything connecting the IC to it. I read in your very early posts that they are paired up so MCU wont come on unless the IC with at least similar firmware is connected to it. Did you manage to find a way around it? Thank you

 

[apacheguy]

@Zeemo - you should definitely be able to power on the MCU on your bench without the IC. I would check your cabling and try again. The other possibility is of course that the eMMC is dead on your MCU.

 

[Zeemo]

@Zeemo - you should definitely be able to power on the MCU on your bench without the IC. I would check your cabling and try again. The other possibility is of course that the eMMC is dead on your MCU.

I have connected the power on the black connector, I also had pins 5/15 connected to oscilloscope. I am looking for the screen to display something. I had it also connected to a working car but the screen was still black and I thought it stays dark due to some combability issue