The front louver flap actuators are also LIN bus too.
Right. I think that LIN bus is behind another CAN connected device, though, and not LIN directly to the MCU. I could be wrong though.
There are some that want as much of a direct (hard wired) connection as possible. BT, while great for most, can still add distortion.
Yeah, I think it would be pretty trivial to actually utilize the radio inputs to the MCU.... but getting to them would be the challenge that would probably make it not worth it for an aux port.
Any chance you've found a way to take an image of the OS / hard drive?
I fear the SSD is integrated into the board, but hoping it is something like an mSATA that can be removed and copied / imaged.
There are a couple of SD cards, but they don't contain anything too useful. (See below)
The one of those errors that intrigues me is:
The question of which maps are currently installed and whether an update has been received has long been a bit of a mystery; here we seem to have the maps missing altogether. Possibly they have simply become corrupt, or one of the SD cards has fallen out of the unit? Or maybe maps are stored in some third piece of hardware separate from the two screens?
The maps are generally on a 16GB microSD card. For some reason this 16GB card is damaged on this unit. It's showing up as a 32MB card when I try to read it and I can't get it to really do anything. I have a dump of the maps from another unit that I may try to put on a new SD card, but honestly... I don't think this setup will be navigating anywhere.
There is a second SD card that has the "carkeys" VPN keys and such, like the folks at DEF CON mentioned, but that's about the limit of it's usefulness. I don't plan on accessing Tesla's VPN with these credentials, even if they are still valid, since I feel that would be crossing a line here.
There is a 64MB flash chip on each of the IC and MCU that I have a dump of from an earlier unit (a while back, over the summer) where the two displays were already badly damaged in a salvage. They contain the root file systems of the two units in an obfuscated and compressed manner. Last night I actually finally figured out the encoding method on them and dumped those file systems (more on that later)... but unfortunately the bulk of the data seems to be somewhere else that I haven't located yet. The fs dumps I made reference the /usr /var and /home directories, which appear to be mounted from some other storage.
There doesn't appear to be any removable memory besides the two SD cards.
Now that I've nailed down how this flash dump is encoded, I think a potential last resort attack vector could be to modify one of these root fs flash chips directly (and painfully), probably on the MCU since it has a private key to ssh into the IC, to insert some nasties (like some poison /root/.ssh/authorized_keys and maybe a few other methods of gaining access after it boots up). I have confirmed that the MCU's private ssh key from the older unit I have a flash dump from is not the same as the ssh key on my bench setup, so that's good from a security perspective. The passwords in the two shadow files didn't crack after an overnight run either, so Tesla must have fixed that issue mentioned at DEF CON independent of firmware updates since my bench setup firmware predates that firmware fix. I didn't expect them to match up with my unit's passwords anyway, was just an exercise in good fun.
Let's see.
I've identified a few useful CAN frames for controlling some status outputs on the IC. So far just the speedometer readout, the power gauge, and the range meter.
I've also figured out, thanks to a tidbit in one of the flash dumps, how to change the panels displayed on the left and right of the IC via ethernet and http. I haven't tested this yet, but it looks pretty simple. Here's the line from a "factory reset" script in the flash dump:
Code:
curl -s -m 10 "http://ic:4130/setWindows?left=3&right=4"
Overall... making progress. Unfortunately I'm going to have to dial back my time on this project to tend to some other things, but should pick back up on it soon.