Reviving my thread here post-holidays.
I've rebuilt my little test setup. Little easier to work with now.
(Yes, the "Driver Assist" app icon is Lightning McQueen... lol)
I have the IC and CID ethernets connected to a Raspberry Pi 2 that has some USB ethernet controllers connected to it and bridged. This way I can watch and get in on that traffic easily.
I have the diagnostic ethernet port out to a cable that I have connected to a NIC on my dev PC. I can open and close this port from the shell on the CID if desired. I also dropped some security so that I can ssh in via WiFi now, and have the setup prevented from contacting the outside world.
Long story short, what I can do with the CID and IC once I'm on the CID/IC ethernet network is pretty much everything that the CID can do, as expected.
I worked on the camera interface a bit, but I haven't been able to get the display to show the cam input at all yet. I've ordered another camera to try some more with. For details, it appears that the camera is controlled by an FPGA in the CID unit that sits between the display and the main processor. Then it overlays the camera feed as directed directly to the display output. The video from the rear cam never goes through the OS of the CID. This would explain why Tesla can't utilize the rear camera video for anything related to driver assistance/autopilot. It will also make this particular goal of my project more difficult since there isn't any code or anything I can look at and disassemble to make things easier.
I managed to unlock all of the "Apps" that are available in Developer and Diagnostic mode. The software makes it pretty tricky to enable the "VehicleConfig" app... presumably because this lets you change anything you want about the car. I'm actually unsure how this particular one is ever legitimately enabled. I changed my bench setup from a base S85 to a Signature Red P85D with every option.
Things like enabling/disabling supercharging ability, the 40->60 pack setting, autopilot enabled, etc. are all configurable here. Most of the settings are for whether hardware for the option is present or not, but some things are software-based when the hardware is there.
I'm sure Tesla knows what their VehicleConfig app can do, so, not like I'm doing anything crazy by posting about it.
Anyway, I'm focusing my efforts on trying to find a way into the system without dismantling parts of the car. Ideally I want to enable factory mode, which opens up the diagnostic port... and thus would let me get root on the CID and IC. Physical access to the car still needed. I might be able to carry my parrot exploit further and make a scarier exploit, but probably not. Looks pretty locked down. Additionally, I reported that vulnerability to Tesla and they're closing that particular hole. No sense leaving step one of a potential exploit chain open, even if it looks like it's pretty benign.
Secondary goal is to decode more CAN data and make a standalone parser program that interprets as much as possible. At least this way I can get lots of the diagnostic info available in the diagnostic screens without needing to modify the car at all. I think that's a worthy goal.
More to come...