
Let the hacking begin... (Model S parts on the bench)

I worked on the camera interface a bit, but I haven't been able to get the display to show the cam input at all yet. I've ordered another camera to try some more with. For details, it appears that the camera is controlled by an FPGA in the CID unit that sits between the display and the main processor. It then overlays the camera feed as directed directly onto the display output. The video from the rear cam never goes through the OS of the CID. This would explain why Tesla can't utilize the rear camera video for anything related to driver assistance/autopilot. It will also make this particular goal of my project more difficult since there isn't any code or anything I can look at and disassemble to make things easier.

Do you have the time and/or resources to check if the FPGA code is protected?
 
Tesla has been great, actually, with the hacking efforts. I won't really go into detail on any of that without permission, however.

The Radio "app" just seems to be diagnostics for the AM/FM/XM tuners.



*shrugs* Just blocking the CID from connecting out to Tesla's VPN would probably be sufficient, which is pretty simple.

Google Maps and the streaming radio stuff don't go through Tesla. However, blocking the VPN would kill the Tesla mobile app. There is some mechanism for waking the car via 3G/LTE also... unsure exactly how that works.

I would guess SMS.
 
*shrugs* Just blocking the CID from connecting out to Tesla's VPN would probably be sufficient, which is pretty simple.

Google Maps and the streaming radio stuff don't go through Tesla. However, blocking the VPN would kill the Tesla mobile app. There is some mechanism for waking the car via 3G/LTE also... unsure exactly how that works.
That may or may not be an issue. With that level of access you may be able to build your own app, or maybe just find a way to lock down software changes (somehow write-protect important files, and deny any upgrades?)

In the end, I'm going to want full control of the device I own, but I'm not going to want to give up the daily convenience features to get it.
 
Do you have the time and/or resources to check if the FPGA code is protected?

I'm not sure. In my experience FPGA stuff is nearly impossible to reverse engineer anyway, so I'm probably not going to try. I'm actually reasonably certain I have the FPGA binary from an update file.

I would guess SMS.

My guess as well... just not sure exactly how that gets handled.

That may or may not be an issue. With that level of access you may be able to build your own app, or maybe just find a way to lock down software changes (somehow write-protect important files, and deny any upgrades?)

In the end, I'm going to want full control of the device I own, but I'm not going to want to give up the daily convenience features to get it.

I suppose you could allow it to connect to the VPN for the remote app, and just squash the updater, ssh access, etc. Locking out software updates would be simple. *shrugs*

Just would depend on what the actual goals are. I'm actually considering pretty much replacing the instrument cluster display software with something custom... as a down-the-road project. Would be pretty simple, overall. Just a matter of interpreting the flood of UDP messages (basically CAN messages) that come from the gateway and CID and displaying them in a useful fashion.

I'm still trying to determine the purpose of the body CAN connection that the IC has connected directly...
 
However, blocking the VPN would kill the Tesla mobile app. There is some mechanism for waking the car via 3G/LTE also... unsure exactly how that works.

My guess is when we get to the point of complete pwn3rship, the talent of people like you and the other tech types that gravitate to Tesla vehicles could probably come up with a pretty bad-ass replacement for it. With a LOT more functionality the masses probably would never care about.

As a former nuclear power plant operator, I'm very disappointed I can't see the coolant loops diagnostic screen as my normal display. Would make me... feel more at home in the car. :rolleyes:
 
... There is some mechanism for waking the car via 3G/LTE also... unsure exactly how that works.

Huh, really? I thought it was done all via SMS since the LTE drops out when the car sleeps.

Edit: Oops, already suggested up thread.

As a former nuclear power plant operator, I'm very disappointed I can't see the coolant loops diagnostic screen as my normal display. Would make me... feel more at home in the car.

Oh, hell yeah! I'd love to get access to the thermal screen.
 
My guess is when we get to the point of complete pwn3rship, the talent of people like you and the other tech types that gravitate to Tesla vehicles could probably come up with a pretty bad-ass replacement for it. With a LOT more functionality the masses probably would never care about.

As a former nuclear power plant operator, I'm very disappointed I can't see the coolant loops diagnostic screen as my normal display. Would make me... feel more at home in the car. :rolleyes:

Yeah, most of this stuff is pretty benign. If Tesla made a version of this diagnostic mode that was read only (as in, no buttons to push that actually do anything) I don't see what the harm would be... and it would satisfy most.

I'm going to go ahead and go through some of it and take some screenshots. Most of the fields are blank on my bench setup because the rest of the car is "MIA" (actually used in the error codes)... but at least it gives an idea of the type of data available. Some of it is completely broken on my setup, too... unless I play some real CAN logs into the CAN buses. Then stuff pops to life.

Plus there is the panel on the IC (in my photo above) that has a bunch of cool data that would be awesome to activate. Heck, I'd be happy with just that. :D
 
Since you now have an "in" it would be awesome if you could gently hint that read-only diagnostic access would essentially halt all desire to break into the software. I honestly can't imagine that there are blackhat hackers out there wanting to root the CID of the Model S. They've got much bigger targets in mind. I really think diagnostic access is a win-win.

Yeah, that widget on the IC is kinda cool. What data actually populates battery temp? I thought the battery had a total of like 16 sensors, so do they all get averaged when reported as pack temp or is one randomly selected?
 
My guess is when we get to the point of complete pwn3rship, the talent of people like you and the other tech types that gravitate to Tesla vehicles could probably come up with a pretty bad-ass replacement for it. With a LOT more functionality the masses probably would never care about.

As a former nuclear power plant operator, I'm very disappointed I can't see the coolant loops diagnostic screen as my normal display. Would make me... feel more at home in the car. :rolleyes:

I would really like to see cooling information as well as cooling fan speed and real-time kW usage from pack heater.
 
Since you now have an "in" it would be awesome if you could gently hint that read-only diagnostic access would essentially halt all desire to break into the software. I honestly can't imagine that there are blackhat hackers out there wanting to root the CID of the Model S. They've got much bigger targets in mind. I really think diagnostic access is a win-win.

I did talk briefly about a "geek mode." Seems there are, rightfully, things with higher priority.

Yeah, that widget on the IC is kinda cool. What data actually populates battery temp? I thought the battery had a total of like 16 sensors, so do they all get averaged when reported as pack temp or is one randomly selected?

I think the "Battery" one is an average of all of the sensors, and the "Batt Outlet" one is the sensor at the end of the cooling loop. Brick min and max are the lowest and highest individual cell group voltages from the whole pack. BMS is the full pack voltage. All of this gets populated when I play CAN recordings to the power train CAN of my bench setup.

I would really like to see cooling information as well as cooling fan speed and real-time kW usage from pack heater.

Me too. Lots of data here.

And here is the part where some people will get angry at me for some reason... (maybe because I'm using too much bandwidth? :p )

[23 CID diagnostic screenshots, taken 2016-01-06]


All shots were taken with the screenshot save program the car uses when sending bug reports and such... a few of them are somewhat sanitized to scrub potentially identifying info, obviously, and I added my little watermark.

The DOCS tab isn't interesting... just has some images of a few of the manual pages describing the under-hood fuses... nothing important. The APPS tab you see in my earlier photo.

The cool thing is, when I play back CAN data this info is updated in near real-time. This is how everything looks with just the CID and IC connected. I didn't get a shot of the BMS screen since it doesn't work until I play some CAN data and I didn't have that set back up yet.

The CAN tab is awesome. I mean, pretty much EVERYTHING the car does can be monitored from there. There are hundreds... perhaps thousands of variables that can be shown.

There is nothing really secret in these screenshots, so I really don't see any harm in posting them. Enjoy.
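As an added illustration of the two ideas in this post and the earlier one about a custom IC display (interpreting replayed CAN traffic, and deriving the widget fields: Battery = average of the temperature sensors, Brick min/max = lowest/highest cell-group voltage, BMS = full pack voltage), here is example code that is not from the thread's author or from Tesla. Only the candump log line format is real; the CAN IDs, byte layouts and sample frames are constructed placeholders.

```python
import re
from statistics import mean

# Constructed sample in SocketCAN candump log format "(ts) iface ID#HEXDATA".
# The IDs and payload layouts below are placeholders invented for this example.
SAMPLE_LOG = """\
(1452112684.001) can0 100#1A1B1C1D1E1F2021
(1452112684.002) can0 200#0F23
(1452112684.003) can0 300#0F230FB40E6A
(1452112684.004) can0 7FF#00
"""

LINE_RE = re.compile(
    r"\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)

TEMP_ID = 0x100    # hypothetical: eight int8 pack temperature sensors, deg C
PACK_ID = 0x200    # hypothetical: full pack voltage, u16 big-endian, 0.1 V units
BRICK_ID = 0x300   # hypothetical: cell-group (brick) voltages, u16 big-endian, mV

def parse_line(line):
    """Return (timestamp, interface, can_id, payload) or None if not a frame line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["iface"], int(m["id"], 16), bytes.fromhex(m["data"])

def u16_be_words(payload):
    """Split a payload into big-endian 16-bit words, dropping a trailing odd byte."""
    return [int.from_bytes(payload[i:i + 2], "big") for i in range(0, len(payload) - 1, 2)]

def decode_battery_widget(log_text):
    """Derive the IC widget fields from a replayed log: Battery = mean of all temp
    sensors, Brick min/max = lowest/highest brick voltage, BMS = full pack voltage.
    Frames with unknown IDs or too-short payloads are skipped rather than guessed."""
    fields = {}
    for line in log_text.splitlines():
        frame = parse_line(line)
        if frame is None:
            continue
        _, _, can_id, data = frame
        if can_id == TEMP_ID and data:
            temps = [int.from_bytes(data[i:i + 1], "big", signed=True) for i in range(len(data))]
            fields["battery_temp_c"] = mean(temps)
        elif can_id == PACK_ID and len(data) >= 2:
            fields["bms_volts"] = u16_be_words(data[:2])[0] / 10
        elif can_id == BRICK_ID and len(data) >= 2:
            bricks = [w / 1000 for w in u16_be_words(data)]
            fields["brick_min_v"] = min(bricks)
            fields["brick_max_v"] = max(bricks)
    return fields

if __name__ == "__main__":
    print(decode_battery_widget(SAMPLE_LOG))
```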
 
Amazing work, I'm really enjoying reading this thread ;)

I count 18 entries listed in the boot loader sections. Besides the obvious ones like BMS, have you identified what and where the different controllers/ECUs are and their functions?
That many different places to tinker with...
 
My guess as well... just not sure exactly how that gets handled.

Since the goal is power savings, my guess is the radio/cellular module has a signal line to the CID that changes state upon receiving an SMS to wake it up. This way only the radio module has to stay powered. "Always connected" keeps the CID powered and the VPN up, and energy savings OFF keeps everything powered.

Have you found a way to determine the car's mobile number? It would be interesting to test if the receipt of any SMS causes it to wake up, or only from a specific sender, or if the payload itself has an authenticator.
 
Since the goal is power savings, my guess is the radio/cellular module has a signal line to the CID that changes state upon receiving an SMS to wake it up. This way only the radio module has to stay powered. "Always connected" keeps the CID powered and the VPN up, and energy savings OFF keeps everything powered.

Have you found a way to determine the car's mobile number? It would be interesting to test if the receipt of any SMS causes it to wake up, or only from a specific sender, or if the payload itself has an authenticator.

Looks like the mobile number, IMEI, etc. are on the MCU screenshot but obfuscated.
 
Here's how it looked in my car:

[Screenshot: Data - MCU]