Let the hacking begin... (Model S parts on the bench)

@HankLloydRight @artsci

I'm shocked that no one has looked into the CAN2 body bus, it was the second thing I played around with after I got started with all this, the lower speed coupled with low message/sec count makes it pretty easy to figure out. Almost everything on the wish list is present on that bus. I think Danal was doing the electronics for the appliqué but if you want to put me in touch with whoever does the programming I will gladly help them integrate the CAN side of things, I also may have a lead on which trunk wires to tap into to get access to the CAN2 bus. Plus we only need to look at maybe 3 IDs on one bus so with hardware ID filtering an 8-bit micro should work fine.

Link to my CAN2 decodes Tesla Model S CAN IDs - CAN2 - Body.csv
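The "hardware ID filtering" idea above, as an added example that is not from the thread or any poster's code: deriving a single mask/filter pair of the kind used by common standalone CAN controllers (MCP2515-style acceptance logic) for a handful of 11-bit IDs, and counting how many unwanted IDs still slip past the hardware filter and must be rejected in software on the MCU. The three IDs are constructed placeholders, not decoded Tesla IDs.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the thread. The acceptance rule modelled here is
 * the usual one for standalone CAN controllers: a frame passes when every
 * ID bit with mask=1 equals the filter bit; mask=0 bits are "don't care". */

#define CAN_STD_ID_MASK 0x7FFu   /* 11-bit standard identifier */

int id_passes(uint16_t id, uint16_t mask, uint16_t filter) {
    return ((id ^ filter) & mask) == 0;
}

/* Tightest single mask/filter that accepts every ID in ids[]: any bit on
 * which the wanted IDs disagree has to be masked out. */
void compute_mask_filter(const uint16_t *ids, int n,
                         uint16_t *mask, uint16_t *filter) {
    uint16_t differ = 0;
    for (int i = 1; i < n; i++)
        differ |= (uint16_t)(ids[i] ^ ids[0]);
    *mask = (uint16_t)(~differ & CAN_STD_ID_MASK);
    *filter = (uint16_t)(ids[0] & *mask);
}

uint16_t derived_mask(const uint16_t *ids, int n) {
    uint16_t m, f;
    compute_mask_filter(ids, n, &m, &f);
    return m;
}

uint16_t derived_filter(const uint16_t *ids, int n) {
    uint16_t m, f;
    compute_mask_filter(ids, n, &m, &f);
    return f;
}

/* IDs across the whole 11-bit space that the hardware filter lets through
 * although they are not wanted: the MCU still has to check the ID itself. */
int count_leaked_ids(const uint16_t *ids, int n, uint16_t mask, uint16_t filter) {
    int leaked = 0;
    for (uint16_t id = 0; id <= CAN_STD_ID_MASK; id++) {
        if (!id_passes(id, mask, filter)) continue;
        int wanted = 0;
        for (int i = 0; i < n; i++)
            if (ids[i] == id) wanted = 1;
        if (!wanted) leaked++;
    }
    return leaked;
}

int main(void) {
    const uint16_t wanted[] = {0x118, 0x119, 0x11A};  /* constructed IDs */
    uint16_t mask, filter;
    compute_mask_filter(wanted, 3, &mask, &filter);
    printf("mask=0x%03X filter=0x%03X leaked=%d\n", mask, filter,
           count_leaked_ids(wanted, 3, mask, filter));
    return 0;
}
```

Three adjacent IDs share all but their low two bits, so the hardware filter also admits the fourth neighbour; the software check on the MCU catches that one frame, and everything else on the bus never reaches the micro.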

Awesome. Danal did the Arduino hardware and the onboard firmware for the Applique controller. He'd be the best one to figure out what's needed to take CAN bus inputs to filter and use as triggers. If he can't help out, I'm sure what he did was pretty straightforward -- although the programming for the Applique itself is pretty complex with the timing and colors. As a last resort, we could have a second Arduino to read the CAN bus and then trigger the +12v inputs to the Applique controller.

Actually... this was discussed back when the Applique controller was developed. See post #192 in the original thread. The concern was that tapping the CAN bus was "too intrusive" and would "raise the ire" of Tesla, possibly even voiding the warranties of vehicles where this was done. Please note, I am not the person who said any of that... there was a lot of discussion on the boards, and several 2+ hour phone calls between the principals where all but a few minutes of the call were discussing just exactly how we wanted to interface to the car. Intellectual property lawyers were consulted, and so forth. Furthermore, please remember it was a VERY different climate among owners and Tesla (the company) at that time... WK057 didn't have his bench setup, there were no threads about CAN on the forums, Tesla had recently shut down an owner for doing something on the Ethernet, and many other things.

That was then, this is now.

I am very open to going to the CAN bus for interfacing the applique. In fact, I'd strongly prefer the CAN bus. At this moment, I have not kept up with all the research that others have done, so let me ask a couple of questions:

1) Where is the "Can2" bus physically available toward the rear of the car?

2) Which bus does the Tire Pressure interface controller use? It happens to be the thing that we are picking 12V from right now, and that would certainly make it easy to get to a CAN bus...

3) I've looked at the "CAN2 Body.CSV" file. I see message 504, with various bit patterns for LT, RT, Brake, and so forth. Here is the absolutely key question: Do those messages appear in "real time" as the turn signals flash??? This is required to keep the "zip light" effect in sync.

I'm sure I'll have more questions, let's start with those three.


Thanks,

Danal (electronics and programming)
 

Yeah, now that you mention it, that does sound vaguely familiar, and I now remember the arguments against it.

But say we tap the CAN bus connector under the touchscreen and run one cable back to the controller, it would be very easy to open up the panel and disconnect the CAN connector and hide the other end before going in for any service. No taps, no problem, and the Applique could still work with just the mobile app.

Or even better (and more expensive) have a BT-LE connection between wherever the CAN tap is, and the Applique module, and then we can just pull the CAN sending unit before any service visit.
 

Let's find one in the back of the car. The current install instructions say to pick up 12V from "pin 8" of the liftgate control module, a RD-GY wire. This module is in the starboard side of the trunk area.

A little birdie just told me this same module's Pin 3, WT-BR, is CAN+ and Pin 13, BR, is CAN- for the body control can bus. I'm just not absolutely certain that the little birdie's nomenclature of "Body Control CAN Bus" is the same as CAN2 referenced in this forum. If it is, this will be trivially easy.

I will probably not be able to take my car apart and physically verify until about 3 days from now, if anyone wants to check in the meanwhile.
 

I too have a little "birdie", he gave me some more specific information, it looks as though everything you need is available in a spot that you are already tapping into. To answer your question, yes CAN2 is the body bus (which runs at 125kb/s).

Power Connector: molex_31372-1000
CAN2 Signal Connector: jae_mx34020sf1

CAN2+ = Pin3 BR/WH
CAN2- = Pin13 BR
12V Fused at 30A (cabin fuse box 2) = Pin8 RD/GY
GND = Pin7 BK
 
What are the chances of obtaining the male and female versions of the connector to build a tap cable that can be put in without having to physically tap any of the wires?

Pretty simple. Most of Tesla's connectors are pretty standard. I was actually going to suggest this until I saw you had already suggested it. :)

Also, it's worth noting, for the record, that tapping a line or anything like that can not legally void your warranty. You're quite literally allowed to do whatever modifications you want to your car. It is your car (unless you leased). If those modifications don't cause any problems, then there are not any legal warranty problems. The only time warranty issues come into play would be if your modification were the cause of damage/failure of a part that is under warranty. I think Tesla would be pretty hard pressed to prove that tapping a couple of lines and reading some CAN data would cause damage to something that is under warranty, especially if it were done with a male and female connector in front of a minor module like suggested.
 

Connectors? Dead easy. I already have the connectors for the under-panel CAN bus. I just need to look at the ones I'm thinking about on the Liftgate Controller.

- - - Updated - - -


Yeah, I actually pointed out the Magnuson-Moss warranty act back when this was all first discussed. The group consensus was still "don't", including that of a couple of IP attorneys who were also Tesla owners.

Anyway, that's all history. I've already ordered a couple of different CAN chip breakout boards for some experimentation. :) Since the module is likely to be interested in a very small subset of messages, I want to go cheap, yet still with something that can filter before events hit the MCU.

- - - Updated - - -

Yummy!

As mentioned, I have some chips on the way. Probably going to run something much "less" that you guys who are trying to read entire buses, maybe inject someday, etc. Keep it cheap, simple, and filtered, for the applique module.

The original is/was an Adafruit Trinket Pro. This is an Arduino clone, although the software was all developed in Atmel Studio (not the Arduino IDE) to make development and debugging easier on me. The main reason for the Trinket was the built in USB interface, that does NOT require an end-user to understand how to find a serial port. This is/was to allow much easier re-flashing, should that ever become necessary and/or optional upgrades.

I see I'm being my typical long winded self. Where I was headed: I'm not at all married to Arduino clones, or even Atmel processors, if CAN bus interface requires we go elsewhere. However, looking at the info so far, well, this all looks pretty darn straightforward, including modifying the existing firmware. In fact, I may (barely) have room to make it "universal" and "auto-sensing" on the existing platform. Maybe.
 

Yay! Go Danal!

Yeah, I think the landscape has changed a little bit. I think the previous fervor came from one or two users who had installed the Mobile-Eye unit, which did tap the CAN bus, but not to just read messages, but inject them as well (at least that was my understanding). That is a lot more invasive and cause of potential damage (and hence warranty issues) than just reading the CAN messages for triggers. As long as we're not injecting anything, and not impeding the network in any way, I don't think we would have an issue. Also, if the module is easily removed during service, there's even less risk.

On my two previous hardtop convertibles (MB SLK and BMW Z4 -- both now sold), I had installed a "SmartTop" controller, which did read and inject messages into the CAN and provide other convenience features related to raising and lowering the top. Since it changed the way the open/close buttons work, it included a "service" mode that disabled all features for when the car was to go in for service, so the dealers' computers wouldn't detect it, and the buttons would operate to OEM spec. Unless the service center popped open the remote areas where the units were installed, they'd never know it was there.
 
Oh, and until my "lesser" chips get here, I have a CANbusTriple in hand. I'll be tapping and sniffing soon. Maybe within the next few days.

- - - Updated - - -

I think the previous fervor came from one or two users who had installed the Mobile-Eye unit...

Most of it came from an individual, an attorney who had a very low serial number (don't remember if it was a signature or just after) who'd had to have several things flat out replaced. I seem to remember the whole charge port was replaced twice. Anyway, apparently the service center gave him more than a little grief about some factory parts that were shipped on later versions of the car, and "retro-fitted" to his car. Seemed a bit strange.

Anyway, all ancient history.

- - - Updated - - -


That's pretty cool!! I believe the Applique will be entirely passive, but if it isn't... well, there will certainly be a service mode!
 
Tesla can say anything they want, but they don't write the laws they have to follow.
We all know that Tesla is extremely hostile to anyone who wants to do ANY work whatsoever on their car, be it simple maintenance, or major retrofit. It WILL come back to haunt them once there's competition, but for now we just have to deal with it and point out (strongly) every time they step over their legal limits.
 
Whew, took me 3 days of reading this thread off and on to get through it all. Major props to everyone contributing as this was one thing I was really looking forward to finally happening on someone's car. I'm a bit surprised it took 3.5 years before the floodgates were opened on this subject. It reminds me of console hacking and there is a correlation with those that Tesla should learn from.

Excluding current generation consoles, because I honestly haven't kept up, all the consoles starting with the PS1 carried forward to the PS3/Wii/Xbox360 were hacked for similar reasons that you all are doing to your cars. To do things to it that you want to do, but not really trying to cross the obvious legal lines (pirating in the case of consoles). The interesting parallel is the PS3 vs all the others. Every other console has typically been hacked within 6-9 months of them being on the streets except the PS3 which lasted something like 2-3 years. Why? Because at first Sony allowed people to have their own Linux kernel and do pretty much what people wanted to do without pirating software. Sony patched out the kernel and didn't ship with it starting with the slim Model and what do you know within 6 months of that happening it was hacked.

I say this on the off chance that Tesla is reading this thread that you would do more for the security of the car if you just allowed people access to what they want, which is largely harmless things (modding their displays to show custom content, readouts of all the various network data, and putting custom visual mods on their cars). What did you actually end up with because people didn't have this? We have at least two people who have implanted malicious code on their own cars, with access to technically do things that would be illegal (e.g. enabling of disabled features not paid for... Although at least here on the forums I haven't seen that) and for what? So they can see what their power gauge is doing, or their battery readouts... Really Tesla? It is on the freaking screen if you have the password... Or otherwise available on the CAN. Instead, these people were so inclined they could sell off or otherwise profit from screwing the company over... Not that they would do that, or that I am at all suggesting they do that (I am an investor after all).

So in the end, and I think someone else said it as well, hopefully this pushes Tesla down the road of releasing this information on their own. Based on recent interviews it would appear that they are entertaining the whole screen mirroring idea for your phone through an in car app... All they need to do on top of that is give access to the dev/service screens in a read only mode. As others have stated this is already there... Just make it accessible.

In the meantime, carry on with what all you beautiful people are doing with your cars. If I hadn't just bought a new car in Dec. I might be more willing to tear apart my own dash and root the OS... So I am certainly looking forward to a jailbreak that requires minimal removal of dash pieces (and also the proper instructions on what to do after you have physical access that hopefully doesn't involve removing NAND or a pair of tweezers to short your memory blocks into leaking information, or some other obtrusive hack). I don't want to ruin my 100k car, I just want to have a little more freedom on the content those gorgeous displays can put out!!!
 
OK So I've pulled some logs and just had a quick mess through some stuff.

First thing was to have a poke around the lifetime stats. Some of it is quite interesting!

- Battery total miles is 13,708 miles, however my car only has 12,291 miles on the clock (weird!!)
- Lifetime discharge is at 6,539 kWh (vs. 6,977 kWh charged). This puts total Wh/mi at 530 Wh/mi vs my lifetime average on the display which is 350 Wh/mi.

Message ID 0x0382 has the following data: 4D 72 67 9D 76 0 70 24
Which if my code is right equates to my 60 having 59.8kWh of battery (So pretty much as advertised, unlike the 77kWh figure we've seen reported from the 85kWh packs ;) )
Interestingly all the remaining figures tally with 77-78% of the 59.8kWh figure which is what the dash was reading. Energy buffer seems set at 2.8kWh.

I did a 0-60 run, but it certainly won't be as impressive as the PxxD cars ;) Will look to pull the graph up later.
 

I'm curious to know if the battery total miles are the amount above rated Wh/mile. In other words, if you drive above EPA rated, does Tesla have an algorithm that says this battery has been treated "harder" than EPA rated range?

Also, is lifetime discharge not including regen put into the battery while driving?

Lastly, is the total Wh/mi at 530 also without regen thrown in to make it 350 Wh/mi?
 

All good questions, and I was wondering the same things. (esp. the whole issue of regen being the discrepancy).

I guess at least in part this is why Tesla are less than keen on showing some of these figures, it potentially opens up a barrage of questions from owners.
 
Keep in mind that the battery total charge and discharge includes regen. So while the dash Wh/mi numbers will show the net result after regen, the battery total numbers do not. For example, if you start at a stop, accelerate until you utilize 1 kWh, then regen to a stop, both the charge and discharge lifetime values will increase accordingly, while your dash will show the net of discharge minus regen. The lifetime counters only count up, never down.

Additionally, the BMS appears to keep track of its mileage on its own based on messages from the rear drive unit for speed. Mine is actually pretty accurate compared to the dash (+/- 1%), so unsure why yours is so far off. Wonder if your battery was in fact partly used. That'd be interesting.

Seeing a 60 pack report a full capacity at 59.8 kWh and the 85 kWh packs reporting ~77 kWh does kind of make me a bit angry, admittedly, and fits my original predictions/assumptions from earlier almost exactly.
 

Me too. The real world range and performance reports also support this fact: the difference between the "85" vs "60" battery is quite a bit less than 85/60=1.42 would suggest. More like 77/59.8=1.29. Worth the $$$? It's a subjective choice but one easier to make correctly if we were given fair and correct info (just like the 691 hp and what-not).