
My adventures in gaining control of my car

Endurance?? You do realize that EVs have limited range capabilities? At track-like speeds you'd spend more time charging than driving. Have you really thought this idea through?

Well kinda yes we did. It's sort of a nerdy Tortoise vs. Hare race and dependent on battery capacity, vehicle weight (stripped down) and driving skill. Sure you could go really fast and flat out or you could crawl and make use of the track to regen et al. The key thing here is to have more detailed data at the instrument cluster so you could win by using the electrons wisely. We have access to a private track so we are free to make/use any mods we deem geeky :) without endangering the public at large.

We got the idea from the Tesla drivers who are pushing their street legal cars beyond published range capabilities.

Thanks for the reply.
 
Hi guys, really interesting topic, thank you @green1 for the technical info.

I wish I had read this 6 months ago when I started playing with a Raspberry Pi on the Model S LAN myself. Instead, I took the hard way: I purchased a broken CID and got the flash image out of it. Then I found interesting scripts there, very well documented, and many of them (written in Perl and bash) ready to be copied, edited a little and run on the Pi. Also, the URL format for setting and reading variables was clearly written there.

This is great because even without root access, anyone who knows a little bash and is familiar with Linux can locally control anything on the car through the Raspberry Pi Wi-Fi, without depending on Tesla servers and VPN. I am able, for example, to start the car and drive it without the key by setting the value of a single variable, without even root access. I tested this by first unlocking the doors with the key; I still have to figure out how to wake up the gw and CID and then unlock the doors, but I guess it shouldn't be so difficult. It was mentioned that the wake-up signal comes by SMS, then there should be a hardware signal, like an interrupt pin, which goes from the modem to the CID. If anybody has figured this out, please confirm.

I totally agree with @green1 that the owner should be able to do whatever he wants with his car. It is about the right of ownership, but also about privacy. I was shocked when I saw how easily any data from this car is remotely accessible to Tesla, including the page currently being browsed, history, the currently playing song, and all GPS-related data. The owner has no control over or information about this.

The first thing I did when I got this car was to route all internet traffic through the Raspberry Pi and drop all traffic on the ports used for the Tesla VPN. Now I am on the way to replacing all the functionality of the Tesla app with a local Raspberry Pi web page.

@green1, keep posting updates, especially if you find a way to root the CID without messing with BGA flash memory chips. I don't expect a tutorial, but small clues for people who know what they are doing, as you previously posted.

Have a wonderful Christmas, guys!
 
Hats off to @green1, who has put up with the ninnies like I never could.

[Attached images: 1.jpg, 2.jpg, 3.jpg]

PS - Where there's a plug, there's always a jack.
 
Notice that I put up the jack for the ICU first. The diag port is just a more convenient and cleaner way to jack in, once cleared of its hurdles.

The HSD jacks and plugs are in 3 other places in the car. Fab a cable from a spare to an RJ45 for the switch. I have in mind buying this switch since, although it is larger than others, it also has 2 PoE ports which can power tiny fore and aft IP dashcams. (!) (My front $800 dashcam was stolen recently -- no, it was far better than the popular BlackVue)

Implicitly though, your question is: has the diag jack been compromised? Not by me, but with a dd dump and some examination, it can be with slight alterations to the firmware. Same goes for the VPN. One person has set to allow VPN traffic to both Tesla and himself, and Tesla is none the wiser, although his way is remotely run.

I don't yet know the details of Tesla's particular VPN nor VLAN(s), but --
eh, belay that. We can discuss it offline.

Personally, I have just never liked RPi. It seems ragged and basic to me (1.5 amps?!), but again that is my opinion. American Hate will come what will. My preference is Arduino, although, time is limited for all of us.
 
Thanks, guys, and especially @green1! This has been a very interesting read, although I am not sure I dare venture into this myself.

For making it hard for Tesla to detect that you have changed some values, would it be possible to use a squid proxy server in the Pi, and perform content rewrites, in order to replace the values you have changed with values that are "Tesla-approved"? Using a proxy server could be forced through changing the default route on the CID (assuming you have achieved root). This way, when a new image is downloaded, you could possibly open it up, and change stuff in the image file system before passing it on to the CID, so that your modifications can be kept.
 
Firmware packages are signed with a private key. The cid-updater checks if the package is valid before performing the update.
 
Yes, of course. I would expect as much. However, if you gain control of the OS, you could probably either bypass that, or write your own cid-updater implementation. My impression is that (at least for now), the downloaded image itself is not encrypted in any way, based on reports of people looking through the image (for instance when @wk057 discovered the P100D badge in firmware long before the 100 battery was available).

When updating an image, the "updater" application normally just puts the image's filesystem in the right place, and points the bootloader to boot it. From there on, the rest is normally done by init-scripts in the image, although some updaters do actually create the init-scripts (but that would be ineffective, so I don't expect it to be the case here.)

So, a worst-case scenario here would be to see what the cid-updater actually does, and replicate that through a script. But of course, I am only at a theoretical level here. I have no working experience with the Tesla image, nor the guts to start playing with this on my ~$90.000 car, which is still on warranty :)
 
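The signature check discussed in the posts above, as an added example (not code from the thread or from Tesla): Ed25519 and the bundle layout are assumptions, since the thread does not say which algorithm or format cid-updater uses. It shows why an image edited on a proxy, with or without re-signing, is refused by an updater that pins the vendor's public key; the check is only as trustworthy as the updater binary and pinned key themselves, which is the point the reply raises.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a hypothetical update bundle (not Tesla's real format):
// an image plus a detached signature over the image's SHA-256 digest.
type Package struct {
	Image, Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify")

// Sign is the vendor side; it needs the private key.
func Sign(priv ed25519.PrivateKey, image []byte) Package {
	digest := sha256.Sum256(image)
	return Package{Image: image, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify is the updater side. It holds only the pinned public key and
// refuses any image whose digest is not covered by the signature.
func Verify(pinned ed25519.PublicKey, p Package) error {
	digest := sha256.Sum256(p.Image)
	if len(p.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(pinned, digest[:], p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo checks three constructed packages: untouched, image edited in
// transit, and edited then re-signed with a key other than the vendor's.
func Demo() (untouched, edited, resigned error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // nil: crypto/rand
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	pkg := Sign(vendorPriv, []byte("constructed sample image, build A"))
	modified := []byte("constructed sample image, build A + local change")
	return Verify(vendorPub, pkg),
		Verify(vendorPub, Package{Image: modified, Signature: pkg.Signature}),
		Verify(vendorPub, Sign(otherPriv, modified))
}

func main() {
	fmt.Println(Demo())
}
```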
Green1 and wk057,

I don't understand how people don't get it. Thank you for your contributions to this forum. I have been lurking for years, but now that I finally have a Tesla I'm ready to mod! Disappointed with how this community reacts to people like us.

Is there any other place for hardcore Tesla enthusiasts that understand how things actually work?

Thanks!
 
There will be demand later though as people realize they have a worthless paperweight because of something really silly, but they don't have the funds to pay Tesla for an easy fix. To fix the Tesla you really have to have the ability to load firmware onto it. You also need to know how to diagnose things.

Or Tesla refuses to fix it at any price, which is where we are several years after this post.

My thanks, retroactively, to Green and Ingineer and others I don’t know, for blazing this path for the rest of us.
 