TMC is an independent, primarily volunteer organization that relies on ad revenue to cover its operating costs. Please consider whitelisting TMC on your ad blocker or making a Paypal contribution here: paypal.me/SupportTMC

Successful connection on the Model S internal Ethernet network

Discussion in 'Model S: User Interface' started by nlc, Mar 2, 2014.

  1. nlc

    nlc Member

    Joined:
    Jul 1, 2013
    Messages:
    652
    Location:
    Nantes, France
    Almost everyone knows that there is a white 4 pin connector on the left of the dashboard :smile:

    Today I susscefully connected to this connector, with a 2 row 4 contact male header (2mm pitch)

    20140302_174732.jpg

    The ethernet network of the car contains 3 peripherals :
    - The center console, IP Address 192.168.90.100
    - The dashboard/navigation screen, IP Address 192.168.90.101
    - An unknown peripheral, IP Address 192.168.90.102

    These 3 peripheral send of lot of data in broadcast UDP, to 192.168.90.255 broadcat address. Different UDP ports are used depending of data type.

    In fact they use the same principle a CAN bus use :

    - Everyone send data on the network
    - Anyone who need it listen for this data.

    The data shared on the netword seem to be in clear. I can see a Ascii header which define the type of the frame. Some data are in binary format thus it will need some reverse engineering to understand the data.

    I also tested the openeds ports of the 3 peripherals :

    - Central console :

    PORT STATE SERVICE
    22/tcp open ssh
    53/tcp open domain
    80/tcp open http
    111/tcp open rpcbind
    2049/tcp open nfs
    6000/tcp open X11
    MAC Address: FA:9E:70:EA:xx:xx (Unknown)

    - Dashboard screen :

    PORT STATE SERVICE
    22/tcp open ssh
    111/tcp open rpcbind
    6000/tcp open X11
    MAC Address: 36:C4:1F:2A:xx:xx (Unknown)

    - Unknown device :

    PORT STATE SERVICE
    23/tcp open telnet
    1050/tcp open java-or-OTGfileshare
    MAC Address: 00:00:A7:01:xx:xx (Network Computing Devices)
     
  2. araxara

    araxara S-P85#3,218 X-90D#3,299

    Joined:
    May 11, 2012
    Messages:
    650
    Location:
    Tucson, AZ
    Thank you so much for doing this. I was wondering what the exact pinouts are for the pin-header? Since most ethernet chips these days are auto-mdix, I suppose that it doesn't matter which is RX or TX and I noticed you wired it using the standard green-white/green & orange-white/orange, so I think this is easy to duplicate.
     
  3. dave

    dave Member

    Joined:
    Sep 21, 2012
    Messages:
    451
    Location:
    Greater Cincinnati
    And thus it begins... network access and open ports means someone is going to hack in there eventually...
     
  4. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    5,092
    Location:
    Connecticut
    And brick their car. Should be fun to watch.
     
  5. howardc64

    howardc64 Member

    Joined:
    Oct 19, 2013
    Messages:
    108
    Location:
    Seattle
    SC tech told me the ethernet port is the Model S's diagnostic port like OBDII for other cars. Also told me diagnostic equipment/manuals will be eventually available for purchase by law to support independent repair shops. I've seen many copies of factory diag equipment+software for other cars I've owned (Volvo, Toyota, VW), would be great to have a Tesla diag tool :) Given the high percentage of tech tinkerers that owns Tesla, we might develop our own tool :) The VW tool (very capable and complete) I have is built completely aftermarket by a diag tool enthusiast.
     
  6. tom66

    tom66 Member

    Joined:
    Dec 17, 2013
    Messages:
    622
    Location:
    United Kingdom
    Open SSH? Does that mean you can ssh into the centre console? That is a pretty good point to start. Username: elonmusk1, Password: tesla1 ;)

    Note: if Tesla have any brain cells to rub together (and they sure have shown a large number so far) they will have made the flash on the consoles squashfs or similar, with a bootloader and fail over partition. This would reinitialise any body modules which have had firmware updates fail. Which would essentially make the car unbrickable. This is so if a software update gets interrupted (dead 12V is a good one) the car will not require service. The major boot partitions will be read only to the userlevel. I've also heard from someone who has had a look that they statically link all linux modules so that the only way to update the configuration is to replace it all at once.

    However, there's a chance they haven't done this, so until it's know for sure, tread carefully!
     
  7. nlc

    nlc Member

    Joined:
    Jul 1, 2013
    Messages:
    652
    Location:
    Nantes, France
    #7 nlc, Mar 2, 2014
    Last edited: Mar 2, 2014
    For now what I just want to do is extract useful data from this port. I was looking for the CAN bus but everything seem to be here so it's great this connector is easy to access.
    For example I want the exact power value, and I seen a frame called PowerStatus, I think it will contains what I am looking for.
     
  8. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    5,092
    Location:
    Connecticut
    Voiding my iPhone warranty by jailbreaking -- not to concerned.

    Voiding my Model S warranty by jailbreaking -- very concerned.

    But the idea of third-party apps on the console -- sounds awesome.
     
  9. apacheguy

    apacheguy Sig 255, VIN 320

    Joined:
    Oct 21, 2012
    Messages:
    3,359
    Location:
    So Cal
    The unknown 3rd device is likely the gateway that controls access to the drivetrain components. I bet if you change the suspension height from the 17" then you will see network packets flying between those two devices.

    Regarding hacking, I don't see much risk of bricking the car. The infotainment systems are firewalled against the drivetrain components likely by that third device. It would be very difficult to brick a Model S through hacking.
     
  10. tom66

    tom66 Member

    Joined:
    Dec 17, 2013
    Messages:
    622
    Location:
    United Kingdom
    Perhaps you could retrieve that so-wanted kWh of battery capacity remaining for all of the folks in the "decreasing rated range" topic. And individual cell voltages, to see if they are balanced properly...
    (This information is all available from the console in service mode, but the access to that has since been removed.)

    Wonder what the port 80 open is - web interface to some diag stuff?
     
  11. nlc

    nlc Member

    Joined:
    Jul 1, 2013
    Messages:
    652
    Location:
    Nantes, France
    Yes a web server is running, but serves only one file : the image of the radio or media currently played.

    - - - Updated - - -

    Very concerned too. But I only connected to ethernet diagnostic port, and will only read data on this port, will never try to do more, it will not void my warranty
     
  12. tom66

    tom66 Member

    Joined:
    Dec 17, 2013
    Messages:
    622
    Location:
    United Kingdom
    Ah - I suppose that's how the dashboard console gets what media is currently playing then :). Kinda unexciting but it makes sense if you have to send some large amount of data like an image. I'd expect there's some API for volume controls/track/etc unless the centre console handles that all and the dashboard is a "slave" as such.
     
  13. nlc

    nlc Member

    Joined:
    Jul 1, 2013
    Messages:
    652
    Location:
    Nantes, France
    Don't know for kWh of battery, but for cell voltages I am pretty sure they are not here from what I seen in the data frames.
     
  14. tom66

    tom66 Member

    Joined:
    Dec 17, 2013
    Messages:
    622
    Location:
    United Kingdom
    Hmm - maybe you have to request the packet, for example by entering the charge status screen? I thought though that the consoles only ever listened to data, they cannot send it, but that doesn't make sense, since then you could not control things like suspension and creep mode.
     
  15. markb1

    markb1 Active Member

    Joined:
    Feb 17, 2012
    Messages:
    2,305
    Location:
    San Diego, CA
    Hmm.. I wonder how easily this could be used to display stuff on the 17" display. This could make for some awesome third party accessory integration, such as parking sensors or front camera.
     
  16. nlc

    nlc Member

    Joined:
    Jul 1, 2013
    Messages:
    652
    Location:
    Nantes, France
    You are probably right for the 3rd device. The open telnet port can be to send instruction and read value from the drivetrain components. When I was connected, just see 2 different frame sent from this device. A very high rate frame (~1000Hz) with data len between 5 and 12 byte, and a 1412 byte frame at approx. 5Hz.

    - - - Updated - - -

    Cell voltage comes from BMS, I think these data comes from CAN bus
     
  17. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    5,092
    Location:
    Connecticut
    Oh, I know... but it won't be long until other people start peeking and poking around to see what settings they can change or if they can load third party apps, etc into the console system. Not that TSLA engineers don't know what they're doing, but I suspect they've spent a lot less time into system security than Apple has put into their iOS over the last 7 years (since the iPhone was launched) and people can *still* hack into those devices.
     
  18. fmezz

    fmezz Member

    Joined:
    Jul 15, 2013
    Messages:
    6
    Location:
    Los Angeles
    I had tried this a year ago and when I connected the car went into some diagnostic mode, also could not see any traffic. Sounds like things have changed. Sorry for the list of questions but -- When you connected, what bit rate were you connected at 10/100/1 gig? Did you have to do anything else to start seeing this traffic? When connected did the main display display anything different? What IP address if any did you assign yourself.
     
  19. nlc

    nlc Member

    Joined:
    Jul 1, 2013
    Messages:
    652
    Location:
    Nantes, France
    #19 nlc, Mar 2, 2014
    Last edited: Mar 2, 2014
    Curious because it seems that's the only way of communication between central consol and dash board console.

    Mar 2 16:51:56 localhost klogd: sky2 eth0: Link is up at 100 Mbps, full duplex, flow control both
    Mar 2 16:51:56 localhost klogd: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready


    Nothing specific, message I seen are broadcast message for data exchange between the 3 embedded ethernet peripheral

    Edit : display has not changed because I just connected to ethernet. I assigned 192.168.90.1 to my computer

    - - - Updated - - -

    Now I need to write a UDP client software to receive data frame and begin the content analyzing
     
  20. Plug Me In

    Plug Me In Member

    Joined:
    Nov 29, 2012
    Messages:
    580
    Location:
    Central Virginia
    Wow, I would have about the same level of comprehension for this thread if it were in Finnish.
     

Share This Page