TMC is an independent, primarily volunteer organization that relies on ad revenue to cover its operating costs. Please consider whitelisting TMC on your ad blocker and becoming a Supporting Member. For more info: Support TMC

Successful connection on the Model S internal Ethernet network

Discussion in 'Model S: User Interface' started by nlc, Mar 2, 2014.

  1. rdrcrmatt

    rdrcrmatt Member

    Joined:
    Jun 27, 2013
    Messages:
    598
    Location:
    Milwaukee
    sorry if this was already mentioned, I read this thread over two days.

    regarding the NFS stuff.. try showmount -e <ip address> using the IP of the system that has the NFS port open.

    (so long as you're on a linux / mac / whatever that has everything running that is needed to mount NFS file systems)
     
  2. neroden

    neroden Model S Owner and Frustrated Tesla Fan

    Joined:
    Apr 25, 2011
    Messages:
    14,676
    Location:
    Ithaca, NY, USA
    Congratulations on getting this far.

    If you find some evidence of what (third party) software they're running, I'd like to know. I'm expecting to see a copy of Busybox.

    Frankly I think we might be able to figure out some of the vampire power drain problems if we understand what Tesla's using.
     
  3. widodh

    widodh Model S 85 and 100D

    Joined:
    Jan 23, 2011
    Messages:
    6,732
    Location:
    Venlo, NL
    So I just connected to my Model S and I can see the same as nlc found. The connection is 100Mbit and I used the B schematic for my own cable.

    NFS
    I ran a 'showmount -e' against 192.168.90.100 and there is one NFS mount: /opt/navigon

    Mounting it was no problem. I chose 192.168.90.254 as my IP-address.

    A simple "ls -al" in the NFS mount:

    The VERSION file contained some information which might be interesting:

    So Yzadik build this navigation ext3 filesystem for the EU about 1 year ago :)

    It's probably a loopback device on the center screen, but I can't be sure.

    SSH
    Afterwards I tried to SSH in, but all the combinations I could think of this time didn't work, so I gave up the SSH for now.

    But I did do a quick telnet to get some version information:

    So it seems to be Ubuntu which is running on there? Well, at least a modified version of Ubuntu.

    192.168.90.100 and 192.168.90.101 are both running the same version of OpenSSH.

    DNS
    On 192.168.90.100 there is also a DNS server running on port 53. It's a recursive nameserver which is open for me:

    I also queried to find out which DNS server it's running:

    So that seems to be dnsmasq 2.58

    That's weird. Since Ubuntu 10.04 (previous LTS) has dnsmasq 2.52 and the current one, 12.04 has 2.59. So this has to be a homebrew version of Ubuntu OR a non-LTS version of Ubuntu.

    HTTP
    So 192.168.90.100 is running a webserver which serves one file only: nowplaying.png:

    We can assume that 192.168.90.101 (the dashboard) downloads this file to display the same image on the dashboard. I tried a couple of HTTP urls, but they all failed.

    mini_httpd 1.19 seems pretty old though! 19 dec 2003? But the website says it's the latest version: mini_httpd

    I still would have gone for something like nginx or lighttpd, but hey, it's up to them. It's also available as a package on Ubuntu: Ubuntu – Details of package mini-httpd in precise

    X11 / XDMCP
    Using remmina in Ubuntu I was able to set up a X11 connection on port 6000, but it only showed me a blank screen, nothing else.

    This was on both .100 and .101. Could be that I did something wrong.

    IPv6
    I tried to connect to the internal IP's using IPv6, but all three hosts didn't respond on the link-local address I calculated based on their mac address.

    Broadcast UDP traffic
    I also see all this UDP traffic. I ran tcpdump for about 2 minutes and I'll try to see what it actually contains.
     
  4. aviators99

    aviators99 Model S - R140

    Joined:
    Jan 1, 2010
    Messages:
    1,463
    Location:
    Weston, Florida, United States
    Great stuff.
     
  5. gelden

    gelden Well-Known Member

    Joined:
    Apr 21, 2013
    Messages:
    5,564
    Location:
    Breda, Netherlands
    Thsi must be the guy who worked on the navigation system:
    Yair Zadik | LinkedIn
    3f9e262.jpg
     
  6. aviators99

    aviators99 Model S - R140

    Joined:
    Jan 1, 2010
    Messages:
    1,463
    Location:
    Weston, Florida, United States
    How about an ls -alR of the NFS mount? I assume that the EU subdirectory has the navigation data for the EU. I guess the sound subdirectory is the voices.

    No NFS mounts on .101?
     
  7. widodh

    widodh Model S 85 and 100D

    Joined:
    Jan 23, 2011
    Messages:
    6,732
    Location:
    Venlo, NL
    I'm not connected anymore, but what I saw:

    The EU directory is about 3GB in size and has two subdirectories:
    - maps
    - data

    In all has some .pfs and .nfs files

    The sounds directory indeed has the voices. For every different language there is a .pfs file.

    Nope, only .100 does NFS.
     
  8. RomanG

    RomanG New Member

    Joined:
    Oct 17, 2013
    Messages:
    2
    Location:
    Switzerland Zurich
    Hi everyone,

    from a discussion with a TM employee I can confirm that they run a modified version of Ubuntu.
    He further told me, that they use Qt.
    But even more interesting (may not for this thread but in general) they use 6 CAN-Buses (AFAIK other Cars use maximum 3).

     
  9. rdrcrmatt

    rdrcrmatt Member

    Joined:
    Jun 27, 2013
    Messages:
    598
    Location:
    Milwaukee

    Maybe that's why there's such a limited selection of things that we can go to via the smartphone app / "REST API"
     
  10. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    5,055
    Location:
    So Cal
    Nice detective work on the versions, widodh. That http server does indeed seem quite old. Might provide a way in through exploits?
     
  11. widodh

    widodh Model S 85 and 100D

    Joined:
    Jan 23, 2011
    Messages:
    6,732
    Location:
    Venlo, NL
    Maybe indeed. Not sure yet.

    A Quick google brought me to a remote execution exploit though: Acme Mini Httpd version 1.19 : Security vulnerabilities

    Couple of things which are on my TODO list:

    - Reboot main screen and see if it tries a PXE boot or does any DHCP requests
    - Reboot both screens and check the same
    - Cause a IP-address conflict and see what traffic I get in or what happens (Keep the frunk open to pull any fuses if a reboot is required)
    - Try to exploit the HTTP server
    - Try a brute-force on the SSH (probably won't work..)
     
  12. nlc

    nlc Member

    Joined:
    Jul 1, 2013
    Messages:
    655
    Location:
    Nantes, France
    Great Widodh ! Actually in hollidays I will be able to continue investigation the next week. From my reboot test, I remember no dhcp or pxe request. But you can also try if I missed them.
    Will try to concentrate on the 3h device which seems to countain data from powertrain
     
  13. DEinspanjer

    DEinspanjer Member

    Joined:
    Apr 1, 2013
    Messages:
    189
    Location:
    Salem, NH
    This is great stuff and very interesting, but I just want to toss in a word of caution, maybe paranoia. :) Given that the car is always connected and definitely phoning home, it is very possible that even the basic investigation work you've done so far, something as simple as registering a new client on the LAN might be reported back in the form of a syslog somewhere. Exploit attempts on the HTTP server or brute forcing the SSH daemon are even more likely to show up in auth logs and such that might work their way back, if not as actual text dumps, then possibly as audit counters such as reporting the number of failed logins or 404 requests, etc. I have no idea how Tesla will react to this information if they do collect and notice it, especially coming from a curious owner, but I think it is a possibility because they might be interested in how and what their competitors are reverse engineering from the cars, not to mention being prepared to react to the eventual likelihood of someone cracking into the cars for nefarious purposes such as being able to enable a high-tech theft ring.
     
  14. lolachampcar

    lolachampcar Well-Known Member

    Joined:
    Nov 26, 2012
    Messages:
    5,131
    Location:
    WPB Florida
    I suspect that is why this work is being done out in the open......
     
  15. FlasherZ

    FlasherZ Sig Model S + Sig Model X + Model 3 Resv

    Joined:
    Jun 21, 2012
    Messages:
    7,024
    ...and I can pretty much guarantee that Tesla already knows about this happening. :)
     
  16. WarpedOne

    WarpedOne Supreme Premier

    Joined:
    Aug 17, 2006
    Messages:
    3,998
    Location:
    Slovenia, Europe
    Even more: they knew this will be happening long time ago.
     
  17. widodh

    widodh Model S 85 and 100D

    Joined:
    Jan 23, 2011
    Messages:
    6,732
    Location:
    Venlo, NL
    I'm not hiding anything. If I can find a vulnerability in Model S, somebody else can as well. I'm doing it in public so Tesla can learn from it.

    Somebody else might do it without Tesla knowing and could be stealing cars from the owners.

    Exactly. If I find something which is very serious I'll contact Tesla to make sure they can fix it.

    That can only help them to make Model S and the upcoming models even better.
     
  18. dsm363

    dsm363 Roadster + Sig Model S

    Joined:
    May 17, 2009
    Messages:
    18,278
    Location:
    Nevada
    I think that is the right way to do it. If you find anything serious let Tesla know in private first and give them opportunity to address it in a timely manner.
     
  19. strider

    strider Active Member

    Joined:
    Oct 20, 2010
    Messages:
    3,376
    Location:
    NE Oklahoma
    Enjoying the thread. I hung up my Unix hacking years ago but I can tell you that Navigon is the company that provides the turn-by-turn navigation system for the dashboard screen. That is the filesystem location of the street database where they will upload new maps/databases - same as when you update your handheld Garmin, Tom Tom, etc GPS unit. Navigon is owned by Garmin.
    | NAVIGON - a Garmin company.
     
  20. gelden

    gelden Well-Known Member

    Joined:
    Apr 21, 2013
    Messages:
    5,564
    Location:
    Breda, Netherlands
    Would be nice if we could upload our own poi file (charging points for example)
     

Share This Page

  • About Us

    Formed in 2006, Tesla Motors Club (TMC) was the first independent online Tesla community. Today it remains the largest and most dynamic community of Tesla enthusiasts. Learn more.
  • Do you value your experience at TMC? Consider becoming a Supporting Member of Tesla Motors Club. As a thank you for your contribution, you'll get nearly no ads in the Community and Groups sections. Additional perks are available depending on the level of contribution. Please visit the Account Upgrades page for more details.


    SUPPORT TMC