TMC is an independent, primarily volunteer organization that relies on ad revenue to cover its operating costs. Please consider whitelisting TMC on your ad blocker and becoming a Supporting Member. For more info: Support TMC

Successful connection on the Model S internal Ethernet network

Discussion in 'Model S: User Interface' started by nlc, Mar 2, 2014.

  1. wk057

    wk057 Senior Tinkerer

    Joined:
    Feb 23, 2014
    Messages:
    5,386
    Location:
    Hickory, NC, USA
    Interesting. This DNS uses the 3G service I assume?

    Use of http://code.kryo.se/iodine/ comes to mind... (IP over DNS...)
     
  2. widodh

    widodh Model S 85 and 100D

    Joined:
    Jan 23, 2011
    Messages:
    6,728
    Location:
    Venlo, NL
  3. Pollux

    Pollux Active Member

    Joined:
    Jul 16, 2013
    Messages:
    1,542
    Location:
    Merry land / District of Confusion
    Lost count of the number of times I've said things like this. :biggrin: What's Latin for, "I read therefore I must write?"
     
  4. Musterion

    Musterion 18h 03m 37s −24° 23′ 12″

    Joined:
    Jan 10, 2013
    Messages:
    579
    Location:
    M8
    Speaking of which, is it possible to re-write the "now playing" image? If so, this is a means to have a custom dash display.
     
  5. Lloyd

    Lloyd Well-Known Member

    Joined:
    Jan 12, 2011
    Messages:
    6,121
    Location:
    San Luis Obispo, CA
    I would like it if Escort Live would place their data points on the moving map.
     
  6. rlang59

    rlang59 Member

    Joined:
    Feb 27, 2013
    Messages:
    945
    Location:
    US
    The now playing image is probably just the pic that pops up for the song on the radio.
     
  7. widodh

    widodh Model S 85 and 100D

    Joined:
    Jan 23, 2011
    Messages:
    6,728
    Location:
    Venlo, NL
    I sniffed the WiFi again yesterday. If I send a DNS query to 192.168.90.100 I see that the car sends out the DNS query to the resolver it got from my DHCP server.

    I have two pretty large capture files from both the WiFi and internal network. Will go through them in the weekend.
     
  8. DEinspanjer

    DEinspanjer Member

    Joined:
    Apr 1, 2013
    Messages:
    189
    Location:
    Salem, NH
    I understand you aren't trying to hide anything and that you have noble intentions in addition to your curiosity.

    I think my goal in pointing this out was more around the possibility that it could lead to significant financial risk and repercussions for you. If you do something that ends up forcing a service call or, even more unfortunate, if something completely unrelated to your exploration necessitates a service call, and they determine that there is software corruption or hardware damage that could be blamed on your exploration, then it is very likely that they would decline to honor the warranty and service plans.

    I take that risk every time I go dabbling in one of my Android smart phones, but that is because I am content with the possibility of having to replace them out of pocket. The idea of losing the ability to drive my car or even worse, have an investigation into an accident cause Tesla and/or my insurance company to decide that they shouldn't cover me... I'm personally not comfortable with that right now. If you are, then I remain happy and interested to read about your exploration.
     
  9. brianman

    brianman Burrito Founder

    Joined:
    Nov 10, 2011
    Messages:
    17,465
    This is probably better directed at nlc (as the OP) but quoted widodh for context. Regarding the data analysis, your approach is good and I agree with it.

    The only sticking point for me is that I would have contacted Tesla directly before publishing "how to" information. I have no idea if nlc (or others) already did that.

    The difference is "here's how to hack someone's xyz device" vs. "when I hacked my own xyz device here's what I found." The latter is great. The former I would get clearance from Tesla first.
     
  10. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    5,052
    Location:
    So Cal
    I'm not sure I understand the need to involve Tesla. First off, there is essentially no security concern here. You need physical access to the diagnostic port in order to execute any exploits discussed here. By the way, we haven't even gotten to the exploits stage so there is absolutely no "hacking" that has been detailed here. Hence, no need to involve Tesla.

    IMO, it's like telling evad3rs that they need to make Apple aware before publishing a tool to hack a device. You all should be more concerned about your iPhone being hacked because unlike the Model S, there is no physical lock between a USB cable and the port on your iPhone. Someone would have to break into your MS in order do anything malicious, but if that happened I know I'd certainly have bigger concerns on my mind than the possibility of someone crashing my touchscreen.

    Now, if we were discussing remote exploits that can be executed over 3G, then I would be very concerned.
     
  11. hans

    hans P631

    Joined:
    Sep 27, 2012
    Messages:
    1,132
    Location:
    Menlo Park
    If Tesla doesn't give clearance for the REST API then why in hell would they give their clearance to snooping in on the internal bus? Seems silly to formally ask the question when you already know the answer. In fact, it makes it worse to ask.
     
  12. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    5,052
    Location:
    So Cal
    Exactly, and just to add to that why do we feel so compelled to communicate our hacking efforts to Tesla when they have repeatedly demonstrated their inability, and general lack of interest, to communicate with us?
     
  13. nlc

    nlc Member

    Joined:
    Jul 1, 2013
    Messages:
    655
    Location:
    Nantes, France
    This evening I got a call from service center :crying:
    They told me Tesla USA engineers seen a tentative of hacking on my car...
    I explained it was me because I tried to connect the diagnosis port to get some useful data (speed, power, etc...). They told me it can be related to industrial espionage and advised me to stop investigation, to not void the warranty....
    Don't know if they really seen something in the log, because I just sniffed the network. Or maybe they seen the port scanning with nmap ? Or maybe they just read this topic ? :eek:
     
  14. Johan

    Johan Funds for M3 secured. Contingent on wife aproval.

    Joined:
    Feb 9, 2012
    Messages:
    7,192
    Location:
    Drammen, Norway
    Ooh they read the forums... Don't think otherwise.
     
    • Helpful x 1
  15. Kalud

    Kalud Active Member

    Joined:
    May 7, 2013
    Messages:
    1,055
    Location:
    Montreal, QC
    Totally make sense, I would certainly have some staff doing this full time to seek information as fast as possible... Probably the same staff that manage the twitter / Facebook accounts...
     
  16. cinergi

    cinergi Active Member

    Joined:
    Sep 17, 2010
    Messages:
    2,176
    Location:
    MA
    From the MVPA I signed way back when ...

    photo.JPG
     
  17. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    5,052
    Location:
    So Cal
    The exception being "save only to the extent permitted by applicable law." And consider that there have been some interesting precedents that have been set to this end:

    1. TMC reverse engineered the remote API without TM raising a hoot.
    2. The law allows for tampering with and jailbreaking an iPhone.
    3. Tesla is required to provide diagnostic tools to third party service centers. In the absence of this, the case could be made that we are merely gathering data to diagnose our own cars.
    4. Lolachampcar could probably chime in here, as he has extensive experience reverse engineering and modifying ECUs on other cars.

    TM has no legal basis to void your warranty just for connecting to a diagnostic port and reading data. If that were true, all my previous ICE cars would have their warranty voided just by me connecting a diagnostic tool to the OBD port.
     
  18. nlc

    nlc Member

    Joined:
    Jul 1, 2013
    Messages:
    655
    Location:
    Nantes, France
    I agree with you. But this ethernet port is probably not only a diagnosis port, we seen that we can access some internal communications, and maybe change some internal parameters. That's the problem, they explained me let's imagine I am able to remove the speed limitation, or boost the power. If my motor die, it will be my fault, not Tesla fault, and they will not change my motor under warranty.
    It's an extreme case, but we don't know (and the Tesla employee who called me too), what can be done through this diagnosis tool, with or without hacking exploit.

    I think if we just connect the port, and just capture data, they cannot do anything because I think they cannot see the connection. Or they can see the ethernet connection going "up" somewhere.
     
  19. lolachampcar

    lolachampcar Well-Known Member

    Joined:
    Nov 26, 2012
    Messages:
    5,131
    Location:
    WPB Florida
    Tesla is on the wrong side of this by reaching out to people with warnings. They need to find a way to work with their customers that have legitimate curiosity WRT MS and not against them. We own the car and there are people that will want to tinker. There must be a sane way to allow the curious to feed their need to learn while still protecting Tesla's interests.


    This issue of providing tools to work on their cars is going to start cropping up more and more as time goes by. They can hold it off for a few years with their excellent warranty work but it will crop up. Unlike the dealer thing, they will be on the wrong/loosing side of that argument.
     
  20. widodh

    widodh Model S 85 and 100D

    Joined:
    Jan 23, 2011
    Messages:
    6,728
    Location:
    Venlo, NL
    No, I'm looking at this from another perspective.

    Sooner or later somebody, somewhere in a black hole would have gotten his hands on a Model S and started doing the same "hacking" as we are doing right now.

    That person might find a serious exploit in Model S and never tell us nor Tesla about it. So again, yes, I'm trying to find ways to exploit the car, but just to make sure "we" find them first instead of "them" (The people not telling anybody).

    In the end somebody will find a exploit in Model S. Better be "us" then "them".

    Don't forget that over the diag port you can access the central screen which also does the 3G/WiFi.

    Maybe we are able to learn something through the diag port which also works via the WiFi. You never know. I'm keeping all options open.

    Don't forget that we are protected by the European laws and the US laws do not apply here.

    I'm not a lawyer, but I'm pretty sure that I'm allowed the connect to any cable in my own car.

    The last part applies here. Tesla can say anything they want in the MVPA, but in the end it's the law which applies.

    Exactly. They can try to push this away as hard as they want, but sooner or later people will find a way to exploit the vehicle.

    It's a pretty expensive car, so I'm not going to do very weird things, but imagine taking out the center screen and trying to access the filesystem/storage device of it directly by connecting it to a different Linux machine.

    If Tesla gives me a call like they did with nlc I'll tell them how I think about it. I'm just trying to find a weakness which potentially might hurt Tesla.

    It can never hurt for them to have a couple extra pairs of eyes looking at what they've build.

    I don't want to "go to war" with Tesla either. I have good intentions and probably everybody here, but security by obscurity does NOT work.


    I however doubt that the ethernet network is a essential part in safety. Yes, it can control various things, but I think that the .102 device is our gateway to the real important buses inside the car. We can read and probably set parameters, but that's all.
     

Share This Page

  • About Us

    Formed in 2006, Tesla Motors Club (TMC) was the first independent online Tesla community. Today it remains the largest and most dynamic community of Tesla enthusiasts. Learn more.
  • Do you value your experience at TMC? Consider becoming a Supporting Member of Tesla Motors Club. As a thank you for your contribution, you'll get nearly no ads in the Community and Groups sections. Additional perks are available depending on the level of contribution. Please visit the Account Upgrades page for more details.


    SUPPORT TMC