
Time to crack her open and get inside the network for AP2

Discussion in 'Model S' started by BigD0g, Sep 18, 2017.

  1. BigD0g

    BigD0g Member

    Joined:
    Jan 12, 2017
    Messages:
    847
    Location:
    Somewhere
    I'd like to start with this: my plan with this thread is to update this excellent thread:
    My adventures in gaining control of my car
    and describe my journey to get access to my car.

    My goal is to update current information as best as possible for AP2 cars, my car being a Model S, as some things
    have changed with 8.0 and some things no longer exist as described in @green1's very good thread. I have no idea if things are the same for the X/S, but I strongly suspect they are based on my poking around, though I make no warranties, express or implied.

    Also, just like Green and others, I won't be giving away any keys to the kingdom, but hopefully I'll be pointing people in the right direction so that they can go back to Green's thread and figure things out. I don't have a spoon to give you, so don't ask.

    I will also try to point out some pitfalls to be aware of as I learn them.
     
  2. BigD0g
    The journey begins!!

    I had several hours free on Sunday, so I decided to grab my coffee and see what I can see!
    Prior to cracking her open I purchased one of these to make my life easier:
    Tesla Service Cable Ethernet-FakraHSD for Toolbox – Maxwell Automotive Technologies

    I also closely read this post in terms of gaining access:
    su - tesla

    And I watched this video by our very own @wk057 to figure out the disassembly.

    First, here we go!
    it-begins.JPG

    Next, this is the first piece that needs to be updated: the diagnostic port is no longer behind that back left panel on the dash as seen in the picture above. Instead it has now moved to underneath the CID and is accessed by giving a hard push on that little cubby under the CID. However, I will save you some pain and suffering and tell you not to bother; you won't get access through that port, well, unless someone gives you a ranger's laptop, but short of that, it's way too secure, and it even was back in the AP1.0 days.

    To remove the dash, the first part is to remove the side panel, which simply pries out with a set of automotive pry tools. I used these:
    https://smile.amazon.com/Radio-Panel-Audio-Removal-Installer/dp/B00T5ZYF0W/ref=sr_1_1?ie=UTF8&qid=1505740139&sr=8-1&keywords=automotive+pry+tools

    Next you need to remove that huge white (for me) trim piece under the wheel. You do this by removing a single screw on the left side above the footwell and then prying and pulling on the trim piece. This requires some force; it really feels like you're going to break it, but don't worry, it's a heavy-duty set of automotive clips, you're not going to break it.

    Next, you remove the little trim piece directly above the steering wheel; this will reveal two silver screws that must be removed so you can push up the dash piece. I suggest moving the steering wheel to its lowest position and forward as far as possible.

    Once those two screws are removed, you need to push up on that curved lip, which gives you access to the vent screws underneath.
    I used a screwdriver to make it easier to hold it up while removing the screws.
    left-vent.JPG

    The left vent came out very easily. (Note: there is also a screw on the left side of the vent in that access panel that needs to be removed to get the vent out.)

    Next, this was the hardest part for me and took far longer than I care to admit, and it's the right vent! UGH, this was a PITA to remove.
    It has a screw on the top underneath the dash and also a screw on the bottom left. Then it has a series of automotive clips near the chrome piece on the CID, making it a PITA to remove, at least for me. Just be patient and try to pull as "straight" out as you can; that chrome piece on the right side connecting to the CID is a POS and will bend and scratch very easily!
    right-vent-pita.JPG

    The little leather piece above the steering wheel is just held on with 2 automotive clips under the IC on either end and a series of cheap plastic clips underneath. Very easy to remove; just be careful with the plastic clips, they break easily. I broke one removing it, but it's got 4 others, so no worries.

    The little octagon piece that surrounds the CID is just held on with 4 screws and is very easy to remove.

    Oh baby, here she is; to me this was exciting, as for the first time I could see the end goal!
    there-she-is.JPG

    At this point it's just four screws and a patch cable preventing you from getting on the network! I placed a towel on my steering wheel to have something soft to lay my IC on, and be warned in advance that the cables behind are not nearly as long as I thought they might be, just long enough to lay that IC on the steering wheel.

    Once you have it removed, just take out that plug on the left side of the back of the IC and behold your internal network access!
    network-access.JPG

    Now, here's my first "LESSON LEARNED FOR YOU":
    You'll note that by removing the network cable going to the IC to access the internal network, the IC is obviously no longer on the network. Well, that's not good, because that's, let's call it, 50% of the devices we want to gain access to! So, if someone else were to follow in my footsteps, I'd hold off on cracking her open until I had a second cable to connect the IC to the hub/switch, so that it's available to play with as well.
    I'm trying to find/source a cable with a Fakra HSD female end to do this, but so far I haven't found it; however, I have a request out to Maxwell to see if they will make a few =).

    Note: If anyone has a link to a female end for a Fakra, I'd love to have it. I'm really trying to avoid splicing the wires behind the dash!

    However, the CID is still on the network, so let's do some port scanning!
    begin-scans.JPG

    So, I don't know if this next part is new with 8.0 or if it existed before, but using NMAP to scan the network, I found what I thought I would find, and that's that 80 and 443 are open, as I know 80 serves up now_playing.jpg and I know it's a JSON payload traveling across the internal network. However, the CID didn't like me scanning the network and shut itself down, which I assume is because it lost connectivity to the IC to authenticate the session and simply told me to F-ck off, this is not your network, LOL!

    For now that's my progress; I'm sourcing the cable for building that bridge with the IC/CID.
     
  3. BigD0g
    #3 BigD0g, Sep 18, 2017
    Last edited: Sep 18, 2017
    Next steps!

    I'm currently working on that female connectivity issue. I should have that figured out by today, and my plans are as follows:

    1. Get the female wired up for the IC connectivity.
    2. Extend the wires behind the IC to the access panel on the left hand side, for easy access in the future.
    3. Get a coupler to keep the connectivity when I'm not playing around that doesn't require power.
    4. Install a Raspberry Pi between the IC and the CID to start sniffing the traffic and injecting payloads to start to gain access.

    #4 is important for obvious reasons, but it will also allow me to SSH in to the local network without sitting on my garage floor =).

    To be continued!
     
  4. BigD0g
    Oh, one other note: I have a wife and 3 kids, so progress will be very slow on this thread, as I don't get a whole lot of play time with my car :eek:. However, once I have my Pi in place, that should give me A LOT more flexibility to play with things, as I won't be hunkered down in the garage. ;)
     
  5. croman

    croman Active Member

    Joined:
    Nov 21, 2016
    Messages:
    1,837
    Location:
    Chicago, IL
    I've disassembled and rebuilt and built from scratch so many computers but I don't have the heart to even attempt what @BigD0g is doing to Jarvis (his car). Jeez, it looks so scary without its clothes on.
     
  6. boonedocks

    boonedocks Member

    Joined:
    May 1, 2015
    Messages:
    828
    Location:
    Gainesville, GA
    +1 Not just "I don't have the heart" but I just don't have the b*lls to do that either.

    Thank you BigD0g for your bravery!!!!!
     
  7. BigD0g
    @croman @boonedocks Hah! Thanks guys, but really I'm standing on the shoulders of giants; the pioneers are @wk057, @green1 and several others, and a current one is obviously @verygreen and all the work he's been contributing. I just want to do my part and add back to the collective with hopefully some new updated information, and who knows what else. I have some ideas once I gain access, but first things first.
     
  8. apacheguy

    apacheguy S Sig #255

    Joined:
    Oct 21, 2012
    Messages:
    4,572
    Location:
    So Cal
    Subscribed.
     
  9. verygreen

    verygreen Curious member

    Joined:
    Jan 16, 2017
    Messages:
    1,260
    Location:
    TN
    They used to make them in the form of a "MiTM cable" but stopped due to lack of demand, I think (I have one).
    That said, if you get this: FAKRA HSD LVDS "Z" female Connector 1.2M Shielded Dacar 535 4-Core for BMW、Benz | eBay
    you can plug one end of it into the CID and the other end of it into the Maxwell cable (obviously you need two of the diag cables from Maxwell if you want to be able to have both the CID and IC accessible at the same time).
     
  10. BigD0g
    Thanks!! Perfect !!
     
  11. BigD0g
    Cable ordered; it appears there won't be any meaningful updates until:
    "Estimated delivery: Oct 31 – Nov 21"

    Compare the Maxwell cable, which arrived in about two days....

    Ahh, the joys of shipping electronics from China....
     
  12. gabeincal

    gabeincal Enjoying Napa life the electric way

    Joined:
    Jul 5, 2016
    Messages:
    581
    Location:
    Napa, CA, USA
    Subscribed. Thank you BigD0g for paving the path!
     
  13. verygreen
    Actually that was just the first hit; when I ordered, some sellers had faster shipping for about the same price that arrived here in a couple of weeks.
     
  14. appleguru

    appleguru Member

    Joined:
    Mar 15, 2017
    Messages:
    301
    Location:
    US
    Just a note that technically the car's Ethernet ports are HSD key B (the white connectors). But Z will also work (it is the "universal" connector with no keying).

    Related: on AP2 cars, I believe the diagnostic Ethernet cable is connected through the autopilot module (which is accessible behind the glovebox, to the left of the cabin air filter, I think?). This might be an easier way into the internal network than from behind the IC.
     
  15. AnxietyRanger

    AnxietyRanger Well-Known Member

    Joined:
    Aug 22, 2014
    Messages:
    8,380
    Location:
    EU
    I am adding @BigD0g to my personal TMC Hall of Fame - Greatest Members of All Time list.
     
  16. BigD0g
    The diagnostic cable on my AP2 (February build) is directly under the CID. You press down on the little cubby hole and it pops off to reveal it, but it's completely locked down; you can't get in. There's all sorts of security guarding the "easy" port. I won't get into it here, but look at the @green1 thread I referenced above; they talk all about the security and that port. Regardless, you're not getting into that port without a ranger / service center laptop.
     
  17. verygreen
    Yes, the benefit of the key-less Z connector is that you can plug it in anywhere in the car; otherwise the IC and diag Ethernet and such have different keys.
     
  18. u00mem9

    u00mem9 Member

    Joined:
    Jun 8, 2016
    Messages:
    791
    Location:
    USA
  19. BigD0g
    Good point, and if anyone is interested, here is a B version of the cable I ordered, if you'd rather have the keyed version:
    New Vehicle FAKRA HSD B LVDS 1.2m Shielded Dacar 535 4-Core Cable For BMW、Benz | eBay
     
  20. apacheguy
    Agreed. Don't have the ape, but based on what I've seen, it should be easier to access than the IC port.
     