Looking for ports in a Tesla Model 3 #1
Comments
|
Might find this interesting; Rich normally covers the physical parts of disassembling/servicing Teslas, but I didn't know they switched to Intel recently.... or that they stress the eMMC too much. |
|
Yes, this video is very interesting. I wish I would have seen this before my little adventure 😅 The mentioned wearing on eMMC only seems to be an issue on earlier generations, and doesn't apply to the Intel based MCUs: https://www.reddit.com/r/RealTesla/comments/blyhd0/tesla_hacker_highlights_major_issue/emsrbc1/ |
|
Hi, any news about your finding? also maybe the Ethernet you found is an console port? did you try any USB to Console cable and see ? |
|
@mikealanni nope. I've some experiments going on, but no success yet. Anyway, I should post another update soon. Thanks for the hint with the Ethernet console. I just ordered one that is ethernet<>FTDI<>USB 🙂, something like this: https://www.amazon.com/Cable-Matters-Console-Compatible-Rollover/dp/B078PVJ5ZQ/ |
|
Cool, please keep me posted as I'm so interested |
|
I definitely wouldn't say the eMMC wearout issue "doesn't apply". The only replies in that thread said the same thing from the video: that it is still a thing, but that it'll take longer - 30 years instead of 4 years. That is still not a solution, as the reason for the problem is merely bad coding, and it could last 5000 years if they just weren't spamming irrelevant kernel logs to Flash. |
Unless they've addressed the board internal (i.e. MCU board) temperatures being >30 C higher than outside ambient temperature, I suspect heat failure will still kill the eMMC about the same amount of time as now. |
|
You can use "scan my Tesla" to get battery info, temperature & pretty much all CAN data |
A few weeks ago I finally got the Model 3. It's fun. Watch the YouTube video 🙂
The battery temperature is an issue on the track which was expected. What I'm disappointed about is the lack of information that is shared with the user, for example voltage of each cell or battery temperature. I found a nice thread about accessing the CAN bus over at the Tesla Owner forum: https://teslaownersonline.com/threads/diagnostic-port-and-data-access.7502/
The vehicle CAN would be accessible with a reasonable amount of modification, you just need to remove some trim. However, just when I started to look into it, EVTV discovered that the information that I would be interested in was just removed with a recent Tesla update. Bummer.
I like this guy 😄 Anyway, while CAN sniffing would still be an option (there is more than the Vehicle CAN which most likely will contain the wanted information), why not... more?
ssh 👏 access 👏 everywhere 👏
On a general note I don't like having devices in my home network that can't be accessed remotely, e.g. via SSH. This is not the case with the Model 3 connected to my WiFi. Well, not quite true: With your Tesla account you can access your car remotely, and retrieve some general information about the state of the car and you can do some controlling, like turning on the climate control. Let me give you some examples I wanna do with my car that aren't possible with said API:
rsyncjob that copies the recordings to my NAS. You know, I could wait for a Tesla update, but I think it's fair to assume that such feature will never be shipped 😛 There are other solutions to that problem, e.g. attach a RaspberryPi instead and let it do the work. But why? There is already a powerful computer in the car.Unfortunately you can't just ssh into your car because of security blah. Of course I did some research upon the state of "jailbreaking" the car [1] [2] [3] [4]. Let me tell you the good news first: Tesla does a pretty good job to keep their cars secure from an InfoSec point of view.
At the same time this is bad news for me: All the low-hanging fruits are gone. Also a lot of stuff happens in secrecy as hobbyist are reluctant to share their findings in public, as they don't want Tesla to fix it right away. I haven't found the inner circle of those cool hax0rs yet.
Of course there are always ways to get into computers when you have physical access. I'm really bad with hardware so I didn't want to go that route at first, you know, new car and stuff. Now, a couple weeks later I feel more comfortable ripping some stuff out of the car 😄
So I didn't know where the MCU (media control unit) is located in the Model 3. I know where it's located in the Model S: Right behind the touch screen. So I started to rip off the wooden dash:
Spoiler alert: That was unnecessary 😅 It got more interesting on the passenger-side behind the glovebox:
Uh-oh, what's that? Looks like an ethernet port. I had a cable around so I was like "I should plug that in there". Unfortunately it was really hard to access, so I had to rip off some more trim:
Now it was somewhat easier to access. Also I could sneak in my phone for slightly more informative view:
So there are two ethernet ports and one USB-C (?) port next to it on the lower board labeled with "Tegra debug". Well, at this point I didn't even know what I was looking at: I assumed that it must be the APU (autopilot unit), because that one is located behind the glovebox in the Model X (and I believe in the Model S as well). However, in the Model 3 both, the MCU and APU, are located together in a nice package behind the glovebox. Now I know that the board with the USB-C port is the APU. I managed to jerk the ethernet cable into the board of the MCU. Unfortunately I had to wrap up, so I didn't attempt connecting a second ethernet cable and also no USB-C cable. Yet 🙂Obviously I don't feel comfortable to get out the whole unit. I kinda need to keep the car in a working condition. But I found some nicer pictures of it from some guy selling it on Ebay:
So what's going on at this Ethernet port?
This is how it looks like on the passenger side:
I wired up a router and looked what's going on. Unfortunately I couldn't even figure out the MAC address 🙁 Looks like a dead-end, and presumably it's the same diagnostic port that needs some magic unlock sequence based on a secret that changes every 30 (?) seconds. Hopefully it will be useful at some point.
Next steps
I'll try to get my hands on a used MCU/APU and poke around in a more safe environment. I'm naive enough to hope that there is some unencrypted eMMC that allows me to dump the firmware. Another thought I'm having is "Tegra": There is a well-known bug in the bootloader discovered and exploited by different Nintendo Switch hax0rs. Chances are that the APU does not ship yet with a fixed boot ROM.
The text was updated successfully, but these errors were encountered: