Tesla runs a bug bounty program that invites researchers to find security vulnerabilities in their vehicles. To participate, I needed the actual hardware, so I started looking for Tesla Model 3 parts on eBay. My goal was to get a Tesla car computer and touchscreen running on my desk, booting the car’s operating system.

The car computer consists of two parts - the MCU (Media Control Unit) and the autopilot computer (AP) layered on top of each other. In the car, the computer is located in front of the passenger seat, roughly behind the glovebox. The part itself is the size of an iPad and the thickness of a ~500 page book and is covered in a water-cooled metal casing:

By searching for “Tesla Model 3 MCU” on Ebay, I found quite a lot of results in the $200 - $300 USD price range. Looking at the listings, I found that many of these sellers are “salvaging” companies who buy crashed cars, take them apart, and list all parts for sale individually. Sometimes, they even include a photo of the original crashed car and a way to filter their listings for parts extracted from the same vehicle.

To boot the car up and interact with it, I needed a few more things:

• A DC power supply capable of providing 12V
• A touchscreen module from a salvaged Model 3
• The display cable to connect them together

For the power supply, I went with an adjustable 0-30V model from Amazon. There was a 5 ampere and a 10A version available, at the time, I figured it’s safer to have some headroom and went with the 10A version – it was a very good decision, as it later turned out, the full setup could consume up to 8A at peak times. The Model 3 screens were surprisingly expensive on Ebay, I assume that is because it is a popular part to replace. I found a pretty good deal for 175 USD.

The last and most difficult part to order was the cable which connects the MCU to the screen. I needed this because both the computer and a screen were being sold with the cables cut a few centimeters after the connector (interestingly most sellers did that, instead of just unplugging the cables).

This is when I discovered that Tesla publishes the wiring “Electrical Reference” for all of its cars publicly. On their service website, you can look up a specific car model, search for a component (such as the display), and it will show you exactly how the part should be wired up, what cables/connectors are used, and even what the different pins are responsible for inside a single connector:

Turns out the display uses a 6-pin cable (2 for 12V and ground, 4 for data) with a special Rosenberger 99K10D-1D5A5-D connector. I soon discovered that unless you are a car manufacturer ordering in bulk, there is no way you are buying a single Rosenberger cable like this. No Ebay listings, nothing on Aliexpress, essentially no search results at all.

After digging around a bit, I found that this cable is very similar to a more widely used automotive cable called “LVDS”, which is used to transfer video in BMW cars. At first sight, the connectors looked like a perfect match to my Rosenberger, so I placed an order:

The computer arrived first. To attempt to power it on, I looked up which pin of which connector I needed to attach 12V and ground to using the Tesla schematics & the few pictures online of people doing the same desk-MCU setup. Since the computer included the shortly cut cables, I was able to strip the relevant wires and attach the power supply’s clips to the right ones:

I saw a couple of red LEDs start flashing, and the computer started up! Since I had no screen yet, there were not many ways to interact with the car. Reading @lewurm’s previous research on GitHub I knew that, at least in older car versions, there was a network inside the car, with some components having their own webserver. I connected an Ethernet cable to the port next to the power connector and to my laptop.

This network does not have DHCP, so you have to manually set your IP address. The IP you select has to be 192.168.90.X/24, and should be higher than 192.168.90.105 to not conflict with other hosts on the network. On Reddit, I found the contents of an older /etc/hosts file from a car which shows the hosts that are normally associated with specific IPs:

192.168.90.100 cid ice # mcu 
192.168.90.100 ic # only in Model X/S | IC = instrument cluster
192.168.90.102 gw # gateway
192.168.90.103 ap ape # ap = autopilot
192.168.90.104 lb # no clue
192.168.90.105 ap-b ape-b # also autopilot
192.168.90.30 tuner # Also no clue
192.168.90.60 modem # this has the ftp server

@lewurm’s blog mentioned that SSH on port :22 and a webserver on :8080 was open on 192.168.90.100, the MCU. Was this still the case on newer models? Yes!

I had already found 2 services to explore on the MCU:

• An SSH server which states “SSH allowed: vehicle parked” - quite funny given the circumstances
  • This SSH server requires specially signed SSH keys which only Tesla is supposed to be able to generate.
  • Interestingly, Tesla offers a “Root access program” on their bug bounty program. Researchers who find at least one valid “rooting” vulnerability will receive a permanent SSH certificate for their own car, allowing them to log in as root and continue their research further. – A nice perk, as it is much easier to find additional vulnerabilities once you are on the inside.
• A REST-like API on :8080 which returned a history of “tasks”
  • This service is called “ODIN” (On-Board Diagnostic Interface Network), and is intentionally exposed to be used by Tesla’s diagnostics tool “Toolbox”.

Around this time, I also removed the metal shielding to see exactly what the boards look like inside. You can see the two different boards which were stacked on top of each other:

Once the screen and the BMW LVDS cable arrived, it unfortunately became clear that the connector is not going to fit. The BMW connector was much thicker on the sides and it was not possible to plug it into the screen. This led to some super sketchy improvised attempts to strip the two original “tail” cables from the MCU and the screen and connect the individual wires together. The wires were really sensitive and thin. The setup worked for a couple of seconds, but caused wire debris to fall on the PCB and short it, burning one of the power controller chips:

It was extremely hard to find the name/model of the chip that got burned, especially since part of the text printed on it had become unreadable due to the damage. To be able to continue with the project, I had to order a whole other car computer.

In the meantime, my friend Yasser (@n3r0li) somehow pulled off the impossible and identified it as the “MAX16932CATIS/V+T” step-down controller, responsible for converting power down to lower voltages. We ordered the chip and took the board to a local PCB repair shop, where they successfully replaced it and fixed the MCU. Now I had two computers to work with.

So I really did need that Rosenberger cable, there was no getting around it.

After having no luck finding it online and even visiting a Tesla service center in London (an odd encounter, to say the least), I had to accept what I had been trying to avoid: buying an entire Dashboard Wiring Harness.

Back in the Tesla Electrical Reference, in addition to the connectors, one can find every part number. Looking at the cable which connects the MCU to the screen, the number 1067960-XX-E shows. Searching for it on Ebay brings up this monstrosity:

Turns out that actual cars don’t have individual cables. Instead they have these big “looms”, which bundle many cables from a nearby area into a single harness. This is the reason why I could not find the individual cable earlier. They simply don’t manufacture it. Unfortunately I had no other choice but to buy this entire loom for 80 USD.

Despite how bulky it was, the loom worked perfectly. The car booted, the touch screen started up, and I had a working car computer on my desk, running the car’s operating system!

Having the system running, I can now start playing with the user interface, interacting with the exposed network interfaces, exploring the CAN buses, and perhaps even attempting to extract the firmware.

Mary Cunningham, CBS News:

Tesla was found partly liable in a wrongful death case involving the electric vehicle company’s Autopilot system, with a jury awarding the plaintiffs $200 million in punitive damages plus additional money in compensatory damages.

[…]

“What we ultimately learned from that augmented video is that the vehicle 100% knew that it was about to run off the roadway, through a stop sign, through a blinking red light, through a parked car and through a pedestrian, yet did nothing other than shut itself off when the crash was unavoidable,” said Adam Boumel, one of the plaintiffs’ attorneys.

I continue to believe holding manufacturers legally responsible is the correct outcome for failures of autonomous driving technology. Corporations, unlike people, cannot go to jail; the closest thing we have to accountability is punitive damages.

⌥ Permalink

Elon Musk se je ponovno znašel na prvih straneh osrednjih medijev. Tokrat ne zaradi njegove pojavnosti v bližini Donalda Trumpa, temveč zaradi medijske kampanje za izpustitev britanskega skrajnega desničarja Tommya Robinsona. Zakaj je Muskov medijski angažma spravil na noge predvsem liberalce in naletel na obsodbo pri političnih voditeljih, ki so se v tednih pred tem ob rokovanju z njim še nasmihali v kamere?

Musk je že dobro poznan po radodarnih finančnih vložkih na politični desnici. Liberalni politični establišment z mediji na čelu pa se z obsojanjem Muskovega financiranja nazadnjaških strank obnašajo hinavsko in ignorantsko, saj načelno nimajo nič proti takšnim oblikam financiranja političnih strank. Ravno nasprotno.  Tudi sami rade volje sprejemajo ogromne donacije iz strani lastnikov kapitala, nepremičninskih lordov, fosilnih magnatov. S tem, ko poudarjajo, da Musk podpira »skrajno« desnico, utrjujejo predstavo, da sicer obstaja »normalna« desnica, ki pa bi jo lahko finančno podprl brez dviganja prahu in kontroverznosti. 

Muskovo financiranje ni samo podpora določenim političnim strankam, kot sta na primer AfD v Nemčiji in Reform UK, stranka Nigela Faraga v Veliki Britaniji, ki sta obe prejeli izdatne zneske iz njegovega žepa. Gre za podporo politični opciji, ki najbolj koristi pripadnikom njegovega razreda: lastnikom kapitala ali najbogatejšim vladajočim slojem. Muskovo financiranje ni samo spogledovanje s skrajno desnimi politikami, ampak je premišljen vložek v politiko, od katere bo za vladajoči razred »izboril« davčne odpustke in dodatne subvencije kapitalu na račun delovnih ljudi.

Zakaj torej ne smemo verjeti Olafu Sholtzu, ki je v svojem novoletnem nagovoru izrazil zaskrbljenost zaradi Muskovega vmešavanja v nemško politiko? Zato ker tudi evropski politični vrh že tako ali tako vodi politiko, ki je naklonjena takšnim, kot je Elon Musk. Vodi politiko davčnih odpustkov na račun siromašenja javnih storitev, socialnih transferjev in družbenih potreb na sploh. Tudi zato, ker je celoten vladajoči razred v medijih utrjeval predstavo o »genialnem podjetniku«, ki bi naj bil vzgled mladim generacijam. 

Elon Musk je nedvomno velika nevarnost za delavski razred. Z največjo donacijo v zgodovini ameriških volitev v znesku 277 milijonov dolarjev se je zavezal, da bo v vlogi svetovalca na ameriškem “Ministrstvu za vladno učinkovitost” še dodatno »pospešil« proces razgradnje javnih sistemov, s tem ko je že napovedal korenite spremembe v davčni politiki ZDA. 

Njegove tovarne avtomobilov Tesla so znane po tem, da delavci in delavke psihično in fizično izgorevajo, omedlevajo od izčrpanosti, delajo dolge nadure in vikende. Tesla je po številu varnostnih kršitev na delu daleč presegla povprečje drugih ameriških avtomobilskih tovarn. Kršitev je zagotovo mnogo več, saj so zaposlene in zaposleni  podvrženi njegovim grožnjam glede ustanovitve sindikata. Tesla je edina avtomobilska tovarna brez sindikata.  

Kljub svojemu bogastvu na račun ameriških delavk in delavcev Elon Musk leta 2018 ni plačal niti centa zveznih davkov na dohodek. Ko je leta 2021 vendarle poravnal davčne obveznosti, je znesek predstavljal zgolj 10 odstotkov povečanja njegovega premoženja v tistem letu. Rast vrednosti naložb – glavni vir dohodka najbogatejših – je namreč obdavčena bistveno nižje od običajnih plač in dohodkov. Za primerjavo, povprečna ameriška družina je istega leta plačala 14,9-odstotno davčno stopnjo na svoj zaslužek.

Nedavno je obljubil zmanjšanje proračunskih izdatkov ZDA za kar 200 milijard dolarjev, kar bi prizadelo širok spekter javnih storitev – od socialne varnosti in zdravstvenih programov, kot sta Medicare in Medicaid, do izobraževanja ter pomoči pri hrani in stanovanjih. Prihajajoča Trumpova administracija bo še bolj očitno vlada bogatih, ki jo bodo bogati vodili za bogate. 

Bolj očitno zaradi tega, ker bodo v njej sodelovali tudi demokrati, ki so mesece poprej svarili pred  fašizmom. Nedavno smo takšen politični konsenz videli tudi v primeru Francije, kjer je Macron samo potrdil znani rek: ko ima liberalec izbiro med podporo komunizma ali fašizma, se bo zmeraj odločil za fašizem. Zato ne smemo verjeti političnim voditeljem, ko svarijo pred Elonom Muskom medtem ko v isti sapi dajejo koncesije najbogatejšim, pospešujejo podnebni zlom in uničujejo javne storitve. Uslužnost kapitalistične države je namreč tista, ki je omogočila in celo vzpodbudila vzpon Elonov Muskov.

The post ELON MUSK: SOVRAŽNIK DELOVNIH LJUDI first appeared on Rdeča Pesa.

Jonathan M. Gitlin, Ars Technica:

Last night, after a wait of roughly an hour after the official start time, Elon Musk spoke to a crowd of Tesla fans and some journalists on a film studio backlot in California to give us an update on the company’s much-talked-about pivot to robotics. […]

[…]

After promising that “unsupervised FSD” is coming to all of Tesla’s five models — “now’s not the time for nuance,” Musk told a fan — he showed off a driverless minibus and then a horde of humanoid robots, which apparently leverage the same technology that Tesla says will be ready for autonomous driving with no supervision. These robots — “your own personal R2-D2,” he said — will apparently cost less than “$30,000” “long-term,” Musk claimed, adding that these would be the biggest product of all time, as all 8 billion people on earth would want one, then two, he predicted.

These announcements are almost certainly bullshit, and correctly contextualized by Gitlin. Mix the axiom “what can be asserted without evidence can also be dismissed without evidence” with the boy who cried “wolf!”, and the result is this media event — and that is without factoring in the usual Tesla sloppiness. These are three brand new products, all of which are purportedly future-defining, rambled about in the span of about thirty minutes on a random Thursday in October. Nothing is finished. Musk called two of the products “Cybercab” and “Optimus Robots”, but the company’s website refers to them as “Robotaxi” and “Tesla Bot”. Everything is hypothetical until proven otherwise.

The robot is particularly galling. The automotive industry has a long history of building humanoid robots: Honda’s ASIMO, Toyota’s Partner series, and General Motors’ work on NASA’s Robonaut 2. Some of these perform more specialized tasks. All of them have been around for a while. None of them are in widespread use. Tesla’s should be treated as an elaborate fiction until anyone outside the company can confirm even the most fundamental qualities it is claimed to possess.

Oh, and speaking of claims on the website, I want to address this:

To create a sustainable future, we must democratize transportation. We do this by making driving more efficient, affordable and safe. Autonomy makes this future possible, today.

Musk — for the featherweight of his words — said the Robotaxi would cost “less than $30,000” and be available “before 2027” — that is, to be clear, not “today”. If this thing ever ships, it will still require car-like infrastructure and ample space, even though it carries only two people.

Public transit, which is available today, is the very definition of democratized transportation, especially if it has been carefully considered for the needs of people with disabilities. It is inexpensive for end users, requires less space per person than any car, and has a beneficial feedback loop of safety and usage. I am not arguing the two cannot coexist; perhaps some of this stuff makes sense in low-density sprawl. But I have little confidence the future will look like Musk’s vision, or that Tesla will be delivering it. Why would anyone still believe this too-rich carnival barker who lies all the time?

⌥ Permalink

In my flat they have installed these new digital door phones running on two wires manufactured by Tesla:

I wanted to be notified when someone rings when we are not at home so I decided to reverse engineer it.

During idle, there is a voltage of about 23V which is there to power the phones as they don’t have any other power supply; during a call, the voltage drops to about 12,6V and current goes to 47mA. So I took my scope and started to measure the signal. In short, I have found, that there is some sort of digital signal and analog voice modulated on top of the DC component (timeframe of one call):

On first sight, it didn’t remind me of any common line encoding and my scope has a short buffer so I decided to convert it to logic levels and use a logic analyzer.

It also didn’t make more sense but then I played with zoom and suddenly saw it there:

The data is encoded using symbols consisting of 4 PWM pulses. There are 3 symbols – logical 0, logical 1 and stuffing (‘-‘). Each frame starts with several dozens of stuffing symbols. Then bit symbols are sent each one followed by one stuffing symbol. On the picture above, “A” marks the start of 1 then follows: -, 1, -, 0, -, 0, … Each frame consists of 48 bits where the last 8 bits are checksum. They are being sent in MSB first order. The checksum is computed using this formula.

Once I got the frames decoded, it was just a matter of watching the communication. I managed to decode following structure:

| dst address (16b) | src address (16b) | command (8b) | checksum (8b) |

Addressing

Some facts from installation manual:
– each phone has assigned “system number” (SN) in range 000-999
– only numbers 000-323 can be called from another phone (due to addressing scheme)
– there can be one “main phone” (MP) and up to 3 “secondary phones” (SP) for each SN
– there can be up to 8 “electronic gatekeepers” (GK)
– each phone has it’s own “intercom number” (IN) which can be computed like this:

IN1 = ((SN x 4 + X) / 216) + 1
IN2 = (((SN x 4 + X)mod 216) / 36) + 1
IN3 = (((SN x 4 + X)mod 36) / 6) + 1
IN4 = ((SN x 4 + X)mod 6) + 1
where X = 0 for MP and 1-3 for SP

Considering these facts, I was able to decode the address format:

000GSSSSSSSSSSXX – 16bits
– G – is_gk – if address belongs to GK it equals 0
– S – system number for MP/SP, zeroes for GK
– X – number of MP/SP or number of GK

Commands

There is 1 byte space for commands so theoretically there can be 256 commands. I was able to decode these ones.

The call from GK always starts with “ping” to check if the called MP exists, MP needs to respond with OK. Then GK sends “call_from_eg” and the MP starts ringing. When an user picks up, MP sends “accepted_call_from_eg”, GK responds with OK and voice communication is established. The you can also see open_lock and hangup commands with pretty clear meaning. Here is the whole communication between MP with SN 7 and GK 1:

src:{sn:0 mn:1 is_gk:1} dst:{sn:7 mn:0 is_gk:0} cmd:ping(64) cs:147
src:{sn:7 mn:0 is_gk:0} dst:{sn:0 mn:1 is_gk:1} cmd:OK(0) cs:211
src:{sn:0 mn:1 is_gk:1} dst:{sn:7 mn:0 is_gk:0} cmd:call_from_eg(10) cs:201
src:{sn:7 mn:0 is_gk:0} dst:{sn:0 mn:1 is_gk:1} cmd:OK(0) cs:211
…
src:{sn:7 mn:0 is_gk:0} dst:{sn:0 mn:1 is_gk:1} cmd:accepted_call_from_eg(12) cs:199
src:{sn:0 mn:1 is_gk:1} dst:{sn:7 mn:0 is_gk:0} cmd:OK(0) cs:211
…
src:{sn:7 mn:0 is_gk:0} dst:{sn:0 mn:1 is_gk:1} cmd:open_lock(14) cs:197
src:{sn:0 mn:1 is_gk:1} dst:{sn:7 mn:0 is_gk:0} cmd:OK(0) cs:211
…
src:{sn:7 mn:0 is_gk:0} dst:{sn:0 mn:1 is_gk:1} cmd:hangup_from_eg(16) cs:195
src:{sn:0 mn:1 is_gk:1} dst:{sn:7 mn:0 is_gk:0} cmd:OK(0) cs:211

Hardware

I have used a transformer to isolate my device from the bus. The middle section is simple and is used for transmit. For receive, I was first using the bottom part but then I replaced it with the transistor behind the transformer. Audio is sent/received from pins 3,4 on the transformer.

Audio signal goes to integrated soundcard on OrangePI, digital signal from transistor is received by STM32F1, the pulse widths are measured and sent via virtual serial port over USB. The software then checks the pulse widths and counts and decodes into bits and frames. The transmit path also goes via the virtual COM, but it is sent as full frames and line encoded on the MCU. When the software detects incoming call to specified MP, it will start a SIP call to defined number in PSTN and the call can be normally answered, you can talk or open lock using DTMF.

You can find the complete software on https://github.com/danielkucera/tesla-2bus – there is both the control software and firmware for the STM32.

This project is still a work in progress, I am thinking about implementing it completely in an MCU and make the calls using SIM800 GSM module and power everything from the bus.

Feel free to ask in the comments if you have any questions.