Welcome to Tesla Motors Club
Discuss Tesla's Model S, Model 3, Model X, Model Y, Cybertruck, Roadster and More.
Register

Successful connection on the Model S internal Ethernet network

This site may earn commission on affiliate links.
Almost everyone knows that there is a white 4 pin connector on the left of the dashboard :smile:

Today I susscefully connected to this connector, with a 2 row 4 contact male header (2mm pitch)

20140302_174732.jpg


The ethernet network of the car contains 3 peripherals :
- The center console, IP Address 192.168.90.100
- The dashboard/navigation screen, IP Address 192.168.90.101
- An unknown peripheral, IP Address 192.168.90.102

These 3 peripheral send of lot of data in broadcast UDP, to 192.168.90.255 broadcat address. Different UDP ports are used depending of data type.

In fact they use the same principle a CAN bus use :

- Everyone send data on the network
- Anyone who need it listen for this data.

The data shared on the netword seem to be in clear. I can see a Ascii header which define the type of the frame. Some data are in binary format thus it will need some reverse engineering to understand the data.

I also tested the openeds ports of the 3 peripherals :

- Central console :

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
6000/tcp open X11
MAC Address: FA:9E:70:EA:xx:xx (Unknown)

- Dashboard screen :

PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
6000/tcp open X11
MAC Address: 36:C4:1F:2A:xx:xx (Unknown)

- Unknown device :

PORT STATE SERVICE
23/tcp open telnet
1050/tcp open java-or-OTGfileshare
MAC Address: 00:00:A7:01:xx:xx (Network Computing Devices)
 
Thank you so much for doing this. I was wondering what the exact pinouts are for the pin-header? Since most ethernet chips these days are auto-mdix, I suppose that it doesn't matter which is RX or TX and I noticed you wired it using the standard green-white/green & orange-white/orange, so I think this is easy to duplicate.
 
SC tech told me the ethernet port is the Model S's diagnostic port like OBDII for other cars. Also told me diagnostic equipment/manuals will be eventually available for purchase by law to support independent repair shops. I've seen many copies of factory diag equipment+software for other cars I've owned (Volvo, Toyota, VW), would be great to have a Tesla diag tool :) Given the high percentage of tech tinkerers that owns Tesla, we might develop our own tool :) The VW tool (very capable and complete) I have is built completely aftermarket by a diag tool enthusiast.
 
Open SSH? Does that mean you can ssh into the centre console? That is a pretty good point to start. Username: elonmusk1, Password: tesla1 ;)

Note: if Tesla have any brain cells to rub together (and they sure have shown a large number so far) they will have made the flash on the consoles squashfs or similar, with a bootloader and fail over partition. This would reinitialise any body modules which have had firmware updates fail. Which would essentially make the car unbrickable. This is so if a software update gets interrupted (dead 12V is a good one) the car will not require service. The major boot partitions will be read only to the userlevel. I've also heard from someone who has had a look that they statically link all linux modules so that the only way to update the configuration is to replace it all at once.

However, there's a chance they haven't done this, so until it's know for sure, tread carefully!
 
For now what I just want to do is extract useful data from this port. I was looking for the CAN bus but everything seem to be here so it's great this connector is easy to access.
For example I want the exact power value, and I seen a frame called PowerStatus, I think it will contains what I am looking for.
 
Last edited:
The unknown 3rd device is likely the gateway that controls access to the drivetrain components. I bet if you change the suspension height from the 17" then you will see network packets flying between those two devices.

Regarding hacking, I don't see much risk of bricking the car. The infotainment systems are firewalled against the drivetrain components likely by that third device. It would be very difficult to brick a Model S through hacking.
 
Perhaps you could retrieve that so-wanted kWh of battery capacity remaining for all of the folks in the "decreasing rated range" topic. And individual cell voltages, to see if they are balanced properly...
(This information is all available from the console in service mode, but the access to that has since been removed.)

Wonder what the port 80 open is - web interface to some diag stuff?
 
Wonder what the port 80 open is - web interface to some diag stuff?

Yes a web server is running, but serves only one file : the image of the radio or media currently played.

- - - Updated - - -

Voiding my Model S warranty by jailbreaking -- very concerned.

Very concerned too. But I only connected to ethernet diagnostic port, and will only read data on this port, will never try to do more, it will not void my warranty
 
Ah - I suppose that's how the dashboard console gets what media is currently playing then :). Kinda unexciting but it makes sense if you have to send some large amount of data like an image. I'd expect there's some API for volume controls/track/etc unless the centre console handles that all and the dashboard is a "slave" as such.
 
Hmm - maybe you have to request the packet, for example by entering the charge status screen? I thought though that the consoles only ever listened to data, they cannot send it, but that doesn't make sense, since then you could not control things like suspension and creep mode.
 
The unknown 3rd device is likely the gateway that controls access to the drivetrain components. I bet if you change the suspension height from the 17" then you will see network packets flying between those two devices.

Regarding hacking, I don't see much risk of bricking the car. The infotainment systems are firewalled against the drivetrain components likely by that third device. It would be very difficult to brick a Model S through hacking.

You are probably right for the 3rd device. The open telnet port can be to send instruction and read value from the drivetrain components. When I was connected, just see 2 different frame sent from this device. A very high rate frame (~1000Hz) with data len between 5 and 12 byte, and a 1412 byte frame at approx. 5Hz.

- - - Updated - - -

Hmm - maybe you have to request the packet, for example by entering the charge status screen? I thought though that the consoles only ever listened to data, they cannot send it, but that doesn't make sense, since then you could not control things like suspension and creep mode.

Cell voltage comes from BMS, I think these data comes from CAN bus
 
Very concerned too. But I only connected to ethernet diagnostic port, and will only read data on this port, will never try to do more, it will not void my warranty

Oh, I know... but it won't be long until other people start peeking and poking around to see what settings they can change or if they can load third party apps, etc into the console system. Not that TSLA engineers don't know what they're doing, but I suspect they've spent a lot less time into system security than Apple has put into their iOS over the last 7 years (since the iPhone was launched) and people can *still* hack into those devices.
 
I had tried this a year ago and when I connected the car went into some diagnostic mode, also could not see any traffic. Sounds like things have changed. Sorry for the list of questions but -- When you connected, what bit rate were you connected at 10/100/1 gig? Did you have to do anything else to start seeing this traffic? When connected did the main display display anything different? What IP address if any did you assign yourself.
 
I had tried this a year ago and when I connected the car went into some diagnostic mode, also could not see any traffic. Sounds like things have changed. Sorry for the list of questions but

Curious because it seems that's the only way of communication between central consol and dash board console.

-- When you connected, what bit rate were you connected at 10/100/1 gig?

Mar 2 16:51:56 localhost klogd: sky2 eth0: Link is up at 100 Mbps, full duplex, flow control both
Mar 2 16:51:56 localhost klogd: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready


Did you have to do anything else to start seeing this traffic? When connected did the main display display anything different? What IP address if any did you assign yourself.
Nothing specific, message I seen are broadcast message for data exchange between the 3 embedded ethernet peripheral

Edit : display has not changed because I just connected to ethernet. I assigned 192.168.90.1 to my computer

- - - Updated - - -

Now I need to write a UDP client software to receive data frame and begin the content analyzing
 
Last edited: