Page 1 of 36 1234511 ... LastLast
Results 1 to 10 of 353

Thread: Successful connection on the Model S internal Ethernet network

  1. #1
    Member
    Join Date
    Jul 2013
    Location
    Nantes, France
    Posts
    618

    Successful connection on the Model S internal Ethernet network

    Almost everyone knows that there is a white 4 pin connector on the left of the dashboard

    Today I susscefully connected to this connector, with a 2 row 4 contact male header (2mm pitch)

    Name:  20140302_174732.jpg
Views: 23209
Size:  121.2 KB

    The ethernet network of the car contains 3 peripherals :
    - The center console, IP Address 192.168.90.100
    - The dashboard/navigation screen, IP Address 192.168.90.101
    - An unknown peripheral, IP Address 192.168.90.102

    These 3 peripheral send of lot of data in broadcast UDP, to 192.168.90.255 broadcat address. Different UDP ports are used depending of data type.

    In fact they use the same principle a CAN bus use :

    - Everyone send data on the network
    - Anyone who need it listen for this data.

    The data shared on the netword seem to be in clear. I can see a Ascii header which define the type of the frame. Some data are in binary format thus it will need some reverse engineering to understand the data.

    I also tested the openeds ports of the 3 peripherals :

    - Central console :

    PORT STATE SERVICE
    22/tcp open ssh
    53/tcp open domain
    80/tcp open http
    111/tcp open rpcbind
    2049/tcp open nfs
    6000/tcp open X11
    MAC Address: FA:9E:70:EA:xx:xx (Unknown)

    - Dashboard screen :

    PORT STATE SERVICE
    22/tcp open ssh
    111/tcp open rpcbind
    6000/tcp open X11
    MAC Address: 36:C4:1F:2A:xx:xx (Unknown)

    - Unknown device :

    PORT STATE SERVICE
    23/tcp open telnet
    1050/tcp open java-or-OTGfileshare
    MAC Address: 00:00:A7:01:xx:xx (Network Computing Devices)

  2. #2
    S-P85#8,766 X-Sig#1,372 araxara's Avatar
    Join Date
    May 2012
    Location
    Tucson, AZ
    Posts
    424
    Thank you so much for doing this. I was wondering what the exact pinouts are for the pin-header? Since most ethernet chips these days are auto-mdix, I suppose that it doesn't matter which is RX or TX and I noticed you wired it using the standard green-white/green & orange-white/orange, so I think this is easy to duplicate.

  3. #3
    Member
    Join Date
    Sep 2012
    Location
    Greater Cincinnati
    Posts
    427
    And thus it begins... network access and open ports means someone is going to hack in there eventually...
    P85 White/Black Leather/CF Trim | Solid Roof | Spoiler | Air | Tech | Sound | 21 / 19" Wheels

  4. #4
    Senior Member HankLloydRight's Avatar
    Join Date
    Jan 2014
    Location
    New England
    Posts
    1,021
    Quote Originally Posted by dave View Post
    And thus it begins... network access and open ports means someone is going to hack in there eventually...
    And brick their car. Should be fun to watch.
    P85+ | Blue | Pano | 21" | Tech | Sound Studio | Black Perf Carbon Fiber | Flux Capacitor

  5. #5
    Member
    Join Date
    Oct 2013
    Location
    Seattle
    Posts
    100
    SC tech told me the ethernet port is the Model S's diagnostic port like OBDII for other cars. Also told me diagnostic equipment/manuals will be eventually available for purchase by law to support independent repair shops. I've seen many copies of factory diag equipment+software for other cars I've owned (Volvo, Toyota, VW), would be great to have a Tesla diag tool Given the high percentage of tech tinkerers that owns Tesla, we might develop our own tool The VW tool (very capable and complete) I have is built completely aftermarket by a diag tool enthusiast.
    S85 P09919 Metallic Blue, Pano, Tan Leather, 19" Wheels
    S85 is wife's car. I get the hand me down Prius

  6. #6
    Member
    Join Date
    Dec 2013
    Location
    United Kingdom
    Posts
    366
    Open SSH? Does that mean you can ssh into the centre console? That is a pretty good point to start. Username: elonmusk1, Password: tesla1

    Note: if Tesla have any brain cells to rub together (and they sure have shown a large number so far) they will have made the flash on the consoles squashfs or similar, with a bootloader and fail over partition. This would reinitialise any body modules which have had firmware updates fail. Which would essentially make the car unbrickable. This is so if a software update gets interrupted (dead 12V is a good one) the car will not require service. The major boot partitions will be read only to the userlevel. I've also heard from someone who has had a look that they statically link all linux modules so that the only way to update the configuration is to replace it all at once.

    However, there's a chance they haven't done this, so until it's know for sure, tread carefully!

  7. #7
    Member
    Join Date
    Jul 2013
    Location
    Nantes, France
    Posts
    618
    For now what I just want to do is extract useful data from this port. I was looking for the CAN bus but everything seem to be here so it's great this connector is easy to access.
    For example I want the exact power value, and I seen a frame called PowerStatus, I think it will contains what I am looking for.

  8. #8
    Senior Member HankLloydRight's Avatar
    Join Date
    Jan 2014
    Location
    New England
    Posts
    1,021
    Voiding my iPhone warranty by jailbreaking -- not to concerned.

    Voiding my Model S warranty by jailbreaking -- very concerned.

    But the idea of third-party apps on the console -- sounds awesome.
    P85+ | Blue | Pano | 21" | Tech | Sound Studio | Black Perf Carbon Fiber | Flux Capacitor

  9. #9
    Sig 255, VIN 320
    Join Date
    Oct 2012
    Location
    So Cal
    Posts
    1,329
    The unknown 3rd device is likely the gateway that controls access to the drivetrain components. I bet if you change the suspension height from the 17" then you will see network packets flying between those two devices.

    Regarding hacking, I don't see much risk of bricking the car. The infotainment systems are firewalled against the drivetrain components likely by that third device. It would be very difficult to brick a Model S through hacking.

  10. #10
    Member
    Join Date
    Dec 2013
    Location
    United Kingdom
    Posts
    366
    Perhaps you could retrieve that so-wanted kWh of battery capacity remaining for all of the folks in the "decreasing rated range" topic. And individual cell voltages, to see if they are balanced properly...
    (This information is all available from the console in service mode, but the access to that has since been removed.)

    Wonder what the port 80 open is - web interface to some diag stuff?

Thread Information

Users Browsing this Thread

There are currently 2 users browsing this thread. (1 members and 1 guests)

  1. Majerus

Similar Threads

  1. Replies: 5
    Last Post: 2013-07-16, 04:41 AM
  2. Replies: 12
    Last Post: 2013-04-21, 12:05 PM
  3. My Successful first 500+ mile trip in 60KW
    By vcor in forum Model S: Driving Dynamics
    Replies: 12
    Last Post: 2013-03-23, 09:34 AM
  4. The Most Successful Electric Car Cities
    By Doug_G in forum Electric Vehicles
    Replies: 3
    Last Post: 2013-02-13, 01:31 PM
  5. Replies: 2
    Last Post: 2008-06-25, 09:35 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •