SlideShare a Scribd company logo

Tesla hacking presentation

J
Jasper Nuyens

Presentation performed at www.loadays.org for fellow Linux geeks.

Automotive
1 of 55
Download to read offline
Tesla Hacking why not
Jasper Nuyens jasper@linux.com +32478978967 Managing Director Linux Belgium http://www.linuxbe.com Only interested in cars since Tesla (and very critical in the beginning) ‘Tesla only’ company car policy (on the waiting list)
Content 1. Disclaimer and the obvious questions 2. The car 3. The mission 4. Components and network layout 5. How to access 6. Hacks performed by other people 7. Hacks performed by me 8. How ‘hacker friendly’ are Tesla Service and Elon Musk? 9. Other questions 10. Q&A
1. Disclaimer and the obvious questions Jasper Nuyens
1. Disclaimer and the obvious questions Disclaimer - I am a Tesla customer, not a Tesla supplier or employee - Tesla hacking might be dangerous: it is a +2t car with electric propulsion, electronically steered and with a high voltage battery - Uncertain what the level of ‘endorsement’ is by Tesla, both officially and unofficially
1. Disclaimer and the obvious questions Disclaimer - It might void the warranty, it might not. The Tesla warranty by default covers ‘everything’. I am not a trained mechanic (this is the first car I actually work on aside from replacing a lamp). So if I break something, I don’t claim warranty on it and pay for the repair (Tesla is very reasonable till now)
1. Disclaimer and the obvious questions Disclaimer - I might create extra work for Tesla Service - I try to avoid that, and create my hacks as much as possible in a forward and backward compatible way to prevent unforeseen events: Tesla Service are ‘car people’, not Linux sysadmins and developers such as us - Your experience with Tesla Service might differ
1. Disclaimer and the obvious questions Disclaimer - I might create extra work for Tesla Service - I try to avoid that, and create my hacks as much as possible in a forward and backward compatible way to prevent unforeseen events: Tesla Service are ‘car people’, not Linux sysadmins and developers such as us - Your experience with Tesla Service might differ
1. Disclaimer and the obvious questions WWW!? - Wife! - Warranty? - Why?
2. The car Model X, Enhanced Autopilot 2.0 75kWh battery, premium interior, towing package…
2. The car “Once you drive electric, there’s no going back” Range: officially 310km in practice between 230 and 310km decreases range: high speed, cold weather never having to go to the petrol station Supercharging network for long distance: charges at 500km per hour; no waiting required Autopilot: not fully self driving yet, but improving (slowly), newest generation of software is just starting
3. The mission Tesla’s mission is: “Accelerate the world's  transition to sustainable energy.” In our case, we drove 38.000 km in 1 year with our Model X. We generated the electricity from our solar roof. This avoided air pollution of: 8755kg CO2 I used to point to the ecological footprint of production, but that’s about the same with regular cars versus electric cars. And Tesla doesn’t use cobalt from Congo. Nor ‘real’ leather. Obviously it’s better for the environment to just walk or bike.
3. The mission Tesla is very high valued compared to the number of car it produces. But it also makes domestic and grid-level batteries (important for dealing with the fluctuations with solar and wind energy) And builds solar panels.
4. Components and network layout - Instrument Cluster (ic) behind steering wheel 192.168.90.101 - Big screen (cid) in the middle 192.168.90.100 - Gateway 192.168.90.102
4. Components and network layout Instrument Cluster (ic) behind steering wheel 192.168.90.101 Custom version of NVidia Tegra 2 SoC cat /proc/cpuinfo Processor : ARMv7 Processor rev 0 (v7l) processor : 0 BogoMIPS : 897.84 processor : 1 BogoMIPS : 897.84 Features : swp half thumb fastmult vfp edsp vfpv3 vfpv3d16 CPU implementer : 0x41 CPU architecture: 7 CPU variant : 0x1 CPU part : 0xc09 CPU revision : 0 Hardware : Tegra P852 SKU8 C01 Revision : 0000 Serial : 1f78400042408317 Boots squashfs compressed read-only filesystem, /var is writeable Steering wheel buttons are attached to the ic and the input is sent over Ethernet using the (undocumented) ‘Vehicle API’ Settings are stored in sqlite3 db
4. Components and network layout Massive multimedia 19”screen (cid) in the middle of the car 192.168.90.100 NXP i.MX6 quad core (till last month - now replaced with Intel Atom based board, also in the Model 3) Includes (relatively crappy) Qt based Web browser Runs Spotify and allows to control most settings
4. Components and network layout root@ic:~# nmap -v -p 1-65535 -sV -O -sS -T5 192.168.90.100 Not shown: 65090 closed ports, 419 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.5p1 Debian 4ubuntu4 (Ubuntu Linux; protocol 2.0) 53/tcp open domain dnsmasq 2.78 111/tcp open rpcbind 2 (RPC #100000) 2049/tcp open nfs 2-4 (RPC #100003) 4030/tcp open unknown 4032/tcp open unknown 4037/tcp open unknown 4050/tcp open unknown 4060/tcp open unknown 4070/tcp open unknown 4090/tcp open omasgport? 4092/tcp open unknown 4094/tcp open unknown 4096/tcp open bre? 4102/tcp open unknown 4110/tcp open unknown 4160/tcp open unknown 4170/tcp open unknown 4220/tcp open vrml-multi-use? 4280/tcp open unknown 4500/tcp open sae-urn? 20564/tcp open unknown 25956/tcp open unknown 43164/tcp open nlockmgr 1-4 (RPC #100021) 43427/tcp open status 1 (RPC #100024) 43546/tcp open mountd 1-3 (RPC #100005)
4. Components and network layout Gateway 192.168.90.102 Runs FreeRTOS on Freescale MPC5668G
 592 KB embedded RAM Is attached to the 6 CAN-busses: - Trunk, doors,… - Vehicle speed, engine speed,… - Chassis - BFT - ODBII
4. Components and network layout Gateway 192.168.90.102 firmware name: gtw.hex located on the sd card of the CID In the past, it contained in clear text the (unique) pw to get acces. Was a ‘point of entry’, closed by Tesla.
5. How to access Which data paths exist? Internet: - nightmare of Elon Musk - access from the Tesla Android or IOS App - mothership.tesla.com Internal Ethernet network: - physical connection below CID for Service Centers - physical connection between IC and CID CAN busses: - typical ‘old school car modding’, will phase out (probably)
5. How to access Dilemma: you want to get inside your own Linux systems but you don’t want people to be able to abuse it. So,… break open your brand new 118.000,- Euro Model X. Only 1 tool required, brute force, and balls. Especially if it’s the first time you crack open a car! Beware of the wife ;-)
5. How to access
5. How to access
5. How to access
5. How to access
5. How to access Careful with the special connector which provides power and more (click mechanism)!
5. How to access Experiment with how the wiring to the Ethernet is done.
5. How to access Fakra? 4 Ethernet wires: green, orange green/white orange/white Test: scroll volume
5. How to access
5. How to access Better (version 2):
5. How to access Ethernet (Fakra) from CID to switch Ethernet (Fakra) from IC to switch Extra ethernet cable below CID for attaching laptop Ethernet cable for Raspberry Pi for wired and/or wireless network Raspberry Pi allows to modify stuff ‘permanently’ without changing something to the rootfs Easy access at a side panel to ‘reverse’ all changes (before going back to Tesla Service)
6. Hacks performed by other people Tesla itself created ‘Easter Eggs’ like Model X Chrismas Tree, Mars driving map, drawing app,… 3 minute movie https://www.youtube.com/watch?v=1fmm6Hg7k1U
6. Hacks performed by other people All IC’s can be accessed using the same (leaked) ssh key for the root account (once you are on the Ethernet network between IC and CID). Might not remain so after an update. Ethernet port below CID is only enabled after mothership opens it for Tesla Service through their own cryptographically signed applications/internal network.
6. Hacks performed by other people Replacing an image on Instrument Cluster
6. Hacks performed by other people Playing a movie on the central display (first version) https://www.youtube.com/watch?v=c1Kmqz9UyaE
6. Hacks performed by other people Replacing an image on Instrument Cluster (old MS)
7. Hacks performed by me Replacing lots of images ‘subtle’ to add the Linux Belgium logo.
7. Hacks performed by me Replacing lots of images ‘subtle’ to add the Linux Belgium logo.
7. Hacks performed by me Images stored in /usr/tesla/UI/assets/night/car/modelx/ No permanent changes are made: small script to bind mount the individual files from /var/added and relaunch the Qt based IC process (beware of wife). Automatically launched when rpi starts and re-verifies every minute out of crontab. root@ic:~# crontab -l * * * * /teslascript.sh > /dev/null 2>&1
7. Hacks performed by me cat /teslascript.sh #!/bin/bash nohup ssh -i /root/id_dsa root@192.168.90.101 bash /var/added/addedtotesla.sh & ON IC: bash /var/added/mount-modfiles.sh cat mount-modfiles.sh #!/bin/bash #if an argument is provided multiple directories are allowed #first umount for bindmount in $(mount | grep bind | awk '{ print $1 }') do umount $bindmount done cd /var/added/modfiles$1 for modfile in $(find . -type f) do mount --bind $modfile /$modfile done
7. Hacks performed by me Gives: mount /dev/mmcblk3p3 on /var type ext3 (rw,noexec,nosuid,nodev,data=ordered,barrier=1,commit=20) /dev/mmcblk3p4 on /home type ext3 (rw,noexec,nosuid,nodev,data=ordered,barrier=1,commit=20) none on /var/run type tmpfs (rw) none on /var/lock type tmpfs (rw) cid:/opt/navigon on /opt/navigon type nfs (ro,noexec,nosuid,nodev,nolock,soft,fg,intr,retry=1,retrans=10,addr=192.168.90.100) /var/added/modfiles/home/tesla/.Tesla/data/QtCarClusterSettings.db on /home/tesla/.Tesla/data/QtCarClusterSettings.db type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/doors/trunk_closed_paint.png on /usr/tesla/UI/assets/night/car/ modelx/doors/trunk_closed_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/doors/trunk_open.png on /usr/tesla/UI/assets/night/car/modelx/doors/ trunk_open.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/drive/body_paint.png on /usr/tesla/UI/assets/night/car/modelx/drive/ body_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/hero/frunk_open_paint.png on /usr/tesla/UI/assets/night/car/modelx/ hero/frunk_open_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/hero/frunk_closed_paint.png on /usr/tesla/UI/assets/night/car/modelx/ hero/frunk_closed_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/top/frunk_open.png on /usr/tesla/UI/assets/night/car/modelx/top/ frunk_open.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/top/frunk_closed_paint.png on /usr/tesla/UI/assets/night/car/modelx/ top/frunk_closed_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/park/car_paint.png on /usr/tesla/UI/assets/night/car/modelx/park/ car_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/ghost/body-5.png on /usr/tesla/UI/assets/night/car/modelx/ghost/ body-5.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/about/badge_model_x.png on /usr/tesla/UI/assets/night/about/badge_model_x.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/cluster/background_noise.jpg on /usr/tesla/UI/assets/night/cluster/ background_noise.jpg type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/cluster/hi_res/badges/badge_model_x.png on /usr/tesla/UI/assets/night/cluster/ hi_res/badges/badge_model_x.png type none (rw,bind)
7. Hacks performed by me And then the script does: killall -HUP QtCarCluster The monitoring on the IC will restart the process fairly rapidly (beware of wife if you do this while driving)
7. Hacks performed by me Images stored in /usr/tesla/UI/assets/night/car/modelx/ No permanent changes are made: small script to bind mount the individual files and relaunch the Qt based IC process (beware of wife). 7. Hacks performed by me
7. Hacks performed by me Next step… - Color animation script! cat moonshine.sh #!/bin/bash export DISPLAY=:0.0 while true do for color in rgamma ggamma bgamma do for gamma in 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0 do xgamma -${color} $gamma 2> /dev/null sleep 0.1 done done done https://www.youtube.com/watch?v=XfkuS-ypUTU
7. Hacks performed by me Discovered: Sound is sent over the Ethernet network :) cat gameofthrones.wav | nc 192.168.90.100 4102 Possibility for denial of service attack? (yet not practical) Special sound format needed: file park_assist_red_repeat.wav park_assist_red_repeat.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 48000 Hz RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 48000 Hz Something like this: sox -S --norm gameofthrones-orig.wav -c 1 -r 48000 gameofthrones-good-format.wav reverse silence 1 0 0.05 reverse pad 0 0.100
7. Hacks performed by me Discovered: - Every day a new ‘token’ received in: /var/etc/saccess/tesla1 - SQLite3 database containing settings /home/tesla/.Tesla/data/QtCarClusterSettings.db sqlite3 QtCarClusterSettings.db sqlite> select key, quote(value) from data; select key, quote(value) from data where key='DataValues/GUI_developerMode'; DataValues/GUI_developerMode|X’000000010000' UPDATE data SET value=X'000000010001' WHERE key='DataValues/GUI_developerMode'; Might be GPS-location locked?
7. Hacks performed by me What’s next? Possibility to run Chrome on Rpi and display on-screen for dynamic content Waze was originally an OpenSource program, this code still exists, I cross-compiled it on Rpi, but don’t have the GPS provider integrated yet, nor know if the map server still works Ultimate goal create an alternative ‘xmas show’ with own choreography and music (because it means I can control about everything from the car)
8. How ‘hacker friendly’ are Tesla Service and Elon Musk? Elon Musk has tweeted a few times he likes people to tinker with his cars. My Tesla Service rep stated it’s “officially not allowed” but they like my work and have been very supportive (within limits)
8. How ‘hacker friendly’ are Tesla Service and Elon Musk? Is Dell stopping support for a motherboard problem with a server if you replaced the hard drive yourself? No. Yet, Tesla Service are ‘car people’ instead of ‘Linux Hackers’. I am honest about stuff I broke myself. 1) too many screws after reassembly 2) I broke a small plastic cover 3) I broke the upgrade mechanism
8. How ‘hacker friendly’ are Tesla Service and Elon Musk? I am not interested in doing illegal things like: - changing the VIN number (it might help stolen car sales) - faking the mileage - abusing the (free) data usage I prefer also not to: - touch the can bus directly - mess with the autopilot (I prefer to live ;) - mess with the drive motor steering
9. Other questions “Long tailpipe Myth”: Driving electric on coal generated electrity. -> no grid is 100% coal, it’s always a small minority -> would still be far less CO2 including counting for distribution (because ICE cars are so inefficient) “How to go on holiday”: - At home in the morning it’s always full - Never visit petrol station - Supercharging network for long distance; charging at 500km per hour.
9. Other questions
9. Other questions Or use other (slower) charging networks…
9. Other questions Or use one of these ‘hard to find’ things:
10. Q&A So Long, and Thanks for All the Fish

Recommended

#RIPv1 vs #RIPv2
#RIPv1 vs #RIPv2#RIPv1 vs #RIPv2
#RIPv1 vs #RIPv2
NetProtocol Xpert
 
AIoT: AI Meets IoT (IOT204) - AWS re:Invent 2018
AIoT: AI Meets IoT (IOT204) - AWS re:Invent 2018AIoT: AI Meets IoT (IOT204) - AWS re:Invent 2018
AIoT: AI Meets IoT (IOT204) - AWS re:Invent 2018
Amazon Web Services
 
A survey on Device-to-Device Communication
A survey on Device-to-Device CommunicationA survey on Device-to-Device Communication
A survey on Device-to-Device Communication
Kuldeep Narayan Singh
 
SD WAN
SD WANSD WAN
SD WAN
Bri Molina
 
15 ejercicio redes 3
15 ejercicio redes 315 ejercicio redes 3
15 ejercicio redes 3
Kike Mollá Arana
 
Zigbee ppt
Zigbee pptZigbee ppt
Zigbee ppt
kondalarao7
 
MPLS-based Metro Ethernet Networks
MPLS-based Metro Ethernet NetworksMPLS-based Metro Ethernet Networks
MPLS-based Metro Ethernet Networks
APNIC
 
Advanced ClearPass Workshop
Advanced ClearPass WorkshopAdvanced ClearPass Workshop
Advanced ClearPass Workshop
Aruba, a Hewlett Packard Enterprise company
 

Recommended

#RIPv1 vs #RIPv2
#RIPv1 vs #RIPv2#RIPv1 vs #RIPv2
#RIPv1 vs #RIPv2
NetProtocol Xpert
 
AIoT: AI Meets IoT (IOT204) - AWS re:Invent 2018
AIoT: AI Meets IoT (IOT204) - AWS re:Invent 2018AIoT: AI Meets IoT (IOT204) - AWS re:Invent 2018
AIoT: AI Meets IoT (IOT204) - AWS re:Invent 2018
Amazon Web Services
 
A survey on Device-to-Device Communication
A survey on Device-to-Device CommunicationA survey on Device-to-Device Communication
A survey on Device-to-Device Communication
Kuldeep Narayan Singh
 
SD WAN
SD WANSD WAN
SD WAN
Bri Molina
 
15 ejercicio redes 3
15 ejercicio redes 315 ejercicio redes 3
15 ejercicio redes 3
Kike Mollá Arana
 
Zigbee ppt
Zigbee pptZigbee ppt
Zigbee ppt
kondalarao7
 
MPLS-based Metro Ethernet Networks
MPLS-based Metro Ethernet NetworksMPLS-based Metro Ethernet Networks
MPLS-based Metro Ethernet Networks
APNIC
 
Advanced ClearPass Workshop
Advanced ClearPass WorkshopAdvanced ClearPass Workshop
Advanced ClearPass Workshop
Aruba, a Hewlett Packard Enterprise company
 
VPN (virtual private network)
VPN (virtual private network) VPN (virtual private network)
VPN (virtual private network)
Netwax Lab
 
Ppt on 5G
Ppt on 5GPpt on 5G
Ppt on 5G
vijay singhal
 
Ospf routing protocol
Ospf routing protocolOspf routing protocol
Ospf routing protocol
Edgardo Scrimaglia
 
Teltonika FM1204 Waterproof GPS/GLONASS/GSM vehicle tracker
Teltonika FM1204 Waterproof GPS/GLONASS/GSM vehicle trackerTeltonika FM1204 Waterproof GPS/GLONASS/GSM vehicle tracker
Teltonika FM1204 Waterproof GPS/GLONASS/GSM vehicle tracker
AngelitoAlonzo1
 
Cisco ASA Firewall Presentation - ZABTech center Hyderabad
Cisco ASA Firewall Presentation - ZABTech center HyderabadCisco ASA Firewall Presentation - ZABTech center Hyderabad
Cisco ASA Firewall Presentation - ZABTech center Hyderabad
MehtabRohela
 
10 gigabit ethernet technology
10 gigabit ethernet technology10 gigabit ethernet technology
10 gigabit ethernet technology
Likan Patra
 
ADVA Webinar to Netwell.pdf
ADVA Webinar to Netwell.pdfADVA Webinar to Netwell.pdf
ADVA Webinar to Netwell.pdf
Olam21
 
Single vs. multi-carrier in ROADM networks
Single vs. multi-carrier in ROADM networksSingle vs. multi-carrier in ROADM networks
Single vs. multi-carrier in ROADM networks
ADVA
 
Virtual Private Network VPN
Virtual Private Network VPNVirtual Private Network VPN
Virtual Private Network VPN
Farah M. Altufaili
 
The airborne internet final my
The airborne internet final myThe airborne internet final my
The airborne internet final my
ARUNP116
 
COMO REALIZAR SUBNETEO DEL TIPO VLSM
COMO REALIZAR SUBNETEO DEL TIPO VLSMCOMO REALIZAR SUBNETEO DEL TIPO VLSM
COMO REALIZAR SUBNETEO DEL TIPO VLSM
Mario Hernandez Burgos
 
Tema n° 09 vlan
Tema n° 09 vlanTema n° 09 vlan
Tema n° 09 vlan
Jorge Arroyo
 
Configure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfConfigure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdf
BT Digital
 
IPv6 Autoconfig
IPv6 AutoconfigIPv6 Autoconfig
IPv6 Autoconfig
Fred Bovy
 
Chapter 8 .vlan.pdf
Chapter 8 .vlan.pdfChapter 8 .vlan.pdf
Chapter 8 .vlan.pdf
manojkumar595505
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to site
IT Tech
 
WiFi-integration into EPC
WiFi-integration into EPCWiFi-integration into EPC
WiFi-integration into EPC
Franz Edler
 
Zigbee
ZigbeeZigbee
Zigbee
WaqarAhmad444
 
Zigbee ppt
Zigbee pptZigbee ppt
Zigbee ppt
Pranjul Rastogi
 
Freenet
FreenetFreenet
Freenet
Ashraf Uddin
 
Tesla hacking presentation fri3d
Tesla hacking presentation fri3dTesla hacking presentation fri3d
Tesla hacking presentation fri3d
Jasper Nuyens
 
Tesla hacking presentation 'jaarbeurs World of Technology and Science' Octobe...
Tesla hacking presentation 'jaarbeurs World of Technology and Science' Octobe...Tesla hacking presentation 'jaarbeurs World of Technology and Science' Octobe...
Tesla hacking presentation 'jaarbeurs World of Technology and Science' Octobe...
Jasper Nuyens
 

More Related Content

What's hot

10 gigabit ethernet technology
10 gigabit ethernet technology10 gigabit ethernet technology
10 gigabit ethernet technology
Likan Patra
 
The airborne internet final my
The airborne internet final myThe airborne internet final my
The airborne internet final my
ARUNP116
 

What's hot (20)

VPN (virtual private network)
VPN (virtual private network) VPN (virtual private network)
VPN (virtual private network)
 
Ppt on 5G
Ppt on 5GPpt on 5G
Ppt on 5G
 
Ospf routing protocol
Ospf routing protocolOspf routing protocol
Ospf routing protocol
 
Teltonika FM1204 Waterproof GPS/GLONASS/GSM vehicle tracker
Teltonika FM1204 Waterproof GPS/GLONASS/GSM vehicle trackerTeltonika FM1204 Waterproof GPS/GLONASS/GSM vehicle tracker
Teltonika FM1204 Waterproof GPS/GLONASS/GSM vehicle tracker
 
Cisco ASA Firewall Presentation - ZABTech center Hyderabad
Cisco ASA Firewall Presentation - ZABTech center HyderabadCisco ASA Firewall Presentation - ZABTech center Hyderabad
Cisco ASA Firewall Presentation - ZABTech center Hyderabad
 
10 gigabit ethernet technology
10 gigabit ethernet technology10 gigabit ethernet technology
10 gigabit ethernet technology
 
ADVA Webinar to Netwell.pdf
ADVA Webinar to Netwell.pdfADVA Webinar to Netwell.pdf
ADVA Webinar to Netwell.pdf
 
Single vs. multi-carrier in ROADM networks
Single vs. multi-carrier in ROADM networksSingle vs. multi-carrier in ROADM networks
Single vs. multi-carrier in ROADM networks
 
Virtual Private Network VPN
Virtual Private Network VPNVirtual Private Network VPN
Virtual Private Network VPN
 
The airborne internet final my
The airborne internet final myThe airborne internet final my
The airborne internet final my
 
COMO REALIZAR SUBNETEO DEL TIPO VLSM
COMO REALIZAR SUBNETEO DEL TIPO VLSMCOMO REALIZAR SUBNETEO DEL TIPO VLSM
COMO REALIZAR SUBNETEO DEL TIPO VLSM
 
Tema n° 09 vlan
Tema n° 09 vlanTema n° 09 vlan
Tema n° 09 vlan
 
Configure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdfConfigure Mikrotik Khmer.pdf
Configure Mikrotik Khmer.pdf
 
IPv6 Autoconfig
IPv6 AutoconfigIPv6 Autoconfig
IPv6 Autoconfig
 
Chapter 8 .vlan.pdf
Chapter 8 .vlan.pdfChapter 8 .vlan.pdf
Chapter 8 .vlan.pdf
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to site
 
WiFi-integration into EPC
WiFi-integration into EPCWiFi-integration into EPC
WiFi-integration into EPC
 
Zigbee
ZigbeeZigbee
Zigbee
 
Zigbee ppt
Zigbee pptZigbee ppt
Zigbee ppt
 
Freenet
FreenetFreenet
Freenet
 

Similar to Tesla hacking presentation

DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdf
DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdfDEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdf
DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdf
Wlamir Molinari
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hack
Slawomir Jasek
 
NodeMCU || Controlling and observing a robotic car with a smartphone through...
NodeMCU || Controlling and observing a robotic car with a smartphone through...NodeMCU || Controlling and observing a robotic car with a smartphone through...
NodeMCU || Controlling and observing a robotic car with a smartphone through...
Jiangxi University of Science and Technology (江西理工大学)
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
Positive Hack Days
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
Ekaterina Melnik
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON
 
the NML project
the NML projectthe NML project
the NML project
Lei Yang
 
Vlsi
VlsiVlsi
Vlsi
ncct
 
Vlsi
VlsiVlsi
Vlsi
ncct
 
Prj Vlsi Allabstract
Prj Vlsi AllabstractPrj Vlsi Allabstract
Prj Vlsi Allabstract
ncct
 
Prj Vlsi Allabstract
Prj Vlsi AllabstractPrj Vlsi Allabstract
Prj Vlsi Allabstract
ncct
 
The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?
SecuRing
 

Similar to Tesla hacking presentation (20)

Tesla hacking presentation fri3d
Tesla hacking presentation fri3dTesla hacking presentation fri3d
Tesla hacking presentation fri3d
 
Tesla hacking presentation 'jaarbeurs World of Technology and Science' Octobe...
Tesla hacking presentation 'jaarbeurs World of Technology and Science' Octobe...Tesla hacking presentation 'jaarbeurs World of Technology and Science' Octobe...
Tesla hacking presentation 'jaarbeurs World of Technology and Science' Octobe...
 
Tesla Hacking to FreedomEV
Tesla Hacking to FreedomEVTesla Hacking to FreedomEV
Tesla Hacking to FreedomEV
 
DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdf
DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdfDEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdf
DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdf
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hack
 
Post Graduate in AI PPT.pptx
Post Graduate in AI PPT.pptxPost Graduate in AI PPT.pptx
Post Graduate in AI PPT.pptx
 
NodeMCU || Controlling and observing a robotic car with a smartphone through...
NodeMCU || Controlling and observing a robotic car with a smartphone through...NodeMCU || Controlling and observing a robotic car with a smartphone through...
NodeMCU || Controlling and observing a robotic car with a smartphone through...
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 
SCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имяSCADA Strangelove: взлом во имя
SCADA Strangelove: взлом во имя
 
Machine Learning Tokyo - Deep Neural Networks for Video - NumberBoost
Machine Learning Tokyo - Deep Neural Networks for Video - NumberBoostMachine Learning Tokyo - Deep Neural Networks for Video - NumberBoost
Machine Learning Tokyo - Deep Neural Networks for Video - NumberBoost
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
 
the NML project
the NML projectthe NML project
the NML project
 
INET for Starters
INET for StartersINET for Starters
INET for Starters
 
Vlsi
VlsiVlsi
Vlsi
 
Vlsi
VlsiVlsi
Vlsi
 
Prj Vlsi Allabstract
Prj Vlsi AllabstractPrj Vlsi Allabstract
Prj Vlsi Allabstract
 
Prj Vlsi Allabstract
Prj Vlsi AllabstractPrj Vlsi Allabstract
Prj Vlsi Allabstract
 
Deep Neural Networks for Video Applications at the Edge
Deep Neural Networks for Video Applications at the EdgeDeep Neural Networks for Video Applications at the Edge
Deep Neural Networks for Video Applications at the Edge
 
The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?The (Io)Things you don't even need to hack. Should we worry?
The (Io)Things you don't even need to hack. Should we worry?
 
Basics of Embedded System
Basics of Embedded System Basics of Embedded System
Basics of Embedded System
 

Recently uploaded

John Deere Tractors 5415 Diagnostic Repair Service Manual.pdf
John Deere Tractors 5415 Diagnostic Repair Service Manual.pdfJohn Deere Tractors 5415 Diagnostic Repair Service Manual.pdf
John Deere Tractors 5415 Diagnostic Repair Service Manual.pdf
Excavator
 
一比一原版西安大略大学毕业证(UWO毕业证)成绩单原件一模一样
一比一原版西安大略大学毕业证(UWO毕业证)成绩单原件一模一样一比一原版西安大略大学毕业证(UWO毕业证)成绩单原件一模一样
一比一原版西安大略大学毕业证(UWO毕业证)成绩单原件一模一样
wsppdmt
 
如何办理(爱大毕业证书)爱丁堡大学毕业证成绩单留信学历认证真实可查
如何办理(爱大毕业证书)爱丁堡大学毕业证成绩单留信学历认证真实可查如何办理(爱大毕业证书)爱丁堡大学毕业证成绩单留信学历认证真实可查
如何办理(爱大毕业证书)爱丁堡大学毕业证成绩单留信学历认证真实可查
huxs9sacp
 
如何办理田纳西大学毕业证(UTK毕业证)成绩单原版一比一
如何办理田纳西大学毕业证(UTK毕业证)成绩单原版一比一如何办理田纳西大学毕业证(UTK毕业证)成绩单原版一比一
如何办理田纳西大学毕业证(UTK毕业证)成绩单原版一比一
fhjlokjhi
 
Obat Penggugur Kandungan Di Apotek Klinik Banyuwangi +6287776558899
Obat Penggugur Kandungan Di Apotek Klinik Banyuwangi +6287776558899Obat Penggugur Kandungan Di Apotek Klinik Banyuwangi +6287776558899
Obat Penggugur Kandungan Di Apotek Klinik Banyuwangi +6287776558899
Cara Menggugurkan Kandungan 087776558899
 
如何办理英国埃塞克斯大学毕业证(Essex毕业证书)毕业证成绩单原版一比一
如何办理英国埃塞克斯大学毕业证(Essex毕业证书)毕业证成绩单原版一比一如何办理英国埃塞克斯大学毕业证(Essex毕业证书)毕业证成绩单原版一比一
如何办理英国埃塞克斯大学毕业证(Essex毕业证书)毕业证成绩单原版一比一
avy6anjnd
 
一比一原版(Deakin毕业证书)迪肯大学毕业证成绩单留信学历认证
一比一原版(Deakin毕业证书)迪肯大学毕业证成绩单留信学历认证一比一原版(Deakin毕业证书)迪肯大学毕业证成绩单留信学历认证
一比一原版(Deakin毕业证书)迪肯大学毕业证成绩单留信学历认证
62qaf0hi
 
一比一原版伯明翰城市大学毕业证成绩单留信学历认证
一比一原版伯明翰城市大学毕业证成绩单留信学历认证一比一原版伯明翰城市大学毕业证成绩单留信学历认证
一比一原版伯明翰城市大学毕业证成绩单留信学历认证
62qaf0hi
 
如何办理美国华盛顿大学毕业证(UW毕业证书)毕业证成绩单原版一比一
如何办理美国华盛顿大学毕业证(UW毕业证书)毕业证成绩单原版一比一如何办理美国华盛顿大学毕业证(UW毕业证书)毕业证成绩单原版一比一
如何办理美国华盛顿大学毕业证(UW毕业证书)毕业证成绩单原版一比一
avy6anjnd
 

Recently uploaded (20)

John Deere Tractors 5415 Diagnostic Repair Service Manual.pdf
John Deere Tractors 5415 Diagnostic Repair Service Manual.pdfJohn Deere Tractors 5415 Diagnostic Repair Service Manual.pdf
John Deere Tractors 5415 Diagnostic Repair Service Manual.pdf
 
一比一原版西安大略大学毕业证(UWO毕业证)成绩单原件一模一样
一比一原版西安大略大学毕业证(UWO毕业证)成绩单原件一模一样一比一原版西安大略大学毕业证(UWO毕业证)成绩单原件一模一样
一比一原版西安大略大学毕业证(UWO毕业证)成绩单原件一模一样
 
Is Your Mercedes Benz Trunk Refusing To Close Here's What Might Be Wrong
Is Your Mercedes Benz Trunk Refusing To Close Here's What Might Be WrongIs Your Mercedes Benz Trunk Refusing To Close Here's What Might Be Wrong
Is Your Mercedes Benz Trunk Refusing To Close Here's What Might Be Wrong
 
Preparing for Transportation Electrification: The Electric Coop Perspective
Preparing for Transportation Electrification: The Electric Coop PerspectivePreparing for Transportation Electrification: The Electric Coop Perspective
Preparing for Transportation Electrification: The Electric Coop Perspective
 
如何办理(爱大毕业证书)爱丁堡大学毕业证成绩单留信学历认证真实可查
如何办理(爱大毕业证书)爱丁堡大学毕业证成绩单留信学历认证真实可查如何办理(爱大毕业证书)爱丁堡大学毕业证成绩单留信学历认证真实可查
如何办理(爱大毕业证书)爱丁堡大学毕业证成绩单留信学历认证真实可查
 
如何办理田纳西大学毕业证(UTK毕业证)成绩单原版一比一
如何办理田纳西大学毕业证(UTK毕业证)成绩单原版一比一如何办理田纳西大学毕业证(UTK毕业证)成绩单原版一比一
如何办理田纳西大学毕业证(UTK毕业证)成绩单原版一比一
 
Early Production Containment Training.pptx
Early Production Containment Training.pptxEarly Production Containment Training.pptx
Early Production Containment Training.pptx
 
Is Your Volvo XC90 Displaying Anti-Skid Service Required Alert Here's Why
Is Your Volvo XC90 Displaying Anti-Skid Service Required Alert Here's WhyIs Your Volvo XC90 Displaying Anti-Skid Service Required Alert Here's Why
Is Your Volvo XC90 Displaying Anti-Skid Service Required Alert Here's Why
 
Mercedes Check Engine Light Solutions Precision Service for Peak Performance
Mercedes Check Engine Light Solutions Precision Service for Peak PerformanceMercedes Check Engine Light Solutions Precision Service for Peak Performance
Mercedes Check Engine Light Solutions Precision Service for Peak Performance
 
Obat Penggugur Kandungan Di Apotek Klinik Banyuwangi +6287776558899
Obat Penggugur Kandungan Di Apotek Klinik Banyuwangi +6287776558899Obat Penggugur Kandungan Di Apotek Klinik Banyuwangi +6287776558899
Obat Penggugur Kandungan Di Apotek Klinik Banyuwangi +6287776558899
 
Seamless Driving Experience Premier Mini Cooper Clutch Solutions
Seamless Driving Experience Premier Mini Cooper Clutch SolutionsSeamless Driving Experience Premier Mini Cooper Clutch Solutions
Seamless Driving Experience Premier Mini Cooper Clutch Solutions
 
如何办理英国埃塞克斯大学毕业证(Essex毕业证书)毕业证成绩单原版一比一
如何办理英国埃塞克斯大学毕业证(Essex毕业证书)毕业证成绩单原版一比一如何办理英国埃塞克斯大学毕业证(Essex毕业证书)毕业证成绩单原版一比一
如何办理英国埃塞克斯大学毕业证(Essex毕业证书)毕业证成绩单原版一比一
 
一比一原版(Deakin毕业证书)迪肯大学毕业证成绩单留信学历认证
一比一原版(Deakin毕业证书)迪肯大学毕业证成绩单留信学历认证一比一原版(Deakin毕业证书)迪肯大学毕业证成绩单留信学历认证
一比一原版(Deakin毕业证书)迪肯大学毕业证成绩单留信学历认证
 
Effortless Driving Experience Premier Mercedes Sprinter Suspension Service
Effortless Driving Experience Premier Mercedes Sprinter Suspension ServiceEffortless Driving Experience Premier Mercedes Sprinter Suspension Service
Effortless Driving Experience Premier Mercedes Sprinter Suspension Service
 
Exploring the Heart of Alberta: A Journey from Calgary to Edmonton
Exploring the Heart of Alberta: A Journey from Calgary to EdmontonExploring the Heart of Alberta: A Journey from Calgary to Edmonton
Exploring the Heart of Alberta: A Journey from Calgary to Edmonton
 
01552_14_01306_8.0_EPS_CMP_SW_VC2_Notebook.doc
01552_14_01306_8.0_EPS_CMP_SW_VC2_Notebook.doc01552_14_01306_8.0_EPS_CMP_SW_VC2_Notebook.doc
01552_14_01306_8.0_EPS_CMP_SW_VC2_Notebook.doc
 
John deere 7200r 7230R 7260R Problems Repair Manual
John deere 7200r 7230R 7260R Problems Repair ManualJohn deere 7200r 7230R 7260R Problems Repair Manual
John deere 7200r 7230R 7260R Problems Repair Manual
 
一比一原版伯明翰城市大学毕业证成绩单留信学历认证
一比一原版伯明翰城市大学毕业证成绩单留信学历认证一比一原版伯明翰城市大学毕业证成绩单留信学历认证
一比一原版伯明翰城市大学毕业证成绩单留信学历认证
 
如何办理美国华盛顿大学毕业证(UW毕业证书)毕业证成绩单原版一比一
如何办理美国华盛顿大学毕业证(UW毕业证书)毕业证成绩单原版一比一如何办理美国华盛顿大学毕业证(UW毕业证书)毕业证成绩单原版一比一
如何办理美国华盛顿大学毕业证(UW毕业证书)毕业证成绩单原版一比一
 
EV Charging Resources and Technical Assistance for Rural Communities and Trib...
EV Charging Resources and Technical Assistance for Rural Communities and Trib...EV Charging Resources and Technical Assistance for Rural Communities and Trib...
EV Charging Resources and Technical Assistance for Rural Communities and Trib...
 

Tesla hacking presentation

  • 2. Jasper Nuyens jasper@linux.com +32478978967 Managing Director Linux Belgium http://www.linuxbe.com Only interested in cars since Tesla (and very critical in the beginning) ‘Tesla only’ company car policy (on the waiting list)
  • 3. Content 1. Disclaimer and the obvious questions 2. The car 3. The mission 4. Components and network layout 5. How to access 6. Hacks performed by other people 7. Hacks performed by me 8. How ‘hacker friendly’ are Tesla Service and Elon Musk? 9. Other questions 10. Q&A
  • 4. 1. Disclaimer and the obvious questions Jasper Nuyens
  • 5. 1. Disclaimer and the obvious questions Disclaimer - I am a Tesla customer, not a Tesla supplier or employee - Tesla hacking might be dangerous: it is a +2t car with electric propulsion, electronically steered and with a high voltage battery - Uncertain what the level of ‘endorsement’ is by Tesla, both officially and unofficially
  • 6. 1. Disclaimer and the obvious questions Disclaimer - It might void the warranty, it might not. The Tesla warranty by default covers ‘everything’. I am not a trained mechanic (this is the first car I actually work on aside from replacing a lamp). So if I break something, I don’t claim warranty on it and pay for the repair (Tesla is very reasonable till now)
  • 7. 1. Disclaimer and the obvious questions Disclaimer - I might create extra work for Tesla Service - I try to avoid that, and create my hacks as much as possible in a forward and backward compatible way to prevent unforeseen events: Tesla Service are ‘car people’, not Linux sysadmins and developers such as us - Your experience with Tesla Service might differ
  • 8. 1. Disclaimer and the obvious questions Disclaimer - I might create extra work for Tesla Service - I try to avoid that, and create my hacks as much as possible in a forward and backward compatible way to prevent unforeseen events: Tesla Service are ‘car people’, not Linux sysadmins and developers such as us - Your experience with Tesla Service might differ
  • 9. 1. Disclaimer and the obvious questions WWW!? - Wife! - Warranty? - Why?
  • 10. 2. The car Model X, Enhanced Autopilot 2.0 75kWh battery, premium interior, towing package…
  • 11. 2. The car “Once you drive electric, there’s no going back” Range: officially 310km in practice between 230 and 310km decreases range: high speed, cold weather never having to go to the petrol station Supercharging network for long distance: charges at 500km per hour; no waiting required Autopilot: not fully self driving yet, but improving (slowly), newest generation of software is just starting
  • 12. 3. The mission Tesla’s mission is: “Accelerate the world's  transition to sustainable energy.” In our case, we drove 38.000 km in 1 year with our Model X. We generated the electricity from our solar roof. This avoided air pollution of: 8755kg CO2 I used to point to the ecological footprint of production, but that’s about the same with regular cars versus electric cars. And Tesla doesn’t use cobalt from Congo. Nor ‘real’ leather. Obviously it’s better for the environment to just walk or bike.
  • 13. 3. The mission Tesla is very high valued compared to the number of car it produces. But it also makes domestic and grid-level batteries (important for dealing with the fluctuations with solar and wind energy) And builds solar panels.
  • 14. 4. Components and network layout - Instrument Cluster (ic) behind steering wheel 192.168.90.101 - Big screen (cid) in the middle 192.168.90.100 - Gateway 192.168.90.102
  • 15. 4. Components and network layout Instrument Cluster (ic) behind steering wheel 192.168.90.101 Custom version of NVidia Tegra 2 SoC cat /proc/cpuinfo Processor : ARMv7 Processor rev 0 (v7l) processor : 0 BogoMIPS : 897.84 processor : 1 BogoMIPS : 897.84 Features : swp half thumb fastmult vfp edsp vfpv3 vfpv3d16 CPU implementer : 0x41 CPU architecture: 7 CPU variant : 0x1 CPU part : 0xc09 CPU revision : 0 Hardware : Tegra P852 SKU8 C01 Revision : 0000 Serial : 1f78400042408317 Boots squashfs compressed read-only filesystem, /var is writeable Steering wheel buttons are attached to the ic and the input is sent over Ethernet using the (undocumented) ‘Vehicle API’ Settings are stored in sqlite3 db
  • 16. 4. Components and network layout Massive multimedia 19”screen (cid) in the middle of the car 192.168.90.100 NXP i.MX6 quad core (till last month - now replaced with Intel Atom based board, also in the Model 3) Includes (relatively crappy) Qt based Web browser Runs Spotify and allows to control most settings
  • 17. 4. Components and network layout root@ic:~# nmap -v -p 1-65535 -sV -O -sS -T5 192.168.90.100 Not shown: 65090 closed ports, 419 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.5p1 Debian 4ubuntu4 (Ubuntu Linux; protocol 2.0) 53/tcp open domain dnsmasq 2.78 111/tcp open rpcbind 2 (RPC #100000) 2049/tcp open nfs 2-4 (RPC #100003) 4030/tcp open unknown 4032/tcp open unknown 4037/tcp open unknown 4050/tcp open unknown 4060/tcp open unknown 4070/tcp open unknown 4090/tcp open omasgport? 4092/tcp open unknown 4094/tcp open unknown 4096/tcp open bre? 4102/tcp open unknown 4110/tcp open unknown 4160/tcp open unknown 4170/tcp open unknown 4220/tcp open vrml-multi-use? 4280/tcp open unknown 4500/tcp open sae-urn? 20564/tcp open unknown 25956/tcp open unknown 43164/tcp open nlockmgr 1-4 (RPC #100021) 43427/tcp open status 1 (RPC #100024) 43546/tcp open mountd 1-3 (RPC #100005)
  • 18. 4. Components and network layout Gateway 192.168.90.102 Runs FreeRTOS on Freescale MPC5668G
 592 KB embedded RAM Is attached to the 6 CAN-busses: - Trunk, doors,… - Vehicle speed, engine speed,… - Chassis - BFT - ODBII
  • 19. 4. Components and network layout Gateway 192.168.90.102 firmware name: gtw.hex located on the sd card of the CID In the past, it contained in clear text the (unique) pw to get acces. Was a ‘point of entry’, closed by Tesla.
  • 20. 5. How to access Which data paths exist? Internet: - nightmare of Elon Musk - access from the Tesla Android or IOS App - mothership.tesla.com Internal Ethernet network: - physical connection below CID for Service Centers - physical connection between IC and CID CAN busses: - typical ‘old school car modding’, will phase out (probably)
  • 21. 5. How to access Dilemma: you want to get inside your own Linux systems but you don’t want people to be able to abuse it. So,… break open your brand new 118.000,- Euro Model X. Only 1 tool required, brute force, and balls. Especially if it’s the first time you crack open a car! Beware of the wife ;-)
  • 22. 5. How to access
  • 23. 5. How to access
  • 24. 5. How to access
  • 25. 5. How to access
  • 26. 5. How to access Careful with the special connector which provides power and more (click mechanism)!
  • 27. 5. How to access Experiment with how the wiring to the Ethernet is done.
  • 28. 5. How to access Fakra? 4 Ethernet wires: green, orange green/white orange/white Test: scroll volume
  • 29. 5. How to access
  • 30. 5. How to access Better (version 2):
  • 31. 5. How to access Ethernet (Fakra) from CID to switch Ethernet (Fakra) from IC to switch Extra ethernet cable below CID for attaching laptop Ethernet cable for Raspberry Pi for wired and/or wireless network Raspberry Pi allows to modify stuff ‘permanently’ without changing something to the rootfs Easy access at a side panel to ‘reverse’ all changes (before going back to Tesla Service)
  • 32. 6. Hacks performed by other people Tesla itself created ‘Easter Eggs’ like Model X Chrismas Tree, Mars driving map, drawing app,… 3 minute movie https://www.youtube.com/watch?v=1fmm6Hg7k1U
  • 33. 6. Hacks performed by other people All IC’s can be accessed using the same (leaked) ssh key for the root account (once you are on the Ethernet network between IC and CID). Might not remain so after an update. Ethernet port below CID is only enabled after mothership opens it for Tesla Service through their own cryptographically signed applications/internal network.
  • 34. 6. Hacks performed by other people Replacing an image on Instrument Cluster
  • 35. 6. Hacks performed by other people Playing a movie on the central display (first version) https://www.youtube.com/watch?v=c1Kmqz9UyaE
  • 36. 6. Hacks performed by other people Replacing an image on Instrument Cluster (old MS)
  • 37. 7. Hacks performed by me Replacing lots of images ‘subtle’ to add the Linux Belgium logo.
  • 38. 7. Hacks performed by me Replacing lots of images ‘subtle’ to add the Linux Belgium logo.
  • 39. 7. Hacks performed by me Images stored in /usr/tesla/UI/assets/night/car/modelx/ No permanent changes are made: small script to bind mount the individual files from /var/added and relaunch the Qt based IC process (beware of wife). Automatically launched when rpi starts and re-verifies every minute out of crontab. root@ic:~# crontab -l * * * * /teslascript.sh > /dev/null 2>&1
  • 40. 7. Hacks performed by me cat /teslascript.sh #!/bin/bash nohup ssh -i /root/id_dsa root@192.168.90.101 bash /var/added/addedtotesla.sh & ON IC: bash /var/added/mount-modfiles.sh cat mount-modfiles.sh #!/bin/bash #if an argument is provided multiple directories are allowed #first umount for bindmount in $(mount | grep bind | awk '{ print $1 }') do umount $bindmount done cd /var/added/modfiles$1 for modfile in $(find . -type f) do mount --bind $modfile /$modfile done
  • 41. 7. Hacks performed by me Gives: mount /dev/mmcblk3p3 on /var type ext3 (rw,noexec,nosuid,nodev,data=ordered,barrier=1,commit=20) /dev/mmcblk3p4 on /home type ext3 (rw,noexec,nosuid,nodev,data=ordered,barrier=1,commit=20) none on /var/run type tmpfs (rw) none on /var/lock type tmpfs (rw) cid:/opt/navigon on /opt/navigon type nfs (ro,noexec,nosuid,nodev,nolock,soft,fg,intr,retry=1,retrans=10,addr=192.168.90.100) /var/added/modfiles/home/tesla/.Tesla/data/QtCarClusterSettings.db on /home/tesla/.Tesla/data/QtCarClusterSettings.db type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/doors/trunk_closed_paint.png on /usr/tesla/UI/assets/night/car/ modelx/doors/trunk_closed_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/doors/trunk_open.png on /usr/tesla/UI/assets/night/car/modelx/doors/ trunk_open.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/drive/body_paint.png on /usr/tesla/UI/assets/night/car/modelx/drive/ body_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/hero/frunk_open_paint.png on /usr/tesla/UI/assets/night/car/modelx/ hero/frunk_open_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/hero/frunk_closed_paint.png on /usr/tesla/UI/assets/night/car/modelx/ hero/frunk_closed_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/top/frunk_open.png on /usr/tesla/UI/assets/night/car/modelx/top/ frunk_open.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/top/frunk_closed_paint.png on /usr/tesla/UI/assets/night/car/modelx/ top/frunk_closed_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/park/car_paint.png on /usr/tesla/UI/assets/night/car/modelx/park/ car_paint.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/ghost/body-5.png on /usr/tesla/UI/assets/night/car/modelx/ghost/ body-5.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/about/badge_model_x.png on /usr/tesla/UI/assets/night/about/badge_model_x.png type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/cluster/background_noise.jpg on /usr/tesla/UI/assets/night/cluster/ background_noise.jpg type none (rw,bind) /var/added/modfiles/usr/tesla/UI/assets/night/cluster/hi_res/badges/badge_model_x.png on /usr/tesla/UI/assets/night/cluster/ hi_res/badges/badge_model_x.png type none (rw,bind)
  • 42. 7. Hacks performed by me And then the script does: killall -HUP QtCarCluster The monitoring on the IC will restart the process fairly rapidly (beware of wife if you do this while driving)
  • 43. 7. Hacks performed by me Images stored in /usr/tesla/UI/assets/night/car/modelx/ No permanent changes are made: small script to bind mount the individual files and relaunch the Qt based IC process (beware of wife). 7. Hacks performed by me
  • 44. 7. Hacks performed by me Next step… - Color animation script! cat moonshine.sh #!/bin/bash export DISPLAY=:0.0 while true do for color in rgamma ggamma bgamma do for gamma in 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0 do xgamma -${color} $gamma 2> /dev/null sleep 0.1 done done done https://www.youtube.com/watch?v=XfkuS-ypUTU
  • 45. 7. Hacks performed by me Discovered: Sound is sent over the Ethernet network :) cat gameofthrones.wav | nc 192.168.90.100 4102 Possibility for denial of service attack? (yet not practical) Special sound format needed: file park_assist_red_repeat.wav park_assist_red_repeat.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 48000 Hz RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 48000 Hz Something like this: sox -S --norm gameofthrones-orig.wav -c 1 -r 48000 gameofthrones-good-format.wav reverse silence 1 0 0.05 reverse pad 0 0.100
  • 46. 7. Hacks performed by me Discovered: - Every day a new ‘token’ received in: /var/etc/saccess/tesla1 - SQLite3 database containing settings /home/tesla/.Tesla/data/QtCarClusterSettings.db sqlite3 QtCarClusterSettings.db sqlite> select key, quote(value) from data; select key, quote(value) from data where key='DataValues/GUI_developerMode'; DataValues/GUI_developerMode|X’000000010000' UPDATE data SET value=X'000000010001' WHERE key='DataValues/GUI_developerMode'; Might be GPS-location locked?
  • 47. 7. Hacks performed by me What’s next? Possibility to run Chrome on Rpi and display on-screen for dynamic content Waze was originally an OpenSource program, this code still exists, I cross-compiled it on Rpi, but don’t have the GPS provider integrated yet, nor know if the map server still works Ultimate goal create an alternative ‘xmas show’ with own choreography and music (because it means I can control about everything from the car)
  • 48. 8. How ‘hacker friendly’ are Tesla Service and Elon Musk? Elon Musk has tweeted a few times he likes people to tinker with his cars. My Tesla Service rep stated it’s “officially not allowed” but they like my work and have been very supportive (within limits)
  • 49. 8. How ‘hacker friendly’ are Tesla Service and Elon Musk? Is Dell stopping support for a motherboard problem with a server if you replaced the hard drive yourself? No. Yet, Tesla Service are ‘car people’ instead of ‘Linux Hackers’. I am honest about stuff I broke myself. 1) too many screws after reassembly 2) I broke a small plastic cover 3) I broke the upgrade mechanism
  • 50. 8. How ‘hacker friendly’ are Tesla Service and Elon Musk? I am not interested in doing illegal things like: - changing the VIN number (it might help stolen car sales) - faking the mileage - abusing the (free) data usage I prefer also not to: - touch the can bus directly - mess with the autopilot (I prefer to live ;) - mess with the drive motor steering
  • 51. 9. Other questions “Long tailpipe Myth”: Driving electric on coal generated electrity. -> no grid is 100% coal, it’s always a small minority -> would still be far less CO2 including counting for distribution (because ICE cars are so inefficient) “How to go on holiday”: - At home in the morning it’s always full - Never visit petrol station - Supercharging network for long distance; charging at 500km per hour.
  • 53. 9. Other questions Or use other (slower) charging networks…
  • 54. 9. Other questions Or use one of these ‘hard to find’ things:
  • 55. 10. Q&A So Long, and Thanks for All the Fish