This document discusses hacking a Tesla Model X. It begins with disclaimers about safety and an overview of the car's specifications. It then discusses the mission of accelerating sustainable energy adoption. Components and the internal network layout are outlined, including the Instrument Cluster, central display, and gateway. Methods for accessing the system like an Ethernet connection are described. Hacks performed by others like custom displays and a movie are briefly mentioned. The author's own hacks of subtly customizing images to add logos are discussed. Issues with Tesla closing entry points after exploits are found are noted.
Tesla hacking presentation 'jaarbeurs World of Technology and Science' Octobe...Jasper Nuyens
Presentation about Tesla Hacking given at Jaarbeurs in Utrecht. World of Technology and Science, cybersecurity track. I removed the firmware download link upon (a kind) request by Tesla, as it might pose regulatory issues in certain regions.
3. Content
1. Disclaimer and the obvious questions
2. The car
3. The mission
4. Components and network layout
5. How to access
6. Hacks performed by other people
7. Hacks performed by me
8. How ‘hacker friendly’ are Tesla Service and Elon Musk?
9. Other questions
10. Q&A
4. 1. Disclaimer and the obvious questions
Disclaimer
- I am a Tesla customer, not a Tesla supplier or employee
- Tesla hacking could be dangerous: it is a +2t car with electric propulsion, electronically steered and with a high voltage battery. Yet all drive controls keep on working even when 2 Linux systems are restarted during driving.
- Uncertain what the level of ‘endorsement’ is by Tesla, both officially and unofficially, we are optimistic :)
5. 2. The car
Model X, Enhanced Autopilot 2.0
75kWh battery, premium interior, towing package…
6. 2. The car
“Once you drive electric, there’s no going back”
Range: officially about 320km
in practice between 230 and 350km
decreases range: high speed, cold weather
never having to go to the petrol station
start ‘full’ every morning
Supercharging network for long distance: charges at 500km per hour (120kW); no waiting required (lunch, toilet,…)
Ok to drive 1000km per day.
Autopilot: not fully self driving yet, but improving (slowly), newest generation of software is just starting to learn.
7. 3. The mission
Tesla’s mission is: “Accelerate the world's transition to sustainable energy.”
In our case, we drove 38.000 km in 1 year with our Model X. We generated the electricity from our solar roof. This avoided air pollution of: 8755kg CO2
I used to point to the ecological footprint of production, but that’s about the same with regular cars versus electric cars.
And Tesla doesn’t use cobalt from Congo.
Nor ‘real’ leather.
Obviously it’s better for the environment to just walk or bike.
8. 4. Components and network layout
- Instrument Cluster (ic) behind steering wheel: 192.168.90.101
- Big screen (cid) in the middle: 192.168.90.100
- Gateway (gw): 192.168.90.102
- Autopilot (ape): 192.168.90.103
- lb (ape gw): 192.168.90.104
9. 4. Components and network layout
Instrument Cluster (ic) behind steering wheel
192.168.90.101
Custom version of NVidia Tegra 2 SoC
cat /proc/cpuinfo
Processor : ARMv7 Processor rev 0 (v7l)
processor : 0
BogoMIPS : 897.84
processor : 1
BogoMIPS : 897.84
Features : swp half thumb fastmult vfp edsp vfpv3 vfpv3d16
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x1
CPU part : 0xc09
CPU revision : 0
Hardware : Tegra P852 SKU8 C01
Revision : 0000
Serial : 1f78400042408317
Boots squashfs compressed read-only filesystem, /var is writeable
Steering wheel buttons are attached to the ic and the input is sent over Ethernet using the (undocumented) ‘Vehicle API’
Settings are stored in sqlite3 db
10. 4. Components and network layout
Massive multimedia 19” screen (cid) in the middle of the car
192.168.90.100
NVIDIA quad core (till last month - new cars have it replaced with Intel based board, like in the Model 3)
Includes Qt based Web browser
Runs Spotify and allows to control most car settings, doors and so on…
11. 4. Components and network layout
root@ic:~# nmap -v -p 1-65535 -sV -O -sS -T5 192.168.90.100
Not shown: 65090 closed ports, 419 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 4ubuntu4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain dnsmasq 2.78
111/tcp open rpcbind 2 (RPC #100000)
2049/tcp open nfs 2-4 (RPC #100003)
4030/tcp open unknown
4032/tcp open unknown
4037/tcp open unknown
4050/tcp open unknown
4060/tcp open unknown
4070/tcp open unknown
4090/tcp open omasgport?
4092/tcp open unknown
4094/tcp open unknown
4096/tcp open bre?
4102/tcp open unknown
4110/tcp open unknown
4160/tcp open unknown
4170/tcp open unknown
4220/tcp open vrml-multi-use?
4280/tcp open unknown
4500/tcp open sae-urn?
20564/tcp open unknown
25956/tcp open unknown
43164/tcp open nlockmgr 1-4 (RPC #100021)
43427/tcp open status 1 (RPC #100024)
43546/tcp open mountd 1-3 (RPC #100005)
12. 4. Components and network layout
cat /proc/cpuinfo
processor : 0
model name : ARMv7 Processor rev 9 (v7l)
BogoMIPS : 1795.68
Features : half thumb fastmult vfp edsp thumbee neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
processor : 1
model name : ARMv7 Processor rev 9 (v7l)
BogoMIPS : 1795.68
Features : half thumb fastmult vfp edsp thumbee neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
processor : 2
model name : ARMv7 Processor rev 9 (v7l)
BogoMIPS : 1795.68
Features : half thumb fastmult vfp edsp thumbee neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
processor : 3
model name : ARMv7 Processor rev 9 (v7l)
BogoMIPS : 1795.68
Features : half thumb fastmult vfp edsp thumbee neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 9
Hardware : NVIDIA Tegra SoC (Flattened Device Tree)
Revision : 0000
Serial : 0000005E1XXXXXXX
13. 4. Components and network layout
Gateway
192.168.90.102
Runs FreeRTOS on Freescale MPC5668G
592 KB embedded RAM
Is attached to the 6 CAN-busses:
- Trunk, doors,…
- Vehicle speed, engine speed,…
- Chassis
- BFT
- OBDII
14. 4. Components and network layout
Gateway
192.168.90.102
firmware name: gtw.hex
located on the sd card of the CID
In the past, it contained in clear text the (unique) pw to get access. Was a ‘point of entry’, closed by Tesla.
15. SMALL PROBLEM
Unaligned interests between Tesla and Hackers for now:
- if a new exploit is discovered by creative car owners, and Tesla finds out how, they close the entry point.
GREAT!
BUT NOT GREAT if it’s the only way to gain access.
We hope in the future Tesla will allow owners a simple or controlled way to gain root.
16. 5. How to access
Which data paths exist?
Internet:
- nightmare of Elon Musk
- access from the Tesla Android or iOS App
- mothership.tesla.com
Internal Ethernet network:
- physical connection below CID for Service Centers
- physical connection between IC and CID
CAN busses:
- typical ‘old school car modding’, will probably disappear
26. 5. How to access
1st way:
Ethernet (Fakra) from CID to switch
Ethernet (Fakra) from IC to switch
Extra ethernet cable below CID for attaching laptop
Ethernet cable for Raspberry Pi for wired and/or wireless network
Raspberry Pi allows to modify stuff ‘permanently’ without changing something to the rootfs
Easy access at a side panel to ‘reverse’ all changes (before going back to Tesla Service)
27. 5. How to access
2nd step:
Reverse ssh tunnel directly from CID
-> allows hacking in bed and on holiday :-D
-> allows a chrooted ubuntu on a USB stick (with a powered USB hub).
28. 6. Hacks performed by other people
Tesla itself created ‘Easter Eggs’ like Model X Christmas Tree, Mars driving map, drawing app,…
3 minute movie
https://www.youtube.com/watch?v=1fmm6Hg7k1U
29. 6. Hacks performed by other people
All IC’s can be accessed using the same (leaked) ssh key for the root account (once you are on the Ethernet network between IC and CID). Might not remain so after an update?
Ethernet port below CID is only enabled after mothership opens it for Tesla Service through their own cryptographically signed applications/internal network.
Access from IC to CID is restricted (was a dead end).
30. 6. Hacks performed by other people
Replacing an image on Instrument Cluster
31. 6. Hacks performed by other people
Playing a movie on the central display (first version)
https://www.youtube.com/watch?v=c1Kmqz9UyaE
32. 6. Hacks performed by other people
Replacing an image on Instrument Cluster (1st gen MS)
33. 7. Hacks performed by me
Replacing lots of images ‘subtle’ to add the Linux Belgium logo.
34. 7. Hacks performed by me
Replacing lots of images ‘subtle’ to add the Linux logo - and a ‘peace’ sign.
35. 7. Hacks performed by me
Images stored in /usr/tesla/UI/assets/night/car/modelx/
No permanent changes are made: small script to bind mount the individual files from /var/added and relaunch the Qt based IC process (beware of wife).
Automatically launched when rpi starts and re-verifies every minute out of crontab.
root@ic:~# crontab -l
* * * * * /teslascript.sh > /dev/null 2>&1
36. 7. Hacks performed by me
cat /teslascript.sh
#!/bin/bash
nohup ssh -i /root/id_dsa root@192.168.90.101 bash /var/added/addedtotesla.sh &
ON IC:
bash /var/added/mount-modfiles.sh
cat mount-modfiles.sh
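#!/bin/bash
# Bind-mounts every file under /var/added/modfiles over the file with the
# same path on the read-only rootfs.
# if an argument is provided, multiple directories are allowed (modfiles$1)

# first umount the bind mounts that are already in place
for bindmount in $(mount | grep bind | awk '{ print $1 }')
do
    umount "$bindmount"
done

# stop if the directory is missing, so find never runs from the wrong place
cd "/var/added/modfiles$1" || exit 1
for modfile in $(find . -type f)
do
    mount --bind "$modfile" "/$modfile"
done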
37. 7. Hacks performed by me
Gives:
mount
/dev/mmcblk3p3 on /var type ext3 (rw,noexec,nosuid,nodev,data=ordered,barrier=1,commit=20)
/dev/mmcblk3p4 on /home type ext3 (rw,noexec,nosuid,nodev,data=ordered,barrier=1,commit=20)
none on /var/run type tmpfs (rw)
none on /var/lock type tmpfs (rw)
cid:/opt/navigon on /opt/navigon type nfs (ro,noexec,nosuid,nodev,nolock,soft,fg,intr,retry=1,retrans=10,addr=192.168.90.100)
/var/added/modfiles/home/tesla/.Tesla/data/QtCarClusterSettings.db on /home/tesla/.Tesla/data/QtCarClusterSettings.db type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/doors/trunk_closed_paint.png on /usr/tesla/UI/assets/night/car/modelx/doors/trunk_closed_paint.png type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/doors/trunk_open.png on /usr/tesla/UI/assets/night/car/modelx/doors/trunk_open.png type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/drive/body_paint.png on /usr/tesla/UI/assets/night/car/modelx/drive/body_paint.png type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/hero/frunk_open_paint.png on /usr/tesla/UI/assets/night/car/modelx/hero/frunk_open_paint.png type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/hero/frunk_closed_paint.png on /usr/tesla/UI/assets/night/car/modelx/hero/frunk_closed_paint.png type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/top/frunk_open.png on /usr/tesla/UI/assets/night/car/modelx/top/frunk_open.png type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/top/frunk_closed_paint.png on /usr/tesla/UI/assets/night/car/modelx/top/frunk_closed_paint.png type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/park/car_paint.png on /usr/tesla/UI/assets/night/car/modelx/park/car_paint.png type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/car/modelx/ghost/body-5.png on /usr/tesla/UI/assets/night/car/modelx/ghost/body-5.png type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/about/badge_model_x.png on /usr/tesla/UI/assets/night/about/badge_model_x.png type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/cluster/background_noise.jpg on /usr/tesla/UI/assets/night/cluster/background_noise.jpg type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/cluster/hi_res/badges/badge_model_x.png on /usr/tesla/UI/assets/night/cluster/hi_res/badges/badge_model_x.png type none (rw,bind)
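Seen from the detection side, the mount table above is the tell: files on the read-only rootfs are being served from writable storage. The following is an added example (not code from the presentation or from Tesla) that flags such overlays; it goes beyond the slide by also reading `/proc/self/mountinfo`, which still exposes these mounts on systems where `mount` does not print `bind`. The `/var` writable prefix is taken from the slides; the sample lines and device numbers are constructed.

```python
import re
from typing import NamedTuple


class Overlay(NamedTuple):
    source: str  # file on writable storage that supplies the content
    target: str  # path whose visible content is replaced


# Constructed sample in the legacy `mount` format shown on the slide.
SAMPLE_MOUNT = """\
/dev/mmcblk3p3 on /var type ext3 (rw,noexec,nosuid,nodev,data=ordered,barrier=1,commit=20)
none on /var/run type tmpfs (rw)
cid:/opt/navigon on /opt/navigon type nfs (ro,noexec,nosuid,nodev,nolock,soft,addr=192.168.90.100)
/var/log on /var/added/log type none (rw,bind)
/var/added/modfiles/usr/tesla/UI/assets/night/about/badge_model_x.png on /usr/tesla/UI/assets/night/about/badge_model_x.png type none (rw,bind)
/var/added/modfiles/home/tesla/.Tesla/data/QtCarClusterSettings.db on /home/tesla/.Tesla/data/QtCarClusterSettings.db type none (rw,bind)
"""

# Constructed /proc/self/mountinfo lines (device numbers are made up).
# Fields: id parent major:minor root mountpoint options [optional...] - fstype source superopts
SAMPLE_MOUNTINFO = """\
15 1 179:2 / / ro,relatime - squashfs /dev/root ro
20 15 179:3 / /var rw,nosuid,nodev,noexec - ext3 /dev/mmcblk3p3 rw,data=ordered
31 15 179:3 /added/modfiles/usr/tesla/UI/assets/night/about/badge_model_x.png /usr/tesla/UI/assets/night/about/badge_model_x.png rw,nosuid,nodev,noexec - ext3 /dev/mmcblk3p3 rw,data=ordered
"""

LEGACY = re.compile(r"^(?P<src>.+?) on (?P<tgt>.+?) type (?P<fs>\S+) \((?P<opts>[^)]*)\)$")


def _under(path, prefixes):
    """True if path is one of the prefixes or lies below one of them."""
    return any(path == p.rstrip("/") or path.startswith(p.rstrip("/") + "/")
               for p in prefixes)


def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def overlays_from_mount(text, writable=("/var",)):
    """Bind mounts whose content comes from writable storage but whose
    mount point lies outside it, read from legacy `mount` output."""
    found = []
    for line in text.splitlines():
        m = LEGACY.match(line.strip())
        if not m or "bind" not in m["opts"].split(","):
            continue
        if _under(m["src"], writable) and not _under(m["tgt"], writable):
            found.append(Overlay(m["src"], m["tgt"]))
    return found


def overlays_from_mountinfo(text, writable=("/var",)):
    """Same check on mountinfo: a bind mount has a root field other than "/"."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "-" not in fields:
            continue  # not a mountinfo record
        rows.append((fields[2], _unescape(fields[3]), _unescape(fields[4])))
    # Where each filesystem is mounted in full, keyed by major:minor.
    base = {dev: mnt for dev, root, mnt in rows if root == "/"}
    found = []
    for dev, root, mnt in rows:
        if root == "/" or dev not in base:
            continue
        src = base[dev].rstrip("/") + root  # path of the backing file
        if _under(src, writable) and not _under(mnt, writable):
            found.append(Overlay(src, mnt))
    return found


if __name__ == "__main__":
    for o in overlays_from_mount(SAMPLE_MOUNT) + overlays_from_mountinfo(SAMPLE_MOUNTINFO):
        print(f"OVERLAY {o.target} <- {o.source}")
```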
38. 7. Hacks performed by me
And then the script does:
killall -HUP QtCarCluster
The monitoring on the IC will restart the process fairly rapidly (beware of wife if you do this while driving)
39. 7. Hacks performed by me
Images stored in /usr/tesla/UI/assets/night/car/modelx/
No permanent changes are made: small script to bind mount the individual files and relaunch the Qt based IC process (beware of wife).
40. 7. Hacks performed by me
Next step…
- Color animation script!
cat moonshine.sh
#!/bin/bash
# Fade the red, green and blue gamma of the X display down to 0.1 and back to 1.0, forever
export DISPLAY=:0.0
while true
do
    for color in rgamma ggamma bgamma
    do
        for gamma in 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0
        do
            xgamma -${color} $gamma 2> /dev/null
            sleep 0.1
        done
    done
done
https://www.youtube.com/watch?v=XfkuS-ypUTU
41. 7. Hacks performed by me
Discovered:
Sound is sent over the Ethernet network :)
cat gameofthrones.wav | nc 192.168.90.100 4102
Possibility for denial of service attack? (yet not practical)
Special sound format needed:
file park_assist_red_repeat.wav
park_assist_red_repeat.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 48000 Hz
Something like this:
sox -S --norm gameofthrones-orig.wav -c 1 -r 48000 gameofthrones-good-format.wav reverse silence 1 0 0.05 reverse pad 0 0.100
42. 7. Hacks performed by me
Discovered:
- Every day a new ‘token’ received in:
/var/etc/saccess/tesla1
- SQLite3 database containing settings
/home/tesla/.Tesla/data/QtCarClusterSettings.db
sqlite3 QtCarClusterSettings.db
sqlite> select key, quote(value) from data;
select key, quote(value) from data where key='DataValues/GUI_developerMode';
DataValues/GUI_developerMode|X'000000010000'
UPDATE data SET value=X'000000010001' WHERE key='DataValues/GUI_developerMode';
Might be GPS-location locked?
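Because the settings live in an ordinary SQLite file on the writable partition, a changed flag is easy to detect by comparing against a known-good snapshot. The following is an added example, not code from the presentation: the table name `data` and its `key`/`value` columns come from the query above, while the rest of the schema, the second key, and the reading of the 6-byte blob as a Qt-serialized bool (4-byte type id 1, a null flag, one value byte) are assumptions.

```python
import sqlite3
import struct

QVARIANT_BOOL = 1  # Qt type id for bool (assumed encoding, see lead-in)


def decode_qvariant_bool(blob):
    """Return True/False for a 6-byte serialized bool, or None for anything else."""
    if not isinstance(blob, bytes) or len(blob) != 6:
        return None
    type_id, is_null, value = struct.unpack(">IBB", blob)
    if type_id != QVARIANT_BOOL or is_null or value not in (0, 1):
        return None
    return bool(value)


def snapshot(conn):
    """Read the whole settings table into a dict keyed by setting name."""
    return dict(conn.execute("SELECT key, value FROM data"))


def diff_settings(baseline, current):
    """List (key, old, new) for every key added, removed or changed."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes.append((key, old, new))
    return changes


def describe(value):
    """Human-readable form of a stored value for the report."""
    flag = decode_qvariant_bool(value)
    if flag is not None:
        return f"bool {flag}"
    return "blob " + value.hex() if isinstance(value, bytes) else repr(value)


def build_sample_db():
    # Constructed database; only the first key appears in the presentation.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (key TEXT PRIMARY KEY, value BLOB)")
    conn.executemany("INSERT INTO data VALUES (?, ?)", [
        ("DataValues/GUI_developerMode", bytes.fromhex("000000010000")),
        ("DataValues/GUI_sampleFlag", bytes.fromhex("000000010001")),
    ])
    return conn


def demo():
    conn = build_sample_db()
    baseline = snapshot(conn)
    # The change shown on the slide, applied after the baseline was taken.
    conn.execute("UPDATE data SET value = X'000000010001' "
                 "WHERE key = 'DataValues/GUI_developerMode'")
    return [(k, describe(o), describe(n))
            for k, o, n in diff_settings(baseline, snapshot(conn))]


if __name__ == "__main__":
    for key, old, new in demo():
        print(f"CHANGED {key}: {old} -> {new}")
```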
43. 7. Hacks performed by me
Root on CID
Obtained through a - now patched - way during an upgrade mechanism to perform commands on the CID; extracting the daily changing security token.
Thanks to someone on TMC forum for helping me!
CID has an Internet connection (through usb-connected ‘parrot’).
-> reverse ssh tunnel for easy remote access
-> extra backdoors to prevent becoming locked out as a result of an update
Only /var is writeable
44. 7. Hacks performed by me
Root on CID
CID has 2 USB connections in the central display
-> allows to run ARM/Ubuntu in a mounted chrooted environment
Big display is not rotated at kernel level; Qt application is written rotated.
Fixed with running X applications in a rotated Xephyr (nested X server).
45. 7. Hacks performed by me
Root on CID
Sound possible with gstreamer.
Possible to display messages on the CID
46. 7. Hacks performed by me
Root on CID - romance mode
For the 4th anniversary of being married to my sweet wife, I put this into crontab:
*/15 * * * * bash /var/added/romance_mode.sh >/dev/null 2>&1
Executing:
bash /var/added/speak "Kissy, kissie"
/disk/usb.*/freedomev/talk "I love you, Baby!"
47. 7. Hacks performed by me
Root on CID
Romance Mode
https://www.youtube.com/watch?v=w-gLSPzLo6Q
48. 7. Hacks performed by me
Goals
Integrate touchscreen driver and build application launcher with free software repository
www.FreedomEV.com
www.FreedomEV.com/wiki
www.github.com/jnuyens/freedomev
“Download/extract the tarball to a usb stick, add one crontab entry in the CID as root and enjoy the power of the OpenSource community”
49. 7. Hacks performed by me
Goals
Integrate anbox to run Android apps like Waze on the CID
Allow anybody to contribute fun stuff back easy to package and distribute.
Fun, Fun, Fun!
50. 8. How ‘hacker friendly’ are Tesla Service and Elon Musk?
Elon Musk has tweeted a few times he likes people to tinker with his cars.
My Tesla Service rep stated it’s “officially not allowed” but they like my work and have been very supportive (within limits)
51. 8. How ‘hacker friendly’ are Tesla Service and Elon Musk?
Is Dell stopping support for a motherboard problem with a server if you replaced the hard drive yourself? No. Yet, Tesla Service are ‘car people’ instead of ‘Linux Hackers’.
I am honest about stuff I broke myself.
1) too many screws after reassembly
2) I broke a small plastic cover
3) I broke the upgrade mechanism
52. 8. How ‘hacker friendly’ are Tesla Service and Elon Musk?
I am not interested in doing illegal things like:
- changing the VIN number (it might help stolen car sales)
- faking the mileage
- abusing the (free) data usage
I prefer also not to:
- mess with the autopilot (I prefer to live ;)
- mess with the drive motor steering
53. 9. Other questions
“Long tailpipe Myth”:
Driving electric on coal generated electricity.
-> no grid is 100% coal, it’s always a small minority
-> would still be far less CO2 including counting for distribution (because ICE cars are so inefficient)
“How to go on holiday”:
- At home in the morning it’s always full
- Never visit petrol station
- Supercharging network for long distance; charging at 500km per hour, so driving 1000km is comfortable per day without any waiting.