> Tesla offers a “Root access program” on their bug bounty program. Researchers who find at least one valid “rooting” vulnerability will receive a permanent SSH certificate for their own car, allowing them to log in as root and continue their research further.
Pretty interesting. Sounds like Apple's Security Research Device Program[0], where you're loaned a rooted iPhone, but with clear qualification criteria.
It strikes a nice balance, because to qualify you have to 1) show you have the skills to get root access anyway and 2) show you're willing to participate in the bug bounty program and get things patched.
I would of course love root on everything I own, but I can understand Tesla's motivation here since root for everyone would make vulnerability discovery easier for malicious actors. And if everyone had root on their Tesla, it'd be much easier to make naughty modifications that might catch the ire of regulators (like disabling driver attentiveness checks in self-driving mode).
The underlying tension is that "you own the car" means something very different from "you own the software running the car." Tesla treats the firmware as licensed software rather than property you can inspect and modify. The bug bounty program is a PR-friendly way to say "we support security research" while keeping full control over who gets access and under what terms.
Right-to-repair legislation is chipping away at this but slowly. The EU's right-to-repair directive covers physical repair and doesn't really touch software access. The real test would be a regulator taking the position that restricting root access on hardware you own constitutes an anticompetitive tying arrangement, since you can't use the car's data for your own purposes without going through Tesla's APIs and paying their fees.
John Deere has been the main battleground for this argument so far. Farmers can't repair their own tractors without paying for dealer access to diagnostic software. Tesla is the same pattern applied to consumer vehicles, but the consumer advocacy pressure is weaker because fewer people feel the pain directly.
In most cases I agree with this, but maybe not for potentially dangerous things like cars? What if someone roots into their car and disables some essential safety feature - maybe even a legally mandated safety feature?
More concretely, the expertise-required-to-access-root is in a different field to the expertise-required-to-make-wise-changes. i.e. you might know how to hack a car, but that doesn't mean you know how cars operate.
You can feel that way, but plenty of car configuration has always been locked away and walled off, and manufacturers make a tidy profit selling software licenses to dealers and mechanics to perform basic diagnostics. Proprietary software is big business; what can you do.
Having shell is extremely handy for further discovery. SO handy that if they were just gonna patch the bug and lock you out, you would simply not disclose it.
This is what happened. Tesla security received tons of bug reports that required root access to identify, yet they got a vanishingly small number of root vulnerability reports. This policy fixes that misincentive.
That’s quite a weak confidence in their own platform security if finding a root level vulnerability is not a one-off event, but it’s a program expected to have multiple people routinely finding those.
My read of the output in the post when they tried to SSH to the device was that Tesla are actually doing the right thing here and using an SSH certificate authority, which allows issuing certificates signed with a private key authorising access to a subset of devices (optionally for a defined period of time). https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-b... has more information, but in summary unless the private signing key is compromised in some way this is entirely legit. I'd hope that they also have some mechanism for distributing a new public key if the signing key does get compromised but who knows.
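What the certificate approach in the comment above amounts to on the wire, as an added example that is not part of any comment in this thread and is not Tesla's code: it parses an OpenSSH user certificate and applies the checks a server makes on principal, validity window and the `source-address` critical option. The certificate is a constructed sample with dummy key and signature bytes; the hardware-ID principal, key id and address range are assumptions, and signature verification against the CA key is left out.

```python
import ipaddress
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"


def _s(b):
    """Encode an SSH wire 'string': uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Bounds-checked cursor over an SSH wire-format buffer."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated certificate")
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def u64(self):
        return struct.unpack(">Q", self.take(8))[0]

    def string(self):
        return self.take(self.u32())

    def done(self):
        return self.pos == len(self.data)


def build_sample_cert():
    """Constructed sample; every identifier and byte value is made up."""
    principals = _s(b"hwid-EXAMPLE-0001")          # assumed: one principal per device
    options = _s(b"source-address") + _s(_s(b"192.0.2.0/24"))
    return b"".join([
        _s(CERT_TYPE), _s(b"\x00" * 32), _s(b"\x11" * 32),  # type, nonce, public key
        struct.pack(">QI", 7, 1),                  # serial, type 1 = user certificate
        _s(b"researcher-example"),                 # key id
        _s(principals),
        struct.pack(">QQ", 1_700_000_000, 1_731_536_000),   # valid after / before
        _s(options), _s(b""), _s(b""),             # critical options, extensions, reserved
        _s(b"dummy-ca-key"), _s(b"dummy-signature"),
    ])


def parse_cert(blob):
    """Decode the fields of an ssh-ed25519 certificate into a dict."""
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    r.string()  # nonce
    r.string()  # certified public key
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    p = Reader(r.string())
    cert["principals"] = []
    while not p.done():
        cert["principals"].append(p.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    o = Reader(r.string())
    cert["critical"] = {}
    while not o.done():
        name = o.string().decode()
        data = Reader(o.string())  # option value is a string nested in a string
        cert["critical"][name] = "" if data.done() else data.string().decode()
    for _ in range(4):  # extensions, reserved, signature key, signature
        r.string()
    if not r.done():
        raise ValueError("trailing data after signature")
    return cert


def evaluate(cert, device_principal, now, client_ip):
    """Apply the constraint checks; returns (allowed, reason)."""
    if cert["type"] != 1:
        return False, "not a user certificate"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False, "outside validity window"
    if device_principal not in cert["principals"]:
        return False, "principal not authorised for this device"
    # A critical option the server does not understand must cause refusal;
    # this example understands only source-address.
    if set(cert["critical"]) - {"source-address"}:
        return False, "unrecognised critical option"
    allowed = cert["critical"].get("source-address")
    if allowed is not None:
        ip = ipaddress.ip_address(client_ip)
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in allowed.split(",")]
        if not any(ip in n for n in nets):
            return False, "source address not permitted"
    return True, "ok"


if __name__ == "__main__":
    c = parse_cert(build_sample_cert())
    print(c["key_id"], c["principals"], c["critical"])
    print(evaluate(c, "hwid-EXAMPLE-0001", 1_710_000_000, "192.0.2.10"))
```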
And as we all know, if you're smart enough to get root access, your neighbours' children playing football in the street should be subject to the risk of you driving a car that claims to have full self driving with custom code on it.
I used to work for a company that made third party scan tools. We had racks of ECUs disconnected from the car with just a diagnostic connector and power. Nothing got to a real car without first trying it on the rack. I remember one time we figured out a BMW (pre-OBDII) had the bytes offset from the standard documentation (it was a semi-standard protocol that some other cars used at the time); we went from "we communicate but nothing is wrong" to a very long list of DTCs on that controller. (All our competitors also showed nothing wrong, but the official BMW tool showed DTCs.)
That's super cool, I'm currently struggling with scan tools for a 1999 Mercedes E300 Turbodiesel. I had one that worked OK for about a decade (Autel something or other) with a 38pin connector, but it recently bricked itself with a message like "connect via USB to Updata" which I assume means its firmware somehow erased itself. Cannot figure out how to "updata" it, doesn't seem to connect via USB, the Autel software runs under Wine but doesn't appear to recognize the device... gave up and bought an iCarsoft device which sorta kinda works. It can talk to every module except for the ECU (Bosch MSA 25.1 I believe?) however if I tell the device that my car is a different model (1995-1997 naturally aspirated) I can blindly clear ECU DTCs, which is good enough because this thing is barely more complicated than a toaster. All that is to say, this space is ripe for some open hardware/software love.
Interesting...1999 is probably a bit early for that Bosch to be running one of the usual ECU update protocols like UDS. It sounds like it's in the bootloader and looking for a valid executable. So the FW updater is likely in the bootloader.
If you can open it up and find the JTAG pads, it should be simple-ish to use a JTAG reader to dump the image and then you can figure out the update protocol from that. It's unlikely to be complicated.
Not sure about your specific car, but a lot of the “consumer friendly” options like OBDeleven, Carly, etc are fantastic. You often have to pay, but a lot of work goes into them and they often just work.
> All that is to say, this space is ripe for some open hardware/software love.
There's just so many computers and what-not in modern cars that this is a very tall ask. You'd need a project on-par with HomeAssistant to get anywhere.
I remember getting that era working. I concluded Mercedes was trying to be clever in making a protocol so complex nobody else could understand it (thus ensuring you had to use a dealer) - and then discovered they couldn't debug it.
Each body model (nothing to do with year or style) was different, so clearing DTCs but nothing else is not a surprise.
I did get that working, but I last touched it in 2007 so I don't remember enough details to be helpful. Good luck.
You don't know anything about late-90s Lucas/SAGEM GEMS ECUs do you, or Range Rover BeCMs?
I'm currently picking apart the firmware in those because it is now impossible to get replacement ignition key fobs, and it just can't be that difficult...
It was 16 years ago, and I only worked with what got to the US. I don't remember much and not those at all. I saw a few how to program key fob documents but we decided that was a dealer service and so I never implemented it. Still generally just send the right 4-8 bytes and press a button on the fob in a minute. In any case it sounds like you want a different end: making a fob or bypassing them was never something I got anything on.
I spent the last week successfully reverse engineering my car / various scan tools to get the right information to diagnose a fuel pump problem (and to do so without the incredible awkwardness of many of the tools)
It's pretty amazing what Claude + Ghidra + knowledgeable coaching can accomplish. It was basically just setting direction, setting up an incremental workflow with the right kind of documentation, and questioning some of its theories and assumptions from time to time.
I'd love to release a lot of it but I'm torn between releasing artifacts created with expensive software I paid for and thinking that many of those things should really be freely available to anyone (specifically the things which define the protocol to talk to the car and mapping of what various things are reported vs what they actually mean).
> I'd love to release a lot of it but I'm torn between releasing artifacts created with expensive software I paid for and thinking that many of those things should really be freely available to anyone
Release it or not, but either way you’re almost certainly going to get paid back the same amount of money: $0.
I’ve recently built a disassembler and emulator using Claude to help reverse engineer a 90’s ECU based on an Intel embedded cpu.
It was quite impressive to watch when Claude started to use the emulator to help understand how bits of the code worked.
Sorry, what are you talking about? Just release it? Are you talking about trying to make money off it? Are you claiming you reverse engineered ECU tuning software you paid for?
You really must be new to this, huh?
Expensive software that you paid for?! Claude?
Yes, the question is whether you want to share knowledge that cost you literally nothing, and will bring humanity one microscopic step in a better direction - or not, feeling superior in that only you have access to that knowledge.
You have a choice!
It's funny to hear LVDS be described as an "automotive" cable when all of my run-ins with it are for connecting laptop displays to their main-boards! (though that has a very different connector on it, and it's a very general term for the signalling protocol from what I remember)
Not saying there's anything wrong with your perspective (lots of terms get in muddied waters, it's common and not a problem if everyone is on the same page), but this is what I just found on Wikipedia:
"Early on, the notebook computer and LCD vendors commonly used the term LVDS instead of FPD-Link when referring to their protocol, and the term LVDS has mistakenly become synonymous with Flat Panel Display Link in the video-display engineering vocabulary."
The cable in the article is pretty much doing the same conflation of terms that Wiki is talking about - the automotive one is a proprietary cable that carries some protocol that uses LVDS as its signalling, so at the most basic level both it and the display cable in the laptop are 'LVDS cables' but that's also the most generic term that gives you no information about the protocol actually being carried by the cables.
Yeah I saw that too which is why I posted my comment, it's surprising to me :) LVDS for display cables was an incredibly term in that context. Even still is sometimes despite them mostly being eDP (embedded-DisplayPort) now, which is quite incorrect hah
Most modern laptops no longer use LVDS for connecting the screen, but they use eDP (embedded DisplayPort).
So LVDS is more likely to linger in automotive displays, while in less obsolete devices it has been replaced by either eDP or by MIPI DSI (used e.g. in smartphones).
Very cool. Over a year and a half ago I installed a towing brake controller in my Tesla Model Y. Found the location of the plug, how to access and the pinout online (confirmed via a voltmeter..) so the car's side felt straightforward. But then I needed to find a brake controller that can work with the higher voltage (14.4v vs the normal 12v). Then built a cable from the brake controller to the connector that plugs into the car that I found on eBay. I velcro'd the controller under the dashboard. It works pretty well. I towed my small camper several times with it last year with no issues. Yay! However my little project is nothing compared to this post. Love people hacking away. So cool.
>then I needed to find a brake controller that can work with the higher voltage (14.4v vs the normal 12v)
Put a voltmeter on the battery terminals of a regular car at 2000rpm and note the voltage. You'd be surprised (the alternator can produce as high as 15V on some cars).
Automotive transients can be wild. I did a bringup with a board that had a 100+v range specified for transients and finicky quality requirements on the output. The power supplies took up most of the (very large) board.
I typically fault anything above 15.6V as “that’s a bit high, your alternator might be on its way out” when working on automotive / caravan / camper van appliances and accessories.
You're correct. A '12v ICE' alternator generates up to 14.8-15.2v. Most automotive stuff can operate between 9ish-16ish-v, of course totally depending on the product.
Of course this is just a modern interpretation. Older stuff runs at 6v and some weirdo offbeat cars have a 24v/48v rail sitting around somewhere. Cop cars often had alternators that put out weird voltage ranges for certain equipment, or dual 12v for high amperage output.
You are probably right. Surprisingly the first controller I tried didn't work. I assumed the voltage was too high since it worked in my other (much older) car. I found a reference online of people that tried a particular brand/model and that's what I went for. Thankfully my car isn't the model with the internal 18v battery.
Voltage isn't the whole story, controllers also need to survive current spikes and power transients, and Tesla's rails may not look like generic 12V gear.
> "I needed this because both the computer and a screen were being sold with the cables cut a few centimeters after the connector (interestingly most sellers did that, instead of just unplugging the cables)."
Can't you just solder some extra wires onto the cut off bits, rather than having to try and find a compatible cable? They've left the connectors in, and that's the hard bit, the rest is just wires
He does that in the write-up, though it's unclear from the photos if he actually soldered it or just twisted up pairs. The discussion of part of the wire melting also raises an eyebrow... no idea about the author's hardware experience, but I've seen software guys use piddly 24 AWG on a multi-amp circuit.
LVDS implies differential signals, which are designed to minimize EMI and can be hard to splice while still maintaining signal integrity. They can support high data rates (ethernet cables also use twisted pair LVDS). Theoretically this should be feasible up to 100s or even 1000s of mbps.
From messing around with these units from various cars, which often need more enablement than these, sometimes it’s nice to just know your interpretation of the wiring diagrams isn’t at fault when chasing down “no lights at all” issues.
The part about reverse engineering the boot process just to get a display output is wild — most people would have given up three rabbit holes earlier. Curious what the latency feels like running actual Tesla UI on desk hardware, does it feel snappy or is there noticeable lag compared to in-car?
Excellent detective work. I had no idea you can get a Tesla's computer off market. I wonder if these may be the last decade that we may be able to get root access to our own hardware consumer products. Keep the good work up.
ECU software development is sort of my day job. If you're going to go down this path, I seriously recommend getting the specialized plugs and connectors and making your own wiring harnesses to whatever size you need. It's absolutely easier than manhandling a full wiring harness or cutting one down. Cheaper, too.
I work on automotive software (not Tesla), and it's like this partially because it makes development _way easier_. Rather than needing to get a whole car to the dev team, you just give them the specific part that they're working on. Anything that needs outside features usually just fails gracefully (e.g. no speedometer or no location for maps). These are usually mocked for testing, or you add the specific ECU that provides it for your testing setup if needed.
Modern cars have tens of ECUs, so if you had to have all of them for testing, that would get unwieldy extremely quickly. Not to mention that cars are pretty resilient to having random parts failing, you don't want to lose the entire dashboard just because the ECU that provides camera data failed, or something.
I work on that software too (again not Tesla). One other thing - often the hardware we get is pre-production and has a list of errata that will be fixed before production. They don't want to make too many of these for engineers because it is done in a fast turn-around higher cost factory and it is expected that once in a while things won't work at all (someone forgets to connect power to the CPU pin or something similarly stupid that requires a lot of manual wiring to fix on each one). As such you have to justify getting any controller and often share. Once the product is shipping they make many of them and it isn't a big deal to get one on your desk - but you have now moved onto the next thing and so the problem returns.
Yeah, I expected some gigantic writeup about tricking it into thinking all other systems are connected to it but maybe it's made this way so it's easier to repair without needing the whole car
It's funny how the biggest problem turned out to be a mostly mechanical part, the rather trivial 6-pin connector.
Given the presence of the wiring schematics and the mechanical dimensions, I'm surprised that the author did not try to 3D-print the mechanical parts of the connectors, given that the electrical parts extracted from the BMW connectors did fit.
That particular statement is also wrong. For this particular setup you can also buy the correct cable (making sure to not get the one that inverts some pins!!!) for cheaper. Mine was around 15$.
Violet HSD Code D 4+2 Pin Female to D Female Jack Connector 6 Pin HSD LVDS High Speed DataTransmission Harness Wire LVDS Cable
https://a.aliexpress.com/_EuGOh9e
Parts and labor combined that would be a 4000-5000 eurobuck job. A Nissan importer tried to weasel out of a warranty replacement on a friend's X-Trail so they first offered to completely refund options that had become unusable.
The car was full of issues and probably spent more time in the shop than on the road. Nissan finally had to buy it back after service techs failed to tighten the oil drain cap after an engine overhaul.
> Turns out that actual cars don’t have individual cables. Instead they have these big “looms”, which bundle many cables from a nearby area into a single harness. This is the reason why I could not find the individual cable earlier. They simply don’t manufacture it.
Typical setup for cars (and lawn mowers). As a software guy my first instinct is, computing power is cheap enough, seems like a CAT5-like thing running between all components would do it. Speaking as a software guy - meaning I'm probably missing a lot of the big picture. On the other hand, it's a lot easier to safety-check a mechanical lockout that physically opens a circuit, than something running on software.
I read somewhere that the reason they don't typically use IT networking cables / tech is because normal IT infrastructure is a lot less strict with things like packet loss. It's actually not a huge deal to drop packets here and there, especially if any given component is at capacity. But in a car, some devices are super chatty and you can't be dropping packets much at all.
That said, I'm sure there's gotta be a better way to solve it with less copper. And I think they did something like that with CyberTruck.
> ...in a car, some devices are super chatty and you can't be dropping packets much at all....there's gotta be a better way to solve it with less copper.
I know CAN is a thing for a while now, and in the aviation world they have ethernet-derived standards like AFDX etc. But for some reason cables abound.
Congrats, OP has recreated a test/development bench, the bane of developers working on automotive software development all around the world. They're so close to being a real vehicle that you think you'll be able to get a lot of work done, but they're not, so you don't.
Honestly I love it. Few things develop a more fun camaraderie than a bringup bootcamp with two precious/priceless new samples on a large conference table, and everyone being very careful to keep cups/mugs very far away.
And a soldering robot with a specialist a few rooms away to beam down the latest errata into physical form, at times.
Tracy Kidder just died, and Soul of a New Machine was a favorite of my formative years as an engineer. Once I started in headunit ECU development it felt very familiar to me at times.
I'm a software guy, but the gear has a lot of allure.
This is awesome. Curious if these are plug and play and if that's the case where is the memory that tells you what the mileage is. If it's attached to the computer then the mileage would be off if you switch/repair it.
Completely unrelated. Would be interested if you figure out how to retrofit the new adaptive shocks on performance models to the older cars. Something I would love to do if I had hobby time. I'm pretty sure they fit physically, but needs to be connected to the main computer. I likely would never touch the main computer unless I got root access. In my brain I was thinking about a separate system made with raspberry pi's.
You can, at the very least, retrofit the Juniper suspension onto the old car [1]. I haven't ridden in the new Performance yet, but I recently got a 2026 Model Y and the suspension is night and day compared to my 2024.
Hey, I just remembered my school used to have ages ago some cool power supplies (I think from Agilent?) that were very idiot proof, they had current limit with a dial that I think didn’t go over 1A or perhaps even less, and they would instantly disarm on short circuit (and indicate it with an LED), and also the voltage dial I think wouldn’t go over 25V. I remember it was very big and heavy, but it survived countless students that used the lab daily.
Nowadays, is there any power supply available that is that resistant or is the recommended approach to get a used old one? Does anyone have a power supply at home that is also used by kids with a brand/model they would recommend? Thanks!
What you're describing is a lab power supply. (The "instantly disarm on short circuit" is overcurrent protection, which is a standard feature.) The name brands like Keysight or Rigol are kind of expensive, but there are a lot of no-name models on Amazon which will do the job well enough.
Thanks! I had a BK Vision or something similar at some point and it just blew up. I will give it a search for these brands, sometimes I find a well-cared used one from the more expensive brands at good prices so that’s what I will look for first. :)
> We ordered the chip and took the board to a local PCB repair shop, where they successfully replaced it and fixed the MCU.
What is a "local PCB repair shop"? All the guys who used to fix TVs and radios are gone. Anyone else (not living in China) having trouble locating such an outfit in their neighborhood?
When I’ve brought atypical stuff in to be repaired at one of those shops they have been absolutely willing to solder whatever, however they did have just one “soldering guy” for every shop in the metro area who only came as needed. So just keep that in mind if you’re in a hurry or want to talk an atypical task through with someone. Probably call ahead.
> A REST-like API on :8080 which returned a history of “tasks”
I am curious to know what kind of historical tasks- since it's a media control unit; does it show what kind of media was being played in the last trip? does it reveal any other info about the driver?? There might be a privacy angle here that you could exploit and share it with Tesla.
They hit Odin. Odin is the diagnostic tool of Tesla.
The tasks they've seen are like "TEST_BRAKE_X_STIFFNESS-TEST-PRESSURE-BURNISHED" and are used to test different components of the car. They're also used for example to reset FSD strikes.
In Tesla terms, the infotainment does much more than just playing music - it has full access to the rest of the car.
I remember back when Chrysler did that and researchers were able to shut a Jeep down mid-drive by attacking the internet-connected infotainment. This doesn't sound great.
People need to request the source code.. There’s a ton of open source they use that forces Tesla to give you source if you’re a customer and you ask. I don’t get why security people aren’t doing this already.
You get the linux kernel and a bunch of other things you can find on github anyway. You can't do anything useful with that, except what you already can get from any linux package manager.
Sure someone should do it just to verify the process works, but it isn't really useful. (in general companies are very careful to not violate GPL license terms, often refusing to use GPL3 at all)
I would love to use the drive units from a Tesla in a conversion project. Unfortunately, they're cryptographically paired with the main computer, and there's no way to use them.
That is done to kill the "chop shops" criminals used to steal cars and then break them up for parts. You can't do that with computers because of that pairing and so stealing a car pays much less and in turn is less common. (it still happens, it just doesn't pay as well)
The trick is to pick up the main computer and the paired drive unit(s) by picking up a whole vehicle (with a salvage title). There are shops in LA, and elsewhere who do conversions this way.
I _do_ find it weird that the LCDs from crashed cars are so expensive. I wonder if newer models have better screens, so people with older cars upgrade? Or if they're a common failure point?
I have a Model 3, but I can't say I follow the forums.. but I've never heard of screens failing -- I'm sure it happens but I think if it was common problem I'd have heard of it.
I'd guess they fail not on their own, but because they are human interface devices and take the brunt of abuse... e.g. iPhone screens are a popular repair despite being reliable components.
I have a 2023 model 3 and my screen had a small defect develop, a slightly darker area in a roughly half cm diameter area. I think most people would have never noticed but I pointed it out to Tesla service and they replaced the screen.
Some newer models have better (bigger) screens, and some are incompatible since they've slightly changed the connector. Old models (pre-Highland/Juniper facelift) have used the same display shown in the article for a very long time across M3 and MY. What usually happens is that they physically break because people are not that careful, so the touch screen ends up breaking - although you really have to put a lot of force to break that display.
My 2016 Model S LCD panel developed the well-known fault of delamination and leaking some kind of sticky fluid.
Turns out the early Model S vehicles used consumer grade LCD panels that weren’t designed for the prolonged high heat you get in a metal and glass box left outside in the sun all day.
Tesla since upgraded their vehicle screens to proper automotive-grade LCDs which are excellent.
My point is, automotive-grade hardware is higher spec than regular consumer computer hardware, hence the high prices.
As an aside, I upgraded my whole computer and screen from MCU1 to MCU2 and it was worth the upgrade.
Credit to Tesla for building a retrofit computer upgrade for old vehicles. That's a non-trivial thing to engineer and I appreciate their effort. Other car manufacturers would prefer you were compelled to buy their latest vehicle instead.
Ha! Reading this comment made me curious, so I went back and looked at the article and there does seem to be a full sized HDMI connector. I wonder if it is enabled, or just for Tesla internal testing?
Granted, I think it would be valuable to look at all sorts of automotive ECUs. I always wonder how the tuning industry does their thing; I shudder to think they're just sitting there flipping hex codes directly in running software...
Anyone finding this fascinating, please check out Openinverter Forum [0]. A ton of work has been done in decoding CAN messages, DBC files are floating around, open source firmware and controllers are available for Tesla and other components, mostly inverters and chargers but there are overlaps with the VCU and displays as well.
I'm amused reading the terms and requirements the author mentions in the bug bounty program for researchers gaining root access (under 'Vehicle Targets') - https://bugcrowd.com/engagements/tesla
"To promote further security research, Tesla offers security researchers the opportunity to retain root access on their infotainment system even after their reported vulnerability has been patched. In order to qualify, a researcher must send in a valid report describing a novel way to gain root access on a Tesla infotainment system. Upon confirmation, Tesla will instruct the researcher on how to use their existing root access to enable the researcher SSH feature, along with an SSH certificate for the researcher's public key (tailored to their specific hardware ID). The certificate restricts SSH access to the local diagnostic ethernet link. Tesla may renew the certificate as long as the researcher continues reporting vulnerabilities."
> Turns out that actual cars don’t have individual cables. Instead they have these big “looms”, which bundle many cables from a nearby area into a single harness. This is the reason why I could not find the individual cable earlier. They simply don’t manufacture it.
I was really surprised to read this at the end of the article -- how could someone be this deep into a project of this depth and not realize this?! Not only because all cars (...er... all vehicles) are wired this way, but also because the documentation they were referencing has plenty of detail to show this... there's even a whole picture of it (and to Tesla's credit they have amazing free docs): https://service.tesla.com/docs/Model3/ServiceManual/2024/en-...
Even if you know that cars consist of a single wiring harness, it's not implied that they aren't modular and the individual cables cannot be purchased separately.
Cars usually consist of multiple harnesses -- as it is in this case as well. The harnesses are the cables in a car. That is the part you can purchase because that is the part.
> and to Tesla's credit they have amazing free docs
Not to Tesla's credit, they had to be dragged kicking and screaming into it (primarily by Massachusetts) and their right to repair legislation through a solid chunk of malicious compliance:
1. When told that they had to have a site for people to order parts, Tesla put up a site that had every single item as "Call us", including the most simple of bolts. And when a few places called, "Sorry, that's not available to you".
2. The service manual was originally only available in a few locations in MA, and had strict conditions: you had to book in advance, there was a $100 fee per booking, and you could only view the manual on premises, and could not bring electronic devices into the room with you, just pen and paper.
The docs they have are great, and who knows how their attitude would have changed over time, but they absolutely didn't want you to have it, initially.
I will say I’m surprised how far apart the two boxes are in the car. I guess they’re not where I thought. I would assume they’re both up near the dash.
The passenger side kick panel or behind the glove box are two very common places for vehicle computers -- some cars have them under the hood, which I always thought was a bad idea.
> I was really surprised to read this at the end of the article -- how could someone be this deep into a project of this depth and not realize this?!
Usually, for most other vehicles, the connectors are either standardized (e.g. radios, ISO 10487 [1], high-current chargers by VG 96917) or the foundation plugs, sockets and re-pinning tools are readily available by the vehicle manufacturer or by aftermarket suppliers.
Tesla truly went out of their way to make the life of third parties (such as wire harness repair shops) more miserable here.
When canbus is already two wires, and by definition, is a bus, so you can just keep stringing those two wires to any module you need. I know Ethernet BUSes exist, but what advantage would those have to canbus then? They're both two-wire buses.
Tesla also went to a 48v wiring harness in some of their vehicles to allow them to power more equipment with less copper. It might be one reason why they use nonstandard connectors, so people don't attempt to hook 12v equipment to the system and also the higher voltages might require connectors rated for it.
Now they just have to take the next step and have everything in the vehicle running on PoE.
Software people tend to overestimate their knowledge of other disciplines, writing it off as "easy" or work beneath them. Being overpaid compared to your peers certainly doesn't help dispel this feeling. Some people have built entire careers around designing wire looms.
Consider whether this is an uncharitable comment --- someone with little expertise in a discipline has made a rookie mistake and didn't realize that the wires weren't produced individually.
Professionals overestimating their knowledge is a very common thing!
It actually stands for "lizard brain"... it is (or at least was) an Infineon Aurix control and monitoring microcontroller, they may have changed to a newer one.
I am surprised that they are surprised that car wiring diagrams are online. People wouldn't accept cars without online service manuals and schematics, and some states mandate them by law. I just looked up this subsystem for my car via my public library. https://appcontent.chiltonlibrary.com/chilton_images/Honda/E...
I wish the UI on those things was more visually appealing. Between the cheap-looking gloss finish on the display itself and the unextraordinary UI, it's just kinda blah. One can have a debate about to screen or not to screen or whether to use VFD displays or whatever, and I get the importance of cost control, but it should look good and it really doesn't. The graphic of the car looks like a cartoon.
I think a lot of people do. I don't know what it is, there's maybe just something about the car graphic that doesn't sit right with me. The front/side view when parked just seems cheesy for some reason. Maybe because it's meant to show unclosed doors or something and when everything is set the car's status is car which is redundant.
From the article
> Tesla offers a “Root access program” on their bug bounty program. Researchers who find at least one valid “rooting” vulnerability will receive a permanent SSH certificate for their own car, allowing them to log in as root and continue their research further.
Pretty interesting. Sounds like Apple's Security Research Device Program[0], where you're loaned a rooted iPhone, but with a clear qualification criteria.
It strikes a nice balance, because to qualify you have to 1) show you have the skills to get root access anyway and 2) show you're willing to participate in the bug bounty program and get things patched.
I would of course love root on everything I own, but I can understand Tesla's motivation here since root for everyone would make vulnerability discovery easier for malicious actors. And if everyone had root on their Tesla, it'd be much easier to make naughty modifications that might catch the ire of regulators. (like disabling driver attentiveness checks in self-driving mode).
[0] https://security.apple.com/research-device/
> Researchers who find at least one valid “rooting” vulnerability will receive a permanent SSH certificate for their own car
It feels like this is something you should get by being owner of the car, and not have to do free speculative research for the manufacturer to get it.
The underlying tension is that "you own the car" means something very different from "you own the software running the car." Tesla treats the firmware as licensed software rather than property you can inspect and modify. The bug bounty program is a PR-friendly way to say "we support security research" while keeping full control over who gets access and under what terms.
Right-to-repair legislation is chipping away at this but slowly. The EU's right-to-repair directive covers physical repair and doesn't really touch software access. The real test would be a regulator taking the position that restricting root access on hardware you own constitutes an anticompetitive tying arrangement, since you can't use the car's data for your own purposes without going through Tesla's APIs and paying their fees.
John Deere has been the main battleground for this argument so far. Farmers can't repair their own tractors without paying for dealer access to diagnostic software. Tesla is the same pattern applied to consumer vehicles, but the consumer advocacy pressure is weaker because fewer people feel the pain directly.
Normies get scammed on Discord into pasting commands into their browser console.
As a pedestrian I prefer for most people to not have root access to their multi-ton fast-moving killing machine.
In most cases I agree with this, but maybe not for potentially dangerous things like cars? What if someone roots into their car and disables some essential safety feature - maybe even a legally mandated safety feature?
More concretely, the expertise-required-to-access-root is in a different field to the expertise-required-to-make-wise-changes. i.e. you might know how to hack a car, but that doesn't mean you know how cars operate.
As much as I tend to agree philosophically, could it not result in people making changes that endanger other road users?
You can translate that to corresponding car-purchases, i.e. vote with your wallet.
You can feel that way, but plenty of car configuration has always been locked away and walled off, and manufacturers make a tidy profit selling software licenses to dealers and mechanics to perform basic diagnostics. Proprietary software is big business; what can you do.
Having shell is extremely handy for further discovery. SO handy that if they were just gonna patch the bug and lock you out, you would simply not disclose it.
This is what happened. Tesla security received tons of bug reports that required root access to identify, yet they got a vanishingly small number of root vulnerability reports. This policy fixes that misincentive.
If they don't give root, researcher may have incentive to keep vuln secret for root access. Looks reasonable.
It's a mixed bag. This only applies to the infotainment system and not the autopilot computer.
They've also revoked certificates from researchers' personal cars in the past.
That’s quite a weak confidence in their own platform security if finding a root level vulnerability is not one-off event, but it’s a program expected to have multiple people routinely finding those.
Well it's a selection bias.
If an athlete breaks a world record, they're likely to do it again. Even though it's incredibly hard to break a world record.
Imagine having to hack your device, then having to submit a request to actually own it.
The interesting part is this implies that Tesla cars have static certificates that don't rotate. (Whoops.)
My read of the output in the post when they tried to SSH to the device was that Tesla are actually doing the right thing here and using an SSH certificate authority, which allows issuing certificates signed with a private key authorising access to a subset of devices (optionally for a defined period of time). https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-b... has more information, but in summary unless the private signing key is compromised in some way this is entirely legit. I'd hope that they also have some mechanism for distributing a new public key if the signing key does get compromised but who knows.
Not necessarily. All they have to do is roll a pub key into the update package. Same as any OTA update.
Why can't they rotate? Having root ssh keys on the device doesn't imply the certs don't rotate.
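The SSH certificate authority model discussed in the comments above (a CA key signing per-researcher certificates, with revocation and CA rotation handled on the device side), as an added example that is not part of the thread and is not Tesla's actual setup. Every file name, key ID, principal, serial and validity period in it is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added illustration of an OpenSSH certificate authority workflow.
# All names, serials and lifetimes are constructed; this is not any vendor's configuration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

setup_keys() {
    # CA key pair: the private half stays with the issuer, only ca.pub ships to devices.
    ssh-keygen -q -t ed25519 -N '' -C 'example-ca' -f "$WORK/ca"
    # Researcher key pair: generated locally, only user.pub is sent for signing.
    ssh-keygen -q -t ed25519 -N '' -C 'researcher@example' -f "$WORK/user"
}

issue_cert() {   # usage: issue_cert KEY_ID PRINCIPAL VALIDITY SERIAL
    # Writes $WORK/user-cert.pub. The serial is what later lets one cert be revoked.
    ssh-keygen -q -s "$WORK/ca" -I "$1" -n "$2" -V "$3" -z "$4" "$WORK/user.pub"
}

cert_serial() {
    ssh-keygen -L -f "$WORK/user-cert.pub" | awk '/Serial:/ {print $2; exit}'
}

cert_principal() {
    # The first principal is printed on the line after "Principals:".
    ssh-keygen -L -f "$WORK/user-cert.pub" |
        awk '/Principals:/ {getline; gsub(/^[ \t]+/, ""); print; exit}'
}

signed_by_ca() {
    # Compares the CA fingerprint recorded in the cert with our CA public key.
    # (sshd performs the actual signature verification at login time.)
    ca_fp="$(ssh-keygen -l -f "$WORK/ca.pub" | awk '{print $2}')"
    cert_fp="$(ssh-keygen -L -f "$WORK/user-cert.pub" | awk '/Signing CA:/ {print $4; exit}')"
    if [ "$ca_fp" = "$cert_fp" ]; then echo yes; else echo no; fi
}

revoke_serial() {   # usage: revoke_serial SERIAL
    # Build a key revocation list (KRL) naming one certificate serial of this CA.
    printf 'serial: %s\n' "$1" > "$WORK/krl.spec"
    ssh-keygen -q -k -f "$WORK/revoked.krl" -s "$WORK/ca.pub" "$WORK/krl.spec" >/dev/null
}

is_revoked() {
    # ssh-keygen -Q exits non-zero when the given certificate is listed in the KRL.
    if ssh-keygen -Q -f "$WORK/revoked.krl" "$WORK/user-cert.pub" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# Device side (sshd_config), shown as comments because it needs a running sshd:
#   TrustedUserCAKeys /etc/ssh/ca.pub       # accept certs signed by this CA
#   RevokedKeys       /etc/ssh/revoked.krl  # reject certs listed in the KRL
# Rotating the CA means shipping a new ca.pub (for example in a software update);
# no per-user key material is stored on the device.

setup_keys
issue_cert "researcher-PLACEHOLDER" root +52w 1001
echo "serial:       $(cert_serial)"
echo "principal:    $(cert_principal)"
echo "signed by CA: $(signed_by_ca)"
revoke_serial 1001
echo "revoked:      $(is_revoked)"
```

Revocation here is per serial, so pulling one researcher's access does not require replacing the CA or touching any other certificate.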
And as we all know, if you're smart enough to get root access, your neighbours children playing football in the street should be subject to the risk of you driving a car that claims to have full self driving with custom code on it.
I used to work for a company that made third-party scan tools. We had racks of ECUs disconnected from the car with just a diagnostic connector and power. Nothing got to a real car without first trying it on the rack. I remember one time we figured out a BMW (pre-OBD-II) had the bytes offset from the standard documentation (it was a semi-standard protocol that some other cars used at the time); we went from "we communicate but nothing is wrong" to a very long list of DTCs on that controller. (All our competitors also showed nothing wrong, but the official BMW tool showed DTCs.)
Diagnostic Trouble Codes?
Yes.
That's super cool, I'm currently struggling with scan tools for a 1999 Mercedes E300 Turbodiesel. I had one that worked OK for about a decade (Autel something or other) with a 38pin connector, but it recently bricked itself with a message like "connect via USB to Updata" which I assume means its firmware somehow erased itself. Cannot figure out how to "updata" it, doesn't seem to connect via USB, the Autel software runs under Wine but doesn't appear to recognize the device... gave up and bought an iCarsoft device which sorta kinda works. It can talk to every module except for the ECU (Bosch MSA 25.1 I believe?) however if I tell the device that my car is a different model (1995-1997 naturally aspirated) I can blindly clear ECU DTCs, which is good enough because this thing is barely more complicated than a toaster. All that is to say, this space is ripe for some open hardware/software love.
Interesting...1999 is probably a bit early for that Bosch to be running one of the usual ECU update protocols like UDS. It sounds like it's in the bootloader and looking for a valid executable. So the FW updater is likely in the bootloader.
If you can open it up and find the JTAG pads, it should be simple-ish to use a JTAG reader to dump the image and then you can figure out the update protocol from that. It's unlikely to be complicated.
Not sure about your specific car, but a lot of the “consumer friendly” options like OBDeleven, Carly, etc are fantastic. You often have to pay, but a lot of work goes into them and they often just work.
> All that is to say, this space is ripe for some open hardware/software love.
There's just so many computers and what-not in modern cars that this is a very tall ask. You'd need a project on-par with HomeAssistant to get anywhere.
I remember getting that era working. I concluded Mercedes was trying to be clever in making a protocol so complex nobody else could understand it (thus ensuring you had to use a dealer) - and then discovered they couldn't debug it.
Each body model (nothing to do with year or style) was different, so clearing DTCs but nothing else is not a surprise.
I did get that working, but I last touched it in 2007 so I don't remember enough details to be helpful. Good luck.
You don't know anything about late-90s Lucas/SAGEM GEMS ECUs do you, or Range Rover BeCMs?
I'm currently picking apart the firmware in those because it is now impossible to get replacement ignition key fobs, and it just can't be that difficult...
It was 16 years ago, and I only worked with what got to the US. I don't remember much and not those at all. I saw a few how to program key fob documents but we decided that was a dealer service and so I never implemented it. Still generally just send the right 4-8 bytes and press a button on the fob in a minute. In any case it sounds like you want a different end: making a fob or bypassing them was never something I got anything on.
I spent the last week successfully reverse engineering my car / various scan tools to get the right information to diagnose a fuel pump problem (and to do so without the incredible awkwardness of many of the tools)
It's pretty amazing what Claude + Ghidra + knowledgeable coaching can accomplish. It was basically just setting direction, setting up an incremental workflow with the right kind of documentation, and questioning some of its theories and assumptions from time to time.
I'd love to release a lot of it but I'm torn between releasing artifacts created with expensive software I paid for and thinking that many of those things should really be freely available to anyone (specifically the things which define the protocol to talk to the car and mapping of what various things are reported vs what they actually mean).
> I'd love to release a lot of it but I'm torn between releasing artifacts created with expensive software I paid for and thinking that many of those things should really be freely available to anyone
Release it or not, but either way you’re almost certainly going to get paid back the same amount of money: $0.
I’ve recently built a disassembler and emulator using Claude to help reverse engineer a 90’s ECU based on an Intel embedded cpu. It was quite impressive to watch when Claude started to use the emulator to help understand how bits of the code worked.
Wait, why wouldn’t you post it/ write it up?
Sorry, what are you talking about? Just release it? Are you talking about trying to make money off it? Are you claiming you reverse engineered ecu tuning software you paid for?
You really must be new to this, huh? Expensive software that you paid for?! Claude? Yes, the question is whether you want to share knowledge that cost you literally nothing, and will bring humanity one microscopic step in a better direction - or not, feeling superior in that only you have access to that knowledge. You have a choice!
+1 on the "plz tell me how" train!
Just dump it in a gist. That your of knowledge should be free
It's funny to hear LVDS be described as an "automotive" cable when all of my run-ins with it are for connecting laptop displays to their main-boards! (though that has a very different connector on it, and it's a very general term for the signalling protocol from what I remember)
Not saying there's anything wrong with your perspective (lots of terms get in muddied waters, it's common and not a problem if everyone is on the same page), but this is what I just found on Wikipedia:
"Early on, the notebook computer and LCD vendors commonly used the term LVDS instead of FPD-Link when referring to their protocol, and the term LVDS has mistakenly become synonymous with Flat Panel Display Link in the video-display engineering vocabulary."
https://en.wikipedia.org/wiki/Low-voltage_differential_signa...
The cable in the article is pretty much doing the same conflation of terms that Wiki is talking about - the automotive one is a proprietary cable that carries some protocol that uses LVDS as its signalling, so at the most basic level both it and the display cable in the laptop are 'LVDS cables' but that's also the most generic term that gives you no information about the protocol actually being carried by the cables.
Yeah I saw that too which is why I posted my comment, it's surprising to me :) LVDS for display cables was an incredibly term in that context. Even still is sometimes despite them mostly being eDP (embedded-DisplayPort) now, which is quite incorrect hah
LVDS with Fakra connectors is pretty standard in automotive for cameras and displays. The protocols used over it are often proprietary though.
Most modern laptops no longer use LVDS for connecting the screen, but they use eDP (embedded DisplayPort).
So LVDS is more likely to linger in automotive displays, while in less obsolete devices it has been replaced by either eDP or by MIPI DSI (used e.g. in smartphones).
https://news.ycombinator.com/item?id=47527015
Spoiler alert: it's still LVDS
SpaceWire is also just LVDS with an uber-minimal routing protocol. It runs on a lot of satellites.
Very cool. Over a year and a half ago I installed a towing brake controller in my Tesla Model Y. Found the location of the plug, how to access and the pinout online (confirmed via a voltmeter..) so the car's side felt straight forward. But then I needed to find a brake controller that can work with the higher voltage (14.4v vs the normal 12v). Then built a cable from the brake controller to the connector that plugs into the car that I found on eBay. I velcro'd the controller under the dashboard. It works pretty well. I towed my small camper several times with it last year with no issues. Yay! However my little project is nothing compared to this post. Love people hacking away. So cool.
>then I needed to find a brake controller that can work with the higher voltage (14.4v vs the normal 12v)
Put a voltmeter on the battery terminals of a regular car at 2000rpm and note the voltage. You'd be surprised (the alternator can produce as high as 15V on some cars).
Automotive transients can be wild. I did a bringup with a board that had specified 100+v range specified for transients and finicky quality requirements on the output. The power supplies took up most of the (very large) board.
I typically fault anything above 15.6V as “that’s a bit high, your alternator might be on its way out” when working on automotive / caravan / camper van appliances and accessories.
> But then I needed to find a brake controller that can work with the higher voltage (14.4v vs the normal 12v)
Not understanding this sentence. Most running ICE vehicles produce closer to that 14.4 than 12v. I think a standard controller would have worked fine?
You're correct. A '12v ICE' alternator generates up to 14.8-15.2v. Most automotive stuff can operate between 9ish-16ish-v, of course totally depending on the product.
Of course this is just a modern interpretation. Older stuff runs at 6v and some weirdo offbeat cars have a 24v/48v rail sitting around somewhere. Cop cars often had alternators that put out weird voltage ranges for certain equipment, or dual 12v for high amperage output.
You are probably right. Surprisingly the first controller I tried didn't work. I assumed the voltage was too high since it worked in my other (much older) car. I found a reference online of people that tried a particular brand/model and that's what I went for. Thankfully my car isn't the model with the internal 18v battery.
Voltage isn't the whole story, controllers also need to survive current spikes and power transients, and Tesla's rails may not look like generic 12V gear.
You can run QtCar (the Qt-based app that Tesla uses for their UIs) on QEMU - if you have the firmware.
https://x.com/i/status/1722717318009041104
DM me if interested
Hi, can you DM the firmware?
Just put it online somewhere
It's on GitHub, but I want to avoid Tesla DMCA-ing it
> " I needed this because both the computer and a screen were being sold with the cables cut a few centimeters after the connector (interestingly most sellers did that, instead of just unplugging the cables)."
Can't you just solder some extra wires onto the cut off bits, rather than having to try and find a compatible cable? They've left the connectors in, and that's the hard bit, the rest is just wires
He does that in the write-up, though it's unclear from the photos if he actually soldered it or just twisted up pairs. The discussion of part of the wire melting also raises an eyebrow.. no idea about the author's hardware experience, but I've seen software guys use piddly 24 AWG on a multi-amp circuit
LVDS implies differential signals and are designed to minimize EMI and can be hard to splice while still maintaining signal integrity. They can support high data rates (ethernet cables also use twisted pair LVDS). Theoretically this should be feasible up to 100s or even 1000s of mbps
From messing around with these units from various cars, which often need more enablement than these, sometimes it’s nice to just know your interpretation of the wiring diagrams isn’t at fault when chasing down “no lights at all” issues.
The part about reverse engineering the boot process just to get a display output is wild — most people would have given up three rabbit holes earlier. Curious what the latency feels like running actual Tesla UI on desk hardware, does it feel snappy or is there noticeable lag compared to in-car?
It's exactly the same. Why would it be different?
Excellent detective work. I had no idea you can get a Tesla's computer off market. I wonder if these may be the last decade that we may be able to get root access to our own hardware consumer products. Keep the good work up.
ECU software development is sort of my day job. If you're going to go down this path, I seriously recommend getting the specialized plugs and connectors and making your own wiring harnesses to whatever size you need. It's absolutely easier than manhandling a full wiring harness or cutting one down. Cheaper, too.
I'm actually somewhat surprised the OS fully boots when it's not connected to the expected vehicle peripherals
I work on automotive software (not Tesla), and it's like this partially because it makes development _way easier_. Rather than needing to get a whole car to the dev team, you just give them the specific part that they're working on. Anything that needs outside features usually just fails gracefully (e.g. no speedometer or no location for maps). These are usually mocked for testing, or you add the specific ECU that provides it for your testing setup if needed.
Modern cars have tens of ECUs, so if you had to have all of them for testing, that would get unwieldy extremely quickly. Not to mention that cars are pretty resilient to having random parts failing, you don't want to lose the entire dashboard just because the ECU that provides camera data failed, or something.
I work on that software too (again not Tesla). One other thing - often the hardware we get is pre-production and has a list of errata that will be fixed before production. They don't want to make too many of these for engineers because it is done in a fast turn-around higher cost factory and it is expected that once in a while things won't work at all (someone forgets to connect power to the CPU pin or something similarly stupid that requires a lot of manual wiring to fix on each one). As such you have to justify getting any controller and often share. Once the product is shipping they make many of them and it isn't a big deal to get one on your desk - but you have now moved onto the next thing and so the problem returns.
Yeah, I expected some gigantic writeup about tricking it into thinking all other systems are connected to it but maybe it's made this way so it's easier to repair without needing the whole car
It's funny how the biggest problem turned out to be a mostly mechanical part, the rather trivial 6-pin connector.
Given the presence of the wiring schematics and the mechanical dimensions, I'm surprised that the author did not try to 3D-print the mechanical parts of the connectors, given that the electrical parts extracted from the BMW connectors did fit.
> Unfortunately I had no other choice but to buy this entire loom for 80 USD.
Fwiw, mine costs $450 from Ford. Also in the US we call this a wiring harness, with the loom being the material that goes over the wires
That particular statement is also wrong. For this particular setup you can also buy the correct cable (making sure to not get the one that inverts some pins!!!) for cheaper. Mine was around 15$.
Violet HSD Code D 4+2 Pin Female to D Female Jack Connector 6 Pin HSD LVDS High Speed DataTransmission Harness Wire LVDS Cable https://a.aliexpress.com/_EuGOh9e
Parts and labor combined that would be a 4000-5000 eurobuck job. A Nissan importer tried to weasel out of a warranty replacement on a friend's X-Trail so they first offered to completely refund options that had become unusable.
The car was full of issues and probably spent more time in the shop than on the road. Nissan finally had to buy it back after service techs failed to tighten the oil drain cap after an engine overhaul.
I see in the attached SS that the car has the "BIFL" FSD (?). Does this mean you could swap this CPU a non-FSD Model 3 and get it?
:O
> Turns out that actual cars don’t have individual cables. Instead they have these big “looms”, which bundle many cables from a nearby area into a single harness. This is the reason why I could not find the individual cable earlier. They simply don’t manufacture it.
Typical setup for cars (and lawn mowers). As a software guy my first instinct is, computing power is cheap enough, seems like a CAT5-like thing running between all components would do it. Speaking as a software guy - meaning I'm probably missing a lot of the big picture. On the other hand, it's a lot easier to safety-check a mechanical lockout that physically opens a circuit, than something running on software.
I read somewhere that the reason they don't typically use IT networking cables / tech is because normal IT infrastructure is a lot less strict with things like packet loss. It's actually not a huge deal to drop packets here and there, especially if any given component is at capacity. But in a car, some devices are super chatty and you can't be dropping packets much at all.
That said, I'm sure there's gotta be a better way to solve it with less copper. And I think they did something like that with CyberTruck.
> ...in a car, some devices are super chatty and you can't be dropping packets much at all....there's gotta be a better way to solve it with less copper.
I know CAN is a thing for a while now, and in the aviation world they have ethernet-derived standards like AFDX etc. But for some reason cables abound.
Meh, even in the IT industry cables abound.
Cars are moving towards something like that, mostly because copper is expensive and there are miles and miles of it in even a basic car these days
Say what you will about Tesla, but from a hacking point of view this is some of the coolest things I’ve seen in a while!
Congrats, OP has recreated a test/development bench, the bane of developers working on automotive software development all around the world. They're so close to being a real vehicle that you think you'll be able to get a lot of work done, but they're not, so you don't.
Honestly I love it. Few things develop a more fun camaraderie than a bringup bootcamp with two precious/priceless new samples on a large conference table, and everyone being very careful to keep cups/mugs very far away.
And a soldering robot with a specialist a few rooms away to beam down the latest errata into physical form, at times.
Tracy Kidder just died, and Soul of a New Machine was a favorite of my formative years as an engineer. Once I started in headunit ECU development it felt very familiar to me at times.
I'm a software guy, but the gear has a lot of allure.
Haha, don't forget your wristbands.
Can confirm. We are required to test all of our stuff on a bench, but no one really trusts this, because everything is mocked anyway (RSI).
This is awesome. Curious if these are plug and play and if that's the case where is the memory that tells you what the mileage is. If it's attached to the computer then the mileage would be off if you switch/repair it.
Completely unrelated. Would be interested if you figure out how to retrofit the new adaptive shocks on performance models to the older cars. Something I would love to do if I had hobby time. I'm pretty sure they fit physically, but needs to be connected to the main computer. I likely would never touch the main computer unless I got root access. In my brain I was thinking about a separate system made with raspberry pi's.
You can, at the very least, retrofit the Juniper suspension onto the old car [1]. I haven't ridden in the new Performance yet, but I recently got a 2026 Model Y and the suspension is night and day compared to my 2024.
[1] - https://www.youtube.com/watch?v=EahoyTgkkyU
I feel like maybe you're headed towards this https://youtu.be/K9a2_3XObNI?si=vkP_utLfo3M0LFGO
> A DC power supply capable of providing 12V
Hey, I just remembered my school used to have ages ago some cool power supplies (I think from Agilent?) that were very idiot proof, they had current limit with a dial that I think didn’t go over 1A or perhaps even less, and they would instantly disarm on short circuit (and indicate it with an LED), and also the voltage dial I think wouldn’t go over 25V. I remember it was very big and heavy, but it survived countless students that used the lab daily.
Nowadays, is there any power supply available that is that resistant or is the recommended approach to get a used old one? Does anyone have a power supply at home that is also used by kids with a brand/model they would recommend? Thanks!
What you're describing is a lab power supply. (The "instantly disarm on short circuit" is overcurrent protection, which is a standard feature.) The name brands like Keysight or Rigol are kind of expensive, but there are a lot of no-name models on Amazon which will do the job well enough.
Thanks! I had a BK Vision or something similar at some point and it just blew up. I will give it a search for these brands, sometimes I find a well-cared used one from the more expensive brands at good prices so that’s what I will look for first. :)
Keysight == Hewlett-Packard Old School.
Those were called something like desktop power supplies.
https://www.mouser.com/c/power/power-supplies/power-supplies...
AT $5k it better make me breakfast, too.
Got this for ~50$ a while ago. It works perfectly for this exact setup (Tesla MCU on a bench), tested it, and used it for a lot of other projects.
https://a.aliexpress.com/_EvT5Kog
They have variable dc power supplies on amazon on the cheap.
If you want that sort of reliability it will probably go towards 100$.
> We ordered the chip and took the board to a local PCB repair shop, where they successfully replaced it and fixed the MCU.
What is a "local PCB repair shop"? All the guys who used to fix TVs and radios are gone. Anyone else (not living in China) having trouble locating such an outfit in their neighborhood?
Cell phone/laptop repair shops.
When I’ve brought atypical stuff in to be repaired at one of those shops they have been absolutely willing to solder whatever, however they did have just one “soldering guy” for every shop in the metro area who only came as needed. So just keep that in mind if you’re in a hurry or want to talk an atypical task through with someone. Probably call ahead.
Interesting.
> A REST-like API on :8080 which returned a history of “tasks”
I am curious to know what kind of historical tasks- since it's a media control unit; does it show what kind of media was being played in the last trip? does it reveal any other info about the driver?? There might be a privacy angle here that you could exploit and share it with Tesla.
They hit Odin. Odin is the diagnostic tool of Tesla. The tasks they've seen are like "TEST_BRAKE_X_STIFFNESS-TEST-PRESSURE-BURNISHED" and are used to test different components of the car. They're also used for example to reset FSD strikes.
In Tesla terms, the infotainment does much more than just playing music - it has full access to the rest of the car.
I remember back when Chrysler did that and researchers were able to shut a Jeep down mid-drive by attacking the internet-connected infotainment. This doesn't sound great.
This is cool, how exactly did it boot?
"tuner" almost certainly refers to a radio (think AM/FM/SiriusXM) tuner module
I have no wheels and I must drift
People need to request the source code. There’s a ton of open source they use that forces Tesla to give you source if you’re a customer and you ask. I don’t get why security people aren’t doing this already.
You get the linux kernel and a bunch of other things you can find on github anyway. You can't do anything useful with that, except what you already can get from any linux package manager.
Sure someone should do it just to verify the process works, but it isn't really useful. (in general companies are very careful to not violate GPL license terms, often refusing to use GPL3 at all)
I would love to use the drive units from a Tesla in a conversion project. Unfortunately, they're cryptographically paired with the main computer, and there's no way to use them.
What a waste.
These conversions are super common. What am I missing?
That is done to kill the "chop shops" criminals used to steal cars and then break them up for parts. You can't do that with computers because of that pairing and so stealing a car pays much less and in turn is less common. (it still happens, it just doesn't pay as well)
The trick is to pick up the main computer and the paired drive unit(s) by picking up a whole vehicle (with a salvage title). There are shops in LA, and elsewhere who do conversions this way.
I _do_ find it weird that the LCDs from crashed cars are so expensive. I wonder if newer models have better screens, so people with older cars upgrade? Or if they're a common failure point?
I have a Model 3, but I can't say I follow the forums.. but I've never heard of screens failing -- I'm sure it happens but I think if it was common problem I'd have heard of it.
I'd guess they fail not on their own, but because they are human interface devices and take the brunt of abuse... e.g. iPhone screens are a popular repair despite being reliable components.
I have a 2023 model 3 and my screen had a small defect develop, a slightly darker area in a roughly half cm diameter area. I think most people would have never noticed but I pointed it out to Tesla service and they replaced the screen.
Some newer models have better (bigger) screens, and some are incompatible since they've slightly changed the connector. Old models (pre highland/ jupiter facelift) have used the same display shown in the article for a very long time across M3 and MY. What usually happens is that they physically break because people are not that careful, so the touch screen ends up breaking - although you really have to put a lot of force to break that display.
My 2016 Model S LCD panel developed the well-known fault of delamination and leaking some kind of sticky fluid.
Turns out the early Model S vehicles used consumer grade LCD panels that weren’t designed for the prolonged high heat you get in a metal and glass box left outside in the sun all day.
Tesla since upgraded their vehicle screens to proper automotive-grade LCDs which are excellent.
My point is, automotive-grade hardware is higher spec than regular consumer computer hardware, hence the high prices.
As an aside, I upgraded my whole computer and screen from MCU1 to MCU2 and it was worth the upgrade.
Credit to Tesla for building a retrofit computer upgrade for old vehicles. That's a non-trivial thing to engineer and I appreciate their effort. Other car manufacturers would prefer you were compelled to buy their latest vehicle instead.
I love that it has a standard RJ45 ethernet connector.
I thought I saw an HDMI connector, but maybe I was wrong.
Ha! Reading this comment made me curious, so I went back and looked at the article and there does seem to be a full sized HDMI connector. I wonder if it is enabled, or just for Tesla internal testing?
I wonder if the USB-C next to it is like these diagnostic ports on Dell servers?
How many PoE adapters would it take to charge a Tesla?
Mostly depends on how fast you want to charge.
Prime example of free will
Any way to make sure my tesla hasn't been rooted and modified by previous owner, perhaps with remote access?
Granted, I think it would be valuable to look at all sorts of automotive ECUs. I always wonder how the tuning industry does their thing; I shudder to think they're just sitting there flipping hex codes directly in running software...
Nice read. I would LOVE for someone to dump the whole FSD AI/ML model and try to run it in simulator! That would be awesome!
Anyone finding this fascinating, please check out Openinverter Forum [0]. Ton of work has been done in decoding CAN messages, DBC files are floating around, open source firmware and controllers are available for Tesla and other components, mostly inverters and chargers but there are overlaps with the VCU and displays as well.
[0] - https://openinverter.org/forum/
I'm amused reading the terms and requirements the author mentions in the bug bounty program for researchers gaining root access (under 'Vehicle Targets') - https://bugcrowd.com/engagements/tesla
"To promote further security research, Tesla offers security researchers the opportunity to retain root access on their infotainment system even after their reported vulnerability has been patched. In order to qualify, a researcher must send in a valid report describing a novel way to gain root access on a Tesla infotainment system. Upon confirmation, Tesla will instruct the researcher on how to use their existing root access to enable the researcher SSH feature, along with an SSH certificate for the researcher's public key (tailored to their specific hardware ID). The certificate restricts SSH access to the local diagnostic ethernet link. Tesla may renew the certificate as long as the researcher continues reporting vulnerabilities."
Very neat.
Great project. This begs for real-world feedback though. A go kart would be fantastic.
Really cool breakdown. You’ve got a full Tesla gaming rig now!
You're going to make it drive an RC car right?
But can it play doom?
It could probably run it and learn to play it too.
> Turns out that actual cars don’t have individual cables. Instead they have these big “looms”, which bundle many cables from a nearby area into a single harness. This is the reason why I could not find the individual cable earlier. They simply don’t manufacture it.
I was really surprised to read this at the end of the article -- how could someone be this deep into a project of this depth and not realize this?! Not only because all cars (...er... all vehicles) are wired this way, but also because the documentation they were referencing has plenty of detail to show this... there's even a whole picture of it (and to Tesla's credit they have amazing free docs): https://service.tesla.com/docs/Model3/ServiceManual/2024/en-...
> how could someone be this deep into a project of this depth and not realize this
I think this is a software guy who occasionally dips into hardware things (to hunt bugs).
That's what I figure -- but it was wild to read that after reading the part about component-level PCB repair lol
Yeh, it seems odd to have the cut off cables, the wiring information...and then to go and buy a loom rather than bodging a cable at that point.
I was more fascinated that a new wiring harness was $80! I've easily spent $30-50 for a single VAG cable 1ft pigtail.
Even if you know that cars consist of a single wiring harness, it's not implied that they aren't modular and the individual cables cannot be purchased separately.
Cars usually consist of multiple harnesses -- as it is in this case as well. The harnesses are the cables in a car. That is the part you can purchase because that is the part.
There's a list of them here: https://service.tesla.com/docs/Model3/ServiceManual/2024/en-...
> and to Tesla's credit they have amazing free docs
Not to Tesla's credit, they had to be dragged kicking and screaming into it (primarily by Massachusetts) and their right to repair legislation through a solid chunk of malicious compliance:
1. When told that they had to have a site for people to order parts, Tesla put up a site that had every single item as "Call us", including the most simple of bolts. And when a few places called, "Sorry, that's not available to you".
2. The service manual was originally only available in a few locations in MA, and had strict conditions: you had to book in advance, there was a $100 fee per booking, and you could only view the manual on premises, and could not bring electronic devices into the room with you, just pen and paper.
The docs they have are great, and who knows how their attitude would have changed over time, but they absolutely didn't want you to have it, initially.
Tesla treated the service manual like congress treats certain recently surfaced files.
Wrong. They’ve always been open, even with their patents too. All free to use, no royalties
I will say I’m surprised how far apart the two boxes are in the car. I guess they’re not where I thought. I would assume they’re both up near the dash.
The passenger side kick panel or behind the glove box are two very common places for vehicle computers -- some cars have them under the hood, which I always thought was a bad idea.
> I was really surprised to read this at the end of the article -- how could someone be this deep into a project of this depth and not realize this?!
Usually, for most other vehicles, the connectors are either standardized (e.g. radios, ISO 10487 [1], high-current chargers by VG 96917) or the foundation plugs, sockets and re-pinning tools are readily available by the vehicle manufacturer or by aftermarket suppliers.
Tesla truly went out of their way to make the life of third parties (such as wire harness repair shops) more miserable here.
[1] https://de.wikipedia.org/wiki/ISO_10487
EVs have actually managed to reduce the number of wire bundles (mostly due to switching to Ethernet instead of CAN Bus)
How?
When canbus is already two wires, and by definition, is a bus, so you can just keep stringing those two wires to any module you need. I know Ethernet BUSes exist, but what advantage would those have to canbus then? They're both two-wire buses.
Tesla also went to a 48v wiring harness in some of their vehicles to allow them to power more equipment with less copper. It might be one reason why they use nonstandard connectors, so people don't attempt to hook 12v equipment to the system and also the higher voltages might require connectors rated for it.
Now they just have to take the next step and have everything in the vehicle running on PoE.
Software people tend to overestimate their knowledge of other disciplines, writing it off as "easy" or work beneath them. Being overpaid compared to your peers certainly doesn't help dispel this feeling. Some people have built entire careers around designing wire looms.
> Software people tend to overestimate their knowledge of other disciplines, writing it off as "easy" or work beneath them
You should see what happens when someone involved in the sciences, e.g. Chemistry, gets their hands on Claude Code.
Consider whether this is an uncharitable comment --- someone with little expertise in a discipline has made a rookie mistake and didn't realize that the wires weren't produced individually.
Professionals overestimating their knowledge is a very common thing!
What a rancid comment. The first thing you can think of when seeing someone earnestly sharing their learning process, is to insult them of being vain.
There's a reason that John Salvatier's 'Reality Has A Surprising Amount of Detail' blog entry is so evergreen on this forum.
It's called misplaced confidence and it isn't exclusive to software engineers. Doctors, engineers, presidents... The list goes on.
People tend to overestimate their knowledge of other disciplines.
I have worked with a LOT of PhDs in recent years. Their code leaves much to be desired.
I don't know, I've had more non-technical people and trades try and mansplain bullshit they don't understand than tech people have.
I'm sure you're an expert, pro at everything.
I wasn’t criticizing them.
Yes I am. Thank you for recognising that.
Could 'lb' be load balancer?!
It actually stands for "lizard brain"... it is (or at least was) an Infineon Aurix control and monitoring microcontroller, they may have changed to a newer one.
this is the coolest shi i've ever read on hackernews
Fun linguistic quirk: Americans tend to call it a "wiring harness", whereas Brits prefer "loom"
As a result of this and the child comments…
As an Australian, I often find myself saying things like “the wiring harness, or loom, or cable, or whatever we're calling it this week”.
Exasperated by living in a state other than the one I grew up in. South Australians are often easily spotted by their pronunciation of certain words.
And, of course, Germans have a dedicated composite noun for it: Kabelbaum (literal translation: cable tree).
I always like to point out that Germans don’t, in fact, have a word for everything.
It’s just a phrase or sentence with spaces removed.
Knowhatimsayin.
So what do you call the tubing around the wire bundle? That’s what we call “loom”.
In Canada we generally call it the sleeve, or the wrap.
I am surprised that they are surprised that car wiring diagrams are online. People wouldn't accept cars without online service manuals and schematics, and some states mandate them by law. I just looked up this subsystem for my car via my public library. https://appcontent.chiltonlibrary.com/chilton_images/Honda/E...
Just peruse the comments here to see how difficult they are to obtain on many cars.
now this is cool
Very cool.
Now why didn't an AI think of that? :)
Humans have better taste (at least for now :D)
i wish the ui on those things was more visually appealing. between the cheap looking gloss finish on the display itself and the unextraordinary ui, it's just kinda blah. one can have a debate about to screen or not to screen or whether to use vfd displays or whatever and i get the importance of cost control but it should look good and it really doesn't. the graphic of the car looks like a cartoon.
Interesting take–– I feel the total opposite; I love the UI.
i think a lot of people do. i don't know what it is, there's maybe just something about the car graphic that doesn't sit right with me. the front/side view when parked just seems cheesy for some reason. maybe because it's meant to show unclosed doors or something and when everything is set the car's status is car which is redundant.
It's glass...