From the article

> Tesla offers a “Root access program” on their bug bounty program. Researchers who find at least one valid “rooting” vulnerability will receive a permanent SSH certificate for their own car, allowing them to log in as root and continue their research further.

Pretty interesting. Sounds like Apple's Security Research Device Program[0], where you're loaned a rooted iPhone, but with a clear qualification criteria.

It strikes a nice balance, because to qualify you have to 1) show you have the skills to get root access anyway and 2) show you're willing to participate in the bug bounty program and get things patched.

I would of course love root on everything I own, but I can understand Tesla's motivation here since root for everyone would make vulnerability discovery easier for malicious actors. And if everyone had root on their Tesla, it'd be much easier to make naughty modifications that might catch the ire of regulators. (like disabling driver attentiveness checks in self-driving mode).

[0] https://security.apple.com/research-device/

I used to work for a company that made third party scan tools. We had racks of ecus disconnected from the car with just a diagnostic connector and power. nothing got to a real car without first trying it on the rack. I remember on time we figured out a bmw (pre obdii) had the bytes offset from the standard documentation (it was a semi-standard protocol that some other cars used at the time), we went from we communicate but nothing is wrong to a very long list of dtcs on that controller. (All our competitors also showed nothing wrong, but the official bmw tool showed dtcs)

It's funny to hear LVDS be described as an "automotive" cable when all of my run-ins with it are for connecting laptop displays to their main-boards! (though that has a very different connector on it, and its a very general term for the signalling protocol from what I remember)

Very cool. Over a year and a half ago I installed a towing brake controller in my Tesla Model Y. Found the location of the plug, how to access and the pinout online (confirmed via a voltmeter..) so the car's side felt straight forward. But then I needed to find a brake controller that can work with the higher voltage (14.4v vs the normal 12v). Then built a cable from the brake controller to the connector that plugs into the car that I found on eBay. I velcro'd the controller under the dashboard. It works pretty well. I towed my small camper several times with it last year with no issues. Yay! However my little project is nothing compared to this post. Love people hacking away. So cool.

You can run QtCar (the Qt-based app that Tesla uses for their UIs) on QEMU - if you have the firmware.

https://x.com/i/status/1722717318009041104

DM me if interested

> " I needed this because both the computer and a screen were being sold with the cables cut a few centimeters after the connector (interestingly most sellers did that, instead of just unplugging the cables)."

Can't you just solder some extra wires onto the cut off bits, rather than having to try and find a compatible cable? They've left the connectors in, and that's the hard bit, the rest is just wires

The part about reverse engineering the boot process just to get a display output is wild — most people would have given up three rabbit holes earlier. Curious what the latency feels like running actual Tesla UI on desk hardware, does it feel snappy or is there noticeable lag compared to in-car?

ECU software development is sort of my day job. If you're going to go down this path, I seriously recommend getting the specialized plugs and connectors and making your own wiring harnesses to whatever size you need. It's absolutely easier than manhandling a full wiring harness or cutting one down. Cheaper, too.

Excellent detective work. I had no idea you can get a Tesla's computer off market. I wonder if these may be the last decade that we may be able to get root access to our on hardware consumer products. Keep the good work up.

I'm actually somewhat surprised the OS fully boots when it's not connected to the expected vehicle peripherals

It's funny how the biggest problem turned out to be a mostly mechanical part, the rather trivial 6-pin connector.

Given the presence of the wiring schematics and the mechanical dimensions, I'm surprised that the author did not try to 3D-print the mechanical parts of the connectors, givem that the electrical parts extracted from the BMW connectors did fit.

> Unfortunately I had no other choice but to buy this entire loom for 80 USD.

Fwiw, mine costs $450 from Ford. Also in the US we call this a wiring harness, with the loom being the material that goes over the wires

> Turns out that actual cars don’t have individual cables. Instead they have these big “looms”, which bundle many cables from a nearby area into a single harness. This is the reason why I could not find the individual cable earlier. They simply don’t manufacture it.

Typical setup for cars (and lawn mowers). As a software guy my first instinct is, computing power is cheap enough, seems like a CAT5-like thing running between all components would do it. Speaking as a software guy - meaning I'm probably missing a lot of the big picture. On the other hand, it's a lot easier to safety-check a mechanical lockout that physically opens a circuit, than something running on software.

I see in the attached SS that the car has the "BIFL" FSD (?). Does this mean you could swap this CPU a non-FSD Model 3 and get it?

:O

Say what you will about Tesla, but from a hacking point of view this is some of the coolest things I’ve seen in a while!

Congrats, OP has recreated a test/development bench, the bane of developers working on automotive software development all around the world. They're so close to being a real vehicle that you think you'll be able to get a lot of work done, but they're not, so you don't.

This is awesome. Curious if these are plug and play and if that's the case where is the memory that tells you what the mileage is. If it's attached to the computer than the mileage would be off if you switch/repair it.

Completely unrelated. Would be interested if you figure out how to retrofit the new adaptive shocks on performance models to the older cars. Something I would love to do if I had hobby time. I'm pretty sure they fit physically, but needs to be connected to the main computer. I likely would never touch the main computer unless I got root access. In my brain I was thinking about a separate system made with raspberry pi's.

> A DC power supply capable of providing 12V

Hey, I just remembered my school used to have ages ago some cool power supplies (I think from Agilent?) that were very idiot proof, they had current limit with a dial that I think didn’t went over 1A or perhaps even less, and they would instantly disarm on short circuit (and indicate it with a led), and also the voltage dial I think wouldn’t go over 25V. I remember it was very big and heavy, but it survived countless students that used the lab daily.

Nowadays, is there any power supply available that is that resistant or is the recommended approach to get an used old one? Does anyone have a power supply at home that is also used by kids with a brand/model they would recommend? Thanks!

I feel like maybe you're headed towards this https://youtu.be/K9a2_3XObNI?si=vkP_utLfo3M0LFGO

> We ordered the chip and took the board to a local PCB repair shop, where they successfully replaced it and fixed the MCU.

What is a "local PCB repair shop"? All the guys who used to fix TVs and radios are gone. Anyone else (not living in China) having trouble locating such an outfit in their neighborhood?

Interesting.

> A REST-like API on :8080 which returned a history of “tasks”

I am curious to know what kind of historical tasks- since it's a media control unit; does it show what kind of media was being played in the last trip? does it reveal any other info about the driver?? There might be a privacy angle here that you could exploit and share it with Tesla.

This is cool, how exactly did it boot?

"tuner" almost certainly refers to a radio (think AM/FM/SiriusXM) tuner module

I have no wheels and I must drift

People need to request the source code.. There’s a ton of open source they use that forces Tesla to give you source if you’re a customer and you ask. I don’t get why security people aren’t doing this already.

I would love to use the drive units from a Tesla in a conversion project. Unfortunately, they're cryptographically paired with the main computer, and there's no way to use them.

What a waste.

I _do_ find it weird that the LCDs from crashed cars are so expensive. I wonder if newer models have better screens, so people with older cars upgrade? Or if they're a common failure point?

I have a Model 3, but I can't say I follow the forums.. but I've never heard of screens failing -- I'm sure it happens but I think if it was common problem I'd have heard of it.

I love that it has a standard RJ45 ethernet connector.

Prime example of free will

Any way to make sure my tesla hasn't been rooted and modified by previous owner, perhaps with remote access?

Granted, I think it would be valuable to look at all sorts of automotive ECUs. I always wonder how the tuning industry does their thing; I shudder to think they're just sitting there flipping hex codes directly in running software...

Nice read. I would LOVE for someone to dump the whole FSD AI/ML model and try to run it in simulator! That would be awesome!

Anyone finding this fascinating, please check out Openinverter Forum [0]. Ton of work has been done in decoding CAN messages, DBC files are floating around, open source firmware and controllers are available for Tesla and others components, mostly inverters and chargers but there are overlaps with the VCU and displays as well.

[0] - https://openinverter.org/forum/

I'm amused reading the terms and requirements the author mentions in the bug bounty program for researchers gaining root access (under 'Vehicle Targets') - https://bugcrowd.com/engagements/tesla

"To promote further security research, Tesla offers security researchers the opportunity to retain root access on their infotainment system even after their reported vulnerability has been patched. In order to qualify, a researcher must send in a valid report describing a novel way to gain root access on a Tesla infotainment system. Upon confirmation, Tesla will instruct the researcher on how to use their existing root access to enable the researcher SSH feature, along with an SSH certificate for the researcher's public key (tailored to their specific hardware ID). The certificate restricts SSH access to the local diagnostic ethernet link. Tesla may renew the certificate as long as the researcher continues reporting vulnerabilities."

Very neat.

Great project. This begs for real-world feedback though. A go kart would be fantastic.

Really cool breakdown. You’ve got a full Tesla gaming rig now!

You're going to make it drive an RC car right?

But can it play doom?

> Turns out that actual cars don’t have individual cables. Instead they have these big “looms”, which bundle many cables from a nearby area into a single harness. This is the reason why I could not find the individual cable earlier. They simply don’t manufacture it.

I was really surprised to read this at the end of the article -- how could someone be this deep into a project of this depth and not realize this?! Not only because all cars (...er... all vehicles) are wired this way, but also because the documentation they were referencing has plenty of detail to show this... there's even a whole picture of it (and to Tesla's credit they have amazing free docs): https://service.tesla.com/docs/Model3/ServiceManual/2024/en-...

Could 'lb' be load balancer?!

this is the coolest shi i've ever read on hackernews

Fun linguistic quirk: Americans tend to call it a "wiring harness", whereas Brits prefer "loom"

I am surprised that they are surprised that car wiring diagrams are online. People wouldn't accept cars without online service manuals and schematics, and some states mandate them by law. I just looked up this subsystem for my car via my public library. https://appcontent.chiltonlibrary.com/chilton_images/Honda/E...

now this is cool

[dead]

[dead]

[dead]

[dead]

[dead]

[dead]

Very cool.

Now why didn't an AI think of that? :)

i wish the ui on those things was more visually appealing. between the cheap looking gloss finish on the display itself and the unextraordinary ui, it's just kinda blah. one can have a debate about to screen or not to screen or whether to use vfd displays or whatever and i get the importance of cost control but it should look good and it really doesn't. the graphic of the car looks like a cartoon.