Wednesday, April 6, 2016

Hack the S

A couple of months ago, for God knows what reason, I decided to hack my Tesla Model S.  My goal was to get root access to the touchscreen, henceforth known as the CID.  I spent about 2 months researching and preparing for this project.  When I was confident everything was all set, I grabbed my tools and my laptops and went to work.

1) Access the Side Panel

The first step was to remove the little side cover right by the door on the driver's side.  This reveals a little white connector that you can see here sticking out.

It may look weird, but it's basically a CAT 6 cable with a proprietary connector from Tesla.  You can connect to it by taking a regular network cable and adding the male proprietary end to it, or try to buy one from a salvage.  The cable I used was one I made myself.
I honestly didn't make it myself... I'm terrible with soldering irons.

So, the white access wire is where I will finally get access to the network and can perform the hack itself. Unfortunately, it's locked down behind a VPN that requires a password, which I didn't have, so I had to find another way to unlock it.

2) Remove Lower Dash Trim

Seriously, fuck this panel.

After the side cover was removed, I had to remove the huge trim piece underneath the steering wheel.  It had 9 clips that I had to really fight with my wedge to get disconnected.  I finally got it off though.

3) Remove the Vents

It was at this point that I realized that I'm ripping apart a 100K car, and that I had crossed the batshit crazy line.

Oh my god, this took forever.  I had to unscrew the large top pad, which covers the entire dash, from the chassis.  After that you have to pry that sucker up, which unhooks a few clips but still wants to fight you the whole time.  It was covering the screws for the vents.  The top pad is sensitive, as is its chrome edge, so you have to be careful not to bend it while simultaneously prying it apart so you can unscrew the two screws.  After that you just remove the instrument cluster cover and pull the vents out.

4) Remove Instrument Cluster

I need a drink.

The instrument cluster needs to be removed.  Once again, this required lifting the top pad to access the two upper screws.  Honestly, I took this picture after I had removed the bottom screws because I was dreading having to remove the two on top...

I finally got the two screws removed, though.  I'm sure by this point you're wondering how in the heck this will manage to unlock the white connector.  You'll see soon.

5) Instrument Cluster Connector

So much work for something so simple. Don't keep it unplugged for too long or it will complain up to Tesla. I have been trying to avoid that...

And here's that golden ticket: another connector like the white one! This one is a connection to the CID (touchscreen).  The IC connects to the CID through a web interface to get updates on things like the navigation, music, etc. as well as send commands like opening the sunroof.

Haha I'm awesome

What I had to do was disconnect the cable from the IC and plug my earlier cable into it.  This allowed me to get the car into Factory Mode. Once that was done, I unplugged my laptop and plugged the cable back into the IC.

It was all animated and shit. Whoever made this screen went all out. He probably was like "I'm seriously going to make the best screen on the entire CID." All the other devs were probably upset at his overachieving ass.

If you hold down the Tesla T in Factory Mode you end up with the "Developer Mode" screens. I'll probably make a post another day going through all of it.  I had to add this screen though.  It's the thermal status screen, and most definitely my favorite.

6) Root the S

The car is in Factory Mode, and thus the white cable from the side panel at the beginning is unlocked and ready for me.  So, I plugged in my laptop and ran a script I had pre-written: obtain_root
Apparently someone didn't bother reading the carefully prepared memo on commonly-used passwords.
Dramatic reenactment of the rooting experience.

This goes through a secret process that eventually gets me connected to the CID (touchscreen) with root privileges.  From there I had a bunch of stuff that ran automagically to set it up so I wouldn't have to go through all this crap every time I wanted access to the car. Then I just disconnected from the white cable, turned off Factory Mode, rebooted the car, and reinstalled all the stuff I had removed.  Bam! Hack complete.

Post Root

The car is rooted, now what? I have a lot of things planned and have been doing a lot of exploring.  I'll be posting my findings, pictures, videos etc. here.  I have something awesome I've been working on.  Hopefully I can get a video up sometime soon.


Unknown said...

This is amazing! Look forward to your future Tesla #hacks

Jay said...

Nice write-up! 2 things:
1) Could you detail a bit about the script you used? I find it a bit hard to believe that you simply brute-forced sudo (or something similar) and "God" was the password.
2) I heard that Tesla doesn't look kindly on researchers hacking into their cars. Did you hear from them yet?

said...

You might want to check out the discussion on HackerNews and give proof that the accusations are false:

Hemera said...

I went on there and gave my two cents. It doesn't matter much, though. I know this post doesn't show much; it was more just me showing my experience. I wasn't looking to write a how-to. I'm going to have some actual stuff in the near future. Also, it's amusing they think I'm a Tesla shill. When can I expect a check from them?

1) That wasn't the real script, I just wrote up something to ssh into my car far after the fact. All the fluff in there was just me being silly. I do have pictures of the actual root when I did it, but it has tons of identifying info in it. For instance, the actual PS1 on the shell shows tesla@cid-$ I can't really show that if I'm trying to be anonymous...
2) As of now I do not believe that Tesla knows who I am. I would like to keep it that way for as long as I possibly can. I could just be really naive, though. If they do know, I'm sure I'll find out soon!

ALGR6TS said...

The movie ref is great! Could her holiness please change her password?

Dazureus said...

Could you elaborate how you got into factory mode on the IPC? Did you send a CAN message to enter factory mode? Is the IPC a gateway to the CID for diag mode stuff?

Unknown said...

Looking forward to hearing about the progress here. As a game developer with 30 years of experience, I expect some really cool stuff can be done with the Model S.

roboticians and roboteers said...

Unless I repeat those steps myself, allow me to consider this a "story" in the news.
I wonder what kind of kernel mods they use, what safety features they implemented, and how they ensure fail-safe operation.

Unknown said...

Hello SU TESLA Hemera! Awesome skills, next level. To answer your question about where next, two things popped into my mind.
1) is obviously what the limit of drawable amps from the batteries is, to get MOAR POWEEEER.
2) would be an NFS Autopilot mode where the car basically ignores most of the traffic rules and keeps speeding all the way to the destination.
Bonus: a Drift mode where the car utilises its sensors to turn itself into some 4-wheel torque-vectored drift machine.

Hendrik Schokker said...

Hack the planet!

Yan P. said...

Run Doom on this car.