M2G Posted April 7, 2016

A couple of months ago, for God knows what reason, I decided to hack my Tesla Model S. My goal was to get root access to the touchscreen, henceforth known as the CID. I spent about 2 months on research and preparation for this project. When I was confident everything was all set, I grabbed my tools and my laptops and went to work.

1) Access the Side Panel

The first step was to remove the little side cover right by the door on the driver's side. This reveals a little white connector that you can see here sticking out. It may look weird, but it's basically a CAT 6 cable with a proprietary connector from Tesla. You can connect to it by taking a regular network cable and adding the male proprietary end to it, or try to buy one from a salvage. The cable I used was one I made myself. So, the white access wire is where I will finally get access to the network and can perform the hack itself. Unfortunately, it's currently locked down behind a VPN that requires a password to unlock, which I didn't have, so I had to unlock it.

2) Remove Lower Dash Trim

After the side cover is removed, I had to remove the huge trim underneath the steering wheel. It had 9 clips that I had to really fight with my wedge to get disconnected. I finally got it off, though.

3) Remove the Vents

Oh my god, this took forever. I had to unscrew the large top pad, which covers the entire dash, from the chassis. After that, you have to pry that sucker up, which unhooks a few clips but still wants to fight you the whole time. It was covering the screws for the vents. The top pad is sensitive, as is the chrome edge on it, so you have to be careful not to bend it while simultaneously prying that sucker apart so you can unscrew the two screws. After that you just remove the instrument cluster cover and pull the vents out.

4) Remove Instrument Cluster

The instrument cluster needs to be removed. Once again, this required lifting the top pad to access the two upper screws. Honestly, I took this picture after I had removed the bottom screws because I was dreading having to remove the two on top... I finally got the two screws removed, though. I'm sure by this point you're wondering how in the heck this will manage to unlock the white connector. You'll see soon.

5) Instrument Cluster Connector

And here's that golden ticket: another connector like the white one! This one is a connection to the CID (touchscreen). The IC connects to the CID through a web interface to get updates on things like the navigation, music, etc., as well as to send commands like opening the sunroof. What I had to do was disconnect the cable from the IC and plug my earlier cable into it. This allowed me to get the car into Factory Mode. Once that was done, I unplugged my laptop and plugged the cable back into the IC. If you hold down the Tesla T in Factory Mode, you end up with the "Developer Mode" screens. I'll probably make a post another day going through all of it. I had to add this screen, though. It's the thermal status screen, and most definitely my favorite.

6) Root the S

The car is in Factory Mode, and thus the white cable back at the beginning in the side panel is unlocked and ready for me. So, I plugged in my laptop and ran a script I had pre-written:

obtain_root

Dramatic reenactment of the rooting experience.

This goes through a secret process that eventually gets me connected to the CID (touchscreen) with root privileges. From there I had a bunch of stuff that ran automagically to set it up so I wouldn't have to go through all this crap every time I wanted access to the car. Then, I just disconnect from the white cable, turn off Factory Mode, reboot the car, then reinstall all the stuff I removed. Bam! Hack complete.

Post Root

The car is rooted, now what? I have a lot of things planned and have been doing a lot of exploring. I'll be posting my findings, pictures, videos, etc. here. I have something awesome I've been working on. Hopefully I can get a video up sometime soon.

Source
Silviu Posted April 7, 2016

@Nytro, the image proxy isn't working: