Getting root on Tesla Model S


A couple of months ago, for God knows what reason, I decided to hack my Tesla Model S.  My goal was to get root access to the touchscreen, henceforth known as the CID.  I spent about 2 months of research and preparation for this project.  When I was confident everything was all set, I grabbed my tools and my laptops and went to work.

1) Access the Side Panel

The first step was to remove the little side cover right by the door on the driver's side.  This reveals a little white connector that you can see here sticking out.

It may look weird, but it's basically a CAT 6 cable with a proprietary connector from Tesla.  You can connect to it by taking a regular network cable and adding the male proprietary end to it, or try to buy one from a salvage.  The cable I used was one I made myself.
I honestly didn't make it myself... I'm terrible with soldering irons.

So, the white access wire is where I will finally get access to the network and can perform the hack itself. Unfortunately, it's currently locked down behind a VPN that requires a password to unlock, which unfortunately I didn't have, so I had to unlock it.

2) Remove Lower Dash Trim

Seriously, fuck this panel.
After the side cover is removed I had to remove the huge trim underneath the steering wheel.  It had 9 clips that I had to really fight with my wedge to get disconnected.  I finally got it off though.

3) Remove the Vents

It was at this point that I realized that I'm ripping apart a 100K car, and that I had crossed the batshit crazy line.
Oh my god, this took forever.  I had to unscrew the large top pad which covers the entire dash from the chassis.  After that, you have to pry that sucker up which unhooks a few clips but still wants to fight you the whole time.  It was covering the screws for the vents.  The top pad is sensitive, as is the chrome edge to it, so you have to be careful not to bend it while simultaneously prying that sucker apart so you can unscrew the two screws.  After that you just remove the instrument cluster cover and pull the vents out.

4) Remove Instrument Cluster

I need a drink.

The instrument cluster needs to be removed.  Once again, this required lifting the top pad to access the two upper screws.  Honestly, I took this picture after I had removed the bottom screws because I was dreading having to remove the two on top...

I finally got the two screws removed, though.  I'm sure by this point you're wondering how in the heck this will manage to unlock the white connector.  You'll see soon.

5) Instrument Cluster Connector

So much work for something so simple. Don't keep it unplugged for too long or it will complain up to Tesla. I have been trying to avoid that...

And here's that golden ticket: another connector like the white one! This one is a connection to the CID (touchscreen).  The IC connects to the CID through a web interface to get updates on things like the navigation, music, etc. as well as send commands like opening the sunroof.

Haha I'm awesome
What I had to do was disconnect the cable from the IC and plug my earlier cable into it.  This allowed me to get the car into Factory Mode. Once that was done, I unplugged my laptop and plugged the cable back into the IC.
It was all animated and shit. Whoever made this screen went all out. He probably was like "I'm seriously going to make the best screen on the entire CID." All the other devs were probably upset at his overachieving ass.
If you hold down the Tesla T in Factory Mode you end up with the "Developer Mode" screens. I'll probably make a post another day going through all of it.  I had to add this screen though.  It's the thermal status screen, and most definitely my favorite.

6) Root the S

The car is in Factory Mode, and thus the white cable back at the beginning in the side panel is unlocked and ready for me.  So, I plugged in my laptop and ran a script I had pre-written: obtain_root
Apparently someone didn't bother reading the carefully prepared memo on commonly-used passwords.
Dramatic reenactment of the rooting experience.

This goes through a secret process that eventually gets me connected to the CID (touchscreen) with root privileges.  From there I had a bunch of stuff that ran automagically to set it up so I wouldn't have to go through all this crap every time I wanted access to the car. Then, I just disconnect from the white cable, turn off the factory mode, reboot the car, then reinstall all the stuff I removed.  Bam! Hack complete.


Post Root

The car is rooted, now what? I have a lot of things planned and have been doing a lot of exploring.  I'll be posting my findings, pictures, videos etc. here.  I have something awesome I've been working on.  Hopefully I can get a video up sometime soon.