It's pretty well known that modern cars are full of little computers talking to each other. This internal network, known as the CAN bus, is pretty specific to cars and as a result is pretty unfamiliar to most people. Tesla, of course, loves to be different. And by different, I mean not different. Hear me out.
Recently, an intrepid and curious Tesla owner found a hidden four-pin connector, and with a hunch and some trial-and-error work discovered that it is in fact an ethernet port, and wired up a standard ethernet cable to connect to it.
What he discovered next is notable for how strangely familiar it all is to anyone with even a passing knowledge of computer networking:
The car's internal 100 Mbps, full duplex ethernet network consists of 3 devices with assiged IP addresses in the 192.168.90.0 subnet, the center console, dashboard/nav screen and one more unknown device. Some ports and services that were open on the devices were 22 (SSH), 23 (telnet),53 (open domain), 80 (HTTP), 111 (rpcbind), 2049 (NFS), 6000 (X11). Port 80 was serving up a web page with the image or media of the current song being played. The operating system is modified version of Ubuntu using an ext3 filesystem.
It's really odd just how, well, normal all this feels — it's just like any home or office network. They're using it in some interesting ways — for example, the current song playing artwork is being served to the center large display simply like normal web traffic.
There's a full thread from the original poster, nlc on the Tesla Motors Club forum, that's full of really interesting information about the network, and lots of useful basic details:
The ethernet network of the car contains 3 peripherals :
- The center console, IP Address 192.168.90.100
- The dashboard/navigation screen, IP Address 192.168.90.101
- An unknown peripheral, IP Address 192.168.90.102
These 3 peripheral send of lot of data in broadcast UDP, to 192.168.90.255 broadcat address. Different UDP ports are used depending of data type.
In fact they use the same principle a CAN bus use :
- Everyone send data on the network
- Anyone who need it listen for this data.
The data shared on the netword seem to be in clear. I can see a Ascii header which define the type of the frame. Some data are in binary format thus it will need some reverse engineering to understand the data.
I also tested the openeds ports of the 3 peripherals :
- Central console :
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
6000/tcp open X11
MAC Address: FA:9E:70:EA:xx:xx (Unknown)
- Dashboard screen :
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
6000/tcp open X11
MAC Address: 36:C4:1F:2A:xx:xx (Unknown)
- Unknown device :
PORT STATE SERVICE
23/tcp open telnet
1050/tcp open java-or-OTGfileshare
MAC Address: 00:00:A7:01:xx:xx (Network Computing Devices)
He even managed to get Firefox running on both the center screen and the dash cluster screen. It's interesting to see how the displays are oriented, at least according to how the OS actually sees them. I'm guessing there's some sort of reason why the screen orientation would be rotated 180° on the dash cluster, though I have no idea what it is.
If you want to try this on your (or a very open/inattentive friend's) Tesla, here's a picture of the pinouts for the color-coded Ethernet wires. Also, you should be aware that Tesla was alerted to his explorations, and contacted him to suggest that he knock it off, already:
This evening I got a call from service center
They told me Tesla USA engineers seen a tentative of hacking on my car...
I explained it was me because I tried to connect the diagnosis port to get some useful data (speed, power, etc...). They told me it can be related to industrial espionage and advised me to stop investigation, to not void the warranty....
Don't know if they really seen something in the log, because I just sniffed the network. Or maybe they seen the port scanning with nmap ? Or maybe they just read this topic ?
I'm all for people hacking the things they own; it was decided that jailbreaking your phone is legal, though you can't blame Tesla for not wanting to be on the hook if someone does something dangerous or stupid. Still, with appropriate caveats, it's the man's car and he should be able to tinker as he pleases.
This opens up all kinds of interesting possibilities, especially since the protocols they're using in the car are so well-known outside the automotive universe. I'm excited to see what happens next.