Hi there, welcome to my talk, where I go through and brick a very expensive automobile, then eventually make it faster. Hope you enjoy it. It was certainly the most complicated reverse engineering project I've worked on.

So, a little bit about me. My name is Patrick Kiley. I'm a member of the penetration testing team at Rapid7. I've been working in the industry for about 17 years. I've done previous research that I've released on avionics security, and I've done quite a bit of research specifically on internet-connected transportation platforms. I have experience in hardware hacking, Internet of Things, autonomous vehicles and CAN bus.

So here's an overview of all the topics that we're going to cover. First we're going to go over the architecture of the Model S, and specifically the battery management system; you'll find all of that is relevant when I explain some of the other stuff. The timeline of when the performance Model S and Ludicrous were released. The hardware changes that have to occur in order to make a car move at ludicrous speeds. The data stored within the diagnostic program that Tesla uses within its service centers, called Toolbox. Some of the firmware changes, in fact all the firmware changes, that have to occur to the battery management system to make it work. The process of modifying the high-current shunt: for those of you who haven't heard the term before, a shunt is a method within electrical and electronics of measuring current using a known resistance value, and this is a device within the high-voltage battery that has to be modified in order to allow it to handle the power of Ludicrous. It turns out it was a very important part of this whole process. And then we'll actually go over the upgrade process, how I failed and bricked the car, what I learned, and had to have it towed across state lines, and some pretty cool things on how I was able to dig a little bit deeper into how the gateway works and some special files that it stores that determine the configuration of the car. And then next steps: can we actually take Ludicrous speed further, should we, and what we need to do to make that happen.

So, a little bit about the architecture of the Model S overall. It has the central display, so if you sit in the Model S there's a large screen to your right, or to the left of your passenger, or to your left if you're in a right-hand-drive vehicle. And then there's also an instrument cluster. Both of those actually run the NVIDIA Tegra, up until recently, when the central display switched over to Intel Atom. All of this is going to assume it's an NVIDIA Tegra base, because that Tegra has to be rooted for this research to work.

The next component that's really critical to this is the gateway. The gateway sits between the central display, the instrument cluster and the rest of the vehicle. It acts as a firewall between the various CAN buses, and between the CAN buses and the infotainment features, as well as the internet connectivity and Wi-Fi connectivity, etc.

The next component that's critical to this, because that's where all the modifications are, is the powertrain CAN bus. This is a standard CAN bus running at 500 kilobits a second.
It contains the battery management system, the drive units, and all the charging and thermal controllers sit on that CAN bus. Beyond that, it's a standard vehicle CAN bus: it runs at, again, 500 kilobits a second, uses 11-bit arbitration IDs and, very importantly, it supports UDS. Many of the routines that you actually have to modify to do this require UDS to work, and having some knowledge of UDS turned out to be critical for me to do this research. I learned quite a bit about it.

So next we have the battery management system. The battery management system is a board that sits inside the battery pack at the rear. The primary microprocessor on it is a TI TMS320C2809. There's a hardware backup for it, so in case there's some type of hardware failure, the hardware backup is an Altera CPLD. It's critical for one step of the process that we're going to do later. And then there's a current shunt and a pre-charge resistor. The full reversing of these components is an ongoing project, so if you want to help, reach out to me, because there are some skills, like assembly for the TMS320, that I'm not very good with.

So here I've skipped over some of the steps because it's easier to show on the screen. The high-voltage contactors you can see in the middle, those round circles with two large terminal posts on them. The high-current shunt connects directly to the battery management system; it sits between one of the bus bars going from the battery to the contactors. There's a pre-charge resistor. So the way that the contactors are engaged is, when the vehicle wants to enable battery power to the rest of the vehicle, one of the contactors closes, and then the pre-charge resistor sits there as a relatively slow current path for the rest of the high-voltage system to come up to match the voltage of the battery. It's only then that the BMS allows the other contactors to close, so you don't get inrush current and you don't get damage to the components from the massive amount of power that's in that battery system.

From there, we actually have 16 battery management boards. These contain all the bleed resistors so it can balance the voltage across all the packs. There are 96 of them, I believe, six in each of the 16 modules, and then the BMBs also monitor the temperature and of course the voltage of the individual battery modules. And then the last thing you see on the far right is voltage sense. Voltage sense is the component that actually sits on the four contactors of the battery, so not only can it actually detect when the contactors are open or closed, if they're not in a state where the BMS expects them, but it's also used to measure the current voltage level coming from the battery.

So, a little bit of history, and this will be relevant in just a minute.
You'll see why. So in October of 2014, the performance dual-motor Model S was announced. This was ridiculously fast when it was released, something like 3.4 seconds 0 to 60. But it wasn't until July of the next year that Ludicrous was announced. When Ludicrous was announced, they announced it as a $10,000 option on new versions of the Model S, and it was $10,000 for a while. I think eventually they gave it away for free; they keep going back and forth on it. That's really up to them. So it's always been kind of an optional item to make the car a little bit faster and have Ludicrous power on it: $10,000 for new buyers, but as an offer for existing P85D owners they offered it as a $5,000 upgrade. And the press release actually mentioned that the upgrade involved putting in new contactors and a pyro fuse.

But after a while, many of the performance battery packs that would go into the car would already be capable of running Ludicrous mode; they just wouldn't have the feature turned on. And when I say "Ludicrous capable", what I mean is that all you have to do is modify a single file on the gateway of the vehicle. So you root the vehicle, modify the single file, and it has Ludicrous mode. For all the P100Ds, as far as I understand, and all the newer Model S's that are dual-motor performance, all you have to do is modify this single line on the gateway.

So I've got a little bit of information about that. The gateway has this file called internal.dat. It stores the car's configuration. It has, for example, the type of wheels that are on it so that the display actually reflects it correctly, the color of the car, the version of the thermal controller, the version of the various drive units and the version of the battery pack, and a bunch of other configurations that it also controls. It's also the file that is modified when, as I heard about, people had supercharging disabled; that's where it's disabled. It's actually disabled client-side on the vehicle.

But for the purposes of this talk, all you have to do is, from a rooted vehicle, request this internal.dat file and make a quick file editor change, of which, you know, vi and nano are both there. So you go into internal.dat, add this line, performance add-on, and add the value of one. From there you copy it back over to the gateway, reboot the gateway, and then boom, the vehicle's Ludicrous. But that's not the case for the earlier models. The earlier models are where you actually had to do quite a bit to the firmware. I'm just talking about the later ones, so the later ones that were Ludicrous capable already, in other words the battery was already capable of Ludicrous speeds; this is the only thing you have to change.

So, as I kind of alluded to earlier, the earlier vehicles, you know, some of the 90s and all the 85s released up to that point, required hardware. They required modification of the current shunt. You had to reflash the firmware in the battery management system. You had to recalibrate the current shunt. Only then could you actually add that value to the gateway file internal.dat and actually reconfigure it to support Ludicrous speed. If you did it before that, it wouldn't actually give you the speed; it would show you the setting, but it wouldn't go any faster.

So we did this. I actually upgraded an owner's vehicle. We have a contact in southern California. For those who don't know, I'm actually located in Las Vegas, so through some online forums I found someone else who is actually hacking on their Tesla. The guy owned a body shop. He was willing to let me borrow his lift. A lift isn't something you can just kind of go to a garage and say, hey, can I borrow your lift for a couple of days? Because, you know, they have this thing called insurance, and no, just go away. So he let me do this, very graciously. Thank you, Bitbuster; I'll call you out here at the end. But another little quick anecdote about this guy who loaned me his garage.
He was actually hacking on a Model S. He took the car and actually enabled Autopilot version 2 on an Autopilot 1 car. So he added all eight of the cameras, put in the newer computer, replaced the steering rack and a bunch of other stuff, and actually got Autopilot 2, so all the full self-driving stuff, retrofitted to an older model vehicle. Pretty cool stuff. I was pretty impressed with that. I believe he's the first person in the world ever to do that.

So here's a picture of the pack dropped. It was fairly complicated but not too hard. You know, you remove the central bolts and then lower it down onto this big heavy rack that could support the weight of the entire vehicle, and then you remove the ones along the edges and then raise the car back up, and the battery pack drops out. All the electrical connections are quick disconnects; the coolant is a quick disconnect. I believe this is because originally Tesla was toying around with this idea of having swappable battery packs for people on the road. I believe they had a pilot program at one point; it just never really seemed to go anywhere. So they make it really easy to drop the pack, as long as you have access to the appropriate equipment.

So here in this next picture we have a picture of the fuse bay, which is up at the front of the vehicle on the opposite side of where the coolant tubes enter the pack. Here the cover over the fuse is removed and the old fuse is visible, the fuse that actually has to come out. And then on the right, we have the contactor bay with it opened up, the cover plate removed and the old contactors removed. Here we have a close-up of the current shunt; you can see it sits right next to the BMS. And then the new contactors are installed at this point.

Here's a close-up of the BMS. You can see that it just sits at the very bottom of the bay, and it's just kind of on the right side, or left if you're staring at the car from the front, but from my perspective it's on the right. And you can see the TMS320 right there, kind of in the middle, the CPLD off to the right, and what is that between the two? Oh, that's interesting, that label says JTAG. We'll get into that later. Yeah, it actually has JTAG. The BMSs that I've messed with on my bench, none of them actually had that connector; it was all covered over with conformal coating. But the one in the car that I modified actually had these headers on here that say JTAG. Kind of interesting.

Another thing that you have to do is you actually have to replace a second fuse. So on older vehicles, this is underneath the rear seat. There's a fuse between the center thing, called the high-voltage junction box, and the front drive unit. So one of the things that I kind of found by digging around in Toolbox, which I'll get into later, is you actually have to replace this fuse with a bus bar. Yeah, that's right, the instructions say you replace the fuse with a bus bar. So we did that. Here's the front fuse, here's the front fuse removed, and here's the front fuse replaced with the bus bar. Put it all back together, put the seat back in, connect all the high-voltage interlocks back up, and that part is done.

So what about firmware? This is really where the majority of my time went. The physical work was actually pretty easy to figure out; Tesla actually publicly talked about the components that were involved. The firmware was the hard part, and to do this we need to dig into some Python. Tesla uses a diagnostic tool called Toolbox.
It's a Python Windows executable. Well, that's right, it's an executable written in Python, but it runs in Windows. So it's been compiled and then encrypted, and it uses these plugins that are compiled and encrypted. But it's designed to work without a connection to the internet, so all the information that you need to decrypt these individual files, called scrambled, as you can kind of see in this image, is actually in the executable. So if you're able to get an image or grab the correct files, you're able to decrypt these modules. To be completely honest, this wasn't my work to figure out; this was other people that actually figured this out. They had done some of the decompiling as well, so you can use uncompyle6 to actually run against the PYC compiled files and get Python source code. I did a lot of that. I wrote a really, really ugly Python script to iterate through every single one of the scrambled files. The scrambled files are also all kind of zipped up; yeah, there's a bunch of separate source code files underneath each one, in separate directories. So I iterated through them all, ran uncompyle against them, and then did some additional work that I'll talk about in my next slides. But they also left all the source code comments in place, so thank you, that actually helped me figure this out.

So this is an example of just the header of the file. This is the UDS one. You can see it actually has all of these comments here in place; you know, here are the headers added by uncompyle, but it actually shows when it was compiled, who compiled it, who the author is, with their email address too, and then the copyright information on it.

So here's the kind of thing that I was able to actually see by digging through all these. This is one of the specific files used to configure for Ludicrous. So this is the performance add-on config. This is the one that modifies the gateway, if you don't do it manually like I did, and it tells you that you first have to verify the vehicle can be configured for Ludicrous mode: the vehicle needs to be all-wheel drive and have a battery pack config that supports the 1500 amp current discharge. So this is assuming the battery pack has already been modified. There are other routines in Toolbox that actually go through this.

One of the most important things in these Toolbox files were these data structures. So you can see these three variable names: qt_resource_data, qt_resource_name, qt_resource_struct. My really, really ugly Python script went through those and actually converted those back into binary, and then from there I ran binwalk against those binary files and I got a ton of useful information, things like this. This is the pointer that tells me exactly how to do it. So we already know that the donor vehicle had a pack ID of 57, and it says, okay, if you're going to change battery pack ID 57 to 70, here are the three firmware files that you need. Okay, well, where do I get those firmware files? Turns out they were stored within those Python data structures. I ran binwalk against it, I actually got a tar file of firmware, and when you untar that file you get every single one of these hex files of firmware. It was all stored within the Python executable, all right there, ready to be used. So for this upgrade, pack 57 becomes pack 70. Pack 57 is a 1300 amp battery pack; pack 70 is a 1500 amp.

One of the things that I did that I thought was interesting, since we're still talking about the firmware, is I did some differential analysis of the bootloaders. So I have the two different bootloaders here, 57 and 70. You can see that there really weren't that many changes. On one line, it's a single bit that changes. The other ones, you know, the "5 3 7" and "7 3 0" that you see here, are just the actual number: one is 57, one is 70. And then we have this short little group of hex characters, and that was the only change between the different versions of the bootloader. But that's not the case for the application file; the application file had a bunch of different changes. It's just the bootloaders themselves that were all very, very similar.

So to do this upgrade, all the instructions and files that you need for this were stored in these Toolbox files. There also were a bunch of other really helpful files: DBC files. For those of you who've hacked on a vehicle before, DBC is the instruction file that stores all of the various CAN bus signals so that you can interpret them, and the individual DBC files for all the various CAN buses of the vehicle were stored within Toolbox. The ODX files: ODX is an XML-style format that defines how to do diagnostics, how to do firmware upgrades, how to get security access, and a bunch of other stuff, stored in kind of the ODX file format. So the diagnostic routines are ODX, the CAN bus interpretation routines are DBC, and then there were also files that stored the calibration data for the shunt. Those are stored also in a Python pickle. Turns out that every single vehicle that was eligible for Ludicrous upgrades by upgrading the battery had the shunt calibration values stored in an array within this Python pickle file. So you have to actually look up the shunt on the vehicle that you're upgrading, compare it to this pickle file and get these shunt calibration values, which I'm going to show you in a little bit. And then of course there are all these text comments and other data structures that kind of eventually allowed me to piece together the process.

So I'll talk a little bit more about UDS. Here's what a UDS file looks like. This is the one for actually doing shunt calibration.
It shows that there are all these parameters: HWID, CGI1, CAU1. There's also a CRC value and a serial number. And again, CAN networks use a DBC file; UDS uses ODX or GMD. So I used the commercial tool Vehicle Spy to actually do the next steps of this research. I took these DBC files and these ODX files and imported them into Vehicle Spy, plugged it into the bench, plugged it into an actual vehicle, and just sat there and listened to traffic so I could try and figure it out.

So it turns out that the arbitration ID is 232 for the BMS, and 266 and 2E5 for the two drive inverters. They identify max power. Those are variables; they vary based on state of charge, temperature and power recently used. On Sunday I'm actually going to have an in-depth deep dive into these DBC files and some of the information, because I want to actually map out the entire power curve, see if I can put that back and actually figure out where the power curve is stored in the BMS firmware. So check that out if you want to actually see a little bit further into the talk than what I'm able to cover in this one.

So what does a DBC do? This is what raw CAN bus traffic looks like. You can see all the IDs, you know, 102 through 302 down here, and you just see a bunch of data. But once you put in a DBC file, you can actually translate it all, so you can actually see all the values. "BMS" basically means that this is the BMS that's actually sending this. You can see the power available; this is power available before the drive units are engaged, so this is just the car sitting in an off mode before you press the brake pedal and engage the drive units and wake the car up all the way.

So again, ODX routines for shunt calibration. Here's the actual ODX routine imported into Vehicle Spy for actually doing the shunt calibration. So what you do is you actually connect to the car, read the value of the shunt, you actually do some firmware stuff, which I'll go over in a minute, and then modify these values.
So these are values that are already modified. The thing I thought was interesting is the CGI1 and CAU1 values are all identical for a Ludicrous vehicle, where they weren't before. And then we have a serial number and a CRC, and then of course the hardware ID. This actually says "write success" with that. This is actually a read function; so the 23 is a read function. There's a separate function for actually writing the shunt, and again, I'll actually demonstrate the process on Sunday in the deep dive.

So one of the things I found out by building this all on a bench and doing this work is the shunt also needed a hardware modification. After I did the upgrade on a bench, I kept getting this error message that would pop up on the central display, and also, you know, within the DBCs of the CAN bus there's an array of all the various error messages, and it talks about overcurrent sense. There's a particular error message that just popped up showing overcurrent sense after I modified the firmware, but the error was not there before. So digging into this, what I did is I actually made a breakout board and used a logic analyzer and analyzed all the signals coming off of this shunt. It actually turns out it's a very simple communications protocol that it used, but this one wire, as it turns out, eventually connects to the CPLD. So it looks like there's a sensor within this shunt that, for Ludicrous power, they want disconnected. They don't want it to be able to communicate to the CPLD, and since the CPLD didn't change, I'm assuming it has something to do with, you know, the current values going through the CPLD that Tesla didn't want to modify. So when this wire is disconnected, that error message went away. So that basically tells me that there's a wire that has to be disconnected during the process of actually doing this upgrade.

So again: go to California, drop the battery pack, drain the battery as much as possible, do all the hardware stuff, modify the shunt, disconnect that wire. Very scary stuff. And there are actually these special gloves that I purchased, special gloves and special socket wrenches that are used when you deal with high voltage. They're a rubber glove with a leather overlining, and then you're just careful about, you know, where you're standing and proximity to the other components, and even though the fuse isolates you, there's still enough of a charge in something where you can shock yourself, and again, if you're touching the wrong things you can actually hurt yourself. So there are quite a few precautions you actually have to take. I talked to a few Tesla techs and they told me what the gloves were, so I ordered a set of those and used all possible precautions for doing that.

So we got the pack, did all the hardware stuff, reinstalled the pack. Reinstalling the pack was probably the most pucker-factor part of the whole install, because I was really nervous about having a Rich Rebuilds moment and actually damaging one of the leads, because then I'd have to leave the vehicle there for a long time and have the customer angry at me. So I used a borescope, both back here at the battery pack, these are the main battery pack contacts going back into the battery, and then up front where the coolant lines were; scoped those and then just very slowly lowered the vehicle onto the pack.
Everything went flawlessly. Reinstalled all the hardware, lifted the car back up, verified everything, dropped it completely off the lift, and then had to do all the firmware stuff. So it turns out that you have to actually flash the BMS with special firmware. There were, you know, those three files; it actually says that to do the shunt calibration you load this file onto the BMS. So there's a special application file just for doing a shunt calibration. Look up the shunt value, recalibrate the shunt with the value based on the serial number. I'd already extracted that serial number and validated that it was in the table, so I knew I was okay there; that all went without a hitch. Flash the BMS with its new bootloader, flash the BMS with its new application firmware, update internal.dat, change the pack ID, and then try to do a firmware redeploy, which is the thing that you just do after you change any component on the vehicle, and then drive away, right? No.

No, this is where the fun begins. I used every known technique that I've used before. I tried putting on new firmware. I messed with this for a day and a half. I think I aged myself quite a bit, stressed myself out. It failed. It would not redeploy, it would not reinstall; I was getting an error every single time. So I started logging a lot of data, tried to troubleshoot, couldn't figure it out, was stressed out. Finally just said screw it, had the car towed back to Vegas so I could continue to work on it. It only cost, oh, $3,600. So not great, not terrible, right?

But I learned something cool. I was able to figure something else out. So I flew home, started messing with my bench trying to replicate this condition, dug through my error logs that I copiously captured, and I was noticing an error mentioning something called firmware.drc. That file was generating some type of error. It turns out the gateway uses this as a validation check, and the values end up being calculated in the upgrade redeploy. So this file stores all these CRC values. I had seen one other reference to it: the Tencent guys had done a previous Tesla hacking presentation where they talked about how the gateway used this file. So I went to the gateway and said, you know, instead of GW transfer internal.dat, GW transfer firmware.drc, and boom, it gave me the file. I saw it, and it had all these CRC values. So all I had to do was look up, from the map of files, the specific BMS firmware that's supposed to be running for that pack ID and that version of software, make sure that version of software, or firmware, was running on the BMS, and then grab its CRC value and replace the CRC value in firmware.drc with the value for the new pack ID. And if you look here at the end, you can see there's a separate one for the file CRC. There are even little values for the door handles; this drfp and drrp, those are values for the various door handles. So if you upgrade the door handle to new firmware, firmware.drc has to be changed. It turns out I had a new door handle that I actually had to change too, but it wasn't causing an error; that wasn't stopping the vehicle from being able to operate.

So what you do is you strip off the CRC line, calculate the new CRC, and it turns out it's a JAMCRC32. Somebody else figured that out while they were helping me; I didn't figure that out myself. And then put the file back on the gateway. After I did that, the car woke up, the errors cleared, and that was the problem. And I eventually figured out the reason for the other failure. I'm not going to talk about that; it's really embarrassing.
It was something added to the car that it didn't have and didn't need, but yeah, hit me up with a beer sometime and I'll talk about it.

So here is the power before and after the upgrade. I grabbed the CAN bus data before the upgrade; it had 1305 amps available. These are static values; again, these aren't the ones that are available based on state of charge, these are a hard limit. After the upgrade it had 1516 amps. But it actually has a separate CAN bus line, 202 instead of 72, the debug one, that actually has a slightly lower value, and I have no idea why. So if someone from Tesla wants to tell me, I'll keep it to myself. I'm just really curious why the vehicle has that extra 16 plus 8, 24 amps of power missing, actually 23.6 amps of power missing. So if you can tell me that, I'm really curious about that. It doesn't look like there's any derating going on, because that value right above it says derating active: zero. So I'm assuming that means no, but I'm curious.

Okay, so here's where we can take this project from here, if you want to help. The TMS320 is supported in IDA Pro; I've actually got some stuff on that in the Car Hacking Village deep dive. Again, arbitration IDs 72 and 202 define max current. There's one more for the other drive inverter; I can't remember what it is. So it seems possible to increase speed beyond Ludicrous and actually do it safely. It's been done by others. There's a guy back east who actually has a rear-wheel-drive P85 where he faked the unit out and basically created a CAN bus emulator for the front drive unit, and bumped the BMS beyond the limits that it can handle. So it seems that all you have to do is go into that firmware and bump the values up a bit, probably even recalculate the CRC value, and it looks like, since we know how to change the gateway, we can just change that as well. But it could be dangerous if you take this too far. You're going to burn up the car, you're going to start blowing the individual cell fuses. But there is some room in there. It looks like the current drain for the Model S batteries is only like 6.6 C, 20 amps per cell. For those of you who've worked in RC before, you know that you can actually go beyond that for short periods of time. But who knows what the IGBTs in the drive unit can handle; you blow those, you're looking at a really expensive upgrade. But again, I just want to reverse engineer this for the pure point of reverse engineering. I want to understand where these values are stored so that others more brave than I can actually turn their cars into true drag monsters, you know, put in better batteries, maybe double up on the number of batteries, and just turn their Model S's into things that annihilate everything else on the track. I'd also like to understand the shunt parameters, CAU1, CGI1. I don't know what those are; I just know they had to change. So again, come check out the Car Hacking Village deep dive and we'll do some more analysis of the firmware and actually show where you can take the project from here.

So, reference materials. I had to remove the first link so we don't have a copyright issue; that was the first thing. But again, thank you to Spaceballs, the movie, for inspiring Ludicrous mode. And then the P85D announcement, the Ludicrous announcement. ElectroBOOM, if you haven't checked out his YouTube page, pretty funny guy; he actually describes a current shunt better than I ever could. The datasheet for the TMS320 on TI's site, very helpful for the IDA stuff that I was working on. I'd like to thank Intrepid Control Systems; they made the Vehicle Spy software. Bitbuster, thank you for letting me use your lift and your garage. It was invaluable in this work. The guys who helped me with the Toolbox reversing, you know who you are, thank you all, invaluable for all this work. And then the Tesla security team, thank you for actually letting me do this talk and being so supportive of this research. And then of course, all these names, the Model S, P85D, those are all registered trademarks of Tesla. We are not sponsored by or associated with Tesla in any way. And thank you for listening. We're going to have a Q&A at some point later today, so bring your questions there; I'd be happy to answer them.
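Editor's note, added after the talk: the section above on DBC files describes Vehicle Spy turning raw powertrain CAN traffic into named signals such as "power available" on the BMS arbitration ID. The following Python is an added example, not the speaker's tooling and not Tesla's DBC: it parses a minimal DBC fragment (BO_/SG_ lines) and decodes a frame with both Intel and Motorola bit ordering. The arbitration ID 0x232 is the BMS ID named in the talk; the signal names, bit positions, scaling and the frame bytes are constructed for illustration.

```python
"""Minimal DBC parser and CAN frame decoder (added example, not the talk's tooling).
The DEMO_DBC text and DEMO_FRAME bytes are constructed; only the 0x232 BMS ID
comes from the talk, the signal layout is invented."""
import re
from dataclasses import dataclass, field


@dataclass
class Signal:
    name: str
    start: int           # DBC start bit: LSB for Intel, MSB for Motorola
    length: int
    little_endian: bool  # '@1' = Intel/little-endian, '@0' = Motorola/big-endian
    signed: bool
    factor: float
    offset: float
    unit: str


@dataclass
class Message:
    can_id: int
    name: str
    dlc: int
    signals: list = field(default_factory=list)


# BO_ <id> <name>: <dlc> <sender>
_BO = re.compile(r"^BO_\s+(\d+)\s+(\w+)\s*:\s*(\d+)\s+(\w+)")
# SG_ <name> : <start>|<len>@<order><sign> (<factor>,<offset>) [<min>|<max>] "<unit>" ...
_SG = re.compile(r'^\s*SG_\s+(\w+)\s*:\s*(\d+)\|(\d+)@([01])([+-])\s*'
                 r'\(([^,]+),([^)]+)\)\s*\[[^\]]*\]\s*"([^"]*)"')


def parse_dbc(text: str) -> dict:
    """Return {can_id: Message} for the BO_/SG_ definitions in a DBC file."""
    messages, current = {}, None
    for line in text.splitlines():
        m = _BO.match(line)
        if m:
            # Bit 31 of the DBC ID marks an extended (29-bit) identifier; strip it.
            current = Message(int(m.group(1)) & 0x1FFFFFFF, m.group(2), int(m.group(3)))
            messages[current.can_id] = current
            continue
        m = _SG.match(line)
        if m and current is not None:
            current.signals.append(Signal(
                name=m.group(1), start=int(m.group(2)), length=int(m.group(3)),
                little_endian=(m.group(4) == "1"), signed=(m.group(5) == "-"),
                factor=float(m.group(6)), offset=float(m.group(7)), unit=m.group(8)))
    return messages


def extract_raw(data: bytes, sig: Signal) -> int:
    """Pull the raw integer for one signal out of a frame payload."""
    mask = (1 << sig.length) - 1
    if sig.little_endian:
        raw = (int.from_bytes(data, "little") >> sig.start) & mask
    else:
        # Motorola: the start bit is the signal's MSB; bits run toward bit 0 of
        # that byte, then continue from bit 7 of the following byte.
        msb_pos = (len(data) - 1 - sig.start // 8) * 8 + sig.start % 8
        shift = msb_pos - sig.length + 1
        if shift < 0:
            raise ValueError(f"{sig.name} does not fit in a {len(data)}-byte frame")
        raw = (int.from_bytes(data, "big") >> shift) & mask
    if sig.signed and raw & (1 << (sig.length - 1)):
        raw -= 1 << sig.length  # two's complement
    return raw


def decode_frame(messages: dict, can_id: int, data: bytes):
    """Decode one frame into {signal_name: physical_value}; None if the ID is unknown."""
    msg = messages.get(can_id)
    if msg is None:
        return None
    if len(data) < msg.dlc:
        raise ValueError(f"{msg.name}: expected {msg.dlc} bytes, got {len(data)}")
    return {s.name: extract_raw(data, s) * s.factor + s.offset for s in msg.signals}


# Constructed DBC fragment (not Tesla's): ID 562 == 0x232, the BMS ID from the talk.
DEMO_DBC = """\
BO_ 562 BMS_powerAvailable: 8 BMS
 SG_ BMS_maxDischargeCurrent : 0|16@1+ (0.1,0) [0|6553.5] "A" Vector__XXX
 SG_ BMS_maxRegenCurrent : 16|16@1+ (0.1,0) [0|6553.5] "A" Vector__XXX
 SG_ BMS_packTemp : 39|8@0- (0.5,0) [-64|63.5] "degC" Vector__XXX
"""

# Constructed frame: 13050 (0x32FA, LE) -> 1305.0 A, 5000 (0x1388, LE) -> 500.0 A,
# byte 4 = 0xEC (-20 signed) -> -10.0 degC; remaining bytes zero.
DEMO_FRAME = (0x232, bytes.fromhex("FA328813EC000000"))


def demo() -> dict:
    messages = parse_dbc(DEMO_DBC)
    return decode_frame(messages, *DEMO_FRAME)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name} = {value}")
```

Multiplexed signals and value tables are deliberately left out; the point is the bit extraction, which is where hand-written decoders usually go wrong (Motorola start bits count from the signal's MSB, not its LSB).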
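Editor's note, added after the talk: the firmware redeploy failure above came down to the gateway's firmware.drc validation check, fixed by stripping the CRC line, recomputing the checksum and writing the file back. The Python below is an added example modelling that step; it is not Tesla's file format or the speaker's tooling. The key=value layout, the key names, the sample firmware blobs and the door-handle entries are constructed for illustration. The talk's checksum is transcribed as "gem CRC 32", which I read as JAMCRC (CRC-32 without the final inversion); that reading is an assumption, and a different variant would change only jamcrc32().

```python
"""Verify and re-seal a CRC-protected configuration file, modelling the
firmware.drc step in the talk (added example; layout and CRC variant assumed)."""
import zlib

CRC_KEY = "crc"  # assumed name of the trailing line that seals the whole file


def jamcrc32(data: bytes) -> int:
    """CRC-32/JAMCRC: zlib's reflected CRC-32 without the final XOR with 0xFFFFFFFF.
    Known check value: jamcrc32(b"123456789") == 0x340BC6D9."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def _split(text: str):
    """Separate the body lines from the trailing file CRC (None if absent)."""
    body, file_crc = [], None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == CRC_KEY:
            file_crc = int(value.strip(), 16)
        else:
            body.append(line)
    return body, file_crc


def _body_bytes(body) -> bytes:
    return ("\n".join(body) + "\n").encode()


def seal(body) -> str:
    """Append a file CRC computed over the body lines."""
    return "\n".join(body) + "\n" + f"{CRC_KEY}={jamcrc32(_body_bytes(body)):08x}\n"


def verify(text: str) -> bool:
    """The gateway-side check: file CRC must match the CRC of everything above it."""
    body, file_crc = _split(text)
    return file_crc is not None and file_crc == jamcrc32(_body_bytes(body))


def set_entry(text: str, key: str, value: str) -> str:
    """Strip the CRC line, change (or add) one entry, and re-seal: the procedure
    the talk describes for swapping in the CRC of a new component firmware."""
    body, _ = _split(text)
    new_line, found = f"{key}={value}", False
    for i, line in enumerate(body):
        if line.partition("=")[0].strip() == key:
            body[i], found = new_line, True
    if not found:
        body.append(new_line)
    return seal(body)


# Constructed stand-ins (not real firmware) for the pack-57 and pack-70 BMS
# application images the talk mentions; only their CRCs matter here.
BMS_APP_PACK57 = b"constructed BMS application image, pack id 57\n"
BMS_APP_PACK70 = b"constructed BMS application image, pack id 70\n"


def build_demo_file() -> str:
    """A sealed file whose entries are the CRCs of each component's firmware."""
    return seal([
        "pack=57",
        f"bms={jamcrc32(BMS_APP_PACK57):08x}",
        "drfp=1a2b3c4d",  # invented door-handle entries, echoing the talk
        "drrp=5e6f7081",
    ])


def demo():
    """Returns (original ok, edited-without-reseal ok, edited-and-resealed ok)."""
    original = build_demo_file()
    # Editing the body without touching the CRC line is what the gateway rejects.
    tampered = original.replace("pack=57", "pack=70")
    # Recomputing the CRC is all it takes to pass the check again.
    resealed = set_entry(set_entry(original, "pack", "70"),
                         "bms", f"{jamcrc32(BMS_APP_PACK70):08x}")
    return verify(original), verify(tampered), verify(resealed)


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should take from this: in this model the check catches a stale or inconsistent file, which is exactly what tripped the redeploy, but a CRC carries no secret, so anyone who can write the file can re-seal it. Only a keyed MAC or a signature over the body would turn the check into a boundary against someone holding root on the gateway.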