Browse Category

Cars

Tesla Reverse Engineering: MCU Teardown

Overview

When reverse engineering an important, and rather fun, step is disassembly. Digging into the internals of hardware & software typically provides many clues as to how you can exploit a system. If you know what technologies are being utilized, this will make it easier to understand how the product works and how to exploit it. Additionally, by knowing what key components / technologies are in use will give you a starting point for finding attack vectors. (E.g. known vulnerabilities) Additionally, in many cases, an analysis of the hardware will result in the discovery of diagnostic/debug access to the system. This is especially true for the Tesla Media Control Unit (MCU)

The MCU, which has numerous implementations, is a complex device which is critical to the operation of the Tesla vehicle. The MCU serves as the primary user interface for vehicle control/configuration, navigation, radio, entertainment, communication & coordination w/ other vehicle modules, diagnostics, and remote communication w/ Tesla HQ. Given the complexity of this unit, any/all clues to its operation will be extremely helpful in understanding how it operates. A full tear down & inventory of key components is ONE method to increase our knowledge.

The MCU consists of the key sub-assemblies:

  • Bonded Display – For most people, this is the only assembly that matters as it collects user input and provides visual feedback.
  • Amplifier Assembly – Audio amplifier module which drives speakers, etc.
  • Cellular Communications – This sub-assembly is responsible for cellular communications. Early MCUs supported 3G while newer sub-assemblies support 4G/5G.
  • Infotainment Processor – This sub-assembly provides the main processing power for the MCU. For the MCU 1, this is powered by NVidia while MCU 2 utilizes Intel Atom, and MCU 3 contains an AMD Ryzen processor.
  • Main Board – This is the largest assembly and serves as the hub for all of the other sub-assemblies.

Bonded Display

From a reverse engineering perspective, this is probably the least interesting sub-assembly. The electronics are relatively minimal and single purposed. I don’t expect there to be much value in focusing on this assembly. With that said, there is a USB port on the control board. I suspect this is probably used for pushing firmware in the factory.

Amplifier Assembly

Similar to the display, this assembly is also very single purposed and I don’t see any obvious value in focusing too much time here. A quick review of the circuit board does not find anything remarkably useful for reverse engineering purposes.

Cellular Communications

This module is far more interesting as it is responsible for remote communication, which is quite valuable. There are multiple prominently displayed components on this board of note. Additionally, you’ll see that this contains a removable SIM card. As the older modules came with “unlimited data”, perhaps you can repurpose this? ☺ It would additionally be curious to see if any data is on this card.

Infotainment Processor

The infotainment process assembly is another “high value target” as this is the primary “brains” of the MCU. In addition to the NVIDIA processor, this board contains SDRAM, e-NAND Flash Drive*, a USB Hub, Ethernet controller, and an IC flash device. In additional to the components, on the board, there are a couple of unpopulated pads. Perhaps these pads are simply for optional components or perhaps they are for diagnostic purposes. More investigation is required to determine if they are of any value.

* – Due to how the Flash Drive has been utilized by Tesla, these devices are beginning to fail in older MCU 1 vehicles. When they fail, the MCU will operate erratically eventually resulting in the “black screen of death”. There is a recall and Tesla will replace these sub-assemblies with a newer/higher capacity flash memory. If you are skilled, you can repair this yourself. ☺

Main Board

Given the size of the main board, it shouldn’t be surprising that there are many components of interest here. On this board, there are numerous communications chips: Switched gigabit Ethernet, multi-media serial links, CAN, and LIN. As I know the MCU plays “gatekeeper” for both Ethernet and CAN communications, reviewing these components for weaknesses will be a high priority.

Aside from the communication ICs, this board also contains Micro SD & SD data cards, a hidden USB port, and multiple JTAG/TI diagnostic connectors. While I’m not going to “spill the beans” (yet) on the contents of the data cards, I will say there are both very useful for reverse engineering purposes. I will point out that NEITHER card is automotive/harsh environment grade. Because of this, they will fail much sooner due to the temperature extremes in a vehicle. If either of these cards fail, you are in for a very bad time!

C:\Users\317FX6~1\AppData\Local\Temp\SNAGHTMLa00f8bd0.PNG

“Ports of Interest”

As noted in the sections above, there are some connection points of interest. The following tables is a consolidated list for reference.

Next Post: Navigation Repair

In the next installment, we’ll dig into my Navigation Issue and how the information learned during this disassembly allowed me to ultimately resolve the issue.

Tesla Reverse Engineering: Creating a Bench Setup (MCU)

Overview

After growing up surrounded by cars, I’ve grown accustomed to doing my own maintenance and repairs where possible. When I transitioned to EVs a couple years back, I expected that some repairs may require more manufacturer involvement than I was accustomed to. Unfortunately, due to Tesla being DIY Repair unfriendly, the situation was worse than I expected.

Even more unfortunate, the local service center has struggled to provide consistent quality service trapping me in between a rock and hard place. One prime example was when my 2014 Model S’ navigation stopped functioning properly. After almost nine months of back and forth & no resolution from Tesla, I decided that this would be a good opportunity to dig into the computer system to see if I could resolve the issue myself.

As I didn’t want to tear my car apart (yet) and I prefer to be comfortable while experimenting, my first order of business was to setup a test bench in my “mad scientist lair”. Having this would allow me to analyze the hardware and the physical & software interactions between the various modules used in the vehicle.

While there are numerous modules in the vehicle, my primary point of interest is the Media Control Unit. (MCU). The MCU is the main unit in the Model S and is the obvious analysis point for my navigation issue. The goal of this post will be to simply get the MCU up and running on your bench. In later posts, we’ll dive into more thoroughly analyzing it and other modules.

Step 1 – Getting Parts

In order to run the MCU on your test bench, we’re going to need a few things:

  • An MCU! As it is unlikely you will have a spare laying around, acquiring this will be first on your shopping list. Acquiring directly from Tesla isn’t realistic, so you will be relegated to acquiring a used unit:
    • eBay – For the older MCU 1 units, you should be able to find a good number of them here
    • Car-Part.com – This site links you with salvage yards across the United States, Canada, and Mexico.
    • Facebook / Social Media sites – There are multiple “Salvage / Part” groups where individuals are selling parts.


Tesla Premium MCU 1 Part No

IMPORTANT: If at all possible, try to get the cabling/connects that plug into the back of the MCU. This will make life INFINITELY easier for you. At a minimum, you would want the connectors shown below for the “Premium” MCU 1 device:

Figure 2 – Minimum Required Connectors

  • Power – The MCU will require a steady 12V source that is capable of providing ~3 Amps.
  • Soldering Iron – While not absolutely necessary, having a good soldering station will allow for a cleaner setup. I use the Hakko 936 which is a reliable entry level choice.
  • Ethernet cable – A small Ethernet cable, that you won’t mind cutting up.
  • Speaker – A small automotive speaker for connecting to the MCU to enable audio playback. This isn’t absolutely necessary, but it is a nice to have.
  • Misc. Electronic Project cables / Jumper Cables – These will be used to create the Ethernet to Tesla MCU “Fakra” cable.

Step 2 – MCU Wiring

In order to get the MCU running on our bench, there are 3 three main items that we need to wire up:

  1. MCU Power & Ground : Required to provide power to the unit so that we can interact with it.
  2. MCU Speaker : Optionally recommended so that you can hear audio chimes and/or listen to music while you work. ☺
  3. Ethernet aka Fakra connection : Require so that we can startup the unit, access OS via telnet, or execute REST API commands.

MCU Power & Ground

Wiring up the MCU for power is actually very straight forward and only requires a few positive (12V) and negative connections spread across two of the connectors. The two connectors are located on the lower portion of the MCU and are commonly referred to as X425 (Black) and X426. (Grey)

NOTE: In order to keep your wiring to the Power Supply clean, I recommend using a distribution block for + and – connections.

Close-up of necessary MCU power wiring connections.

MCU Speaker

While you can wire up as many speakers as you would like, we only need the center speaker so that we can hear alert tones, etc. This speaker is also located on the X425 (Black) connector.

The easiest way to connect the speaker to these cables is to simply strip off the ends and use alligator clips:

Ethernet aka Fakra HSD connection

While the Tesla MCU utilizes Ethernet for certain actions, it does not provide you a convenient RJ45 port. The Ethernet connections utilize a “Fakra HSD” connector.

While you can buy these cables pre-made for ~$50, you can make one relatively easily once you know how to map out the HSD pins to the Ethernet cable wire.

The HSD cable consists of 4 pins consisting of two diagonal wire pairs where D+ / D- & Vcc / GND are pairs.

While a standard Ethernet cable consists of 8 wires / 4 twisted pairs, only 2 pairs are typically needed and these two pairs will be matched up to the HSD pinout as follows:

If making your own cable, the jumper wires I recommended at the start of this blog fit perfectly into the Fakra connector. I simply soldered one end to the Ethernet cable, inserted the other into the Fakra connector, and then taped it to ensure it doesn’t come loose.

C:\Users\317FX6~1\AppData\Local\Temp\SNAGHTML20204360.PNG

Step 3 – MCU Startup

Once you have completed all of the wiring in the previous step, you are ready to start the MCU! Next, perform the following actions:

  1. Ensure that you have connected your positive and negative wires to your power supply and that the power supply is set to a 12V output voltage.
  2. Ensure that your speaker is connected.
  3. IMPORTANT: Plug the Fakra/Ethernet cable into the back of the MCU and into either a network device (Hub/Switch) or to a laptop. Even if the MCU has power, it may not fully start unless it sees network traffic. [There are other ways to force it to start, but this is the easiest]

  4. Turn on your power supply – You will notice that at first, it is drawing a relatively low amount of amps, but once it fully starts, you will see the draw increase.
  5. Verify that MCU has power – If you look at the right side of the unit, you should see multiple LED status lights. Initially some will be Yellow/Red. Some will turn green as unit boots, etc.
  6. Wait…. Wait…. Wait… It should take ~20 – 30 seconds to full boot up. If you have the speaker connected, you SHOULD hear a series of chimes around the same time the Tesla ‘T’ appears.
  7. Wait… Wait… Wait some more and then you should finally see the MCU come to life
    Congrats! You now have a functional MCU on your test bench!

Security Devices, only as good as their implementation…

Security Devices, only as good as their implementation…

Recently, I needed to use an old program that is protected by a security device. The device, an M Activator hardware key, connects to your computer’s parallel port.

C:\Users\beyerch\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\K9R4HEY5\IMG_9355.JPG C:\Users\beyerch\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\K9R4HEY5\IMG_9356.JPG

Figure 1 – M Activator Security Key

If the security device is not attached to the PC, the application program will restrict your access to certain application functions or prevent you from using an application altogether.

C:\Users\beyerch\AppData\Local\Temp\SNAGHTML1dd2ee31.PNG

Figure 2 – Application Rejection due to no hardware key

Since I own the software and still have the security key, none of this should be a problem. Unfortunately, modern computers no longer have parallel ports! As the software isn’t maintained, I can’t call the original provider for an alternative leaving me with few choices. The first, and preferred, choice was to purchase a parallel port to USB adapter on-line. I purchased two highly rated units; however, the software failed to recognize the dongle when connected through either of the units.

C:\Users\beyerch\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\K9R4HEY5\IMG_9358.JPG

Figure 3 – Parallel to USB Adapters (that didn’t work..)

As the USB adapter routed was unsuccessful, my remaining option is to …. hack the security key or its implementation in the application program..

A Ridiculously Brief Discussion on Security/Hacking

The first rule of hacking is that you don’t talk about hacking. Wait, or is that the first rule of Fight Club? The first rule of hacking is to accept the fact that nothing will be 100% secure.

When a product is developed, the security implementation is typically driven many factors such as:

  • What is the risk/damage of being compromised?
  • How likely is it that the product will be attacked?
  • What impacts to the development process will occur due to security?
  • How will the timeline be impacted?
  • How will users of the product be impacted?
  • Does the development team understand and have security experience?
  • How much will can we afford????

Because of all of the competing considerations, product security typically looks more like the Griswold family truckster than the shiny red Ferrari.

Figure 4 – Typical Security vs Assumed Security

From the hacker’s perspective, product security really boils down to how badly they want it. Do they have the time, resources, team/skills, and money to dedicate to their mission.

In the case of my ancient dongle security application, I’m willing to invest about 60 minutes into seeing if I can get anywhere. After that, I dig out one of my older computers and use it with this program. (and hope it doesn’t ever die…..)

With that said, let’s see just how secure this old dongle application is…

Hacking 101

Now that we’ve decided that we’re going to take a stab at working around the security device, the first thing we need to do is gather information about our target. Before we can formulate a plan, we need to know what we’re up against. After about 5 minutes of research, we know the following about our target application/security device:

  • Application Program
    • Windows 32 bit executable
    • Written in C++
    • Program appears to leverage multiple external libraries, some of which are known/some are not
      • ZIP/PKZIP – File Compression
      • W32SSI.dll/.lib – ? Not sure. (yet)
  • M Activator Green Key
    • Made by Sentinel
    • The W32SSI files are related to this dongle

NOTE: Researching this scenario finds a lot of “hits” to people with similar scenarios. There are emulators and other products made to solve this problem; however, I’d rather try to figure it out myself first.

Given what has been found, it seems likely that the application program is going to use the W32SSI files to talk to the dongle. Depending on how this is done in the application, we may be able to update the application program and simply bypass the dongle. All we need to do is take a peek at the application software to see what is going on, no biggie.

Source Code, Assembly Code, Machine Code, Oh My!

If this were our application program, we could simply open it in our editor, make our desired changes to the source code, recompile the code, and be on our way. Since we didn’t write this program and the original company is no longer in existence, this isn’t an option. While we could look at the executable binary (e.g. Machine Code) unless you have a photographic memory, know low-level Windows modules by heart, and Intel OpCodes like the back of your hand, it’s going to be impossible to directly analyze the chain of files.

Figure 5 – Machine Code, no problem…..

While it might be cool to rattle off machine code instructions on trivia night, it would take us forever to try and analyze an application in this manner. Fortunately, there are many programs that we can leverage which will translate the machine code into something slightly easier to deal with, assembly code.

Figure 6 – Assembly Code

While assembly code is not nearly as friendly as actual source code, it is a 1 to 1 representation of the machine code in a somewhat human readable format. If you have an appropriate tool, such as the IDA Pro disassembler, you can convert the machine code into the assembly. This tool also allows us to map out the program flow and find text and object file references.

Using the IDA Interactive Disassembler

As mentioned previously, we can use IDA to do a quick search to see if our security device program is called. Since we know that the program uses the security key, we should be able to find one or more references to the W32SSI library files. Depending on how many and what type of references we find, we may be able to easily alter the program so that we can bypass the security hardware.

After opening the program in IDA, we can easily see that the W32SSI libraries are being used by checking the Imports section of IDA.

Figure 7- IDA Imports

In addition to verifying the presence of the libraries via the Imports screen, we can use the Functions / IDA view to find the code references:

Figure 8 – Locating code references to W32SSI

Somewhat surprisingly, the only two functions imported from the security program are referenced once!

Figure 9 – Code section using W32SSI functions

While we do not know what those routines do entirely, since they are only called once, it is safe to assume that they attempt to validate that a security key, of the right type, is connected. To help understand what we’re seeing, we can use the Graph View feature to get a visual representation of the code:

Figure 10 – Graph View of W32SSI logic

Looking at the Graph View of the code leveraging the W32SSI routines, we see that there are two main code branches. The branch on the left performs secondary checks and ultimate ends up with failure messages relating to a security key not being found. The code branch on the right simply returns a value of 1, which presumably is a “TRUE” response.

The Quick and Easy Fix

Looking at the code structure, it appears that the second W32SSI call is performing a check as to whether the security dongle is present or not. If the security dongle is found, a “TRUE” (1) is returned; otherwise, secondary tests are performed. (e.g. serial port instead of LPT, etc.)

Because of this, there appears to be a very easy way to “fix” the program. If we force the initial check to always return TRUE (or flip flop the PASS / FAIL check) then the application program will behave as if the key was present.

The following logic needs to be tweaked from:

call wSSIMIni
cmp eax, 0FFFFFFFFh
jz loc_409FBA

to:

call wSSIMIni
cmp eax, 0FFFFFFFFh
jnz loc_409FBA

JZ and JNZ are machine code instructions that are used in conjunction with comparison checks. If the result of a compare (CMP) instruction is ZERO, a Jump if Zero (JZ) instruction will result in a jump to another portion of the application. Jump if Not Zero (JNZ), on the other hand, results in a jump if the compare (CMP) instruction is non-zero.

To make the change, switch to the Hex View, right click on the highlight value and change the 84 to 85.

Figure 11 – Switching JZ to JNZ

After committing the change, you will see the code switch from

to

After starting the program, we no longer receive an error about the missing security key and the program operates as expected.

Well That Easy…..

While it may be hard to believe that changing one byte of data, by one digit, entirely bypassed an application’s security, this is a surprisingly common scenario. The security dongle used by this application could have been utilized much differently preventing this type of scenario, though. (e.g. the dongle could have stored a required piece of information that the application would need to operated properly)

2004 Pontiac Grand Prix GTP Turbocharger Installation – 401 HP Out Of 231 Cubes

Since you can never have enough horsepower, I worked with my good friend, Kevin Margitta of Cartuning to replace the Eaton Gen IV M90 Supercharger on my 2004 Grand Prix Comp G with an intercooled turbocharger.  While Kevin had the hardware worked out, I contributed to the project by creating the software necessarily to reprogram the engine’s control module.  With the intercooled turbo & software updates in place, this swap easily put down 401 HP to the wheels before I decided I had enough fun at the dyno shop for the day.

A couple of months after the swap was complete, I ran into Don Keefe and asked him if he would like a ride in the car.  While he didn’t seem very interested at first, he became very interested after the boost kicked in!  Shortly thereafter, the following awesome article was published in High Performance Pontiac:

http://www.hotrod.com/how-to/engine/hppp-0603-2004-pontiac-grand-prix/

0603_hppp_01z+2004_pontiac_grand_prix+launch
Getting ready to make an 1/8th mile pass

 

0603_hppp_02z+2004_pontiac_grand_prix+blower_casing
Engine Bay View Post Turbo Install

 

0603_hppp_03z+2004_pontiac_grand_prix+turbo_location
Turbo Installation Closeup

 

0603_hppp_05z+2004_pontiac_grand_prix+hollow_supercharger
Supercharger Rotor Block-off Plate

 

0603_hppp_06z+2004_pontiac_grand_prix+stock_manifold
Another view of Turbo / Inlet piping

 

0603_hppp_07z+2004_pontiac_grand_prix+intercooler
Air-to-Air Intercooler

 

0603_hppp_08z+2004_pontiac_grand_prix+wastegate
Turbonetics Wastegate

 

0603_hppp_12z+2004_pontiac_grand_prix+turbo_kit
Cartuning Turbo Kit Display Model

 

0603_hppp_13z+2004_pontiac_grand_prix+sleeper
Stock Appearing Car