Browse Category

Electronics

Tesla Reverse Engineering: MCU Teardown

Overview

When reverse engineering an important, and rather fun, step is disassembly. Digging into the internals of hardware & software typically provides many clues as to how you can exploit a system. If you know what technologies are being utilized, this will make it easier to understand how the product works and how to exploit it. Additionally, by knowing what key components / technologies are in use will give you a starting point for finding attack vectors. (E.g. known vulnerabilities) Additionally, in many cases, an analysis of the hardware will result in the discovery of diagnostic/debug access to the system. This is especially true for the Tesla Media Control Unit (MCU)

The MCU, which has numerous implementations, is a complex device which is critical to the operation of the Tesla vehicle. The MCU serves as the primary user interface for vehicle control/configuration, navigation, radio, entertainment, communication & coordination w/ other vehicle modules, diagnostics, and remote communication w/ Tesla HQ. Given the complexity of this unit, any/all clues to its operation will be extremely helpful in understanding how it operates. A full tear down & inventory of key components is ONE method to increase our knowledge.

The MCU consists of the key sub-assemblies:

  • Bonded Display – For most people, this is the only assembly that matters as it collects user input and provides visual feedback.
  • Amplifier Assembly – Audio amplifier module which drives speakers, etc.
  • Cellular Communications – This sub-assembly is responsible for cellular communications. Early MCUs supported 3G while newer sub-assemblies support 4G/5G.
  • Infotainment Processor – This sub-assembly provides the main processing power for the MCU. For the MCU 1, this is powered by NVidia while MCU 2 utilizes Intel Atom, and MCU 3 contains an AMD Ryzen processor.
  • Main Board – This is the largest assembly and serves as the hub for all of the other sub-assemblies.

Bonded Display

From a reverse engineering perspective, this is probably the least interesting sub-assembly. The electronics are relatively minimal and single purposed. I don’t expect there to be much value in focusing on this assembly. With that said, there is a USB port on the control board. I suspect this is probably used for pushing firmware in the factory.

Amplifier Assembly

Similar to the display, this assembly is also very single purposed and I don’t see any obvious value in focusing too much time here. A quick review of the circuit board does not find anything remarkably useful for reverse engineering purposes.

Cellular Communications

This module is far more interesting as it is responsible for remote communication, which is quite valuable. There are multiple prominently displayed components on this board of note. Additionally, you’ll see that this contains a removable SIM card. As the older modules came with “unlimited data”, perhaps you can repurpose this? ☺ It would additionally be curious to see if any data is on this card.

Infotainment Processor

The infotainment process assembly is another “high value target” as this is the primary “brains” of the MCU. In addition to the NVIDIA processor, this board contains SDRAM, e-NAND Flash Drive*, a USB Hub, Ethernet controller, and an IC flash device. In additional to the components, on the board, there are a couple of unpopulated pads. Perhaps these pads are simply for optional components or perhaps they are for diagnostic purposes. More investigation is required to determine if they are of any value.

* – Due to how the Flash Drive has been utilized by Tesla, these devices are beginning to fail in older MCU 1 vehicles. When they fail, the MCU will operate erratically eventually resulting in the “black screen of death”. There is a recall and Tesla will replace these sub-assemblies with a newer/higher capacity flash memory. If you are skilled, you can repair this yourself. ☺

Main Board

Given the size of the main board, it shouldn’t be surprising that there are many components of interest here. On this board, there are numerous communications chips: Switched gigabit Ethernet, multi-media serial links, CAN, and LIN. As I know the MCU plays “gatekeeper” for both Ethernet and CAN communications, reviewing these components for weaknesses will be a high priority.

Aside from the communication ICs, this board also contains Micro SD & SD data cards, a hidden USB port, and multiple JTAG/TI diagnostic connectors. While I’m not going to “spill the beans” (yet) on the contents of the data cards, I will say there are both very useful for reverse engineering purposes. I will point out that NEITHER card is automotive/harsh environment grade. Because of this, they will fail much sooner due to the temperature extremes in a vehicle. If either of these cards fail, you are in for a very bad time!

C:\Users\317FX6~1\AppData\Local\Temp\SNAGHTMLa00f8bd0.PNG

“Ports of Interest”

As noted in the sections above, there are some connection points of interest. The following tables is a consolidated list for reference.

Next Post: Navigation Repair

In the next installment, we’ll dig into my Navigation Issue and how the information learned during this disassembly allowed me to ultimately resolve the issue.

Tesla Reverse Engineering: Creating a Bench Setup (MCU)

Overview

After growing up surrounded by cars, I’ve grown accustomed to doing my own maintenance and repairs where possible. When I transitioned to EVs a couple years back, I expected that some repairs may require more manufacturer involvement than I was accustomed to. Unfortunately, due to Tesla being DIY Repair unfriendly, the situation was worse than I expected.

Even more unfortunate, the local service center has struggled to provide consistent quality service trapping me in between a rock and hard place. One prime example was when my 2014 Model S’ navigation stopped functioning properly. After almost nine months of back and forth & no resolution from Tesla, I decided that this would be a good opportunity to dig into the computer system to see if I could resolve the issue myself.

As I didn’t want to tear my car apart (yet) and I prefer to be comfortable while experimenting, my first order of business was to setup a test bench in my “mad scientist lair”. Having this would allow me to analyze the hardware and the physical & software interactions between the various modules used in the vehicle.

While there are numerous modules in the vehicle, my primary point of interest is the Media Control Unit. (MCU). The MCU is the main unit in the Model S and is the obvious analysis point for my navigation issue. The goal of this post will be to simply get the MCU up and running on your bench. In later posts, we’ll dive into more thoroughly analyzing it and other modules.

Step 1 – Getting Parts

In order to run the MCU on your test bench, we’re going to need a few things:

  • An MCU! As it is unlikely you will have a spare laying around, acquiring this will be first on your shopping list. Acquiring directly from Tesla isn’t realistic, so you will be relegated to acquiring a used unit:
    • eBay – For the older MCU 1 units, you should be able to find a good number of them here
    • Car-Part.com – This site links you with salvage yards across the United States, Canada, and Mexico.
    • Facebook / Social Media sites – There are multiple “Salvage / Part” groups where individuals are selling parts.


Tesla Premium MCU 1 Part No

IMPORTANT: If at all possible, try to get the cabling/connects that plug into the back of the MCU. This will make life INFINITELY easier for you. At a minimum, you would want the connectors shown below for the “Premium” MCU 1 device:

Figure 2 – Minimum Required Connectors

  • Power – The MCU will require a steady 12V source that is capable of providing ~3 Amps.
  • Soldering Iron – While not absolutely necessary, having a good soldering station will allow for a cleaner setup. I use the Hakko 936 which is a reliable entry level choice.
  • Ethernet cable – A small Ethernet cable, that you won’t mind cutting up.
  • Speaker – A small automotive speaker for connecting to the MCU to enable audio playback. This isn’t absolutely necessary, but it is a nice to have.
  • Misc. Electronic Project cables / Jumper Cables – These will be used to create the Ethernet to Tesla MCU “Fakra” cable.

Step 2 – MCU Wiring

In order to get the MCU running on our bench, there are 3 three main items that we need to wire up:

  1. MCU Power & Ground : Required to provide power to the unit so that we can interact with it.
  2. MCU Speaker : Optionally recommended so that you can hear audio chimes and/or listen to music while you work. ☺
  3. Ethernet aka Fakra connection : Require so that we can startup the unit, access OS via telnet, or execute REST API commands.

MCU Power & Ground

Wiring up the MCU for power is actually very straight forward and only requires a few positive (12V) and negative connections spread across two of the connectors. The two connectors are located on the lower portion of the MCU and are commonly referred to as X425 (Black) and X426. (Grey)

NOTE: In order to keep your wiring to the Power Supply clean, I recommend using a distribution block for + and – connections.

Close-up of necessary MCU power wiring connections.

MCU Speaker

While you can wire up as many speakers as you would like, we only need the center speaker so that we can hear alert tones, etc. This speaker is also located on the X425 (Black) connector.

The easiest way to connect the speaker to these cables is to simply strip off the ends and use alligator clips:

Ethernet aka Fakra HSD connection

While the Tesla MCU utilizes Ethernet for certain actions, it does not provide you a convenient RJ45 port. The Ethernet connections utilize a “Fakra HSD” connector.

While you can buy these cables pre-made for ~$50, you can make one relatively easily once you know how to map out the HSD pins to the Ethernet cable wire.

The HSD cable consists of 4 pins consisting of two diagonal wire pairs where D+ / D- & Vcc / GND are pairs.

While a standard Ethernet cable consists of 8 wires / 4 twisted pairs, only 2 pairs are typically needed and these two pairs will be matched up to the HSD pinout as follows:

If making your own cable, the jumper wires I recommended at the start of this blog fit perfectly into the Fakra connector. I simply soldered one end to the Ethernet cable, inserted the other into the Fakra connector, and then taped it to ensure it doesn’t come loose.

C:\Users\317FX6~1\AppData\Local\Temp\SNAGHTML20204360.PNG

Step 3 – MCU Startup

Once you have completed all of the wiring in the previous step, you are ready to start the MCU! Next, perform the following actions:

  1. Ensure that you have connected your positive and negative wires to your power supply and that the power supply is set to a 12V output voltage.
  2. Ensure that your speaker is connected.
  3. IMPORTANT: Plug the Fakra/Ethernet cable into the back of the MCU and into either a network device (Hub/Switch) or to a laptop. Even if the MCU has power, it may not fully start unless it sees network traffic. [There are other ways to force it to start, but this is the easiest]
  4. Turn on your power supply – You will notice that at first, it is drawing a relatively low amount of amps, but once it fully starts, you will see the draw increase.
  5. Verify that MCU has power – If you look at the right side of the unit, you should see multiple LED status lights. Initially some will be Yellow/Red. Some will turn green as unit boots, etc.
  6. Wait…. Wait…. Wait… It should take ~20 – 30 seconds to full boot up. If you have the speaker connected, you SHOULD hear a series of chimes around the same time the Tesla ‘T’ appears.
  7. Wait… Wait… Wait some more and then you should finally see the MCU come to life
    Congrats! You now have a functional MCU on your test bench!

Retro Computer (Compaq SLT/286) “Steak Knife” Repair

Overview

Recently, I ran across someone looking to sell an “ancient” laptop that had been long forgotten in their closet for ~30 years. The laptop in question is a Compaq SLT/286. As I’m a sucker for very clean old tech, this was right up my alley! Since it was a Compaq machine, I was especially interested as I have a few of their previous ‘portable’ machines as well.

When I inquired about the machine, the owner state that it turns on perfectly fine; however, they were not able to do much else since it doesn’t ‘boot up’. The person stated that it was a work machine that was upgraded and prompt left, in its original bag, in their closet and was only recently discovered.

When I plugged in the machine, it did start up immediately; however, I was presented with a very familiar error message:

Issue

This error message is a clear indicator that the machine had “forgotten” certain configuration settings. In older computers, these Basic Input / Output Services (BIOS) settings are stored in a Complementary Metal-Oxide-Semiconductor. (aka CMOS) The CMOS requires a small amount of power to retain its memory. The earliest PCs typically had a small battery attached to the motherboard which would provide this power. Unfortunately, batteries do not last forever and will fail. In a best case scenario, the battery simply fails to produce enough power while in worst case scenarios, the battery loses integrity and acid can damage the motherboard.

Worst Case Example: Compaq Portable II w/ catastrophically failed battery

Fortunately, this Compaq model did not use a battery that could fail in such a manner and the motherboard was clean as a whistle. (see all the disassembly pics at the end to see just how clean this machine is!)

A quick scan of the motherboard also reveals that there isn’t a battery per se. For this computer, Compaq chose to use a Dallas Real Time Chip (RTC) module which stores the relevant information. This device, which is still used to this day in certain applications, performs multiple activities: “nonvolatile” RAM memory, supports certain Read Only Memory (ROM) operations, and Real-Time Clock (RTC) operations. The one “gotcha” to this device is that the RAM is non-volatile only because there is a battery hidden inside the module which provides power to the device. Once this internal battery is depleted, it is no longer a nonvolatile RAM device.

The image on the left is the module found on this Compaq’s motherboard. The ‘8849’ is the build date for the module which corresponds to the 49th week of 1988! The image on the right is an X-Ray of this type of module. The power source is the circular item near the middle of the module. (X-Ray image courtesy of https://ardent-tool.com/)

CMOS Repair

In order to get this PC up and running, we will need to address this failed module. There are a few options:

  • Replace the Dallas RTC module with a newer one
  • Carefully modify the existing Dallas module to power it from an external source

As with any repair, there are always trade-offs to consider. In this scenario, I chose to supply external power to the existing module for the following reasons:

  • The existing module is directly soldered to the motherboard. This would require me to desolder the existing module and then solder a new one to the board. While this is not overly difficult, it requires a bit more effort and care than the other option. (If Compaq had placed the module in a socket, I would have opted to replace the module)
  • Many suppliers of compatible Dallas RTC modules are selling “New Old Stock” (NOS) components. Because of this, the batteries may only last for a few years before requiring replacement again.
  • Accessing the module requires a complete disassembly of the unit. (disassembly pictures are in a later section)
    • If I’m going to have to replace a battery again, I’m strongly prefer to *NOT* have to disassemble the unit
    • NOTE: As you’ll see later, my repair allows for a 60 second battery replacement and requires no tools.
  • This approach is relatively low risk. If I make a mistake accessing the internal battery, I can always resort to replacing the module. If someone else acquires this machine and would rather replace the module, they can still do this.

The following steps were performed to implement the external battery solution:

  1. Carefully remove the top layers of the Dallas module’s epoxy to expose the battery
  2. Disconnect the battery from the module pins
  3. Solder new leads to the power pins
  4. Route wires to a convenient location
  5. Solder coin battery holder to other end of leads, add battery, and verify power

Module Modification

If you’ve read this far, you are probably wondering: “Why did Charles mention he used a steak knife to effect this repair”? If so, you don’t have to look any further! To cut into the module, I choose to use a nice and sharp steak knife! While a Dremel would have been more surgical, it was in the garage and I didn’t feel like trekking into the cold to fetch it. As the epoxy/resin material is relatively soft, I had no trouble using a knife to accomplish this task. Once the battery was exposed, a small wire cutter was used to disconnect the existing battery. Next I prepped some wires, soldered them to the appropriate pin outs, and sealed it with my glue gun. (Yes, I could definitely have made this cleaned, but I wanted to make sure it was working first…)

Wire Routing & External Battery

I gave myself plenty of extra wire so that I could route it to a spot where it wouldn’t impact the operation of the laptop *and* it could be easily accessible.

(Look how clean this unit is! Amazing)

I then put together the coin battery holder and verified that I was getting proper voltage.

Next, I soldered the coin battery holder to the module wires. (Always use heatshrink!)

Finally, I wrapped the holder in electrical tape and tucked this into the access port on the side of the laptop. This convenient location will allow a battery swap in seconds without the need for any tools. If I add the optional model, I will need to relocate this; however, it is a perfect location for now.

With the machine physically repaired, the only thing left to do is create the Compaq Diagnostic Disk and reconfigure the device.

Software Reconfiguration

After scouring the internet, I was able to locate the appropriate software and used it in yet another retro machine to create the necessary software:

I insert this newly created disk into the Compaq, turned it on, and the configuration utility started. The utility seemingly auto-detected everything auto-magically.

After saving the configuration, the machine started up w/o any error messages!

It Lives!

After exiting the configuration utility, the computer sprang to life and I was greeted with a DOS prompt. Looking around on this machine, I found some pretty standard late 1980’s business programs. Quite a trip down memory lane.

1-2-3

WordPerfect

PFS Write

Bonus Pics

Below are disassembly and other pictures that didn’t make the cut up above. Take a look at how clean this machine is. Amazing for the age. Also, if you made it this far, there is a hint for my next post. Something else running on that workbench is a bit out of place….. If you recognize it, feel free to point it out and take a guess what we’ll be doing with it!

Compaq Portable Family

The largest machine is only a couple years old. Amazing at how much they shrunk down the electronics! Another post is going to dig into that machine and you will be able to see the difference!

Disassembly

 

H:\4TB-Share\RetroComputers\Compaq SLT 286\20220402_165711.jpg

Electronics Project Room …..

 

I’ve been slowly repurposing a spare room in the basement to serve as my electronics project room.  Not quite done, but thought I’d post some photos showing current status.  Just need to get the electrical finalized and will be good to go!

 

 

Primary Work Area
Bench #1

 

Decorative / Functional Gauges
Decorative / Functional Gauges

Oscilloscope & Stuff
Oscilloscope & Stuff

Trusty Hakko 936
Hakko 936 Soldering Station & EMP 20 Programmer