Everybody talks about Tesla again. When Elon Musk presented a cheaper new model of Tesla not long ago, the preorders were plenty. Meanwhile, older Tesla models attract both eco–conscious drivers and hackers.
Chris Matthieu, head of IoT (Internet of Things) at Citrix and founder of Twelephone, a system of making calls from Twitter, has recently posted a step-by-step guide on how to get root access to a Tesla. Here is the hacker’s GitHub account if you’d like to know more about him. It must be said right from the start that you’d need a laptop, network cables and a screwdriver in order to repeat Chris’ experiment for you’ll have to hack and break in at once.
I really don’t know why but I decided to hack my Tesla Model S aiming to get root access to its CID touchscreen display. I spent two months researching and planning this project. After I was convinced that everything is set, I grabbed my tools and laptops and started to fulfill the plan.
[contact-form-7 id=”530″ title=”Survivor’s Guide To Mobile App Testing”]
Step 1. Getting access to the side panel
The first step is to remove the small side panel right behind the driver’s door to gain access to the small white connector, shown on the photo:
It may look strange but it is just a simple category 6 Ethernet cable with a Tesla connector. It can be connected via simple network cable and a matching connector. I used my improvised cable but you may also look for the proper cable model at the marketplaces where second-hand electronics are sold.
As a result, I connected the network via this small white connector and since that moment I was able to perform the hack. Unfortunately I couldn’t log in because I couldn’t get through the VPN without a password.
Step 2. Removing the lower part of the panel
I had to remove a huge part of the front panel under the steering wheel which was fastened with 9 catchers. It was a hard work but I managed to do it.
Step 3. Removing the ventilation grill
Gosh, I thought it took me ages to remove this grill in front of the lower edge of the windscreen. Firstly, I screwed out a big panel covering the dashboard to find screws which hold ventilation grill. I had to be careful in order not to bent or break anything while gaining access to those screws and disassembling the front panel. Afterwards, I just had to take the dashboard cover and ventilation grill off.
Step 4. Removing the dashboard
You also have to remove the dashboard by raising the upper cover and reaching two upper screws. To tell the truth, I took the following photo after I removed the lower screws as I wasn’t feeling confident enough to unscrew the upper ones. But later on I did that as well.
You may now start to wonder how all this helps to unlock the white connector? Let’s go further.
Step 5. Gaining access to the dashboard’s cable
Now you see another white connector which is connected to the touchscreen CID display. The dashboard is connected to CID via web interface in order to receive navigation updates or music, and to send commands like ‘open the cover’.
My aim was to connect my improvised cable to the dashboard detaching its original cable first. Tesla rolled back to Factory Mode; I disconnected the laptop from Tesla and returned its original cable back to its place in the dashboard.
By the way, you will be able to see the Developer mode screens in case you stay in the Factory mode for a while. But this is another story which I think of publishing some day. For now I am exposing the photo of my favorite thing so far – the temperature display.
Step 6. Gaining root access to Tesla Model S
Tesla is in the Factory mode now. And the white connector near the driver’s door is unlocked and is waiting for us to connect to it. Now it is necessary to connect the laptop again and execute the obtain_root script which I wrote in advance.
The magic process starts allowing me to connect to the touchscreen display with root rights. I made some manipulations to ensure that I won’t have to go through all that stuff next time I need access to the system. Hereafter I disconnected the white cable, switched off the Factory mode, performed Tesla reload and screwed on all the plates and covers. That’s all, the hack is over!
After the hack
And what’s next? What did I gain after all? I did many investigations and research, so follow up to see the results.