Tesla Model 3 Rear Drive Unit Hacking
- Jack Bauer
- Posts: 3628
- Joined: Wed Dec 12, 2018 5:24 pm
- Location: Ireland
- Has thanked: 3 times
- Been thanked: 211 times
- Contact:
Re: Tesla Model 3 Rear Drive Unit Hacking
Latest schematic and PCB layout now on the GitHub repo:
https://github.com/damienmaguire/Tesla- ... ter/Design
I'm going to need a hacksaw
- Jack Bauer
- Posts: 3628
- Joined: Wed Dec 12, 2018 5:24 pm
- Location: Ireland
- Has thanked: 3 times
- Been thanked: 211 times
- Contact:
Re: Tesla Model 3 Rear Drive Unit Hacking
Needless to say, if anyone has any info on the circuit or feedback etc., it would be much appreciated :)
-
- Posts: 555
- Joined: Mon Feb 24, 2020 8:59 pm
- Location: Ireland
- Has thanked: 361 times
- Been thanked: 77 times
Re: Tesla Model 3 Rear Drive Unit Hacking
Seriously impressive work, move your Salvador D, I'd hang this one on the wall

-
- Posts: 272
- Joined: Mon Jan 18, 2021 12:39 pm
- Location: Edinburgh, Scotland, UK
- Has thanked: 55 times
- Been thanked: 86 times
Re: Tesla Model 3 Rear Drive Unit Hacking
Couple of comments on the video:
Seems like the STGAP1BS could be pre-supplied to JLCPCB like the QCA7000 on the Foccci for production runs of your board. Sure it adds cost but reflect that in what you charge for the board. No such thing as a free lunch.
I can recommend the "Fabrication Toolkit" from the KiCAD plugin repository. This creates the gerbers, BOM and position files in a form that JLC are happy with (and they recommend it). More details: https://github.com/bennymeg/Fabrication-Toolkit
If you want to make measurements on the Tesla gate driver behaviour with or without HV enabled this is entirely possible provided you are happy with fixed phase PWM values. I don't have a functioning inverter but the gate driver and PWM generation works fine. Shoot me an email if you want assistance.
-
- Posts: 531
- Joined: Mon Jul 03, 2023 3:17 pm
- Location: CT, central shoreline, USA
- Has thanked: 183 times
- Been thanked: 156 times
Re: Tesla Model 3 Rear Drive Unit Hacking
I second the JLC fabrication toolkit.
Check out the interactive html bom plugin as well, it's fantastic.
- Jack Bauer
- Posts: 3628
- Joined: Wed Dec 12, 2018 5:24 pm
- Location: Ireland
- Has thanked: 3 times
- Been thanked: 211 times
- Contact:
Re: Tesla Model 3 Rear Drive Unit Hacking
Appreciate that guys, thanks. I have had some good feedback on the general PCB layout which I intend to address, and had a few kind donations so was able to order from Mouser the bits JLC don't have as of now, including the 1BS version of the driver chip.
On a related topic I got a tip on this and was very excited until I saw the price tag:
https://leandesign.com/pdf/Munro-Invert ... -Sales.pdf
If I hate one thing in this game it's the duplication of effort.
Gonna guess no one will share any details on the design or schematic. Sigh....
- Jack Bauer
- Posts: 3628
- Joined: Wed Dec 12, 2018 5:24 pm
- Location: Ireland
- Has thanked: 3 times
- Been thanked: 211 times
- Contact:
Re: Tesla Model 3 Rear Drive Unit Hacking
Thanks to a good friend in Germany with a Prusa XL, we have a 3D printed prototype board for fit tests. Good news is it is a VERY good fit. Bad news is genius here totally forgot about the hole and pads for the HV connection HVIL.
Would have been quite an expensive mistake even with bare boards.

Re: Tesla Model 3 Rear Drive Unit Hacking
A few days ago I had an idea to take another close look at what the inverter sends to the vehicle CAN, and after poking around I found something interesting. It turns out that there are many more IDs with alerts and errors than I thought. With some simple calculations I edited the DBC file, and when I turned on the drive unit I was stunned.
Of course, nothing will work, because the DI_a174_notOkToStartDrive alert is active. The logic lacks 12 volts, which I supply from a regular ATX power supply. If this turns out to be the cause, it will be very funny. But it is too early to rejoice.
Re: Tesla Model 3 Rear Drive Unit Hacking
It's interesting to look at how the immobilizer works.
As soon as the inverter receives the 0x221 (VCFRONT_LVPowerState) message, it shoots 0x276 onto the vehicle CAN for a split second. This is a challenge for the VCSEC.
Meanwhile, the VCSEC is already ready and when you put the key card, it responds with the 0x3D9. That's it - the immo is unlocked.
The 0x276 challenge message is always new every time the inverter is restarted. After looking at its structure, I dare to assume that it has 65536 possible combinations.
The 0x276 and 0x3D9 messages are tightly linked. To verify this, I generated a static challenge for my VCSEC several times in a row and the response at 0x3D9 was the same. During the experiment, the inverter was turned off.
In short, how it works:
1. The motor sends a challenge.
2. VCSEC responds with a value calculated using a one-way hash function based on the challenge and the secret.
3. The motor checks the response using its own calculation of the expected hash value. If the values match, authentication is confirmed.
For fun, it's possible to record the entire range of challenge/response pairs (65536), make a lookup table and try to replay these answers to the drive unit.
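A model of the three steps in the post above, added here as an illustration and not taken from the thread or from Tesla's implementation: it shows why a deterministic response over a 16-bit challenge can be fully tabulated, and why the same recording effort covers essentially nothing once the challenge is 64 bits. HMAC-SHA256, the 8-byte response, the secret and the one-exchange-per-second rate are all assumptions; the page does not name the real function or key.

```python
import hashlib
import hmac

# Constructed 16-byte secret; the real VCSEC secret and hash are not on the page.
SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def respond(secret: bytes, challenge: int, bits: int) -> bytes:
    """Step 2: keyed one-way function of (secret, challenge). HMAC is assumed."""
    msg = challenge.to_bytes((bits + 7) // 8, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]

def verify(secret: bytes, challenge: int, response: bytes, bits: int) -> bool:
    """Step 3: the drive unit recomputes the expected value and compares."""
    return hmac.compare_digest(respond(secret, challenge, bits), response)

def record_pairs(secret: bytes, challenges, bits: int) -> dict:
    """Pairs a bus observer ends up holding; it never learns the secret."""
    return {c: respond(secret, c, bits) for c in challenges}

def replay_accepted(table: dict, secret: bytes, challenge: int, bits: int) -> bool:
    """True if a recorded response passes verify() for this challenge."""
    recorded = table.get(challenge)
    return recorded is not None and verify(secret, challenge, recorded, bits)

def hours_to_cover(bits: int, seconds_per_exchange: float) -> float:
    """Time needed to observe every possible challenge once."""
    return (1 << bits) * seconds_per_exchange / 3600.0

def coverage(table: dict, bits: int) -> float:
    """Fraction of the challenge space for which a recorded answer exists."""
    return len(table) / float(1 << bits)

if __name__ == "__main__":
    small = record_pairs(SECRET, range(1 << 16), 16)
    print("16-bit coverage:", coverage(small, 16),
          "hours:", round(hours_to_cover(16, 1.0), 1))
    print("replay accepted:", replay_accepted(small, SECRET, 0xBEEF, 16))
    big = record_pairs(SECRET, range(1 << 16), 64)  # same effort, 64-bit nonce
    print("64-bit coverage:", coverage(big, 64))
    print("replay accepted:",
          replay_accepted(big, SECRET, 0x0123456789ABCDEF, 64))
```

The secret is never recovered in either case; what changes is whether the verifier can be handed a challenge the observer has not already seen answered.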
Re: Tesla Model 3 Rear Drive Unit Hacking
Keyless driving enabled. This means that you can run the motor without a key card, but with the VCSEC connected.
- jetpax
- Posts: 48
- Joined: Wed Jan 01, 2020 12:33 am
- Has thanked: 17 times
- Been thanked: 21 times
- Contact:
Re: Tesla Model 3 Rear Drive Unit Hacking
Great job!
AMP3R wrote: ↑Mon Feb 17, 2025 6:56 pm
While my bench power supply is on its way from China, I wanted to look at how the immobilizer works.
As soon as the inverter logic has power and VCFRONT transmits the 0x221 (VCFRONT_LVPowerState) message, it (inverter) shoots the 0x276 message onto the vehicle CAN for literally a split second. This is a challenge for the VCSEC.
Meanwhile, the VCSEC is already ready and when you put the key card, it responds with the 0x3D9 message for about one second. That's it - the immobilizer is unlocked.
The 0x276 challenge message is new every time the inverter is restarted. After looking at its structure, I dare to assume that it has 65536 possible combinations.
The 0x276 and 0x3D9 messages are tightly linked. To verify this, I generated the same challenge for my VCSEC several times in a row and the response in 0x3D9 was the same. During the experiment, the inverter was turned off.
In short, for those who did not understand how it works:
1. The motor sends a challenge.
2. VCSEC responds with a value calculated using a one-way hash function based on the challenge and the secret.
3. The motor checks the response using its own calculation of the expected hash value. If the values match, authentication is confirmed.
What secret is stored in VCSEC, a big big secret.
For fun, you can record the entire range of challenge/response pairs (65536). This will take about 18 and a half hours. But in fact, this method is of little use, since it will only work on a specific motor.
So are you saying that if I record these 65536 challenge responses for a paired motor/VCSEC, then I could dump the motor firmware and flash it into another motor and the new motor should authenticate?
“Take the best that exists and make it better”
Re: Tesla Model 3 Rear Drive Unit Hacking
"then I could dump the motor firmware and flash it into another motor and the new motor should authenticate?"
I don't know.
Re: Tesla Model 3 Rear Drive Unit Hacking
Hello all.
Previously, projects for Tesla Model 3 and Tesla Plaid inverters were completed. Now I managed to get a printed circuit board for Tesla Cybertruck. I sent the video of the work to the big boss of this site. It probably takes 3-6 months to make a cybertruck. I plan to develop these projects on a non-open basis. Interested enthusiasts can contact me to complete modern projects with Tesla drives.
Re: Tesla Model 3 Rear Drive Unit Hacking
Managed to unlock the processor/memory in the drive unit via the UDS 0x27 security access service. It turned out that Tesla uses a static seed and key for all CAN ECUs.
I don't know what to do with all this yet. Maybe it will be possible to upload/download something from the inverter or at least change its config.
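An audit check for the condition reported above, added here as an example and not taken from the thread: it reads a candump-style capture of UDS 0x27 exchanges and reports every ECU whose requestSeed response never changes. The CAN IDs, seed bytes and log lines are constructed placeholders, and only ISO-TP single frames are handled.

```python
import re
from collections import defaultdict

# Constructed candump-style capture. CAN IDs and all bytes are placeholders,
# not values from a real vehicle; 0x7E8 repeats its seed, 0x7EA does not.
CAPTURE = """\
(1.000) can0 7E0#0227010000000000
(1.010) can0 7E8#0667011A2B3C4D00
(1.020) can0 7E0#062702AABBCCDD00
(1.030) can0 7E8#0267020000000000
(9.000) can0 7E0#0227010000000000
(9.010) can0 7E8#0667011A2B3C4D00
(9.500) can0 7E0#0227010000000000
(9.510) can0 7E8#0667010000000000
(20.00) can0 7E2#0227010000000000
(20.01) can0 7EA#06670191F0037C00
(31.00) can0 7E2#0227010000000000
(31.01) can0 7EA#0667015D22E8A100
"""

LINE = re.compile(r"\(\s*[\d.]+\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")

def seeds_by_ecu(capture: str) -> dict:
    """Collect requestSeed responses (67 <odd level> <seed>) per (CAN ID, level)."""
    seeds = defaultdict(list)
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        can_id, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if not data or data[0] >> 4 != 0:      # ISO-TP single frames only
            continue
        payload = data[1:1 + (data[0] & 0x0F)]
        if len(payload) < 3 or payload[0] != 0x67 or payload[1] % 2 == 0:
            continue
        seed = payload[2:]
        if any(seed):                          # all-zero seed = already unlocked
            seeds[(can_id, payload[1])].append(seed.hex())
    return dict(seeds)

def static_seed_findings(capture: str, min_samples: int = 2) -> dict:
    """ECUs whose every observed seed is identical across min_samples requests."""
    return {k: v[0] for k, v in seeds_by_ecu(capture).items()
            if len(v) >= min_samples and len(set(v)) == 1}

if __name__ == "__main__":
    for (can_id, level), seed in static_seed_findings(CAPTURE).items():
        print(f"static seed on 0x{can_id:X} level {level:#04x}: {seed}")
```

An ECU that draws a fresh random seed for each request never appears in the findings, which is the behaviour the seed/key exchange is meant to have.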
Re: Tesla Model 3 Rear Drive Unit Hacking
A small update for you. It's impossible to dump the inverter flash via CAN, because Tesla disabled UDS services 0x23 Read memory by address and 0x35 Request data upload.
In old drive units, where there is a JTAG, you can dump and write, knowing the password, but you can't do this in newer ones, where there is no JTAG.