Page 3 of 4

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Tue Mar 04, 2025 1:12 am
by AMP3R
jetpax wrote: Sat Feb 22, 2025 3:14 pm Great job!

So are you saying that if i record these 65536 challenge responses for a paired motor/VCSEC, then i could dump the motor firmware and flash it into another motor and the new motor should authenticate?
A small update for you. It's impossible to dump the inverter flash via CAN, because Tesla disabled UDS service 0×35 Request data upload.

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Sat Mar 15, 2025 10:34 am
by Refasol123
Hi everyone,
First of all congratulations for the amazing work that you've done here.

I am an electronics student and I want to use the inverter of a m3 front du just to measure some parameters (efficiency, temperature...) as part of a project. I would greatly appreciate it if someone could guide me a bit on how to get started with the purpose of enabling the inverter and controlling some parameters.

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Fri Mar 28, 2025 11:50 am
by AMP3R
AMP3R wrote: Sun Feb 02, 2025 9:18 pm A few days ago I had an idea to take another close look what the inverter sends to the vehicle CAN and after poking around found something interesting. It turns out that there are many more ids with alerts and errors than I thought. By simple calculations edited the dbc file and when turned on the drive unit I was stunned.

Of course, nothing will work, because the DI_a174_notOkToStartDrive alert is active. The logic lacks 12 volts, which I supply from a regular ATX power supply. If this turns out to be the cause, it will be very funny. But it is too early to rejoice.
Screenshot from 2025-02-02 21-54-41.png
The new power supply didn't help, which means the problem is somewhere in the can messages.

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Sun Mar 30, 2025 1:34 pm
by AMP3R
It works. Switches to D and R, but for some reason immediately returns to P. Also, a new alert DI_a125_noBatteryPower appeared.
Screenshot from 2025-03-30 16-11-04.png
Screenshot from 2025-03-30 16-11-21.png
20250330_163059.jpg

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Sun Mar 30, 2025 2:41 pm
by RadioKot
Congratulations on your success! You’ve done a great job, and the results speak for themselves. It’s clear that you know what you’re doing and are moving in the right direction. Keep it up!

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Tue Apr 01, 2025 9:57 pm
by AMP3R

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Tue Apr 01, 2025 11:36 pm
by ScythianNite
so this setup requires an originally-paired inverter and VCSEC and canspoofing for the rest of the messages? (not to be reductive, just trying to parse through the posts so far)

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Wed Apr 02, 2025 12:14 am
by P.S.Mangelsdorf
Dude that is awesome! Great work!

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Wed Apr 02, 2025 5:42 am
by Bratitude
AMP3R wrote: Tue Apr 01, 2025 9:57 pm
great work AMP3R, just to recap:

-stock M3/MY drive unit
-matching VCSEC (from the same vehicle)
-stock pedal
-vehicle CAN
-HVIL terminated


key card is not required? or key card is required to enable keyless driving?

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Wed Apr 02, 2025 8:48 am
by AMP3R
ScythianNite wrote: Tue Apr 01, 2025 11:36 pm so this setup requires an originally-paired inverter and VCSEC and canspoofing for the rest of the messages? (not to be reductive, just trying to parse through the posts so far)
Yes

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Wed Apr 02, 2025 8:50 am
by AMP3R
Bratitude wrote: Wed Apr 02, 2025 5:42 am great work AMP3R, just to recap:

-stock M3/MY drive unit
-matching VCSEC (from the same vehicle)
-stock pedal
-vehicle CAN
-HVIL terminated


key card is not required? or key card is required to enable keyless driving?
Key card is not required. You can enable keyless driving via can and that's it.

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Mon Apr 07, 2025 9:03 pm
by dimonlipko
Great work AMP3R! I long time dont read this thread, you progress is cool!

I very slowly but work on this way to run M3 inverter. I make some research on MY and change rear drive inverter from 990 to 980 version. I make new IMMO pair with VCSEC and DIR with Tesla Toolbox. But then I change back stock inverter, VCSEC forgot it, so VCSEC can make pair only with one inverter.

I buy MCU with old software , display, motor, VCSEC, pedal and wiring for bench test. MCU help me rewrite software in inverter for more old version, when I start redeploy. And MCU help me make IMMO pair.

Next step emulate CAN frame to make motor spin)))

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Thu Jun 26, 2025 4:17 pm
by AMP3R
Does anybody have EEPROM dump of rear inverter?

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Thu Jun 26, 2025 4:31 pm
by davefiddes
Damien has some captures of the EEPROM access with the Tesla firmware running:

https://github.com/damienmaguire/Tesla- ... ter/EEPROM

You need Saleae Logic 1.x software to open these files.

I've attached a dump I made of my EEPROM before I started writing to it. It's mostly empty space.

The program I used to make the dump can be found here: https://github.com/davefiddes/c2000-inv ... dumpeeprom

If you are brave/careful/reckless (delete as applicable) it should be possible to run this on any Tesla M3/Y inverter without wiping the Tesla firmware.

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Thu Jun 26, 2025 4:43 pm
by AMP3R
davefiddes wrote: Thu Jun 26, 2025 4:31 pm Damien has some captures of the EEPROM access with the Tesla firmware running:

https://github.com/damienmaguire/Tesla- ... ter/EEPROM

You need Saleae Logic 1.x software to open these files.

I've attached a dump I made of my EEPROM before I started writing to it. It's mostly empty space.

The program I used to make the dump can be found here: https://github.com/davefiddes/c2000-inv ... dumpeeprom

If you are brave/careful/reckless (delete as applicable) it should be possible to run this on any Tesla M3/Y inverter without wiping the Tesla firmware.
Do you have .bin dump?

Tesla Model 3 Rear Drive Unit Closed Source CAN Hacking

Posted: Thu Jun 26, 2025 4:50 pm
by davefiddes
AMP3R wrote: Thu Jun 26, 2025 4:43 pm Do you have .bin dump?
No. You can run through a simple tool like xxd:

Code: Select all

xxd -r -p eeprom-dump-fast.txt eeprom-dump.bin

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Thu Jun 26, 2025 7:19 pm
by AMP3R
I have figured out the secret of how the immobilizer works and now it's possible to use drive units without VCSEC. Unfortunately, I can't reveal this information, otherwise a falcon 9 rocket will fall on my house, as Damien once joked.

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Thu Jun 26, 2025 8:21 pm
by crasbe
Congratulations.

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Fri Jun 27, 2025 1:38 am
by Bratitude
AMP3R wrote: Thu Jun 26, 2025 7:19 pm I have figured out the secret of how the immobilizer works and now it's possible to use drive units without VCSEC. Unfortunately, I can't reveal this information, otherwise a falcon 9 rocket will fall on my house, as Damien once joked.
Where’s the fun in that? At least give us some clues!

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Fri Jun 27, 2025 7:59 am
by AMP3R
Bratitude wrote: Fri Jun 27, 2025 1:38 am Where’s the fun in that? At least give us some clues!
If I post this info, then what will be the point of the inverter board that Damien is making now? Also I don't want to take away the bread of Johannes, his openinverter shop and so on. Sorry.

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Fri Jun 27, 2025 9:10 am
by johu
It's great that you are very thoughtful.
As for me (OI shop) I don't sell M3 boards and not planning either.

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Fri Jun 27, 2025 11:08 am
by Jack Bauer
First off congratulations. I understand how it feels to see a motor turn after a long process of work. You are free to do with the information as you see fit. I know the broad strokes myself but i'm sure there are hundreds of details to work out along the way. The solution I'm pursuing is a different route with its own advantages and disadvantages. The biggest for me is the freedom to have it all open and accessible without fear or favor or concern about a booster "malfunction" :)

Sure its nice to make some money selling the boards but thats far from the only motivator. Depending on how things pan out i'm a week or two away from dragging my Volvo V50 M3 drive unit test mule into the barn and making it spin wheels with the prototype OI board in the inverter. I'll keep at it no matter what and all going well I'll try selling the board once I'm as happy as I can be that it works. I may decide to just make it fully opensource at that point also depending on circumstances. If there is no business case for selling the boards as various "better" solutions are available then that would make the most sense.

In any event , I owe it to myself and those who have supported me to keep going until I experience 500hp in a Volvo. Now I gotta wrestle a door latch back into the Red Arrow so I can make some room in the barn:)

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Fri Jun 27, 2025 7:33 pm
by catphish
AMP3R wrote: Fri Jun 27, 2025 7:59 am If I post this info, then what will be the point of the inverter board that Damien is making now? Also I don't want to take away the bread of Johannes, his openinverter shop and so on. Sorry.
If this is your only motivation, then please send the data to Damien and Johannes and let them decide whether it's suitable to implement in the Zombieverter project!

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Sat Jun 28, 2025 9:34 pm
by AMP3R
catphish wrote: Fri Jun 27, 2025 7:33 pm If this is your only motivation, then please send the data to Damien and Johannes and let them decide whether it's suitable to implement in the Zombieverter project!
I prefer that this information not become open source.

Re: Tesla Model 3 Rear Drive Unit Hacking

Posted: Sat Jun 28, 2025 9:56 pm
by Bratitude
AMP3R wrote: Sat Jun 28, 2025 9:34 pm I prefer that this information not become open source.
If your planing on releasing your own standalone controller then fair enough, but the open in openinverter dose stand for something….