Hi all,
My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
This goes to the white port in the driver footwell. Here's a pic:
To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.
The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn
Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MACs are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway
According to Tesla's theory of operation for the Model 3, everything should be on the same Ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACLs on the switch (doubt it, imo) or if the modules are just well locked down.
I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.
Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
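Added example, not part of the original post: a Python sketch that tallies ARP who-has requests from captured Ethernet frames, which is how a list like the one above (addresses a host keeps looking for) can be produced from a capture. The frames are constructed inline; the sender MAC 02:00:00:00:00:01 is a placeholder and the function names are illustrative.

```python
import socket
import struct
from collections import Counter

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if the
    frame is not a complete IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return opcode, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def who_has_counts(frames):
    """Count ARP requests per (asking IP, wanted IP) pair."""
    counts = Counter()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REQUEST:
            counts[(parsed[2], parsed[3])] += 1
    return counts

def build_request(src_mac, src_ip, wanted_ip):
    """Build a broadcast ARP request (used here only to make sample input)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    ether = b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += mac + socket.inet_aton(src_ip) + b"\x00" * 6 + socket.inet_aton(wanted_ip)
    return ether + arp

# Constructed sample: 192.168.90.100 (the CID address from the post) asking for
# the three addresses listed above. The sender MAC is a made-up placeholder.
CID_MAC = "02:00:00:00:00:01"
SAMPLE = [build_request(CID_MAC, "192.168.90.100", ip)
          for ip in ("192.168.90.60", "192.168.90.105", "192.168.90.102", "192.168.90.60")]
SAMPLE.append(SAMPLE[0][:30])                             # truncated frame, ignored
SAMPLE.append(b"\x00" * 12 + b"\x08\x00" + b"\x00" * 40)  # IPv4 frame, ignored

if __name__ == "__main__":
    for (asker, wanted), n in sorted(who_has_counts(SAMPLE).items()):
        print(f"{asker} asked for {wanted} {n} time(s)")
```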