Ethernet port in driver footwell

  • SUPPORT THE SITE AND ENJOY A PREMIUM EXPERIENCE!
    Welcome to Tesla Owners Online, four years young! For a low subscription fee, you will receive access to an ad-free version of TOO. We now offer yearly memberships! You can subscribe via this direct link:
    https://teslaownersonline.com/account/upgrades

    SUBSCRIBE TO OUR YOUTUBE CHANNEL!
    Did you know we have a YouTube channel that's all about Tesla? Lots of Tesla information, fun, vlogs, product reviews, and a weekly Tesla Owners Online Podcast as well!
Kyohack

Kyohack

New Member
#1
Joined
Dec 23, 2019
Messages
1
Location
Louisiana
Country
Country
Tesla Owner
Model 3
#1
Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
diag-connector-png.31322


This goes to the white port in the driver footwell. Here's a pic:
img_20191223_105140-jpg.31321


To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
soldered-cable-jpg.31324


The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
img_20191223_105623-jpg.31325


I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
 

Attachments

Frully

Frully

Top-Contributor
#3
Joined
Aug 30, 2018
Messages
1,061
Location
Calgary, AB. Canada
Country
Country
Tesla Owner
Model 3
#3
That was my understanding from the start -- high speed CAN data 'hidden' in physical/data link ethernet. Makes a lot of sense to use industry standard protocols for the electrical connections at the very least - lots of common chips can handle tx/rx with those protocols. Then it's just lots and lots of layers of security to stop someone stealing your car from the diagnostic port :)
 
Perscitus

Perscitus

Top-Contributor
TOO Supporting Member
#4
Joined
Feb 22, 2017
Messages
471
Location
New York City
Country
Country
Tesla Owner
Model 3
#4
Mobile techs and service centers use this port in conjunction with an ethernet to usb cable and tesla software (in part cloud based) to perform all types of diagnostics and reset procedures (for example recalibrate windows, set amber vs red rear turn signal modes on/off, pull logs off the linux xCUs scattered across the car etc).
 
Frully

Frully

Top-Contributor
#5
Joined
Aug 30, 2018
Messages
1,061
Location
Calgary, AB. Canada
Country
Country
Tesla Owner
Model 3
#5
Perscitus said:
Mobile techs and service centers use this port in conjunction with an ethernet to usb cable and tesla software (in part cloud based) to perform all types of diagnostics and reset procedures (for example recalibrate windows, set amber vs red rear turn signal modes on/off, pull logs off the linux xCUs scattered across the car etc).
Click to expand...
Amber signals is a software flag?! I WANT IT! The red signals blend too easily with the brakes I find.
 
Perscitus

Perscitus

Top-Contributor
TOO Supporting Member
#6
Joined
Feb 22, 2017
Messages
471
Location
New York City
Country
Country
Tesla Owner
Model 3
#6
I want it too... not for us mere mortals though. Only insiders playing around with such things on Tesla staff owned cars. Ugh.
 
JWardell

JWardell

TOO Master Member
TOO Sponsor Vendor
#7
Joined
May 9, 2016
Messages
4,459
Location
Boston
Country
Country
Tesla Owner
Model 3
#7
Kyohack said:
Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
Click to expand...
The Diagnostic port is the first thing I went chasing after about a year and a half ago....

https://teslaownersonline.com/threads/diagnostic-port-and-data-access.7502/#post-130395

I even have the proper connectors and a harness made up. But we determined it was ethernet that was encrypted or must be unlocked in some way and were stuck for a while unable to find any good data in the car, until we finally found CAN elsewhere.

I haven't heard of any further success communicating on the diagnostic ethernet, but you certainly got some useful info here. I hope you can keep trying and maybe figure something out. I'm not sure if @Ingineer knows more about it now too.
 
B

bequa

New Member
#8
Joined
Sep 2, 2019
Messages
1
Location
Tbilisi
Country
Country
Tesla Owner
Model 3
#8
Look here:
https://teslamotorsclub.com/tmc/thr...del-3-note-car-repaired-after-a-crash.174945/

I am also trying to get some ports to respond.
USB-Serial connection to FTDI is asking for username and password, any idea what that could be?

I found out the udp command to unlock diag port but I guess it has to run from the inside. No idea what can it do from outside - thru the firewall because it requires data from ICE emmc.
 
TeslaHaffi

TeslaHaffi

New Member
#9
Joined
Jan 13, 2020
Messages
1
Location
Reykjavik
Country
Country
Tesla Owner
Model 3
#9
Well if I was building this I would have the Tesla Cloud send a Magic packet down to the Car which then enables some ports on the Firewall, Regards to encyrpting Ethernet, never seen that done, not on the ethernetlayer it self. That would happen on higher layers.
Try Ping Broadcast and See whats going on . Leave a Packet capture running while sending some commands via the Tesla App. :p

Just some ideas.
 
Nogas

Nogas

New Member
#10
Joined
May 25, 2020
Messages
4
Location
Thebozzq
Country
Country
Tesla Owner
Model 3
#10
bequa said:
Look here:
https://teslamotorsclub.com/tmc/thr...del-3-note-car-repaired-after-a-crash.174945/

I am also trying to get some ports to respond.
USB-Serial connection to FTDI is asking for username and password, any idea what that could be?

I found out the udp command to unlock diag port but I guess it has to run from the inside. No idea what can it do from outside - thru the firewall because it requires data from ICE emmc.
Click to expand...
What this mean UDP command ( magic packet same as WOL) ? And what is it? Also where did you connect USB to serial? I know the HW3 has two Ethernet ports. Is one of them console?

I'm try to get familiar with Model 3 and trying to understand it more, I had able to get to service mode and trying to get other modes like factory and transport modes. I'm curious and like to know how things works
 
Nogas

Nogas

New Member
#11
Joined
May 25, 2020
Messages
4
Location
Thebozzq
Country
Country
Tesla Owner
Model 3
#11
Kyohack said:
Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
Click to expand...
Might DDOS crash something and give you access
 
Nogas

Nogas

New Member
#12
Joined
May 25, 2020
Messages
4
Location
Thebozzq
Country
Country
Tesla Owner
Model 3
#12
Kyohack said:
Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!
Click to expand...

Hi,
I have P3D built May 2019, and I have plugged cable to that port same as your way but it never made my Ethernet work it's like nothing connected. I got header 5 pin and installed white-green, green, white-orange, orange and direct it green to the front that led the 5 not usable pin near to driver, but never worked
 
You must log in or register to reply here.