Ethernet port in driver footwell

[Kyohack]

Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:

This goes to the white port in the driver footwell. Here's a pic:

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!

 

[FogNoggin]

This car hides so many surprising secrets.

 

[Frully]

That was my understanding from the start -- high speed CAN data 'hidden' in physical/data link ethernet. Makes a lot of sense to use industry standard protocols for the electrical connections at the very least - lots of common chips can handle tx/rx with those protocols. Then it's just lots and lots of layers of security to stop someone stealing your car from the diagnostic port

 

[Perscitus]

Mobile techs and service centers use this port in conjunction with an ethernet to usb cable and tesla software (in part cloud based) to perform all types of diagnostics and reset procedures (for example recalibrate windows, set amber vs red rear turn signal modes on/off, pull logs off the linux xCUs scattered across the car etc).

 

[Frully]

Mobile techs and service centers use this port in conjunction with an ethernet to usb cable and tesla software (in part cloud based) to perform all types of diagnostics and reset procedures (for example recalibrate windows, set amber vs red rear turn signal modes on/off, pull logs off the linux xCUs scattered across the car etc).

Amber signals is a software flag?! I WANT IT! The red signals blend too easily with the brakes I find.

 

[Perscitus]

I want it too... not for us mere mortals though. Only insiders playing around with such things on Tesla staff owned cars. Ugh.

 

[JWardell]

Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!

The Diagnostic port is the first thing I went chasing after about a year and a half ago....

https://teslaownersonline.com/threads/diagnostic-port-and-data-access.7502/#post-130395

I even have the proper connectors and a harness made up. But we determined it was ethernet that was encrypted or must be unlocked in some way and were stuck for a while unable to find any good data in the car, until we finally found CAN elsewhere.

I haven't heard of any further success communicating on the diagnostic ethernet, but you certainly got some useful info here. I hope you can keep trying and maybe figure something out. I'm not sure if @Ingineer knows more about it now too.

 

[bequa]

Look here:
https://teslamotorsclub.com/tmc/thr...del-3-note-car-repaired-after-a-crash.174945/

I am also trying to get some ports to respond.
USB-Serial connection to FTDI is asking for username and password, any idea what that could be?

I found out the udp command to unlock diag port but I guess it has to run from the inside. No idea what can it do from outside - thru the firewall because it requires data from ICE emmc.

 

[TeslaHaffi]

Well if I was building this I would have the Tesla Cloud send a Magic packet down to the Car which then enables some ports on the Firewall, Regards to encyrpting Ethernet, never seen that done, not on the ethernetlayer it self. That would happen on higher layers.
Try Ping Broadcast and See whats going on . Leave a Packet capture running while sending some commands via the Tesla App.

Just some ideas.

 

[Nogas]

Look here:
https://teslamotorsclub.com/tmc/thr...del-3-note-car-repaired-after-a-crash.174945/

I am also trying to get some ports to respond.
USB-Serial connection to FTDI is asking for username and password, any idea what that could be?

I found out the udp command to unlock diag port but I guess it has to run from the inside. No idea what can it do from outside - thru the firewall because it requires data from ICE emmc.

What this mean UDP command ( magic packet same as WOL) ? And what is it? Also where did you connect USB to serial? I know the HW3 has two Ethernet ports. Is one of them console?

I'm try to get familiar with Model 3 and trying to understand it more, I had able to get to service mode and trying to get other modes like factory and transport modes. I'm curious and like to know how things works

 

[Nogas]

Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!

Might DDOS crash something and give you access

 

[Nogas]

Hi all,

My curiosity got the best of me and I recently bought a subscription to Tesla's service website. Going through the electrical diagrams I noticed an ethernet diagnostic port with the pinout labeled. I'm able to communicate with the MCU without having to disassemble my dash! Here's a simplified version for anyone looking to make an ethernet cable for their Model 3:
View attachment 31322

This goes to the white port in the driver footwell. Here's a pic:
View attachment 31321

To make my cable, I soldered to a standard 4-pin header socket (hotglued to increase strength and prevent shorts):
View attachment 31324

The standard 4 pin header fits great. Make sure you catch all 4 pins when you plug it in (the port has an unpopulated 5th pin). Also make sure you plug it in the correct orientation. Orange points towards rear of the car, green towards front.
View attachment 31325

I had to hardcode my laptop to use IP: 192.168.90.110 Subnet: 255.255.255.0. There's nothing special about that IP, it's just an available address in the 192.168.90.X subnet Tesla uses.

The results are the same as what Lewurm found on his GitHub. Using nmap I can see port 8080 and 22 for the CID:
nmap 192.168.90.100 -p8080,22 -Pn

Looking in Wireshark, I notice the CID is also reachable at 192.168.20.2. I see ARP traffic where the CID attempts to find the following. (Comparing with Lewurm's results, I can conclude these MAC's are the same on every car):
192.168.90.60 00:55:7b:b5:7d:f7
192.168.90.105 02:53:6e:00:ae:02
192.168.90.102 dc:44:27:11:02:03 Gateway

According to Tesla's theory of operation for the Model 3, everything should be on the same ethernet switch. In practice, I'm not sure if that is true. I tried spoofing my MAC and IP to match some of the other modules but wasn't able to see any increased traffic. No new ports when rerunning nmap. I'm not sure if they run ACL's on the switch (doubt it, imo) or if the modules are just well locked down.

I was NOT able to access the gateway on port 3500. I was also NOT able to access the MCU's ice-updater on port 25956. I am disappointed by this. There would have been some practical benefit to DIY repair if we could access the ice-updater... That would have allowed us to redeploy firmware for DIY hardware replacement.

Your results may vary... I'm curious if anyone's seen more ports or traffic by doing some ethernet layer 2 trickery. Let me know what you find!

Hi,
I have P3D built May 2019, and I have plugged cable to that port same as your way but it never made my Ethernet work it's like nothing connected. I got header 5 pin and installed white-green, green, white-orange, orange and direct it green to the front that led the 5 not usable pin near to driver, but never worked