Reverse Engineering the Tesla Battery Management System for Moar Powerrr!

Conference: Defcon 28

2020-08-01

Summary

The presentation covers reverse engineering Tesla's firmware and modifying its configuration to raise speed and current limits beyond the factory settings.
  • The speaker reverse engineered Tesla's firmware and modified the configuration to increase speed and current limits beyond factory settings.
  • The speaker added features to Tesla vehicles, such as heated rear seats and Autopilot 2 hardware in an Autopilot 1 vehicle.
  • The speaker advises caution when modifying the firmware, since some limits are dangerous to push past.
  • Tesla has been shipping firmware updates intended to frustrate attempts to gain access to the main MCU.

The speaker also mentions a person who reverse engineered the entire Autopilot 2 system and retrofitted it into an Autopilot 1 vehicle by replacing the steering rack and brake modules and adding all of the cameras, including one in the B-pillar, where there was no hole for it.

Abstract

Tesla released the P85D in 2014. At that time the vehicle came with "insane mode" acceleration with a 0-60 time of 3.2 seconds. Later, in July of 2015, Tesla announced "Ludicrous mode," which cut the 0-60 time down to 2.8 seconds. This upgrade was offered both on new vehicles and as a hardware and firmware change to the existing fleet of P85D vehicles. Since then, Tesla has released newer Ludicrous vehicles. What makes the P85D upgrade unique was how the process required changes to the vehicle's Battery Management System (BMS). The BMS handles power requests from the drive units of the car. I was able to reverse engineer this upgrade process by examining the CAN bus messages, CAN bus UDS routines and various firmware files that I extracted from a car. I also decrypted and decompiled Python source code used for diagnostics to determine that the process involved replacing the contactors and fuse with higher-current versions as well as modifying the current-sensing high-voltage "shunt" inside the battery pack. I then performed this process on an actual donor P85D. I bricked the car in the process, forcing me to pay to have it towed to another state so I could troubleshoot. I came to understand that the BMS is the deciding module that allows the drive units to have only as much power as the BMS allows. The car is fixed and is faster.